As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them.
Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18).
In the meantime, we had some questions for him:
Global organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The use of IoT is increasingly widespread, from home IoT and office IoT to factory IoT, and the use of automation equipment is increasing. Therefore, the most realistic and worst case for IoT is to affect critical infrastructure equipment, such as industrial control systems (ICS), by attacking IIoT devices.
Hackers can affect the operation of ICSes by attacking IIoT, resulting in large-scale damage. Furthermore, protecting medical IoT devices is also important. Hacked pacemakers, insulin pumps, etc. can affect human lives directly.
What are the main challenges when it comes to vulnerability research of IoT devices?
Expanding from IoT devices to IoT systems. The main challenge is that IoT systems consist of various components. Most components have different software/firmware, hardware, etc. The discovery of vulnerabilities in IoT devices requires expertise in many fields – researchers need to know a lot about chips, applications, communication protocols, network protocols, operating systems, cloud services, and so on.
What advice would you give to an enterprise CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
To start, CISOs should check whether the vendors of the products they plan to use care about product security. How do they deal with vulnerabilities? Do they have a PSIRT? Do they have a point of contact for vulnerability reports? And so on.
Once they settle on a product to use, they should make sure that best practices – e.g., safely configuring the device, applying security updates in a timely manner – are part of the internal processes. They should also check the security of the services the devices use, e.g., network services used by an IP camera. Finally, network defenses should be structured to effectively control the access rights of the various networked devices in the environment.
How do you expect the security of IoT devices to evolve in the near future?
As we move forward, governments will attempt to create security baselines with regulations and certifications (labelling schemes). New security standards for various sectors (automotive, aviation – to name a few) will also be created.
As IoT products use similar network security protocols or hardware components, IoT security will no longer be a unilateral effort by the manufacturers. In the future, manufacturers, suppliers of parts, security organizations and governments will cooperate more closely, and even achieve mutual defense alliances to ensure effective and immediate protection.
Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible is a bug bounty program.
During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.
What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?
I found literally hundreds of bugs in Office 365, but my favourites are "All your Power Apps Portals belong to us" and "Cross-tenant privacy leak in Office 365". In the former, I was able to control the Power Portal sites via an Insecure Direct Object Reference (IDOR), while in the latter, as an attacker you can reveal the Lync (Skype for Business) status in a cross-tenant manner. An attacker could see that a particular user is "online" or "be right back" and at the same time also reveal the custom location set by the victim.
How would you rate Microsoft Office 365 security in general?
Finding a bug in Microsoft 365 is a challenging task, given that Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.
Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.
What type of bugs did you find? What was the severity of the discovered issues?
I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.
When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.
What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?
Bug hunting is still in its early days as a field. I would call it an amateur field where both parties (the bug hunter and the bug receiver) are learning.
Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.
When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
For better or for worse, the global COVID-19 pandemic has confined most of us to our own countries (our houses and apartments, even), has changed how and from where we do our work, and has restricted our social lives.
The distractions and tools still available to help us battle our growing anxiety and sadness are few, but some of them, such as learning new things, are very powerful. Happily for all of us, many courses and trainings that were previously available only on-site are now virtual, opening new prospects and opportunities.
Among these new offerings is HITBSecTrain, an initiative launched by the organizers of the Hack in the Box security conference, which has been offering deep-knowledge technical trainings in numerous cities (including Kuala Lumpur, Singapore, Amsterdam, Dubai, Bahrain, and Beijing) since 2003.
Known for featuring specialized security courses, HITB has worked with nearly 100 trainers across the years to offer cool, atypical trainings for security folks looking to hone their skills.
Now, in response to constant feedback from trainees who asked that HITB offer more specialized topics, more subject matter experts, more often in the year, they’ve set up HITBSecTrain, which will offer HITB trainings on a monthly basis instead of just during HITB conference events.
In October, the courses on offer taught attendees about big data analytics, malware reverse-engineering and threat hunting, bug hunting and cloud security.
In November, to coincide with the virtual edition of HITBCyberWeek 2020, 10 deep-knowledge technical trainings are being offered, covering topics such as 5G security awareness, practical malware analysis and memory forensics, mobile hacking, secure coding and DevSecOps, applied data science and machine learning for cybersecurity, and more.
For now, while courses run virtually, classes are delivered via livestream, with virtual lab environments, and are structured through a learning management system. All trainees will receive digital certificates corresponding to their course choice, with additional badges awarded for completion of practical tests and quizzes.
With the new virtual format, HITB trainers are incorporating more interactive quizzes, collective exercises and practical assessments into their courses, which will help trainees engage better with the content and with each other. This will also help trainers understand better whether trainees have effectively gained the skills they sought from their course.