
Woefully Unprepared, but Full Steam Ahead!

Posted by on August 15, 2015.

I have called for a professionalizing of the Information Security field. And please know that professionalizing does not equate to governmental control, but possibly oversight. One major reason I believe this is needed is simply that Information Security has failed to become inculcated into the business proper. It is usually a subcomponent of IT and thought of as a technology only issue.

Years ago, if a business did not engage Information Security it was simply harming itself. With the Internet of Things (IoT) this no longer holds true. When businesses do not embrace Information Security, the ramifications are far-reaching. Take two recent examples:

Researcher hacks house arrest tracking system

This year at DEF CON, security researcher William “Amm0nRa” Turner demonstrated his successful hacking of a tracking bracelet. First, he got the unit by social engineering it out of the manufacturer. Next, he wrapped it in tin foil so it could not connect to the regular telecom signal but could still connect to his local network. From there he obtained the warning message that goes out when the bracelet is tampered with. After that he took the SIM card out of the unit, put it in a phone, and called another phone to learn the phone number associated with the SIM. With that, he used an online SMS spoofing service to send fake SMS messages reporting that the bracelet was both secure and at home.

Then we have this story:

Corvette Brakes Hacked Using Text Messages

Researchers from the University of California at San Diego found a way to break into a dongle plugged into a vehicle’s onboard diagnostics port. These are the devices used in things like Progressive’s Snapshot program, or for monitoring a corporate fleet. They plug into the OBD-II port. And just like the tracking bracelet, they use cellular networks, so anyone can send them a text message. Using specially crafted text messages, the researchers were able to turn the windshield wipers on and off, apply the brakes, and, more ominously, disable the brakes entirely. They noted the following:

The security problem here is threefold:

  1. Many dongles aren’t especially secure, and it appears that’s because manufacturers don’t fully understand how they can be exploited in attacks.
  2. Many dongles allow hackers to flip them into “developer mode” increasing the amount of havoc they can wreak.
  3. Many, many dongles are connected to cellular networks, meaning that anyone with a cell phone can reach them, from anywhere around the world.

Please note item one above which goes to the heart of my concern. These two stories are hardly unique, rare or shocking today. What they are is proof that Information Security is still an afterthought, if it is a thought at all in the business world.
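Both stories turn on the same design flaw: a cellular device that acts on a text message because of who it appears to come from, even though the sender ID of an SMS is not authenticated and can be forged by a spoofing service. The following is an added illustration, not code from the original post or from either device’s manufacturer; the device classes, message format and per-device key are hypothetical. It models a device that trusts the sender number beside one that only acts on commands carrying a keyed MAC and a monotonically increasing counter, and shows that the spoofed message the first device accepts is rejected by the second.

```python
"""Added example (not part of the original post): why trusting the sender ID
of an SMS is spoofable, and what an authenticated command channel looks like.
Device models, the shared key and the message format are hypothetical."""
import hashlib
import hmac

# Hypothetical per-device key provisioned at manufacture time (constructed value).
DEVICE_KEY = b"example-per-device-key-not-a-real-secret"
MONITORING_CENTRE = "+15550001"  # constructed phone number


class SenderTrustDevice:
    """Device that accepts any SMS whose sender ID equals the monitoring
    centre's number. The sender ID is an unauthenticated field, so an SMS
    spoofing service can set it to anything."""

    def __init__(self, trusted_number):
        self.trusted_number = trusted_number

    def accept(self, sender, body):
        return sender == self.trusted_number


class AuthenticatedDevice:
    """Device that ignores the sender ID and only acts on a command carrying
    an HMAC-SHA256 tag over a counter and the command text, computed with the
    per-device key. The counter rejects replays of a previously valid message."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, sender, body):
        try:
            counter_str, command, tag = body.split("|")
            counter = int(counter_str)
        except ValueError:
            return False  # malformed message
        expected = hmac.new(self.key, f"{counter}|{command}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # tag does not verify: forged or tampered
        if counter <= self.last_counter:
            return False  # replay of an old message
        self.last_counter = counter
        return True


def build_command(key, counter, command):
    """Build a message the way a legitimate monitoring centre would."""
    tag = hmac.new(key, f"{counter}|{command}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{counter}|{command}|{tag}"


def demo():
    """Run the spoofed, genuine and replayed messages against both models."""
    naive = SenderTrustDevice(MONITORING_CENTRE)
    strict = AuthenticatedDevice(DEVICE_KEY)

    # Spoofed SMS: forged sender ID, attacker-chosen body, no valid tag.
    spoofed_body = "1|STATUS OK|0000000000000000000000000000000000000000000000000000000000000000"
    genuine_body = build_command(DEVICE_KEY, 1, "STATUS OK")

    return {
        "naive_accepts_spoofed": naive.accept(MONITORING_CENTRE, spoofed_body),
        "strict_rejects_spoofed": not strict.accept(MONITORING_CENTRE, spoofed_body),
        "strict_accepts_genuine": strict.accept("+15559999", genuine_body),
        "strict_rejects_replay": not strict.accept("+15559999", genuine_body),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the example is item three of the list above: once a device is reachable by anyone with a phone, the sender number cannot be the thing that authorizes a command. A keyed tag bound to a counter is one minimal replacement; a real deployment would also need key provisioning, key rotation and a way to recover from counter desynchronization, none of which the sender-trust design even has a place for.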

Yet every day, more and more technology is cobbled together like adult tinker toys to serve an immediate need, long-term implications be damned. We continue to build on an insecure framework, with insecure protocols, while we continue to expand the depth and breadth of that technology’s reach. In perfect tune with that muddle, we absolve business educators and business leaders from engagement. The day is coming soon when this lack of engagement and self-discipline will give way to a major event. The postscript of that event will be full-on government control.


Submitted in: Expert Views, Martin Zinaich