Security firm Verkada is investigating a massive hack said to have affected 150,000 of its security cameras. The company provides cameras to companies including carmaker Tesla, and the stolen footage included the insides of hospitals, schools, and businesses. Cybersecurity experts reacted to the news below.
<p>In this case, hackers used relatively unsophisticated methods to penetrate Verkada’s systems. However, it illustrates that this attack could have been prevented by using zero trust techniques like multi-factor authentication, which requires more than a simple username and password to gain access. Moreover, this attack spotlights the extent of resources that can be exfiltrated if an attack is successful – not only nearly 150,000 camera feeds, but records of 24,000 Verkada customers, and Verkada company records and financial statements. It is imperative that organizations deploy zero trust mechanisms today to reduce the chance of unauthorized network access.</p>
<p>While this breach is related to IoT security cameras, it underscores the importance of protecting and managing multimedia content (photos, videos, audio recordings) that employees capture. This is especially critical when it comes to mobile devices; the photos and videos captured on the job are often left unprotected and outside the sphere of IT control.</p>
<p>Every computer system in the cloud has one major weakness. The password to access the accounts that matter most. In the case of Verkada, they are holding data that has the most public shock factor, video surveillance. Everyone will be wondering what the impact is on them personally along with the companies directly affected. What did Verkada do wrong? Well, they allegedly didn’t have control over the one account that they needed to. It is possible that the account wasn’t monitored and that the password wasn’t regularly changed on a rotation basis. But the biggest error was underestimating the power of one single account to undo their business and grant access to everyone’s data. At the very least, there should have been some form of multifactor authentication to protect the account. Whenever anyone accessed it, they would have to prove that they were who they said they were. Simple, cheap and effective as a first line of defence.</p> <p>Once a hacker is inside, however, there is little to stop them without further controls. Locking away the password completely in a vault is one solution and the admins have to “break glass” to get it out, or even better just offer the admins a session on their screen that they can use without ever knowing a password. Therefore, there is nothing to hack as no one knows the password and it will be encrypted in a deeply secured vault.</p> <p>Password vault and session management systems like this are almost mandatory in today’s GDPR-defined landscape and there is no excuse for ignorance. This exact scenario has been widely documented and even seen in modern fiction (“Invasion of Privacy” – Ian Sutherland). It isn’t that video surveillance companies that store their data in the cloud are easy to break; I feel it has much more impact on the public. Anyone that stores their data on the internet has to expect their security to be tested at some point. You cannot keep your head in the sand and take the risk any more, as fines and repercussions have real teeth.</p> <p>Access to the video data is one thing but the hackers won’t be able to use Verkada’s code to run facial recognition against it unless they had access to the client software. However, with that said, any data stored about personnel that have been recognised and then documented may be fair game.</p> <p>How many people haven’t changed their home systems’ passwords? Ring, Nest, etc. doorbells? All with facial recognition and all much more personal and close to home and all potential targets. I bet everyone will change their own passwords after reading stories like this. As we’ve seen, that is only half the story; if the back-end systems aren’t maintained and using mechanisms, as above, to protect the master and super user passwords then it’s in vain.</p>
<p>The reports of the hacktivist breach of more than 150,000 surveillance cameras used inside Tesla’s warehouses, police stations, jails and hospitals around the world are a reminder that even though recent nation-state cyber attacks on SolarWinds and Microsoft Exchange Servers are garnering headlines, hacktivist groups are still players in the global cyber ecosystem. This isn’t a one-time breach as this international group of hacktivists has claimed responsibility for other breaches in the past. It makes no difference if the motives of any threat actor are social, political or financial in nature, when crimes are committed and laws broken. It is also a reminder of how vast the threat landscape is. This breach appears to have been preventable if the administrator’s username and password weren’t exposed on the Internet. Preventative medicine starts when user credentials are frequently updated and security awareness training is regularly offered. Today, there are more than 1 billion surveillance cameras in use around the world and security is an afterthought in many of them, resulting in spying and unlawful monitoring of unsuspecting victims.</p>
<p>The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard-coded passwords that are rarely, if ever, changed by the customer.</p> <p>While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact. And while Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed.</p> <p>“Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”</p>