Archive for Security

List Of Pwnable IoT Devices Floating In The Wild

Posted in Commentary on August 29, 2017 by itnerd

A list of IoT devices and their Telnet credentials has gone viral in the last few days. The list holds the IP addresses of over 33,000 IoT devices along with their Telnet logins, which are trivial defaults such as root or admin for both the username and the password. That would make it trivially easy to build a botnet of IoT devices like the Mirai botnet that hit several sites recently. The list has existed since June, but went viral when it was tweeted out in the last few days. Now, according to this article on Threat Post, there is an all-out effort to stop exploitation of the list by tracking down the owners of these devices so that they can take remedial action, which could include updating firmware, changing passwords, or taking the devices offline, among other possibilities.

Now, this sort of thing is precisely the reason why I have said for a long time that people who make IoT devices have to seriously step up their game when it comes to securing them. And if they are unable or unwilling to do so, governments should be prepared to force them to. If these devices are not made as secure as possible, a catastrophic event becomes possible. And by then, it would be way too late.



Tech Companies Team Up On Android Botnet Takedown

Posted in Commentary on August 29, 2017 by itnerd

In an unprecedented move, a half dozen tech companies have teamed up to take down the “WireX” botnet which may have had tens of thousands of compromised Android devices as part of it. Noted security expert Brian Krebs has the details:

News of WireX’s emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands.

More worrisome was that those in control of the botnet were now wielding it to take down several large websites in the hospitality industry — pelting the targeted sites with so much junk traffic that the sites were no longer able to accommodate legitimate visitors.

Experts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different mobile apps scattered across Google’s Play store that were mimicking seemingly innocuous programs, including video players, ringtones or simple tools such as file managers.

That’s right, apps from the Google Play Store were central to the existence of this botnet. That proves once again that Google has a bit of a problem when it comes to what is available to download and install onto Android devices. But I digress. Several hundred apps that carried the code to power this botnet have been removed from the Google Play Store. But this case illustrates that botnets are now at a whole new level, one that requires companies that aren’t friendly towards each other to team up to take them down. It will be interesting to see if this sort of co-operation is the new normal, or just a one-time event.

US Government Wants To Regulate IoT Devices… Good Luck With That

Posted in Commentary on August 2, 2017 by itnerd

Yesterday the US Senate introduced legislation that would regulate the Internet of Things. Basically, anything with an IP address. The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. The bill also directs Homeland Security to come up with a vulnerability disclosure program so that departments can get patched and updated. Another requirement says the Office of Management and Budget must come up with reasonable standards as to what IoT security should actually entail.

Now, I’ve been saying for a very long time that governments have to step in and regulate IoT devices if companies can’t build secure devices. However, I don’t think this bill will make any difference. Why? Two reasons come to mind.

  1. I question whether US Government agencies have the ability to come up with and update any standards as to what IoT security means. Though, they are free to prove me wrong on that point.
  2. The average consumer isn’t affected by this, because this bill, if passed, only applies to government. Thus, you and I are still at the mercy of IoT vendors.

So, while this is a good start, I don’t think this is the solution that this problem needs. Maybe someday there will be a bill to regulate ALL IoT devices backed by standards that make sense and are enforceable. But until then, you and I will still have to worry about craptastic security in our IP cameras, robotic vacuums, and every other IoT device we own.

#Fail: Dow Jones Exposes Data Of Millions Of Customers Via “Semi Public” S3 Storage

Posted in Commentary on July 21, 2017 by itnerd

Hot on the heels of Verizon exposing the data of 14 million people via a wide-open Amazon S3 bucket comes this story from the security firm that found that #Fail: it has now discovered that Dow Jones had a “semi public” Amazon S3 bucket that exposed the records of 2+ million customers to the entire planet:

The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, which had been configured to allow semi-public access, exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.

The exposed data includes the names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications like The Wall Street Journal and Barron’s. Also exposed in the cloud leak were the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations.

What’s worse is that Dow Jones had a “sluggish” response to this when it came to notifying their customers. That too is a #fail. This is why this sort of thing needs to be aggressively policed and punished. Otherwise, we are all at risk.

#Fail: Verizon Suffers Data Breach… Data From 14 Million Customers Exposed

Posted in Commentary on July 13, 2017 by itnerd

US cellphone carrier Verizon has one hell of a data breach on its hands. A security firm by the name of UpGuard found out about this security blunder, which involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. This data was publicly accessible to anyone who had the “easy-to-guess” URL, the security firm said. The data in question included names, phone numbers and PINs that could be used to access customers’ Verizon accounts. The number of customers potentially affected totaled 14 million.


Verizon has admitted to the breach, but has downplayed the potential damage that could have been caused. Still, this highlights what can happen when a company loses control of your personal information.
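The Verizon and Dow Jones leaks above are the same class of mistake seen from two angles: a bucket readable by anyone on the internet, and a bucket readable by anyone holding any AWS account. Added example (not the blog’s code and not UpGuard’s tooling): a small classifier over an S3 bucket ACL in the dict shape boto3’s get_bucket_acl() returns. It assumes that “semi public” means a grant to the AuthenticatedUsers group; the three sample ACLs are constructed here for illustration.

```python
# Added example: classify S3 bucket ACL grants the way a defender auditing
# buckets would, distinguishing public (AllUsers) from semi-public
# (AuthenticatedUsers, i.e. any AWS account holder) from private grants.
# The dict shape mirrors boto3's s3.get_bucket_acl(); samples are constructed.

PUBLIC_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
SEMI_PUBLIC_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def classify_acl(acl):
    """Return (level, findings) for a bucket ACL.

    level is 'public' if AllUsers holds any permission, 'semi-public' if only
    AuthenticatedUsers does, else 'private'. findings lists the offending
    (level, permission) pairs so an auditor can see what was granted.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are scoped
        uri = grantee.get("URI", "")
        permission = grant.get("Permission")
        if uri == PUBLIC_URI:
            findings.append(("public", permission))
        elif uri == SEMI_PUBLIC_URI:
            findings.append(("semi-public", permission))
        # Other groups (e.g. the S3 LogDelivery group) are not world-readable.
    if any(level == "public" for level, _ in findings):
        return "public", findings
    if findings:
        return "semi-public", findings
    return "private", findings


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"}

# Constructed sample: Verizon-style bucket, readable by anyone with the URL.
PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    OWNER, {"Grantee": {"Type": "Group", "URI": PUBLIC_URI}, "Permission": "READ"}]}

# Constructed sample: Dow Jones-style "semi-public" bucket (any AWS account).
SEMI_PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    OWNER, {"Grantee": {"Type": "Group", "URI": SEMI_PUBLIC_URI}, "Permission": "READ"}]}

# Constructed sample: the corrected configuration, owner-only access.
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]}

if __name__ == "__main__":
    for name, acl in [("public", PUBLIC_ACL), ("semi", SEMI_PUBLIC_ACL), ("private", PRIVATE_ACL)]:
        print(name, classify_acl(acl))
```

Bucket policies can open a bucket just as widely as an ACL, so an audit that only reads the ACL is a partial check.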

UPDATE: Clearly Verizon is touchy about this because I got this via Twitter no less than 5 minutes after posting this story:

#Fail: US Health Insurer Mails Coverage Information On USB Keys Which Could Lead To Pwnage

Posted in Commentary on July 13, 2017 by itnerd

From the “this seemed like a good idea at the time” department comes BlueCross and BlueShield of Alabama and their decision to mail out policy details on a USB key, along with instructions to insert the key into a PC. Here’s the problem according to the fellow who brought this to light via a LinkedIn post:

You should never insert an unknown USB device into your computer or run an unknown program. If you do, it is possible for that device to install software on your computer that may not have the best of intentions.

I am not accusing BCBS of creating software that is less than aboveboard. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.

This, to me, should be something that even the most junior cyber security consultant would understand is a bad idea. A corporation the size of BlueCross should have the resources to make sure ideas like this never see the light of day.

Clearly someone at this organization didn’t think this through. Thus I suspect heads will roll over this, as in the age of epic pwnage this would be an easy-to-exploit attack vector.

Samsung Galaxy S8 Iris Scanner Security Pwned By Hackers

Posted in Commentary on May 23, 2017 by itnerd

If you bought a Samsung Galaxy S8 for the security that the iris scanner provided you, then you may have to rethink that decision. Motherboard is reporting that hackers have used a fake iris to bypass the phone’s security:

Despite Samsung stating that a user’s irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner’s protections and unlock the device. “We’ve had iris scanners that could be bypassed using a simple print-out,” says Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium-range photo of their subject with a digital camera’s night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that’s it. They’re in.

So, why does this work? Here’s my guess: the S8 is only checking for the pattern of the iris and has no ability to tell whether it is looking at a real eye or not. Thus it is easily pwnable. If any of this sounds familiar, it should. The facial recognition in the S8 can be fooled in the same manner. And according to Motherboard, the fingerprint scanner has been pwned too. Samsung hasn’t commented on this, but it will be interesting to see what they do to fix it, as this was a key selling feature for the phone.