Tag: hackers

Rigging the Internet of Things

The Internet of Things offers many new opportunities for hackers

Hackers are infiltrating public companies to gain an edge on Wall Street warns a story on financial website Finextra.

This is not news, companies’ networks have been the target of insider traders since the early days of corporate computing. What is different today though are the nature of the risks as Chinese and even North Korean hackers are probing networks containing vast amounts of information to find weaknesses and confidential information.

For insider traders, it may be the internet of things turns out to be a boon. By hijacking delivery or supply data, traders may have an advantage over the market.

Things could get very nasty if those hackers subtly alter the data, say over reporting production yields, so a company gives the wrong income guidance based on faulty information.

Security is one of the big issues facing the internet of things sector and the consequences of poorly protected sensors or systems could be immense when governments, businesses and communities come to rely on a stream of data they can trust.

The bad guys are only just starting to explore the possibilities of the connected world.

Similar posts:

  • No Related Posts

The online security pains of a growing business

Stratfor’s humiliating computer hack is a lesson for all businesses about IT security

Possibly the most embarrassing of the outbreak of computer hacks in late 2011 was the breaching of prominent geopolitical analysts Strategic Consulting, also known as Stratfor.

The Daily Dot dissects what went wrong for Stratfor based on a leaked report from Verizon Business who carried out a “forensic investigation” of the hack which the company claims cost them $3.8 million in damages.

While the monetary damages were substantial for a relatively small company, Stratfor’s reputation was probably the greatest casualty as customers’ credit card details were exposed and the firm’s confidential files were distributed by Wikileaks.

The tragic thing is that none of this would have happened had Stratfor followed basic IT security practices, something that every business should be following.

Don’t store credit card details

Probably Stratfor’s biggest mistake was storing customers’ credit card details – there is no reason for saving your clients’ payment details. Ever.

If you’re accepting credit cards, organise a payment service to handle that work for you as they know what they are doing and take most of the management hassles, security and fraud risks.

In most cases, these companies’ fees are no more than manual processing fees that Stratfor and most businesses manually processing payments get hit with anyway.

Password policies

Another basic mistake was that passwords were shared and kept simple; there is no excuse for giving staff the same password to access confidential or critical files and systems.

Similarly, there wasn’t a ‘need to know’ policy; that is, that an analyst has no reason to have access to HR files and the receptionist no need to be looking at sales figures. Sensitive data should only be accessible to those who need it for their day-to-day work.

Remarkably, Stratfor didn’t have any properly configured firewalls and on many computers didn’t have up to data anti-virus protection. All of this made it easy for hackers to get into the network and access confidential information.

The online pains of growing a business

In some respects it’s possible to feel sorry for Stratfor’s management, the report is a classic example of a business that outgrew the IT structure for a one or two person operation founded by men who didn’t understand the risks of the internet.

Today there’s no excuse not to have systems locked down or to lack a company culture that recognises data security as being essential in the modern business world.

Stratfor’s hack was a spectacular example of what could go wrong, but it’s a warning for all businesses about the importance of security in a connected world.

Similar posts:

  • No Related Posts

Our hackable lives – why IT security matters.

Now our cars, homes and security systems are hackable we have to start taking IT security seriously.

Two stories this week illustrate the security risks of having a connected lifestyle. Forbes magazine tells in separate pieces how modern car systems can be overriden and how smarthomes can be hacked.

Smarthome system security is a particular interest of mine, for a while I was involved in a home automation business but I found the industry’s cavalier attitude towards keeping clients’ systems secure was unacceptable.

The real concern with all of these stories is how designers and suppliers aren’t taking security seriously. In trading customer safety for convenience, they create serious safety risks for those using these system. It’s as if nothing has been learned from the Stuxnet worm.

A decade ago, a joke went around about what if General Motors made cars like Microsoft designed Windows. Like all good stories, it had a lot of truth to it. Basically, the software industry doesn’t do security particularly well; there are developers and vendors who treat security as a basic foundation for their work, but they are the exception rather than the rule.

That may well be a generational thing as today’s young developers and future managers are more aware of the risks of substandard security in the age of the internet.

Rather than seeing security as something that is bolted on to a product when problems arise, this generation of coders are having to treat security as one of the fundamental foundations of a new system.

What is clear though is that the builders of critical systems are going to have take security far more seriously as embedded computers connected to the internet of machines become commonplace in our lives.

Similar posts:

Avoiding industrial nightmares

How we can harden our computer networks from hacking attacks

The Iranian nuclear program is crippled by a virus that infects their control systems while a hacker claims a Texas waterworks can be accessed with a three word password.

Any technology can be vulnerable to the bad guys – obscure systems like office CCTV networks and home automation services can be as vulnerable as the big, high profile infrastructure targets.

While there’s good reasons to connect our systems to the web, we need to ensure our networks are secure and there’s a range of things we can do to protect ourselves.

Does this need to be connected?

Not everything needs a Internet or network connection, if there’s no reason for a device or network to be connected then simply don’t plug it in.

Keep in mind though that threats don’t just come through the web, both the Iranian malware attack and the Wikileaks data breach weren’t due to hackers or Internet attacks.

Get a firewall

No server or industrial system should be connected directly to the public Internet, an additional layer of security will protect systems from unwanted visitors.

All Internet traffic should go through a firewall that is configured to only allow certain traffic through, if the router or firewall can be configured to support a Virtual Private Network (VPN), then that’s an added layer of security.

Disable unnecessary features

The less things you have running, the fewer opportunities there are for clever or determined hackers to find weaknesses.

Shut down unnecessary services running on systems – Windows servers are notorious for running superfluous features – and close Internet ports that aren’t required for normal running of your network.

Patch your systems

Computer systems are constantly being updated as new security problems and flaws are found.

Unpatched computers are a gift to malicious hackers and all systems should be current with the latest security and feature updates.

This is a lesson the Iranians learned with the Stuxnet worm that was almost certainly introduced through an unpatched system – probably one running an early version of Windows XP or even 98 – which was vulnerable to known security problems.

Have strong passwords

Passwords are a key part of a security policy, they have to be strong and robust while being different to those you use for social media and cloud computing services.

It’s also important not to share passwords and restrict key log in details and administrator privileges to those who require them for their work.

With online services like social media, cloud computing and other web tools becoming a part of business and home life, we have to take the security of our systems seriously. Hardening them against threats is a good place to start.

Similar posts: