June 10, 2019

Security researchers from hardware wallet company Ledger have discovered a vulnerability in the specialised hardware security modules (HSMs) IT teams use to protect sensitive information.

HSMs are network devices that use advanced cryptography to store and secure sensitive data such as passwords, PINs, and digital keys.

They are commonly used in environments where the highest level of security is required: government agencies, cryptocurrency exchanges, telecommunications firms, and financial institutions.

They can take the form of add-in computer cards, network-connectable appliances, or small portable devices resembling USB thumb drives.

The vulnerabilities discovered by Ledger would enable an unauthenticated remote user to take full control of at least one major vendor’s flagship HSM product.

Once control has been gained, a new infected version of the device’s firmware can be uploaded and installed. It leaves a persistent backdoor open for cybercriminals – even if the firmware is updated again later.

We’ve said it before

And we’ll say it again. Total reliance on cybertechnology to keep an organisation’s systems and information in lock down is a recipe for failure.

A few weeks ago we reported that three of the world’s biggest anti-virus companies were themselves victims of a major breach.

A criminal gang infiltrated the firms and took source code for new anti-virus and other software products – then put it up for auction to the highest-bidding hacker.

They took sensitive source code from antivirus software, AI, and security plugins, then ‘reviewed’ the capabilities of each company’s new software for potential buyers – even making assessments about its likely effectiveness.

The group claimed to have hoarded 30 TB of stolen data, roughly equal to all the video uploaded to YouTube on a normal day.

This is hugely embarrassing for any anti-virus firm, which probably explains why the three companies named have either only reluctantly admitted to the breach or denied it outright.

Why cyber needs a human edge

Cybersecurity devices – hacked.

Cybersecurity vendors – hacked.

Against such a determined and ingenious opponent, technology on its own can’t give us much of an edge.

Finding a backdoor into the devices used to better secure supposedly secure systems is an escalation in the battle, but it’s only the latest one.

  • Two of the UK’s major police services have had their systems and data compromised this year.
  • Well-known brands like Equifax, Amazon, and Uber have all been breached in the last few years.
  • Facebook – with tens of millions available for cyber defence and due diligence – almost routinely loses data, or shares it recklessly with third parties.

And then there was the attack on networking equipment giant Citrix, where hackers had been regularly accessing the company’s network for months before being found out.

From technical exploits to poor processes and human error, all companies have weaknesses that can make them vulnerable to breach – they just haven’t been found yet.

Sometimes the vulnerability lives in the technology we use every day — something unforeseen at the time of manufacture. Other times it’s down to people.

Either way, it’s not a matter of ‘if’ you’ll be breached. It’s a matter of when.

A programme of security awareness training can strengthen that human layer by switching everyone in the organisation on to the risk of attack, whether from a dodgy firmware update, a phishing email, or a botnet infection.

With better training and education, staff can help spot the signs of a breach, and avoid enabling one through misadventure and error.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.