Tag Archives: IoT

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines), CISA says that there was a loss of revenue to the company. The article provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customer’s Ring video cameras where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other competitors turned on two factor authentication years ago, Amazon didn’t, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions and now, the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up n the 20th anniversary of 9-11 and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID compliant IDs in the last 19 years, is this really a critical problem? Better off to have a Real ID compliant ID card and not have to argue the point. Source: MSN

Sex Works

One more time Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women such as this one.

View image on Twitter

Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last Week, IBM cancelled their attendance and booth at RSA in San Francisco. This week their cancellations were joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similiar to California’s existing IoT law and calls it strong security.  What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all and it doesn’t say how over the manufacturer will provide security updates.  It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet.  Source: The UK Gov web site.

 

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing it’s managed service provider (MSP) for messing up.  The fake invoices came from the business owner’s hacked email account which the MSP was supposed to protect.  Source: Channel Futures

 

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online.  They are still saying that it won’t impact their 2019 or 2020 financials.  Sources say that part of the losses will be covered by insurance.  This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance.  Source: Reuters

 

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations according to multiple sources.  They often turn over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy and in many ways they do, sometimes they make business decisions that they would prefer their customers not  know about.  Source: Reuters

 

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips.  Stay tuned;  it is a long journey.  Source: The L.A. TimesFacebooktwitterredditlinkedinmailby feather

Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities together called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and from there, the patient information.

CISA rates vulnerabilities on a 1 to 10 scale with 10 being the scariest.  FIVE OUT OF SIX of the vulnerabilities were rated 10.  The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”.  In the mean time, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive and Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet.  The workstation line was launched in 2007, well before anyone worried about the Internet of Things and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, whether patches are even available.  This includes what libraries were used by the developers.  An old unsupported library is the source of one of the vulnerabilities above
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.

At least this is a start.

 

Source: ZDNet Dark ReadingFacebooktwitterredditlinkedinmailby feather

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google and others ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.ComFacebooktwitterredditlinkedinmailby feather

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.

 

National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors says it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.

 

Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week

 

Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court  has ruled Customs and ICE Need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, over course, the complete opposite of what Customers and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register

 

Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.Facebooktwitterredditlinkedinmailby feather

The Internet of Things is Still a Privacy Dumpster Fire

No, not literally, but close.

Image result for dumpster fire

Researchers investigated 81 Internet of Things (IoT) devices like smart TVs or security cameras.

The researchers ran 34,000+ experiments and found that 72 of those devices contacted someone other than the manufacturer.  For example, almost all of the TVs contacted Netflix, even if you don’t have a Netflix account.  For the most part, the manufacturers do not tell you who they are talking to.

Much of the data is sent unencrypted, so anyone listening to the traffic can see what is being sent.

Vizio got caught at it (collecting and selling your data) and paid a small fine ($17 million), so they figure the risk is low.

Since most of these devices have horrible security, they are easy to hack.  That fact has not been lost on the intelligence community in both friendly and not so friendly countries.  That makes your smart devices extra smart – they are a listening post for the good guys and the bad guys.

For example, one camera talked to 52  unique IP addresses and one TV talked to 30 different locations.

This data is aggregated with other data to build profiles – where do you live plus where do you work plus how much do you make plus what are your TV habits.   You get the idea.

Companies sell these datasets.  For anyone in the United States they might be able to produce 2,000 to 3,000 different pieces of information.

Obviously, if the device has a camera or microphone, that adds more data to the mix.

If that camera is on the same network as your computer is and if your smart camera gets hacked, it is certainly possible that an attacker could use that camera to attack your computer.  Actually, that is not far fetched at all – it has already happened.

So what can you do?

The easy answer, of course, is to ask if you really need that smart refrigerator or microwave.  If you don’t, then do get that model.  The dumb model is probably cheaper anyway.

Sometimes you can’t find a dumb device.  That doesn’t mean that you MUST connect that device to the Internet if you don’t need those features.

Finally, if you are going to make that device smart, then isolate it from the rest of your network.  Depending on what you are trying to accomplish, that can be hard, however,   Often times you want that smart device to interact with your phone or your computer.  Building rules that allows that data to travel in one direction.

I am not counting on smart devices actually getting smart until there are laws that either force the issue or change the economics.  GDPR is changing the economics of privacy in Europe.  British Airways, for example, just got hit with a $200 million fine.  A few of those and your average CEO is going to think differently about privacy.   Those laws have already started coming, but it will be at least a few years before they cause manufacturers to change their habits.  Source: Motherboard.Facebooktwitterredditlinkedinmailby feather