9b Flashcards
(21 cards)
Front
Back
What is a common challenge for modern software developers regarding security?
Security is often deprioritized behind performance and flexibility—until something goes wrong, making it suddenly critical.
What major risk do insecure IoT systems pose?
They often use weak security designs and outdated components, leading to vulnerabilities like those found in hospital robots and transport systems.
What was the issue with Aethon TUG hospital robots?
Unauthenticated attackers could retrieve hashed user credentials via HTTP GET requests, and the MD5 hashes used were easy to brute-force.
What makes MD5 unsuitable for password hashing?
It is vulnerable to birthday attacks and collisions, and was formally declared unsuitable by 2008.
What types of cyberattack motivations exist?
Financial (e.g. ransomware), ideological (e.g. nation-state), curious or revenge-driven individuals, and opportunists.
What example shows financially motivated attacks beyond ransom?
The Norsk Hydro attackers may have been speculating on aluminium prices.
What is a surprising real-world hack mentioned in the slides?
A Polish teen used a modified TV remote to change tram tracks, showing that a low-skill attack can still have a major impact.
Why are mobile/pervasive systems especially vulnerable?
They are often built by engineers without security backgrounds, using commodity components and minimal oversight.
What makes complex transport systems a cybersecurity concern?
They can contain thousands of Linux systems and millions of lines of code, increasing attack surface and difficulty of updates.
What is the OWASP Mobile Top 10 vulnerability M1?
Improper credential usage, especially hardcoded credentials, which are common and easy to exploit.
What is the OWASP Mobile Top 10 vulnerability M2?
Inadequate supply chain security—developers failing to vet third-party components or allowing malicious updates.
What is M3 in OWASP Mobile Top 10?
Insecure authentication/authorization—such as assuming backend requests are always from valid users.
What is M4 in OWASP Mobile Top 10?
Insufficient input/output validation—often underestimated but very common, enabling attacks like SQL injection.
What is M5 in OWASP Mobile Top 10?
Insecure communication—such as failing to inspect TLS certificates, making apps vulnerable to man-in-the-middle attacks.
What is M6 in OWASP Mobile Top 10?
Inadequate privacy controls—like logging personal data or storing credentials in logs, as Facebook once did.
What is M7 in OWASP Mobile Top 10?
Insufficient binary protection—allowing reverse engineering or theft of proprietary AI models in apps.
What is M8 in OWASP Mobile Top 10?
Security misconfiguration—like default passwords, excessive permissions, or enabling debugging in production.
What is M9 in OWASP Mobile Top 10?
Insecure data storage—storing sensitive data on mobile devices insecurely, with high risk if the device is lost.
What is M10 in OWASP Mobile Top 10?
Insufficient cryptography—e.g., Sony’s ECDSA bug where non-random keys allowed attackers to extract the private key.
What did the Colonial Pipeline attack reveal?
The ransomware attack halted critical infrastructure, prompting operational shutdowns and emergency declarations across multiple states.