Know what vulnerabilities and fix them?
Sensitive data is available for download due to misconfiguration. Encrypted connections are not necessarily secure. Consumer electronics, networked storage and home automation systems can be accessed directly on the Internet with little or no security measures. These are some of the problems revealed by this year's Swiss Vulnerability Report.
For the fourth time, First Security Technology AG (FST) publishes the Swiss Vulnerability Report (SVR). The annual report to learn more about the security of the Swiss Internet landscape. FST is the Swiss manufacturer of IT vulnerability analysis systems.
Reports of hacked companies are increasing dramatically and do not seem to have reached their peak yet. No industry is safe from this and supposedly well-protected companies are affected just as much as smaller companies, which think that nothing can be taken from them. Cyber criminals, as well as intelligence agencies, exploit vulnerabilities to successfully break into IT systems and misuse data. The first thing that comes to mind when thinking about vulnerabilities is that of the software manufacturer. Incorrect configuration of IT systems, for example by using no or standard passwords or offering services that one is not aware of, occurs more often than first suspected.
Passwords challenge
Offered services and data are mostly protected with usernames and passwords. If these services do not offer any vulnerabilities to bypass authorization, it is at most as secure as the chosen password. In the case of FTP, it was checked how many of them allow a login without a password. At over 2,600, equivalent to 4.2%, this is possible and most offer this unintentionally because they did not configure their systems properly. It is estimated that over 10% of these systems contain sensitive data such as backups, customer data, internal documents and even tax returns. Malware also spreads via such unprotected file repositories by storing itself there and waiting to be opened.
The usual suspects are web and email
Web services are by far the most frequently offered services. The number of HTTPS services has increased this year. The encrypted variant can be found over 225,000 times on the Swiss Internet. In contrast, the unencrypted variant has decreased to less than 180,000. This is a clear trend to make connections over the Internet more secure through encryption. Security awareness has also made its way into databases. Far fewer databases can now be accessed directly from the Internet
Not all encryption is created equal
The last two years have shown that there are a number of vulnerabilities in SSL and TLS encryption, some with serious consequences. There are still 78,000 servers vulnerable on Poodle and 25,000 on Freak. In over 26,000 services, the private key can be read using the Drown attack. By additionally measuring the multiple use of the same certificates on different services and servers, it quickly becomes clear that by exploiting Drown, the keys are available to decrypt encryption that is currently considered unbreakable.
Consumer electronics etc. also used by companies
The visibility of consumer electronics and NAS has increased by quite a bit. These systems were usually not developed with security in mind. Such devices as smart TVs are increasingly found in companies and provide a gateway if they can be accessed directly from the Internet. It's a similar story with home automation systems. Many of these are visible and not protected enough.
Press release First Security Technology, Chur
