third Cyber Security Assessment Netherlands - NCSC
An attacker can abuse devices linked to the internet in a number of ways:
»» Direct abuse of processing capacity, connectivity and bandwidth: an attacker can take over systems and then make them part of a botnet. Botnets such as these can be used for many dishonest purposes.
»» Abuse as a stepping stone: from a system he has taken over, an attacker can crawl and attack other systems.
»» Steal (confidential) personal or business data: an attacker can steal sensitive data that is stored on the system (e-mail, documents, databases).
»» Profiling of personal behaviour: an attacker can collate details of a user’s behaviour from the device (location details, websites visited, purchases made). Abuse of this information is of interest for targeted attacks.
»» Detecting and stealing personal identity: an attacker pretends to be someone else (spoofing) and uses this to his benefit. An attacker can also find out a user’s identity under a pseudonym and abuse this (doxing).
»» Stealing credentials for access to services: an attacker can capture the user’s identification details (account name, password, access code, cryptographic key) and use these to access the user’s services (web services, e-mail, cloud services, internet shops, banks) and send messages or complete transactions.
»» Denial of service, sabotage: an attacker can sabotage the device and cause harm.
| | Direct abuse | Stepping stone | Data theft | Profiling | Identity theft | Credentials theft | Denial of Service |
| Consumer computer devices | Practice | Practice | Practice | Practice a | Practice | Practice | Practice |
| Consumer network devices | Practice b | Practice | Practice | Theory | PoC | Practice | Practice |
| Mobile consumer devices | Theory Practice | PoC / Practice c | Practice | Practice | Theory | Practice | - |
| Fixed consumer devices | Theory | Theory | - | PoC d | - | - | Theory |
| Fixed technical and business devices | PoC e | Practice | Theory | - | - | Practice | PoC |
| Mobile technical devices | - | - | - | PoC f | - | - | PoC |
Table 6. Matrix of abuse potential per category of device
a) Consumer computer devices such as laptops and PCs generally do not have a location sensor. However, the user can be profiled using cookies, the IP address and by using location software such as Google Maps.
b) Consumer routers require attention with respect to security. This was the warning the Consumers’ Association gave to its members at the beginning of this year, alerting them to easily cracked router passwords. [146]
c) Previously refuted rumours of a botnet on mobile devices were later confirmed by the BBC. [147] There was further speculation from McAfee Labs [22: McAfee 2013-2] concerning a Near Field Communication (NFC) worm.
d) In part following on from alleged large-scale electricity meter fraud, the European network security organisation ENISA issued a report in May 2012 on the security of electricity networks. [9: ENISA 2012]
e) As far back as 2010, Barnaby Jack demonstrated at the Black Hat security conference that cash machines were vulnerable to abuse. Abusing technical vulnerabilities would allow large amounts of money to be obtained. [148]
f) During the RSA security conference in 2012 in San Francisco, a security investigator demonstrated that a wireless insulin pump could be abused remotely to administer a lethal dose of insulin. [149]
146 Consumentenbond, Actueel, (3 January 2013), http://www.consumentenbond.nl/actueel/nieuws/nieuwsoverzicht-2013/Half-miljoen-wifi-routers-lek/
147 BBC news, China mobile users warned about large botnet threat, (15 January 2013), http://www.bbc.co.uk/news/technology-21026667
148 Wired Threat Level, (July 2010), Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference, http://www.wired.com/threatlevel/2010/07/atms-jackpotted/ and IT SECURITY BLOG, (August 2012), Exploiting ATMs: a quick overview of recent hacks, http://security.blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/
149 Bloomberg Tech Blog, (29 February 2012), Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device.