IP Expo: People don't understand that they are the target [video]

James Lyne, global head of security research at Sophos, says he is trying to understand why the average person thinks they are not a target for cyber-criminals and how to get that message across to them.

James Lyne at IP Expo 2016

Beyond wanting to steal their credit card details, most people don't understand why cyber-criminals would want to target them, but according to James Lyne at Sophos, the public needs to understand the threat in more detail in order to protect themselves.

“A focus for me in 2016 has been the issue that the average person doesn't really understand why they are valuable to cyber criminals,” Lyne told an audience at IP Expo this week. “They think, I'm not really that interesting. They understand why a credit card is useful but anything beyond that, the new types of data or new devices that we possess, people kind of struggle to understand why a cyber-criminal might care.”

He then went on to demonstrate with data from cyber-criminal trading websites that a username/password pair was worth between $US0.25 and $3 (20p and £2.30) – because of the propensity of people to reuse the same credentials on multiple sites.

News stories about super hackers from countries like Russia, China and elsewhere using very sophisticated malware to hack into systems distract users from the more prevalent, low-level hacking, which can later turn into something more targeted and tailored.

While Lyne specialises in reverse engineering sophisticated attack software, even he has to concede that the greatest threat comes from social engineering, which is becoming more sophisticated.

“There is a wealth of interesting new [hacking] techniques but we have seen a massive shift from cyber criminals in the use of social eng techniques. I talked about it a lot. But it's quite terrifying looking back over the past month how often these prolific ransomware campaigns are propagated through simplistic word-based malware, really simplistic snare around invoices and payments,” he said.

One of the things that attackers are interested in is your IOT devices. Everything from fridges and kettles to doorbells and electric plugs is being internet-enabled without the security you would expect from ubiquitous devices that sit on your home network.

Compromised IOT devices are becoming more of a problem and have been implicated in huge DDoS attacks such as the one that took security blogger Brian Krebs and the French firm OVH offline.

Typical flaws – which Lyne demonstrated by poking around in a “smart” plug – include hard-coded passwords, outdated encryption, poorly implemented encryption, incorrect certificate handling, broken versions of OpenSSL and more.

“The point is, while a lot of us are going on about IOT is bad, when you actually dig into these devices as a researcher and look there are some fundamental and quite scary weaknesses,” he said. “It's not hype, there are real problems.”

He added: “The only reason we haven't seen bigger attacks – Brian Krebs and his DDoS aside – is that attackers are only now choosing to be interested in them.”

Watch the video below to hear more from James Lyne.
