-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 9 months ago
This week’s main topic is ACLs (Access Control Lists): how to use them on what they protect: Files, Shares, Registry, Services, AD OUs.
The following command will protect service security:
subinacl […]
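As an added example (not the post’s own subinacl command, and not from the course materials), here is a read-only PowerShell audit that lists which broad, low-trust principals can modify a file, a registry key and a service; the paths and the service name are assumptions, so substitute your own:

```powershell
# Added example, not the course post's own command. Read-only ACL audit:
# report Allow ACEs that give broad principals write-class rights on the
# three object types the post names (files, registry keys, services).
# The paths and service name below are assumptions; substitute your own.
$FilePath    = 'C:\Users\Public\Temple'                           # assumed
$RegistryKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'  # assumed
$ServiceName = 'Spooler'                                          # assumed

# Principals that should rarely hold write-class rights on protected objects.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WritePattern    = 'Write|Modify|FullControl|SetValue|CreateSubKey|Delete|ChangePermissions|TakeOwnership'

function Get-BroadWriteAce {
    # Returns the Allow ACEs on a file or registry path that grant write-class
    # rights to one of the broad principals. Get-Acl hands back
    # FileSystemAccessRule or RegistryAccessRule objects, which expose
    # FileSystemRights and RegistryRights respectively.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ($rights.ToString() -match $WritePattern)) {
            [pscustomobject]@{
                Object    = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ServiceDacl {
    # Services have no PowerShell drive, so read the security descriptor as
    # SDDL with "sc.exe sdshow" and decode it with ConvertFrom-SddlString.
    # Service-specific rights (RP = start, WP = stop, DT = pause) decode
    # under generic names, but the principal on each ACE is what matters here.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }).Trim()
    if (-not $sddl) { throw "Could not read SDDL for service '$Name'" }
    (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
}

'== File ==';     Get-BroadWriteAce -Path $FilePath    | Format-Table -AutoSize
'== Registry =='; Get-BroadWriteAce -Path $RegistryKey | Format-Table -AutoSize
'== Service ==';  Get-ServiceDacl -Name $ServiceName |
    ForEach-Object { if ($_ -match 'Everyone|Authenticated Users|BUILTIN\\Users') { "FLAG: $_" } else { $_ } }
```

Run it from an elevated PowerShell 5.1 or later prompt; any line under "FLAG:" or any row in the first two tables is an entry worth justifying or tightening.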
-
sorry, it looks like this blogging software truncated the config file text (I guess ya get what you pay for;). Here is the cut & paste of the configuration file again:
“Centos7 VM for VboxVMLab NGNE Fundamentals
base VM NO Software Installed
user=xxxxxxxxxxxxxxxxxxxxxxxxxxx
password=xxxxxxxxxxxxxxxxxxxxxxx all openstack passwords are xxxxxxxxxxxxxxxxxxxxxx
”
-
... posting the XML failed a second time. I think this el-cheapo blogging tool may be trying to interpret the XML statements, so you’ll have to check it out on your own or send me an email and I’ll reply with the text.
-
Hey class,
I found out that there’s a built in way to do screen recordings with in MacOS. You should be able to do screen recordings on your mac using the native quicktime player. After you open quicktime player, there’s an option under file to do a “new screen recording”. You can select the complete screen or you can select an area of the screen to record. Also there’s an option that shows your clicks in the recordings too.
Good luck!
Sev Shirozian
-
Hey All, is anyone else having issues with getting the PowerShell setup? I’m following the video from Box, but for my virtual machine, whenever I run the setup file, it’s showing the following messages.
'\\vmware-host\Shared Folders\Windows_LinkedPS_WU_Setup'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
C:\Windows>z:
Z:\>cd Windows_LinkedPS_Scripts
The system cannot find the path specified.
Z:\>Set Target=C:\Users\Public\Temple
Z:\>cd
Z:\
Z:\>echo C:\Users\Public\Temple
C:\Users\Public\Temple
Z:\>pause
Press any key to continue . . .
Z:\>dir C:\Users\Public\Temple
 Volume in drive C has no label.
 Volume Serial Number is 7ACD-BF08
 Directory of C:\Users\Public
File Not Found
Z:\>pause
Press any key to continue . . .
-
Nevermind everyone, I think I figured it out.
-
Good Morning,
I have seen that a few of you have sent me video files for your first assignment. Don’t forget to send in your outline of the steps as well. If you have any questions please let me know via e-mail.
-
Hi Sev,
Nice post, I agree. With new architecture methodology, we would definitely need new security controls. Unfortunately, security technologies have not reached the same level of advancement. With these methodologies all connected to the internet, newer encryption technologies, such as quantum cryptography, need to keep up.
-
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
Although this issue is destructive, the vulnerability seems to be somewhat limited or easily mitigated. At the end of the reading was a suggestion that updating the OS of the ATMs would mitigate this sort of attack. Another point was that the hackers needed physical access to the ATMs; this would mean implementation of physical controls would also mitigate this vulnerability.
-
I found it really interesting, well actually surprised, that these ATMs were still running Windows XP. Microsoft released this OS in 2001, roughly 17 years ago! They stopped supporting updates for it in 2014, so these machines hadn’t had any security updates or patches in at least 4 years. That’s really a scary thought considering that these are financial devices which could possibly put a lot of people at risk of having their account information compromised.
It would be wise for ATM manufacturers to begin installing a failsafe for not installing your security updates in a timely fashion. Perhaps have the ATM suspend service if a patch is released and not installed after more than 30 days, or similar.
-
Definitely, updating the OS would mitigate this issue. And, just as physical security is being given due consideration, so should we tighten the network security. Because, a lot of the ATM hackers have swung lately to network-based attacks. Attackers can hack into the bank’s main network easily through phishing mails directed at bank’s employees and once they enter the network, they can easily access the network’s meant for bank ATMs. Taiwan network attack (2016) is one such example. Such network-based attacks may not just steal the money from ATM but also jeopardizes personal information of the customers.
Another major concern is that these malware creators even sell their “products” to perpetrators who are not well versed in developing malware.
-
I don’t know enough about the full functions of an ATM machine. What do they store in their Electronic Journals? How long? Seeking answers on the internet I found this pdf of the ATM Software Security Best Practices Guide from ATMIA, an independent, non-profit trade association for ATM convenience and growth.
https://www.atmia.com/files/Best%20Practices/ATMIA%20Best%20Practices%20v3.pdf
It is a very thorough paper on the history and security of ATMs. I’d like to point out their goals 3, 4 & 6, which if followed by Diebold Nixdorf potentially could have saved them $1 million at the time of this writing.
Goal 3: Maintain a Vulnerability Management Program Pg 23
Goal 4: Implement Strong Access Control Measures Pg 24
Goal 6: Maintain an Information Security Policy Pg 26
ATM jackpotting, at least in this current instance, is a governance issue. Improper security practices have left a vulnerability and the crooks are finding it.
-
Seems like hyperlink for the campaign page I mentioned isn’t clickable. Below is the actual link:
https://www.irs.gov/pub/irs-pdf/p4524.pdf
-
Filing taxes early is probably the most efficient way to keep your tax return in your name, but it is a highly improbable outcome. I have never been able to file early. Forget your employer; if you invest in stocks it takes until March to see your documents. That has been my experience at least. When we are at the mercy of other, larger entities, what is someone to do?
The other best practices provided in this story are relevant and should be followed by everyone on the internet almost always. I like that they mentioned oversharing on social media. The general public is way too willing to add content to their social conglomerate, such that they forfeit basic privacy. If you wouldn’t be willing to provide personal information to a stranger over the phone on a cold call then you should keep it off social media.
The Equifax leak will likely aid in identity fraud for a few lifetimes.
-
Interesting stuff. I was recently discussing the Equifax breach with a colleague. A question came up regarding the risk of a system that had a SSN and account information, but did not actually contain the customers name or other identifiable information. Obviously this is restricted information regardless, but now the risk is much higher for these systems after the Equifax breach. Even if you only have the SSN of a person and their account information, with the Equifax breach you could potentially allow someone to purchase their Equifax record and look up their name using the SSN (if it was one of the 145 million records breached).
-
This is a really risky situation. If a fraudster is able to get a valid SSN and a Name, or even a birthday, they could easily open all kinds of credit cards, bank accounts, etc, and virtually ruin someones life with credit fraud. With the increases in these types of crime, could it possibly be time to upgrade our government SSN system from a number to possibly some sort of biometrics? We already have biometric scanning at ports of entry into the country, on a majority of smart phones, and even in public schools. We should implement these biometric scanning systems into our Government Identification systems as well as our banking systems to be used when opening any accounts.
-
The general public is way too willing to add content to their social conglomerate, such that they forfeit basic privacy.
YES!
Challenge questions that can be guessed by visiting social media sites:
What is your high school mascot?
Where did you go to elementary school?
What road did you grow up on?
What is your favorite sports team?
What is your favorite color?
On, and On, and On…
-
Very interesting article Vince. I was looking at some VM encryption about a year ago. I never got around to testing it out. I was very curious about the performance impact on the VM itself. Seems like in your test, there was very minimal impact. I was looking at storing a Virtual Server offsite for DR. Looking at encryption was one of the items we had on our list. We never moved forward with the project, so I never got to play around.
-
Brock, when I first heard about how they were getting into ATMs, I too was very surprised to find that the ATM systems were relying upon Windows. I would have bet anything that it was using some flavor of Unix/Linux as the OS. You’re right on target, the best way to stop these attacks is beefing up the physical security at the ATM. Connecting physically to the system, adding skimmers to read cards, it’s all physical. I assume they thought Windows was a safe operating system to use since it was contained, or so they thought. Kind of locked away and unobtainable! It just goes to prove again that thieves will go to any length, and find any little hole in a system to get through.
-
I’m going to assume that it was just lack of knowledge that led these ATM owners/operators to believe that keeping an old ATM without updating the software was perfectly fine. It honestly terrifies me considering that our financial institutions and devices should be one of the most secure things out there, but these devices hadn’t had software patches or updates in at least 4 years since Microsoft stopped supporting XP. Just think of how many people could have had their financial assets put at risk, even if you aren’t considering this recent string of jackpotting.
-
I mentioned in my other post, but I’ll reiterate here. I’m actually not very surprised that these devices are running Windows. Most ATMs were deployed many years ago and they are very expensive to replace or upgrade. At the time, a decision was probably made to use Windows based on user experience and functionality. I imagine financial institutions accepted some of the security risks and assumed they could rely on physical security and monitoring controls to LIMIT losses. One of the YouTube videos I watched mentioned that there has been over $1 million in losses related to these jackpotting attacks, but if you think about it, I know it would cost much much more to upgrade and replace all of these devices. In today’s age, however, the tools and techniques available to attackers are much more sophisticated. ATM manufacturers and financial institutions are clearly rethinking the traditional model.
-
A $1 million loss is still a large loss to any organization. It might cost a lot to perform upgrades and especially a redesign... BUT NOW Diebold Nixdorf is at least $1 million in the hole and is still holding the bag for a solution. This is another example of a failure to address security concerns or a lack of auditing. Upgrades and patches are imminent now and so is spending more $$$$
-
Thanks Frederic, a good post. We have an imaging process at our work to deploy workstations. We routinely run PowerShell scripts to configure our workstations. PowerShell is such a useful utility that most people don’t know about. With a little time and practice, you can really use it to your advantage! Just test what you’re doing first, I’ve seen some scripts really blow up a machine!! 🙂
-
These are really useful, thanks Freddy!
-
Freddy-
Does the white paper mention anything about redundancy for storing logs? On site sounds great but I would think having another copy is important. As we have learned in this program, malware and attackers will overwrite logs to hide suspicious activity.
And how about logging access to the logs? I need to read this white paper.
-
Fraser,
I did not see anything about off-site log storage, but that definitely makes sense to implement. You could log on an IaaS server and then pull the logs to your backup using a secure service broker. If the attacker somehow manages to intercept the logs then you probably have bigger problems.
-
Nice post Frederic,
I used these useful removal scripts with PowerShell for some unnecessary applications. Thank you.
-
Wow, I’m going to have to check these out and look more into what PowerShell is capable of. I’m more of a beginner with PowerShell and after several software installation issues, I didn’t have enough time or focusing capability after a long day at work to really dig deep into all that PowerShell can do.
I feel like with removing these it can definitely free up some storage and memory on the virtual machines.
-
Thanks for sharing Mustafa. I used SnagIt because it was recommended in Wade’s class, but I had to purchase it. I like it because it allows you to create advanced screen shots with detailed annotations, perform screen recording, and perform video recording. The only thing I don’t like about it is that I cannot seem to edit the recordings in SnagIt. I ended up using iMovie on my phone for this.
Does Game Bar allow you to record video? For some reason I don’t meet the hardware requirements for Game Bar on this PC.
What are some of the tools others used for Assignment 1?
-
I used Camtasia. It has a Camtasia Recorder and an Editor. I found the editor to be pretty useful since I could stitch multiple video recordings and also could add audio or other features later. It also comes with a bunch of features like adjusting frame speed and also supports several formats. However, it is not free!
-
This article is actually disclosing the real truth behind ongoing tax frauds. I am in favor of organized programs where people can get information about the complete steps of how they can safeguard their information. Such a step will educate and empower people to make sure that no frauds are taking place. I deeply believe that people are usually honest unless they don’t have an opportunity to commit something illegal. Therefore, if we can close all such windows of opportunities, the problem can automatically be eradicated.
-
Is it crazy that we still use a 9 digit plain text number to conduct authentication for our federal tax reporting system?
-
This is an important point to make Patrick. I completely agree with you about what you stated about the vulnerabilities in the existing ATM systems. To avoid these attacks, the technological upgradation is very much necessary. The business owners need to understand the importance of being safe from the loopholes of outdated versions of technologies. The physical safety of the premises is another relevant aspect which needs to be looked after. These safety measures can also be taken using the technology which can provide remote access of any such devices.
-
Absolutely Scott. I believe multi-factor authentication is a good way to keep the consumer’s information safe and secure. In today’s fast changing world where we see a lot of customer data driven businesses coming up, it is the responsibility of the organizations to ensure that data is secure and not available for malicious use to anybody. In such scenarios, multi-factor authentication gives a sense of confidence to users as well. This internet driven age is like a two-sided sword and a secure ecosystem for any kind of transactions is what can reduce this feeling of insecurity.
-
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
The increase in the quantum of data and the growing interactions between various devices have further increased the risk of threats. In the incident described in the article, a massive internet attack took place, affecting a large number of websites. These attacks happened with the help of hacked IoT devices including CCTV video cameras and digital video recorders. The cyber criminals targeted Dyn to cause internet problems for users who tried hitting sites such as Amazon, Netflix, Twitter, Reddit, etc.
While the source of the attacks has been unclear, it is said that Mirai could have been behind the attack. The way Mirai works is by attacking the less protected IoT devices that have nothing other than factory-supplied security.
-
https://krebsonsecurity.com/2018/01/chronicle-a-meteor-aimed-at-planet-threat-intel/
Chronicle: A Meteor Aimed At Planet Threat Intel?
This article talks about the following:
Alphabet, which is the parent company of the billion dollar search firm Google, aims to equip companies with tools that could allow them to work more efficiently on threat data that is generated by cybersecurity tools. While many organizations rely solely on the internal software and service to detect malicious threats and stop them, it doesn’t do any good because of the massive amounts of data generated by these cybersecurity tools, making it further difficult to identify missed threats.
The service from Alphabet named Chronicle is an advanced service that combines the power of advanced search, machine learning, data analytics, and storage capabilities. The goal of the service is to give much more power to the security teams to identify and analyse security signals in a more cost-effective manner.
It’s pretty clear that with the massive amounts of data that Google has and the internal resources that it possesses, Chronicle might be the next big thing in the world of cybersecurity. It is more important that any new service is not only efficient, but also filters out threats faster and is cheap. Today, many companies spend millions of dollars on software and systems that do not eradicate the vulnerability of threats.
-
https://technet.microsoft.com/en-us/library/cc514539.aspx
Windows Server 2008 Security Baseline
Microsoft has launched the security baseline for its Microsoft Security Compliance Manager platform. The SCM is basically a free tool from Microsoft that enables users to configure security parameters on computers, private cloud, datacentres, and Microsoft System Center Configuration Manager. The SCM is primarily designed to configure, access, and monitor the security baselines and parameters as defined for the Windows Server 2008 SP2 environment. The security baselines serve as a great way for users to protect their systems from threats. The Server security baselines provide technical support in understanding the nature of threats, implementing appropriate countermeasures and risk strategies, etc. The countermeasures list out the recommended measures to counter threats and to know the state of each countermeasure against those threats.
The various features of the SCM include baseline portfolio, security baseline export flexibility, and baseline management features to efficiently manage the security parameters against threats.
-
File Your Taxes Before Scammers Do It For You
https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
According to the article, the first day of the tax-filing season is also the day fraudsters start requesting phony tax refunds in the names of identity theft victims. This tax refund fraud affects hundreds of thousands of U.S. citizens annually. If we look at the highlights of the article:
– If you file your taxes electronically and the return is rejected, and if you were the victim of identity theft, you should submit an Identity Theft Affidavit – Form 14039.
– The IRS advises that if you suspect you are a victim of identity theft, continue to pay your taxes and file your tax return, even if you must do so by paper.
– If the IRS believes you were likely the victim of tax refund fraud in the previous tax year they will likely send you a special filing PIN that needs to be entered along with this year’s return before the filing will be accepted by the IRS electronically.
– While you’re getting your taxes in order this filing season, be on guard against fake emails or Web sites that may try to phish your personal or tax data. The IRS stresses that it will never initiate contact with taxpayers about a bill or refund. If you receive a phishing email that spoofs the IRS, consider forwarding it to phishing@irs.gov.
– Fraudsters are threatening taxpayers with arrest, deportation and other penalties if they don’t make an immediate payment over the phone. If you care for older parents or relatives, this may be a good time to remind them about these and other phone-based scams.
-
I agree with this post. It’s no secret that finance drives industry. The fact that some machines still run Windows XP is a strong indication that security is not a high priority for these ATM machines. As you stated, the company is most likely insured to withstand a reasonable amount of hits from the ATM machines, so it will take a significant loss until the franchise takes a hit. So who suffers from this theft? Ultimately I feel the ATM users in the short run, through higher ATM fees. Banks may charge a higher fee on their end to cover risk. It will be interesting to see what, if any, significant effect this has on the ATM industry.
-
From my experience in the industry, generally speaking, bank-owned ATMs are more likely to be more updated and have better security than non-bank owned ATMs. I know several banks are now rolling out ATMs which have enhanced security features to the point where you don’t even need your ATM card. This new technology can use token technology through your phone similar to ApplePay where your account number isn’t even sent. I personally try never to use non-bank owned ATMs (for the very few times I actually need to get paper money anymore). As we can see with this article, these non-bank ATMs are often not kept up to the same standards as the bank owned.
-
Another sobering fact is that the article indicates a situation where someone was able to get sensitive tax information from a mortgage company simply by supplying the last four digits of a SSN and matching caller id. With all of the recent breaches of PII in the news, how long will it take for companies to shore up their security regarding PII? Until then, it is up to the consumer to ensure their information is not being used fraudulently; the awareness campaign you mentioned, Satwika, is a great way to educate the consumer and help mitigate against these attacks.
-
Thanks Frederic, this was very helpful!
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 9 months ago
Group,
I have been working with our IT team and I was able to download the new VMWare; I think that we have a good handle on getting everyone running with VMWare. Use the following link VMWare Download.
In The […]
-
All, please send me an e-mail if you cannot download. I’ll send it to the person that can fix it for those that are still having issues downloading any of the software.
For the version of Windows, please use Windows 8 or 10. If you would like everything to work as is for the videos, PowerShell etc., the Windows 8.1 version works, as all the videos are recorded on it, just with a bit of a different interface. If you would like the challenge, as I have always seen it, of working to get things from documentation to functional, you will get a bigger challenge with Windows 10. I know I have so far. You will not get docked points for the first assignment; it will be where the desktop software is moving.
-
I have the same problems and I couldn’t download and install anything yet.
-
These aren’t showing up as hyperlinks to me (just plain text). Can you please confirm that we should be installing Windows 10 on VMWare Workstation 12 or VMWare Workstation 14?
I saw in the other thread that we are not going to be using Windows 7. Do the same instructions apply for windows, update Cygwin, Windows_LinkedPS_Scripts, and PowerShell? Or should we just be installing Windows 10 at this point and we’ll discuss the rest in class?
-
Here are the two links on the Week 1 Update:
To download Windows: Temple Download site
VMWare: Temple Download Site for VMWare
It is towards the bottom of the page.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 9 months ago
Good evening,
I’m glad to have met everyone on Thursday night. I really enjoyed our first class.
Here are the slides from last night: Operating-Systems-Week1
I have reviewed the video and only saw two po […]
-
Brock,
I like the approach you took with making the financial case for cyber security enhancements. The more knowledgeable cyber criminals are becoming, the more reason for companies to invest in proper security controls to protect their assets as well as their clients/customers. That 20% revenue loss is a scary number for any company. With so much of the US economy based on small and medium size businesses, that could essentially put some companies out of business if they don’t have a large enough profit margin and are just starting out.
-
I agree! With all the older technology out there which was introduced before security became as big of a concern as it is today (and some that is still being put into production), it’s imperative to educate companies developing these products as well as the users on the proper ways of protecting the devices. Firewalls, password updates, security updates, etc., should all be implemented together to properly secure these types of devices.
-
I completely agree Mark,
Change is always going to cause some friction and growing pains. Even in the workplace, I’m sure we all know of times when processes keep changing and we all get frustrated (because of course, we just mastered the old process). The key here is proper and effective communication. Everyone wants to be in control of their own lives. In order to get people to agree that the change is necessary, what is needed is communication and education about the reason for the change and why they decided to change the processes the way they did. All too often, change is pushed on people without any explanation and, in my opinion, that is one of the main reasons why there is so much friction with change.
-
This vulnerability with pacemakers really got me thinking. What other types of technology have been developed and are still in production today which don’t have the ability to have updates pushed and may have antiquated security vulnerabilities present? I’m sure there are tons of IoT devices which were developed throughout the years before security became as pressing of an issue as it is today. Security cameras, older ATMs, cash registers, other types of medical devices/monitors. Although a lot of the technology is newer and updated here in the US, we also need to keep in mind the technology in less developed areas of the world which may also be vulnerable and not have the ability or knowledge available to be patched.
-
Satwika,
I agree with everything you mentioned. One of the biggest vulnerabilities I’m seeing in society today is that there is literally half of the population from a generation that didn’t have anywhere near the amount of technology we have today when they were growing up. This is leading to a large amount of the population being technologically illiterate and when they try to bring these new technologies into their lives, they don’t know how to handle everything that comes with it. Hell, just the other day, my mother called me and was asking how to update her iMac because her TurboTax software gave a notification that she was using the old version and it needed an update before she could do her taxes. Education of the public is the most essential solution that needs to be addressed.
-
Hi Frederic,
I’m in complete agreement with your assessment. While automation is becoming more and more popular to increase efficiency and reliability for executing processes for companies to do good, it also has the same perks for those who wish to do harm. There’s no way a fraudster or hacker can take over millions of devices like the situation here without automation. The good thing about this method of attack for the users, is that if the vulnerability being exploited is found early enough, the OS can be patched or a user can manually update the password or other functionality so that the malicious automated script fails and moves on to its next target. That being said, if a hacker is attempting to access the device manually and they are skilled enough, they will see this and attempt to get in a different way.
-
Sadly, patches for some of these IoT devices are not possible and we will have to wait for them to “time out” in this world. Most of these devices are from lower-end manufacturers that are not worried about security but rather profit and cost. One of the articles I read about this from Krebs stated that the firmware from one manufacturer is not upgradable and the default password could not be changed. It is forever hackable. Time to throw it out. Enforcing a global standard might be the only future solution for prevention. As of now companies will have to look into DDoS protection.
-
The attacker simply needs to scan the global IPv4 address space (only 4,294,967,296) for known open ports.
Check this out. Can be done in seconds!
Censys.io
-
Satwika & Frederic,
I agree patching is a very big deal, but what if the IoT manufacturer didn’t provide enough space for constant patching? Example: hard drive limit.
The patching will crash the hard drive at some point because of the file additions. Also, as you mention in a previous post,
The manufacturer may have used a very basic OS, that can’t handle certain operations. Even logging in. They may only have the ability to use one username and password, that can’t be changed.
The end result from patching could crash the device and make it unusable.
I would be very upset as a consumer if I purchased a “smart” appliance and the internal hard drive crashed because the “.net” or “iOS” update was too big.
In my opinion, the manufacturers pushed out these products way too fast, in hopes to cash in on the “make my life easier” train, but forgot to install seat belts. I doubt if people are going to repurchase a new IoT device, so they will be sitting there for the pickings.
-
We are using Patch Management for our clients using a third-party product. If you are interested in the product, let me know and I will give you info.
Anyway,
One of the things you mention is patching causing issues with applications. This is something we run into from time to time from our clients. Another issue we have is patching software that was installed on only 1 or 2 machines, and never used again. These patches are more difficult to identify and could leave the network vulnerable to penetration. In a small business environment, many times employees can download whatever, wherever. The Scan, Patch, Scan is great advice, and don’t just focus on Windows patching. Patch everything!
-
Good points. I wonder how long before the ramifications of having lax IoT security begin to manifest themselves in unexpected ways – insurance companies refusing coverage to a company because it hasn’t upgraded its old SCADA controllers, 4th amendment issues with a law enforcement agency hacking into a driverless car in order to determine where a person was at a particular point in time and how long they were there, etc., etc.
-
Mark,
First, thank you for your service. Totally agree with your assessment. In addition, what was worrisome to me was the observation about exploits that fall outside of the orderly scanning and patching process – for example the iPhone leveraging a nearby accelerometer to detect what someone typed. I seem to recall several years ago during the cold war that the CIA had invented a method of pointing a laser at a window in order to measure vibrations caused by someone in the room talking. It was said that they could pick up extremely high quality recordings of conversations that occurred in a Russian Embassy. I think his statement “…anything that has software in it is going to be vulnerable – its going to have bugs…” should be expanded to something like, “…anything that has a devious and imaginative human intellect at work against it is going to be vulnerable…” ;):)
-
Thank you Jason. Completely understand and agree Jason – I guess it’s more an issue of quibbling/semantics. I don’t believe that dirtyc0w is a privilege escalation method at all, it’s simply a tool that can be used as part of privilege escalation – right? In other words, dirtyc0w itself doesn’t ‘do’ the privilege escalation any more than the C compiler does – but in the case of dirtyc0w you need both to actually accomplish the exploit (the dirtyc0w source code and access to a gcc compiler). We don’t refer to the C compiler as a privilege escalation exploit, so why should we assign the same label to dirtyc0w? True, it was expressly created for that purpose (and the C compiler was not) but I think that’s beside the point – you could use dirtyc0w for any number of useful (and ethical) things.
Again, this was just more quibbling than anything else;)
-
Physical security falls short when it comes to pacemakers. The common connections to the pacemakers recalled during this time communicate through Bluetooth, or at least an earlier version of it. It was so new that security was an afterthought. Yes, another one of these mishaps.
Check out these three reasons as to why pacemakers are vulnerable to hacking:
Three key issues hold back cyber-safety:
1. Most embedded devices don’t have the memory or power to support proper cryptographic security, encryption or access control.
2. Doctors and patients prefer convenience and ease of access over security control.
3. Remote monitoring, an invaluable feature of embedded devices, also makes them vulnerable.
http://theconversation.com/three-reasons-why-pacemakers-are-vulnerable-to-hacking-83362
-
This is a good list of what we should do, but what can we do when manufacturers with a minimal overhead don’t include a way to change default credentials? In response to telnet and SSH on these devices:
“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
We are at a point where we need a governing organization to impose rules and regulations.
-
Nice post Mustafa – Has anyone ever tried one of the Mirai scanners that are available such as this one?
https://www.incapsula.com/mirai-scanner/
The scanner checks ports 22 (ssh)/23 (telnet) to see if it can connect to any IoT devices. I gave this a try, but it did not scan successfully. I got the message “a device being scanned is infected with Mirai or because there are no vulnerable ports on your devices”. The support page says it is likely the latter, but I would need to restart all of my IoT devices to make sure. Restarting the devices disables Mirai’s blocking capability to enable a valid scan.
Restart all of my IoT devices?! Sounds like a weekend project!
-
Hi Vince,
What a thorough post! Nice work. I think the key in why it is referred to as a “privilege escalation” exploit is because of this statement you made: “This will replace/overwrite the existing sudo (root) line of text with a new line containing your user name added to the sudo group.” Since you are a non-root user and you were able to use this exploit to gain root access under your own name (without the root password), I can understand why it is considered a “privilege escalation” exploit. Many exploits only allow you to gain access to the command line with minimum privileges, but if an attacker can combine those exploits with dirtyc0w, they can cause some serious damage.
-
Our organization is also currently heavily focused on vulnerability and patch management right now. The traditional model requires periodic scans and typically manually patching servers that have the highest vulnerabilities. We are shifting to automated patching capabilities that will be used to patch systems uniformly and in an expedited manner. This method will still require testing patches in lower environments to ensure they do not break the application or system that the OS supports, however TS people need to be able to continuously regression test their applications as security patches are applied so that they are prepared as the patches are automatically deployed through higher environments, including production.
Cloud computing is facilitating this automation across the industry as it allows you to deploy patches and configuration changes across the footprint (rather than one by one).
-
Pat,
By forcing the users to change their default passwords during the initial login it will certainly make the systems more difficult to breach. I really liked your idea to have a rule programmed in place that requires users to install patches as they’re available and for the device to disconnect at a set point if it’s not updated. This would be a great way to force updates being installed in a timely manner and ensure that the latest security updates are applied. I think the end users might complain a bit initially however, part of the battle moving forward will be educating them on the importance of these sorts of things.
-
Fraser,
I liked how you mentioned that in the future we can expect that people will still be using whatever their ISP gives them. You’re correct in the regard that they can do a few things alright but nothing really good. The key as you recommended is a better baseline which can hopefully zone in a little more on the security perspective as we already know that 99% of people will not be scrutinizing their devices in the same manner you are. This is why a baseline approach that gets pushed out would be a good start. As Pat DeStefano recommended, configuring new devices with a rule that requires users update them as the newest patches become available would be a great addition to a hardened baseline. The legislation thing you mentioned is a whole separate beast though. Unfortunately it will probably take something much worse happening until that takes place.
-
Richard,
As you pointed out, this technology is being released at an alarming rate. It is difficult enough trying to keep up with the current technology in terms of mitigating the vulnerabilities as they appear, let alone maintaining pace with the new ones as they hit the streets. Couple that with the fact that security is often an afterthought as companies try to push out the newest tech before their competitors with little to no regard for the potential ramifications of doing so. It is up to us to work to mitigate these vulnerabilities as tech continues to evolve as well as raising user awareness along the way. Needless to say, we certainly have our work cut out for us.
-
Thanks Duy! I’ll have to give them a call tomorrow.
-
Satwika, I agree with your additions. I love that you mention patching. I never considered that myself, but keeping the firmware and software up to date is essential. I think that most end users never consider applying patches to their devices, because the devices are so out of sight (and out of mind). I believe the expectation that “It just works” applies to the user mentality here. Because of that mindset many customers do not see security as a feature but as a chore. I do not believe that this mentality will change since the attackers are usually smart and never affect the IoT device’s functionality.
-
Sev,
I like the fact that you are suggesting somewhat of a defense in depth concept here. Sure, the first thing that could have helped prevent this was changing the default passwords. I think it’s a good recommendation for the vendors to incorporate this practice during the initial setup process. By incorporating these simple procedures as you recommended it could have been a huge deterring factor for the adversary. Raising situational awareness of these sorts of issues with everyone from the vendors to the end users will be clutch as we move forward in an attempt to prevent future recurrences of this event.
-
Hi Patrick,
You have to call Fox IT Support, I had the same problem.
215-204-3847 (9am to 5pm)
-
We are going to use Windows 10. I have not had luck finding a Windows 7 version. We can use the current videos for Windows 7 and will work to fill in the gaps as we need.
-
Duy,
I agree with your statement that no system/device can be 100% threat proof but there are many things that we can do to help mitigate most of these vulnerabilities. Staying up to date with the most current patches and incorporating recommended best practices will certainly help. We are challenged with this task which is an ongoing issue that will only grow more complex as we witness the advances in technology.
-
Frederic,
Great post. This unfortunately was an attack that could have been prevented or at the very least mitigated to reduce the overall impact that was seen. Having default passwords in place as you pointed out is almost like an invitation for the adversary to exploit them. I also loved your mention of properly securing incoming connections in a home network as this is generally something that most individuals aren’t mindful of. Manually setting NAT would be a great deterrent; however, as we all know, the majority of people aren’t very tech savvy when dealing with their home networks. This will be a continued challenge as we move forward and can hopefully raise some situational awareness of the real time threats that are out there.
-
Satwika,
I like the fact that you opened with the fact that we are dealing with a lot of not so well educated end users utilizing these types of products. Hopefully as we move forward with this challenge we can raise awareness and learn from this unfortunate and mostly preventable incident. I also liked that you suggest as a mitigating factor for the issue with default passwords being used that the users could be prompted to change them upon the first login. This is the standard in the majority of organizations and rightfully so. Something as simple as this could have deterred or at least slowed the adversary from gaining access. Patching is also a huge issue. Think of how many people probably hit “remind me later” when the notification pops up that there is a new update available. Hopefully moving forward from this with a heightened level of awareness for folks it will make people think twice about delaying running those updates.
-
Although, I’m not finding any links to download Windows 7. The only things I’m seeing are for Windows 10.
-
I’m having an issue where it says my account is expired and unable to download VMware, but not having the issue with Windows.
-
I was able to get into the Imagine link but the oldest version of windows available to me was Windows 8. Did anyone find Windows 7 when they logged in?
-
https://computerservices.temple.edu/educational-discounts-computer-equipment-and-software
Scroll down-to: “Microsoft’s Imagine Subscription Program” You will need to get an account from the site; They have moved the link from last year. Let me know how that works for you.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 9 months ago
Good evening,
I’m glad to have met everyone on Thursday night. I really enjoy our first class.
Here are the slides from last night: Operating-Systems-Week1
I have reviewed the video and only saw two po […]
-
I’ve visited the Temple download site, but I’m not finding any of the Windows versions available. I’ve used this site several times to download multiple versions of Windows and office products, but I’m not sure why there are no Microsoft products available to me. I contacted support, but is anyone else having this issue?
Thank you,
Jason
-
RE: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
After reading the online post on Krebs on Security, “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage”, I think one of the best ways to have softened the blow with this would have been if everyone used egress filters as much as ingress filters, preventing those IoT devices from having free rein on anything on the Internet. Even if the IoT devices got compromised, the network or firewall could have prevented the communication from those IoT devices to Dyn or anywhere on the Internet. Another way to prevent a massive attack like this is if the vendors, as part of setting up the IoT devices, made it a step during setup or configuration to change default passwords on the IoT devices. That could have also mitigated bad actors from accessing wide open devices connected to the Internet.
– Sev Shirozian
-
I would like to add my following views in addition to the ones mentioned by Frederic regarding the October 21 IoT DDoS attacks.
I believe that the increasing number of Internet of Things (IoT) devices with very limited or no security measures at all, and also the not so well educated end users of these products, make these devices a more attractive target for creating botnets than the conventional devices.
1. Since DDoS infection happened mainly because of the use of default passwords on these devices, one suggestion would be to compel the end users to change the password during the first login itself before they navigate to making any further configuration of the device.
2. PATCHING: According to my understanding, patching is often neglected in most of the IoT devices by the manufacturers as well as end users. Most of the IoT devices run on antiquated versions of Linux and so become even more vulnerable from the security point of view. Although some of these devices may receive patches from the vendors, most of the manufacturers do not even create patches for these devices since often these devices are developed with cost optimization in mind. Thus, they become highly vulnerable to any malware infections or security breaches. Also, the end users should be well educated about the product and they should be advised to check with their vendors periodically for updates.
3. SYSTEM HARDENING: I understand that many of the IoT devices may not be capable of running an AV, but it is more important to have security within the host itself. Manufacturers must have checks to ensure that their device/system abides by the system hardening guidelines. For example, the ports must be enabled only when required by the end user. Also, aborting services and applications that are running in the background and are not necessary for the device operation.
4. LOGGING: This would apply best in an enterprise situation. The IT or respective department in an enterprise should maintain access logs of their IoT in a secured location. Monitoring these logs will help them identify in case their devices are compromised. However, this method may not be the best option in the case of large enterprises with infinite number of IoT devices.
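The logging suggestion above (keep and monitor access logs to spot compromised devices) and the egress-filtering idea from Sev’s post can be combined into a small monitor. The script below is an added example written for this thread, not code from any post or vendor; it assumes a made-up key=value firewall log format, an IoT segment of 192.0.2.0/24 (a documentation address range used as a placeholder), and an egress allow-list of DNS, NTP and HTTPS, and it flags both egress-policy violations and the telnet/ssh fan-out a Mirai-style bot produces.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder IoT segment (RFC 5737 documentation range); an assumption of this example.
IOT_NET = ipaddress.ip_network("192.0.2.0/24")

# Outbound destination ports an IoT device on this segment is allowed to reach.
# Anything else accepted by the firewall means the egress filter is missing or too loose.
ALLOWED_EGRESS_PORTS = {53, 123, 443}

# Telnet and SSH: the ports the Mirai scanners discussed in the thread look for.
SCAN_PORTS = {22, 23}
SCAN_THRESHOLD = 5  # distinct destinations on scan ports before a device is flagged

# Assumed log format (constructed for this example): one line per outbound
# connection attempt, key=value fields, action is the firewall verdict.
LOG_RE = re.compile(
    r"ts=(?P<ts>\d+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>accept|drop)"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for lines we cannot parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Scan log lines and return two kinds of findings for IoT-segment sources.

    policy_violations: (src, dst, dport) tuples where an IoT device reached a
        port outside the egress allow-list and the firewall let it through.
    scanners: {src: n_targets} for devices that contacted at least
        SCAN_THRESHOLD distinct hosts on telnet/ssh (accepted or dropped),
        which is the fan-out a self-propagating bot produces.
    """
    policy_violations = []
    scan_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        if ipaddress.ip_address(rec["src"]) not in IOT_NET:
            continue  # only the IoT segment is in scope for this monitor
        if rec["action"] == "accept" and rec["dport"] not in ALLOWED_EGRESS_PORTS:
            policy_violations.append((rec["src"], rec["dst"], rec["dport"]))
        if rec["dport"] in SCAN_PORTS:
            scan_targets[rec["src"]].add(rec["dst"])
    scanners = {src: len(t) for src, t in scan_targets.items() if len(t) >= SCAN_THRESHOLD}
    return {"policy_violations": policy_violations, "scanners": scanners}


# Constructed sample log (not real traffic): a camera at .10 misbehaves,
# a thermostat at .20 behaves as expected, and a laptop outside the segment is ignored.
SAMPLE_LOG = [
    "ts=1000 src=192.0.2.10 dst=203.0.113.5 dport=443 action=accept",    # normal cloud check-in
    "ts=1001 src=192.0.2.10 dst=203.0.113.9 dport=25 action=accept",     # SMTP from a camera: violation
    "ts=1002 src=192.0.2.10 dst=198.51.100.1 dport=23 action=drop",
    "ts=1002 src=192.0.2.10 dst=198.51.100.2 dport=23 action=drop",
    "ts=1003 src=192.0.2.10 dst=198.51.100.3 dport=23 action=drop",
    "ts=1003 src=192.0.2.10 dst=198.51.100.4 dport=22 action=drop",
    "ts=1004 src=192.0.2.10 dst=198.51.100.5 dport=23 action=drop",      # 5th distinct target: scanner
    "ts=1005 src=192.0.2.20 dst=203.0.113.53 dport=53 action=accept",    # DNS, allowed
    "ts=1006 src=192.0.2.20 dst=203.0.113.123 dport=123 action=accept",  # NTP, allowed
    "ts=1007 src=198.51.100.77 dst=203.0.113.9 dport=25 action=accept",  # not in IoT segment: ignored
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, dst, dport in findings["policy_violations"]:
        print(f"egress violation: {src} -> {dst}:{dport}")
    for src, n in findings["scanners"].items():
        print(f"possible Mirai-style scanner: {src} probed {n} hosts on telnet/ssh")
```

Note that the scanner check counts dropped attempts too: a working egress filter stops the spread, but the log of blocked probes is what tells you the device is already infected.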
-
Satwika,
I agree with everything you mentioned. One of the biggest vulnerabilities I’m seeing in society today is that there is literally half of the population from a generation that didn’t have anywhere near the amount of technology we have today when they were growing up. This is leading to a large amount of the population being technologically illiterate and when they try to bring these new technologies into their lives, they don’t know how to handle everything that comes with it. Hell, just the other day, my mother called me and was asking how to update her iMac because her TurboTax software gave a notification that she was using the old version and it needed an update before she could do her taxes. Education of the public is the most essential solution that needs to be addressed.
-
-
https://www.npr.org/2017/01/13/509355546/what-happens-when-hackers-hijack-our-smart-devices
Based on the Avi Rubin presentation of hackable devices, all devices seem to have vulnerabilities no matter what. No system/device can be 100% threat-proof. Access to these systems varies from wired, wireless or even Bluetooth connectivity.
There can be a variety of mitigation techniques that could be used to reduce or mitigate these risks, either protective or detective techniques. Since most or all devices are not 100% threat proof, there should be more focus on detective techniques such as IDS or a strong IPS system. There are of course many preventative techniques such as patching vulnerabilities, firewall, updated antivirus, creating secure accounts, and baselines/or standards.
-
I completely agree Mark,
Change is always going to cause some friction and growing pains. Even in the workplace, I’m sure we all know of times when processes keep changing and we all get frustrated (because of course, we just mastered the old process). The key here is proper and effective communication. Everyone wants to be in control of their own lives. In order to get people to agree that the change is necessary, communication and education about the reason for the change and why they decided to change the processes the way they did is needed. All too often, change is pushed on people without any explanation and, in my opinion, that is one of the main reasons why there is so much friction with change.
-
-
Fraser,
I liked how you mentioned that in the future we can expect that people will still be using whatever their ISP gives them. You’re correct in the regard that they can do a few things alright but nothing really good. The key as you recommended is a better baseline which can hopefully zone in a little more on the security perspective as we already know that 99% of people will not be scrutinizing their devices in the same manner you are. This is why a baseline approach that gets pushed out would be a good start. As Pat DeStefano recommended, configuring new devices with a rule that requires users update them as the newest patches become available would be a great addition to a hardened baseline. The legislation thing you mentioned is a whole separate beast though. Unfortunately it will probably take something much worse happening until that takes place.
-
Richard,
As you pointed out, this technology is being released at an alarming rate. It is difficult enough trying to keep up with the current technology in terms of mitigating the vulnerabilities as they appear let alone maintaining pace with the new ones as they hit the streets. Couple that with the fact that security is often an after thought as companies try to push out the newest tech before their competitors with little to no regard for the potential ramifications of doing so. It is up to us to work to mitigate these vulnerabilities as tech continues to evolve as well as raising user awareness along the way. Needless to say, we certainly have our work cut out for us.
-
This is a good list of what we should do, but what can we do when manufacturers with a minimal overhead don’t include a way to change default credentials. In response to telnet and SSH on these devices:
“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”We are at a point where we need a governing organization to impose rules and regulations.
-
Physical security falls short when it comes to pacemakers. The common connections to the pacemakers recalled during this time communicate through bluetooth, or at least an earlier version of it. It was so new that security was an afterthought. yes another one of these mishaps.
check out these three reasons as to why pacemakers are vulnerable to hacking:
Three key issues hold back cyber-safety:
1. Most embedded devices don’t have the memory or power to support proper cryptographic security, encryption or access control.
2. Doctors and patients prefer convenience and ease of access over security control.
3. Remote monitoring, an invaluable feature of embedded devices, also makes them vulnerable.
http://theconversation.com/three-reasons-why-pacemakers-are-vulnerable-to-hacking-83362
-
This vulnerability with pacemakers really got me thinking. What other types of technology have been developed and are still in production today which don’t have the ability to have updates pushed and may have antiquated security vulnerabilities present? I’m sure there are tons of IoT devices which were developed throughout the years before security became as pressing of an issue as it is today: security cameras, older ATMs, cash registers, other types of medical devices/monitors. Although a lot of the technology is newer and updated here in the US, we also need to keep in mind the technology in less developed areas of the world which may also be vulnerable and not have the ability or knowledge available to be patched.
-
-
The most important step in preventing DDoS attacks like the one that took place on 10/21/16, in my opinion, is security awareness. This awareness must be adopted by both manufacturers and consumers. With the popularity of IoT devices growing at a rapid pace, more and more devices in our environment have an IP address. As the quote Avi Rubin used at the end of the TED Talk states, “just because you can connect something to the Internet, does not mean you should.” Every device that is given access to the Internet increases the attack surface and could introduce new vulnerabilities into a network.
Manufacturers must be aware of the dangers IoT devices can bring to a network and must embed security in their production using a secure SDLC, which ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. Manufacturers should also be responsible for informing consumers of the risk an IoT device could bring to the consumer’s network environment. Much like the warning instructions included on devices to prevent physical harm, manufacturers should include warnings to inform consumers on making their IoT devices more secure, such as changing default usernames, passwords, etc.
Providing consumers with information to make them security aware is much less difficult than getting them to adhere to these practices. That’s why I feel manufacturers should do as much as possible on their end to produce devices that are secure by design. As more devices get hacked, secure software engineering is becoming a necessity; manufacturers must act proactively on cyber security issues to remain competitive.
-
Mark,
First, thank you for your service. Totally agree with your assessment. In addition, what was worrisome to me was the observation about exploits that fall outside of the orderly scanning and patching process – for example the iPhone leveraging a nearby accelerometer to detect what someone typed. I seem to recall several years ago during the cold war that the CIA had invented a method of pointing a laser at a window in order to measure vibrations caused by someone in the room talking. It was said that they could pick up extremely high quality recordings of conversations that occurred in a Russian Embassy. I think his statement “…anything that has software in it is going to be vulnerable – it’s going to have bugs…” should be expanded to something like, “…anything that has a devious and imaginative human intellect at work against it is going to be vulnerable…” ;):)
-
Good points. I wonder how long before the ramifications of having lax IoT security begin to manifest themselves in unexpected ways – insurance companies refusing coverage to a company because it hasn’t upgraded its old SCADA controllers, 4th amendment issues with a law enforcement agency hacking into a driverless car in order to determine where a person was at a particular point in time and how long they were there, etc., etc.
-
The attacker simply needs to scan the global IPv4 address space (only 4,294,967,296) for known open ports.
Check this out. Can be done in seconds!
Censys.io
-
Sadly, patches for some of these IoT devices are not possible and we will have to wait for them to “time out” in this world. Most of these devices are from lower-end manufacturers that are not worried about security but rather profit and cost. One of the articles I read about this from Krebs stated that the firmware from one manufacturer is not upgradable and the default password could not be changed. It is forever hackable. Time to throw it out. Enforcing a global standard might be the only future solution for prevention. As of now, companies will have to look into DDoS protection.
-
Hi Frederic,
I’m in complete agreement with your assessment. While automation is becoming more and more popular to increase efficiency and reliability for executing processes for companies to do good, it also has the same perks for those who wish to do harm. There’s no way a fraudster or hacker can take over millions of devices like the situation here without automation. The good thing about this method of attack for the users is that if the vulnerability being exploited is found early enough, the OS can be patched or a user can manually update the password or other functionality so that the malicious automated script fails and moves on to its next target. That being said, if a hacker is attempting to access the device manually and they are skilled enough, they will see this and attempt to get in a different way.
-
I agree! With all the older technology out there which was introduced before security became as big of a concern as it is today (and some that is still being put into production), it’s imperative to educate companies developing these products as well as the users on the proper ways of protecting the devices. Firewalls, password updates, security updates, etc., should all be implemented together to properly secure these types of devices.
-
Brock,
I like the approach you took with making the financial case for cyber security enhancements. The more knowledgeable cyber criminals are becoming, the more reason for companies to invest in proper security controls to protect their assets as well as their clients/customers. That 20% revenue loss is a scary number for any company. With so much of the US economy based on small and medium size businesses, that could essentially put some companies out of business if they don’t have a large enough profit margin and are just starting out.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 9 months ago
Welcome to MIS5170 – Operating Systems Security.
Great to have you all! I hope you are as excited to get started as I am. We will begin on Thursday January 18th when we will go through the structure of th […]
-
This is a really risky situation. If a fraudster is able to get a valid SSN and a name, or even a birthday, they could easily open all kinds of credit cards, bank accounts, etc., and virtually ruin someone’s life with credit fraud. With the increases in these types of crime, could it possibly be time to upgrade our government SSN system from a number to possibly some sort of biometrics? We already have biometric scanning at ports of entry into the country, on a majority of smart phones, and even in public schools. We should implement these biometric scanning systems into our government identification systems as well as our banking systems to be used when opening any accounts.
From my experience in the industry, generally speaking, bank-owned ATMs are more likely to be more updated and have better security than non-bank-owned ATMs. I know several banks are now rolling out ATMs which have enhanced security features to the point where you don’t even need your ATM card. This new technology can use token technology through your phone, similar to Apple Pay, where your account number isn’t even sent. I personally try never to use non-bank-owned ATMs (for the very few times I actually need to get paper money anymore). As we can see with this article, these non-bank ATMs are often not kept up to the same standards as the bank-owned ones.
Thanks Frederic, this was very helpful!
Another sobering fact is that the article indicates a situation where someone was able to get sensitive tax information from a mortgage company simply by supplying the last four digits of a SSN and matching caller ID. With all of the recent breaches of PII in the news, how long will it take for companies to shore up their security regarding PII? Until then, it is up to the consumer to ensure their information is not being used fraudulently; the awareness campaign you mentioned, Satwika, is a great way to educate the consumer and help mitigate against these attacks.
I agree with this post. It’s no secret that finance drives industry. The fact that some machines still run Windows XP is a strong indication that security is not a high priority for these ATM machines. As you stated, the company is most likely insured to withstand a reasonable amount of hits from the ATM machines, so it will take a significant loss until the franchise takes a hit. So who suffers from this theft? Ultimately I feel the ATM users in the short run, through higher ATM fees. Banks may charge a higher fee on their end to cover risk. It will be interesting to see what, if any, significant effect this has on the ATM industry.
Is it crazy that we still use a 9 digit plain text number to conduct authentication for our federal tax reporting system?
The general public is way too willing to add content to their social conglomerate that they forfeit basic privacy.
YES!
Challenge questions that can be guessed by visiting social media sites:
What is your high school mascot?
Where did you go to elementary school?
What road did you grow up on?
What is your favorite sports team?
What is your favorite color?
On, and On, and On…
Check out how easy it is to start an ATM business. It is similar to the vending machine business. The owners of these ATMs, with Diebold Nixdorf software (running on Windows), have no clue about Windows XP, the software, the hard drive, or even the physical controls.
These owners are making an investment in a “franchise” type business. They are putting the machines in a location and visiting them every week or two, just to fill and check to see if something looks different. I would imagine one large company owning millions of ATM machines that were purchased through Diebold Nixdorf.
So Diebold emails the owner and says, hey franchisee… The millions of ATM machines you purchased are vulnerable. We will send you a new hard drive (which the owner says, “What is a hard drive?”). Then the owner will need to install and configure the hard drive (which the owner says, “What is a hard drive?”). Then the owner will need to purchase and install new security locks on the cases of all “million” of your machines.
Or you can risk that a very sophisticated hacker will conduct a jackpotting scam and get a max amount of $40,000 per machine if the standard machine held all $20s. (Common machines hold 20,000 notes. The note value depends on how you configure the ATM.) I can almost guarantee that the company with over a million ATM machines has only decided to do this on certain ones and will take their chances.
They don’t feel like spending the money to protect it properly, so they will say, “Hey, if you are good enough to do it, go for it… I have insurance for this anyway, and if the police catch you… You are going to jail.” Now, let me get back to fishing on my yacht…
I used Camtasia. It has a Camtasia Recorder and an Editor. I found the editor to be pretty useful since I could stitch multiple video recordings and also could add audio or other features later. It also comes with a bunch of features like adjusting frame speed and also supports several formats. However, it is not free!
Fraser,
I did not see anything about off-site log storage, but that definitely makes sense to implement. You could log on an IaaS server and then pull the logs to your backup using a secure service broker. If the attacker somehow manages to intercept the logs, then you probably have bigger problems.
This article is actually disclosing the real truth behind ongoing tax frauds. I am in favor of organized programs where people can get information about the complete steps of how they can safeguard their information. Such a step will educate and empower people to make sure that no frauds are taking place. I deeply believe that people are usually honest unless they don’t have an opportunity to commit something illegal. Therefore, if we can close all such windows of opportunities, the problem can automatically be eradicated.
This is an important point to make Patrick. I completely agree with you about what you stated about the vulnerabilities in the existing ATM systems. To avoid these attacks, the technological upgradation is very much necessary. The business owners need to understand the importance of being safe from the loopholes of outdated versions of technologies. The physical safety of the premises is another relevant aspect which needs to be looked after. These safety measures can also be taken using the technology which can provide remote access of any such devices.
Absolutely Scott. I believe multi-factor authentication is a good way to keep the consumer’s information safe and secure. In today’s fast-changing world where we see a lot of customer-data-driven businesses coming up, it is the responsibility of the organizations to ensure that data is secure and not available for malicious use to anybody. In such scenarios, multi-factor authentication provides a sense of confidence to users as well. This internet-driven age is like a two-sided sword, and a secure ecosystem for any kind of transaction is what can reduce this feeling of insecurity.
I don’t know enough about the full functions of an ATM machine. What do they store in their Electronic Journals? How long? Seeking answers on the internet, I found this PDF of the ATM Software
Security Best Practices Guide from ATMIA, an independent, non-profit trade association for ATM convenience and growth.
https://www.atmia.com/files/Best%20Practices/ATMIA%20Best%20Practices%20v3.pdf
It is a very thorough paper on the history and security of ATMs. I’d like to point out their goals 3, 4 & 6, which if followed by Diebold Nixdorf potentially could have saved them $1 million at the time of this writing.
Goal 3: Maintain a Vulnerability Management Program Pg 23
Goal 4: Implement Strong Access Control Measures Pg 24
Goal 6: Maintain an Information Security Policy Pg 26
ATM jackpotting, at least in this current instance, is a governance issue. Improper security practices have left a vulnerability and the crooks are finding it.
A $1 million loss is still a large loss to any organization. It might cost a lot to perform upgrades and especially a redesign… BUT NOW Diebold Nixdorf is at least -$1 million in the hole and is still holding the bag for a solution. This is another example of a failure to address security concerns or a lack of auditing. Upgrades and patches are imminent now and so is spending more $$$$
I mentioned this in my other post, but I’ll reiterate here. I’m actually not very surprised that these devices are running Windows. Most ATMs were deployed many years ago and they are very expensive to replace or upgrade. At the time, a decision was probably made to use Windows based on user experience and functionality. I imagine financial institutions accepted some of the security risks and assumed they could rely on physical security and monitoring controls to LIMIT losses. One of the YouTube videos I watched mentioned that there has been over $1 million in losses related to these jackpotting attacks, but if you think about it, I know it would cost much, much more to upgrade and replace all of these devices. In today’s age, however, the tools and techniques available to attackers are much more sophisticated. ATM manufacturers and financial institutions are clearly rethinking the traditional model.
I found it really interesting, well actually surprised, that these ATMs were still running Windows XP. Microsoft released this OS in 2001, roughly 17 years ago! They stopped supporting updates for it in 2014, so these machines hadn’t had any security updates or patches in at least 4 years. That’s really a scary thought considering that these are financial devices which could possibly put a lot of people at risk of having their account information compromised.
It would be wise for ATM manufacturers to begin installing a failsafe for not installing your security updates in a timely fashion. Perhaps have the ATM suspend service if a patch is released and not installed after more than 30 days, or similar.
I’m going to assume that it was just lack of knowledge that led these ATM owners/operators to believe that keeping an old ATM without updating the software was perfectly fine. It honestly terrifies me considering that our financial institutions and devices should be one of the most secure things out there, but these devices hadn’t had software patches or updates in at least 4 years since Microsoft stopped supporting XP. Just think of how many people could have had their financial assets put at risk, even if you aren’t considering this recent string of jackpotting.
Definitely, updating the OS would mitigate this issue. And, just as physical security is being given due consideration, so should we tighten the network security, because a lot of the ATM hackers have swung lately to network-based attacks. Attackers can hack into the bank’s main network easily through phishing mails directed at the bank’s employees, and once they enter the network, they can easily access the networks meant for bank ATMs. The Taiwan network attack (2016) is one such example. Such network-based attacks may not just steal the money from the ATM but also jeopardize the personal information of the customers.
Another major concern is that these malware creators even sell their “products” to perpetrators who are not well versed in developing malware.
It’s inevitable that sensitive information will get breached at some point in time. It’s up to us, as consumers, to demand that companies are held responsible for any negligence and to ask our governing bodies to enact logical and effective regulation and standards to promote heightened security measures against cyber attacks. Like you mentioned about putting the hold on your Experian credit account and using multi-factor authentication: multi-factor authentication is very helpful in adding an additional layer of security.
Just from personal experience, I have an account with a popular cryptocurrency trading site which requires multi-factor authentication via a digital token. Whenever I first set up my account, I had to download Google Authenticator, which is a digital token generator. Now when I login, it asks for my username, password, and token number in addition to an anti-bot puzzle test. In my opinion, any secure or sensitive information should use multi-factor authentication, especially if making changes to an account or opening a credit card or something along those lines.
Interesting stuff. I was recently discussing the Equifax breach with a colleague. A question came up regarding the risk of a system that had a SSN and account information, but did not actually contain the customers name or other identifiable information. Obviously this is restricted information regardless, but now the risk is much higher for these systems after the Equifax breach. Even if you only have the SSN of a person and their account information, with the Equifax breach you could potentially allow someone to purchase their Equifax record and look up their name using the SSN (if it was one of the 145 million records breached).
Thanks for sharing Mustafa. I used SnagIt because it was recommended in Wade’s class, but I had to purchase it. I like it because it allows you to create advanced screen shots with detailed annotations, perform screen recording, and perform video recording. The only thing I don’t like about it is that I cannot seem to edit the recordings in SnagIt. I ended up using iMovie on my phone for this.
Does Game Bar allow you to record video? For some reason I don’t meet the hardware requirements for Game Bar on this PC.
What are some of the tools others used for Assignment 1?
Wow, I’m going to have to check these out and look more into what PowerShell is capable of. I’m more of a beginner with PowerShell and after several software installation issues, I didn’t have enough time or focusing capability after a long day at work to really dig deep into all that PowerShell can do.
I feel like with removing these it can definitely free up some storage and memory on the virtual machines.
Nice post Frederic,
I used these useful removal scripts with PowerShell for some unnecessary applications. Thank you.
Great post Sev – the key points were nicely laid out. The impression that I came away with after reading the paper was that the recommendations made in the SANS article seemed to me like they were preparing to ‘fight the next war using weapons and implements from the last war’. The document seemed to take a perspective more along the lines of security best practice recommendations from a couple of years ago instead of providing an insight into future security architecture.
For example, in my opinion:
– The article continually references the need to secure ‘THE cloud’. That may have been applicable a few years ago when enterprises were initially starting to experiment with cloud viability as a delivery platform (by moving a few non-mission-critical applications over to a SINGLE AWS or GCS instance), but today there is no ‘THE cloud’ – today businesses deploy their applications on MULTIPLE public and private clouds in addition to maintaining legacy, mission-critical applications inside the data center. The point is, an architecture that is designed for ‘THE cloud’ will be radically different than one that needs to be designed for the realities of today’s environments.
– The article’s suggested architecture fails to take into account major paradigm shifts in how information and information services are delivered and consumed today – things like the security implications of the transition to new microservice-based architectures, the ‘co-mingling’ of both legacy and cloud-native application environments, the explosion of ‘Shadow IT’, the creation of vast, abstracted, distributed pools of resources that are clustered across multiple geographically dispersed data centers and clouds (resources like storage pools and VMs), etc., etc., etc.
– The idea of software-based ‘packet brokers’ (again, in my opinion) should be an anathema to any well thought out security architecture because, among other things, the packet broker function is THE FIRST place that an adversary is going to attack. This means that adding this function just creates another attack vector that must be protected, which in turn adds more complexity and hence more vulnerability to the environment.
– It seems to me that the article/architecture overemphasizes a reliance on ‘visibility’. For example, the article constantly brought up monitoring logs as a way to gain visibility. This may have been effective a few years ago when logging was essentially confined to a small subset of devices that resided within the confines of a data center, but today those ‘logs’ are probably spread across multiple data centers AS WELL AS multiple clouds. The point here is that (again, in my opinion) the article’s emphasis on visibility ignores the need for new methods of governance and control. Detective controls are important, but so are the preventative, responsive and countermeasure controls that the article’s ‘architecture’ fails to address.
Existing security policies must be adapted to leverage new approaches to administrative, technical and physical controls. For example, a proper security architecture should take advantage of new capabilities like machine learning that is integrated into a single compute, storage and network ‘fabric’. This kind of capability would instantly identify, classify and remediate bad-actor behaviors – AUTOMATICALLY. This would be an architecture that HOLISTICALLY addresses security governance and controls.
I thought that there were other deficiencies in the SANS article but it’s getting late and I’m out of gas right now;););)
Freddy-
Does the white paper mention anything about redundancy for storing logs? On site sounds great but I would think having another copy is important. As we have learned in this program, malware and attackers will overwrite logs to hide suspicious activity.
And how about logging access to the logs? I need to read this white paper.
Filing taxes early is probably the most efficient way to keep your tax return in your name, but it is a highly improbable outcome. I have never been able to file early. Forget your employer; if you invest in stocks it takes until March to see your documents. That has been my experience at least. When we are at the mercy of other, larger entities, what is someone to do?
The other best practices provided in this story are relevant and should be followed by everyone on the internet almost always. I like that they mentioned oversharing on social media. The general public is way too willing to add content to their social conglomerate that they forfeit basic privacy. If you wouldn’t be willing to provide personal information to a stranger over the phone on a cold call, then you should keep it off social media.
The Equifax leak will likely aid in identity fraud for a few lifetimes.
Very interesting article Vince. I was looking at some VM encryption about a year ago. I never got around to testing it out. I was very curious about the performance impact on the VM itself. Seems like in your test, there was very minimal impact. I was looking at storing a Virtual Server offsite for DR. Looking at encryption was one of the items we had on our list. We never moved forward with the project, so I never got to play around.
Brock, when I first heard about how they were getting into ATMs, I too was very surprised to find that the ATM systems were relying upon Windows. I would have bet anything that it was using some flavor of Unix/Linux as the OS. You’re right on target, the best way to stop these attacks is beefing up the physical security at the ATM. Connecting physically to the system, adding skimmers to read cards, it’s all physical. I assume they thought Windows was a safe operating system to use since it was contained, or so they thought. Kind of locked away and unobtainable! It just goes to prove again that thieves will go to any length, and find any little hole in a system to get through.
Thanks Frederic, a good post. We have an imaging process at our work to deploy workstations. We routinely run PowerShell scripts to configure our workstations. PowerShell is such a useful utility that most people don’t know about. With a little time and practice, you can really use it to your advantage! Just test what you’re doing first, I’ve seen some scripts really blow up a machine!! 🙂
These are really useful, thanks Freddy!
Seems like hyperlink for the campaign page I mentioned isn’t clickable. Below is the actual link:
https://www.irs.gov/pub/irs-pdf/p4524.pdf
Hi Sev,
Nice post, I agree. With new architecture methodology, we would definitely need new security controls. Unfortunately, security technologies have not reached the same level of advancement. With these methodologies all connected to the internet, newer encryption technologies, such as quantum cryptography, need to keep up.
Nevermind everyone, I think I figured it out.
Ref: https://www.pcmag.com/news/349410/how-to-capture-video-clips-in-windows-10