Recent events like Passwords15, Black Hat USA and DEF CON have raised the visibility of the evolving cyber security threat landscape – focusing on high-profile hacks, new regulations and innovative approaches for protecting organizations’ most precious assets.
Sessions and demonstrations focusing on topics like defeating pass-the-hash attacks, managing Active Directory backdoor risks, and taking control of everything from a car to a power plant highlight vulnerabilities that exist in nearly everything we interact with.
Several of these sessions, including our own that examined Kerberos attack trends, incorporated a privileged account security connection. One of the more surprising connections was the hack of the TrackingPoint sniper rifle scope. Wired covered the hack in detail, but it was impactful to sit in the audience and hear how persistent the research duo was in finding different avenues for breaking into (hint: it got destructive) and gaining control over the WiFi-enabled scope.
Understanding the sheer determination of attackers – whether motivated by simple curiosity or malicious intent – holds valuable lessons for any organization: attackers will get in; it’s just a matter of when and how.
In this case, the researchers took advantage of multiple vulnerabilities including the rifle scope’s default passwords and used SSH keys to gain root access and make changes to the Linux-based system – altering factors such as ballistics values and temporarily locking the trigger. One of the overall messages was that vendors and development teams often ignore “low-hanging fruit” – like better managing passwords in embedded devices. In the new world order of interconnected devices, security must be built in.
One of the lighter moments of the talk came when a note to customers from the gun manufacturer’s website, written in response to the well-publicized hack, was shared: “… Please note the following: Since your gun does not have the ability to connect to the internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use WiFi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet.”
Shifting gears slightly to the Intel Developer Forum, security was center stage when GM of Intel Security Group, Chris Young, addressed security through the perspectives of consumer and enterprise users. The messages were consistent: security must be baked into everything – every application, every device, every system. Most importantly, it must complement the user experience, not impede it.
Intel CISO Brent Conran spoke about the complexity of his own IT environment and the company’s partnership with CyberArk to go beyond perimeter defenses to protect privileged accounts – which are often sought by attackers as a powerful pathway to accessing sensitive data. A Data Center Knowledge article highlights CyberArk CEO Udi Mokady joining Conran on stage to talk about the real and increasingly dangerous cyber threats posed by a lack of control over privileged accounts and credentials – including those used to enable applications to communicate with other enterprise applications or databases.
The Intel security session concluded with the on-stage hack of a spider-looking robot (technically a hexapod), which was protecting an enormous donut. While far less threatening than the rifle example, in the on-stage demonstration, “Hacker Jenny” was able to get root access to the software controlling the robot via the cloud, and simply put it to sleep, presumably so she could steal the delicious donut.
So whether it’s a rifle, a robot or a car – privilege really is everywhere. In the end, it doesn’t matter if the attackers are 100 feet or 2,000 miles away. Privileged accounts are just too tempting for a persistent attacker to resist.