As one of the world’s most sophisticated technology companies, whose primary business is running web sites, was hacked, a New York Times Company (NYSE:NYT) reporter discovered that his computer-automated car had been stolen not by thieves using physical force but by roaming computer hackers who illegally opened it.
In other news, trends toward self-driving cars, “the internet of things” and military drones being considered to make kill decisions on the battlefield, all of which depend on remote security technology, come as hackers are increasingly winning the game over technical security measures.
Google hacked in Malaysia through domain name service re-direction
The hack took place at the domain name service (DNS) and rerouted traffic to the pirate web site. A Google official contacted the firm operating the domain name service in Malaysia and corrected the problem within minutes of it being noticed.
“We’re aware that some users are having trouble connecting to google.com.my, or are being directed to a different website,” a Google spokesperson told The Wall Street Journal. “We’ve reached out to the organization responsible for managing this domain name and hope to have the issue resolved shortly.”
Today’s hack follows an incident in February when someone re-directed traffic from the web site to a pirated web site.
Breaking into a locked car without breaking glass or touching the vehicle
Nick Bilton found out how easy it is for someone to break into a car. The New York Times technology columnist, living in the Hollywood Hills section of Los Angeles, happened to watch a group of teenagers riding bikes when they stopped in front of Bilton’s Toyota Prius.
The teenagers pulled out a computerized device that essentially guessed at the code that opened the car doors without touching the car. The computer operates by continually trying different algorithmic numeric combinations to unlock the car.
Speaking in a CNN interview, Bilton said the issue is concerning for a host of reasons, but on a basic level cars with old-fashioned locks require a thief to break glass (or manipulate the lock) to gain access, which attracts attention. A hacker who breaks into the car looks like the owner in a normal setting, he said.
NASA HACK EXPOSES SPACE AGENCY STAFF’S DATA
Nasa has emailed its staff to warn them that hackers may have stolen their personal details.
The message said it suspected that two of its servers containing details of past and present employees had been compromised.
It added that it did not believe any Nasa mission had been put in jeopardy.
One expert noted that this was the latest in a series of breaches experienced by the space agency to have been made public since 2011.
In this case, the memo involved was published by the SpaceRef news site.
It said that a probe into the incidents had been ongoing since 23 October.
“Our entire leadership team takes the protection of personal information very seriously,” it said.
“Nasa is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure that the latest security practices are being followed throughout the agency.”
The email added that social security numbers and other private information belonging to civil service employees of the agency who had worked for it since July 2006 might have been affected.
Previous attacks include an incident in which hackers took control of computers in Nasa’s Jet Propulsion Laboratory in 2011, and an attack in 2013 that led to eight Nasa web domains being defaced by a gang calling itself the Master Italian Hackers Team.
“The public want to know that this government agency is learning from the past, we want the post-mortem,” commented Sam Curry, chief security officer at Cybereason.
“There are many things at Nasa in the national security domain which are of vital importance.”
THE IOT’S PERPLEXING SECURITY PROBLEMS
Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.
The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.
Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.
Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.
IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, for example, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.
Shadow IoT Devices on Enterprise Networks
One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.
The reported shadow IoT devices included the following:
- Fitness trackers – 49 percent;
- Digital assistants such as Amazon Alexa and Google Home – 47 percent;
- Smart TVs – 46 percent;
- Smart kitchen devices such as connected microwaves – 33 percent; and
- Gaming consoles – 30 percent.
There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.
Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.
“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.
“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.
More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.
However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.
Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.
Security for the IoT
“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.
“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.
Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”
Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.
For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.
A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.
“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.
Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”
Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”
Medical Devices and IoT Security
The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.
Medical device manufacturers increasingly have been incorporating connectivity to the Internet, but 53 percent of healthcare providers and 43 percent of medical device manufacturers don’t test their medical devices for security, noted Siddharth Shah, a healthcare industry analyst at Frost & Sullivan.
Few have taken significant steps to avoid being hacked, he told the E-Commerce Times.
Network-connected medical devices “promise an entirely new level of value for patients and doctors,” said Frost & Sullivan healthcare industry analyst Kamaljit Behera.
However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.
“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”
The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.
“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.
Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.
CRYPTOHACKERS BREACH STATCOUNTER TO STEAL BITCOINS
The malicious code was added to StatCounter’s site-tracking script last weekend, he reported Tuesday.
The malicious code hijacks any bitcoin transactions made through the Web interface of the Gate.io cryptocurrency exchange. It does not trigger unless the page link contains the “myaccount/withdraw/BTC” path.
The malicious code can secretly replace any bitcoin address that users enter on the page with one controlled by the attacker. Security experts view this breach as critical because so many websites load StatCounter’s tracking script.
Limited Target, Broad Potential
The attack also is significant because it shows increased sophistication among hackers regarding the tools and methods they use to steal cryptocurrency, noted George Waller, CEO of BlockSafe Technologies.
Although this form of hijacking is not a new phenomenon, the way the code was inserted was.
The growth of the cryptocurrency market and its emerging asset class has led hackers to increase their investments in devising more robust attempts and methods to steal it. The malware used is nothing new, but the method of delivering it is.
“Since the beginning of 2017, cryptocurrency exchanges suffered over (US)$882 million in funds stolen through targeted attacks across at least 14 exchanges. This hack adds one more to the list,” Waller told TechNewsWorld.
In this instance, attackers chose to target the users at Gate.io, an important cryptocurrency exchange, said Eset’s Faou. When a user submitted a bitcoin withdrawal, attackers in real time replaced the destination address with an address under their control.
Attackers were able to target Gate.io by compromising a third-party organization, a tactic known as a “supply chain attack.” They could have targeted many more websites, Faou noted.
“We identified several government websites that are using StatCounter. Thus, it means that attackers would have been able to target many interesting people,” he said.
Telling Financial Impact
Gate.io customers who initiated bitcoin transactions during the time of the attack are most at risk from this breach. The malware hijacked transactions legitimately authorized by the site user by changing the destination address of the bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.
As a rule, the number of third-party scripts, such as StatCounter, should be kept to a minimum by webmasters, as each represents a potential attack vector. For exchanges, additional confirmations for withdrawals would have been beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves.
“Gate.io has taken down StatCounter, so this particular attack should be concluded,” Boshell told TechNewsWorld.
The extent of the loss and the fraud exposure for this breach is not yet quantifiable. The attackers used multiple bitcoin addresses for the transfers, Boshell added, noting that the attack could have been deployed to impact any site using StatCounter.
Protection Strategies Not Foolproof
StatCounter needs to improve its own code audit and constantly check that only authorized code is running on its network, suggested Joshua Marpet, COO at Red Lion. However, most users will not realize that StatCounter is at fault.
“They’ll blame Gate.io, and anything could happen — loss of business, ‘run on the bank,’ and even closing their doors,” he told TechNewsWorld.
Checking the code is not always a workable prevention plan. In this case, the malware code looked like the Gate.io user’s own instructions, noted Privacy Counsel’s Boshell.
“It was not easily detectable by the fraud tools that Gate.io uses to protect against and detect malware,” she said.
Network admins are not really affected in this type of breach, as the malicious code is processed at the workstation/laptop rather than on the webserver, according to Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust. It also does not provide any mechanism to gain control over the system.
“In essence, a lot of stars need to line up to make this a significant risk in that regard,” he told TechNewsWorld. “Effective vulnerability and privilege management would naturally limit the impact of any intrusion.”
That is the direction in which admins need to look. There is nothing they can do to control the initial attack, assuming the targeted websites are accepted sites within their organization, Chappell added.
Even a well-protected website can be breached by compromising a third-party script, noted Eset’s Faou.
One potential strategy is to screen for scripts that replace one bitcoin address with another, suggested Clay Collins, CEO of Nomics.
Using analytics services that have a good security reputation is part of that, he told TechNewsWorld.
“Folks with ad/script blockers were not vulnerable,” Collins said.
More Best Practices
Traffic analysis, website scanning and code auditing are some of the tools that could have detected that something was causing abnormal transactions and traffic, noted Fausto Oliveira, principal security architect at Acceptto. However, it would have been ideal to prevent the attack in the first place.
“If the Gate.io customers had an application that requires strong out-of-band authentication above a certain amount, or if a transaction is aimed at an unknown recipient, then their customers would have had the opportunity to block the transaction and gain early insight that something wrong was happening,” Oliveira told TechNewsWorld.
Using script blocking add-ons like NoScript and uBlock/uMatrix can put a measure of personal control in the website user’s hands. It makes Web browsing more challenging, noted Raymond Zenkich, COO of BlockRe.
“But you can see what code is being pulled into a site and disable it if it is not necessary,” he told TechNewsWorld.
“Web developers need to stop putting third-party scripts on sensitive pages and put their responsibility to their users over their desire for advertising dollars, metrics, etc.,” Zenkich said.
Beware Third-Party Anythings
As a rule, the number of third-party scripts should be kept to a minimum by webmasters, suggested Zenchain cofounder Seth Hornby, as each one represents a potential attack vector.
“For exchanges, additional confirmations for withdrawals would also be beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves,” he told TechNewsWorld.
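The extra withdrawal confirmation that Oliveira and Hornby describe, sketched as an added example (not Gate.io's code and not from the original article): the server parks any withdrawal to an unknown recipient or above a threshold until it is confirmed over a second channel, so an address swapped in the browser surfaces as a mismatch. The function names, the threshold, the placeholder addresses and the re-entry step are all assumptions.

```javascript
// Added example: server-side withdrawal guard. Every name here is hypothetical.
const crypto = require("crypto");

const OOB_THRESHOLD_SAT = 5_000_000;  // assumed policy: 0.05 BTC, in satoshis
const pending = new Map();            // confirmationId -> parked withdrawal

// Constructed placeholder strings, not real bitcoin addresses.
const USER_ADDR = "addr-user-cold-wallet-EXAMPLE";
const ATTACKER_ADDR = "addr-swapped-in-browser-EXAMPLE";

// Decide whether a request executes directly or must be confirmed over a
// second channel that scripts running in the withdrawal page cannot reach.
function evaluateWithdrawal(user, request) {
  const reasons = [];
  if (!user.knownAddresses.includes(request.address)) reasons.push("unknown_recipient");
  if (request.amountSat > OOB_THRESHOLD_SAT) reasons.push("amount_over_threshold");
  if (reasons.length === 0) return { action: "execute", reasons };

  const confirmationId = crypto.randomBytes(16).toString("hex");
  pending.set(confirmationId, { userId: user.id, ...request });
  return {
    action: "confirm_out_of_band",
    reasons,
    confirmationId,
    // Shows the address the server received, which is the swapped one if the
    // page was tampered with.
    message: `Confirm ${request.amountSat} sat to ${request.address}`,
  };
}

// Assumption: the second channel asks the user to re-enter the destination.
// The withdrawal is released only if it matches what the server received.
function confirmWithdrawal(confirmationId, userId, addressFromUser) {
  const parked = pending.get(confirmationId);
  if (!parked || parked.userId !== userId) return { ok: false, error: "no_such_request" };
  pending.delete(confirmationId);  // single use, whatever the outcome
  if (parked.address !== addressFromUser) return { ok: false, error: "address_mismatch" };
  return { ok: true, address: parked.address, amountSat: parked.amountSat };
}

// The scenario from the article: the user types USER_ADDR, the injected script
// rewrites the form field, and the server receives ATTACKER_ADDR instead.
function simulateTamperedWithdrawal() {
  const user = { id: "u1", knownAddresses: [USER_ADDR] };
  const decision = evaluateWithdrawal(user, { address: ATTACKER_ADDR, amountSat: 1_000_000 });
  const outcome = confirmWithdrawal(decision.confirmationId, user.id, USER_ADDR);
  return { decision, outcome };
}
```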
Even third-party outsourcing solutions can open the door to cyber shenanigans, warned Zhang Jian, founder of FCoin.
“So many companies within the cryptocurrency space rely on third-party companies for different duties and tasks. The ramification of this outsourcing is a loss of accountability. This puts many companies in a tough spot, unable to locate attacks of this nature before it is too late,” he told TechNewsWorld.
Instead, network admins should work toward creating in-house versions of their tools and products, from beginning to end, Jian suggested, to ensure that control of these security measures lies within their reach.