UNM4SK3D: IoT, Yahoo!, and Microsoft

Join Cybrary

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION
Already a Member Login Here

< Back to Blog Posts

UNM4SK3D: IoT, Yahoo!, and Microsoft

Published: February 17, 2017 | By: Olivia | Views: 1635
save

cyber_security_news

#DNS

Someone was really craving fish. That’s the only logical explanation for why an unnamed university’s vending machines and other IoT devices were making seafood-related DNS requests every 15 minutes.

This case, which comes from Verizon’s recently released Data Breach Digest is just one of 16 cautionary tales making headlines. It began when the university’s help desk ignored student complaints of slow network connectivity which escalated by the time a senior IT security member got involved. That team member suspected something ‘fishy’ after noticing many seafood-related requests across the network. It was then discovered the hackers had created an IoT botnet, a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, using the university’s own vending machines and other IoT devices to disrupt their network. What a catch.

According to a report from NetworkWorld.com “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” This botnet spread from device to device by brute forcing default and weak passwords. The report detailed further that once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password — locking them out of the 5,000 systems.

Don’t keep all your eggs in one basket, create separate network zones for IoT systems and air-gap them from other critical networks where possible. -Data Breach Digest, 2017

For an overview of Verizon’s Data Breach Digest, as well as 2 other recently released reports discussing IoT, among other things, read ‘A Report on Reports: Briefing on the State of Security.’

#dejavu

Do you ever have that intuitive feeling that you’ve experienced something before? Yahoo! certainly does. It’s been reported that there was actually a 3rd, yes, a 3rd data breach. 

If you don’t remember the previous two, considered some of the biggest data breaches on record, you may be living under a rock. On Wednesday, Yahoo! sent out a notice to its users saying that their accounts may have been compromised as recently as 2016. How did this happen a third time? An investigation turned up evidence that hackers used forged cookies to log accounts without passwords. ‘Forged cookies’ are digital keys that allow access to accounts without re-entering passwords.

“The total number of customers affected by this attack is still unknown, though the company has confirmed that the accounts were affected by a security flaw in Yahoo’s mail service,” wrote The Hacker News. Apparently, this breach was revealed in a December 2016 report but was buried alongside more information regarding the August 2013 breach. Some many beaches, so little time. Ironically the day the notice was sent to users was also the day it was reported that Verizon is slashing the price they’ll pay for Yahoo! by at least $250 million.

The average cost of a data breach increased from $145 to $154 per lost or stolen record in 2015 -The Ponemon Institute

If you’re looking for more information on data breaches, specifically how to prevent one, check out ‘The Average Cost of a Data Breach & How to Manage Cyber Risk’ from CAMI.

#digitalgeneva

Let’s face it, there are growing concerns over state-sponsored hacking. During the Fourth Geneva Convention in 1949, parties agreed to protect civilians from harsh treatment during wartime. Now, in 2017, Microsoft president and chief legal officer Brad Smith is proposing something similar, a ‘Digital Geneva Convention.’

Microsoft is calling on tech companies to protect users from nation-state attacks and asking them to promise to never mount offensive cyber attacks. They are also pushing governments around the world to establish norms for engagement in digital warfare. Having flashbacks from the Miss Congeniality movie where every pageant queens’ answer is ‘world peace?’ Us too, although in seriousness, Smith’s reference to the 2014 Sony hack and the recent 2016 election hacks, are chilling reminders of attacks that occurred without any meaningful international laws.

Smith said the technology industry needs an agreement similar to the Geneva Convention to protect civilians from harm as governments begin to fight their wars online. This process has been underway with the United Nations and the U.S. government, but it’s unclear how these efforts will turn out. With consideration of imposing these laws, one must ask, as John Dunn of Naked Security did, “If you can’t be certain who was behind an attack, how can a nation be held to account under a convention?”

Conflicts between nations are no longer confined to the ground, sea and air, as cyberspace has become a potential new and global battleground -Smith

Nation states have been spying on one another since biblical times, the only thing that’s really changed are their methods. Read ‘Nation State Hacking and Its’ Impact on Enterprises.’

#endsecuritylast

“The days of convenience first are coming back to haunt us. That’s the problem with the security last mindset.” – @infosec_eskimo

#certspotlight

Cyber security is everyone’s responsibility, even users because they work with computers and are exposed to critical data every day. The End User Micro certifications are an introduction to security awareness. They present an overview of what cyber security is and why you should care.

Designed with the end-user in mind, these micro certifications serve as the ideal starting point for anyone looking to enter the cyber security field and ultimately raise their threat awareness. During the courses, remember the ultimate goal of security practices: The C-I-A Triad (confidentiality, integrity, and availability) — the three things we are most concerned with when it comes to the information on our computers and networks.

Specific Micro Certifications within the End User collection include Security Fundamentals, Email, Cyber Fundamentals, Physical Security, Mobile Device Security, PII, Social Engineering, and Network Security.

 

olivia2

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

< Back to Blog Posts
Enjoy this blog post? Want more Cybytes?
Invite a Friend
and share now
Facebook Twitter Google+ LinkedIn Email
Join Cybrary
1 Comment
  1. i enjoyed reading this… nice expose on cyber security issues and concerns

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel