Godzilla Foreshadows Trouble for Internet of Things

The Internet of Things has come under attack by pranksters in recent days. The events could signal tumultuous things to come as more and more everyday objects connect to the Internet.

The U.S. Department of Homeland Security has advised the customers of digital sign maker Daktronics to “take defensive measures” following a series of cyberpranks on the company’s traffic signs.

The DHS action was prompted by the hack of a digital traffic sign in San Francisco that warned motorists of a “Godzilla Attack.” Meanwhile, a number of traffic signs across North Carolina started displaying “Hack By Sun Hacker.”

The DHS’ Industrial Control Systems Cyber Emergency Response Team cautioned cities and others using the signs to update access credentials and harden communications paths to the signs.

Lax Security

Traffic sign pranks may seem to be a minor annoyance, but it’s very likely they’re just the beginning of woes to come as the Internet of Things grows.

There will be 25 billion connected devices in the world by the end of next year, according to Cisco, and by 2020, that number will double to 50 billion.

Security for the Internet of Things will require a different mindset regarding default settings and the ability to deliver patches or manage configuration changes, observed Cisco TRAC manager Seth Hanford.

“When we are dealing with numerous devices like road signs, you can see from the ICS CERT advice some very simple things which will not scale securely in a future of myriad embedded devices,” he told TechNewsWorld.

Security surrounding IoT devices currently is weak. A simple scan of the Internet by a savvy hacker easily can identify many devices. Once discovered, the devices use default credentials on default management consoles. Under such conditions, those trying to secure the devices will quickly be overwhelmed.

“Instead of deploying systems with simplistic and well-known weaknesses like this,” Hanford said, “as experts informing the industries which will be producing the IoT devices of the future, security professionals need to be providing tools and architectures which allow ease of management in secure ways to industries whose expertise will not be with the computers on their embedded devices.”

Every Home a Hotspot

Would you like your home to be a public WiFi hotspot? If you’re a Comcast subscriber, you may not have much choice in the matter.

The cable provider last week turned 50,000 homes in Houston, Texas, into public hotspots through its Xfinity modems. Houston is just the beachhead for Comcast’s grand design to piggyback a public WiFi network on the Xfinity hardware in the homes of its customers.

Although Xfinity WiFi is supposed to be isolated from a homeowner’s WiFi, the users of Xfinity’s public network remain exposed to each other. Those users could be exploited by a hacker just as they could be if they were on any public network — from Starbucks to a hotel or an airport.

“Sharing home routers with strangers opens an attack surface to cybercriminals,” Craig Young, a router security expert with Tripwire, told TechNewsWorld.

“Even the best-secured devices can be penetrated, and home routers are typically not that well secured. If Comcast has included a backdoor for maintenance, it will eventually be exposed,” he said.

“Encouraging consumers to trust unencrypted public WiFi leaves them susceptible to an attacker replacing file downloads or embedding malware into Web page responses — both attacks that can be used for a variety of malicious purposes,” added Young. “The security industry has been advocating against the use of open WiFi for years.”

Outside Advice for Inside Job

Yet another point-of-sale system was breached last week. This time, the system belonged to restaurant chain P.F. Chang’s. The company still is investigating the breach, so it doesn’t know yet how many payment card numbers may have been stolen.

Chang’s knows about the problem only because the U.S. Secret Service informed it of the violation of its systems. That’s all too often the case in these kinds of incidents. A company goes along on its merry way until a third party tells it something is wrong.”P.F. Chang’s is yet another reminder that breaches are happening more and more from inside companies,” Eric Chiu, president and founder of HyTrust, told TechNewsWorld.

“Once an attacker is on your network, they have plenty of time to go after customer data, intellectual property or government secrets without being detected,” he said.

“That’s why companies are being told they have been breached versus detecting it themselves,” Chiu explained.

“Organizations need to shift to an inside-out model of security and assume the attacker is already on the network,” he added. “Critical systems and data need to be secured from the inside through access controls, role-based monitoring and data encryption.”

Breach Diary

  • June 9. CrowdStrike reports dozens of cyberattacks have been launched against public and private organizations by a Shanghai group of hackers called “Putter Panda” because they often target golf conference attendees.
  • June 9. Risk Based Security reports 176 million records were exposed in the calendar quarter ending in April, a 46 percent increase over the same period in 2013.
  • June 9. McAfee reports dozens of cybercrime groups have reached a level of technological sophistication on a par with some government agencies around the world. It also estimates that cybercrime costs the world economy US$400 billion a year.
  • June 9. Deutsche Telecom announces it will release a report revealing all the requests it receives to access its networks from governments outside Germany. Vodaphone released a similar report earlier this month.
  • June 9. Access Health CT exchange in Connecticut suspends employee for removing records of some 400 plan enrollees from the exchange without authorization.
  • June 10. Evernote and Feedly report that they are under Distributed Denial of Service attacks. The attack was launched by criminals demanding money to make the disruption stop, according to Feedly.
  • June 10. College of the Desert in Nevada confirms personal data for about 1,900 current and retired employees is at risk after an employee sent to other employees an unauthorized email that contained the information.
  • June 11. PC World reports that two weeks after TrueCrypt was discontinued by its creators, it remains the only way to secure imported and exported data at Amazon Web Services.
  • June 12. P.F. Chang’s restaurant chain confirms payment card information stolen from some of its eateries. Breach under investigation; size undetermined.
  • June 12. AT&T Mobility reports that personal information of an unknown number of customers, including Social Security numbers and call records, was accessed illegally. An employee of one of the company’s service providers violated AT&T’s privacy and security guidelines to access accounts without authorization, AT&T said.
  • June 12. Health information records of some 33,000 x-ray patients are at risk following the theft of a thumb drive from the offices of an affiliate of Santa Rosa Memorial Hospital in California.

Upcoming Security Events

  • June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, US$495; June 18, $595.
  • June 18. Was Heartleed Really That Critical? 7 a.m. ET. Webinar sponsored by Secuna. Free with registration.
  • June 19. Appsec: Overview, Deep Dive, and Trends. 2 p.m. ET. Blackhat webinar. Free with registration.
  • June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
  • June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: after May 14, $1,249-$5,095.
  • June 23-27. Hack in Paris. Disneyland Convention Center, Paris, France. Training sessions: 1200-1800 euros; conference: 75-285 euros; HIP14 training and conference: 100 euros.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • July 12. B-Sides Detroit. COBO Center, 1 Washington Blvd., Detroit. Free.
  • July 19. B-Sides Cleveland. B side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug.5-6. B-Sides Las Vegas. Tuscany Suites and Casino, Las Vegas. Free.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels