Backup Still Necessary Even When Using Cloud Services

Do you keep all of your data on the cloud?  If so, you’re certainly not alone.  The past few years have seen a massive migration away from storing critical files locally to placing them on the cloud, where they’re more secure and accessible from anywhere you can get internet.  In fact, many people are so comforted by the amorphous nature of the cloud that they use mass file storage there as a substitute for making regular backups.

If you’re one of the millions of people doing exactly that, you may want to rethink.  Recently, author and programmer Andy Hunt tweeted about an Amazon outage that cost him the files he had stored on the cloud when the company experienced an outage.  His tweet reads as follows:

“Amazon AWS had a power failure, their backup generators failed, which killed their EBS servers, which took all of our data with it.  Then it took them four days to figure this out and tell us about it. Reminder:  The cloud is just a computer in Reston with a bad power supply.”

Cloud-based companies often tout their virtually bulletproof uptime and low failure rates as big selling points for their services.  While those claims are true, what Andy said is also true.  At the end of the day, what we blithely call ‘The Cloud’ is just a series of computers located somewhere else. Unfortunately, those computers, like the one on your desk, are prone to catastrophic hardware failures.

That’s why it’s important that even if you use the cloud extensively for your most important files, you also take the time to make backups on a regular basis.  Cloud storage isn’t a complete solution, and it certainly shouldn’t be seen as a substitute for robust backups.

Payment Forms Cause Large Amount Of Online Data Breaches

When surveying the state of your company’s security, it’s important to understand what your biggest risks are.

According to the 2019 Application Report published by F5 Labs, the answer is simple.

Fully 71 percent of all web-related data breaches in 2018 specifically targeted customers’ financial information.

The single biggest culprit?  Formjacking.  According to F5’s Senior Threat Evangelist, David Warburton, formjacking attacks have exploded in popularity in the hacking community over the last two years.

A big part of the problem arises from the fact that most businesses have outsourced their shopping cart and credit card payment systems to third-party vendors.  Developers make use of imported code libraries and, in some cases, load third-party scripts hosted on the web.

This has the advantage of saving companies money, but it simultaneously puts them in an awkward, vulnerable position. The majority of the code used to handle and process sensitive customer information exists outside the purview of IT security.  Companies simply have no way of controlling the code or verifying its safety.

Worse, hackers know that since most companies use the same small group of payment processing options, all they have to do is compromise a single component of one of those systems to gain access to a vast pool of information spanning multiple companies.

This is exactly how and why Magecart attacks have become so devastatingly effective, and it explains their meteoric rise in popularity.

Warburton describes the challenges businesses face as follows:

“Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code.  The more code we hand over to third parties, the less visibility and less control we have over it.”

Unfortunately, there’s no simple fix for that.  Companies are driven by necessity to seek the lowest cost solution.  It would be ruinously expensive for each company to create, manage and maintain their own custom payment processing solutions.

Study On Passwords Shows People Still Use Breached Passwords

Google recently released a large-scale password study that will probably give every IT manager in the country heartburn. The results of their study indicate that a disturbing percentage of users continue to use passwords after they’ve been warned that those passwords have been compromised.

One of the most common tactics hackers employ is called ‘password spraying.’  It’s a simple technique: the hackers try several compromised passwords (even ones that have been floating around the Dark Web for months) on the assumption that a surprising percentage will still work.  Google’s study confirms that assumption.

Right now on the Dark Web, there are more than 4 billion passwords known to be compromised.  The scope and scale of the problem are staggering. Worse, the users who have compromised accounts are, as a rule, slow to do anything to mitigate the danger.  According to the results of the study, only 26.1 percent of users who saw an alert indicating a compromised password bothered to change it.  Barely one in four.

Even when users did change their passwords, 60 percent of the time the new password was found to be vulnerable to a simple guessing attack, although, in fairness, 94 percent of changed passwords were stronger than the previous one.

To collect the information, Google relied on a newly offered Chrome extension called Password Checkup, which it claims is superior to Firefox’s Monitor and the “Have I Been Pwned” website.

The company contends that these other solutions could be exploited by hackers, summing it up as follows:

“At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels…For example, both Firefox and LastPass check the breach status of user names to encourage password resetting, but they lack context for whether the user’s password was actually exposed for a specific site, or whether it was previously reset.

Equally problematic, other schemes implicitly trust breach-alerting services to properly handle plaintext usernames and passwords provided as part of a lookup.  This makes breach alerting services a liability in the event they become compromised (or turn out to be adversarial).”

Biometric Breach Exposes Fingerprints, Facial Data And Personal Info

Do you employ a biometric security solution at your company to control building access?

If your solution employs BioStar 2 technology (which is often integrated into third-party systems such as Nedap’s AEOS access control system), you have cause for concern. Recently, researchers from vpnMentor announced that they had uncovered a massive exposed database.

It is about 23 gigabytes in size and houses 27.8 million records, including fingerprints and facial recognition images, most of which were unencrypted and publicly accessible.  The exposed data also included employee names, usernames and passwords.

Worse, using the information in the database, the researchers who made the discovery were able to trace the precise movements of individual employees throughout physical facilities, along with their security clearance levels and their home and email addresses. This kind of exposure is catastrophic.  It gives hackers an unprecedented view into the inner workings of any exposed company, and it renders the security infrastructure of any building using BioStar 2’s technology completely useless.

Worst of all, Suprema, the company that makes BioStar 2, has been unusually uncooperative and unresponsive about the matter.  They fixed the issue with the exposed database eight days after it was reported by vpnMentor.

A few days after that, the company made a terse formal reply, which reads, in part, as follows:

“Suprema is aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor.  The Company takes any report of this nature very seriously.  It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary.”

If your firm utilizes any security solution built around BioStar 2, at a minimum, you should immediately change your password and the passwords associated with all of your employees.

IP Camera Hacking Attempts Are Rising

Recently, Trend Micro published some statistics that just about everyone should find disturbing.  According to those statistics, the security company has blocked more than five million cyber-attacks against IP cameras in the past five months alone. Worse, IP cameras don’t tend to have much security in place to begin with, which makes it relatively easy for hackers to take control of them remotely.

IP cameras send video directly to the internet as it is captured and are typically used for surveillance. They’re among the vast crop of ‘low-hanging fruit’ among web-connected devices these days.  The company found that fully 75 percent of the attacks relied on simple brute-force tactics.

Oscar Chang, of Trend Micro, had this to say about the findings:

“More verticals are seeking connected, AI-powered video surveillance applications, causing a clear paradigm shift from a relatively closed-off network to a more interconnected network operated heavily by cloud-based technologies.  Due to this shift in the landscape, manufacturers and users must pay attention to the security of these IoT devices. While the industry has known about cyber-risks, manufacturers have been unable to properly address the risk without knowing the root cause and attack methods.”

Those are wise words. The number of smart devices has grown explosively in recent years, and hackers have gleefully commandeered them by the tens of thousands and turned them into botnet armies for hire. Given those circumstances, one would think that every smart device manufacturer would make the security of the devices they sell a top priority.

To date, however, that simply hasn’t been the case.  Until that changes, we can expect to see the numbers Trend Micro and other security companies report increase until we finally reach a tipping point.

The sad thing is, it doesn’t have to come to that.  If the industry were to get serious about IoT security and put standards in place, we could, at the very least, diminish the magnitude of the problem.  At present, that appears unlikely.