The surprising thing about reportage of the security breaches suffered yesterday by the Post Office and TalkTalk is not that they happened, nor that they were covered widely. It is that for many the story is not the front-page lead or the lead story on a news website.
Consider that for a moment: 100,000 people’s details are compromised and this is not deemed particularly big news any more. This may say something about the inevitability of a hack of some sort. It’s just as likely to be symptomatic of low expectations of security professionals and what they can actually achieve. This could lead to another even more serious problem.
If expectations are low, then disillusionment can set in and people can stop even aspiring to run secure networks. It’s worth mentioning that the Mirai attacks, of which these are examples, take advantage of people using the default passwords on their routers. “Unfortunately, default-itis still plagues large organisations,” said Andy Green, senior technical specialist at security company Varonis. “As recently as 2014, the Verizon DBIR specifically noted that for PoS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, ‘admin1234’. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.
“Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which default accounts were never changed.”
If he’s right, then there may be a hefty element of easy precautions being ignored. Meanwhile Mike Ahmadi, global director for critical systems security at Synopsys, observed: “Massively scalable attacks are the current trend in cybersecurity, and this should raise concern among all users and organisations. We have multiple issues to deal with here. One is the fact that most product vendors and organisations deploying the products remain unaware of the level of vulnerabilities in their systems. The other issue is for those that are aware, strategies to mitigate against large, scalable attacks are either rudimentary or non-existent.”
Gavin Millard, EMEA Technical Director of Tenable Network Security, added: “Any device that requires an inbound connection from the internet should have a strong, non-default password rather than one of the list Mirai is currently targeting. If you do have something with default credentials, reboot it and change the passwords immediately.”
Is insecurity inevitable?
The problem is that the tone in the media at least suggests that there is an acceptance that this stuff is going to happen. It’s not front page stuff, it’s not a surprise any more. Commentators are noting that once the hackers have exhausted the big companies for data raids they’ll almost certainly start looking to the smaller companies as well, so nobody is safe.
One first step in the fightback could be simply to change the default passwords on a router. Yesterday New Statesman Tech published an item on how to have an awkward conversation with the board; a good start would be if that conversation didn’t have to contain the phrase “because we forgot the basics”.