In this week’s episode (#110): the second major flaw in Apache Struts 2 in as many years has put the information security community on alert. But is this vulnerability as serious as the last, which resulted in the hack of the firm Equifax? We talk with an expert from the firm Synopsys. And: we’ve heard a lot about the risk of cyber attacks on the critical infrastructure used to generate and distribute electricity. But what would happen if someone figured out how to hack electricity demand? The Internet of Things just might make that possible. We talk to a Princeton University researcher behind a paper that discusses how even small changes in demand can have big consequences for the grid.
Struts 2: why this is bigger than a patch
Last week brought us news of yet another remotely exploitable vulnerability in Apache Struts 2, the open source framework that powers many modern web applications. This is the second major flaw in Struts 2 in as many years and has put the information security community on alert. A similar flaw in Struts in 2017 was weaponized by cybercriminals and used to hack into high profile organizations including Equifax.
The alarm bells about another round of Struts-focused attacks rang louder over the weekend, after a proof of concept exploit for the hole was discovered on the open source code repository known as GitHub. But is the newly discovered vulnerability as serious as the 2017 flaw that led to the Equifax hack? The security community is of two minds about that.
To understand better what the latest Struts 2 vulnerability is all about, we invited Tim Mackey of Synopsys into the studio to talk about it. Tim is a technology evangelist in Synopsys Software Integrity Group and authored an excellent analysis of the latest Apache Struts vulnerabilities, which you can read here.
In the first part of our podcast, Tim and I talk about what’s behind the latest vulnerability and why patching this hole is just the beginning of the work that application development shops need to do to harden their applications against attacks.
Hacking Electricity Demand with IoT
As smart homes and businesses take root, more and more power-hungry appliances are being connected to the Internet. Already, products like air conditioners and HVAC systems, water heaters and kitchen appliances sport IP addresses and web-based interfaces that allow their owners to monitor and control them from a distance. But what if all those power-hungry devices could also be compromised and – like the hundreds of thousands of webcams and video recorders that made up the Mirai botnet – made to do the bidding of a malicious actor?
According to our next guest, one consequence might be a serious stress test for the electrical grid. Saleh Soltan is a researcher and graduate student at Princeton University. He’s a co-author of a new research paper, BlackIoT, that studied the question of whether botnets of “high wattage” devices could be used to disrupt power grids (PDF).
In this conversation with The Security Ledger, Soltan talks about his research and his team’s discovery that botnets of power-hungry devices really could pose a threat to the stability of the electric grid and why the threshold for causing disruption is lower than many people assume.
To start off I asked Saleh to talk about how he came to look at the link between IoT insecurity and the grid.