The problem wasn’t specific to Axis, which seems to have reacted far more quickly than competitors to quash the bug. Rather, the vulnerability resides in open-source, third-party computer code that has been used in countless products and technologies (including a great many security cameras), meaning it may be some time before most vulnerable vendors ship out a fix — and even longer before users install it.
Still, there are almost certainly dozens of other companies that use the vulnerable gSOAP code library and haven’t (or won’t) issue updates to fix this flaw, says Stephen Ridley, chief technology officer and founder of Senrio — the security company that discovered and reported the bug. What’s more, because the vulnerable code is embedded within device firmware (the built-in software that powers hardware), there is no easy way for end users to tell if the firmware is affected without word one way or the other from the device maker.
Read the full article
Dug Song, the venerable CEO of DuoSecurity, wrote a poignant blog post honoring Black History Month. If you are unfamiliar with DuoSecurity, it is an information security startup rocketship providing two-factor authentication and unprecedented security tools to enterprises worldwide. It was quite nice to have our CTO listed alongside some incredible security icons. Thanks for including us. You can read that blog post here:
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
How insecure are products like broadband routers and smart surveillance cameras? The Security Ledger sat down with three experts from the firm SENRIO to discuss the matter: Stephen A. Ridley, the Founder and Chief Technology Officer; Jamison Utter, Senrio’s Vice President of Field Operations and Margaret Carlton-Foss, the company’s Vice President of Research.
Today, security is little more than a cost center for companies developing new, connected products. Building in security features, like a hardware security module or more robust application security and identity management features, adds to the complexity of the development process and the time needed to complete a product. On the other side of the ledger, however, there is little to compel smart device makers to expend that time and effort.
“(The FTC) is changing the cost benefit ratio of having security in products,” said Ridley. “Up to now, there has been no reason to have any security, so the stuff you’ve seen was more altruistic in nature.” The FTC’s suit against D-Link will give vendors pause, he said. “They have to ask: do we spend x on security now if we can avoid paying x-squared in the cost of litigation and class action suits,” Ridley said.
Listen to the Podcast here.
New Year's Resolutions for IT Security Executives and the Cybersecurity Threats Facing Businesses in 2017
What is one resolution every IT security executive should make for the coming year?
“DATA, DATA, DATA. Effective Information Security departments these days are less about cool tech for IR, detection, policy, and orchestration. We have a wealth of those for traditional endpoints/networks. What we now see in Information Security (like the rest of technology) is that we need to be better about storing and utilizing data (and in an actionable time-frame). The largest transportation networks own no cars. The largest search engines and social media sites generate no content. It's all about data management. Security is now no different. Solutions that don't speak to how data is stored, searched, parsed, and effectively plugged into your existing architecture need to be ignored. Security products need to provide operational value now. We've evolved past the ‘how’ and now need to focus on the ‘why.’ Security solutions have the burden of bringing more to the enterprise than just security.”
What’s the biggest cybersecurity threat facing companies in 2017?
“VISIBILITY, VISIBILITY, VISIBILITY. Networks have grown more diverse and now include more than just servers and endpoints that an agent can be installed into for policy, management, and enforcement. Gartner predicts that by 2020, over 15% of all network intrusions will leverage embedded devices. These devices are (from a CISO's perspective) impossible to ‘get into.’ So how do you make sure these devices aren't compromising your network security posture? Look for solutions that speak to this. This burgeoning blind-spot is symptomatic of the current ‘visibility’ problem. How can you cheaply and efficiently get visibility into the behavior of assets on your network without incurring the cost of archiving terabytes worth of pcaps? Visibility is king. And at the heart of the visibility problem is the DATA problem. The deluge of alerts. The overloaded SIEM. The ‘analysis paralysis’ of your Operations/Security team. Look for clever solutions to the data/visibility problem that are tractable and accessible.”
"It's not a very political issue," said Jamison Utter, VP at Portland, Ore.-based Senrio, an IoT cybersecurity firm. "I believe that the issue is pretty strong and apparent, and doesn't have much to do with party or politics. This is a societal problem, not a Democrat or Republican or whatever issue."
“If we consider the disruptive changes that IoT, and globalization of commerce have made on our economy (and culture) maybe we can stop looking for workforce in all the same places. What I am saying here is that we want 8-to-5, in-the-office workforces. That’s not where people are, or want to be. Cyber security is not a suit-and-tie, 8-to-5 job. Let’s flex to a globalized workforce (mobile, on the go) and non-traditional forces; stop looking for your classic computer science grad (they don't make the best analysts, criminals don’t do things by the book). But let’s instead look to displaced soldiers (that might think about security differently) or former security workers, even former criminals. The influx of different thinking might help the perspective of the entire industry.”
Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following a series of massive distributed denial-of-service attacks that leveraged IoT devices using default security settings. Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released recommendations for how to approach security for the internet of things (IoT). Experts said the IoT security guidance from DHS focuses on the basics, while NIST offers more of a how-to for businesses.
[...] Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high-impact, but very achievable."
"For example, in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."
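What "secure by default" looks like at the device login path, as an added example (not Senrio's code, and not code from either guidance document): each unit is provisioned with a random per-device password instead of a shared factory default, the first login is forced through a password change, and the new password is rejected if it appears in a known default-credential list. The `KNOWN_DEFAULTS` table below is a constructed subset of the username/password pairs shipped in the publicly released Mirai source; the function and record names are assumptions made for this illustration. The `dictionary_attack` helper plays the Mirai side so the reader can see the default-credential sweep fail against a provisioned device.

```python
"""Secure-by-default credential handling for an embedded device login.

Added illustration, not vendor code. Assumptions:
- KNOWN_DEFAULTS is a constructed subset of the Mirai credential table.
- The device stores only a salted PBKDF2 hash, never the plaintext.
"""
import hashlib
import hmac
import os
import secrets

# Constructed subset of the Mirai bot's hard-coded credential list.
KNOWN_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("admin", "1234"),
    ("root", "root"), ("admin", "password"), ("support", "support"),
}
PBKDF2_ROUNDS = 100_000
MIN_LENGTH = 10


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_weak(username: str, password: str) -> bool:
    """Reject anything on the default list or shorter than MIN_LENGTH."""
    return (username, password) in KNOWN_DEFAULTS or len(password) < MIN_LENGTH


def provision(username: str = "admin"):
    """First-boot provisioning: a random per-unit password (printed on the
    label or shown once), with a forced change on first login.
    Returns (credential record, one-time password)."""
    one_time = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    record = {"user": username, "salt": salt,
              "hash": _hash(one_time, salt), "must_change": True}
    return record, one_time


def login(record, username: str, password: str) -> str:
    """'denied', 'change_required' (valid but still the provisioning
    password), or 'ok'."""
    if username != record["user"]:
        return "denied"
    if not hmac.compare_digest(record["hash"], _hash(password, record["salt"])):
        return "denied"
    if record["must_change"]:
        return "change_required"
    return "ok"


def set_password(record, new_password: str) -> bool:
    """Accept a new password only if it is not a known default and is long
    enough; clears the must_change flag on success."""
    if is_weak(record["user"], new_password):
        return False
    record["salt"] = os.urandom(16)
    record["hash"] = _hash(new_password, record["salt"])
    record["must_change"] = False
    return True


def dictionary_attack(record):
    """Mirai-style sweep of the default list; returns the first pair that
    logs in, or None if the device resists the whole list."""
    for user, pw in sorted(KNOWN_DEFAULTS):
        if login(record, user, pw) != "denied":
            return (user, pw)
    return None


if __name__ == "__main__":
    rec, first_pw = provision()
    print("first login:", login(rec, "admin", first_pw))      # change_required
    print("set 'admin':", set_password(rec, "admin"))        # False
    print("set strong: ", set_password(rec, "n3w-Str0ng-pass"))  # True
    print("sweep hit:  ", dictionary_attack(rec))            # None
```

The same shape applies to a device that ships with a fixed factory default: treat the factory credential exactly like the provisioning password here (usable once, only to set a real one), and the Mirai sweep hits nothing even before the owner ever logs in.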
This video was published in IoT-Inc. See detailed show notes and additional useful information here.
Jamison Utter, VP of Senrio, told SCMagazine.com that the proof-of-concept is “an interesting stopgap solution to the recent distributed denial of service (DDoS) attacks.” He said an anti-virus firm could use the approach “in an opt-in manner, rather than as a worm.”
IoT device security specialist Stephen Ridley will join us in this week's feature slot to discuss that.
The problems with the XiongMai devices underscore a general lack of security in the supply chain for devices that are currently being sold globally, said Jamison Utter of the firm Senrio. “Manufacturers really have no guidance on what is good or bad or what they should be doing. It might seem obvious to us that you don’t build devices with unchangeable default administrator account names and passwords, but from their standpoint, there’s no checklist or guidance on what industry best practices are.”
The security industry has not done a great job at protecting our computers and servers. And now we are connecting billions of devices with no or minimal security. IoT poses a real threat to physical safety, cybersecurity, financial and privacy risk. The risk is systemic and at a much bigger scale than we have seen in traditional IT. IoT security requires a scalable and procedural approach - to replace the fragmented and ad hoc practices we currently have in place.
Cisco issued an advisory for a flaw that the company has linked to exploits released by the Shadow Brokers group a month ago. The vulnerability (CVE-2016-6415), which has not yet been patched by the firewall manufacturer, affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could be exploited by unauthenticated, remote attackers to execute arbitrary code. The vulnerability affects Internet Key Exchange (IKEv1) packet processing.
Senrio CTO and founder Stephen Ridley told SCMagazine.com that researchers are more able to discover “the hallmark of a specific attack” following the release of code containing exploits affecting Cisco products. Companies have likely been observing the behavior of their network traffic, he said. He told SCMagazine.com that he suspects new vulnerabilities “could have been discovered” through an examination of network traffic in the wild. The "1-day" tactic used to be primarily an offensive tool, he said, referring to the process of reverse engineering a vulnerability from a manufacturer's patch. "1-days" are highly valuable, Ridley noted, especially concerning networking equipment and embedded devices due to difficulties applying patches to embedded systems.
Code leaked on Github by the Shadow Brokers group this past weekend has unnerved security researchers, as some evidence emerges possibly linking the exploits to the National Security Agency (NSA). [...] One security professional told SCMagazine.com that the speed at which the discussion involving attribution of the exploits and the leaked code is “astonishing". The security industry “agreed that attribution is difficult, and then at one point, we forgot,” Senrio CEO Stephen Ridley told SCMagazine.com. He said the latest evidence is “definitely pretty strong attribution evidence,” but noted that the chronology is not “bullet-proof.”