Archive for Security

US Government Wants To Regulate IoT Devices…. Good Luck With That

Posted in Commentary with tags on August 2, 2017 by itnerd

Yesterday the US Senate introduced legislation that would regulate the Internet of Things. Basically, anything with an IP address. The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. The bill also directs Homeland Security to come up with a vulnerability disclosure program so that departments can get patched and updated. Another requirement says the Office of Management and Budget must come up with reasonable standards as to what IoT security should actually entail.

Now, I’ve been saying for a very long time that governments have to step in and regulate IoT devices if companies can’t build secure devices. I however don’t think this will make any difference. Why? Two reasons come to mind.

  1. I question whether US Government agencies have the ability to come up with and update any standards as to what IoT security means. Though, they are free to prove me wrong on that point.
  2. The average consumer isn’t affected by this because this bill if passed only applies to government. Thus, you and I are still at the mercy of IoT vendors.

So, while this is a good start, I don’t think this is the solution that this problem needs. Maybe someday there will be a bill to regulate ALL IoT devices backed by standards that make sense and are enforceable. But until then, you and I will still have to worry about craptastic security in our IP cameras, robotic vacuums, and every other IoT device we own.

Advertisements

#Fail: Dow Jones Exposes Data Of Millions Of Customers Via “Semi Public” S3 Storage

Posted in Commentary with tags on July 21, 2017 by itnerd

Hot off the heels of Verizon exposing the data of 14 million people via a wide open Amazon S3 data bucket, comes this story of the security firm who found that #Fail finding that Dow Jones had a “semi public” Amazon S3 data bucket that exposed the records of 2+ million customers to the entire planet:

The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, that had been configured to allow semi-public access exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.

The exposed data includes the names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications like The Wall Street Journal and Barron’s. Also exposed in the cloud leak were the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations.

What’s worse is that Dow Jones had a “sluggish” response to this when it came to notifying their customers. That too is a #fail. This is why this sort of thing needs to be aggressively policed and punished. Otherwise, we are all at risk.

#Fail: Verizon Suffers Data Breach…. Data From 14 Million Customers Exposed

Posted in Commentary with tags , on July 13, 2017 by itnerd

US cellphone carrier Verizon has one hell of a data breach on its hands. A security firm by the name of UpGuard found out about this security blunder which involved technology supplier Nice Systems who left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. This data was publicly accessible to anyone who had the “easy-to-guess” URL, the security firm said. The data in question included names, phone numbers and PINs that could be used to access customers Verizon accounts. The number of customers potentially affected totaled 14 million.

#fail

Verizon has admitted to the breach, but has downplayed the potential damage that could have been caused. Still this highlights what could happen when a company loses control of your personal information.

UPDATE: Clearly Verizon is touchy about this because I got this via Twitter no less than 5 minutes after posting this story:

#Fail: US Health Insurer Mails Coverage Information On USB Keys Which Could Lead To Pwnage

Posted in Commentary with tags on July 13, 2017 by itnerd

From the “this seemed like a good idea at the time” department comes BlueCross and BlueShield of Alabama and their decision to mail out policy details on a USB key, along with instructions to insert the key into a PC. Here’s the problem according to the fellow who brought this to light via a LinkedIn post:

You should never insert an unknown usb device into your computer or run an unknown program. If you do, it is possible for that device to install software on your computer that may not have the best of intentions.

I am not accusing BCBS of creating software that is less than aboveboard. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.

This, to me, should be something that even the most junior cyber security consultant would understand is a bad idea. A corporation the size of BlueCross should have the resources to make sure ideas like this never see the light of day.

Clearly someone at this organization didn’t think this through. Thus I suspect heads will roll over this as in the age of epic pwnage, this would be an easy to exploit attack vector.

Samsung Galaxy S8 Iris Scanner Security Pwned By Hackers

Posted in Commentary with tags , on May 23, 2017 by itnerd

If you bought a Samsung Galaxy S8 for the security that the iris scanner provided you, then you may have to rethink that decision. Motherboard is reporting that hackers have used a fake iris to bypass the phone’s security:

Despite Samsung stating that a user’s irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner’s protections and unlock the device. “We’ve had iris scanners that could be bypassed using a simple print-out,” Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera’s night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture.And, that’s it. They’re in.

So, why does this work? Here’s my guess. I am guessing that the S8 is only checking for the pattern of the iris and it has no ability to tell if it is a real eye or not. Thus it is easily pwnable.  If any of this sounds familiar, it should. The facial recognition in the S8 can be fooled in the same manner.  And according to Motherboard, the fingerprint scanner has been pwned too. Samsung hasn’t commented on this, but it will be interesting to see what they do to fix this as this was a key selling feature for the phone.

Hackers Can Pwn Your Computer Via Flaws In Media Players Exploited Via Subtitles

Posted in Commentary with tags on May 23, 2017 by itnerd

This is something that I never figured was possible. Security company Check Point has come out with a blog post that has details about a new type of exploit that leverages flaws in various media players to pwn computers. The vehicle for the pwnage is subtitles in videos:

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.

There’s also a proof of concept video that you can see here:

Now the four media player apps that are mentioned have mitigations against this threat. But there are likely plenty that are not mentioned that are easily pwnable. Or at least will be pwnable now that this is out in the open and hackers start to figure out how to exploit this. Thus, I have two pieces of advice. First if you use any of the media players mentioned above, then I would say that you should update to the latest version of these players. Second, if you’re running something else, maybe you should switch to one of these four to protect yourself from the threats that are sure to come.

“EternalRocks” Is The Next NSA Inspired Malware That May Make Life Miserable For You

Posted in Commentary with tags on May 23, 2017 by itnerd

Having just got over the ransomware known as “WannaCry” which caused global havoc just over a couple of weeks ago, we now have something new to worry about. Meet “EternalRocks” which like “WannaCry” utilizes exploits found by and acquired from the NSA, but is far more dangerous according to this as it uses seven NSA sourced exploits to the two that “WannaCry” used. Antivirus and security company Symantec already has a write up about this new threat, which means that their products likely have countermeasures for it. Other companies are likely to follow suit as this is a clear and present danger. But at least it’s one that people see coming.