
Sententia talks IoT hacking, surveillance & modem backdoors at ASIAL Conference

27 Jul 2017

At this week’s Security Exhibition and ASIAL conference, Sententia’s cybersecurity practice manager Tony Vizza hosted a session on how easy it is to hack physical security and IoT systems, and how organisations can fight back.

Speaking further to SecurityBrief, Vizza says that Sententia is a managed service provider that flies under the radar, particularly as it works with system integrators to make sure they implement the right security solutions.

Sententia supports major partners including Check Point, Kaspersky, F5, Fortinet, and strategic partners such as AWS and Microsoft.

At his ASIAL session on security hacking, Vizza explained to the crowd that, “The internet is filth. It’s hackers and rats, infiltrating the internet. It’s our job to make it clean.”

He also gave a profile of the typical hacker: 35 years old, with 80% affiliated with organised crime, hacking as their chosen occupation and in some cases state-sponsored.

Vizza revealed that the price of information and services on the dark web varies dramatically: a credit card number is worth only fifty cents, while having a piece of ransomware created can cost around $1500.

“The one that concerns me the most is DDoS. If you want to disable an organisation, it’s around $1000. If I’m a competitor who wants to sabotage your products, I can make your product fail.”

While DDoS attacks aren’t too common in Australia, hacking is still far too easy for attackers.

Check Point’s Philip Lowe hacked an iPad in front of the audience. Using a phishing email and social engineering, he got a fake app installed on the device; from there he could read the calendar and contacts, track the device’s location and record audio.

In terms of physical security, there have been cases where attackers compromised a contractor, which then gave them access to Target’s POS systems. That breach cost $162 million for the cleanup alone.

Even surveillance cameras have been put in the spotlight. One particular website lists security cameras whose IP addresses are publicly reachable, and the camera feeds themselves end up exposed on the internet.

Moving further into the internet security space, he also pointed out that telcos leave backdoors in the modems they supply, and that those modems all ship with the same default usernames and passwords.

While Vizza says he understands why they do it, securing them should be a major priority. It’s not, though, primarily because of the money involved in such a task.

“If telcos secured them through proper authentication, then absolutely you might want to put backdoors in. But if they’re not putting any authentication in place or leaving it as default, then it’s their responsibility.”
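The default-credential problem Vizza describes is easy to check for. The script below is an added example, not code from the article, from Sententia or from any telco: it audits a list of devices (modems, or the exposed cameras mentioned earlier) for acceptance of factory-default logins over HTTP Basic authentication. The candidate username/password list, the device labels and the two simulated modems it starts on 127.0.0.1 are all constructed for the demonstration; against real equipment you would point it at devices you are authorised to test.

```python
"""Default-credential audit for ISP-supplied modems (added example).

Assumptions (not from the article): the device's admin page sits behind
HTTP Basic authentication, and the factory-default pairs below are the
ones worth testing for.  Two simulated modems run locally so the script
works offline: one still on "admin/admin", one with a unique password.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed list of well-known factory defaults; extend it with the
# vendor's own documented defaults for the models you are auditing.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("admin", "")]


def _basic_token(user, password):
    """Encode user:password the way the Authorization header expects."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def make_handler(valid_user, valid_password):
    """Build a handler that mimics a modem admin page guarded by HTTP Basic
    auth with exactly one valid credential (simulation only)."""
    expected = _basic_token(valid_user, valid_password)

    class ModemAdmin(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<html>modem admin</html>")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="modem"')
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ModemAdmin


def start_simulated_modem(user, password):
    """Start a simulated modem on 127.0.0.1 and return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(user, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def accepts_default_credentials(host, port, candidates=DEFAULT_CREDENTIALS):
    """Return the first default (user, password) pair the device accepts,
    or None if it rejects all of them.  A 401 means "try the next pair";
    any other HTTP error is unexpected and is raised to the caller."""
    for user, password in candidates:
        req = Request(f"http://{host}:{port}/",
                      headers={"Authorization": _basic_token(user, password)})
        try:
            with urlopen(req, timeout=5) as resp:
                if resp.status == 200:
                    return (user, password)
        except HTTPError as err:
            if err.code != 401:
                raise
    return None


def audit(devices):
    """devices: iterable of (label, host, port).
    Returns {label: accepted default pair, or None when hardened}."""
    return {label: accepts_default_credentials(host, port)
            for label, host, port in devices}


def run_demo():
    """Audit one weak and one hardened simulated modem; returns the findings."""
    weak, weak_port = start_simulated_modem("admin", "admin")
    hardened, hardened_port = start_simulated_modem("admin", "Xk7!pQ2vL9mZ")
    try:
        return audit([("modem-A", "127.0.0.1", weak_port),
                      ("modem-B", "127.0.0.1", hardened_port)])
    finally:
        weak.shutdown()
        hardened.shutdown()


if __name__ == "__main__":
    for label, hit in run_demo().items():
        print(f"{label}: {'DEFAULT CREDENTIALS ACCEPTED ' + repr(hit) if hit else 'ok'}")
```

The audit stops at the first accepted pair and treats only a 401 as "keep trying", so a device that answers with a lockout page or a redirect surfaces as an error rather than being silently counted as hardened. Real modems often front their admin page with a form login rather than Basic auth, in which case the request logic changes but the idea of the check does not.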

But of course, telcos’ business decisions are only part of the puzzle. It’s up to the users to practice good cyber hygiene habits.

“User awareness is one of the worst areas of cybersecurity. There’s no other industry in which we shame the victim as much as we do in cybersecurity. People aren’t stupid; they’re just not professionals,” Vizza says.

“Social media engineering is going to be a big area. We volunteer information online all the time. We have no guides about what’s appropriate and what’s not appropriate,” he adds.

In the presentation, Vizza says that statistics from the US show that user awareness is only effective for around 28 days. Speaking in an interview with SecurityBrief, he explains that the short timeframe is primarily because life and other responsibilities take hold.

“You can’t just do the same course every 28 days because people will probably tune out. My argument is that you need to gamify it. You need to turn it into something fun or rewarding, then it can work.”

Commenting on Australia’s upcoming data breach notification laws, he says there will be a lot of focus on compliance and auditing.

The Privacy Commissioner will be more lenient towards organisations that have made a genuine effort to apply security, but will come down hard on those who think it’s not their problem.

Sententia's advice:

  • Have an information security strategy/plan
  • Secure networks and devices
  • Keep software and applications up to date
  • Secure your cloud environments
  • Have disaster recovery plan and data backups
  • Implement a data loss prevention strategy
  • Educate staff, suppliers and customers
  • Undertake cybersecurity assessments and reviews
  • Purchase cyber breach insurance policy
  • Consider a cybersecurity managed service partner.

Catch the final day of the Security Exhibition tomorrow July 28 at ICC Sydney.
