CYBER FUTURE: SECURITY AND PRIVACY DOOMED?

21 September 2017

Rob Clyde, CISM, NACD Board Leadership FellowManaging Director, Clyde Consulting LLCVice-Chair, ISACAExecutive Chair White Cloud SecurityExecutive Advisor to BullGuard and HyTrust

NEW MANUFACTURING COMPANIES AREREALLY SOFTWARE COMPANIES

3

Tesla is a software company as much as it is a hardware company." Elon Musk, Tesla CEO

OLD MANUFACTURING COMPANIES ARE SOFTWARE COMPANIES TOO?

4

"If you went to bed last night as an industrial company, you're going to wake up today as a software and analytics company,"Jeff Immelt, CEO General Electric

SOON EVERY BUSINESS WILL BE A DIGITAL BUSINESS

5

WITH SOFTWARE AT THE CORE

DIGITAL OUTAGES LIKE THOSE AT THE AIRLINES AND NEW YORK STOCK EXCHANGE ARE THE NEW NATURAL DISASTERS

6

British Airways computer glitch causes big delays at multiple airports

FTC Opens Probe into Equifax Data BreachApache Struts flaw was known to be critical and should have been addressed, security researchers say.The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

9/14/2017

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and drivers license numbers exposed

By AnnaMaria Andriotis and Ezequiel MinayaUpdated Sept. 8, 2017 9:48 a.m. ET

CYBER ATTACKS HAVE MAJOR IMPACTS

8

CONNECTED DEVICES ON PUBLIC INTERNET

9

10

USING THE INTERNET OF THINGS TO SPY?

11 | 9/20/2017

In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment, says James Clapper, US director of national intelligence.

Photograph: Alex Brandon/AP

MIGHT USE INTERNET TO SPY?

12

WASHINGTON WikiLeaks on Tuesday released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even Internet-connected televisions.

If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A., which maintains its own hacking capabilities to be used for espionage.

Source: https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0

The C.I.A. headquarters in Langley, Va. If the WikiLeaks documents are authentic, the release would be a serious blow to the C.I.A. CreditJason Reed/Reuters

http://topics.nytimes.com/top/reference/timestopics/organizations/w/wikileaks/index.html?inline=nyt-orghttps://wikileaks.org/ciav7p1/http://topics.nytimes.com/top/reference/timestopics/organizations/c/central_intelligence_agency/index.html?inline=nyt-orghttps://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0

RANSOMWARE EXPLODINGRansomware is profitable PCs and MACs both attacked Encrypts data to deny access to data users Half of financially motivated malware is ransomware Average ransom: $300 2015, $1000 2016 70% of Enterprise victims paid 45% of Enterprise victims paid over $20K

Defense: App white listing or trust lists (top defense US-CERT) Use OpenDNS and similar tools Backups; however, cloud backups and storage are

also being attacked (airgap?)

Ransomware be applied to IOT? Home lockout? Car lockout? Pacemaker function? Source: Verizon, Symantec, Lancope, IBM Security, Intel/McAfee

SAN FRANCISCO TRANSPORTATION HIT WITH RANSOMWARE

14

City lets people ride for free until fare machines restored to service

RANSOMWARE OPERATORS ADOPT TYPICAL BUSINESS PRACTICES

15

Technical Support Time Limited Offers Try Before You Buy

APP CONTROL RECOMMENDED AS #1 MITIGATION STRATEGY

16

Run only known trusted apps

The Australian Government issued mandatory application whitelisting usage requirements to protect their high value systems

NEXT GENERATION WHITE LISTINGTRUSTED APP TECHNOLOGY

Run only trusted apps or scripts

Pull rather than push trust lists to ensure updates

Handles application updates automatically

Allow trust of applications, application families (e.g., Microsoft Office), or software publishers

Crowdsourcingallow individuals and organizations to publish their own trusted app lists

Allow organization to control which lists to use

17 Source: White Cloud Security

Experts you trust

Apps you trust

Software you trust

SOON EVERYTHING WILL BE CONNECTED

19 https://schrier.wordpress.com/2015/05/25/the-internet-of-first-responder-things-iofrt/

LENOVO IOT VIDEO

20

RISK FROM CONNECTED MEDICAL DEVICES

J&J insulin pump (Animus OneTouch Ping)

Unencrypted command traffic

Might receive unauthorized insulin injections

St. Jude pacemaker

MedSec found many vulnerabilities, including wireless master key

MuddyWaters shorted the stock

Bad PR

21

SMART TV SECURITY CONCERNS

Microphone may always be on (for voice commands)

Risk that attacker could turn on webcam

Activity on Smart TV is tracked and may be shared with social media

Like with smartphones, malicious apps could be downloaded

22

Smart TVs in the office: Consider not connecting to Internet; if you do, connect to a

Guest network Take care as to which features and apps are enabled Turn off or disable microphone and webcam If possible, lockout others from changing TV settings

CLOUDPETS

23

CLOUDPETS TEDDY BEAR HACKED

24

Hackers hold MILLIONS of voice recordings to ransom after creepy CloudPets teddy bears leak private data of parents and children Leak left private messages of families exposed online

for several days Leak also exposed 800,000 account email addresses

and passwords The company 'Spiral Toys' has chosen not to tell

affected families Hackers have now taken the database down and

demanded a ransom of $1190 in bitcoins from parents

By Harry Pettit For MailonlinePublished: 15:34 GMT, 28 February 2017

source: http://www.dailymail.co.uk/sciencetech/article-4267276/Toys-leak-2MILLION-voice-recordings-kids-online.html#ixzz4a4UEaNBp

The exposed database was easy for cyber-criminals to find using a search engine called Shodan, which is designed to find unprotected websites and databases

http://www.dailymail.co.uk/home/search.html?s=&authornamef=Harry+Pettit+For+Mailonlinehttp://www.dailymail.co.uk/sciencetech/article-4267276/Toys-leak-2MILLION-voice-recordings-kids-online.html#ixzz4a4UEaNBp

VULNERABLE SMART THERMOSTAT RISKS

. . .The HVAC system dormant hoursin other words when the climate control is off or in standbywould at the minimum be a security risk because it could give a potential robber times when the home may be empty.

An expensive problem that could be created through a thermostat hack is that malicious damage could be launched by raising temperatures too high or low. Winter-time damage could include freezing, burst water pipes.

Credit: Torbjrn Arvidso

CONNECTED CARS ARE AT RISK

27

As the researchers stated, the remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the drivers seat.

SOON OUR CARS WILL AUTOMATICALLY DRIVE MOST US

28

Uber launches self-driving cars in Pittsburg

THERE IS A DARK SIDE

29

INSECURE IOT DEVICES AND PRIVACY

30

All too often for other pieces of major industrial machinery, the controls are sitting there in plain sight or hidden behind the most rudimentary credentials. In 2012, simply attempting to log in as root or admin, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.

SHODAN.IO WEBCAM BROWSER

31

DEF CON: IOT VILLAGE

Total of 113 vulnerabilities found in two DEF CON events

50 different devices 39 brand name manufacturers

75% of tested smart locks easily compromised (attacker can open)

32Source: http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928

http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928

MORE LOCKUPS

To access on PC:1. click view > slide master2. click on the desired more

lockup and copy (CTRL+C)

3. exit out of the slide master view by clicking view >normal

4. navigate to desired slide and paste in more lockup (CTRL+V)

To access on Mac:1. click view > master >

slide master2. click on the desired more

lockup and copy (CMD+C)3. exit out of the slide master

view by clicking view >norm