Story image

Sententia talks IoT hacking, surveillance & modem backdoors at ASIAL Conference

27 Jul 2017

At this week’s Security Exhibition and ASIAL conference, Sententia’s cybersecurity practice manager Tony Vizza hosted a session on how physical security and IoT is so easy, and how organisations can fight back.

Speaking further to SecurityBrief, Vizza says that Sententia is a managed service provider that flies under the radar, particularly as it works with system integrators to make sure they implement the right security solutions.

Sententia supports major partners including Check Point, Kaspersky, F5, Fortinet, and strategic partners such as AWS and Microsoft.

At his ASIAL session on security hacking, Vizza explained to the crowd that, “The internet is filth. It’s hackers and rats, infiltrating the internet. It’s our job to make it clean.”

He also gave a profile of the average hacker: 35, 80% affiliated with organised crime, it’s their choice of job and sometimes state-sponsored.

Vizza revealed that the average price of information on the dark web can vary dramatically - a credit card number is only worth fifty cents, but ransomware creation can be worth $1500. 

“The one that concerns me the most is DDoS. If you want to disable an organisation, it’s around $1000. If I’m a competitor who wants to sabotage your products, I can make your product fail.”

While DDoS attacks aren’t too common in Australia, hacking is still far too easy for attackers.

Check Point’s Philip Lowe hacked an iPad in front of the audience. Through phishing emails and social engineering, he was able to install a fake app on the device. He found out calendar, contacts and the location of the device. He was also able to record audio.

In terms of physical security, there have been cases where hackers attacked a contractor, which then left them access to Target’s POS systems. The breach cost $162 million, just for the cleanup.

Even surveillance cameras have been put in the spotlight. One particular website lists security cameras with their physical IP addresses left public – these can then be exposed on the internet.

Moving further into the internet security space, he also touched on the fact that telcos leave backdoors in modems. All modems have the same usernames and passwords.

While Vizza says he understands why they do it, securing them should be a major priority. It’s not, though, primarily because of the money involved in such a task.

“If telcos secured them through proper authentication, then absolutely you might want to put backdoors in. But if they’re not putting any authentication in place or leaving it as default, then it’s their responsibility.

But of course, telcos’ business decisions are only part of the puzzle. It’s up to the users to practice good cyber hygiene habits.

“User awareness is one of the worst areas of cybersecurity. There’s no other industry in which we shame the victim as much as we do in cybersecurity. People aren’t stupid; they’re just not professionals,” Vizza says.

“Social media engineering is going to be a big area. We volunteer information online all the time. We have no guides about what’s appropriate and what’s not appropriate,” he adds.

In the presentation, Vizza says that statistics from the US show that user awareness is only effective for around 28 days. Speaking in an interview with SecurityBrief, he explains that the short timeframe is primarily because life and other responsibilities take hold.

“You can’t just do the same course every 28 days because people will probably tune out. My argument is that you need to gamify it. You need to turn it into something fun or rewarding, then it can work.”

He comments on Australia’s upcoming data breach notification laws, and he says there will be a lot of focus on compliance and auditing.

The Privacy Commissioner will be more lenient towards organisations that have made efforts to apply security, but will come down heavy on those who think it’s not their problem.

Sententia's advice:

  • Have an information security strategy/plan
  • Secure networks and devices
  • Keep software and applications up to date
  • Secure your cloud environments
  • Have disaster recovery plan and data backups
  • Implement a data loss prevention strategy
  • Educate staff, suppliers and customers
  • Undertake cybersecurity assessments and reviews
  • Purchase cyber breach insurance policy
  • Consider a cybersecurity managed service partner.

Catch the final day of the Security Exhibition tomorrow July 28 at ICC Sydney.

Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.