Hacking Baby Monitors

Only at Defcon.  There was a session on hacking baby monitors.  When my kids were little, a baby monitor would allow me to listen to my baby from at most a hundred feet away.  Now baby monitors allow me to see and listen to my baby from anywhere on the planet where I have a smartphone and an internet connection.  Not only that, but I can talk to my baby using that same software on my smartphone.

It seems to me that the old fashioned baby monitor was safer and apparently, it was.

We have already seen cases where pervs have looped into those baby monitors and watched mom and/or dad and baby and in some cases, even talked to the baby.  Think about what someone might see.  That’s creepy.

When your security cameras are outside your house then I am less concerned about someone watching those cameras – and, yes, I know, there are plenty of problems with that scenario.

When the security camera is inside your house, you have a whole different problem.

In addition, if the monitors are vulnerable, potentially, so are any other computers on the same network in your house.

Some of the baby monitors had hard coded userids and passwords (and even if they don’t, many people won’t change the default password).

Others had web servers in the camera that were vulnerable.

Still others allowed for non encrypted transmission of the traffic.

And, others had public web sites that broker access to your camera that were vulnerable.

All of the vendors were notified as was the CERT.

One vendor, Philips, quickly provided a timeline for a fix (September 4) even though they are no longer responsible for these devices – they are being managed by Gibson Innovations.

Likely other vendors aren’t going to respond as quickly or positively.

More importantly, how many parents will patch their baby monitors – if they even have a clue how to do that?  How do you know that you need to patch your baby monitor?  I bet many monitors are not designed to allow parents to patch the code at all.

Assuming Internet of Things vendors don’t want to get dragged into messy lawsuits, they better start thinking about how they are going to patch the millions or billions of IoT devices that will be out there in the upcoming decades.

And, they will need to patch them for years.  Just because you came out with a new model next year does not mean that you don’t need to patch the old model any more.

I suspect that plaintiffs lawyers are going to use product liability and lemon laws against vendors that do not fix security holes quickly and without complaining.

Something to ponder whether you are buying or selling IoT devices.

Information for this post came from Rapid7.


Boards Still Not On Board With Cyber Security

Price Waterhouse surveyed 500 business executives, law enforcement services and government agencies and here are some of the results:

  • 28 percent say that their security leaders make NO presentations to the board ever
  • 26 percent say that their boards receive a single security presentation per year.

Neither of these answers warms my heart, but they don’t surprise either.

That means that only a third of the boards receive regular (typically quarterly) updates on cyber risk.

One third of the respondents from small companies and 18% of the security leaders at large companies say they never present to their boards (this is the opposite view of the numbers above – what the CISOs say vs. what the boards say).

  • Only 42% of the respondents view cyber security as a corporate governance issue.  I guess when the rest of their companies are breached and they have to spend millions of dollars to deal with it, that won’t be a corporate governance issue either.  I guess.
  • 30 percent say that no board members or committees are involved in cyber security.  That means that 70% have some form of involvement.

What all this tells me is that information risk folks still have some room to go to explain to boards why they should care.

Recently, we had 3 CEOs or executives in similar roles who lost their jobs over breaches (Sony, Target and Ashley Madison).  That certainly is a board issue.

Costs of dealing with breaches run from a million dollars on the very low end to several hundred million dollars on the high end.  Either expense should be one that boards are concerned about.

And then there is reputation.  Whether you are in retail (Target), government (OPM) or healthcare (Anthem) to name a few, when people are asked about these companies, what they remember is that they were breached.

That is great brand recognition, but for the wrong reason.

This does not mean that we should hang up our security cleats and go out and get drunk.

Rather it means that we need to continue to educate boards so that they understand that it is a governance issue and that if they ignore it, so will their CEOs.

The education needs to be in business terms because – IT RISK IS BUSINESS RISK.  If you present it in any other context, you are highly unlikely to be listened to.  What is the impact of a breach on sales, fines, litigation, brand reputation and distraction of key executives?  These are things that board members can understand.  Do not tell them about the number of malware laced emails that you stopped – they don’t really care.

Just my two cents.
Information for this post came from CSO Online.


OPM Awards Contract For ID Protection From Second Breach

There are reports in the news that Identity Theft Guard Solutions won the contract to offer identity theft protection for the 21.5 million victims of the second OPM breach.

This is 90 days after the breach was disclosed.  It is unclear how long it will be before people get letters and have the ability to sign up with this company.

If this was a private company that had been breached, people would be screaming about this.  The government usually gets a free pass because it is hard to sue the government.

The contract will cost us, the taxpayers, between $133 million and $329 million over 3 years, depending on the options (power windows, maybe; the news is not reporting the details).

This is separate from the $500 million contract request posted by the GSA to prepare for future breaches.

The lack of preparation by the OPM (and many private companies) is the cause of the delay in notifying breach victims.  Any business executive watching this who does not have an incident response plan already approved might use this as a lesson.

Earlier, OPM had said that they expected the winner to start sending out letters within a week, but that it would take a couple of months to get all the letters sent out.

This means that it could be Thanksgiving or Christmas before breach victims get the official notification letter.  Merry Christmas.  If it does wind up taking 6 months after the breach was announced to just get the letters out, I suspect that may spark some interest in lawsuits.

This, of course, has nothing to do with the issue that credit monitoring will do nothing to protect you from, say, a blackmailer who has your entire criminal record or mental health history as disclosed on the forms that the government was supposed to protect.

Also, it is certainly possible that there will be a protest of the contract award – that is fairly common in federal contract awards.

Stay tuned for the next chapter.

Information for this post came from the Washington Times.
