February 17, 2017
UNM4SK3D: IoT, Yahoo!, and Microsoft
February 17, 2017
Someone was really craving fish. That's the only logical explanation for why an unnamed university's vending machines and other IoT devices were making seafood-related DNS requests every 15 minutes.
This case, which comes from Verizon's recently released Data Breach Digest is just one of 16 cautionary tales making headlines. It began when the university's help desk ignored student complaints of slow network connectivity which escalated by the time a senior IT security member got involved. That team member suspected something 'fishy' after noticing many seafood-related requests across the network. It was then discovered the hackers had created an IoT botnet, a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, using the university’s own vending machines and other IoT devices to disrupt their network. What a catch.
According to a report from NetworkWorld.com "the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” This botnet spread from device to device by brute forcing default and weak passwords. The report detailed further that once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password — locking them out of the 5,000 systems.
Don’t keep all your eggs in one basket, create separate network zones for IoT systems and air-gap them from other critical networks where possible. -Data Breach Digest, 2017
For an overview of Verizon's Data Breach Digest, as well as 2 other recently released reports discussing IoT, among other things, read 'A Report on Reports: Briefing on the State of Security.'
#dejavuDo you ever have that intuitive feeling that you've experienced something before? Yahoo! certainly does. It's been reported that there was actually a 3rd, yes, a 3rd data breach. If you don't remember the previous two, considered some of the biggest data breaches on record, you may be living under a rock. On Wednesday, Yahoo! sent out a notice to its users saying that their accounts may have been compromised as recently as 2016. How did this happen a third time? An investigation turned up evidence that hackers used forged cookies to log accounts without passwords. 'Forged cookies' are digital keys that allow access to accounts without re-entering passwords."The total number of customers affected by this attack is still unknown, though the company has confirmed that the accounts were affected by a security flaw in Yahoo's mail service," wrote The Hacker News. Apparently, this breach was revealed in a December 2016 report but was buried alongside more information regarding the August 2013 breach. Some many beaches, so little time. Ironically the day the notice was sent to users was also the day it was reported that Verizon is slashing the price they'll pay for Yahoo! by at least $250 million.
The average cost of a data breach increased from $145 to $154 per lost or stolen record in 2015 -The Ponemon Institute
If you're looking for more information on data breaches, specifically how to prevent one, check out 'The Average Cost of a Data Breach & How to Manage Cyber Risk' from CAMI.
Let's face it, there are growing concerns over state-sponsored hacking. During the Fourth Geneva Convention in 1949, parties agreed to protect civilians from harsh treatment during wartime. Now, in 2017, Microsoft president and chief legal officer Brad Smith is proposing something similar, a 'Digital Geneva Convention.'
Microsoft is calling on tech companies to protect users from nation-state attacks and asking them to promise to never mount offensive cyber attacks. They are also pushing governments around the world to establish norms for engagement in digital warfare. Having flashbacks from the Miss Congeniality movie where every pageant queens' answer is 'world peace?' Us too, although in seriousness, Smith's reference to the 2014 Sony hack and the recent 2016 election hacks, are chilling reminders of attacks that occurred without any meaningful international laws.
Smith said the technology industry needs an agreement similar to the Geneva Convention to protect civilians from harm as governments begin to fight their wars online. This process has been underway with the United Nations and the U.S. government, but it’s unclear how these efforts will turn out. With consideration of imposing these laws, one must ask, as John Dunn of Naked Security did, "If you can’t be certain who was behind an attack, how can a nation be held to account under a convention?"
Conflicts between nations are no longer confined to the ground, sea and air, as cyberspace has become a potential new and global battleground -Smith
Nation states have been spying on one another since biblical times, the only thing that’s really changed are their methods. Read 'Nation State Hacking and Its' Impact on Enterprises.'