Thursday, August 1, 2013

Back to Security - Ignore and You'll Pay

Def Con 21 kicks off this week, so I thought it would be an appropriate time to swing our discussions back to the topic of security.  In some instances, repetition of a theme can become stale. Security is one topic where you must always pay attention and never, ever drop your guard.

Leading up to Def Con 21, white hat researchers have announced that they have figured out how to hack into both the Ford and Toyota automotive systems.  They have announced that they will release a 100 page report detailing their efforts.  While they will not release the specifics of how they achieved the takeover, now that they've reported it can be done, you can bet that others will follow suit.  According to reports, the researchers were able to force a Prius into suddenly slamming on the brakes while the car was moving at 80 mph; they were also able to force the steering wheel to jerk and the engine to race unexpectedly.  On the Ford Escape system, they were able to disengage the brakes while the vehicle was moving at low speeds.

Additionally, academic researchers have figured out how the anti-theft systems of several automotive makers can be bypassed.  Volkswagens, Porsches, Audis, Bentleys, and Lamborghinis are all subject to the hack.  The researchers claim that they have figured out multiple ways to bypass the immobilizer mechanism by reverse engineering the algorithm.  Volkswagen actually preemptively went to the courts and received an injunction preventing the authors from publishing the details of their research.  While the judge has prevented the information from being published, now that it is known that it is possible to hack the algorithm, others will undoubtedly follow and perform their own research.

Earlier this year, a tool called "DropSmack" was created by a security consultant that used Dropbox to remotely take over a PC.  The consultant was able to add macros to a Word document in Dropbox and then use spear-phishing techniques to get an executive at a company he was working for to open the document.  Once the document was open, the consultant was able to take over the PC.

How many of you work in organizations that either knowingly or unknowingly have PCs that are connected to Dropbox?

As altruistic as we would like to be, we live in a society where some people are intent on gaining access to systems that they don't own, for various reasons.  Sometimes they just want the thrill of being able to gain access to something they shouldn't have access to; sometimes they want to take everything you've got.  If you're not paying attention and doing the right things to secure your network, secure the applications you use and secure the applications you create internally, you're making it easy for the bad guys.  The latest report from Verizon - the 2012 Verizon Data Breach Investigations Report - identifies that 78% of all attacks last year were targets of opportunity.

As you are designing software, the primary question you need to ask yourself is, how will someone attempt to use this to do something that they shouldn't be doing?

Security needs to be a significant focus of the design, build and test phases of the lifecycle.  Additionally, regular testing needs to occur once your applications move into the production environment, to ensure that the system is not exposed to the latest known vulnerabilities.

I've heard some organizations make the claim that they can't afford to take the time to worry about this, that they are small and nobody is going to notice their web site.  Well, I hate to be the one to burst your bubble, but if your network is accessible via the internet - and whose isn't these days - then you're at risk.  If you don't take the time and dollars necessary to secure your web site and put the technology in place to protect your network, someone is going to find you.  They may not necessarily be looking for you, but they will find you.  They have built tools that move through the internet going from one system to the next looking for vulnerabilities.

If you haven't patched the software you've purchased to run your systems, and kept those patches up to date - then they will find it.  If you haven't patched the open source software you are using, and kept those patches up to date - they will find the opening.  If you haven't prevented cross-site scripting from impacting your web site, if you haven't prevented SQL injection - then they will find it.  There are easy things you can do to protect yourself and not all of it costs money:
  1. Keep your systems patched to the most recent releases - whether purchased or open source.
  2. Install firewalls in your network and keep the firewall patched to prevent unauthorized programs from accessing your network.
  3. Institute and enforce policies for users to change their passwords regularly and to use strong passwords.
  4. Install and use anti-virus/anti-malware/anti-spyware protection.
  5. Don't open emails from people you don't know.
  6. Institute whitelisting of applications and internet sites that can be used and accessed from within your organization.
From a development standpoint - if you're not familiar with OWASP, then you need to hit their web site and immediately begin to pay attention to the vulnerabilities that they report.  This site identifies the most common vulnerabilities impacting web sites.  They explain each vulnerability and recommend what you can do to prevent these types of attacks on your network.  I'm not saying that this is the be-all and end-all of security, but this site at least points you in the right direction.
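To make the SQL injection and cross-site scripting points above concrete, here is an added example (my own illustration, not code from the original post or from OWASP) showing each vulnerability beside its hardened form: a lookup that pastes user input into the SQL text next to one that binds it as a parameter, and a page fragment that inserts untrusted text into HTML next to one that escapes it.  The in-memory database, the user rows and the two test inputs are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so it can change the query's meaning."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter and is only ever compared as a value."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Vulnerable: untrusted text is dropped into HTML unchanged (reflected XSS)."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-escape on output so the browser treats the input as text, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run both inputs through the vulnerable and hardened versions and report the difference."""
    conn = make_db()
    # Constructed injection probe: closes the string literal and adds an always-true clause.
    sqli_input = "nobody' OR '1'='1"
    vulnerable_rows = find_user_vulnerable(conn, sqli_input)  # every user comes back
    safe_rows = find_user_safe(conn, sqli_input)              # no user has that literal name
    # Constructed XSS probe: a script tag submitted as a name.
    xss_input = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(vulnerable_rows),
        "safe_rows": len(safe_rows),
        "vulnerable_html": render_greeting_vulnerable(xss_input),
        "safe_html": render_greeting_safe(xss_input),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same principle: keep data and code separate.  A bound parameter can never become part of the SQL statement, and escaped output can never become part of the page's markup, which is why these two controls are what the OWASP guidance recommends as the first line of defense.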

You also need to ensure that your developers take the time necessary to educate themselves on secure development techniques.  This isn't an overnight miracle that will suddenly make you invulnerable; it is a process that will take time, but it will slowly and surely improve the security stance of your applications.  There are books, websites and seminars dedicated to this topic.  Pick the one you can afford and get moving - today!

Tags: SDLC, Software Development Lifecycle,  Project Lifecycle, Project, Manager, Development, Paradigm, Security, Secure Development Lifecycle

For more information on David L. Collison: LinkedIn Profile