
    Cyber-Security Failure Brings Societal Risks: Black Hat Researchers

By Scot Petersen - August 13, 2018

Black Hat 2018 Security Concerns

      LAS VEGAS—The message was clear at this year’s Black Hat conference: The “culture,” for lack of a better term, of security must change, or society faces living in a world of perpetual cyber-risk. 

      “We need to be more ambitious, strategic and collaborative in our approach to defense,” said keynote speaker Parisa Tabriz, director of engineering at Google. “We have to stop playing whack-a-mole.” 

She was mostly referring to the way enterprises and the IT industry in general approach security bugs. But the problem goes deeper than that, according to some speakers here, and extends to potentially any vendor that makes and sells connected devices or writes software for them.

      Researchers demonstrated the ability to hack into a number of devices, which is nothing new, but these days more critical systems are being hacked, including commodity hardware controllers for SCADA (Supervisory Control and Data Acquisition) systems and Industrial Control Systems (ICS), as well as medical devices such as insulin pumps and pacemaker controllers. 

For instance, research analyst Thomas Roth, founder of leveldown security in Esslingen, Germany, presented how he reverse engineered the firmware of control systems products from Moxa, Advantech, Lantronix, Schneider and others.

      He found a general lack of basic security protections on the devices, giving hackers the ability to perform stack overflows that can crash systems and to remotely execute code. The devices are essentially an open door to any network they are connected to, he said.  

“Industrial systems are used as weapons,” he said, citing incidents in Germany (steel mill), Ukraine (power plant) and Saudi Arabia (oil producers) in recent years. ICS also control remotely operated dams, traffic management systems and tunnel ventilation systems, among other types of critical infrastructure, he said.

      Roth also found a “security culture problem” at the vendors that led to the security bugs getting into the products in the first place. Though some vendors are willing to work with hackers, others are less cooperative or won’t go the extra mile to secure their products. “If you report a bug to some of these vendors,” he said, “the vulnerability [on one product] may get fixed, but they don’t make the changes universal.” 

      Some vendors just don’t have the resources to make a real effort on cyber-security. He found firmware in some brand new devices dated to 2009. “What’s really sad is that we are in 2018 and still writing software that allows you to make a stack overflow,” he said.  

      Concerns About Medical Devices 

      Two health care researchers, frustrated by their lack of cooperation with device maker Medtronic, took their case public at Black Hat.  

      The two reported to Medtronic almost two years ago that they could remotely control an insulin pump and a pacemaker to disrupt proper operation. The company dragged its feet in response, according to Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions. 

      The two have since published the nine bugs they found as CVEs (Common Vulnerabilities and Exposures) on the NIST National Vulnerability Database, and at Black Hat presented their findings for the first time. 

      “All the key pieces of this exploit were told to the manufacturer 570 days ago,” said Rios at a press conference. “This isn’t something we just did yesterday. It’s been almost two years. At some point you have to say, ‘enough is enough’.”  

Hope for the Future

      “People should be outraged all the way around with the way security is approached,” said Mark Nunnikhoven, Vice President for Cloud Research at Trend Micro, who attributes much of the poor security culture to a skills gap. There are just not enough people trained in security, including software developers, and not enough security pros skilled in making sense of security issues to the business, he said. 

      Trend Micro is doing its part and announced this week several initiatives including the opening of six security training centers around the country. No college degree or experience is required, only a desire to “think like a hacker.”  

      Over at the concurrent DefCon 26 conference, a large group of medical practitioners, FDA regulators, researchers and vendors spoke at the “Do No Harm” panel on the state of health care security. 

      The group acknowledged the problem, but also celebrated how far security has come over the past few years and cautioned that the reaction to niche security bugs may be overblown. “More people are saved by medical devices than are accounted for in a lot of stories,” said Beau Woods, technology consultant and a leader at the grassroots I Am The Cavalry hacker organization. 

      What worried this panel is that doctors may start choosing not to install a connected device or implement a security patch for fear of putting the patient at risk.  

“That is one of our nightmare scenarios [that this will create] a crisis of confidence in the public to resist connected medicine,” said Joshua Corman, Chief Security Officer at PTC and an I Am The Cavalry hacker.

      Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.
