Sententia talks IoT hacking, surveillance & modem backdoors at ASIAL Conference
At this week’s Security Exhibition and ASIAL conference, Sententia’s cybersecurity practice manager Tony Vizza hosted a session on how physical security and IoT is so easy, and how organisations can fight back.
Speaking further to SecurityBrief, Vizza says that Sententia is a managed service provider that flies under the radar, particularly as it works with system integrators to make sure they implement the right security solutions.
Sententia supports major partners including Check Point, Kaspersky, F5, Fortinet, and strategic partners such as AWS and Microsoft.
At his ASIAL session on security hacking, Vizza explained to the crowd that, “The internet is filth. It’s hackers and rats, infiltrating the internet. It’s our job to make it clean.”
He also gave a profile of the average hacker: 35, 80% affiliated with organised crime, it’s their choice of job and sometimes state-sponsored.
Vizza revealed that the average price of information on the dark web can vary dramatically - a credit card number is only worth fifty cents, but ransomware creation can be worth $1500.
“The one that concerns me the most is DDoS. If you want to disable an organisation, it’s around $1000. If I’m a competitor who wants to sabotage your products, I can make your product fail.”
While DDoS attacks aren’t too common in Australia, hacking is still far too easy for attackers.
Check Point’s Philip Lowe hacked an iPad in front of the audience. Through phishing emails and social engineering, he was able to install a fake app on the device. He found out calendar, contacts and the location of the device. He was also able to record audio.
In terms of physical security, there have been cases where hackers attacked a contractor, which then left them access to Target’s POS systems. The breach cost $162 million, just for the cleanup.
Even surveillance cameras have been put in the spotlight. One particular website lists security cameras with their physical IP addresses left public – these can then be exposed on the internet.
Moving further into the internet security space, he also touched on the fact that telcos leave backdoors in modems. All modems have the same usernames and passwords.
While Vizza says he understands why they do it, securing them should be a major priority. It’s not, though, primarily because of the money involved in such a task.
“If telcos secured them through proper authentication, then absolutely you might want to put backdoors in. But if they’re not putting any authentication in place or leaving it as default, then it’s their responsibility.
But of course, telcos’ business decisions are only part of the puzzle. It’s up to the users to practice good cyber hygiene habits.
“User awareness is one of the worst areas of cybersecurity. There’s no other industry in which we shame the victim as much as we do in cybersecurity. People aren’t stupid; they’re just not professionals,” Vizza says.
“Social media engineering is going to be a big area. We volunteer information online all the time. We have no guides about what’s appropriate and what’s not appropriate,” he adds.
In the presentation, Vizza says that statistics from the US show that user awareness is only effective for around 28 days. Speaking in an interview with SecurityBrief, he explains that the short timeframe is primarily because life and other responsibilities take hold.
“You can’t just do the same course every 28 days because people will probably tune out. My argument is that you need to gamify it. You need to turn it into something fun or rewarding, then it can work.”
He comments on Australia’s upcoming data breach notification laws, and he says there will be a lot of focus on compliance and auditing.
The Privacy Commissioner will be more lenient towards organisations that have made efforts to apply security, but will come down heavy on those who think it’s not their problem.
- Have an information security strategy/plan
- Secure networks and devices
- Keep software and applications up to date
- Secure your cloud environments
- Have disaster recovery plan and data backups
- Implement a data loss prevention strategy
- Educate staff, suppliers and customers
- Undertake cybersecurity assessments and reviews
- Purchase cyber breach insurance policy
- Consider a cybersecurity managed service partner.
Catch the final day of the Security Exhibition tomorrow July 28 at ICC Sydney.