Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Hackers Penetrate Your Network Through Chinese Menus and Soda Machines

April 9, 2014

In a fascinating New York Times story (hat tip to Dave Ries), you can learn how watering hole attacks work, so-called because predators wait at a watering hole for their thirsty prey to show up.

Take the Chinese takeout menu case. Unable to breach the computer network at a big oil company, hackers planted malware in the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they unknowingly downloaded code that gave the attackers entry into the company's huge computer network.

Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies seeking to secure their systems from hackers and government surveillance need to look in odd nooks and crannies for vulnerabilities.

Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system contractor. In other cases, hackers have used printers, thermostats and videoconferencing equipment. Have you looked there? Probably not.

Let's see – what else do companies need and outsource? Vendors often install software controlling all kinds of services: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance services; and even vending machine services. These vendors, all too often, seem to have the keys to the kingdom through their software.

Data on the percentage of cyberattacks that can be tied to a third party is scarce and difficult to obtain, primarily because the victims' lawyers try not to disclose breaches. But a survey of more than 3,500 global IT and cybersecurity practitioners, conducted last year by the security research firm Ponemon Institute, found that roughly a quarter of breaches were attributable to third-party negligence. Security experts think that figure is low. One expert estimated that third-party suppliers were involved in 70 percent of the breaches her company reviewed.

The world has changed. Heating and cooling providers can now monitor and adjust office temperatures remotely, and vending machine suppliers can see when their clients are out of Cokes and Fritos. Those vendors often don’t have the same security standards as their clients, but for business reasons they are allowed behind the firewall that protects a network.

Vendors are alluring targets for hackers because they tend to run older systems, like Microsoft’s Windows XP software. Also, security experts say that seemingly innocuous devices such as videoconference equipment, thermostats, vending machines and printers are often delivered with the security settings switched off by default. Once hackers have found a way in, the devices offer them a place to hide in plain sight.

Last year, security researchers found a way into Google’s headquarters in Sydney, Australia, and Sydney’s North Shore Private hospital — and its ventilation, lighting, elevators and even video cameras — through their building management vendor. More recently, the same researchers found they could breach the circuit breakers of one Sochi Olympic arena through its heating and cooling supplier.

The Ponemon survey last year found that in 28 percent of malicious attacks, respondents could not find the source of the breach. Clearly, corporations should set up their networks so that access to sensitive data is sealed off from third-party systems and remotely monitored with advanced passwords and technology that can identify anomalous traffic — like someone with access to an air-conditioning monitoring system trying to get into an employee database. Even that isn't good enough. You need security folks who know what to do when alerted to trouble.
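The kind of check described above (a host in a vendor's air-conditioning segment reaching for an employee database) can be expressed as a default-deny zone policy evaluated over flow records. This is an added example, not code from the original post or the survey; the subnets, zone names, allow-list and flow-record format are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): subnets are illustrative, not from the article.
ZONES = {
    "hvac_vendor": ipaddress.ip_network("10.50.0.0/24"),
    "building_mgmt": ipaddress.ip_network("10.60.0.0/24"),
    "hr_database": ipaddress.ip_network("10.10.20.0/24"),
    "corp_users": ipaddress.ip_network("10.20.0.0/16"),
}

# Default deny: a third-party zone may reach only the zones and ports listed here.
ALLOWED = {("hvac_vendor", "building_mgmt"): {443}}
THIRD_PARTY_ZONES = {"hvac_vendor"}


def zone_of(ip):
    """Return the name of the zone containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def find_violations(flow_lines):
    """Flag flows that start in a third-party zone and break the allow-list."""
    alerts = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records rather than crash the monitor
        (ts, src, dst), port = fields[:3], int(fields[3])
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        allowed_ports = ALLOWED.get((src_zone, dst_zone), set())
        if src_zone in THIRD_PARTY_ZONES and port not in allowed_ports:
            alerts.append((ts, src, src_zone, dst, dst_zone, port))
    return alerts


# Constructed sample records: timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = [
    "2014-04-09T02:11:07Z 10.50.0.12 10.60.0.5 443",    # HVAC telemetry: allowed
    "2014-04-09T02:13:44Z 10.50.0.12 10.10.20.8 1433",  # HVAC host -> HR database
    "2014-04-09T02:14:02Z 10.20.4.31 10.10.20.8 1433",  # employee workstation: not vendor
    "2014-04-09T02:15:30Z 10.50.0.12 10.60.0.5 22",     # allowed zone, unexpected port
]

if __name__ == "__main__":
    print(*find_violations(SAMPLE_FLOWS), sep="\n")
```

Because the policy is default-deny for vendor zones, a vendor host reaching an address outside every defined zone is also flagged, with destination zone `unknown`.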

Even though Target used security technology supplied by FireEye, a company that sounds alerts when it identifies such anomalous activity, its IT personnel apparently ignored the red flags.

One Arbor Networks study found that banks spend up to 12 percent of their information technology budgets on security. But retailers spend, on average, less than 5 percent of their budget on security. The bulk of their spending goes to customer marketing and data analytics. Not a good plan when your Coke machine may be your worst nightmare.

Phone: 703-359-0700

http://www.senseient.com

http://twitter.com/sharonnelsonesq