Page 24 - Cyber Warnings
P. 24
marketplace create compelling feature parity, the option to reduce agents becomes a
reality. 2017 will be a good year to closely look at vendor renewals and evaluating which
systems have feature overlap, which ones you can keep, and which relationships you
can drop.
VI. Further exploitation of the IoT condition targeted to disrupt critical infrastructure will lead to
vendors finally "understanding" what security professionals have been warning about for
years.
For years security professionals have been
ringing the bell and raising the flags on the
Internet of Things condition. It seems as though
almost every consumer product is coming
equipped with IP access features these days. I
feel like it will not be too long before I utter the
words, “Back in my day, I didn’t have to update
the firmware of my toaster….”
Mirai took full advantage of the lax security on
IoT devices and fully proved in October what we
said would eventually happen. The day the
toasters attacked. Ok, so maybe it wasn’t exactly toasters, but Mirai was smart. The
scanner had a list of default username and passwords that are baked into a wide range
of IoT devices, many of them running telnet by default, and automated its way into the
future of home automation.
In my opinion, Mirai was just a test. A rather successful test at that. It proved that as
more and more devices come enabled for remote access and internet connectively the
greater the haul from a wide cast net designed to snag the weakest links. Frankly, we
are lucky it was just DNS that was taken out. I hope that it was a wake-up call for
vendors and a lesson to them that they can do better when it comes to how their devices
come configured by default.
Since Mirai, a firm called SEC Consult posted that it found backdoor user accounts
called “primana” and “debug” in Sony’s Ipela Engine IP Cameras. These accounts were
likely dev accounts that they should have removed at some point. Sony has since
released a firmware update to fix this, but now users have to make sure they update
these devices to delete these accounts. Updating firmware is still something I have seen
professionals get complacent about, yet we have highly technical smart devices
wrapped up in “easy to deploy” marketing reaching the hands of people that are not tech
savvy. At the same time, vendors are pushing accountability for secure configurations
down to their customers. Customers that do not know that these devices need to be
secured.
24 Cyber Warnings E-Magazine February 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
