The security industry has not done a great job at protecting our computers and servers. And now we are connecting billions of devices with no or minimal security. IoT poses real risks to physical safety, cybersecurity, finances and privacy. The risk is systemic and at a much bigger scale than we have seen in traditional IT. IoT security requires a scalable and procedural approach to replace the fragmented and ad hoc practices we currently have in place.
Cisco issued an advisory for a flaw that the company has linked to exploits released by the Shadow Brokers group a month ago. The vulnerability (CVE-2016-6415), which has not yet been patched by the firewall manufacturer, affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could be exploited by unauthenticated, remote attackers to execute arbitrary code. The vulnerability affects Internet Key Exchange (IKEv1) packet processing.
Senrio CTO and founder Stephen Ridley told SCMagazine.com that researchers are more able to discover “the hallmark of a specific attack” following the release of code containing exploits affecting Cisco products. Companies have likely been observing the behavior of their network traffic, he said. He told SCMagazine.com that he suspects new vulnerabilities “could have been discovered” through an examination of network traffic in the wild. The "1-day" tactic used to be primarily an offensive tool, he said, referring to the process of reverse engineering a vulnerability from a manufacturer's patch. "1-days" are highly valuable, Ridley noted, especially concerning networking equipment and embedded devices due to difficulties applying patches to embedded systems.
Code leaked on Github by the Shadow Brokers group this past weekend has unnerved security researchers, as some evidence emerges possibly linking the exploits to the National Security Agency (NSA). [...] One security professional told SCMagazine.com that the speed at which the discussion involving attribution of the exploits and the leaked code is “astonishing.” The security industry “agreed that attribution is difficult, and then at one point, we forgot,” Senrio CEO Stephen Ridley told SCMagazine.com. He said the latest evidence is “definitely pretty strong attribution evidence,” but noted that the chronology is not “bullet-proof.”
Not long ago, we sat down with Portland startup founder Stephen Ridley, the founder of Senrio. Senrio is an entirely new approach to data security, a Software as a Service product that easily scales to protect all kinds of companies, from small businesses to major medical, critical infrastructure, and financial institutions.
For this edition of the Making Oregon podcast we bring you one interview divided into two episodes.
In the first half, we ask Stephen to tell us about his path from teenage hacker to working for the Department of Defense, Wall Street banks and social media companies. He’ll tell us how his love of research eventually led him to become an entrepreneur—two pursuits that require very different skill sets. He’ll describe Senrio, how it works, and what makes it different from other security applications. We’ll learn how it addresses the vulnerabilities found in embedded systems. And yes, we’ll explain how ubiquitous embedded systems are—and here’s a hint—they exist in your cell phone.
In our second episode, we backtrack for a couple minutes and make sure everyone is on the same page with understanding how Senrio works. Then we dive into a discussion about best practices for protecting data, especially if you are a small business. Stephen will also talk about the vulnerabilities he and his developers find in consumer electronics and how Senrio can play a role in providing solutions. Plus, we’ll get his take on data privacy, metadata and what social media giants like Facebook are doing with the information users supply, whether they know it or not. Finally, we’ll ask whether data privacy really exists in today’s world and how Stephen balances his awareness of security issues with his own personal practices in daily life.
The webcam baby monitor, the computer chips in an elevator panel, the circuitry inside medical devices: Portland startup Senrio sees these as the next frontier in online security.
It takes only a single line of code to hijack over 400,000 vulnerable D-Link devices. The stack overflow issue gives attackers the opportunity to overwrite administrator passwords in home Wi-Fi cameras, placing users at risk of being spied upon. The remote execution flaw not only allows an attacker to set their own custom password to access devices but also add new users with admin access to the interface, download malicious firmware or reconfigure products how they please.
Shodan has turned up half a million D-Link devices exposed to the internet, and subject to easy hijacking using zero-day vulnerabilities. The stack overflow vulnerabilities affect more than 120 D-Link products, from Wi-Fi cameras to routers and modems, and allow remote attackers to completely hijack the administrator account of the devices to install backdoors and intercept traffic.
“The market needs a comprehensive answer to the IoT dilemma: A dramatic increase of deployed devices, high susceptibility to attacks due to inherent vulnerabilities and high value of the accessible assets. Today, there are few solutions to this challenge. However, Senrio offers a much-needed new approach,” said Christina Richmond, Program Director, Security Services, IDC.
“We typically associate the term ‘Internet of Things’ with the consumer world, smart toasters and WiFi fridges; however, a large part of our life depends on networked embedded devices that have been around for decades. Think of smart meters, medical devices, and connected industrial controllers used for elevators, traffic lights, and factories. Adoption is driven by business rationale but the security exposure is often overlooked. Based on my experience, there is not a single IoT device that cannot be compromised or misused by a determined attacker,” said Stephen Ridley, CEO of Senrio.