Will Automation Cause more #Cybersecurity Problems?

There seems to be a lot of attention on ‘new’ automation in many areas of our lives.

Atlantic story: “The Parts of America Most Susceptible to Automation”

Notice that no one is interested in Cybersecurity problems that will be created within this new automated world.

Sometimes Hollywood is looking further ahead than we are. On Season 7 episode 16, ‘Murder by Remote Control’, an “automated house” (one that opens and closes doors, controls lights and more) killed a person because it was programmed to do so. The episode played on CBS 2/10/2000.

So 17 years ago Hollywood played an episode that looked unrealistic at the time. I am not here to discuss the viability of the episode or the cast/show etc. I am here to discuss what can go wrong as we automate more and more aspects of our lives. Today we call these devices IoT (Internet of Things) devices; they switch lights and alarms on and off, operate doors, and more.

What happened in the episode could happen today, with a hacker controlling the IoT devices that run your heating and air conditioning to make life in the house unbearable and maybe even dangerous (depending on the add-ons you installed). It may not be dangerous yet, but it may be in the future.

On TV (which is visual) the computer system is shown at its control screen, where one can see the cameras and make adjustments. Today this control screen may be replicated by a remote hacker (ransomware).

The Atlantic story was trying to find economic regions which are most likely to see automation:

(image from Atlantic Article). You can see that the major metropolitan areas seem to be more likely to have concentrations of automation; as an estimate this may be accurate.

But what is a glaring omission in this article?

Cybersecurity

This is the paragraph concluding the article:

 

The work by Moenius and his colleagues suggests that this divergence will only continue. While a handful of cities with good jobs and highly educated workers will continue to thrive, other areas are going to see more and more jobs disappear as automated technologies become ever better. This may have much wider implications, politically and socially. People in America’s struggling regions feel left behind economically, as the 2016 election indicated.

It is not surprising that Cybersecurity is not on the radar of most people, and will not be until they experience it for themselves, or at least until it is simplified to their level.

As I have discussed in many blog posts, until there are concrete reasons like compliance or experiences with Cybersecurity events there is no mention of disaster recovery or other ‘potential’ calamities. IT is supposed to handle this.

I believe the owner/managing person needs to be aware of a minimal set of standards, like making backups, ensuring they work, and defending against cyberattacks.

The problem is there are many compliance levels which are not good enough in some cases.  So what is a small business to do? This image is the problem:

With minimal Cybersecurity standards one can defend and ensure the viability of the business, even when automation creates an even greater reliance on technological advances with computing devices.

Here are a few cybersecurity automation examples from a 3-year-old DEF CON video:

https://www.youtube.com/watch?v=h5PRvBpLuJs

“Hack all the things 20 devices in 45 minutes”

There were many Android devices, from GoogleTV to standard routers, embedded multimedia, file storage devices, smart refrigerators, blu-ray devices, cloud connectivity devices, printers, baby listening devices, and devices that control on-off states of electrical appliances in a home.

The devices in our homes are not automated yet, because we have not dreamed up enough uses, but the video hacked them all, mostly using UART as a way into the hardware. The end result was almost always the same – full exploitation, in many cases giving full admin rights and allowing code to be run other than what the manufacturer intended.

As usual, in many cases the root password was simple and in plain text on the system.  It is obvious to me that Cybersecurity is not important at this time.

So in the coming days Fixvirus.com and Oversitesentry will propose a solution to this dilemma.

#SmallBusinessWeek Fail on Cybersecurity

I apologize, but I see most small businesses do not have plans in place for disaster recovery and Cybersecurity because it does not help them run their companies.

True, it does not help run the company, but it allows you to run the company after a Cyber event happens.

I have written about this before in the past few posts and weeks/months, but there is a definite disconnect between the decision makers and the current environment. Here is a past post where the mechanics of how cyber criminals make money make it clear, in dollars and cents, that the criminals are making MORE money every year.

I don’t want to bore you with actual criminal dollar numbers, because they are low estimates since people do not report the actual amount.

This picture from a past post also explains the large problem of database breaches.

 

To come back to my initial post – if you never back up your files in a proper way, then ‘when’ a problem occurs you will not have a business.

This isn’t even insurance, because if there are no files backed up then it is over. Insurance is “a thing providing protection against a possible eventuality”.

If you have cyberinsurance you can get some money back to rebuild your files. But you still have to rebuild.

If small businesses had proper IT practices, there would be no need for cyber insurance. Look around the world for others that perform good practices that will help you keep your information safe.

Saumil has presented 7 axioms of security at BlackHat Asia, online here: YouTube video

7 axioms of security

Intelligence Driven Defense

  1. Defense doesn’t mean risk reduction
  2. CISO’s job is Defense
  3. Schrödinger’s hack – i.e. test realistically
  4. Can’t Measure? Can’t use it
  5. Identify your target users, and improve them
  6. The best defense is a creative defense
    1. create credit cards with no usage except to tell you when it is used.
  7. Make defense Visible, make defense count
  • Intelligence means collect everything!
  • Get creative, get organic (organic security=grow it yourself)

Contact me to discuss: tonyz”@”fixvirus.com

 

Changing Default Passwords: Too Hard?

Is changing the default password on your devices too hard? Take, for example, the highest-profile devices (not IoT, Internet of Things, devices, but the ones that process money): POS (Point of Sale) terminals.

Above is an Ingenico ISC250 with a stand. (from discountcreditcardsupply.com)

Are manufacturers making it easy or hard to change the default password?

 

Well, if you Google “hacking a point of sale terminal”, then several interesting links come through:

Old news stories are relevant, as many businesses (small and large) do not make changes and purchase old equipment. A 2012 Wired story covered 63 POS systems breached using malware.

The story also mentioned 40 people arrested in Canada over a carding ring, which also tampered with POS terminals by stealing them and installing sniffers on them. This means they were able to modify the machines at will.

 

So this is why I mention the difficulty of changing the default password on these machines. Yet the password information is on the Internet, so if you are a hacker and wish to spend time to learn the password it is available for you to do so.

Helcim Support helpfully has the method of changing the password on their website:

Check the default password from the manufacturer: ‘123456P’. Not very sophisticated??? And the new password is to be 7 characters long with one letter. An amazing testament to the password schema from the manufacturer, Ingenico.

At oversitesentry we are dedicated to helping companies harden their security systems, including POS. Changing your default password is a must, and places you in compliance with PCI DSS (Payment Card Industry – Data Security Standard).

I don’t understand why owners and managers in charge of POS systems that depend on revenue from these systems have not understood the concept of changing the default password on their POS devices. Why am I mentioning this?

Because small businesses fail after a successful criminal cyber attack

(from a previous post among many on our blog)

The statistics are bad… but why is this? Is it that the default password is _REALLY_ that hard to change? Is it that difficult to make a Cyber policy?

I think that the managers and owners assume nothing will happen to them, because last month nothing happened.  Their education is based upon experiences and the news of companies being hacked is not a big deal.

VISA has stated in the past that the major problems (breaches) come from basic failures like not changing default passwords. See the Visa website for more information.

The following is a screenshot from a VISA presentation on PCI compliance challenges.

Card Present Vulnerabilities:

  • Insecure remote access used by attackers to gain access
  • Weak or default passwords and settings commonly used
  • Lack of network segmentation
  • Malware deployed to capture card data
    • Absence of anti-virus tools to detect malware

 

 

So I would like for you to contact me if you want to do something about this problem – tonyz”@”fixvirus.com or 314-504-3974 Tony Zafiropoulos.

What are the top 5 thoughts to keep in mind?

I was watching Feynman videos and saw this unique list (10 times Feynman blew our minds) that has insight into what we should focus on in Cybersecurity as well.

I wanted to distill this video into 5 top items and relate them to Cybersecurity.

#5 Asking How Things Work Can Start You on a path of discovery (the definition of a hacker), and keep asking how, make experiments etc.

#4 History is fundamentally irrelevant when trying to solve a new problem, as the new problem will not have an old-method solution. (Of course Feynman assumes you DO know the methods of the past.) This is akin to TTP (Tactics, Techniques, and Procedures) in Cybersecurity. We as humans tend to let our history guide our future, but if we want to solve new problems, we need to have new solutions. In this arena we do not need history (fundamentals still need to be known).

#3 In trying to learn about the world, ask questions and doubt. Can you live with doubt and approximations? Not everything learned is exact. In cybersecurity there are many areas that we do not know – for example: “How will the next attack come into our environment?” Can you live with this knowledge? We have to learn how to perform risk management with an incomplete picture.

#2 Naming things (xyz) does not give you knowledge (it allows you to talk to others about xyz). Fundamental knowledge is not about the name. Analogies are also bad, as they can mean different things to different people.

#1 Know that you don’t know – and what it is you don’t know (basic tenet of blue team defense).

As Rumsfeld has been known to say, “There are known knowns and known unknowns.” Things that you think you know that it turns out you did not.

 

With these 5 tenets we can develop the top 5 Cybersecurity tenets:

  1. Known unknowns – Keep searching for new methods to learn the environment in new ways.
  2. Explain methods and reasons without technical jargon.
  3. Always review your environment with a level of uncertainty.
  4. Tactics, Techniques, and Procedures cause a certain mindset to develop; one must still try to think outside the box to see the attacker’s viewpoint.
  5. Asking how things work is a good beginning, and eventually it can build into being a subject matter expert.

 

The Weak Link Gets Stressed

I’m always looking for more attack angles into the network.

What is the weakest link?

To know the answer to the question we need to investigate what Risk = likelihood * impact is in our organization.

It is more exciting to talk about higher productivity, faster computers, and sales of product xyz. But a weak link has to be monitored or it can become a disaster of your own doing. The Internet has improved productivity (and made us social media hogs) but has also allowed our computer environment to be affected by all the criminals of the world.

I have mentioned this in the last couple of posts, but Small business does not seem to get the message.

There are so many things to do in a small business just to stay afloat or to grow, that working on a backup strategy is just not important. How does a backup help sell product “xyz”?

It may not help with selling or operating a business, but when an IT failure occurs, will it be an annoyance – “recover the data please”? Or will it be a disaster, where we have to say things like… the computers are not operating right now… we are working using the old paper-based methods. A few years from now this will not work, as credit cards increasingly need a network to operate.

Getting the following message might make you pay the ransom, thinking you will have solved the problem ‘on the cheap’.

But if it happened once, it will happen again. You better fix this issue of management willpower. 60% of small businesses fail within 6 months of a Ransomware attack. There is a reason for this phenomenon. The weak link is the ignorance of the problem.

As you can see, the sophistication of criminals will get to the point that they will charge more for ransoming your own devices back to you. If management does not have the willpower to create the processes of sophistication to defeat digital criminals (and major disasters), then it will only be a matter of time and circumstances before the hole dug is going to be too deep.

Thus my conclusion is that the true “Weak Link” is management thinking itself. A minimal amount of time could be spent on defensive preparations, like 10% which I have recommended before: http://oversitesentry.com/what-is-your-budget-in-preventing-unforeseen-attacks/

Contact me to discuss this phenomenon.