NEWS ROUND-UP

IoT threats: same hacks, new devices

The internet of things explosion has proven controversial due to the insufficient security measures in many of these internet-connected devices. And a new report from cyber security provider F-Secure finds that threats and the number of attacks continue to increase, but still rely on well-known security weaknesses, such as unpatched software and weak passwords. The report, using data collected and analyzed by F-Secure Labs, highlights that threats targeting internet-connected devices are beginning to multiply more rapidly than in the past. The number of IoT threats observed by F-Secure Labs doubled in 2018, growing from 19 to 38 in the space of a single year. But many of these threats still use predictable, known techniques to compromise devices. Threats targeting weak/default credentials, unpatched vulnerabilities, or both, made up 87% of observed threats.

F-Secure Operator Consultant Tom Gaffney says that larger device vendors are paying more attention to security than in the past, but there are a lot of devices from many different manufacturers that don’t offer consumers much in the way of security or privacy. “The big guys like Google and Amazon have made strides in their smart home products with the help of massive backing and ethical hackers like our own Mark Barnes, who executed the first proof of concept for a hack of an Echo in 2017,” said Gaffney. “But for years manufacturers have been releasing products without giving much thought to security, so there’s a lot of ‘smart’ devices out there vulnerable to relatively simple attacks.”

IoT threats and attacks are increasing, but rely on well-known security weaknesses

IoT threats were rarely encountered before 2014, the report explains. But that changed around the time the source code for Gafgyt – a threat that targeted a variety of IoT devices, including BusyBox devices, closed-circuit television (CCTV) devices and many digital video recorder (DVR) devices – was released. In October 2016, Mirai, which was developed from Gafgyt’s code, became the first IoT malware to achieve global infamy when its massive botnet was used to launch one of the largest distributed denial-of-service attacks in history. Mirai’s code has been public “for Research/IoC Development Purposes” since 2016. Originally, it used 61 unique credential combinations for infections. Within three months, that number had reached almost 500. And it’s incredibly prevalent as a malware family: approximately 59 percent of attack traffic detected by F-Secure’s honeypot servers in 2018 targeted exposed Telnet ports, with Mirai’s attempts to spread as the main culprit behind the attacks.

According to F-Secure Labs Principal Researcher Jarno Niemela, the root cause of many of IoT’s problems starts with the manufacturers’ supply chains. “Most device vendors license software development kits for the chipsets they use in their smart cameras, smart appliances, and other IoT devices. That’s where the vulnerabilities and other issues are coming from,” explains Niemela. “Device vendors have to start asking for more in terms of security from these suppliers, and also be prepared to issue updates and patches as they become available.”
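To make the honeypot statistic above concrete, here is an added example (not code from F-Secure or the report) that triages constructed honeypot log lines in an assumed `<timestamp> <src_ip> <dst_port> [<user>:<password>]` format: it computes the share of connection attempts hitting Telnet ports, counts the distinct credential pairs tried, and flags sources that cycle through several pairs, which is the kind of check a defender runs to spot Mirai-style credential scanning against exposed services.

```python
# Added example (not F-Secure's code): triage constructed honeypot log lines for
# Telnet credential scanning. Assumed line format:
#   <timestamp> <src_ip> <dst_port> [<user>:<password>]
import re
from collections import Counter, defaultdict

TELNET_PORTS = {23, 2323}  # standard Telnet plus the alternate port IoT scanners probe

# Constructed sample: documentation-range IPs, generic default credential pairs.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 198.51.100.7 23 root:root
2018-03-01T10:00:02Z 198.51.100.7 23 admin:admin
2018-03-01T10:00:05Z 203.0.113.9 2323 root:password
2018-03-01T10:00:07Z 203.0.113.9 2323 admin:admin
2018-03-01T10:00:09Z 192.0.2.44 80
2018-03-01T10:00:11Z 192.0.2.44 443
2018-03-01T10:00:12Z 198.51.100.7 22
2018-03-01T10:00:15Z 203.0.113.9 23 root:root
2018-03-01T10:00:16Z 198.51.100.8 23
2018-03-01T10:00:20Z 192.0.2.45 8080
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+)(?: ([^:\s]+):(\S*))?$")

def parse_line(line):
    """Return a record for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, user, password = m.groups()
    cred = (user, password) if user is not None else None
    return {"ts": ts, "src": src, "port": int(port), "cred": cred}

def triage(log_text, threshold=2):
    """Telnet share of traffic, credential pairs tried, and sources that tried
    at least `threshold` distinct pairs on Telnet ports (assumed tuning knob)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    telnet = [r for r in records if r["port"] in TELNET_PORTS]
    creds = Counter(r["cred"] for r in telnet if r["cred"])
    per_src = defaultdict(set)
    for r in telnet:
        if r["cred"]:
            per_src[r["src"]].add(r["cred"])
    return {
        "total": len(records),
        "telnet": len(telnet),
        "telnet_share": len(telnet) / len(records) if records else 0.0,
        "credentials": creds,
        "scanners": {s for s, pairs in per_src.items() if len(pairs) >= threshold},
    }
```

Raising `threshold` trades sensitivity for fewer false positives from a single mistyped login; on the sample data, 6 of 10 attempts target Telnet and two sources are flagged at the default threshold.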

Banks leave customers open to more outages through code vulnerabilities

Veracode’s latest State of Software Security report (SoSS) revealed financial services is one of the slowest industries when it comes to addressing common vulnerabilities found in software. The global report found financial services companies took 29 days to address a quarter of their vulnerabilities in coding – and over a year – 573 days – to remediate all open vulnerabilities. It also ranked second to last of all sectors in terms of speed to complete flaw remediation. A significant 67% of current applications used by banks are at risk from information leakage attacks, wherein an application reveals sensitive data that can be used by an attacker to exploit a web application or its users. This is worrying given the IT outages occurring within the global financial services industry.

In spite of this, Veracode’s report did reveal that the largest population of applications scanned came from the financial vertical. While financial organisations tend to have the reputation of having some of the most mature overall cybersecurity practices, Veracode’s data shows they struggle like the rest to stay on top of application security. The industry ranked second to last among the major verticals for latest-scan OWASP pass rate, and based on the flaw persistence analysis chart, it is leaving coding flaws to linger longer than other industries. Even though the financial sector is prolific at testing, scanning almost as many apps as the technology sector, it is still slow in responding to open vulnerabilities. Additionally, the banking sector addresses the first half of its open flaws slowly, but it starts to pick up speed once it passes the halfway point.

“We would presume financial services would address flaws and potential doorways to data breaches promptly as it’s a highly regulated industry,” said Paul Farrington, Director of EMEA and APJ at Veracode. “However, we have observed several downfalls over the last year that suggest banks may not be as technically robust as they like to make out. Historically, we’ve witnessed the likes of the TSB IT outage occur due to legacy infrastructures and code left over from multiple mergers, which led to IT outages.”

It’s a tough job for banks to coordinate cybersecurity awareness so it’s at the forefront of employees’ minds. “These banks are large organisations with high headcount so it’s possible that banks are not raising the importance of these crucial data leakages internally,” Farrington continues. The sluggish speed with which banks initially respond to vulnerabilities could be an indication of bureaucracy that may impede initial progress, but which is likely overcome once security teams and developers collaborate more to cut through the red tape.
