ITP Techblog

Brought to you by IT Professionals NZ
« Back to Home

Kiwicon and CERT - New Zealand goes cyber

Paul Brislen, Editor. 14 December 2015, 6:59 am

Kiwicon, New Zealand's best known and possibly only computer security conference, has just wrapped up in Wellington producing the usual array of eyebrow raising concerns, this year taking a close look at the impending Internet of Things (IoT) and whether putting your coffee machine on the internet is a good thing from a security point of view.

The short version is: probably not.

Coffee machines aside, the most alarming suggestion surrounds a popular cheap car tracking and immobilisation gadget.

Kiwi hacker Lachlan Temple has found a security flaw that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles. The flaws allow attackers who log into any account - including a universal demonstration account - to gain access without needing a password.

The units, from Chinese company ThinkRace, are also used in children's watches sold by ThinkRace which could potentially contain the same flaws allowing users to be tracked and, via the microphone capability, listened to.

"You just brute force everyone account, you can increment each one," Temple told The Register.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."

Meanwhile in Auckland the government has announced the launch of its new initiative, the Computer Emergency Response Team (CERT).

Tasked with being the first port of call when cyber-trouble strikes, CERT is to be a public-private partnership that will ensure "New Zealanders are safe, resilient and prosperous online".

According to the government's press release "56 per cent of New Zealand businesses experience an information technology security attack at least once a year and only 65 per cent of businesses are confident that their IT security systems are effective".

CERT is not the first time the government has had a look at working with business to thwart cyber-villains. In 2001 the government of the day launched the Centre for Critical Infrastructure Protection (CCIP) which was later subsumed into the GCSB. Since then the government has also launched the New Zealand National Cyber Security Centre and the New Zealand Police has maintained its e-crimes lab for many years.

One of the biggest problems the police have faced is hacked corporates erasing all evidence in their rush to repair the damage. Generally the police aren't called in until after the servers have been wiped/patched/upgraded/taken offline/put back online and so on. Any evidence has been trampled on in the process.

The government hopes the new CERT team will be able to engage with the victims of cyber-crime and help catch the cyber-ratbags in the process.


You must be logged in in order to post comments. Log In

Web Development by The Logic Studio