Cyber Threat Analysis for 3/18/16

Apple employees may quit rather than comply with FBI encryption orders

Compelling Apple to break its own security measures may not be as simple as it sounds. A new New York Times report suggests that even if the company loses its court fight and is legally compelled to produce security-breaking software, the employees tasked with creating the software may quit or simply stop working rather than comply with the court order. If enough of the company's employees participate in the action, it could make the FBI's goal nearly impossible to achieve. (The Verge)

Should the Bureau succeed in court, they will almost assuredly be reveling in a Pyrrhic victory. The price of access to a phone of questionable intelligence value is the loss of any friction-free future cooperation or good will with any U.S. technology company of note. Do not be surprised if a Bureau victory leads to a number of leading U.S. technology companies becoming former U.S. technology companies (at least on paper). Such a move does not place an entity outside the reach of Uncle Sam, but some firms may view being a target for SIGINT (company = person; foreign person = legitimate NSA target) as better than having to respond to subpoenas from the FBI.

Lack of IoT Security Awareness Opens up companies to hack attacks

Speaking at the Wearable Technology Show in London, Brian Witten, senior director of IoT security at Symantec, said companies of all sizes lack the know-how to secure low-powered IoT devices, which leaves them vulnerable to skilled attackers.

“What we see a lot of is a lack of awareness mainly because there are a lot of companies out there that are great at device engineering but aren’t security companies. And there are a lot of security companies that have never done engineering in these extremely constrained devices.” (V3)

All the king's commodity IT security horses and men are of little value when it comes to making sure your refrigerator is not a threat or that you can trust your toaster. It is not that such devices cannot be secured; it just requires people with a sufficient amount of knowledge and experience working at lower levels of technology to do the job. Users of such technology also need to understand that thinking obscurity or isolation means you are immune to threats is how so many of your peers become victims of seemingly trivial issues.

4 reasons not to pay up in a ransomware attack

Online extortion is on the increase, as criminals use a variety of attack vectors, including exploit kits, malicious files, and links in spam messages, to infect systems with ransomware. [...] Whether or not the organizations should pay the ransom is not a security decision -- it's a business decision. Paying encourages criminals to attack again. Not paying means lost revenue while waiting for IT to recover the files. This isn’t an easy choice, but read on for reasons to not pay the ransom. (CSO Online)

When it comes to ransomware, no amount of digital forensics or incident response will save you; your moral or ethical code is not going to put food on the table. I don't know how many infected firms have gone under because of ransomware, but it is not 0. A few hundred dollars in ransom is a small price to pay to learn the importance of a sound backup scheme. Once you've implemented such a scheme you are more resilient to such attacks. I know of no ransomware crews that are not consummate (if illicit) professionals: there is more money in the long game. Advice to the contrary is inevitably issued by people on a high horse who have not fallen victim to a ransomware attack and have the luxury of dealing with hypotheticals.


Motor Vehicles Increasingly Vulnerable to Remote Exploits

As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles. The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. (FBI)

Given that it is St. Patrick's Day I definitely have concerns about automobile safety; they just have nothing to do with my sedan being pwned and everything to do with the number of people who have partaken of three-too-many pints of Guinness. At this stage car hacking is not something a significant number of people need to be concerned about, because the risk of some very old-fashioned threats to your safety while rolling is dramatically higher. Car hacking is in vogue, but it's a specialty issue until someone figures out how to fuse car hacks with ransomware at scale.