“Study: Security leaders expect to see an increase in physical threats in wake of pandemic, and Physical, IT security professionals discuss the challenges facing their organizations as businesses prepare to reopen”
As per the article on physical security attacks, which is very useful for planning and implementing proper physical security against the latest threats to physical security, it also gives a brief idea about newly generated risks to physical security and new challenges to implementing the best physical security.
When approaching a physical security plan, either for existing properties, information security assets or a new build, it’s essential to have an understanding of common physical security risks, threats and vulnerabilities, and how the different types of physical security threats should be approached.
Physical security is the foundation of all security mechanisms; to protect the whole security structure, proper physical security needs to be set up. The latest physical security articles and news help to design and implement physical security.
A human rights organization by the name of Amnesty International was the target of hackers pretending to be them in order to get users with fake security software in order to distribute malware. Victims were tricked into downloading malware they thought protected them against Pegasus spyware from NSO Group (an Israeli technology firm). The hackers had set up a fake website that mirrored Amnesty’s and linked to an antivirus tool to protect against Pegasus; instead, it installed a little-known malware called Sarwent. This malware can activate Remote Desktop Protocol on a user’s machine, and allows them to have direct access to their desktop. No known facts can support whether or not this was financially motivated.
In this article, it reviews 5 ways cybersecurity has an impact on physical security. It ranges from the internet of things in our homes being at risk if our home network were to be hacked, to our smart cars being unlocked or possibly overridden by hackers. A good example that related to this week’s topic of discussion was the security environment being breached. It reviewed how an organization’s security department can be hacked to allow entrance to whoever, or possibly disguising it by setting off fire alarms repeatedly to the point that it gets shut off or people ignore it. This actually happened to me at work today, where the fire alarm was ringing continuously; however, the RFID scanner was not reading my ID card and so I needed a co-worker to open the door for me. When they did open the door, though, they checked for verification that I actually worked there and made sure I was in the IS department.
Twocanoes Software Releases Innovative Smart Card Solution for iPhone/iPad
Twocanoes Software has recently released a smart card reader compatible with Apple/iOS devices. “Smart Card Utility 3” enables applications to authenticate with smart cards—specifically personal identity verification (PIV) cards and PIV-Transitional (CAC) cards. Smart Card Utility 3 is compatible with single sign-on (SSO) capabilities, allowing users to only authenticate once before gaining access to resources/systems within the device. The overall concept of the Smart Card Utility 3 works by plugging the device into the charging port of an iPhone or iPad, then connecting the PIV card to its respective reader throughout the duration of device usage.
This invention is particularly interesting since it opens up an opportunity for businesses to secure employee/user access to BYOD Apple electronics and can also provide personal computer users with a secure method of authentication – therefore mitigating human physical security threats such as equipment theft. Having a PIV card hardens electronic targets, and the ease of access with the Smart Card Utility 3 promotes a user/consumer-friendly experience with the device. This invention makes me wonder if, in the long run, Apple will integrate PIV card slots into iOS devices in response to growing security threats.
Poorly configured instances of Apache Airflow (a tool I have done a great deal of work with in the past) contain openly available credentials to many popular services. Intezer is the organization that came across this vulnerability. Some of the poor configurations included hard-coded database passwords and cleartext keys in the Airflow configuration files. If several of these passwords became visible, a threat actor could use the credentials to gain access to the database or other accounts. The worst-case scenario is that malware gets placed on the databases, ultimately making them useless.
I figured that since this was such a big story yesterday, it would be worth following up on. Facebook experienced one of its longest outages ever, affecting its site and others such as WhatsApp, Messenger, Oculus VR, and Instagram. This blackout lasted approx. six hours. While this outage was happening, it was speculated that Facebook may be under some type of attack. However, Monday night FB confirmed that the outage was due to a configuration change on one of the backbone routers. This router facilitated communication between FB’s data centers, and its disruption on the network had a cascading effect until communication was completely interrupted and the sites were completely offline. Even though Facebook has confirmed it was a case of misconfiguration, it has not stopped individuals online from speculating that the outage was due to a data breach.
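As an added illustration of the misconfiguration class described in the comment above (example code written for this page, not Intezer’s tooling and not Airflow’s own code), here is a small Python scanner that parses an Airflow-style INI file and flags secrets written as literals. The config text, the placeholder passwords and the list of option names treated as sensitive are constructed for the example; the `_cmd` suffix is Airflow’s own mechanism for reading a sensitive option from a command instead of a literal, and the scanner deliberately leaves such options alone so the contrast is visible.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of an Airflow-style airflow.cfg (not a real deployment).
# Every password and key below is a placeholder invented for this example.
SAMPLE_AIRFLOW_CFG = """
[core]
sql_alchemy_conn = postgresql+psycopg2://airflow:PLACEHOLDER_PW@db.internal:5432/airflow
fernet_key = PLACEHOLDER_FERNET_KEY_VALUE
executor = LocalExecutor

[webserver]
secret_key = PLACEHOLDER_FLASK_SECRET
web_server_port = 8080

[celery]
broker_url = redis://:PLACEHOLDER_REDIS_PW@redis.internal:6379/0
result_backend_cmd = cat /run/secrets/result_backend
"""

# Option names whose values are secrets when written as literals (assumed list).
LITERAL_SECRET_KEYS = {"fernet_key", "secret_key"}
# Options holding connection URIs that may embed a password in the userinfo part.
URI_KEYS = {"sql_alchemy_conn", "broker_url", "result_backend"}


def find_cleartext_secrets(cfg_text):
    """Return (section, option, reason) for every secret stored in cleartext.

    Options ending in _cmd (Airflow reads those from a command at runtime)
    have different names and are therefore never matched here.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in LITERAL_SECRET_KEYS and value.strip():
                findings.append((section, key, "literal secret in config"))
            elif key in URI_KEYS:
                # urlsplit exposes the password component of user:pass@host URIs.
                if urlsplit(value).password:
                    findings.append((section, key, "password embedded in connection URI"))
    return findings


if __name__ == "__main__":
    for section, key, reason in find_cleartext_secrets(SAMPLE_AIRFLOW_CFG):
        print(f"[{section}] {key}: {reason}")
```

Run against a real `airflow.cfg` the same way (read the file into `cfg_text`); every hit is a value that belongs in a secrets backend, an environment variable or a `_cmd` option rather than on disk in cleartext.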
Iran May Be Behind Cyberattack on Company Serving Major Names in Israeli Tech, Experts Say
After looting 15 terabytes of information from Israeli company Voicenter, a group of foreign hackers offered the data online for $1.5 million. But evidence points to motives beyond just money
As a huge Apple fan, I hadn’t found a chance to look closer at their recent product AirTag. When I was searching for some articles for this week, I finally found an opportunity to learn about AirTags.
This article explains the lack of awareness we have on smaller devices such as the Apple Watch, rings or AirTags. It is easier to catch a phishing email on your laptop versus trying to get the job done and missing the red flags on your Apple Watch. Unfortunately, the more effective and functional devices create more risk for the user, since your priority is to complete tasks quickly and easily.
The article explains: “The AirTag’s Lost Mode lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com, and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner’s message.”
The primary function of AirTag products is to find your lost items attached to them. Once you find the lost item, you scan the AirTag, and it directs you to a website (supposedly found.apple.com) to find the owner. However, creative attackers can purchase AirTags and set them up with any URL for you to scan and be directed to. It is easy for attackers to type XSS into the AirTag’s phone field and turn the device to lost mode.
So, the idea behind small physical devices is that they are designed to be tiny and single-function, which makes you think they are innocuous. Therefore, all of us should be aware that anything that can communicate and connect to a network is a major risk. It is important that the organization keeps up to date with tech news and is aware of its employees’ preferences. For an employee who uses an Apple Watch or AirTag, it might not be enough to just give training for the devices being used at the workplace.
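The weakness the comment above describes is an output-encoding problem: an owner-supplied phone field rendered into a web page as raw HTML. The Python below is an added example written for this page, not Apple’s code and not a reproduction of found.apple.com; it shows a vulnerable “lost mode” page renderer next to a hardened one that allowlists the phone field and HTML-escapes every untrusted value. The function names, the allowlist pattern and the sample inputs are all assumptions made for the example.

```python
import html
import re

# Allowlist for a contact number: optional leading +, then digits, spaces,
# parentheses and hyphens, 7 to 21 characters total (assumed policy).
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{5,19}$")


def render_lost_page_unsafe(message, phone):
    """Vulnerable pattern: untrusted owner-supplied fields pasted straight into HTML."""
    return f"<p>{message}</p><p>Contact: <a href='tel:{phone}'>{phone}</a></p>"


def validate_phone(phone):
    """Return the phone string if it matches the allowlist, otherwise None."""
    return phone if PHONE_RE.fullmatch(phone) else None


def render_lost_page_safe(message, phone):
    """Hardened renderer: reject anything that is not a phone number and
    HTML-escape both fields so markup in them is displayed, not executed."""
    checked = validate_phone(phone)
    if checked is None:
        raise ValueError("phone field rejected: not a phone number")
    safe_msg = html.escape(message, quote=True)
    safe_phone = html.escape(checked, quote=True)
    return (f"<p>{safe_msg}</p>"
            f"<p>Contact: <a href=\"tel:{safe_phone}\">{safe_phone}</a></p>")


if __name__ == "__main__":
    # Constructed inputs: a benign message containing characters that are
    # special in HTML, and a phone field that contains markup instead of digits.
    message = "Please call me <3 & thanks"
    hostile_phone = "<b>555</b>"
    print("unsafe:", render_lost_page_unsafe(message, hostile_phone))
    print("safe  :", render_lost_page_safe(message, "+1 (555) 010-0199"))
    try:
        render_lost_page_safe(message, hostile_phone)
    except ValueError as exc:
        print("safe  :", exc)
```

The two layers are deliberate: the allowlist stops the phone field from carrying anything but a number, and the escaping protects the free-text message, which cannot be allowlisted the same way.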
The article I chose for this week pertains to a ransomware attack which may have resulted in the death of a baby. In 2019, Springhill Medical Center, which is located in Mobile, Alabama, had its computer systems crippled due to a ransomware attack. Eight days into this hack, a baby named Nicko Silar “was born with her umbilical cord wrapped around her neck and constricting her airway, causing severe brain damage.” (Joseph Marks) Normal protocol in this instance is to perform a Caesarean section, also known as a C-section. However, due to the ransomware ordeal they were experiencing at the time, monitoring the baby’s heart rate proved to be a difficult task.
Under normal circumstances, the nurses would have had a large digital display of the baby’s heart rate at the nurses’ station. Unfortunately, in this case the baby’s heart rate was being recorded on a strip of paper printed by the bedside monitor as an alternative. Consequently, the nurses did not observe the fetal heart rate change, which resulted in the obstetrician being oblivious to it as well. The consequences were indeed severe, and Nicko Silar died nine months after being born.
Silar’s mother is arguing in a lawsuit that safeguards were not in place due to the ransomware hack. However, the hospital denies any wrongdoing and has concluded that it was safe and normal operations should have continued during the ransomware attack.
Back in March 2021, a French cloud services company called OVHcloud experienced a fire in its Strasbourg, France data center, which disrupted millions of websites, knocking out government agencies’ portals, banks, shops, and news websites. While disclosure of how the fire started will not be reported until 2022, I was very interested in the findings (bulleted below) that were observed as a result of the fire:
– SBG4 was not independent, drawing power from the same circuit as SBG2;
– SBG2 did not have its own network room;
– Backups were made in the same data center;
– The floors of the five-story SBG2 data center were made of wood;
– It has been reported in various places that OVHcloud did not have an automatic fire extinguishing system.
While we don’t know if any of these findings actually led to the cause of the fire, I think it’s fair to assume that monitoring controls around heating/cooling and circuit utilization, combined with backups and recovery procedures, need to be reassessed and enhanced to mitigate the risk of a similar event in the future.
On Monday, October 4th, Facebook experienced a mass blackout that lasted about 6 hours, making it one of the longest outages in the history of the company. The VP of infrastructure at Facebook claimed that the outage began with DNS and Border Gateway Protocol problems. After digging into the problem, he confirmed that the heart of the issue was configuration changes on the backbone routers that coordinate network traffic between data centers. No cyber attack was made and no user data was compromised. While Facebook came out publicly and explained the situation, there are conspiracies that the outage was related to a mass data breach and all of our compromised data is being sold on a criminal forum.
The Apache web server had a vulnerability in one of its updates which could allow an attacker access to sensitive data on a web server. Apache quickly released a patch once the vulnerability was identified. The CVE number for that vulnerability is CVE-2021-41773. The vulnerability allowed the attacker to perform a path traversal and a subsequent file disclosure. Path traversal is an issue which would allow an attacker access to files on a web server by either tricking the web application or the web server into returning a file back to the attacker. The vulnerability was rated as important with a CVSS score of 5.1 out of 10. This vulnerability was identified in Apache version 2.4.49 on Unix or Windows. There were over 112,000 servers that had that vulnerable version of Apache running, and around 43,000 were in the U.S. The patch for that vulnerability is available in the upgraded version 2.4.50.
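To make the path-traversal mechanism described above concrete from the defender’s side, here is an added Python example (written for this page; it is not Apache’s code and not the fix shipped in 2.4.50). It does two things: it maps a requested URL path onto the filesystem the way a server must, percent-decoding before normalising so encoded dot sequences cannot bypass the check, and it runs that same logic over a handful of constructed Apache-style access log lines to flag requests that would have escaped the document root. The document root `/var/www/html`, the log lines and the verdict names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example (not taken from any real server).
DOCROOT = "/var/www/html"


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded sequences are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(docroot, request_path):
    """Map a URL path onto the filesystem; return None if it would escape docroot."""
    path_only = request_path.split("?", 1)[0]
    decoded = decode_fully(path_only)
    if "\x00" in decoded:          # NUL bytes never belong in a file name
        return None
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # The decoded, normalised path must still sit underneath the document root.
    if posixpath.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate


ENCODED_DOT_RE = re.compile(r"%2e", re.IGNORECASE)


def classify_request_path(docroot, raw_path):
    """'escapes-docroot' if the decoded path leaves docroot; 'obfuscated-dots' if
    dots were percent-encoded (a sign of probing a naive filter); else 'ok'."""
    if resolve_request_path(docroot, raw_path) is None:
        return "escapes-docroot"
    if ENCODED_DOT_RE.search(raw_path):
        return "obfuscated-dots"
    return "ok"


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed Apache combined-format access log lines (not from a real server).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/../../../../secret.txt HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '10.0.0.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/config.txt HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '10.0.0.9 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/%2e%2e/images/logo.png HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '10.0.0.5 - - [05/Oct/2021:10:00:05 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def flag_traversal_requests(log_lines, docroot=DOCROOT):
    """Return (path, verdict) for every logged request that is not plainly 'ok'."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group(1)
        verdict = classify_request_path(docroot, raw_path)
        if verdict != "ok":
            flagged.append((raw_path, verdict))
    return flagged


if __name__ == "__main__":
    for path, verdict in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{verdict:16s} {path}")
```

Note that the last sample line contains `..` yet is reported as `ok`: the normalised path stays inside the document root, which is exactly why the check is done on the resolved path rather than by grepping for dot sequences. The response code in the log is irrelevant to the verdict; a 404 or 403 only tells you the server refused, not that nobody tried.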
With reference to the above captioned and based on the recent increase in attacks on physical security devices, I came across this article dated June 14, 2021, that clearly states the minimum cybersecurity features for a would-be security device and recommendations to end-user organizations to ensure that such devices are adequately and efficiently used to prevent attacks. I believe this is a good read and could also serve as a good source for baseline configuration within an organization.
The under-listed recommendations and processes are recommended to end-users.
1. Cybersecurity product features.
2. Conduct routine penetration testing.
3. Create closed networks for physical security devices; and
4. Use suppliers who are committed to cybersecurity and comply with National Defense Authorization Act (NDAA) regulations.
The under-listed cybersecurity features were recommended for devices:
1. IEEE 802.1x Authentication
2. Transport Layer Security (TLS) Protocol
3. Hypertext Transfer Protocol Secure (HTTPS)
4. User Authentication
5. No Backdoor Accounts
6. Access Control via Firewall
7. Digest Authentication
8. Signed Firmware
9. Configuration Lockdown
I found this very interesting because the article touched on securing physical security devices meant to ensure physical security.
The article that I chose to read and summarize this week is titled “Why data centres need physical security”.
One of the first things the article mentions are the average impacts of a data breach – $3.86 million, reputational loss, legal troubles, customer loss, and more.
The article then dives into how Covid-19 has been making physical security more important for data centers now than ever before, due to an increase in remote work, online socializing, video conferencing, e-commerce, gaming, and more. With that being said, these factors also contribute to an increase in revenue for the supplying companies involved, so investing a little bit of money in more security should not be an issue.
In a study of 320 C-suite professionals about business challenges related to video technologies, this quote from the article was a main takeaway. “Among physical security professionals, we see that one of the top concerns is lack of multi-departmental cooperation to address cybersecurity threats. Physical security leaders and IT leaders need to work together. The threat is real and it needs to be addressed.”
The article also mentions specific physical security features that could be implemented; cameras, VMS (consolidates video, audio, sensor, and other data streams into one), thermal imaging, facial recognition, license plate and vehicle recognition, people counting, behavioral monitoring, and more.
“Besides internal protection, you also should protect your perimeter, consider your utilities and prepare your people.”
This article was written by Amine Sadi on ITP.net. ITP media group is a global media company headquartered in Dubai that has regional departments in the United States and several European countries. It has over 60 different media brands and attracts tens of millions of views per month.
Since we are on the topic of physical security this week, I felt my article was relevant. The article discusses a company called Yubico. The company is known for its series of products called YubiKeys, which are hardware authentication devices that protect access to computers, networks, and online services with one-time passwords. They recently added another layer of defense to their line of products – fingerprint readers. Called the YubiKey Bio Series, these devices have built-in biometric authentication for passwordless and second-factor logins. The key is optimized for most operating systems, including Mac, Windows, and Linux. It also includes access to a Yubico authenticator app which can add and remove recognizable fingerprints. If the reader cannot be used, a PIN can be entered instead. The key requires a subscription, but it can be used across various devices. It can be purchased for around 80 USD in USB or USB-C formats. It also uses a three-chip architecture, which stores data on a separate, secure element in order to “enhance protection from physical attacks.”
This article from September 29, 2021 by KrebsOnSecurity explains the recent surge of a new trend of stealing OTP tokens (one-time passwords) by spoofing this common second form of authentication. With advancements in security and the now commonplace usage of 2FA / MFA, inherently comes advancements from attackers. These OTPs are now being phished through automated services that spoof the actual service, getting the user to generate and send the OTP code to the attacker, who then forwards it automatically to the requesting malicious user attempting to breach the identity/account.
The service, however, can only deliver the OTP if the phishing attempt is successful; it assumes that the user already has obtained the login credentials as it is there solely to steal OTPs. The service, “otp.agency” requires a target phone number and name, then performs a phishing call that requests the user deliver the OTP for authentication purposes, obviously sending it to the malicious requester. This service went offline quickly after an earlier KrebsOnSecurity article talking about it, but since then, multiple new similar services have come about, namely “SMS Ranger.” The link below actually provides a great picture of the service being used. Unfortunately for many soon-to-be victims, the services are lucrative as they are extremely profitable and are receiving high positive feedback from users, tipping more towards using them.
This article becomes really important to security as it calls out an extremely common oversight regarding what people normally refer to as 2FA. A password and an OTP are both under the same authentication category through the same authentication channel: something you know, through a web browser. This is a massive problem as it has become the norm and makes people feel more secure. In reality, these types of spoofing services demonstrate just how easy it is to circumvent this layered authentication method, as it is really not 2 different factors of authentication of the common 3: something you are/have/know. Both authentication methods fall into the something you know category, which is obviously not 2 different factors. The author points out that instead, true 2FA would be the first form of authentication, the password, something you know, followed by a request from the website/app to your physical device that is uniquely registered – this would then be something you have, completing the 2nd factor for a true 2FA setup.
I found this article interesting because I have seen this happen first hand in organizations that vastly underestimated cybersecurity expenses. I’ve also seen how mismanaged it can get, since the business side of things tends to have a difficult time quantifying information, as risk management can be tedious.
One thing about this article, though, is that it only highlights organizations that responded – something that organizations may not do for fear of losing reputation for not having a secure network. The article also highlights that many companies are switching to cloud-based security, which makes sense since these are low-cost alternatives that can make monitoring and analysis much easier and more streamlined for their price. My prediction is that as ransomware becomes more of a threat to the Internet of Things (IoT), we will likely see a cloud takeover for most enterprise systems; as the criminal market increases, so does the market for cybersecurity.
This article talks about data breaches at two American mental healthcare providers that may have exposed thousands of individuals’ personal health information (PHI).
Horizon House, Inc., which is in Philadelphia, Pennsylvania, warned that 27,823 people might have been impacted by a cyber-attack that took place in the late winter.
The mental health and residential treatment services provider detected suspicious activity on its IT network on March 5. An investigation revealed that the healthcare provider’s IT system had been infected with ransomware.
In a security notice, Horizon House said: “Horizon House systems were accessible by an unknown actor between March 2, 2021, and March 5, 2021, and certain data was exfiltrated from the Horizon House systems.”
Great article,
With so many attacks happening daily, it still surprises me that these health care companies can’t protect patients’ sensitive information. If I were a Horizon patient, I would be devastated to have my personal diagnosis stolen and revealed to the world.
I chose an article that highlights the importance and criticality of cyber security. It further legitimizes the area that we all recognize and hold near & dear to our hearts – cyber security. In this article the head of the NSA is predicting that the US will face ransomware attacks every day for years to come! We can probably also read that headline and think: job security! 🙂
In this article the NSA cyber chief gave his assessments on the ‘Big 4’ nation states in the cyber space (excluding USA). Fascinating to see their focus (and relative strengths) mapped out publicly.
Amazon-owned Twitch, the livestreaming service, was attacked yesterday. An anonymous user on the 4chan site posted a 125 GB file of data which included Twitch code, streamers’ pay and an unannounced video game store. At this time it is unclear if user data was affected, but it has been recommended that users change their password and set up two-factor authentication. The hacker stated his/her reasoning for the breach as to “foster more disruption and competition in the online video streaming space because Twitch’s community is a disgusting toxic cesspool.”
It appears Twitch has made some enemies over the years, and the competition is looking to do whatever they can to slow Twitch down. From the look of it, the files came from an internal GitHub server which was part of the original infrastructure from 2011.
The topic of this article is “What is physical security? How to keep your facilities and devices safe from on-site attackers”. Primarily, it talks about how securing premises and devices from physical attacks can be regarded as as challenging as defending against cyber threats to a business establishment. Automation and AI are increasingly being used to shore up defenses of assets in organizations. It talks about physical security as being seen as the protection of people, property, and physical assets from actions and events that could cause damage or loss to an organization. Though it is often overlooked in favor of cybersecurity, physical security is equally important. And, indeed, it has grown into a $30 billion industry. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room. https://article/3324614/what-is-physical-security-how-to-keep-your-facilities-and-devices-safe-from-on-site-attackers.html
Microsoft Exchange Bug Exposes 100,000 Windows Domain Credentials
In Microsoft Exchange’s Autodiscover, an unpatched spot has caused a spill of 100,000 domain credentials around the world. According to the article, “The weakness discovered by Guardicore resides in a specific implementation of Autodiscover based on POX XML protocol that causes the web requests to Autodiscover domains to be leaked outside of the user’s domain but in the same top level domain.” The attackers impacted Chinese corporations, investment banks, food manufacturers, power plants, and real estate firms.
The news reflects the importance of technology enhancement programs for companies. Check for security vulnerabilities and improve systems in a timely manner. In order to ensure that the company’s systems are equipped to withstand risks, constant efforts must be made to set up and maintain security defenses for the website.
The article describes an organization’s security training program as the first line of defense against cyber attacks. In Verizon’s 2021 Data Breach Survey Report, 85% of data breaches involved human factors. The survey report reflects the importance of security training programs for companies. Training needs to be an ongoing process, not just once a year or during employee onboarding. Certain key performance indicators are included in the training program to measure the effectiveness of employee training. Organizations must continually strive to provide training to their employees to ensure that they are able to meet the level of compliance and competence in all areas of training.
“Google pulls ‘stalkerware’ ads that promoted phone spying apps.”
Google has pulled several ads for “tracking software” that violated its policy by promoting apps that encourage potential users to spy on their spouses’ phones.
These consumer-grade spyware applications are often marketed under the guise of predator prevention to parents who want to monitor their children’s phone calls, messages, apps, photos, and locations. But these apps, often designed to be installed in secret without the device owner’s consent, have been repurposed by abusers to spy on spouses’ phone calls.
Matthew Bryan says
Drones are a great example of the intersection of physical and cybersecurity. This article discusses the increasing commercial interest in drones and the evolving threats that come with wider usage. The author, Bill Edwards, speculates that we’re not too far away from a drone superhighway that resides 200-400 feet above our heads and warns that businesses are not prepared to handle the associated security risks. Edwards recommends that public sector businesses should consider drones when assessing risk and when developing policies and procedures. He suggests that security programs should include a drone vulnerability and risk assessment, a technical survey and reconnaissance of the airspace, and a drone emergency response plan.
There is a burgeoning industry emerging to respond to drone threats and help businesses to detect and react to incursions of their air space. The focus has mostly been on physical security and detecting aircraft in unauthorized areas. There has been less of a focus on cybersecurity with drones as the use case isn’t as apparent. For example, a drone containing a small computer set-up to spoof wireless networks and harvest user data. Currently, the laws limit options with drone interdiction which means that the public must be diligent. Good cybersecurity practices, such as avoiding passwordless wifi networks, help protect against rogue wireless access points attached to drones.
Article: Cybersecurity And Drones: A Threat From Above
Author: Bill Edwards
Published: Feb 25, 2021
Link: https://www.forbes.com/sites/forbestechcouncil/2021/02/25/cybersecurity-and-dronesa-threat-from-above/?sh=6f84403c7b0d
Kelly Sharadin says
Hi Matthew,
Great article! I would be interested to know where these commercial drones are manufactured. That could be an additional security concern.
Matthew Bryan says
Thank you. Great point about the manufacturer. DJI accounts for a large section of the drone market and is headquartered in China. There’s been some debate about their practices as it relates to cybersecurity. Here’s an additional article that provides an overview of the concerns. https://gizmodo.com/pentagon-official-warns-about-chinese-drones-without-ex-1845022250
Kelly Sharadin says
This article from ASIS, an international professional organization that focuses on traditional physical security, discusses the challenges of creating a physical security program for higher education institutions. Universities require a balancing of privacy and safety of their student body. The security program must contend with “the accessibility of spaces and freedom of movement” for public events and residential buildings as well as compliance with local authorities. The author outlines the importance of security controls like access control and video monitoring as mentioned by PHYSBIT to provide a uniform approach to evidence collection and incident response for security events. I also like the mention of integrating continuous security awareness on TV monitors, social media, and apps.
https://www.asisonline.org/security-management-magazine/latest-news/online-exclusives/2021/challenges-in-higher-education-security-open-environments/
Matthew Bryan says
I also like the idea of using TVs to display ongoing security messages. I thought the author’s mention of collaborating with designers and planners during renovations is important. Security-first design can save money and provide a better experience for end users. It’s often easier to build something new than attempt to retrofit.
Andrew Nguyen says
This article details how popular retailer Neiman Marcus only recently found out that it had been the victim of a data breach dating all the way back to May 2020.
It was determined that the unauthorized attacker may have accessed usernames, passwords, and security questions/answers linked to Neiman Marcus online accounts.
I think it is interesting to note that Neiman Marcus was only recently made aware of a data breach that occurred in May 2020. I wonder if attackers were able to get into the system and were sitting there collecting customer information for all this time.
I also find it interesting that it took this long for Neiman Marcus to detect the breach; the article doesn’t go into this, but I wonder if Neiman Marcus became complacent with their security, and didn’t bother keeping up to date when it came to their security.
In either case, I think this goes to show that information security is as important as ever.
https://www.infosecurity-magazine.com/news/major-data-breach-hits-neiman/
Wilmer Monsalve says
Yes, for some reason it is taking companies longer than usual to notice that there is a breach within their system. I read recently that the Wawa data breach that had occurred back in 2019 has been settled for a 9 million dollar claim in cash. Each customer that can prove that their information may have been stolen via credit or debit card at a fuel pump throughout the time period is eligible for up to $500. Breaches within our day-to-day businesses are failing to maintain standards of security for themselves and the consumer more frequently than I had originally thought.
Mohammed Syed says
https://www.securityinfowatch.com/security-executives/article/21230718/study-security-leaders-expect-to-see-an-increase-in-physical-threats-in-wake-of-pandemic
“Study: Security leaders expect to see an increase in physical threats in wake of pandemic, and Physical, IT security professionals discuss the challenges facing their organizations as businesses prepare to reopen”
As per the article on physical security attacks, which is very useful for planning and implementing proper physical security against the latest threats to physical security, it also gives a brief idea about newly generated risks to physical security and new challenges to implementing the best physical security.
When approaching a physical security plan, whether for existing properties, information security assets or a new build, it’s essential to have an understanding of common physical security risks, threats and vulnerabilities, and how the different types of physical security threats should be approached.
Physical security is the foundation of all security mechanisms; to protect the whole security structure, proper physical security needs to be set up. The latest physical security articles and news help with designing and implementing physical security.
Christopher Clayton says
A human rights organization by the name of Amnesty International was the target of hackers pretending to be them in order to lure users with fake security software in order to distribute malware. Victims were tricked into downloading malware they thought protected them against Pegasus spyware from NSO Group (an Israeli technology firm). The hackers had set up a fake website that mirrored Amnesty’s and linked to an antivirus tool to protect against Pegasus; instead, it installed a little-known malware called Sarwent. This malware can activate Remote Desktop Protocol on a user’s machine, and allows them to have direct access to their desktop. No known facts can support whether or not this was financially motivated.
Wilmer Monsalve says
The article mentioned reviews 5 ways cybersecurity has an impact on physical security. It ranges from the Internet of Things in our homes being at risk if our home network were to be hacked, to our smart cars being unlocked or possibly overridden by hackers. A good example that related to this week’s topic of discussion was the security environment being breached. It reviewed how an organization’s security department can be hacked to allow entrance to whoever, or possibly disguising it by setting off fire alarms repeatedly to the point that they get shut off or people ignore them. This actually happened to me at work today, where the fire alarm was ringing continuously; however, the RFID scanner was not reading my ID card, and so I needed a co-worker to open the door for me. When they did open the door, though, they checked for verification that I actually worked there and made sure I was in the IS department.
https://www.resolver.com/blog/5-ways-cybersecurity-impacts-physical-security/
Lauren Deinhardt says
Twocanoes Software Releases Innovative Smart Card Solution for iPhone/iPad
Twocanoes Software has recently released a smart card reader compatible with Apple/iOS devices. “Smart Card Utility 3” enables applications to authenticate with smart cards, specifically personal identity verification (PIV) cards and PIV-Transitional (CAC) cards. Smart Card Utility 3 is compatible with single sign-on (SSO) capabilities, allowing users to only authenticate once before gaining access to resources/systems within the device. The overall concept of the Smart Card Utility 3 works by plugging the device into the charging port of an iPhone or iPad, then connecting the PIV card into its respective reader throughout the duration of device usage.
This invention is particularly interesting since it opens up an opportunity for businesses to secure employee/user access to BYOD Apple electronics and can also provide personal computer users with a secure method of authentication, therefore mitigating human physical security threats such as equipment theft. Having a PIV card hardens electronic targets, and the ease of access with the Smart Card Utility 3 promotes a user/consumer-friendly experience with the device. This invention makes me wonder if, in the long run, Apple will integrate PIV card slots into iOS devices in response to growing security threats.
https://www.einnews.com/pr_news/551067731/twocanoes-software-releases-innovative-smart-card-solution-for-iphone-ipad
Dhaval Patel says
Poorly configured instances of Apache Airflow (a tool I have done a great deal of work with in the past) contain openly available credentials to many popular services. Intezer is the organization that came across this vulnerability. Some of the poor configurations included hard-coded database passwords and cleartext keys in the Airflow configuration files. If several of these passwords became visible, a threat actor could use the credentials to gain access to the database or other accounts. The worst-case scenario is that malware gets placed on the databases, ultimately making them useless.
https://thehackernews.com/2021/10/poorly-configured-apache-airflow.html
Ryan Trapp says
I figured that since this was such a big story yesterday that it would be worth following up on. Facebook experienced one of its longest outages ever, affecting its site and others such as WhatsApp, Messenger, Oculus VR, and Instagram. This blackout lasted approx. six hours. While this outage was happening it was speculated that Facebook may be under some type of attack. However, Monday night FB confirmed that the outage was due to a configuration change on one of the backbone routers. This router facilitated communication between FB’s data centers, and its disruption on the network had a cascading effect until communication was completely interrupted and the sites were completely offline. Even though Facebook has confirmed it was a case of misconfiguration, it has not stopped individuals online from speculating that the outage was due to a data breach.
https://threatpost.com/facebook-blames-outage-on-faulty-router-configuration/175322/
Christopher Clayton says
Here’s the article name and website from previous message that I forgot to add:
“Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware”
https://thehackernews.com/2021/10/beware-of-fake-amnesty-international.html
Jason Burwell says
Iran May Be Behind Cyberattack on Company Serving Major Names in Israeli Tech, Experts Say
After looting 15 terabytes of information from Israeli company Voicenter, a group of foreign hackers offered the data online for $1.5 million. But evidence points to motives beyond just money
https://www.haaretz.com/israel-news/tech-news/.premium-experts-iran-may-be-behind-cyberattack-on-company-serving-big-names-in-israeli-tech-1.10231555
Miray Bolukbasi says
As a huge Apple fan, I hadn’t found a chance to look closer at their recent product, AirTag. When I was searching for some articles for this week, I finally found an opportunity to learn about AirTags.
This article explains the lack of awareness we show toward smaller devices such as the Apple Watch, rings or AirTags. It is easier to catch a phishing email on your laptop versus when you are trying to get the job done and missing the red flags on your Apple Watch. Unfortunately, the more effective and functional devices create more risk for the user, since your priority is to complete tasks quickly and easily.
The article explains: “The AirTag’s Lost Mode lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com, and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner’s message.”
The primary function of AirTag products is to find your lost items attached to them. Once you find the lost item, you scan the AirTag, and it directs you to a website (supposedly found.apple.com) to find the owner. However, creative attackers can purchase AirTags and set them up with any URL for you to scan and be directed to. It is easy for attackers to type XSS into the AirTag’s phone field and turn the device to Lost Mode.
So, the idea behind small physical devices is that they are designed to be tiny with single-function capability, which makes you think they are innocuous. Therefore, all of us should be aware that anything that can communicate and connect to a network is a major risk. It is important that organizations follow tech news, stay up to date, and are aware of their employees’ preferences. For an employee who uses an Apple Watch or AirTag, it might not be enough to just give training for the devices being used at the workplace.
To read the article: https://www.computerworld.com/article/3635628/how-one-coding-error-turned-airtags-into-perfect-malware-distributors.html
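The bug class the post describes is a found-item page that echoes owner-supplied Lost Mode fields into HTML. The following is an added example (not Apple’s code, and not from the article): an unsafe renderer next to a hardened one that allow-lists the phone field and HTML-escapes the free-text message. The regex, function names and sample values are assumptions constructed for the example.

```python
"""Added example: rendering Lost Mode fields safely (hypothetical page, not Apple's)."""
import html
import re

# Assumed allow-list for a contact number: optional leading +, then digits and
# common separators. Anything else (letters, angle brackets, quotes) is rejected.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{4,19}$")


def render_found_page_unsafe(message: str, phone: str) -> str:
    """Interpolates owner-controlled fields straight into HTML (the bug class)."""
    return (f"<p>{message}</p>"
            f'<p>Contact: <a href="tel:{phone}">{phone}</a></p>')


def is_valid_phone(phone: str) -> bool:
    """True only if the field looks like a phone number under PHONE_RE."""
    return PHONE_RE.fullmatch(phone) is not None


def render_found_page_safe(message: str, phone: str) -> str:
    """Reject a phone field that is not a phone number; escape the free text.

    Validation (allow-list) and output encoding are both applied: the phone
    field gets a strict format, and the message, which must stay free-form,
    is HTML-escaped so markup is displayed rather than interpreted.
    """
    if not is_valid_phone(phone):
        raise ValueError("phone field rejected: not a phone number")
    return (f"<p>{html.escape(message)}</p>"
            f'<p>Contact: <a href="tel:{html.escape(phone, quote=True)}">'
            f"{html.escape(phone)}</a></p>")


def contains_active_markup(rendered: str) -> bool:
    """Crude check: does a raw <script tag or an inline on*= handler survive?"""
    lowered = rendered.lower()
    return "<script" in lowered or re.search(r"<\w+[^>]*\son\w+=", lowered) is not None


# Constructed sample values for the example, not taken from any real AirTag.
GOOD_PHONE = "+1 (555) 010-0000"
BAD_PHONE = "<script>alert('not a phone')</script>"

if __name__ == "__main__":
    print(render_found_page_unsafe("Lost keys", BAD_PHONE))      # markup survives
    print(render_found_page_safe("<b>Lost</b> keys", GOOD_PHONE))  # markup escaped
```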
Joshua Moses says
The article I chose for this week pertains to a ransomware attack which may have resulted in the death of a baby. In 2019, Springhill Medical Center, which is located in Mobile, Alabama, had their computer systems crippled due to a ransomware attack. Eight days into this hack, a baby named Nicko Silar “was born with her umbilical cord wrapped around her neck and constricting her airway, causing severe brain damage.” (Joseph Marks) Normal protocol in this instance is to perform a Caesarean section, also known as a C-section. However, due to the ransomware ordeal they were experiencing at the time, monitoring the baby’s heart rate proved to be a difficult task.
Under normal circumstances, the nurses would have had a large digital display of the baby’s heart rate at the nurses’ station. Unfortunately, in this case the baby’s heart rate was being recorded on a strip of paper printed by the bedside monitor as an alternative. Consequently, the nurses did not observe the fetal heart rate change, which resulted in the obstetrician being oblivious of it as well. The consequences were indeed severe, and Nicko Silar died nine months after being born.
Silar’s mother is arguing in a lawsuit that safeguards were not in place due to the ransomware hack. However, the hospital denies any wrongdoing and has concluded that it was safe and normal operations should have continued during the ransomware attack.
https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/
Bryan Garrahan says
https://www.datacenterdynamics.com/en/news/ovhcloud-wont-reveal-the-cause-of-its-disastrous-fire-till-2022/
Back in March 2021, a French cloud services provider called OVHcloud experienced a fire in their Strasbourg, France data center, which disrupted millions of websites, knocking out government agencies’ portals, banks, shops, and news websites. While disclosure of how the fire started will not be reported until 2022, I was very interested in the findings (bulleted below) that were observed as a result of the fire:
– SBG4 was not independent, drawing power from the same circuit as SBG2;
– SBG2 did not have its own network room;
– Backups were made in the same data center;
– The floors of the five-story SBG2 data center were made of wood;
– It has been reported in various places that OVHcloud did not have an automatic fire extinguishing system.
While we don’t know if any of these findings actually led to the cause of the fire, I think it’s fair to assume that monitoring controls around heating/cooling and circuit utilization, combined with backup and recovery procedures, need to be reassessed and enhanced to mitigate the risk of a similar event in the future.
Michael Galdo says
Facebook Blames Outage on Faulty Configuration
On Monday, October 4th, Facebook experienced a mass blackout that lasted about 6 hours, making it one of the longest outages in the history of the company. The VP of infrastructure at Facebook claimed that the outage began with DNS and Border Gateway Protocol problems. After digging into the problem, he confirmed that the heart of the issue was configuration changes on the backbone routers that coordinate network traffic between data centers. No cyber attack was made and no user data was compromised. While Facebook came out publicly and explained the situation, there are conspiracies that the outage was related to a mass data breach and all of our compromised data is being sold on a criminal forum.
https://threatpost.com/facebook-blames-outage-on-faulty-router-configuration/175322/
Vraj Patel says
Apache web server had a vulnerability within one of its updates which could allow an attacker access to sensitive data within a web server. Apache quickly released a patch once the vulnerability was identified. The CVE number for that vulnerability is CVE-2021-41773. The vulnerability allowed the attacker to perform a path traversal and a subsequent file disclosure. Path traversal is an issue which would allow an attacker access to files on a web server by tricking either the web application or the web server into returning a file back to the attacker. The vulnerability was rated as important with a score of 5.1 out of 10 CVSS. This vulnerability was identified in Apache version 2.4.49 on Unix or Windows. There were over 112,000 servers that had that vulnerable version of Apache running, and around 43,000 were in the U.S. The patch for that vulnerability is available in the upgraded version 2.4.50.
Reference:
Seals, Tara. 2021. Apache Web Server Zero-Day Exposes Sensitive Data. Retrieved from: https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/
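The post describes path traversal as tricking a web server into returning a file from outside the tree it is meant to serve. As an added example (not Apache’s code and not from the article), the block below shows the defensive check a file-serving handler needs, namely decoding the request path and confirming it still resolves inside the document root, and then runs that check over a few constructed access-log lines to flag traversal attempts. The document root, the log format and the log lines are assumptions constructed for the example; the decoding loop generalises beyond the single case in the post by also catching doubly encoded dots.

```python
"""Added example: keep a request inside the document root, and flag requests
that would escape it in (constructed) access-log lines. Not Apache's code."""
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root; any absolute POSIX path works


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that doubly
    encoded dots such as %252e cannot survive a single decoding pass."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def map_request_to_file(doc_root: str, request_target: str):
    """Return the file path a request maps to, or None if it escapes doc_root.

    Normalisation happens after decoding, so '..' segments that were hidden
    behind percent-encoding are collapsed before the containment check.
    """
    path = request_target.split("?", 1)[0]        # drop the query string
    decoded = fully_decode(path)
    if "\x00" in decoded or "\\" in decoded:      # NUL bytes and backslashes are never legitimate here
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                               # resolved outside the document root
    return candidate


# Assumed common log format: client, ident, user, [time] "METHOD target proto" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def flag_traversal(log_lines, doc_root=DOC_ROOT):
    """Return (client, target) for each log line whose request escapes doc_root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if map_request_to_file(doc_root, m.group("target")) is None:
            hits.append((m.group("ip"), m.group("target")))
    return hits


SAMPLE_LOG = [  # constructed lines with documentation addresses, not real traffic
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Oct/2021:10:00:02 +0000] "GET /images/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /static/../../../../tmp/x HTTP/1.1" 404 196',
    '203.0.113.7 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, target in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

The fourth sample line is deliberately benign: a `..` that stays inside the root is allowed, which is why the check is on the normalised result rather than on the presence of dots.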
Olayinka Lucas says
Cybersecurity for Physical Security Devices.
With reference to the above captioned and based on the recent increase in attacks on physical security devices, I came across this article dated June 14, 2021, that clearly states the minimum cybersecurity features for a would-be security device and recommendations to end-user organizations to ensure that such devices are adequately and efficiently used to prevent attacks. I believe this is a good read and could also serve as a good source for baseline configuration within an organization.
The under-listed recommendations and processes are recommended to end-users.
1. Cybersecurity product features.
2. Conduct routine penetration testing.
3. Create closed networks for physical security devices; and
4. Use suppliers who are committed to cybersecurity and comply with National Defense Authorization Act (NDAA) regulations.
The under-listed cybersecurity features were recommended for devices:
1. IEEE 802.1x Authentication
2. Transport Layer Security (TLS) Protocol
3. Hypertext Transfer Protocol Secure (HTTPS)
4. User Authentication
5. No Backdoor Accounts
6. Access Control via Firewall
7. Digest Authentication
8. Signed Firmware
9. Configuration Lockdown
I found this very interesting because the article touched on securing physical security devices meant to ensure physical security.
Reference:
https://www.securityinfowatch.com/cybersecurity/article/21224063/cybersecurity-for-physical-security-devices
Michael Jordan says
The article that I chose to read and summarize this week is titled “Why data centres need physical security”.
One of the first things the article mentions are the average impacts of a data breach – $3.86 million, reputational loss, legal troubles, customer loss, and more.
The article then dives into how Covid-19 has been making physical security more important for data centers now than ever before, due to an increase in remote work, online socializing, video conferencing, e-commerce, gaming, and more. With that being said, these factors also contribute to an increase in revenue for the supplying companies involved, so investing a little bit of money in more security should not be an issue.
In a study of 320 C-suite professionals about business challenges related to video technologies, this quote from the article was a main takeaway. “Among physical security professionals, we see that one of the top concerns is lack of multi-departmental cooperation to address cybersecurity threats. Physical security leaders and IT leaders need to work together. The threat is real and it needs to be addressed.”
The article also mentions specific physical security features that could be implemented; cameras, VMS (consolidates video, audio, sensor, and other data streams into one), thermal imaging, facial recognition, license plate and vehicle recognition, people counting, behavioral monitoring, and more.
“Besides internal protection, you also should protect your perimeter, consider your utilities and prepare your people.”
This article was written by Amine Sadi on ITP.net. ITP media group is a global media company headquartered in Dubai that has regional departments in the United States and several European countries. It has over 60 different media brands and attracts tens of millions of views per month.
https://www.itp.net/security/why-data-centres-need-physical-security
Alexander William Knoll says
Since we are on the topic of physical security this week, I felt my article was relevant. The article discusses a company called Yubico. The company is known for its series of products called YubiKeys, which are hardware authentication devices that protect access to computers, networks, and online services with one-time passwords. They recently added another layer of defense to their line of products: fingerprint readers. Called the YubiKey Bio Series, these devices have built-in biometric authentication for passwordless and second-factor logins. The key is optimized for most operating systems, including Mac, Windows, and Linux. It also includes access to a Yubico authenticator app which can add and remove recognizable fingerprints. If the reader cannot be used, a PIN can be entered instead. The key requires a subscription, but it can be used across various devices. It can be purchased for around 80 USD in USB-A or USB-C formats. It also uses a three-chip architecture, which stores data on a separate, secure element in order to “enhance protection from physical attacks.”
https://www.engadget.com/yubico-yubikey-bio-fingerprint-reader-130034276.html
Antonio Cozza says
This article from September 29, 2021 by KrebsOnSecurity explains the recent surge of a new trend of stealing OTP tokens (one-time passwords) by spoofing this common second form of authentication. With advancements in security and the now commonplace usage of 2FA / MFA, inherently comes advancements from attackers. These OTPs are now being phished through automated services that spoof the actual service, getting the user to generate and send the OTP code to the attacker, who then forwards it automatically to the requesting malicious user attempting to breach the identity/account.
The service, however, can only deliver the OTP if the phishing attempt is successful; it assumes that the user already has obtained the login credentials as it is there solely to steal OTPs. The service, “otp.agency” requires a target phone number and name, then performs a phishing call that requests the user deliver the OTP for authentication purposes, obviously sending it to the malicious requester. This service went offline quickly after an earlier KrebsOnSecurity article talking about it, but since then, multiple new similar services have come about, namely “SMS Ranger.” The link below actually provides a great picture of the service being used. Unfortunately for many soon-to-be victims, the services are lucrative as they are extremely profitable and are receiving high positive feedback from users, tipping more towards using them.
This article becomes really important to security as it calls out an extremely common oversight regarding what people normally refer to as 2FA. A password and an OTP are both under the same authentication category through the same authentication channel: something you know, through a web browser. This is a massive problem as it has become the norm and makes people feel more secure. In reality, these types of spoofing services demonstrate just how easy it is to circumvent this layered authentication method as it is really not 2 different factors of authentication of the common 3: something you are/have/know. Both authentication methods fall into the something you know category, which is obviously not 2 different factors. The author points out that instead, true 2FA would be the first form of authentication-the password-, something you know, followed by a request from the website/app to your physical device that is uniquely registered – this would then be something you have, completing the 2nd factor for a true 2FA setup.
https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/
Michael Duffy says
I found this article interesting because I have seen this happen first hand in organizations that vastly underestimated cybersecurity expenses. I’ve also seen how mismanaged it can get, since the business side of things tends to have a difficult time quantifying information, as risk management can be tedious.
One thing about this article, though, is that it only highlights organizations that respond, something that organizations may not do in fear of losing reputation for not having a secure network. The article also highlights that many companies are switching to cloud-based security, which makes sense since these are low-cost alternatives that can make monitoring and analysis much easier and more streamlined for their price. My prediction is that as ransomware becomes more of a threat to the Internet of Things (IoT), we will likely see a cloud takeover for most enterprise systems; as the criminal market increases, so does the market for cybersecurity.
https://www.zdnet.com/article/cybersecurity-budgets-for-industrial-control-systems-increasing-sans-institute/
Ornella Rhyne says
This article talks about data breaches at two American mental healthcare providers that may have exposed thousands of individuals’ personal health information (PHI).
Horizon House, Inc., which is in Philadelphia, Pennsylvania, warned that 27,823 people might have been impacted by a cyber-attack that took place in the late winter.
The mental health and residential treatment services provider detected suspicious activity on its IT network on March 5. An investigation revealed that the healthcare provider’s IT system had been infected with ransomware.
In a security notice, Horizon House said: “Horizon House systems were accessible by an unknown actor between March 2, 2021, and March 5, 2021, and certain data was exfiltrated from the Horizon House systems.”
https://www.infosecurity-magazine.com/news/mental-healthcare-data-breaches/
Corey Arana says
Great article,
With so many attacks happening daily, it still surprises me that these health care companies can’t protect patients’ sensitive information. If I was a Horizon patient, I would be devastated to have my personal diagnosis stolen and revealed to the world.
Richard Hertz says
I chose an article that highlights the importance and criticality of cyber security. It further legitimizes the area that we all recognize and hold near & dear to our hearts: cyber security. In this article the head of the NSA is predicting that the US will face ransomware attacks every day for years to come! We can probably also read that headline and think: job security! 🙂
https://therecord.media/nsa-chief-predicts-u-s-will-face-ransomware-every-single-day-for-years-to-come/?web_view=true
Corey Arana says
I absolutely agree with that statement. Job security for years to come. Cyber security is important and we are in demand.
Richard Hertz says
I couldn’t resist posting a 2nd article from my new favorite cyber news site:
https://therecord.media/around-the-world-with-the-nsas-cyber-chief/
In this article the NSA cyber chief gave his assessments on the ‘Big 4’ nation states in the cyber space (excluding USA). Fascinating to see their focus (and relative strengths) mapped out publicly.
Corey Arana says
Amazon-owned Twitch, the livestreaming service, was attacked yesterday. An anonymous user on the 4chan site posted a 125 GB file of data which included Twitch code, streamers’ pay and an unannounced video game store. At this time it is unclear if user data was affected, but it has been recommended that users change their password and set up two-factor authentication. The hacker stated his/her reasoning for the breach as to “foster more disruption and competition in the online video streaming space because Twitch’s community is a disgusting toxic cesspool.”
It appears Twitch has made some enemies over the years, and the competition is looking to do whatever they can to slow Twitch down. From the look of it, the files came from an internal GitHub server that was part of the original infrastructure from 2011.
https://www.businessinsider.com/major-twitch-hack-breach-leak-source-code-streamer-payments-2021-10
https://threatpost.com/twitch-source-code-leaked/175359/
kofi bonsu says
The topic of this article is “What is physical security? How to keep your facilities and devices safe from on-site attackers”. Primarily, it says that securing premises and devices from physical attacks can be regarded as being as challenging as defending against cyber threats to a business establishment. Automation and AI are increasingly being used to shore up defenses of assets in organizations. It talks about physical security as being seen as the protection of people, property, and physical assets from actions and events that could cause damage or loss to an organization. Though it is often overlooked in favor of cybersecurity, physical security is equally important. And, indeed, it has grown into a $30 billion industry. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room.
https://article/3324614/what-is-physical-security-how-to-keep-your-facilities-and-devices-safe-from-on-site-attackers.html
Victoria Zak says
Microsoft Exchange Bug Exposes 100,000 Windows Domain Credentials
In Microsoft Exchange’s Autodiscover, an unpatched spot has caused a spill of 100,000 domain credentials around the world. According to the article, “The weakness discovered by Guardicore resides in a specific implementation of Autodiscover based on POX XML protocol that causes the web requests to Autodiscover domains to be leaked outside of the user’s domain but in the same top level domain.” The attackers impacted Chinese corporations, investment banks, food manufacturers, power plants, and real estate firms.
Reference:
https://thehackernews.com/2021/09/microsoft-exchange-bug-exposes-100000.html
Dan Xu says
The news reflects the importance of technology enhancement programs for companies. Check for security vulnerabilities and improve systems in a timely manner. In order to ensure that the company’s systems are equipped to withstand risks, constant efforts must be made to set up and maintain security defenses for the website.
Dan Xu says
“Cybersecurity Is A Journey, Not A Destination”
The article describes an organization’s security training program as the first line of defense against cyber attacks. In Verizon’s 2021 Data Breach Survey Report, 85% of data breaches involved human factors. The survey report reflects the importance of security training programs for companies. Training needs to be an ongoing process, not just once a year or during employee onboarding. Certain key performance indicators are included in the training program to measure the effectiveness of employee training. Organizations must continually strive to provide training to their employees to ensure that they are able to meet the level of compliance and competence in all areas of training.
Reference: https://www.forbes.com/sites/forbesbooksauthors/2021/10/11/cybersecurity-is-a-journey-not-a-destination/?sh=540fe9e03a91
zijian ou says
“Google pulls ‘stalkerware’ ads that promoted phone spying apps.”
Google has pulled several ads for “tracking software” that violated its policy by promoting apps that encourage potential users to spy on their spouses’ phones.
These consumer-grade spyware applications are often marketed under the guise of predator prevention to parents who want to monitor their children’s phone calls, messages, apps, photos, and locations. But these apps, often designed to be installed in secret without the device owner’s consent, have been repurposed by abusers to spy on spouses’ phone calls.