The year 2016 became the year of ransomware. What started as a new and emerging type of attack spread across the whole globe, including the Sri Lankan financial sector. FINCSIRT members were affected by most of the ransomware variants in circulation. At the same time, FINCSIRT was directly involved in responding to several of these incidents as they unfolded, and was therefore able to minimize damage that would otherwise have been inevitable. While this trend is not expected to slow down in the coming years, just as last year, there is another emerging threat that we need to watch for.
Internet of Things (IoT) is a term that was once loved by every techno geek, but now it automatically sends a chill through the audience. It all started with concepts like the smart home and the smart world, where the devices around us are interconnected to make our lives simpler and to help us make better-informed decisions in our day-to-day lives. Simple things like having our coffee brewed automatically as we wake up in the morning, or having our fridge reorder milk and essentials and have them delivered before we even realize we have run out. This is not science fiction anymore. Even though such products are not yet marketed directly in Sri Lanka, in countries like the USA they are already a reality. Amazon offers “Amazon Dash”, a simple button which, when pressed, automatically reorders the assigned goods from its store and has them delivered to the home. Some may think these are a long way off for Sri Lanka. Think again: such solutions are already being marketed to Sri Lankan customers and are widely used.
Now, what could go wrong with this dreamy reality? Sadly, as always, the developers of this new technology have not looked into the security of IoT at all. Some of the devices marketed right now lack even the most basic security requirements. Last year a renowned car manufacturer released its latest connected electric car (the Nissan Leaf) with a companion mobile app to control the car's features from your phone. This app was released with little to no security at all and was promptly hacked by a renowned security researcher. You might think we could protect our organizations simply by not adopting IoT devices at this stage, until proper security evaluations have been completed. Sadly, you cannot live in isolation. Because of the inherent lack of security in these devices, attackers are herding them into massive botnets and in turn using them for massive DDoS attacks. Last year we experienced one of the largest DDoS attacks in history, aimed at high-profile targets such as Netflix and Airbnb. This was the result of a massive IoT botnet built by malware called Mirai. It is therefore alarming to see these devices and solutions arriving at our doorstep in 2017 with no concern for security. But that’s the reality.
So what can we do today? To start with, we can educate the relevant parties in our organizations about the threat at hand, so that these technologies receive in-depth security reviews before they are adopted. Also, as a collective, we can push device manufacturers to build more security into their devices from the design phase rather than after production. And finally, we hope that the Sri Lankan financial sector will be able to face these attacks in 2017 and develop the resources required to stay ahead of the game.
As always, FINCSIRT will work to educate our members and stakeholders on these threats, and they are invited to work closely with us as a collective to face these new threats, so that everyone can “Be Aware and Be Secure”.