CNN.com has a reputation among my colleagues in IT for how long it takes to load its front page. I reasoned that it must be pulling in many resources from third-party sites. Therefore I thought it would be an ideal target for the Burp Suite intercepting proxy.
Week 12: Web Services
The writer of this article focuses on three areas (energy, telecommunications, and finance) that are vital and vulnerable to cyber attacks, and which President-elect Trump should immediately address once he officially becomes President.
Gartner predicts that over the next two years more than half of IoT manufacturers won’t be able to contain weak authentication methods, which can pose a data risk. It is also estimated that by the year 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets. According to this article, security experts said last April that they projected security spending on IoT would approach $350M this year, almost a 24% increase from last year, but this may not be enough, experts say.
With proper measures and security tactics we could work things out. A recent Forbes article covered the topic of IoT security, advocating “strict regulatory standards,” the need to “enhance security while simplifying compliance” and implementing “an end-to-end approach that integrates both IT and operations technology (OT).”
Devices which must authenticate against other systems (generally in order to access or transmit data) should be configured to do so securely, such as with unique IDs and passwords. It may also be possible to implement encryption (SSH) keys to provide device identity and permit the device to authenticate against other systems (securing the keys themselves is obviously a critical priority for this model to work). Examples of IoT devices with this capability can include closed-circuit TV (CCTV) or DVR devices and satellite antenna equipment.
In other instances, device SSL certificates can be issued during the manufacturing process or added later to establish device identity and facilitate the authentication process. When it comes to device updates (software and firmware, for instance), authentication should be employed where possible to ensure these can retrieve code only from approved systems, such as internal servers or authorized devices.
Depending on your IoT devices, researching and implementing the capabilities above (if not already present) would be a good first step in security.
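The device-identity and authenticated-update scheme described in the post above, worked through as an added example (this code is not from the original post or from any vendor). It assumes a vendor Ed25519 public key pinned into the device at manufacture, a small signed manifest (version, source URL, SHA-256 of the image), an allowlist of approved update hosts, and a made-up hostname in the .invalid TLD; all of those are assumptions for illustration. The device accepts an image only if it came from an approved server over HTTPS, the manifest signature verifies against the pinned key, the image digest matches the manifest, and the version is newer than what is installed (so an attacker cannot replay an old, vulnerable but genuinely signed image).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest describes one firmware image. The vendor signs its canonical form.
// (Assumed format for this example; real vendors define their own.)
type Manifest struct {
	Version   uint32 // monotonically increasing; used for anti-rollback
	SourceURL string // where the device fetched the image from
	ImageSHA  string // hex SHA-256 of the image bytes
}

// canonical returns the exact bytes that are signed. A fixed field order and
// separator mean vendor and device agree on what the signature covers.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("v1|%d|%s|%s", m.Version, m.SourceURL, m.ImageSHA))
}

// NewManifest computes the digest of image and fills in a manifest.
func NewManifest(version uint32, src string, image []byte) Manifest {
	sum := sha256.Sum256(image)
	return Manifest{Version: version, SourceURL: src, ImageSHA: hex.EncodeToString(sum[:])}
}

// SignManifest runs on the vendor's build system with the private signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrUntrustedSource = errors.New("update source not in allowlist or not https")
	ErrBadSignature    = errors.New("manifest signature invalid")
	ErrDigestMismatch  = errors.New("image digest does not match manifest")
	ErrRollback        = errors.New("manifest version not newer than installed")
)

// VerifyUpdate is the device-side check. pub is the vendor public key pinned
// in the device; allowedHosts are the approved update servers. Checks are
// ordered cheapest first; any failure rejects the image.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte,
	allowedHosts map[string]bool, installedVersion uint32) error {
	u, err := url.Parse(m.SourceURL)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return ErrUntrustedSource
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA {
		return ErrDigestMismatch
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Key pair generated here only for the demo: in practice the public half is
	// provisioned into the device and the private half never leaves the vendor.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	allowed := map[string]bool{"updates.example-vendor.invalid": true} // assumed host
	image := []byte("constructed firmware image bytes")                // constructed
	m := NewManifest(7, "https://updates.example-vendor.invalid/fw/7.bin", image)
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, image, allowed, 6))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one flipped bit in the image
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, tampered, allowed, 6))

	bad := m
	bad.SourceURL = "https://mirror.attacker.invalid/fw/7.bin"
	fmt.Println("untrusted host:", VerifyUpdate(pub, bad, sig, image, allowed, 6))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed:", VerifyUpdate(pub, m, SignManifest(attackerPriv, m), image, allowed, 6))

	fmt.Println("rollback to same version:", VerifyUpdate(pub, m, sig, image, allowed, 7))
}
```

The allowlist and the pinned key do different jobs: the allowlist stops the device from even fetching from an unapproved server, while the signature is what actually proves the vendor produced the image, so a compromised mirror or an on-path attacker on an approved hostname still cannot push code. The rollback check is the piece most often forgotten in update mechanisms.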
This week, I came across this interesting article talking about certain low-end Android phones secretly communicating users’ data and texts to China. In fact, this has been all over tech news all week, so I’m sure most of you are already aware of this. To me, this raises two important security questions that have nothing to do directly with either Android or those low-end phone manufacturers.
It’s pretty evident that Android has been around for a while now. So, first, why did it take Homeland Security so long to uncover something of this magnitude against American consumers? Secondly, this article’s title mentions that “No one knows why,” but I’m wondering whether really no one knew why this has been going on, and for how long, if this security flaw claim is founded.
Below is the Article.
In an effort to better combat cyber attacks, IBM built a simulated version of the entire internet in a data center located in Massachusetts, coined the “cyber range”. The cyber range is manned by former security experts from federal law enforcement and intelligence agencies. The cyber range is capable of simulating cyber attacks using live malware, ransomware and other hacking tools. The end goal is to better prepare clients to recover from large-scale cyber attacks. According to IBM, many of the IT and security professionals they surveyed do not have an incident response plan in place. No one can stop all cyber attacks, but having an incident response plan in place could be the deciding factor in determining whether your business succeeds or fails if faced with that situation.
The Internet of Things is changing how we look at securing our home networks; gone are the days of just installing antivirus software on your PC and feeling secure. We now have to look at all the devices connected to our home network as a possible entry point for a cyber attack. Gryphon’s wireless router aims to fill this void by offering a technology that monitors smart thermostats, webcams, and other internet-connected devices for unusual activity, similar to how businesses have hardware/software to monitor their networks for traffic. A perfect example of why this type of device is now needed is the DDoS attack a few weeks back that crippled internet activity for the northeast region of the United States before moving west. The DDoS attack took advantage of wireless devices on home networks to launch an attack on popular websites. I see this as a positive step in the IoT age.
In a recent Computop report, a survey of over 1,900 consumers in the US and UK indicated that 71% of consumers would check the SSL certificates of ecommerce sites they shopped at, and 61% would check the liability policies. Respondents were also asked which biometric features they’d use for authentication, and fingerprints was the top choice (35%), but 41% rejected biometric authentication altogether. I was pleased to see that so many consumers are aware of the importance of ecommerce security. However, online sales kept growing because even though consumers knew the security risks of ecommerce, its convenience outweighed their security concerns.
Black Friday and Cyber Monday are coming soon, and ecommerce companies are preparing for the boost in sales. On the other hand, fraudsters and cyber-gangs are also preparing for attacks targeting both retailers and shoppers. Retailers should ensure that all site extensions are updated and that the proper firewalls are configured on their sites. Shoppers need to avoid clicking on sketchy advertisements.
A single laptop can take down a high-bandwidth enterprise firewall by using an attack known as BlackNurse, which uses ICMP type 3 (destination unreachable) code 3 (port unreachable) packets. It would take between 40,000 and 50,000 of these packets per second to overload the firewall. Generating this type of attack requires only between 15 Mbps and 18 Mbps of bandwidth.
The attack causes high CPU load, which leaves users on the LAN side unable to communicate with the internet. This attack was successfully tested using Cisco ASA firewalls in default settings. Firewalls from Palo Alto Networks, SonicWall, and Zyxel Comm. are also impacted, but only if settings are misconfigured.
To mitigate an attack like this, ICMP Type 3 Code 3 would need to be disabled on the WAN interface. Enabling ICMP Flood in the firewall’s DoS protection profile can also mitigate this type of attack.
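Detection logic for the traffic pattern the post above describes, as an added example (not code from the original post or from any of the named vendors). It assumes a simple one-packet-per-line ICMP log in the format `<epoch> <src> > <dst> ICMP type=<t> code=<c>`, a constructed sample log using documentation address ranges, and an alert threshold of 1,000 packets per second, chosen here as an early warning well below the 40,000 to 50,000 pps the post says is needed to overload the firewall. Only type 3 / code 3 packets are counted, so echo requests and other unreachable codes cannot inflate the figure, and the number of distinct sources is reported because a flood from many addresses at once is a hint that sources are spoofed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Packet is one parsed ICMP log record.
type Packet struct {
	Second int64  // epoch second the packet arrived
	Src    string // source IP (often spoofed in floods)
	Dst    string // destination IP, i.e. the firewall's WAN address
	Type   int    // ICMP type (3 = destination unreachable)
	Code   int    // ICMP code (3 = port unreachable)
}

// ParseLine parses one record in the assumed format
// "<epoch> <src> > <dst> ICMP type=<t> code=<c>". Malformed lines are skipped.
func ParseLine(line string) (Packet, bool) {
	f := strings.Fields(line)
	if len(f) != 7 || f[2] != ">" || f[4] != "ICMP" {
		return Packet{}, false
	}
	sec, err1 := strconv.ParseInt(f[0], 10, 64)
	typ, err2 := strconv.Atoi(strings.TrimPrefix(f[5], "type="))
	code, err3 := strconv.Atoi(strings.TrimPrefix(f[6], "code="))
	if err1 != nil || err2 != nil || err3 != nil {
		return Packet{}, false
	}
	return Packet{Second: sec, Src: f[1], Dst: f[3], Type: typ, Code: code}, true
}

// Alert reports one destination that received more than the threshold of
// ICMP type 3 code 3 packets within a single second.
type Alert struct {
	Second  int64
	Dst     string
	Count   int
	Sources int // distinct source addresses seen in that second
}

// DetectBlackNurse counts ICMP type 3 / code 3 packets per (second, dst) and
// returns one Alert for every bucket whose count exceeds pps, sorted by time.
func DetectBlackNurse(lines []string, pps int) []Alert {
	type key struct {
		sec int64
		dst string
	}
	counts := map[key]int{}
	sources := map[key]map[string]struct{}{}
	for _, l := range lines {
		p, ok := ParseLine(l)
		if !ok || p.Type != 3 || p.Code != 3 {
			continue // not a port-unreachable packet: never counted
		}
		k := key{p.Second, p.Dst}
		counts[k]++
		if sources[k] == nil {
			sources[k] = map[string]struct{}{}
		}
		sources[k][p.Src] = struct{}{}
	}
	var alerts []Alert
	for k, n := range counts {
		if n > pps {
			alerts = append(alerts, Alert{Second: k.sec, Dst: k.dst, Count: n, Sources: len(sources[k])})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Second != alerts[j].Second {
			return alerts[i].Second < alerts[j].Second
		}
		return alerts[i].Dst < alerts[j].Dst
	})
	return alerts
}

// ConstructedSample builds a synthetic log (not captured traffic): one second
// of a 1,200 pps port-unreachable flood from 40 sources, a quiet next second,
// 200 echo requests that must not count, and one garbage line.
func ConstructedSample() []string {
	var lines []string
	for i := 0; i < 1200; i++ {
		src := fmt.Sprintf("198.51.100.%d", i%40+1)
		lines = append(lines, fmt.Sprintf("1479000000 %s > 203.0.113.1 ICMP type=3 code=3", src))
	}
	for i := 0; i < 50; i++ {
		lines = append(lines, "1479000001 198.51.100.7 > 203.0.113.1 ICMP type=3 code=3")
	}
	for i := 0; i < 200; i++ {
		lines = append(lines, "1479000000 198.51.100.9 > 203.0.113.1 ICMP type=8 code=0")
	}
	lines = append(lines, "this line is garbage and is skipped")
	return lines
}

func main() {
	for _, a := range DetectBlackNurse(ConstructedSample(), 1000) {
		fmt.Printf("second %d: %s received %d ICMP 3/3 packets from %d sources\n",
			a.Second, a.Dst, a.Count, a.Sources)
	}
}
```

Counting per destination rather than per source is deliberate: the post's point is that the firewall's own WAN address is the victim, and a flood with spoofed or rotating sources would slip under any per-source rate limit.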
With Donald Trump’s win this past week, cybersecurity could have a new face in the White House, Rudy Giuliani. Giuliani has been head of several cyber security investigations in a law firm he works for and is one of the candidates for attorney general of the United States. This means that Giuliani could be leading the effort to force manufacturers such as Apple to provide backdoors to their encryption. It should also be interesting to see how Trump will head the NSA, which has come under turmoil during Obama’s administration due to the Snowden leaks. Needless to say, this should be an interesting four years for cyber security in America and the world.
Indiana’s Madison County is going on Day 5 of a ransomware nightmare. According to Madison County police, both first responders and civic officials are logging all calls for service by hand. Anderson Police, the Madison County Jail and the county court systems are locked out. “We cannot query old information to bring up prior reports or prior court records,” said Madison County sheriff Scott Mellinger. “If we want to bring somebody’s record up for something in the future, let’s say for somebody that has been arrested or somebody who is even in jail, then we cannot look up information that would help us at a hearing. On the sheriff’s office side, we cannot book people into jail using the computers. We are using pencil and paper like the old days.” The IT department worked around the clock to recover files, while officers work to track down who is responsible for the attack. The only good news is that officials do not believe that people’s personal or payment information is at risk from this event.