The ‘S’ in IoT Stands for ‘Secure’


In This Issue:

  • Baby steps to blockchain
  • Yes, you have been pwned
  • ‘IoT security’: an Oxymoron
  • Hack-a-Tesla

Have You Heard? Blockchain Is Hard

Not only is "something something blockchain" not the answer to every problem, but anything involving blockchain tech is also really complicated. Consider, for example, the recent attacks against Ethereum. The original explanation of the Ethereum attack is dense: Constantinople enables new Reentrancy Attack. Fortunately, an infographic has popped up to make things a bit clearer.
 
The technical details, while interesting, aren't actually what's important here. What's important is that Ethereum is not some fly-by-night, me-too cryptocurrency. It is one of the major cryptocurrencies of the world, and the code behind it regularly has many eyes going over it.
 
The larger-than-usual community of developers and auditors comes with a commensurate increase in attackers. Though this will come as no great surprise to regular Countermeasure readers, even the experienced and capable folks behind Ethereum aren't ninja masters of blockchain. So the chances that anyone in your organization understands blockchain (and its associated software) well enough to deploy it for anything sensitive are pretty small.

Countermeasure:

Take baby steps when deploying blockchain-based technologies within your organization. While there is no doubt that the technology will find its niche, even the (quite rare) experts have trouble with it. Learn, audit, and learn some more. Blockchain comes with unique vulnerabilities; learn from the SQL injection fiasco of the 90s and 00s and let others learn what not to do first.

Read More >

773 Million Records Compromised; Emails and Passwords Both

Troy Hunt – of Haveibeenpwned fame – has released details on The 773 Million Record "Collection #1" Data Breach. This is the largest single breach yet added to haveibeenpwned, and it includes passwords, not just e-mail addresses.
 
Haveibeenpwned will not give out combinations of email addresses and passwords. Instead, it will reveal whether individual e-mail addresses have been part of a breach. There is also a Pwned Passwords page to check if your favorite passwords have been compromised.

Countermeasure:

NIST recommends checking your passwords against the known passwords list. Do not use any passwords that appear in Pwned Passwords. Learn to use e-mail aliases so that you can determine when you have been compromised, and by whom. Credential hygiene education – especially the use of password managers, and limiting password reuse – should once more be top priority.
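The Pwned Passwords check above can be automated in an account-creation or password-change flow without ever sending the password (or its full hash) off your systems. The range endpoint takes only the first five hex characters of the password's SHA-1 and returns every matching 35-character suffix with its breach count, so the lookup is k-anonymous. The following Python is an added example written for this issue, not code from the newsletter or from Troy Hunt's service; the breach counts in `CONSTRUCTED_BREACH_DATA` are made up for the demo, and `fetch_range_live` assumes network access to the real `api.pwnedpasswords.com` endpoint.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per line, CRLF-separated) into a dict.
    Malformed lines are skipped rather than trusted. Padding entries, which the
    API can add on request, arrive with a count of 0 and are kept as 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:
            continue
        try:
            counts[suffix] = int(count.strip())
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    (0 means not found). Only the hash prefix leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range API (assumes network access).
    'Add-Padding' asks the service to pad responses so their size leaks nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_fetcher(known: Dict[str, int]) -> Callable[[str], str]:
    """Build a fake range responder from plaintext->count pairs so the check
    can be exercised offline. Constructed for the demo; not real breach data."""
    by_prefix: Dict[str, list] = {}
    for plaintext, n in known.items():
        p, s = sha1_prefix_suffix(plaintext)
        by_prefix.setdefault(p, []).append(f"{s}:{n}")

    def fetch(prefix: str) -> str:
        lines = by_prefix.get(prefix, [])
        return "\r\n".join(lines) + ("\r\n" if lines else "")

    return fetch


# Hypothetical counts, constructed for this example only.
CONSTRUCTED_BREACH_DATA = {"password": 3730471, "letmein": 238456, "qwerty123": 1}


def password_is_acceptable(password: str, fetch_range: Callable[[str], str] = None) -> bool:
    """Policy hook for a signup/reset form: reject anything seen in a breach.
    Defaults to the constructed offline data; pass fetch_range_live for real checks."""
    fetch = fetch_range or make_offline_fetcher(CONSTRUCTED_BREACH_DATA)
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        verdict = "REJECT" if not password_is_acceptable(candidate) else "ok"
        print(f"{candidate!r}: {verdict}")
```

Wire `password_is_acceptable(candidate, fetch_range_live)` into the form handler and fail closed on network errors only if your threat model prefers a blocked signup over an unchecked password; otherwise log the failure and fall back to local rules. Rate-limit the check per client, since it runs on every attempt.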

Read More >

Planes, Cranes, and Automobiles: IoT Security Continues To Be Wretched; Tesla Will Pay You To Hack Their Car

It's time for the weekly reminder that IoT security is non-existent: Why Internet Security Is So Bad. Bruce Schneier has a point. Early 2019 has been really terrible for IoT breaches and vulnerabilities. We already knew airplanes were hackable, but now they can also be grounded by drones, an attack type that is likely to be re-used, since it has proven effective.
 
Hackable trains are old news, so this week it’s hackable cranes. Yes, construction cranes. Devices that can move and drop tens of tons of material. There is no security. None. Look upon the reports, ye techy, and weep.
 
In the lone IoT bright spot, Tesla has learned from the security woes of other auto manufacturers and is offering up its Model 3 for public pen testing at the Pwn2Own CanSecWest security conference. There are cash bounties to be earned, and one successful hacker gets to take home the car. A security conference will let you hack a Tesla car and earn cash prizes.

Countermeasure:

Some things really don’t need to be connected to the Internet. Like your keyboard. Or your air conditioner. Some smart devices have dumb versions that perform their functions just fine. This is not to say that entirely abandoning automation and remote management of devices is practical, or necessary, but do check the default security settings on every connected device; there may not be any at all.
 
Or, if you’re into that sort of thing, use blockchain. Blockchain may be immature, and the skills rare, but it's still more secure than most things IoT.

Read More >

Bat Signal of the Week

The development notebook of the main developer of SecBSD – an infosec-focused BSD distribution – has broken. A Gofundme page has been set up, asking for the modest sum of $1,776.88 USD to replace it.

Podcast of the Week

New podcast this week: Pardon the penetration
 
Sweet Cyber Jones (@jaidbarrett) does an excellent job of explaining the premise herself: "So I had the idea last year when listening to Security podcasts I didn't find or hear any PoC talking about InfoSec (if they weren't a guest on a show) so I wanted to change that."

Infographic of the Week

While not overtly infosec related, this infographic is a good overview of the Domain Name System (DNS). DNS is at the heart of so much of modern IT, making it an absolutely critical element of base knowledge, especially for those seeking to start out in infosec. This infographic is worth keeping around to educate junior team members.
 
Domain Facts

Thread of the Week

This week's thread is another discussion on gatekeeping in infosec. It's stupid, and absolutely none of us should support it. We've enough trouble finding warm bodies willing to do this work without bullying colleagues using entirely arbitrary datasets.
 
"There is a newly created website that basically assigns a Klout score to security researchers and conferences." – Shannon Snubs (@Snubs)

Tool of the Week

Metasploit major update!
 
Metasploit, popular hacking and security tool, gets long-awaited update

Quick Links

Life in cybercrime isn't easy, and sometimes it's downright bizarre. Two hackers get jail time for separate DDoS attacks, and a civil suit over a cryptocurrency theft gets weird. Two court decisions this week gave out stern sentences, seemingly wanting to make an example of the defendants. Evidence submitted in the second trial gave a glimpse into the sometimes surreal lives of cyber criminals. (Fleeing to Cuba in a used speedboat, having to be rescued by a Disney Cruise ship when the escape vehicle broke down in the middle of the ocean.)
