Reflare Weekly Security Briefing 2016-06- Activism and IoT
This was a busy week for hacktivists as well as for IoT data breaches. Once again, hackers have shown interest in hacking large organizations, such as healthcare providers, government facilities and postal services, for political gain.
The hacking organization Anonymous recently hacked Turkey's General Directorate of Security (EGM) in response to what Anonymous claims are various abuses by the government. They then released 2.8GB of compressed data that contains information on the government's infrastructure. This is just another example of hackers using attacks to raise political awareness for their causes. No significant backlash is expected, but the published data was used to bring to light political events between Turkey and its anti-terrorist activity.
At the same time, Hollywood Presbyterian Memorial Medical Center has been forced back into pen and paper transactions. The hospital released a statement saying that it is working with the FBI and LAPD on an investigation into a recent attempt to hold the hospital's data hostage. Recent reports indicate that the hospital could be the victim of a ransomware attack, in which attackers encrypt the victim's data and demand thousands of dollars for the decryption key. In an organization with millions of health records, it could set a precedent in ransomware attacks. Ransom attacks are common against individual machines, but this is one of the first attacks that threaten an entire organization enough to force it to stop using its computer systems.
IoT technology continues to show its limitations in security. Samsung recently sent a press release that highlighted how their voice systems work for Smart TVs. Any voice communication within the TV's area is captured and sent to cloud servers. This means that private conversations are sent to Samsung and processed from voice to text. Samsung collects this data to determine if they need to improve their devices. Unfortunately, this means that any personal conversations are also recorded along with voice commands. Should law enforcement subpoena Samsung, these conversations would no longer be private. The official recommendation by Samsung is to not have private conversations in rooms with a Smart TV, which is not a practical mitigation for end users.
Samsung's Smart TV is yet another IoT device that was shown to have severe security flaws, mainly in the area of privacy. Until engineers for these devices begin thinking like hackers, the hacking community will continue to find critical flaws in the systems.