Category Archives: Internet of Things

22nd October AVIEN updates

Updates to Anti-Social Media 

Wired: How a suspicious Facebook page is pushing pro-Brexit ads to millions – “The UK’s fake news inquiry says the website Mainstream has spent around £257,000 on pushing a pro-Brexit advertising campaign on Facebook in the last 10 months. The problem? Nobody knows who runs the page or where the money comes from”

And I somehow didn’t get round to posting this nearly a year ago, but it’s still worth reading. The Verge: Former Facebook exec says social media is ripping apart society – ‘No civil discourse, no cooperation; misinformation, mistruth…. He went on to describe an incident in India where hoax messages about kidnappings shared on WhatsApp led to the lynching of seven innocent people.’

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Researchers found that one of the most popular Internet of Things real-time operating systems, FreeRTOS, is affected by serious vulnerabilities.

Refers to this blog by Zimperium: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

Updates to Tech support scams resource page

Lawrence Abrams for Bleeping Computer: McAfee Tech Support Scam Harvesting Credit Card Information. A scam that has its cake and attempts to eat it. Several times.

“Essentially, these scammers are not only earning commissions on affiliate sales, but also stealing your credit card and personal information. This information can then be used to charge other purchases or perform identity theft using your credentials.”

David Harley


IoT updates

Updates to Internet of (not necessarily necessary) Things

Added a few days ago, in fact, but I’ve been a bit busy…

  • Threat Post: Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers – “The flaw impacted patients with pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.”
  • The Register: Last year, D-Link flubbed a router bug-fix, so it’s back with total pwnage – “Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check…. Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.”
  • The Register: Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound – “Gadgets taught to identify actions via always-on mics” What could go wrong?
  • Pierluigi Paganini: A Russian cyber vigilante is patching outdated MikroTik routers exposed online – “Alexey described his activity on a Russian blogging platform; he explained he hacked into the routers to change settings and prevent further compromise.” As Paganini points out, this is still ‘cybercrime’. Well, in most jurisdictions. Indeed, I remember dissuading a friend from taking somewhat similar action to remediate the impact of the Code Red worm in 2001. Even if the motivation is pure, it’s still unauthorized access and modification. I talked about related issues in the context of the BBC’s purchase of a botnet in 2009 here and elsewhere linked in the article. Unfortunately, the ESET link there no longer works, and it’s on ESET’s blog that I did most of my writing on the topic, but you could try this.
  • The UK’s National Cyber Security Centre (NCSC), in collaboration with the Department for Digital, Culture, Media and Sport (DCMS), has published a Code of Practice for Consumer IoT Security (a differently-formatted – i.e. picture-free – version is available here). It is based on the following guidelines:
    • No default passwords
    • Implement a vulnerability disclosure policy
    • Keep software updated
    • Securely store credentials and security-sensitive data
    • Communicate securely
    • Minimise exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Monitor system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

Commentary from The Register: GCHQ asks tech firms to pretty please make IoT devices secure – “Hive, HP Inc sign up to refreshed code of practice”


AVIEN resource updates: 13th October 2018

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit – “The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants.”

Updates to Specific Ransomware Families and Types

David Bisson for Tripwire: New Sextortionist Scam Uses Email Spoofing Attack to Trick Users – “As reported by Bleeping Computer, an attack email belonging to this ploy attempts to lure in a user with the subject line “[email address] + 48 hours to pay,” where [email address] is their actual email address.”

In the Bleeping Computer article, Lawrence Abrams says: “In the past, the sextortion emails would just include a target’s password that the attackers found from a data breach dump in order to scare the victim into thinking that the threats were real. Now the scammers are also pretending to have access to the target’s email account by spoofing the sender of the scam email to be the same email as the victim.”

Updates to Mac Virus

Krebs/Sager interview on supply chain security (also published on this site).

David Harley

AVIEN resources update 10th October 2018

Updates to Anti-Social Media 

Catalin Cimpanu for ZDNet: Google sets new rules for third-party apps to access Gmail data – “All Gmail third-party apps with full access to Gmail user data will need to re-submit for a review by February 15, 2019, or be removed.” Meanwhile, according to the Hacker News: Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ Data.

“The vulnerability was open since 2015 and fixed after Google discovered it in March 2018, but the company chose not to disclose the breach to the public—at the time when Facebook was being roasted for the Cambridge Analytica scandal.”

The Register comments: Google now minus Google Plus: Social mini-network faces axe in data leak bug drama – “Project Zero would have been all over this – yet it remained under wraps”


Pierluigi Paganini: Hackers can compromise your WhatsApp account by tricking you into answering a video call

The Register: Rap for WhatsApp chat app chaps in phone-to-pwn security nap flap – “Memory corruption flaw present in Android, iOS builds. Aaand it’s been fixed”

Updates to Cryptocurrency/Crypto-mining News and Resources

Cecilia Pastorino for ESET: Blockchain: What is it, how it works and how it is being used in the market – “A closer look at the technology that is rapidly growing in popularity”


Help Net, citing a report by Webroot: Cryptomining dethrones ransomware as top threat in 2018

Updates to GDPR page

Amber Welch for Security Boulevard: Phishing the GDPR Data Subject Rights – “Companies across the globe are now working toward compliance with the EU GDPR, while phishers may be preparing to exploit their new compliance processes. Airbnb first fell prey to a GDPR-related scam, with more surely to come. Unfortunately, many GDPR security efforts have focused primarily on Article 32 while overlooking new ancillary compliance program risks.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

SEC Consult: MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

Shaun Nichols for The Register: World’s largest CCTV maker leaves at least 9 million cameras open to public viewing – “Xiongmai’s cloud portal opens sneaky backdoor into servers…. Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.”


Netlab 360: 70+ different types of home routers (all together 100,000+) are being hijacked by GhostDNS – “Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server [3] through the corresponding DNS configuration interface.”

Tomáš Foltýn for ESET: Most routers full of firmware flaws that leave users at risk – “If you own a Wi-Fi router, it may well be riddled with security holes that expose you to a host of threats” There’s a comment to this piece by TrevorX that’s well worth reading.


The Register: Which? That smart home camera? The one with the vulns? Really? – “Which? Magazine has been called out for recommending a line of smart home cameras with known vulnerabilities.”


Pierluigi Paganini: Expert presented a new attack technique to compromise MikroTik Routers – “The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS” at Derbycon; it leverages a known directory traversal flaw tracked as CVE-2018-14847.”

Updates to Meltdown/Spectre and other chip-related resources

Thomas Claburn for The Register: Intel’s commitment to making its stuff secure is called into question – ‘In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel’s Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel’s statement “a blatant lie.”’

Updates to: Ransomware Resources

Help Net, citing a report by Webroot: Cryptomining dethrones ransomware as top threat in 2018

Updates to Tech support scams resource page

Probably won’t get to be a full post, but a comment on one of my ESET blog articles pointed out that “A similar variation is still going round starting with the assertion that your broadband speed is below par and he was working on behalf of my ISP. When we got as far as typing “assoc” in the command window I looked for proof of identification (which I should have asked for at the start!). As tempers flared I hung up the line.”

Updates to Mac Virus

More commentary on China, Apple, and supply-chain hacking

Android, iOS, and macOS issues


David Harley

AVIEN resource updates 3rd August 2018

Updates to Anti-Social Media 

A fascinating article for Quartz by Nikhil Sonnad: Everything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

David Harley

AVIEN Resource updates 2nd August

Updates to Anti-Social Media 

(1)

New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”

Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”

Facebook’s own blog post: Removing Bad Actors on Facebook

(2)

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

(3)

The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul – “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”

(4)

Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Steam game Abstractism pulled after cryptomining accusations

The Register: ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist – “A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

Updates to GDPR page

The Register: India mulls ban on probes into anonymized data use – with GDPR-style privacy laws – “Thought having your call center in India was a good idea? Maybe not so much now”

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack – “‘Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.’ reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Updates to Mac Virus

Android and OneDrive, and iOS-targeting phish

David Harley

Who says there’s no IoT in Idiot?

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Tomáš Foltýn for ESET: Bluetooth bug could expose devices to snoopers – “The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the Israel Institute of Technology. It impacts two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.”

Dave Cartwright for The Register: Some Things just aren’t meant to be (on Internet of Things networks). But we can work around that – “Plus: Did you know ‘shadow IoT’ was a thing? It is.” Indeed it is, by analogy with “shadow IT”, where users install unapproved computing devices on the company network. Shadow IoT extends that to devices such as network cameras.

Richard Chirgwin for The Register: If you’re serious about securing IoT gadgets, may as well start here – “Mohit Sethi’s ambitious proposal … sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.”

The 2018 SANS Industrial IoT Security Survey report considers security concerns about the use of the IIoT. Commentary from Help Net Security here. The report gives rise to particular concerns about the security of connected devices within critical infrastructure.

Pierluigi Paganini: Korean Davolink routers are easy exploitable due to poor cyber hygene [sic] – “Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTML of login page.”

ZDNet: Flaw let researchers snoop on Swann smart security cameras – “Anyone could watch and listen to the live stream from the internet-connected smart camera.”

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys – The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

David Harley

IoT, ID IoTs, and other loose cannons

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary in the modern world. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

1. Malwarebytes: What’s the real value—and danger—of smart assistants?

“…technologies such as Siri, Alexa, Google Assistant, and Cortana have become ubiquitous in our culture…Here’s what you need to know about smart assistants and the real value (and danger) they provide.” Looks at issues such as kids and smart assistants, and whether it’s a good idea to use a smart assistant to control your IoT devices.

2. Positive Technologies: Positive Technologies experts discover dangerous vulnerabilities in robotic vacuum cleaners. “The first vulnerability, CVE-2018-10987, involves remote code execution…Attackers need physical access to exploit the second vulnerability, CVE-2018-10988…these vulnerabilities may also affect other IoT devices using the same video modules … Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.”

John Leyden for The Register: Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me – “Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*”

Lindsay O’Donnell for ThreatPost: IoT Robot Vacuum Vulnerabilities Let Hackers Spy on Victims – “Two vulnerabilities were discovered in Dongguan Diqee 360 vacuum cleaners, which tout Wi-Fi capabilities, a webcam with night vision, and smartphone-controlled navigation controls. These would allow control over the device as well as the ability to intercept data on a home Wi-Fi network.”

3. Shaun Nichols for The Register: US voting systems (in Oregon) potentially could be hacked (11 years ago) by anybody (in tech support) – “ES&S admits a handful of systems were shipped with PCAnywhere tool … The software was not in the voting machines themselves, but rather in the election management system (EMS) terminals used to manage the voting machines to do things like configuring scanning equipment or formatting ballots.”

4. John Leyden for The Register: IoT search engine ZoomEye ‘dumbs down’ Dahua DVR hijackings by spewing passwords – “And no one wants to fix it … Many Dahua DVR devices can be hijacked by exploiting a five-year-old firmware-based vulnerability (CVE-2013-6117).”

5. Bleeping Computer: Researchers Mount Successful GPS Spoofing Attack Against Road Navigation Systems – “Academics say they’ve mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations.” Paper available from Microsoft here.

David Harley

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary (routers, for instance, in the story that leads below). But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is always necessary, or even desirable, given how often that connectivity widens the attack surface.]

Stephen Cobb for ESET: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”

Catalin Cimpanu for Bleeping Computer: The VPNFilter Botnet Is Attempting a Comeback – “…APT28 appears to be unfazed by the FBI’s takedown of its original VPNFilter botnet and is now looking for new devices to compromise, and maybe this time, get to carry out its planned attack.”

Talos: VPNFilter Update – VPNFilter exploits endpoints, targets new devices – “In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

Zeljka Zorz for Help Net Security: How Mirai spawned the current IoT malware landscape (with particular reference to Satori, JenX, OMG and Wicked).

Gareth Corfield for The Register: UK.gov lobs £25m at self-driving, self-parking, self-selling auto autos – “Not just the vehicle tech but a data marketplace too” What could go wrong? Well, maybe stay away from Westworld and Jurassic Park…

John Leyden for The Register: Crappy IoT on the high seas: Holes punched in hull of maritime security – “Researchers able to nudge ships off course … Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse”

David Harley

The FBI and VPNFilter

Updates to Internet of (not necessarily necessary) Things

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

Updates to GDPR page

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!


David Harley