Tag Archives: IoT

The Strategy is “Wait to get Hacked and then Panic”

As millions upon millions of IoT and Industrial IoT devices get deployed every month, we seem to have forgotten what we learned the hard way about our computers: if we don’t patch them, the hackers will invade.

#1: A set of bugs called Urgent/11 affected a network module that has been around since the 90s and is in use by a couple hundred million IoT and IIoT devices. No important devices, just ones that control factories and hospitals. While the vendor released a patch for the bugs, this software is buried deep in systems where the hospitals and factories have no clue it even exists and the vendor that they bought the system from stopped patching it – if they ever did – years or decades ago. As a result, millions of devices – possibly as many as 97% of the affected devices – are still not patched and likely never will be. Credit: Threatpost

#2: Amnesia 33 is another set of bugs, again in networking software. This time the software is open source meaning there is no vendor to go to for patches. The researchers have already identified over 150 vendors who used the software at some time. Again this affects millions and millions of devices like cameras, badge readers and factory equipment. And again, most of these devices will never be patched. Credit: ZDNet

#3 is the Ripple20 family of bugs. This family of 19 bugs was discovered earlier this year. It affects, again, a networking software module that is used in IoT and IIoT devices. Again, the vendor has released patches but most devices will never be patched. The number of impacted devices is estimated to be “in the hundreds of millions”. Credit: ZDNet

The number of devices affected by these bugs is not much of a surprise given the estimate of 75 billion connected devices by 2025.

Given that software licenses provide a “get out of jail free” card to software companies, there is no reason to expect this is going to change any time soon.

Unless, maybe, we have an attack similar to this week’s SolarWinds announcement, which may have compromised the information of as many as 18,000 businesses and government agencies (I can just hear the class action attorneys jumping for joy).

In this case, a lot of sensitive information will be analyzed in Moscow and used against us for decades. The good news is that these organizations will close the hole. Granted it is after the horse is out of the barn and the barn burned down, but it will get closed.

But what if North Korea decides to use these IoT bugs to, say, blow up factories. After all, the Russians blew up an oil pipeline in Ukraine a few years ago because they were mad at the Ukrainian government. This is not so far-fetched.

Or maybe the Chinese will decide to, say, turn off all of the ventilation in hundreds of hospitals. Or worse. Certainly possible.

That probably (hopefully? maybe?) keeps the folks that run these businesses up at night and may cause them to do something about it.

But when it comes to consumers, to be honest, all they care about is the price and whether it does what they want it to do.

Until it damages their home or apartment or car. By the way, insurance likely does not cover this sort of damage – ask your agent. So if a nation state decides to launch an attack on the consumer base and it damages your car or home or apartment, you may be facing a large bill.

There is no simple answer, but a start is making sure that your vendor is going to patch your device FOR AS LONG AS YOU PLAN TO OWN IT (note that a one-year warranty is not terribly useful for an appliance that you plan to keep for, say, ten years).

Something to consider before falling in love with that bright, shiny new IoT thingee. I just bought a new washing machine. It comes with an app for my phone. So that I can start the washer remotely. Really? Do I need that? Nope, not going to connect it.

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking our hospitals and research facilities that are looking for cures and vaccines for Covid-19. That should not be much of a surprise since China has always opted for stealing solutions vs. figuring them out themselves. At least at this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also steal information on their neighbor’s lies about their death toll. Credit: Reuters

Finally, South Korea’s DarkHotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in one attack. Five is a massive arsenal to use in one attack, since zero-days are hard to find (or at least we think they are; since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says that they have reports on coordinated attacks on their wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do but disconnecting from the Internet likely makes companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath, when the fewest people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the office of the customer and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what employees do. Even the NSA seems to have trouble with reports of their analysts sharing salacious images that they come across.

In fact, the “insider threat” problem, as it is referred to, is a really difficult problem to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10-K, 10-Q and other SEC filings. Companies only have to list items that have the potential to be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already put ransomware on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. 1 in 6 (16%) Americans don’t even have a smartphone. For the high-risk group, those over 65, only 50% have smartphones, and for those over 75, it is even less.

Resistance is higher among Republicans and those that think they are at lower risk. Only 17% of all smartphone owners said they would definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able to run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines), but CISA says that there was a loss of revenue to the company. The article provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customers’ Ring video cameras, where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other competitors turned on two factor authentication years ago, Amazon didn’t, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID Act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions, and now the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up on the 20th anniversary of 9-11, and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID-compliant IDs in the last 19 years, is this really a critical problem? You are better off having a Real ID compliant ID card and not having to argue the point. Source: MSN

Sex Works

One more time Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women such as this one.


Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last week, IBM cancelled their attendance and booth at RSA in San Francisco. This week they were joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similar to California’s existing IoT law and calls it strong security. What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all, and it doesn’t say how the manufacturer will provide security updates. It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet.  Source: The UK Gov web site.

 

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing its managed service provider (MSP) for messing up. The fake invoices came from the business owner’s hacked email account, which the MSP was supposed to protect. Source: Channel Futures

 

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online.  They are still saying that it won’t impact their 2019 or 2020 financials.  Sources say that part of the losses will be covered by insurance.  This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance.  Source: Reuters

 

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations, according to multiple sources. Apple often turns over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy, and in many ways they do, sometimes they make business decisions that they would prefer their customers not know about. Source: Reuters

 

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips.  Stay tuned;  it is a long journey.  Source: The L.A. Times

Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities together called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and from there, the patient information.

CISA rates vulnerabilities on a 1 to 10 scale with 10 being the scariest.  FIVE OUT OF SIX of the vulnerabilities were rated 10.  The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”. In the meantime, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive and Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet.  The workstation line was launched in 2007, well before anyone worried about the Internet of Things and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, and whether patches are even available. This includes what libraries were used by the developers. An old unsupported library is the source of one of the vulnerabilities above.
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.
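The checklist above, and the point made in the earlier post that vendor support has to outlast how long you plan to keep a device, both reduce to checks that can be run against an inventory. The following is an added example (not code from the original post or from GE or any other vendor it names) that does exactly that in Python over a constructed inventory. All device names, the platform and library names other than Windows XP, and every date other than Microsoft’s Windows XP end-of-support date are assumptions made for the example.

```python
"""Risk triage over an IoT / IIoT device inventory.

Added example, not code from the original post or from any vendor named in it.
The inventory records, the platform names other than Windows XP, and every date
except Microsoft's Windows XP end-of-support date are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Platforms and libraries with known end-of-support dates. The Windows XP date is
# real (Microsoft ended support on 8 April 2014); the library entry is a
# constructed stand-in for the kind of old networking component the post describes.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "legacy-net-stack-1.x": date(2012, 1, 1),  # constructed
}

# The date the triage is run "as of" (constructed to match the post's timeframe).
AS_OF = date(2020, 1, 31)


@dataclass
class Device:
    name: str
    platform: str                        # OS or firmware base the device runs on
    libraries: List[str]                 # third-party components the vendor disclosed
    network_segment: str                 # "IT", "OT-isolated", ...
    patch_owner: Optional[str]           # "internal", a vendor name, or None if nobody
    vendor_support_ends: Optional[date]  # None if the vendor made no commitment
    planned_retirement: date             # how long you intend to keep the device


@dataclass
class Finding:
    device: str
    severity: str   # "high" or "medium"
    message: str


def triage(devices: List[Device], today: date) -> List[Finding]:
    """Run the checklist over every device and return findings, highs first."""
    findings: List[Finding] = []
    for d in devices:
        # What software runs in it, and can it still be patched at all?
        for component in [d.platform, *d.libraries]:
            eos = END_OF_SUPPORT.get(component)
            if eos is not None and eos <= today:
                findings.append(Finding(d.name, "high",
                    f"{component} unsupported since {eos.isoformat()}; no patches will come"))
        # Who is responsible for patching it?
        if d.patch_owner is None:
            findings.append(Finding(d.name, "high", "no patch owner assigned"))
        # Is it isolated from the IT network?
        if d.network_segment == "IT":
            findings.append(Finding(d.name, "medium",
                "sits on the IT network; move it to an isolated segment"))
        # Will vendor support outlast the time you plan to own it?
        if d.vendor_support_ends is None:
            findings.append(Finding(d.name, "medium",
                "vendor has not committed to a security-update end date"))
        elif d.vendor_support_ends < d.planned_retirement:
            unsupported_days = (d.planned_retirement - d.vendor_support_ends).days
            findings.append(Finding(d.name, "high",
                f"support ends {d.vendor_support_ends.isoformat()} but device is kept "
                f"until {d.planned_retirement.isoformat()} ({unsupported_days} days unsupported)"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.device))


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity so the report can lead with the numbers."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory: a ward workstation on an unsupported OS, a badge
# reader nobody owns, and a camera that is actually in good shape.
SAMPLE_INVENTORY = [
    Device("ward3-cic-workstation", "Windows XP", ["legacy-net-stack-1.x"], "IT",
           "vendor-contract", date(2022, 12, 31), date(2027, 1, 1)),
    Device("lobby-badge-reader", "vendor-rtos-3.2", [], "OT-isolated",
           None, None, date(2025, 1, 1)),
    Device("dock-camera-1", "vendor-linux-5.4", [], "OT-isolated",
           "internal", date(2026, 6, 30), date(2025, 1, 1)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, AS_OF):
        print(f"[{f.severity:6}] {f.device}: {f.message}")
```

Run against the sample inventory, the workstation collects four findings (two unsupported components, the IT-network placement, and support that ends before retirement), the badge reader two, and the camera none. The useful habit is the last check: a contract that ends before you retire the device is a finding today, not a surprise in five years.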

At least this is a start.

 

Source: ZDNet, Dark Reading

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google’s and other advertisers’ ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%. The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but more users in the US are willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle. The bug is in AirDrop, Apple’s file sharing feature. The good news is that a patch is available, so you just need to install it. Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to). Doing that eliminates the communications path for the malware. Once that is complete, you can power off individual computers. Source: NOLA.com