Why Are Companies Failing to Create Better Security for Your Cellphone and Thousands of Other Devices?

 

In today’s hacker-infested world, one would think cell phone, tablet, computer and laptop security would be top of the list for all manufacturers. Along with the desire to make all these devices unhackable.

First, this would help clients feel safe. Second it would sell more products. Third, companies would likely be capable of selling these products at even higher prices.

The answer to why they don’t do this will shock you.

In their desire to make devices easy to use – and therefore sell more – manufacturers use protocols which make it easy for hackers to exploit say WatchGuard Technologies CTO Corey Nachreiner and Security Threat Analyst Marc Laliberte. The two are coauthors of the 4thquarter 2016 Internet Security Report from WatchGuard. This illuminating report covers quantifiable data and trends about hackers’ latest attacks and understanding how and why these trends can help improve our defenses, says the company.

“Attackers can gain access to these vulnerable interfaces, then upload and execute the malicious code of their choice”, says Paul Fletcher, cyber-security evangelist at Alert Logic. Not to mention manufacturers frequently have poor default settings for their devices, says Fletcher. Worse, says Fletcher, admin passwords are often left blank or have an easily breakable one like ‘password123’. Making those products eminently hackable.

By the end of 2016:

73% of web attacks, says Nachreiner and Laliberte’s report, were instigated against individuals (clients) – attacking their browsers and supporting software. The pair doesn’t believe what they call “drive-by download-style attacks” will go away.  And since January 2017  hackers have redirected their attacks toward web servers. Which, because an attack such as this affects far more people, it can provide them more opportunities for fraudulent activities.

Nowadays, says Laliberte, cyber-criminals use many subtle tricks to ‘re-pack’ their malware so it’s able to pass through signature-based detection. In short, to slide through barriers set up by companies such as Microsoft.

But that’s not all. The cyber-criminal’s new playground is security cameras.

Unfortunately, security experts and security IT pros have recently discovered remote security cameras – posted by companies in public areas such as banks, airports, and even homes to deter break-ins –  have now been breached by these criminals.

In July 2017, security company Senrio discovered a flaw in a security camera developed by Axis Communications; one of the world’s largest manufacturers of these devices. Which allowed cyber-criminals to commandeer the cameras for their own use.

This particular camera  – Model 3004 – was used to monitor L.A. International Airport. Upon review, Senrio discovered the problem lay deep within the communication layer of gSOAP; an ‘open-source toolkit’ used by a wide variety of device makers, says Senrio.  And which was uploaded into these cameras by hackers.

What is open-source software and how can it affect you?

This is software with source code anyone can inspect, modify and enhance. “Source code” is the part of software most computer users don’t ever see; it’s the code computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Open source software can be re-written and re-designed by hackers to meet their needs. And in the process develop even more creative ways to defraud you.

In short, open source software can be re-designed by anyone and is freely available for download and distribution.

 For example, if you’re a blogger, and use WordPress, you know – or should know – this is open-source. Anyone can dabble in it, monkey with it and make changes. This is the main reason why so many Word Press blogs are hacked; and hacked so frequently. Even large, popular blogs have been hacked.


Regarding the gSOAP issue and the Axis cameras:

Many top companies like IBM, Microsoft and Adobe use gSOAP for a variety of things.  It saves companies money since it’s free, already developed and easy to use. Ryan Spanier, director of research at Kudelski Security says because gSOAP is part of a ‘free library’, used by a variety of top companies, the vulnerability exists in a wide variety of devices. “Companies”, says Spanier, “regularly integrate hardware and software, which they did not create, into their devices”. In short, hackers tapped into an insecure ‘backdoor’ present in a chip used by multiple camera manufacturers”. 

Furthermore, the ‘Mirai Botnet’,  https://en.wikipedia.org/wiki/Mirai
which swept through the Internet in the summer of 2016, was one of the largest incidents ever recorded. Mirai turns networked devices (including security cameras), running Linux, into remotely controlled “bots” which can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras (in order to run, new cameras are connected to the Internet) and home routers. 

What is Linux and how can its inclusion in your device allow hackers to commandeer it?

Like Windows and Mac, Linux is an operating system which helps software and hardware work properly on your computers. In short, once you turn on your computer, your operating system is activated and responsible for guiding you and running your computer. On the other hand, Android is the operating system for many cell phones.

Linux can be found in hundreds of millions of devices. In 1991 – what’s now called Linux – https://www.linux.com/what-is-linux – was created as a free operating system developed by Finnish student Linus Torvalds. It’s still free and what’s called ‘open source’. A system which cyber-fraudsters began to hack, in earnest, within the past several years.

Since Linux is ‘open source’:

Companies like IBM and Adobe can tweak the code to meet their own needs. Thousands of top companies have opted to use it to operate millions of their devices. In fact, it’s not only in phones and laptops but in cars and household appliances like refrigerators; even baby monitors.
 http://www.omgubuntu.co.uk/2015/05/meet-the-smart-fridge-that-runs-ubuntu

Bottom line, the Linux operating system runs most of the Internet, super-computers and also most of the world’s ‘stock exchanges’. Which is why hackers can do so much damage with one attack.

As you can imagine, more and more issues have come to light with cyber-attacks propagated by hackers and affecting devices of millions using a Linux operating system. But finally:

Microsoft’s eagerly anticipated cloud-based bug detection tool, called Microsoft Security Risk Detection, has become generally available.
https://blogs.microsoft.com/ai/2017/07/21/ai-for-security-microsoft-security-risk-detection-makes-debut/

It uses artificial intelligence (AI) to hunt down security vulnerabilities in about-to-be launched software.

Microsoft’s new Security Risk Detection Tool
Originally called ‘Project Springfield’ –
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

This new bug detection tool discovers issues which help developers determine whether the issue detected can be rooted out (eliminated) before launch. This helps avoid necessary ‘patches’ needed (at the back end) after a product or device has been launched, perhaps even created havoc, once released to millions. In short, this bug detection tool uses A.I. which asks ‘what if’ questions about the software.  Allowing it to focus on critical and potentially weak areas susceptible to bad actors.

Docusign, a company specializing in automated signatures, tried Microsoft’s new bug detector in 2016. And was happy to discover it pointed out simple, yet critical problems, which may have had negative, far-reaching effects; but which were quickly weeded out.  The tool was recently launched. 

Dustin Childs, communications director for Trend Micro, says:

Microsoft’s Security Risk Detection tool gives developers access to security testing they otherwise might not use. Says Childs, “Bugs are much easier to detect during software development. So enhanced security testing could prevent security problems down the road.”

Whether companies feel, or believe, the Microsoft tool is cost effective for them is another question.

“Security is something everybody wants”, says Jim McGregor of Tirias Research. “IT managers often stick with security solutions they’re familiar with and upgrade with budgetary cycles.” Unfortunately, the industry rarely works together when it comes to security issues, McGregor notes.

However, McGregor is hopeful things will change since Microsoft’s new detection solution takes security to a new level.

It:

* Combines AI with cloud resources.
* Continuously leverages a wide variety of information.
* Reacts to new threats faster than traditional solutions.

Let’s be hopeful IT managers realize the excellent abilities of Microsoft’s new risk tool as the solution to not only managing Linux hacking issues and making for more secure devices for us all, but as a way into the future for stomping out cyber fraud.

Authors:  J.L.Serio and the Staff at Cyber Fraud Protect

 

CyberGate – Password Protect

Wireless Personal Cloud Password Manager Smart Card with * Bluetooth Connectivity and * Military Grade Encryption for Offline Password Management, Storage and Security:

Why give hackers easy access to your account login information that is stored on cloud based solutions.  The CyberGate Password Vault can store, manage and secure your passwords on the card right in your purse or wallet with the power of your own PERSONAL PASSWORD CLOUD.  The CyberGate Password Vault allows you stay in complete control of your sensitive personal information and keep it out of the hands of the bad guys by doing away with the security concerns of cloud-based solutions and public Wi-Fi.

 FREE REPORT:

Start taking steps NOW to keep cyber attackers from accessing your accounts.
“5 Tips to Improve the Security of Your Online Personal Accounts and Info – Exclusive Report – http://bit.ly/2x7XUTN

 

 

 

Leave a Reply

Your email address will not be published.