Editorial
A price on data, life without patches, and full metal hacking
Positive Research is a journal for those who care about technology and have a feeling for what's ahead, with an understanding of the enormous responsibility imposed on us by our digital reality. Everyone shoulders this responsibility, whether as consumers or creators of digital products.
We have worked to pack this issue with the latest and most insightful analysis, plus original security research.
Latest cyberthreats
Over the last year, our experts observed an increase in data theft attacks, growing use of social engineering for malware distribution, and development of illicit dark web services. Get our take on the most important cyberthreats, related trends, and near-term forecasts on page 14.
Forever day
Most hackers don't care about prizes for originality. Why look for zero-day vulnerabilities when potential victims use millions of devices with vulnerabilities that are already known and easy to exploit? This is especially true when manufacturers stop releasing updates for their products. Is the unpatched life worth living? See page 40 for the details.
ICS: time to dust off the cobwebs
Last year was eventful for ICS security. Incidents involved the Triton cyberweapon, as well as the WannaCry virus used against Boeing and Taiwan Semiconductor Manufacturing Company plants. Although the attacks targeted IT infrastructure, their consequences also affected operational technology used for production. This goes to show that attackers do not always need specific knowledge about a target's operations in order to disrupt them. To learn about known vulnerabilities in ICS components and how commonly they are found online, see page 48.
For the love of money
Card payments are increasingly accepted everywhere, and mobile point-of-sale terminals have propelled this growth. What are the security implications of this phenomenon? And what are the risks associated with continued reliance on old technologies? For answers, jump to page 110.
Detecting web attacks
The attack detection industry has been churning out products for years. Methods vary, but most products work by matching attacks to certain rules. Application security experts at Positive Technologies sought a method for detecting attacks that would sort out the good from the bad as if by magic. Their hope was to avoid the risks associated with human error, which arise when operators have to decide manually what is (or isn't) a sign of an attack. So our experts designed a method for detecting web application attacks using neural networks (page 130).
Full metal hacking
Even now, many people think that the only way to rob an ATM involves the brutest of brute force: pulling up in a pickup, attaching a hook, and pushing hard on the gas pedal, before savaging the ATM with a circular saw, crowbar, and welding kit... But there are some other ways. See attack scenarios involving ATMs on page 84. For those who love low-level nitty-gritty, our experts explain more about ATM hacking on page 160.
Finding Neutrino
In August 2018, our experts started to record mass scans of phpMyAdmin systems. These incidents became a jumping-off point for our investigation. Our experts gradually uncovered the whole chain of events, discovering a major malicious campaign that had started back in 2013! For the full scoop, see page 198.
Facing facial recognition
Biometrics are everywhere. We unlock gadgets by showing our faces. Banks are testing facial recognition on ATMs. Networked security cameras, hooked into facial recognition systems for law enforcement's benefit, are helping to catch criminals. You can use your face to log in to services and confirm payments. And this is only the beginning. Our faces may well replace ID, business cards, and credit cards. But is this technology secure? To read about how we tried to outwit facial recognition and where this got us, flip to page 244.