The Countermeasure is security commentary and news focused on the enterprise, hand-delivered to your inbox every Saturday morning.
IoT security: yep, still 💩
In This Issue:
- IoT security: yep, still crap
- Dunkin’ Donuts has Holes in More Than Just Its Products
- Cyberwar: What Is it Good For?
- Project Furnace Is the Hot Newtech
IoT Security: Yep, Still Crap
Some days, it's easy to be fooled by a nice headline into thinking real progress is being made in the information security space, with stories like this: 'Picnic' Passes Test for Protecting IoT From Quantum Hacks. Unfortunately, it doesn't take long for reality to sink in. Reminders abound that for every victory we achieve, a dozen new failures enter the market: Xiaomi electric scooters vulnerable to remote hijacking.
IoT devices have real-world impacts that exist outside one's organization. Your business can be just as harmed because someone hacked your sysadmin's scooter as it can be because someone broke into your customer database. How IoT devices affect your staff, both inside the organization's walls and in their own homes, affects your organization. Education is the watchword here. Educate!
Dunkin’ Donuts has Holes in More Than Just Its Products
Dunkin' Donuts has experienced its second credential stuffing attack in three months. The attack affects the Dunkin' Donuts loyalty program, and is detailed in an excellent write-up over at Bleeping Computer: Dunkin' Donuts Issues Alert for Credential Stuffing Attack, Passwords Reset.
The notification put out by Dunkin' Donuts states that they learned about the attack on Jan. 10, 2019. It was uncovered by one of the security vendors that Dunkin' Donuts uses when this vendor detected attempts to access some of the loyalty program accounts. The Dunkin' Donuts case is interesting for a couple of reasons.
First, the part where Dunkin' Donuts was attacked twice in three months is instructive regarding the reality of IT. Being compromised, discovering that compromise, and coming out publicly about it don't prevent the same (or a similar) compromise from recurring. In fact, they probably raise the likelihood of that service or application being attacked, now that it's known to be vulnerable.
Coping with compromises can be hard. Credential stuffing in particular isn't something easily dealt with using technology alone. Business processes need to be put in place, and a lot of hard decisions need to be made about how much inconvenience to cause users, and where that inconvenience should be built in.
Second, this latest compromise event shows the value of security vendors. Nobody can prevent everything, but the ability to detect the compromise is valuable, and helps reduce the damage by catching it as early as possible.
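As an added illustration of what "detecting attempts to access some of the loyalty program accounts" can look like in practice (this is example code written for this issue, not the newsletter's, Dunkin' Donuts', or any vendor's actual detection logic), the snippet below runs a simple credential-stuffing heuristic over a few constructed login audit lines. The log format, the thresholds, and the sample addresses and accounts are all assumptions made for the example: one source address trying many distinct accounts in a short window, with most attempts failing, is the classic stuffing signature, and the accounts that did succeed from that source are the ones whose passwords need resetting.

```python
"""Credential-stuffing detection heuristic over login audit logs.

Added example; not part of the newsletter or any real loyalty-program
system. The log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>"
# 203.0.113.7 sprays eight different accounts in four seconds (stuffing);
# 198.51.100.4 is one user fumbling their own password (not stuffing).
SAMPLE_LOG = """\
2019-01-10T08:00:01 203.0.113.7 alice@example.com FAIL
2019-01-10T08:00:02 203.0.113.7 bob@example.com FAIL
2019-01-10T08:00:02 203.0.113.7 carol@example.com FAIL
2019-01-10T08:00:03 203.0.113.7 dave@example.com SUCCESS
2019-01-10T08:00:03 203.0.113.7 erin@example.com FAIL
2019-01-10T08:00:04 203.0.113.7 frank@example.com FAIL
2019-01-10T08:00:04 203.0.113.7 grace@example.com FAIL
2019-01-10T08:00:05 203.0.113.7 heidi@example.com SUCCESS
2019-01-10T08:05:00 198.51.100.4 alice@example.com FAIL
2019-01-10T08:05:30 198.51.100.4 alice@example.com FAIL
2019-01-10T08:06:00 198.51.100.4 alice@example.com SUCCESS
2019-01-10T09:00:00 192.0.2.9 bob@example.com SUCCESS
"""

WINDOW = timedelta(minutes=10)   # sliding window per source address (assumed)
MIN_DISTINCT_USERS = 5           # many different accounts from one source ...
MIN_FAILURE_RATIO = 0.5          # ... with mostly failed logins


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: summary} for sources whose pattern looks like stuffing.

    For each source address, slide a time window over its login events and
    flag it when the window holds at least `min_users` distinct accounts and
    at least `min_fail_ratio` of the attempts failed. The summary kept is the
    widest window seen, so the reported account list is complete.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, ok in window_evs if not ok)
            ratio = fails / len(window_evs)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(window_evs),
                        "failure_ratio": round(ratio, 2),
                        # Successful logins inside a stuffing burst are the
                        # accounts whose reused passwords were guessed right.
                        "compromised_accounts": sorted(
                            u for _, u, ok in window_evs if ok),
                    }
    return alerts


def accounts_to_reset(alerts):
    """Accounts that logged in successfully from a flagged source: force a reset."""
    return sorted({u for a in alerts.values() for u in a["compromised_accounts"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

The thresholds are deliberately crude; a production rule would also key on user agent, ASN and geography, and would be tuned against the normal failure rate of the login endpoint so that shared NAT addresses (offices, carrier-grade NAT) do not trip it. The point of the example is the shape of the decision: the signal is breadth across accounts plus a high failure ratio, not the failure count for any single account, which is why per-account lockout alone does not catch it.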
Incident response plans should be reviewed to establish a clear chain of command for making decisions post-compromise. Hard calls will have to be made about how to lock down affected services, and how to modify them to be once more made available for public consumption. Dithering, and/or too many cooks in the kitchen, slow everything down, and can cause recovery to take so long that additional compromise events occur.
Cyberwar: What Is it Good For?
Militaries around the world are weaponizing the Internet. That's all part of their job. They also have a tough time recruiting talent when private demand for information security pros is so high, driving wages beyond what governments can provide. And that's before looking at the ethical concerns that many hackers have about government surveillance and the rapid erosion of civil liberties.
Militaries are responding to this by encouraging people to consider a career in information security using every means available, including drone hacking competitions. Of course, the flip side to this is that the more technologically competent individuals there are, the higher the likelihood of a compromise event, something that has recently been a bit of an issue for the U.S. military.
None of this will stop militaries around the world from pursuing cyberwar, of course, and they increasingly have the backing of industry: Security Pros Agree Military Should Conduct Offensive Hacking.
What's worth bearing in mind is that militaries all around the world, belonging to nations of all sizes, are really stepping up their recruitment game. This is not a joke or a game to them. They’re deadly serious about this, and the repercussions are worth thinking seriously about.
We've already seen innumerable examples of the world's superpowers being willing to mix trade negotiations with industrial espionage and cyberwar. While many information security experts still say that it isn't worth worrying about state actors, the larger your organization is – and/or the more interesting the things your organization does – the more you legitimately have to worry. State-sponsored, and state-committed, hacking is increasing, and it's better to start planning for the new reality than be caught up in it when the fur starts to fly.
Project Furnace Is the Hot Newtech
New technology discussions can often seem like someone caused a dictionary to explode. NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps? Unfortunately, the "words" emitted in any newtech discussion are often unique to that discussion. Serverless has occupied this space for some time, and *Ops is the new linguistic hotness.
Under it all, however, are real problems being solved by real technologies. Project Furnace in particular is worth some serious consideration, as it may well solve some very real issues facing organizations pursuing "digital transformation," the buzzword for "making parts of the organization that don't use IT and/or automation use IT and/or automation."
It's time to take a look at Project Furnace, and see whether or not this can bring some of the unruly newtech platforms in use by *Ops teams to heel.
This Week in Phishing
A couple of phishing articles this week that didn't quite make the cut for headline articles, but are absolutely worth flagging up as interesting reads.
- Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions
- Weird Phishing Campaign Uses Links With Almost 1,000 Characters
Thread of the Week
This thread is a nice glass of cold water for those who don't have a complete understanding of the statistical likelihood of various types of attacks.
"0hday/Zeroday/0-day exploits should be the least of your worry. Adversaries mostly won't be using them" – Daniel Cuthbert
Podcast of the Week
From dispelling 2FA myths to talking about $10 million in proposed fines for "cybersecurity violations" by a U.S. energy utility, this podcast is a must.
The Cyberlaw Podcast: We Give You Weaver
Tool of the Week