August 24, 2014

Vulture Beat: Internet of Things will be vulnerable for years, and no one is incentivized to fix it

The Internet is no longer just accessible from your laptop or mobile phone. It’s now part of television sets, baby monitors, ovens and cars. It is increasingly embedded into medical devices and other critical devices. The Internet is everywhere and the Internet of Things (IoT) is a trend that will continue to grow.

Unfortunately this growth in technology is being matched by an equally large growth in security concerns. Just last month multiple presentations at the Black Hat and Defcon security conferences highlighted weaknesses in various IoT devices. Although there has been some additional focus on the challenges of IoT security, such as the OWASP Top 10 for Internet of Things Security, the future is still going to be an uphill battle.

Lack of updates will be IoT’s Achilles heel

An ineffective or nonexistent plan for deploying security updates will be the single largest impediment to security for the Internet of Things. The reality is that vulnerabilities appear in all code from time to time. A solid security lifecycle that considers security throughout design and development will have notably fewer security issues. However, all software manufacturers must be ready to quickly respond to a vulnerability and release a patch to protect their users.

We must learn from past failures

The impact of a poor patching plan can be observed directly today just by looking at iOS and Android. Both of these operating systems made by talented organizations with plenty of security resources, and both of them quickly make patches available when a security issue is found. However, while Apple controls the distribution of patches directly to its users through iOS updates, a patch bound for an Android device must jump through numerous delays by device manufacturers and network operators. As a result, Android devices may not receive critical patches for months or years. And with less than 18 percent of Android devices running the latest Android version, 82 percent of devices are missing key security updates and capabilities.

Today’s incentive model hurts patching of IoT

Let’s imagine a security vulnerability is discovered within an Internet-connected oven, fridge, or baby monitor that you’ve recently purchased. Will a patch be delivered to address the issue? Let’s review the incentive model of the various parties to see how this would play out.

Manufacturer

  • Wants to make product sales
  • Includes Internet connectivity as a feature – not their specialty area
  • Concerned with public reviews of the product which drive sales

Customer

  • Wants the device to work for its primary purpose
  • Considers the Internet connectivity as a nice, often secondary, feature
  • Majority don’t want to be hassled with “fixing” things

Criminal Organizations

  • Want devices under their control for botnets and distributed attacks
  • Want to remain hidden and not impact device performance so there is no effort to “fix” the device and eradicate their malware

If we evaluate the above factors, we’ll see that patching vulnerabilities on Internet-connected devices is going to be a very low priority for the manufacturer. The criminal organizations will exploit vulnerabilities present on a wide number of outdated devices. If they’re smart, which they are, the criminal organizations will run their malicious activities in the background without impacting the overall performance of the device. This means the customer won’t notice the malware, and the security vulnerability will have no impact on the customer’s opinion or review of the device. Therefore, if the device reviews aren’t negatively impacted by a security vulnerability, the manufacturer will have few incentives to patch the device.

IoT vulnerabilities have many victims

Although manufacturers may not be rushing to fix these flaws, there is still a lot of damage that will result.

Owners of Internet enabled devices

Customers will lose on the privacy front. Their private data will be monitored and sold without their knowledge. As the IoT expands, this data will become even more personal and will include health data, location and video streams of their house, children, and more.

Applications across the Web

Web applications all across the Internet will also be at risk. Vulnerable Internet-enabled devices will be compromised and added to malicious botnets. These compromised devices will send spam, participate in denial of service attacks, and even harvest and test stolen credentials across the web. The victim websites that are targeted will be unrelated sites and web applications that now must not only defend against malicious attackers but also the ever-expanding botnets of compromised devices from the Internet of Things.

Effective patch deployment is a big problem

The vast majority of device hacks will remain unnoticed and without impact to the device owner. However, some vulnerabilities will be discovered and will be so severe that the public will demand a patch. But how will this play out?

In these situations a manufacturer may scramble to issue a patch. But then what? How is the patch actually delivered to the device? Will all customers be requested to reboot their oven, car, or pacemaker and navigate through an update process? Or will the updated software only be available in the next release of the physical product? This would mean customers would be unpatched until they bought a new toaster, baby monitor, etc. Unfortunately, one of our current challenges with IoT is that, even if a patch is issued, there is not an effective channel to reach the majority of devices in a timely fashion.

How can we do better?

There are two ways the situation can get better.

First, we need to work as consumers to alter the incentive model so manufacturers are inclined to rapidly patch vulnerabilities. This can be accomplished through the wide publication of shortcomings of IoT security via responsible disclosure. It can also be accomplished by clearinghouses of data on IoT security weaknesses. Repeat offenders should be held accountable, and consumers should vote with their wallets. We should also promote positive security approaches that can help build robust and secure Internet-enabled devices.

Second, manufacturers of IoT devices must be prepared for the inevitable security vulnerabilities in their products. They must consider security during design and implementation to avoid obvious security weaknesses. But they must also build in a usable patching model so devices can be upgraded when critical security patches are necessary. This also needs to be nearly seamless to users and an approach that can reach a very high percentage of devices.

The Internet of Things will quickly envelope our way of life. If we’ve learned anything from the last decades of the Internet and computer security it’s that we should be proactive in our security planning. We can’t plan for every new vulnerability or weakness. But we must design Internet-enabled devices with the ability to deploy new code quickly in the name of securing users, data, and the web at large. Otherwise the Internet of Things could turn into the Internet of botnets.

Michael Coates is director of product security at Shape Security and chair of open software security community OWASP.

July 29, 2014

Quatrashield Releases App for Azure Marketplace

We have released the QuatraScan on the Microsoft Azure Marketplace. For more information please refer to: http://datamarket.azure.com/application/ea5d5f86-ae12-46b5-a196-96d5fff00b75

June 26, 2014

Computer World: Ethical hacking – Getting inside the minds of cyber criminals

Just when you think you’ve got yourself all covered on the security front, an attack comes out of nowhere and bites you on the arse. You think to yourself: How did I not see that coming?

That’s where penetration testing, or ethical hacking, comes in. The idea is to get a third party to think (and act) like a hacker to test your organisation’s resilience to attack.

And the stakes are high, says Hacklabs senior consultant Jody Melbourne. “Nobody is concerned with targeting websites or going after your database – that’s old,” Melbourne says. “The real bad guys are trying to steal your IP, your business intelligence or business information. [The criminal] is going after you internal network.

“You make a lot more money if you find out that large corporation A is about to acquire large corporation B in a few months, for example. If you hack some board members of a large corporation and find out all of their secret information, read their emails, then that is far more serious than stealing credit cards.”

Melbourne has been employed by both private sector and public sector organisations to test their security, with sometimes alarming results.

He said he’s found it “frustratingly easy” to just walk into many organisations. “I just wave my hand and say ‘I’m walking in here, it’s fine’ and walk straight in,” Melbourne says. “I’m wearing the right clothes, I’m confident, and I look like I’m supposed to be there.”

All it can take then is swapping out a desk phone for a tampered-with handset of the same model. “I plug in a device behind a phone; or I swap out the phone entirely for the exact same model and say ‘I’m here to change the phone, there’s something wrong with it’ and the receptionist says ‘OK’.”

“That whole network and organisation is compromised with a spy phone that I was able to make for $50,” Melbourne says.

Melbourne gave another hypothetical scenario for compromising a network — a hacker dressed like, and acting like, a regular employee just strolls in and connects a Wi-Fi or 3G dongle to an organisation’s network.

“[Then] I’m sitting in a hotel room 500 metres away with full access to your internal network reading your executives’ emails,” Melbourne says. “That’s the landscape now.”

A network could be compromised with just $100 worth of innocuous-looking hardware that most employees wouldn’t even recognise as a threat.

Melbourne said that when engaged by a government department to test their security he was able to compromise the entire agency after gaining access to a computer on its network – with no special tools required.

“A business insider at a corporation might only have mediocre hacking skills, but might actually guess the password of the CEO and get access to all of that information,” Melbourne says.

“That’s far more devastating to an organisation than the most advanced hacker in the world sitting inside that network who has absolutely no business experience, doesn’t know anything about the corporation.

“The hacker could get access to all the corporate documentation, all of the board members, meeting minutes, all kinds of internal IP and emails. But the hacker doesn’t know how the business works so he/she doesn’t know what is valuable and what isn’t.”

Daniel Cabezas, IT security testing services leader at Macquarie Group, says that when he does test email campaigns, he still finds many users clicking on links, downloading files or installing untrusted applications.

“We are doing security awareness courses, but whenever we do testing by sending ourselves email campaigns, there’s still more percentage of our user base who click on things,” he says.

One issue that security teams have to deal with is that hackers are also not necessarily looking to directly break into a company’s systems. Cabezas says they may have more success in hacking a personal computer of an employee to find business information or a work password or account.

“If the malware is trying to target the users at their homes, the reality is that I don’t have that many security controls in my laptop at home. So [criminals] are most successful attacking the home laptop of the users to try and get information about the company they work for. They go to LinkedIn and look for potential employees from the company to attack their personal laptops.”

The rise of bring-your-own device (BYOD) schemes – under which employees can use their own smartphones, tablets and notebooks for work – and an emphasis on flexible working only further complicate the situation.

Cabezas says that there’s usually a struggle to balance user demand for new technology with security.

“We have to determine what the risk of [introducing] the new technology is, but our users are already asking us to implement it,” he says.

“You might have a very functional, well-defined application, and you might think ‘it works the way we expect it to’. But what happens when somebody finds something unexpected?

“Criminals don’t work for X hours a day and then go home. They keep working during the night, during the weekend and they just have to find one hole. So you have to think the way they do. You might say ‘this vulnerability is really difficult to exploit’, but they will take the time and whatever the means to exploit it.”

May 31, 2014

HostingCon in Miami Beach

We will be attending the 2014 HostingCon in Miami Beach in a couple of weeks and look forward to meeting up with industry colleagues.  

April 28, 2014

Critical zero-day vulnerability in Internet Explorer exposes Windows XP to risks (Re-post from TWCN Tech News)

Microsoft said that a critical zero-day vulnerability has been found in Internet Explorer, right from IE6 to IE11, that allows cyber-criminals to exploit it using Drive-by attacks.

Drive-by download attacks occur when vulnerable computers get infected by just visiting a website. It’s accepted that Drive-by download attacks continue to be many attackers’ favourite type of attack. This is because the attack can be easily launched through injection of a malicious code to legitimate websites. Once injected, malicious code may exploit vulnerabilities in operating systems, web browsers and web browser plugins such as Java, Adobe Reader and Adobe Flash. The initial code that gets downloaded is usually small. But once it lands on your computer, it will contact another computer and pull the rest of the malicious coder to your system.

Microsoft is expected to release a patch for this vulnerability very soon. But it will be available for supported operating systems. It will not be available for Windows XP as this operating system is no longer supported. This will leave Windows XP users exposed to risks.

Workarounds

Apart from following other steps to secure their Windows XP, users may do the following to mitigate this issue, till a patch to fix it is released:
1.Disable the Flash plug-in within IE
2.Do not click on any doubtful links and immediately close IE if they find something suspicious
3.Use Microsoft’s anti-exploit tool – Enhanced Mitigation Experience Toolkit
4.Unregister the vgx.dll file. Go here to read how to unregister dll files in Windows.
5.Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting
6.Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
7.Consider using an alternative browser on your Windows XP.

March 14, 2014

Rise in cyber security budgets

New data from a  BAE Systems Applied Intelligence survey indicates that about 60 percent of large companies across the U.S., Canada, Great Britain, and Australia have increased their spending on cybersecurity since last year’s Target Breach.  Industries such as banking, technology, law, and mining are now spending up to 15 percent of their entire IT budgets on security.   More than 80 percent of survey respondents expect the number of cyberattacks to rise. The loss of customer data ranked as the companies’ greatest concern, followed by the loss of trade secrets, reputational damage, and service interruption.

Nearly half of the U.S. companies in the survey said a cyberattack would cost them around $15 million, while 29 percent estimated the cost at more than $75 million. The results suggest that breaches would take an extreme financial toll on smaller companies as well.

The Target breach over the 2013 holiday season claimed 40 million customers’ credit and debit card numbers.

 

February 12, 2014

Quatrashield VP Artice on SMB Nation: SMBs Lack the Tools to Fight Cyber Attack

http://www.smbnation.com/content/news/entry/smbs-lack-the-tools-to-fight-cyber-attack

When it comes to cyber-attack, Small and Medium Businesses are at a significant disadvantage. Lacking the resources and expertise of their Enterprise counterparts, SMBs often rely on free or lightweight tools that leave their organizations exposed to attack. Instead of shoring up their cyber-defenses, many SMBs wait for a breach to occur. In some cases this can be too late.

Hacking has never been as easy as it is today. The significant information sharing between hackers has created a publicly-available knowledgebase that is easily accessible to cyber-criminals. Sites such as hackthissite.org serve as a training ground for cyber criminals, hacktivists and even government entities to gain up-to-date information on new attack vectors.

The net result is that SMBs are often the victim of data breaches, phishing, DDoS and watering hole attacks. A recent report commissioned by the Department for Business, Innovation and Skills (BIS) indicates that 63% of small businesses in the UK were attacked by an unauthorized outsider in the last year which is up from 41% a year ago. The research also uncovered that 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago). [1]

The Enterprise/SMB Technology Model Does Not Apply to Cyber Security

Traditionally, Enterprise and SMB level technologies differ in design and capability – whether they have been built from the ground-up as unique solutions or whether the SMB module is a “light” version of the Enterprise class technology with certain features disabled. The key differentiators between Enterprise and SMB class technology are the expected level of flexibility and sophistication including configuration, deployment, management and reporting. From a scalability perspective, Enterprise level technologies are designed to be deployed in a non-disruptive way to hundreds, if not thousands, of users or access points within an organization spanning multiple offices and geographic territories. SMB level technology is designed for a small number of users or ports and is not intended to scale.

When it comes to cyber-security, the traditional Enterprise versus SMB model does not work. Pricing SMB oriented technology at a more affordable level as a trade-off for limited functionalities may be a good marketing tactic for security vendors selling into this segment, but leaves the SMB with a limited and mostly cosmetic protection against attack.

Firstly, regulatory compliance requirements such as PCI-DSS and HIPAA are applicable to both SMB and the Enterprise size organization. The onus on the part of both size organizations necessitate the implementation of systems and process to protect third party data. Therefore, companies that are mandated to protect their sensitive data may not have the flexibility to rely on basic cyber security technologies that fall short of regulatory requirements. More importantly, Small and Medium businesses are often the direct target of hacker attacks. By relying on a cheap “light” but largely ineffective software, the SMB business maker may inadvertently expose his or her organization to significant risk to cyber-attack.

The Downside to SMB Level Technologies

Many of the (inexpensive) cyber security tools in the marketplace that are targeted at the SMB segment, offer basic protection that can easily be bypassed by most hackers. For instance, the typical entry-level web application vulnerability scanners is based on open source technologies widely disseminated in the hacksphere. For the small business owner with limited staff, trying the Do-It-Yourself route can be frustrating, resource intensive and takes away from business focus.

Marketers of SMB focused cyber technologies take advantage of the overall confusion in the marketplace and overemphasize basic capabilities. For instance, the Open Web Application Security Project (OWASP) publishes a list of Top 10 application vulnerabilities. The typical Enterprise organization will purchase a tool that scans for twenty or more vulnerabilities and the better technologies are based on artificial intelligence that scan more deeply. When SMB focused tools list product specs, they often include features that are rudimentary.

In our evaluation of sample population of web application vulnerability scanners that target the SMB market, we have identified significant flaws in many of the current commercial offerings. Important capabilities – such as the ability for a scanner to drill deeply within an application layer based on dynamic parameters – are often not bundled in the basic SMB cyber security packages. Many of the tools report vast amounts of false positives, thereby requiring additional follow on investments in costly remediation. More troubling is the number of false negatives – the number of significant vulnerabilities and malware that are simply not caught by even some of the leading SMB targeted software vendors.

The Cloud Is Not a Silver Bullet

Another challenge for SMBs is the confusion about how cloud-based technologies can help them protect their businesses from attack. In many cases, the hype surrounding some cyber solutions in the marketplace may lead the SMB business owner to over-rely on technology to address the cyber threat. For instance, many cloud-based solutions advertise their end-to-end capability and falsely claim that their systems can identify and remove the threat of cyber-attack. There is huge difference between systematically identifying a vulnerability and automatically removing it. Remediation is a complex process often requiring coding or access to system configuration. The claims to the contrary are misleading and can result in an over-reliance on point solutions to address a systemic risk of attack. Furthermore, we are noticing the attack vector moving towards the Cloud as hackers have realized that the Cloud is a single point of information concentration.

Final Thoughts on Technology as a Sole Solution

Not one software solution is going to remove the threat of cyber-attack. Good cyber security practices need to be applied on a company-wide basis and are not simply restricted to the IT department. We are only as strong as our weakest link and a company’s employees, customers and partners are the first line of defense against cyber-attack. From a technology perspective one should always assume that hackers have access to the latest advances in technologies and one should constantly update one’s defense toolset in order to reflect what’s happening in the hacker-sphere. Equally important is to create policies that standardize security practices across the organization.

Although hackers are constantly changing their methods, organizations need guidelines that withstand the test of time. Business of all sizes need to plan carefully and budget wisely when to protect their data assets.

About the author: Mervin Pearce (CISSP-ISSAP) is the Vice President of Professional Services at QuatraShield, a SaaS provider of Enterprise-class cyber security technologies that include web application vulnerability scanners and malware scanners.

January 13, 2014

Announcement: Quatrashield Launches White Label Program for ISP’s to Enter Cyber Security Market

(The Hosting News) – Quatrashield, a SaaS provider of Enterprise-class cyber security technologies, has launched a new partner program for the Hosting Industry. ISP Protection Plus is a white label offering for Hosting Companies to re-sell web application vulnerability scanners, penetration testing and threat remediation services.

The company’s cloud-based software platform is based on military grade technology. Its two leading products – QuatraScan V3000 and QuatraWare M3000 – use advanced artificial intelligence to deeply penetrate a corporate website and identify malware and application vulnerabilities that are often undetected by standard commercial software packages.

ISP Protection Plus offers ISPs the opportunity to create their own branding for the QuatraScan and QuatraWare scanners. Because the solutions are cloud-based, there is no investment in technical infrastructure required on the part of the Hosting Company. In an era where companies are increasingly concerned about the threat of hackers, Hosting Companies can use website security protection services as a competitive differentiator in the marketplace.

Said QuatraShield CEO Johan Grobler: “We believe that ISP Protection plus is an easy entry into the high-end of the cyber security market. Although some ISP’s are re-selling low-end scanners, we allow ISP’s to offer their customers with Enterprise-class cyber-security technologies.”

In addition to the company’s malware and application vulnerability scanners, Quatrashield offers Hosting Companies a white labeled value-added professional services including Black Box Penetration Testing and Threat Remediation. “Our goal is provide ISPs with a packaged security offer to their most valuable customers that are looking for more help combatting the threat of hackers” said Grobler.

December 17, 2013

10 Ways to Protect Your Company and Employees from Hacking

10 Ways to Protect Your Company and Employees from Hacking

Here is a link to my blog posting on websitemagazine.com

December 17, 2013

UK Study: SMB’s report more security breaches in 2013

A new study released by PwC and InfoSecurity Europe, indicates that the large increase in security breaches is occurring in the Small Business segment (under 50 employees) and that these businesses are “now experiencing incident levels previously only seen in larger organisations.”   

Below are some of the report highlights: 

  • 63% of small businesses were attacked by an unauthorized outsider in the last year (up from 41% a year ago)
  • 23% of small businesses were hit by denial-of-service attacks in the last year (up from 15% a year ago)
  • 15% of small businesses detected that outsiders had successfully penetrated their network in the last year (up from 7% a year ago)
  • 9% of small businesses know that outsiders have stolen their intellectual property or confidential data in the last year (up from 4% a year ago)
  • 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago)
  • 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago)

 Good News/Bad News

For the SMB segment, there has been a rise in the cost associated with breaches.  The average cost for to a small business for its worst breach was between 35,000 to 65,000 pounds. 

The silver lining here is that senior management does understand the risk of cyber-crime and there is an increase effort to prioritize investment and education in this arena.

Follow

Get every new post delivered to your Inbox.

Join 223 other followers