October was the global cyber security month 2017. Looking back, it seems that it should’ve been named cyber insecurity month. For some reason it felt like October provided bad infosec news on a daily basis. On one particular Monday I felt that there’s no hope anymore for the online world as companies continued to screw up across the board and security products / protocols were essentially reduced to ashes.
What happened? A recap of the month follows, with a glint of hope for some of the cases. Please note that some of these examples were reported in October, not necessarily discovered then.
WPA2 broke down. A vulnerability in the WPA2 protocol itself was reported, and the KRACK attack showed that the security of Wi-Fi Protected Access 2 could simply be obliterated. Fortunately this discovery has limitations – it’s not possible to exploit this fault without proximity to the network. Remedies for the insecurity were also fairly easy to implement: add security on a layer on top of the Wi-Fi (network) layer, or update your hardware – if an update is available. One good best-practice tip: always use a VPN when you are not on a wired connection.
A faulty software library used in millions of chips that power electronic identity cards and TPM modules in computing devices resulted in weak asymmetric keys. The fault in the key generation process means that someone could discover the secret key. The discovery still requires a hefty amount of computing power, but compared to properly generated keypairs, the process takes a minuscule fraction of the time and processing. The bad part remains: the secret key is discoverable. This begs the question – how many other faulty libraries are out there?
30 GB of military data was breached. An Australian subcontractor in the military sector leaked a ton of information on modern military craft, including the F-35. What’s astounding is that the company used Internet-facing services with default user ID and password combinations (admin :: admin). This is a facepalm moment. If you outsource or collaborate, please make sure your partner has a proper infosec posture.
Do I need to mention the continuous screw-ups from Equifax? The cyber security month 2017 is too short to cover all that’s happened with this company.
Tons of data was exposed when Accenture left their Amazon Web Services (AWS) storage containers, called buckets, open for public access. Fortunately, it seems that the data was not breached or downloaded by anyone with bad intentions. Still – a “slight” oops & phew moment for the consulting & cloud giant. BTW – googling “S3 bucket exposed” gives you a bucket load (pun intended) of companies who have not configured their AWS properly (securely).
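What “open for public access” looks like in practice is a bucket policy or ACL that grants rights to an anonymous principal. As an added example (not from the original post or from AWS), the checker below flags the two places where that happens: a policy statement whose Principal is `*`, and an ACL grant to the AllUsers or AuthenticatedUsers group. The bucket name, account ID and role name in the samples are constructed.

```python
import json

# Grantee URIs that make an S3 ACL readable by everyone or by any AWS account holder.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def policy_is_public(policy: dict) -> bool:
    """True if any Allow statement names the anonymous principal ("*")."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if "*" in ([aws] if isinstance(aws, str) else aws):
                return True
    return False


def acl_is_public(acl: dict) -> bool:
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES
        for g in acl.get("Grants", [])
    )


# Constructed sample: a policy that leaves every object readable by the world.
OPEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

# Constructed sample: the same read grant limited to one role in a made-up account.
LOCKED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

# Constructed sample ACL (shape of a GetBucketAcl response) with a world-readable grant.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
```

Running these checks over the output of GetBucketPolicy and GetBucketAcl for every bucket in an account is a quick way to spot the misconfiguration before a search engine does.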
On October 19th Check Point reported that a massive IoT botnet, “Reaper”, was forming. This botnet uses a more subtle method of spreading compared to the rampaging Mirai botnet. The Reaper epidemic is yet another example of smart != secure; in nerd talk, that means smart does not equal secure. It was estimated that around a million connected devices were infected already. Later reports cut the number of infected devices down considerably, to a “mere” 10,000 – 20,000 range. So – it’s still a big question mark.
The end of October saw a classic USB drive mishap. Sensitive information from Heathrow security turned up on a USB memory stick found on a street. It contained detailed data about the security measures and routes of the Queen and several members of the cabinet, along with other sensitive data.
So – the cyber security month 2017 was definitely interesting. Should we despair? Not really… when you sit down for a while and think about it. Quite a few of these incidents could have been avoided with simple common sense. Don’t take sensitive data away from the office on a USB stick – why would you need to do that anyway? If you outsource or partner with someone, make sure their security policies are sane (and followed). Remember that the cloud is just someone else’s computer – if you put something out there, secure it. To keep safe, make sure your gadgets are up to date and prefer vendors who are committed to delivering OS / software updates.
And of course, if you need to improve the management of your customer identities or need help towards GDPR compliance – contact us now.
About The Author: Petteri Ihalainen