Security Digest, 25th February 2016.
Welcome to the Thursday, February 25th edition of the cybX Security digest. As always, the last few days have been busy and I have a number of articles for you to look at, along with some potential insights.
A few years ago, Sony Pictures got attacked and it became a bit of a media circus, through no direct fault of Sony’s. It turns out, according to analysis from a number of security vendors, that the attackers who targeted Sony Pictures get around a little bit; CSO Online, Security Affairs and others have analysis on this as well as a link to the report. We also have a list of data breaches for February alone, collated by IT Governance. Following that theme, Helpnet Security have an article about data breaches, and also at Helpnet there is a very interesting article, “A third of IT managers admit hacking”, which I’d love to delve into but sadly I don’t have time! Lastly for the news in brief, Tripwire has some analysis on the ‘Good, Bad and Ugly’ of the GDPR.
Starting today properly with a report from The Register, which states, “A dozen facilities fall as humble dropped USB sticks lead to network ruin.” Now, thankfully this was nothing more than research and not a real event, however the implications are no less damaging. For the last two years, and probably longer, we have seen several researchers find flaws in medical devices, in the way hospitals store data and in how frivolous staff can be with that data. Not to mention hospitals recently giving in to ransomware demands, which will likely make them targets for further attacks. We know that none of this is new, however the way this has been presented should hopefully hit home a little harder, particularly as it’s not just patients’ data at risk but potentially lives too. This quote sums it up in a pretty damning way.
"We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more," researcher Ted Harrington says. "These vulnerabilities are a result of systemic business failures."
Note: this research was compiled on American hospitals. Because UK hospitals fall under the NHS, a much stricter regimen applies to their data security, and it also means that every hospital has the same guidance, the same best practice and the same advice. That typically means they are more secure; however, I wouldn’t let that fool you into thinking they won’t fall into the same traps as some US hospitals and medical care providers.
The website VPN-Haus has an article with some analysis on “Flaws in Industrial IoT Underline Importance of Secure Connectivity”, which references an interesting statistic from a Gartner study that “50% of major new business processes and systems will incorporate some element of the Internet of Things (IoT) by the year 2020.” Yes, okay, so I’m hammering on about IoT, but if that prediction is correct and more than half of new business processes and systems will incorporate IoT, well, we had better start getting it right! Nissan are off to a flying start, but cheap jabs aside, the article touches on many of the same important points you’ve read here before: the race to market, for example, where being first is more important than being secure. We as end users are going to suffer unless we start to demand change in how new devices are brought to market. IoT can be hugely beneficial to a company given the huge range of opportunities it can offer, but we just need to make sure manufacturers are aware of the huge range of new vulnerabilities they are exposing as well, and just getting the simple things right, such as authentication, is a start.
Over at Data Breach Today, they have been looking at a blog post by Kaspersky on the Android banking trojan Acecard, originally released in 2014 but still going strong today. The trojan, unsurprisingly, is looking to steal login credentials for banking apps and social media apps, and over its life it has gone through a series of iterations. Reading through the article, the evolution of the trojan is almost a very neat timeline of the evolution of malware to date: how attackers are evolving not just to meet new opportunities but to work around the systems defenders put in place to stop the malware from working. The original Acecard in 2014 had a limited ability to read/send SMS, check phone details and change some of the core information on the phone. Fast forward to 2016 and the new strain of Acecard can overlay apps with phishing windows, remotely wipe phones and harvest login credentials: a hacker’s complete toolkit for acquiring accounts, well on the way to fraud and stealing digital dollars, with most of those features developed within 6 months of the malware’s original release.
Have you got a wireless mouse or keyboard? Then this next article is for you, as The Register reports that wireless mice and keyboards have been hijacked in a proof-of-concept hack. While this shouldn’t come as a huge surprise, the actual ins and outs of it are that your dongle transmits in order for your wireless device to pair so the two can communicate. What does surprise me is that the keystrokes or mouse movements are sent as cleartext and, through a series of additional ‘features’ added to the software, can then be captured/sniffed and effectively logged. This carries on from the IoT piece: manufacturers just aren’t thinking like attackers; they are thinking about how to find the simplest, cheapest solution to a problem and then how to market and sell it. We need to start approaching any new device, be it a mouse, a webcam or a toaster with RSS feeds, with the attitude of ‘okay, I have this device, now how can I break into it? What would an attacker do?’ and really start to follow through on the ‘Think Thief’ philosophy of infosec.
Finally, I have an article from Data Breach Today once more, this time about cyber insurance and the potential for discounts. Now, apologies in advance if this starts sounding like a sales pitch… at cybX we train, test and validate IT teams in order to ensure that the people, processes and policies are all up to scratch. Second to this, we ensure that team structures, communication and collaboration, as well as trust and understanding, are not only there but reinforced. With that knowledge and experience, maybe it would give additional bargaining power when approaching vendors about cyber insurance. I can’t say whether it will or won’t work (I don’t have that authority, sadly!), but insurance is based on risk, and cyber risk is a largely unknown quantity to insurance vendors. Having training, validation and a stamp of approval removes some of that ambiguity, and much like the case in the article, where being HIPAA certified reduced premiums, the same concept applies.
And that’s all I have time for today. I hope you don’t mind my little ramble at the end; I’ll be back on Monday with cyber security news from over the weekend. Enjoy the rest of your week!