
Sententia talks IoT hacking, surveillance & modem backdoors at ASIAL Conference

27 Jul 2017

At this week’s Security Exhibition and ASIAL conference, Sententia’s cybersecurity practice manager Tony Vizza hosted a session on how easy hacking physical security and IoT systems is, and how organisations can fight back.

Speaking further to SecurityBrief, Vizza says that Sententia is a managed service provider that flies under the radar, particularly as it works with system integrators to make sure they implement the right security solutions.

Sententia supports major partners including Check Point, Kaspersky, F5, Fortinet, and strategic partners such as AWS and Microsoft.

At his ASIAL session on security hacking, Vizza explained to the crowd that, “The internet is filth. It’s hackers and rats, infiltrating the internet. It’s our job to make it clean.”

He also gave a profile of the average hacker: 35, 80% affiliated with organised crime, it’s their choice of job and sometimes state-sponsored.

Vizza revealed that the average price of information on the dark web can vary dramatically - a credit card number is only worth fifty cents, but ransomware creation can be worth $1500. 

“The one that concerns me the most is DDoS. If you want to disable an organisation, it’s around $1000. If I’m a competitor who wants to sabotage your products, I can make your product fail.”

While DDoS attacks aren’t too common in Australia, hacking is still far too easy for attackers.

Check Point’s Philip Lowe hacked an iPad in front of the audience. Through phishing emails and social engineering, he was able to install a fake app on the device. He found out calendar, contacts and the location of the device. He was also able to record audio.

In terms of physical security, there have been cases where hackers attacked a contractor, which then gave them access to Target’s POS systems. The breach cost $162 million, just for the cleanup.

Even surveillance cameras have been put in the spotlight. One particular website lists security cameras whose IP addresses have been left public, meaning the cameras themselves are exposed on the internet.

Moving further into the internet security space, Vizza also touched on the fact that telcos leave backdoors in modems, and that all of those modems ship with the same usernames and passwords.

While Vizza says he understands why they do it, securing them should be a major priority. It’s not, though, primarily because of the money involved in such a task.

“If telcos secured them through proper authentication, then absolutely you might want to put backdoors in. But if they’re not putting any authentication in place or leaving it as default, then it’s their responsibility.”

But of course, telcos’ business decisions are only part of the puzzle. It’s up to the users to practice good cyber hygiene habits.

“User awareness is one of the worst areas of cybersecurity. There’s no other industry in which we shame the victim as much as we do in cybersecurity. People aren’t stupid; they’re just not professionals,” Vizza says.

“Social media engineering is going to be a big area. We volunteer information online all the time. We have no guides about what’s appropriate and what’s not appropriate,” he adds.

In the presentation, Vizza says that statistics from the US show that user awareness is only effective for around 28 days. Speaking in an interview with SecurityBrief, he explains that the short timeframe is primarily because life and other responsibilities take hold.

“You can’t just do the same course every 28 days because people will probably tune out. My argument is that you need to gamify it. You need to turn it into something fun or rewarding, then it can work.”

He comments on Australia’s upcoming data breach notification laws, and he says there will be a lot of focus on compliance and auditing.

The Privacy Commissioner will be more lenient towards organisations that have made efforts to apply security, but will come down heavy on those who think it’s not their problem.

Sententia's advice:

  • Have an information security strategy/plan
  • Secure networks and devices
  • Keep software and applications up to date
  • Secure your cloud environments
  • Have a disaster recovery plan and data backups
  • Implement a data loss prevention strategy
  • Educate staff, suppliers and customers
  • Undertake cybersecurity assessments and reviews
  • Purchase a cyber breach insurance policy
  • Consider a cybersecurity managed service partner.

Catch the final day of the Security Exhibition tomorrow July 28 at ICC Sydney.
