Comments on DSHR's Blog: Bruce Schneier on the IoT (17 comments)

David. (2016-10-05 11:18 -07:00):

Today's Things in the Internet, according to Kaspersky, are <a href="http://www.thenewspaper.com/news/50/5049.asp" rel="nofollow">speed cameras</a> and their associated routers, etc.

David. (2016-09-11 20:32 -07:00):

Today's news is of stealthy <a href="http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html" rel="nofollow">malware targeting devices running Linux firmware</a> with a default password on an open Telnet or SSH port. They're co-opted into a DDOS botnet and scan for more victims.

David. (2016-09-10 21:02 -07:00):

More than <a href="http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml" rel="nofollow">70% of all Seagate Central NAS drives</a> connected to the Internet are running crypto-currency mining malware, netting the perpetrators $86,400 so far. The drives have a public folder that anyone can write to. What could possibly go wrong?

David. (2016-08-26 15:09 -07:00):

Jean-Louis Gassée's <a href="https://mondaynote.com/the-internet-of-poorly-working-things-cda7a147af" rel="nofollow"><i>The Internet of Poorly Working Things</i></a> contrasts the run-of-the-mill Thing in the Internet with all its failings versus Amazon's Echo, a Thing built by a company that knows what it's doing and how to support its users. The exception that proves the rule.

David. (2016-08-26 07:12 -07:00):

Kieren McCarthy at <i>The Register</i> reports that, to their credit, one of the "smart lock" manufacturers whose vulnerabilities <a href="http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html" rel="nofollow">Anthony Rose exposed</a> actually <a href="http://www.theregister.co.uk/2016/08/25/iot_manufacturer_caught_fixing_security_holes/" rel="nofollow">patched the problem</a>:

"But what was surprising was that just 10 days later, August had put out patches that fix the holes. Even Rose was surprised, <a href="https://twitter.com/jmaxxz/status/766752209493225472" rel="nofollow">tweeting</a>: "August just patched their web services to stop guest from being able to insert backdoor keys in homekit locks! Kudos to their engineers."

He noted in a subsequent <a href="https://jmaxxz.com/blog/?p=550" rel="nofollow">blog post</a> that the fix is not an all-encompassing one – that will take longer to effect – but a 10-day turnaround? What is August thinking? ... Among the many models of smart locks that Rose identified as being fundamentally flawed, so far it seems that none other than August have fixed the flaws or even acknowledged they exist. In fact, of the 12 manufacturers that Rose contacted because he was able to unlock their locks without approval, only August even responded."

David. (2016-08-19 08:44 -07:00):

Today's Things in the Internet are <a href="https://slashdot.org/story/315141" rel="nofollow">power sockets</a>:

"that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things."

David. (2016-08-17 13:17 -07:00):

Today's Things in the Internet that are totally vulnerable are <a href="https://boingboing.net/2016/08/15/its-pretty-easy-to-hack-traf.html" rel="nofollow">traffic signals</a>:

"The networking protocol is proprietary and unencrypted, and uses non-modifiable default passwords that are published online by the systems' vendors. By default these systems have the debugging port turned on, which allows untrusted parties to seize control over the system. Controlling a traffic signal also yields control over its sensors, including traffic cameras."

The opportunities for (a) speeding up your commute and (b) causing mayhem are obvious.

David. (2016-08-10 12:14 -07:00):

Among the Things in the Internet that are much smaller but no more secure than semi-tractors and cars are <a href="http://fusion.net/story/334603/sex-toy-we-vibe-privacy/" rel="nofollow">vibrators</a>.

David. (2016-08-09 09:42 -07:00):

John Leyden at <i>The Register</i> <a href="http://www.theregister.co.uk/2016/08/09/vehicle_security_research/" rel="nofollow">reports on research by IOActive</a> into the catastrophic state of Things with Wheels in the Internet:

"half of the vulnerabilities discovered by security researchers at IOActive could result in "complete or partial loss of control" of a vehicle.

IOActive's study is based on real-world security assessments with the world's leading vehicle manufacturers, covering three years' worth of data and active vulnerabilities. An alarming 71 per cent of the vulns uncovered during the research could be exploited without much difficulty, or are almost certain to be exploited."

David. (2016-08-08 12:14 -07:00):

Among the stupidest Things to connect to the Internet are <a href="http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html" rel="nofollow">door locks</a>:

"Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit."

The ridiculously easy included:

"Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air."

and the slightly less easy ones that encrypted the password:

"But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."

Hat tip to <a href="http://boingboing.net/2016/08/08/75-percent-of-bluetooth-smart.html" rel="nofollow"><i>Boing-Boing</i></a>.

David. (2016-08-03 07:54 -07:00):

Miller and Valasek, famed for last year's <a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/" rel="nofollow">remote Jeep attack</a>, have now shown that it is possible to <a href="https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/" rel="nofollow">bypass the security checks on the Jeep's CAN network</a>:

"causing unintended acceleration and slamming on the car's brakes or turning the vehicle's steering wheel at any speed."

These are local attacks, but:

"Their full-speed attack on the Jeep's steering and acceleration is what could happen the next time sophisticated hackers find a wireless foothold on a vehicle's network."

David. (2016-08-02 19:54 -07:00):

Among the Things in the Internet With Wheels That Kill People with catastrophically insecure systems are <a href="https://www.usenix.org/conference/woot16/workshop-program/presentation/burakova" rel="nofollow">semi tractors and school buses</a>:

"We test our attacks on a 2006 Class-8 semi tractor and 2001 school bus. With these two vehicles, we demonstrate how simple it is to replicate the kinds of attacks used on consumer vehicles and that it is possible to use the same attack on other vehicles that use the SAE J1939 standard. We show safety critical attacks that include the ability to accelerate a truck in motion, disable the driver's ability to accelerate, and disable the vehicle's engine brake."

Via <a href="https://boingboing.net/2016/08/02/big-rigs-can-be-hijacked-and-d.html" rel="nofollow"><i>Boing Boing</i></a>.

David. (2016-07-27 00:40 -07:00):

At <i>Ars Technica</i> Karl Bode's <a href="https://www.techdirt.com/articles/20160725/09460835061/internet-things-is-security-privacy-dumpster-fire-check-is-about-to-come-due.shtml" rel="nofollow">commentary on Schneier's Motherboard article</a> is worth reading.

David. (2016-07-25 23:58 -07:00):

Bruce Schneier is still on the case with <a href="http://motherboard.vice.com/read/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster" rel="nofollow"><i>The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters</i></a>:

"Disaster stories involving the <a href="https://motherboard.vice.com/tag/The+Internet+of+Hackable+Things" rel="nofollow">Internet of Things</a> are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios <a href="https://www.schneier.com/essays/archives/2005/09/terrorists_dont_do_m.html" rel="nofollow">overhype the mass destruction</a>, the individual risks are all real. And traditional computer and network security isn't prepared to deal with them."

David. (2016-06-27 19:23 -07:00):

Not to be outdone by home routers and cable modems, the <a href="http://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/" rel="nofollow">security cameras strike back</a> with a 25K IP botnet delivering 50K/s HTTP requests to a jewellery store.

David. (2016-06-22 09:22 -07:00):

Once again, after the Sony/Microsoft gaming networks were taken down by the Lizard Squad, we see the power of <a href="https://it.slashdot.org/story/16/06/19/226250/one-million-ip-addresses-used-in-brute-force-attack-on-a-bank" rel="nofollow">botnets running on home routers and cable modems</a>:

"Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses -- and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign. ... Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems."

David. (2016-06-17 12:05 -07:00):

<i>The Economist</i> manages to write an entire article on <a href="http://www.economist.com/news/business/21700380-connected-homes-will-take-longer-materialise-expected-where-smart" rel="nofollow">Smart Home technology's slow uptake</a> without a single mention of the catastrophic insecurities with which the technology is infested.