Heating systems, cooling systems, thermostats, videoconferencing equipment, and even vending machines, are all part of the expert hacker’s toolset for breaching corporate security. But in a recent turn of events, hackers used a Chinese restaurant menu to gain access; not by using a secret QR code printed on a physical menu that’s only visible to webcams and NFC chips, or anything as cool as that, but by infecting the online menu with malware. When employees viewed the menu they inadvertently downloaded the worm.
The Chinese-menu-assault is an example of the watering hole attack, where a fragment of malware is disguised as a .pdf file, when in fact it is an .exe file. Seeing the fake-pdf as something recognizable, obtained from a familiar source will prompt many people to open the file and even absent mindedly click “Yes” when prompted “Do you want to allow Chinese-resaurant-garden.exe to make changes to your computer?” It’s the virtual equivalent of a predator waiting by a watering hole for a feeble-minded animal.
Situations like this have grown increasingly more common and sophisticated over the years, even if businesses are constantly fighting to keep ahead of hackers. With the internet-of-things slowly permeating all things digital, and the increasing number of third-party entities being granted access to company systems, the problem will only be compounded. Outside entree can come from software controlling all manner of services a company needs: cooling, heating, ventilation, billing, expenses, human-resources management systems, graphics and data analytics functions, health insurance providers. Anything third party software being used by an employee is a potential security breach, even electric vending machines.
According to security research firm, the Ponemon Institute, 23% of all breaches are attributed to third-party negligence. To the contrary, this figure is low by the estimates of other security experts. Arabella Hallawell, vice president of strategy at Arbor Networks in Burlington, Mass., estimates that third-party suppliers were implemented in 70% of the cases of security breach she’s reviewed. Researching corporate breaches is proving to be tedious for security experts, who are being met by the weary objections of companies too hesitant to release any information that may potentially garner bad press.
Overall, experts speculate that vendors who are still running older operating systems such as Microsoft’s Windows XP are prime targets for the initial point of entry, but harmless gadgets like thermostats and printers ─ anything capable of remote control ─ are easy targets if their security settings remain off. Once malware has made its way in, it may often hide in plain sight. “The beauty is no one is looking there,” George Kurtz, the chief executive of Crowdstrike, a security firm, said to the New York Times. The bottom should be apparent: attacks can come from the unlikeliest of places.
Via Gizmodo and New York Times
Advertisement
Learn more about Electronic Products Magazine
