Updates from December, 2016

  • case

    case 9:08 pm on December 27, 2016
    Tags: government, standards

    Reality Check: Getting Serious About IoT Security 

    The Department of Homeland Security is fully justified in urging security standards for the Internet of Things.

    “In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS “Strategic Principles for Securing the Internet of Things” acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.

    How this effort could affect upcoming product releases is yet to be seen, but these questions remain: How secure must products be before delivery to consumers? Will the liability of insecure Web devices translate to a burden for consumers unaware of proper security? This uncertainty could cause problems for those who produce or use IoT devices.

    This move by the DHS was necessary. The recent Dyn DDoS attack made the susceptibility of these devices clear, and the sheer destructive potential makes the risks impossible to ignore.”


  • case

    case 9:00 pm on December 27, 2016
    Tags: iot village

    IoT Village at DEF CON 24 Uncovers Extensive Security Flaws in Connected Devices 

    “One of the most unnerving exploits was presented by researcher Fred Bret-Mounet, who showed an attacker could shut down the equivalent of a small to mid-sized power generation facility by accessing the flaw in solar panels manufactured by Tigo Energy.

    In another, researcher Anthony Rose discovered that 75% of the smart locks he investigated could be easily compromised, letting an attacker open the lock on a victim’s front door. Another researcher, who goes by the handle “jmaxxz,” discovered a series of vulnerabilities with August locks which, if exploited, would mean that “anyone you’ve ever let use your phone, or ever given access to your home as a guest via your smart lock could enter your home without your knowledge or permission,” he said. Smart locks are one of the fastest growing consumer products serving the smart home.”


  • case

    case 8:58 pm on December 27, 2016
    Tags: ccc, german, germany

    Lockpicking in the IoT at Chaos Communications Congress 2016 

    Lockpicking in the IoT
    …or why adding BTLE to a device sometimes isn’t smart at all

    “Smart” devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and app decompilation to show why those devices and their manufacturers aren’t always that smart after all, and that even AES128 on top of the BTLE layer doesn’t have to mean “unbreakable”. Our main target will be electronic locks, but the methods shown apply to many other smart devices as well…

    This talk will hand you all the tools you need to go deeply into hacking smart devices. And you should! The only reason a huge bunch of these products doesn’t even implement the most basic security mechanisms, might be that we don’t hack them enough!

    We start by looking at the hardware layer, dissecting PCBs and showing which chips are usually used for building those devices. Even if the firmware is read-protected, they can still be used as nice devboards with unusual peripherals – if you can’t flash it, you don’t own it!

    But you don’t always have to get out your JTAG interfaces. The simplest part is intercepting an app’s communication with its servers. We show an easy man-in-the-middle setup which breaks the TLS encryption on the fly and lets you read and manipulate the data flowing through. This was enough to completely defeat the restrictions on a lock’s “share to a friend” feature and of course helps you recover your password…

    Understanding the API is also the best way to actually OWN your device – giving you the option to replace the vendor’s cloud service with your own backend. We show how this can, for example, be used to continue using your bike lock when the Kickstarter you got it from goes bankrupt after a presentation about its bad crypto. Just kidding, they are already notified and working on a patch.

    Going for the wireless interface and sniffing BTLE also isn’t as difficult as it might sound. Turning a cheap 10 EUR devboard into a sniffer, we show how to use Wireshark to dissect the packets going from and to the device and analyze the payload. In some cases this is all that’s needed to get the secret key from a single interaction…

    Finally we will turn into reverse engineers, showing how to decompile an Android app and analyze its inner workings or even modify it to your needs. Using this, we show that a quite popular electronic padlock indeed correctly claims to use AES128, but due to a silly key exchange mechanism we can break it by listening to a single opening command. All details of this 0-day attack will be released during the talk – the vendor has been notified in May.

    Last but not least we will go back to the hardware layer, showing that sometimes even simple things like magnets or shims can be used to defeat $80+ electronic locks in seconds…

    Speaker: Ray
    Ray’s mainly known for only taking questions as an answer, but is also an active lockpicker and electronics hacker.

    Besides presenting Hacker Jeopardy for over ten years now, Ray is also known for his presentations about lockpicking. He created the first 3D printed key and used laser cutters to circumvent key control of high security handcuffs. For three years now he has also been going after electronic locks, bypassing mechanical actuators as well as flashing his own firmware “just because he can”.
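    The padlock story in the abstract above (AES128 on the wire, yet a single sniffed opening command is enough) comes down to a replayable protocol rather than a weak cipher. The Go program below is an added illustration, not code from the talk or from any lock vendor: it contrasts a constructed static-token design, where the encrypted "OPEN" command is identical every session, with a nonce challenge-response in which the lock only accepts an answer to the challenge it just issued, and only once. The key, the 12-byte nonce size and the "OPEN" command word are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
)

// aesBlock zero-pads msg to one block and encrypts it in place (16-byte key = AES-128).
func aesBlock(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	block := make([]byte, aes.BlockSize)
	copy(block, msg)
	c.Encrypt(block, block)
	return block
}

// WeakOpenToken is the replayable design: AES-128(key, "OPEN"). Nothing varies
// per session, so the ciphertext repeats and one sniffed command opens forever.
func WeakOpenToken(key []byte) []byte {
	return aesBlock(key, []byte("OPEN"))
}

// Lock is the hardened design: it issues a fresh 12-byte nonce, expects
// AES-128(key, nonce || "OPEN") back, and discards the nonce after one use.
type Lock struct {
	Key   []byte
	nonce []byte // outstanding challenge, nil when none
}

func (l *Lock) Challenge() []byte {
	l.nonce = make([]byte, 12)
	rand.Read(l.nonce) // crypto/rand never returns an error as of Go 1.24
	return append([]byte(nil), l.nonce...)
}

// OpenResponse is what the app computes for the challenge it just received.
func OpenResponse(key, nonce []byte) []byte {
	return aesBlock(key, append(append([]byte(nil), nonce...), "OPEN"...))
}

// Open accepts a response only for the current challenge, and only once.
func (l *Lock) Open(resp []byte) bool {
	ok := l.nonce != nil && bytes.Equal(resp, OpenResponse(l.Key, l.nonce))
	l.nonce = nil // consumed whether or not it matched
	return ok
}
```

    A production lock would compare with crypto/subtle.ConstantTimeCompare and use an authenticated mode rather than a raw block encryption; the point here is that the per-challenge nonce, not the cipher, is what makes a captured command worthless.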



  • case

    case 8:56 pm on December 27, 2016

    IoT Village 

    Organized by security consulting and research firm Independent Security Evaluators (ISE), IoT Village™ delivers thought leadership advocating for security advancements in Internet of Things (IoT) devices. The village consists of workshops on hacking numerous off-the-shelf devices (e.g. medical devices, home appliances, routers, and storage devices), live educational talks and a variety of contests. IoT Village’s™ contests are brought to you by SOHOpelessly Broken™, the first-ever router hacking contest at DEF CON, which delivered 15 new 0-day vulnerabilities to the research community.


  • case

    case 8:56 pm on December 27, 2016
    Tags: cyberattacks

    Major Cyberattacks On Healthcare Grew 63% In 2016 

    US hospitals lack new technologies and best practices to defend against threats, new report says.

    Some 93 major cyberattacks hit healthcare organizations this year, up from 57 in 2015, new research shows.

    TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).

    Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).

    Sophisticated attackers are now responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.


  • case

    case 11:54 pm on December 26, 2016
    Tags: data trash

    Data Trash 

    Arthur Kroker, Author, with Michael A. Weinstein. Palgrave MacMillan, $18 (160p), ISBN 978-0-312-12211-9

    Authors Kroker (Spasm) and Weinstein have written a primer that speculates on the state of things to come when we become the Internet. They have anticipated the debris that will be left by the traffic of the information highway, and they can’t ignore the roadkill. What follows is a survey exploring the consequences of technology on culture, economy, class and individuality. They hold that virtual reality will supplant reality itself, that use of information will reinforce extant caste systems, and that ultimately the information highway will not be so much a tool providing us with usable data but rather it will provide those who control it with data to use us. Their findings, while alternately compelling and repellent, are undermined as they single-handedly double the lexicon of technobabble. While the suppositions of the authors should not be dismissed, one must note that they prescribe no action. A cautionary note is a useful check against technological autocracy, but in this format the hypotheses take on a cast of conspiracy theory, since supporting evidence is often neglected at the expense of covering a multitude of topics.


  • case

    case 9:29 pm on December 15, 2016
    Tags: data ownership   

    Own your own data 

    No matter how good Evernote is…

    No matter how stable Evernote looks…

    Evernote is still a startup.

    That means that at some point, like everything, your data will need to move.

    It’s why I use my own system. I’ve always used my own system. And if you like data, you should have one too. I don’t use Evernote and I never have.

    How to Jump Ship From Evernote and Take Your Data With You http://lifehacker.com/how-to-jump-ship-from-evernote-and-take-your-data-with-1782841075

  • case

    case 8:57 pm on December 15, 2016

    Original article: https://www.bloomberg.com/news/articles/2016-12-15/verizon-weighs-scrapping-yahoo-deal-on-hacking-liability

    Comments: https://news.ycombinator.com/item?id=13185620

    bmh100 3 hours ago

    One benefit of these incidents at Yahoo! is that they represent salient, clear examples of the cost of poor information security. CIOs and security directors will be able to point to this deal as evidence that poor security can have material impact on the business and destroy massive shareholder value, even years after the fact. A 6.5% intra-day dip sends a clear message. Even a CFO can now see that information security should be viewed as vital insurance that directly impacts shareholder value.

