    Cyber-Security Failure Brings Societal Risks: Black Hat Researchers

    By Scot Petersen, August 13, 2018
      Black Hat 2018 Security Concerns

      LAS VEGAS—The message was clear at this year’s Black Hat conference: The “culture,” for lack of a better term, of security must change, or society faces living in a world of perpetual cyber-risk. 

      “We need to be more ambitious, strategic and collaborative in our approach to defense,” said keynote speaker Parisa Tabriz, director of engineering at Google. “We have to stop playing whack-a-mole.” 

      She was mostly referring to the way enterprises and the IT industry in general approach security bugs. But the problem goes deeper than that, according to some speakers here, and potentially reaches any vendor that makes and sells connected devices or writes software for them.

      Researchers demonstrated the ability to hack into a number of devices, which is nothing new, but these days more critical systems are being hacked, including commodity hardware controllers for SCADA (Supervisory Control and Data Acquisition) systems and Industrial Control Systems (ICS), as well as medical devices such as insulin pumps and pacemaker controllers. 

      For instance, research analyst Thomas Roth, founder of leveldown security in Esslingen, Germany, presented how he reverse-engineered the firmware of control systems products from Moxa, Advantech, Lantronix, Schneider and others.

      He found a general lack of basic security protections on the devices, giving attackers the ability to trigger stack overflows that can crash systems and to remotely execute code. The devices are essentially an open door to any network they are connected to, he said.

      “Industrial systems are used as weapons,” he said, citing incidents in Germany (steel mill), the Ukraine (power plant) and Saudi Arabia (oil producers) in recent years. ICS also control remotely operated dams, traffic management systems and tunnel ventilation systems, among other types of critical infrastructure, he said.

      Roth also found a “security culture problem” at the vendors that led to the security bugs getting into the products in the first place. Though some vendors are willing to work with hackers, others are less cooperative or won’t go the extra mile to secure their products. “If you report a bug to some of these vendors,” he said, “the vulnerability [on one product] may get fixed, but they don’t make the changes universal.” 

      Some vendors just don’t have the resources to make a real effort on cyber-security. He found firmware in some brand-new devices dated to 2009. “What’s really sad is that we are in 2018 and still writing software that allows you to make a stack overflow,” he said.

      Concerns About Medical Devices 

      Two health care researchers, frustrated by a lack of cooperation from device maker Medtronic, took their case public at Black Hat.

      The two reported to Medtronic almost two years ago that they could remotely control an insulin pump and a pacemaker to disrupt proper operation. The company dragged its feet in response, according to Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions. 

      The two have since published the nine bugs they found as CVEs (Common Vulnerabilities and Exposures) on the NIST National Vulnerability Database, and at Black Hat presented their findings for the first time. 

      “All the key pieces of this exploit were told to the manufacturer 570 days ago,” said Rios at a press conference. “This isn’t something we just did yesterday. It’s been almost two years. At some point you have to say, ‘enough is enough’.”  

      Hope for the future 

      “People should be outraged all the way around with the way security is approached,” said Mark Nunnikhoven, Vice President for Cloud Research at Trend Micro, who attributes much of the poor security culture to a skills gap. There are just not enough people trained in security, including software developers, and not enough security pros skilled at explaining security issues to the business, he said.

      Trend Micro is doing its part and announced this week several initiatives including the opening of six security training centers around the country. No college degree or experience is required, only a desire to “think like a hacker.”  

      Over at the concurrent DefCon 26 conference, a large group of medical practitioners, FDA regulators, researchers and vendors spoke at the “Do No Harm” panel on the state of health care security. 

      The group acknowledged the problem, but also celebrated how far security has come over the past few years and cautioned that the reaction to niche security bugs may be overblown. “More people are saved by medical devices than are accounted for in a lot of stories,” said Beau Woods, technology consultant and a leader at the grassroots I Am The Cavalry hacker organization. 

      What worried this panel is that doctors may start choosing not to install a connected device or implement a security patch for fear of putting the patient at risk.  

      “That is one of our nightmare scenarios [that this will create] a crisis of confidence in the public to resist connected medicine,” said Joshua Corman, Chief Security Officer at PTC and an I Am The Cavalry hacker.

      Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.
