Ignore until sued

October 2016 News & Events

Recently, the world was witness to the largest distributed denial-of-service (DDoS) attack in history. Was this a nefarious plot against the world’s democracies? Perhaps a Western attack on a rogue nation? No, it was an attack on a web server belonging to Brian Krebs, security researcher and author. (You can find the story at https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/.)

According to Wikipedia, “a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.” (Read more at https://en.wikipedia.org/wiki/Denial-of-service_attack.)

The attack consisted of 620 Gbps being thrown at Krebs’ web server over a sustained period. The interesting and also frightening thing about the attack was that it was orchestrated with the help of a botnet – devices that have been compromised by malware. Krebs describes these as "Internet of Things" (IoT) devices, consisting of “mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”

We have mentioned IoT security in this column before, but it seems that many physical security companies are still living in a world where security is something they sell and not something they do. Not long ago we commented on the vulnerabilities in DVRs and cameras which had been used to launch attacks similar to this one – although not nearly on the same scale.

Well, it’s gotten worse. If your ISP provides you with a router, you can easily find the default passwords with a simple online search. The same applies to your surveillance camera and DVR and whatever ‘thing’ you have that has a password. Default passwords are a good thing. It allows installers to set up various devices easily and quickly, but they are meant as a starting point, not as an excuse for laziness.

(To be fair, I know that a few CCTV companies force you to change the default passwords when you install their products.)

I know passwords are a pain in the security, but they are there for a reason. Before the Internet you only had to worry about people on your network fooling around, today you have endless people making use of endless opportunities to hack. Whether it’s someone doing it for fun and just to see if they can, some teenager trying to prove how cool they are by breaking something, various layers of criminals looking for a quick buck (or to include you and yours in a botnet), or nation states spying on everything in existence because they can, you can no longer assume anything is secure. It is also incredibly naïve to think that if you are not famous nobody will try to take advantage. The Internet is the great leveller.

If a surveillance camera is a good enough target, so is your router at home and your CCTV camera and your cool gadget that switches the lights on when you’re close to home. When you take a step into the corporate world, things simply get worse. When your air conditioner is online so that a building management system can switch it on or off and save energy costs, will it be secured?

Insecure on demand

Like most people, I have a router at home that was supplied by my ISP. I use it to connect my computers and mobiles to the Internet, as well as cameras at home. I also use it to view the cameras in the complex I live in. Everything talks to everything very nicely.

I decided to see how secure my router was after reading this article. I shouldn’t have. I changed the default password as soon as my Internet was installed, much to the amusement of the technician who came to sort something out one day. Apparently that is seen as overkill by my ISP. Sadly, everything else is default and I can’t change it. I wouldn’t be surprised if the switches at my ISP had the username ‘admin’ as well as the password ‘admin’.

My router has no security. The default username and password to log into it remotely are hard coded (unchangeable). This is great if the original manufacturer in China wants to load the latest firmware onto the device (which of course they don’t), but the channel is there, wide open, it doesn’t even require an https connection – and you can’t change it to force https.

And by the way, the cameras and recorders in my residential complex are also set to their default passwords – and they are connected to the Internet. I was outvoted when I suggested changing them. Too much effort I guess.

Integration intershmashun

How often have you read about integration and the benefits of integrated security systems as opposed to standalone solutions? Hi-Tech Security Solutions has had its fair share of articles on this topic. We’ve even dared to speak about integration extending beyond the physical security market into the cyber security market. Next year we will get into that even more.

But I have to ask myself, which user, when purchasing an integrated solution of, for example, perimeter, intrusion and surveillance, thinks about whether the solution is secure from a digital perspective. Chances are the solution will be linked via an IP network and also connected to the Internet to allow the integrator or service provider to monitor the system’s health and the customer’s security in real time. Who else gets to have a peek?

Of course, the reason users rely on integrators and consultants is because they don’t have the knowledge to advise and design these systems themselves. The integrators and consultants are the ones who need to be aware of the dangers and advise appropriately.

The problem is the nature of the business where they want to get the job done and move on. Less effort means more profit. The bakkie brigade is renowned for this, but sadly, some of the more ‘respectable’ integrators follow the same process.

Viva users

Perhaps the solution to our lack of security is the user. They need to demand secure systems as part of their service-level agreement (SLA). This will terrify most integrators, but if there’s money at risk maybe they will pay attention to the basics. Changing the default passwords is not the ultimate security solution, but it makes it a bit harder for villains to control your devices. Taking care of other basic security processes will assist in making it even harder, and it will protect the customer from any backlash. The PoPI Act requires companies to make ‘reasonable’ effort to protect personal data, basic security processes are a huge step to such reasonable effort.

The idea of integration finds its Utopia in the IoT where everything is connected. The IoT will see the tiniest sensors sending and receiving data, as well as the largest things, like ships or planes (even more than they do today). It doesn’t require a doctorate in computer science to understand that the more connected devices there are, the more potential vulnerabilities there are. All it takes is one device, no matter how irrelevant, that is vulnerable and your whole network could be compromised.

Sadly, if the security industry’s performance to date is anything to go by, you don’t need to be a genius to find a physical security vulnerability, you can simply search for its default login credentials on the Internet and then access a device with administrator privileges. Leaving default passwords is akin to installing the latest security system in your car, arming it and then leaving the keys and remote on the roof.

Andrew Seldon

Editor



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Fire safety in commercial kitchens
Technews Publishing Kestrel Distribution Products & Solutions Fire & Safety Commercial (Industry)
Fire safety in commercial kitchens is becoming increasingly critical. Defender is Europe’s first EN 17446:2021-approved kitchen hood fire suppression system and offers the indispensable safety measures required.

Read more...
Linear heat detection (LHD) from Technoswitch
Technews Publishing Technoswitch Fire Detection & Suppression Products & Solutions Fire & Safety
SecuriHeat LHD by Securiton prevails where conventional fire detectors reach their physical limits. It copes well with extreme temperatures and constantly high atmospheric humidity, while precise measurements are also possible when corrosive gases and contaminated air are present.

Read more...
From the editor's desk: A burning issue
Technews Publishing News & Events
      Welcome to the first publication from SMART Security Solutions devoted to the fire industry. In the BMI report, sponsored by the Elvey Group, released earlier this year, fire was the smallest component ...

Read more...
Effective fire and smoke detection using cameras
Hikvision South Africa XtraVision SMART Security Solutions Technews Publishing Dahua Technology South Africa Fire & Safety
Video analytics, spurred on by advances in image processing, enhanced fire and smoke detection capabilities while significantly reducing false alarms in surveillance cameras. Today, AI has further improved accuracy and minimised false alarms.

Read more...
Surveillance on the perimeter
Axis Communications SA Hikvision South Africa Technews Publishing Editor's Choice Perimeter Security, Alarms & Intruder Detection
Cameras have long been a feature in perimeter security, with varying reports of success and failure, often dependent on the cameras’ planning, installation and configuration, as well as their integration with other perimeter solutions and centralised management platforms.

Read more...
Onyyx wireless alarm
Technews Publishing Editor's Choice Smart Home Automation
IDS has introduced Onyyx, a wireless alarm system engineered to provide complete system control via the Onyyx app or keyring, as well as seamless installation.

Read more...
Visual verification raises the security game
Technews Publishing Inhep Electronics Holdings Videofied SA Editor's Choice Perimeter Security, Alarms & Intruder Detection
Incorporating alarm signals with live surveillance footage, visual verification enables a human observer in a control room (onsite or offsite) to gain a clear understanding of the situation, thereby facilitating informed decision-making.

Read more...
From the editor's desk: Keeping them out, keeping you aware
News & Events
Alarm, intrusion, and perimeter protection have been part and parcel of South African society for years. Many years ago, a home alarm consisted of wires covering one’s windows, which caused an alarm ...

Read more...
Intrusion Selection Guide 2024
Technews Publishing Perimeter Security, Alarms & Intruder Detection
The Intrusion Selection Guide 2024 includes the latest products and solutions aimed at small, medium, and large operations that require reliable, easy-to-install, set-up, and use intruder detection technology that reduces false alarms but never misses an actual event.

Read more...