Story image

Sententia talks IoT hacking, surveillance & modem backdoors at ASIAL Conference

27 Jul 2017

At this week’s Security Exhibition and ASIAL conference, Sententia’s cybersecurity practice manager Tony Vizza hosted a session on how physical security and IoT is so easy, and how organisations can fight back.

Speaking further to SecurityBrief, Vizza says that Sententia is a managed service provider that flies under the radar, particularly as it works with system integrators to make sure they implement the right security solutions.

Sententia supports major partners including Check Point, Kaspersky, F5, Fortinet, and strategic partners such as AWS and Microsoft.

At his ASIAL session on security hacking, Vizza explained to the crowd that, “The internet is filth. It’s hackers and rats, infiltrating the internet. It’s our job to make it clean.”

He also gave a profile of the average hacker: 35, 80% affiliated with organised crime, it’s their choice of job and sometimes state-sponsored.

Vizza revealed that the average price of information on the dark web can vary dramatically - a credit card number is only worth fifty cents, but ransomware creation can be worth $1500. 

“The one that concerns me the most is DDoS. If you want to disable an organisation, it’s around $1000. If I’m a competitor who wants to sabotage your products, I can make your product fail.”

While DDoS attacks aren’t too common in Australia, hacking is still far too easy for attackers.

Check Point’s Philip Lowe hacked an iPad in front of the audience. Through phishing emails and social engineering, he was able to install a fake app on the device. He found out calendar, contacts and the location of the device. He was also able to record audio.

In terms of physical security, there have been cases where hackers attacked a contractor, which then left them access to Target’s POS systems. The breach cost $162 million, just for the cleanup.

Even surveillance cameras have been put in the spotlight. One particular website lists security cameras with their physical IP addresses left public – these can then be exposed on the internet.

Moving further into the internet security space, he also touched on the fact that telcos leave backdoors in modems. All modems have the same usernames and passwords.

While Vizza says he understands why they do it, securing them should be a major priority. It’s not, though, primarily because of the money involved in such a task.

“If telcos secured them through proper authentication, then absolutely you might want to put backdoors in. But if they’re not putting any authentication in place or leaving it as default, then it’s their responsibility.

But of course, telcos’ business decisions are only part of the puzzle. It’s up to the users to practice good cyber hygiene habits.

“User awareness is one of the worst areas of cybersecurity. There’s no other industry in which we shame the victim as much as we do in cybersecurity. People aren’t stupid; they’re just not professionals,” Vizza says.

“Social media engineering is going to be a big area. We volunteer information online all the time. We have no guides about what’s appropriate and what’s not appropriate,” he adds.

In the presentation, Vizza says that statistics from the US show that user awareness is only effective for around 28 days. Speaking in an interview with SecurityBrief, he explains that the short timeframe is primarily because life and other responsibilities take hold.

“You can’t just do the same course every 28 days because people will probably tune out. My argument is that you need to gamify it. You need to turn it into something fun or rewarding, then it can work.”

He comments on Australia’s upcoming data breach notification laws, and he says there will be a lot of focus on compliance and auditing.

The Privacy Commissioner will be more lenient towards organisations that have made efforts to apply security, but will come down heavy on those who think it’s not their problem.

Sententia's advice:

  • Have an information security strategy/plan
  • Secure networks and devices
  • Keep software and applications up to date
  • Secure your cloud environments
  • Have disaster recovery plan and data backups
  • Implement a data loss prevention strategy
  • Educate staff, suppliers and customers
  • Undertake cybersecurity assessments and reviews
  • Purchase cyber breach insurance policy
  • Consider a cybersecurity managed service partner.

Catch the final day of the Security Exhibition tomorrow July 28 at ICC Sydney.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.