5 New Network Attack Techniques That Will Keep You Awake at Night

Published: 22/11/2024   Category: security




You can't trust anything -- not the cloud, not hardware, not industrial control systems. Take nothing for granted, advise the experts, and trust nothing.



Get ready for insomnia. Attackers are finding new techniques, and here are five that will give you nightmares worse than after you watched the slasher film everyone warned you about when you were a kid.
At a panel at the 2018 RSA Conference in San Francisco last week, we learned that these new attack techniques aren't merely theoretically possible. They're here, they're real, and they're hurting companies today. The speakers on the panel laid out the biggest attack vectors we're seeing -- and some of them are either different than in the past, or are becoming more common.
Here's the list:
1. Repositories and cloud storage data leakage
People have been grabbing data from unsecured cloud storage for as long as cloud storage existed. Now that the cloud is nearly ubiquitous, so are the instances of non-encrypted, non-password-protected repositories on Amazon S3, Microsoft Azure, or Google Cloud Storage.
Ed Skoudis, the Penetration Testing Curriculum Director at the SANS Institute, a security training organization, points to three major flaws here. First, private repositories are accidentally opened to the public. Second, these public repositories are allowed to hold sensitive information, such as encryption keys, user names, and passwords. Third, source code and behind-the-scenes application data can be stored in the wrong cloud repository.
The result? Leakage, if someone happens to find it. And "Hackers are constantly searching for repositories that don't have the appropriate security," Skoudis said.
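An added example, not from the article or the panel: a small audit that combines the first two flaws, flagging buckets whose policy lets anyone read and listing the key-like objects they hold. The inventory, bucket names, object keys and the list of sensitive name patterns are constructed assumptions.

```python
import json
import re

# Names that often hold keys or credentials (illustrative list, an assumption).
SENSITIVE = re.compile(r"(\.pem|\.key|\.env|\.pfx|id_rsa|credentials|passwd)$", re.I)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    """True when the policy principal matches anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(
        "*" in _as_list(v) for v in principal.values())

def public_read_statements(policy_json):
    """Sids of Allow statements letting any principal read, with no Condition."""
    found = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        reads = any(a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list"))
                    for a in actions)
        if (st.get("Effect") == "Allow" and _wildcard(st.get("Principal"))
                and reads and not st.get("Condition")):
            found.append(st.get("Sid", f"statement-{i}"))
    return found

def audit(inventory):
    """Map each publicly readable bucket to its sensitive-looking object keys."""
    return {name: sorted(k for k in b["keys"] if SENSITIVE.search(k))
            for name, b in inventory.items() if public_read_statements(b["policy"])}

def _policy(principal):
    """Build a constructed single-statement read policy for the sample data."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Read", "Effect": "Allow", "Principal": principal,
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]})

# Constructed inventory: bucket names, policies and keys are made up.
INVENTORY = {
    "web-assets": {"policy": _policy("*"), "keys": ["index.html", "logo.png"]},
    "build-dump": {"policy": _policy({"AWS": "*"}),
                   "keys": ["app.tar.gz", "deploy/id_rsa", "config/.env"]},
    "backups": {"policy": _policy({"AWS": "arn:aws:iam::111122223333:root"}),
                "keys": ["db/credentials"]},
}

if __name__ == "__main__":
    for bucket, keys in audit(INVENTORY).items():
        print(bucket, "is public;", keys or "no sensitive-looking keys")
```

Statements that carry a Condition are skipped here and still need manual review, and the check reads only the bucket policy, not object ACLs or account-level public access settings.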
2. Data de-anonymization, and correlation
Lots of medical and financial data is shared between businesses. Often that data is anonymized. That is, scrubbed with all the personally identifiable information (PII) removed so it's impossible to figure out which human a particular data record belongs to.
"Well, that's the theory," said Skoudis. In reality, if you beg, borrow or steal enough data from many sources (including breaches), you can often correlate the data and figure out which person is described by financial or health data. It's not easy, because a lot of data and computation resources are required, but de-anonymization can be done, and used for identity theft or worse.
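An added example, not from the article: a pre-release check a data owner can run to measure how exposed a scrubbed dataset is to the correlation Skoudis describes, and how much coarsening the remaining fields reduces it. The column names, the choice of quasi-identifiers and every record are constructed assumptions.

```python
from collections import Counter

QUASI = ("zip", "birth_year", "sex")  # assumed quasi-identifier columns

def identity(row):
    return row

def coarsen(row):
    """Generalize: 3-digit zip prefix and birth decade."""
    return {**row, "zip": row["zip"][:3] + "**",
            "birth_year": row["birth_year"] // 10 * 10}

def key(row, generalize):
    g = generalize(row)
    return tuple(g[q] for q in QUASI)

def at_risk(released, k, generalize=identity):
    """Rows whose quasi-identifier combination appears fewer than k times."""
    sizes = Counter(key(r, generalize) for r in released)
    return [r for r in released if sizes[key(r, generalize)] < k]

def unique_links(released, auxiliary, generalize=identity):
    """Count released rows that pair with exactly one named auxiliary row."""
    rel = Counter(key(r, generalize) for r in released)
    aux = Counter(key(a, generalize) for a in auxiliary)
    return sum(1 for r in released
               if rel[key(r, generalize)] == 1 and aux[key(r, generalize)] == 1)

# Constructed "anonymized" release: names removed, quasi-identifiers kept.
RELEASED = [
    {"zip": "85001", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "85001", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "85004", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "85007", "birth_year": 1978, "sex": "M", "diagnosis": "migraine"},
    {"zip": "85016", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
    {"zip": "85018", "birth_year": 1994, "sex": "F", "diagnosis": "fracture"},
]
# Constructed second source that still carries names (e.g. a leaked list).
AUXILIARY = [
    {"name": "A. Example", "zip": "85004", "birth_year": 1975, "sex": "M"},
    {"name": "B. Example", "zip": "85016", "birth_year": 1990, "sex": "F"},
    {"name": "C. Example", "zip": "85001", "birth_year": 1961, "sex": "F"},
    {"name": "D. Example", "zip": "85001", "birth_year": 1961, "sex": "F"},
]

if __name__ == "__main__":
    for label, g in (("raw", identity), ("coarsened", coarsen)):
        print(label, "rows below k=2:", len(at_risk(RELEASED, 2, g)),
              "uniquely linkable:", unique_links(RELEASED, AUXILIARY, g))
```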
3. Monetizing compromised systems using cryptominers
Johannes Ullrich, who runs the SANS Internet Storm Center, said that hackers care about selling your stuff, like any other criminal. Some want to steal your data, including bank accounts, and sell that to other people, say on the Dark Web. A few years ago, hackers learned how to steal your data and sell it back to you, in the form of ransomware. And now, they're stealing your computer's processing power.
What's the processing power used for?
They're using your system for crypto-coin mining, the experts said. This became obvious earlier this year, he said, with a PeopleSoft breach where hackers installed a coin miner on thousands of servers – and never touched the PeopleSoft data. Meanwhile, since no data is touched or stolen, the hack could stay undetected for months, maybe years. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)
4. Hardware flaws
Meltdown and Spectre, which exploited flaws in microprocessor design, were not flukes, Ullrich said. Spectre and Meltdown allowed hostile programs to access other programs' memory. But other hacks can allow unintended code to execute on the microprocessor, or leak information from caches. (See In Wake of Spectre & Meltdown, Intel Shifts Memory Scanning to GPU.)
Ullrich warns against relying upon the hardware features of a system for security, and advises backing that up with robust software.
"Hardware has complexity issues. You have to think, how much can you trust your hardware, especially if you're depending on hardware features to separate processes," Ullrich said. If you can't trust hardware, he asks, who can you trust? Trust no one.
5. Exploitability in industrial control systems
Everyone running a power plant or a dam is probably kept awake by the ability of hackers to target, infiltrate and manipulate industrial controls -- like those which ran Iran's nuclear enrichment centrifuges, and which were successfully damaged by Stuxnet.
Attacks on industrial controls, including widely used Supervisory Control and Data Acquisition (SCADA) systems, are becoming more widespread. James Lyne, Head of R&D for SANS, is concerned that these systems rely upon obscurity and isolation for protection -- and may not have been robustly tested for flaws.
Perhaps it's only a matter of time before hackers use hijacked industrial control systems to turn things off, turn things on, damage things or worse. That's good stuff for your nightmares.
"How prepared are we?" asks Lyne.
Sweet dreams.
— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.