Submission + - Vint Cerf: Privacy May Be A Historical Anomaly (securityledger.com)

chicksdaddy writes: The U.S. Federal Trade Commission (FTC) used a one-day workshop to highlight security and privacy issues prompted by so-called “Internet of Things.” But attendees at the event may have walked away with a more ambiguous message, as prominent technologists and industry representatives questioned whether conventional notions of privacy had much relevance in a world populated by billions of Internet-connected devices.

“I don’t feel like privacy is dead,” keynote speaker Vint Cerf, a Vice President and Chief Internet Evangelist at Google, told an audience at the FTC workshop (http://www.ftc.gov/bcp/workshops/internet-of-things/). “I do feel like privacy will be increasingly difficult for us to achieve,” Cerf warned.

And Cerf wasn’t alone in wondering whether that might not be such a bad thing – or even that unusual. “Is privacy an anomaly?” he asked attendees in a keynote speech on Tuesday.

Recalling his experience living in a small German town where the “postmaster knew what everyone was doing,” Cerf argued that the modern concept of being ‘alone in the crowd’ is a fairly recent one, born of the industrial revolution and the growth of urbanization.

Tensions between the social benefits and costs of new technologies and the Internet of Things cropped up in many discussions during the one-day event, which featured workshops on Internet-connected “Smart Homes,” “Connected Vehicles,” and “Connected Health and Fitness.” The panel on “Connected Vehicles” saw noted researcher Tadayoshi Kohno of the University of Washington sparring with Christopher Wolf of the tech industry-backed Future of Privacy Forum over the benefits of connected car features like geo-tracking and crash detection versus the cost: potential privacy violations or remote attacks on connected car systems.

Submission + - How Snowden Did It (darkreading.com)

ancientribe writes: Key clues are emerging that provide a clearer picture of how Edward Snowden may have pulled off the most epic insider leak in history. Security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents, Venafi has concluded based on public information on the breach and their analysis. Venafi is also publicly challenging the NSA and Snowden to prove its conclusion wrong.

Submission + - The (Coming) Age of The Developer King (veracode.com)

chicksdaddy writes: Veracode's blog has an interesting post on how the fast adoption of "Internet of Things" technology will empower application developers as never before.

Picking up on a post by Jim Morrish over at Bosch's Internet of Things blog (http://blog.bosch-si.com/m2m-platforms-recast-for-the-age-of-the-internet-of-things/), Veracode notes that an ecosystem is fast developing that abstracts information from a wide range of data sources – including traditional corporate and IT systems, as well as legacy M2M platforms. The effect of that is to put power into the hands of application developers, who have free(er) rein to shape the applications that will define the Internet of Things.

Application developers can already tap off-the-shelf development tools, protocols, and features that connect them to a much wider pool of data (and, thus, possible applications). That frees them from the onerous task of mastering proprietary application logic or stovepiped platforms.

Of course, the security and privacy implications of all that abstracted logic (and the boilerplate code that enables it) have yet to be worked out. Veracode has noted before that third party code in its various incarnations is already a frequent source of computer security vulnerabilities. (http://www.veracode.com/blog/2013/10/third-party-components-and-the-owasp-top-10-talking-code-part-6/)

Submission + - Hack Uses Phone's Camera, Mic To Infer Passwords From Hand Movements (securityledger.com)

chicksdaddy writes: All those sensors on your smartphone are great. They enable all kinds of cool features – from finding the nearest Starbucks to mobile payments. But they also pose a risk to the privacy of the phone’s owner, as malicious actors (and the occasional national government) look for ways to turn cameras and other sensors into powerful, cheap and convenient spying tools.

Now researchers at The University of Cambridge have demonstrated one possible, new attack type (http://www.lightbluetouchpaper.org/2013/11/08/5653/): harnessing the built-in video camera and microphone on Samsung Galaxy and Nexus devices to spy on an owner’s hand movements and guess his or her password, The Security Ledger reports. The technique could be a way for cyber criminals to defeat anti-keylogging technology like secure “soft” keyboards used to enter banking PINs and other sensitive information, the researchers report. (http://www.cl.cam.ac.uk/~rja14/Papers/pinskimmer_spsm13.pdf)

The lesson for mobile application developers and device makers is that “mobile devices are fundamentally different from traditional servers (and) desktops in the way we use them,” Laurent Simon, one of two Cambridge University researchers who conducted the research, told The Security Ledger. “Smart phones and other devices that are ‘aware’ of the physical world are vulnerable to new types of attacks. This physical-world interaction needs to be considered when designing secure devices,” he wrote.

Submission + - Malicious Supply Chain Links 11 Attacks (securityledger.com)

chicksdaddy writes: Fresh off their discovery of a previously unknown (‘zero day’) security hole in Microsoft’s Internet Explorer web browser (http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html), researchers at the security firm Fireeye say that they have evidence that a string of sophisticated attacks has a common origin.

In a report released on Monday (http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf), the firm said that many seemingly unrelated cyber attacks identified in the last year appear to be part of a “broader offensive fueled by a shared development and logistics infrastructure” — what Fireeye terms a ‘supply chain’ for advanced persistent threat (APT) style attacks.

At least 11 APT campaigns targeting “a wide swath of industries” in recent months were found to be built on the same infrastructure of malicious applications and services, including shared malware tools and malicious binaries with the same timestamps and digital certificates, Fireeye reports.

“Taken together, these commonalities point to centralized APT planning and development,” Fireeye wrote.

Submission + - Govt Sees Need For PKI To Protect Vehicle-To-Vehicle Communications (securityledger.com)

chicksdaddy writes: Factory-installed and even aftermarket identity management applications may soon be standard components on automobiles, as the federal government looks for ways to leverage automation and collision avoidance technology to make the country’s highways and roadways safer. That’s the conclusion of a new report from the Government Accountability Office. Vehicle-to-vehicle communications are poised to take off, but significant security and privacy challenges must first be met, identity management top among them, GAO found.

The report, GAO 14-13 (http://gao.gov/assets/660/658709.pdf) said that the US Dept. of Transportation (DOT) is looking at public-key infrastructure (PKI) deployments that would allow automobiles to authenticate to each other and ensure that the data being transmitted has not been tampered with.

GAO quotes officials at one auto industry consortium known as “CAMP VSC 3,” which includes Ford Motor Company, GM, Honda and Mercedes, saying that the security system will need to be able to detect “misbehaving devices—such as devices that are malfunctioning, used maliciously, or hacked,” then “automatically revoke certificates from vehicles with such devices.”

Submission + - Is a Nest Botnet In Our Future? (securityledger.com)

chicksdaddy writes: The über-popular Nest smart thermostat (http://nest.com/) has become the poster child for the wonderful possibilities of "The Internet of Things." The sleek device is an object lesson in how software-driven, smartly designed and cloud-connected devices will transform our physical spaces. Under the hood, however, many of these devices – the Nest included – fail to live up to their slick and polished exteriors and graphical interfaces.

To that point, The Security Ledger has an interview with Daniel Buentello, an independent security researcher who most recently made the rounds with his "Weaponizing your Coffee Pot" talk at DerbyCon and ToorCon Seattle. (https://www.youtube.com/watch?v=9YwF7cj_OKc#t=1972)

Buentello talks to Security Ledger about his new research on The Nest — a powerful, sensor rich device about which little is known. Buentello said the Nest's reliance on cloud-based management infrastructure is a particular concern.

"The situation here is a lot worse than what meets the eye," he said. "These connected (device) clouds are basically web apps without a user interface." And, like any web app, they're vulnerable to attack.

As Buentello showed with research on the Belkin WeMo platform, would-be Nest hackers could use Nest APIs to fuzz the Nest cloud, finding exploitable vulnerabilities. This would be similar to what happened to many social network and e-commerce operations in the early days of the mobile phone app craze, when hackers figured out that they could manipulate mobile APIs.

The lack of "traditional" user interfaces on devices like the Nest might give developers the (false) sense of security that the devices can't be hacked by traditional means. As for a Nest botnet, Buentello said that he's conducting research that might show how it might be possible to hijack the Nest cloud and use it to control devices in the field, but he isn't talking.

Submission + - Apple Store Favorite IZON Cameras Riddled With Security Holes (securityledger.com)

chicksdaddy writes: It's another day, another face-palm moment for the home surveillance camera industry.

Just one month after the Federal Trade Commission (FTC) settled a complaint (http://www.ftc.gov/opa/2013/09/trendnet.shtm) with the maker of SecurView, a line of poorly secured home surveillance cameras, a researcher at the firm Duo Security (http://www.duosecurity.com) has found a slew of even more serious security holes in the IZON Camera — a popular product that is sold in Apple Stores and Best Buy, among others. A review by The Security Ledger found dozens of such systems accessible via the public Internet, in some cases allowing anyone to peer into the interiors of private residences and businesses.

Mark Stanislav (@markstanislav), the Security Evangelist at the firm Duo Security, conducted an audit of the IZON hardware and corresponding iOS mobile application software used to manage it. He documented a slew of troubling security lapses, including an easily guessed default user account for the Web-based GUI used to view live video streams, a wide-open configuration with open ports for accessing the device by Telnet and HTTP, unencrypted communications and video streaming to and from IZON devices, and a hard-coded, undocumented root account for the Linux-based devices.

Using the search engine Shodan.org, Stanislav compiled a list of scores of IP addresses of IZON cameras exposed on the Internet – some deployed behind simple DSL broadband connections. A review of that list by The Security Ledger revealed a handful of exposed Web interfaces that allow anyone with an Internet connection and knowledge of the default user name and password to take control of the camera: viewing a live video feed, making video recordings that can be automatically uploaded to YouTube or other cloud-based services, and even sounding audio alarms. In one case, the camera appeared to be deployed in a private residence in Kissimmee, Florida, where an elderly couple were seen caring for an infant. Others showed the interiors and exteriors of private residences – some occupied, others obviously vacant. (https://i1.wp.com/securityledger.com/wp-content/uploads/2013/10/IZON-Photos.jpg)

The CTO for Stem Innovation of Salt Lake City (http://steminnovation.com/), which makes the IZON cameras, said that the IZON firmware, server system and iOS applications tested by Stanislav have been updated since the summer, when Stanislav's research was conducted. He claims the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies.

Submission + - No Zombie Uprising, But Problems Persist With Emergency Alert System (securityledger.com)

chicksdaddy writes: More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack.

In a blog post (http://blog.ioactive.com/2013/10/strike-two-for-emergency-alerting.html), Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of “bad and predictable” login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials.

Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the “dead are rising from their graves,” and advising residents not to attempt to apprehend them. (http://www.reuters.com/article/2013/02/12/us-usa-zombie-montana-idUSBRE91B1IA20130212) CAP refers to the Common Alerting Protocol, a successor to EAS.

A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware, The Security Ledger reports.

Submission + - Printable Smart Labels Tell You When The Milk's Gone Bad (securityledger.com)

chicksdaddy writes: Security Ledger brings news that the Norwegian firm ThinFilm (http://www.thinfilm.no/) has successfully tested a printable electronics component that it claims is the first fully functional “smart” label. (http://www.thinfilm.no/news/stand-alone-system/) The company claims its disposable Smart Sensor Label can track the temperature of perishable goods and is a “complete closed system built from printed and organic electronics.”

Smart Sensor is being marketed to pharmaceutical makers as a way to keep temperature-sensitive drugs and to food wholesalers, which can track the temperature their product is kept at throughout the supply chain. When "critical temperature thresholds" are reached, the Smart Sensor label will change to indicate that, using an integrated display driver. Such labels could make it possible to easily monitor the condition of large quantities of product, keeping it safe and effective and preventing perfectly usable products from being destroyed. But the possible applications of printable electronics are huge: they can be produced for a fraction of the cost of comparable technologies because they don’t need to be assembled. And, because they’re flexible and paper-like, they can be deployed pretty much anywhere you can stick a label — something ThinFilm's CEO says could provide an extensible platform for the much-ballyhooed "Internet of Things."

Submission + - Google: Android Malware Infections Literally One-In-A-Million (securityledger.com)

chicksdaddy writes: Google has been increasingly vocal in calling "bulls**t" on attempts by security software firms to paint its Android mobile operating system as "the next Windows" and a malware-ridden mess. Now the company says it has the numbers to prove it.

Speaking at the Virus Bulletin Conference in Berlin last week, Android team member Adrian Ludwig told an audience of antivirus experts and industry folk that reports about Android malware (many of them propagated by AV firms) were overblown and obscured the real story: Android’s success at blocking actual infections. Citing Google data (https://docs.google.com/presentation/d/1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPw/pub?start=false&loop=false&delayms=3000), Ludwig told the assembled that new security features, such as the Bouncer app testing service and Verify Apps technology, make actual infections of Android devices a one-in-a-million occurrence, the Security Ledger reports.

Data collected by the Verify Apps service, which logs events involving hazardous applications, found that only 1,200 of 1.5 billion application install attempts were incidents in which “potentially harmful applications” ended up being installed on an Android device, Ludwig said.

This is just the latest effort by Ludwig to throw cold water on feverish reports about skyrocketing Android malware. (http://www.eweek.com/security/mobile-malware-threat-growth-hits-record-in-q2-mcafee) In June, Ludwig told an audience at an FTC-sponsored event in Washington D.C. that reports of widespread infections due to the recently discovered "BadNews" malware were simply not true. “We’ve observed the app(lication) and we’ve reviewed all the logs we have access to,” he said. “We haven’t seen a single instance of abusive SMS applications being downloaded as a result of BadNews,” Ludwig said at the time. (https://securityledger.com/2013/06/google-badnews-malware-not-so-bad-after-all/)

Submission + - Stealing Silicon Valley (businessweek.com)

pacopico writes: A series of robberies in Silicon Valley have start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up.

Submission + - Glass's Killer App: Focus-Based Marketing (securityledger.com)

chicksdaddy writes: The Security Ledger has a story about the next-stage of interactivity: focus-based marketing. The story profiles technology by CrowdOptic, a Bay Area startup that is positioning its technology as the “killer app” for companies and marketers looking to leverage wearable technology like Google Glass.

Long and short: "Liking" stuff on Facebook is not cool. You know what's cool? Knowing what people like without them having to do or say anything. “If I know where you’re looking, I can interact with you in an elegant way. I know that you’re interested if you’re looking at something. I don’t need a hashtag, I already know it's significant,” says CEO Jon Fisher.

CrowdOptic has been working with companies like L’Oreal to try to leverage the current generation of “ubiquitous” technology – smart phones. In June, the two companies partnered on an “augmented reality” demonstration at the Luminato Festival in Toronto. (http://www.forbes.com/sites/tarunwadhwa/2013/06/03/crowdoptic-and-loreal-are-about-to-make-history-by-demonstrating-how-augmented-reality-can-be-a-shared-experience/) Festival-goers who downloaded a special mobile phone application could point their phones at different places around David Pecaut Square and view a “virtual gallery” of artworks that they could interact with using their mobile phones. Just replace those interactive pieces of art with product advertisements or location-based offerings, and you get a sense of where all this is leading.

But wearable technology like Google’s Glass is a huge leap forward for a company like CrowdOptic. “I think the entire DNA of our company is to fulfill for wearable technology like Google Glass,” Fisher told Security Ledger. Last month, CrowdOptic demonstrated an application for Glass and mobile devices that allowed users to launch a Hangout On Air based around a group focus — that is: what multiple people are looking at. (http://www.kurzweilai.net/crowd-activated-google-hangout-on-air-broadcasts)

Submission + - It's the Rollout, Stupid: Online Health Exchange Woes Mostly Due To Bad Planning (veracode.com)

chicksdaddy writes: The government-run online health exchanges designed to connect millions to private insurance plans under the Affordable Care Act got off to a rocky start on Tuesday, with reports of web sites paralyzed by a flood of traffic from millions of uninsured people, desperate to get covered. (http://www.nytimes.com/2013/10/03/us/problems-persist-on-second-day-of-insurance-markets.html)

With the stakes so high and so much attention on the online healthcare marketplaces, should we be surprised that many state exchanges and Healthcare.gov (https://www.healthcare.gov/), the federal government’s main health insurance storefront for 30 states, were overwhelmed when the doors swung open and millions of eager customers poured in?

“No,” according to web application and security experts. "I’d never rule out government incompetence,” Jeremiah Grossman of the security firm WhiteHat Security said of the problems. “But I think if you ask people who build scalable web systems if they would expect to stand up a system and have two million people use it on the first day without any problems, they’d say ‘no way.’”

The problems facing such web-based applications are legion. Sites must have adequate bandwidth to handle the volume of traffic and simultaneous connections that such a spike creates. The backend database must be programmed in a manner that can manage thousands or tens of thousands of simultaneous queries.

Grossman noted that popular sites like Google, Facebook and Twitter all had their share of availability problems. (Remember the Fail Whale?) (http://www.nytimes.com/2009/02/15/magazine/15wwln_consumed-t.html) But those sites had months or years to work out the kinks before their user base grew to millions, or tens of millions of users – the situation healthcare.gov and other exchanges now find themselves in.

Which isn't to say that the problems experienced by healthcare.gov (designed by CGI Federal with a $71 million federal grant) and other exchanges were unavoidable. The federal government (and states) would have been smart to roll the new online marketplace out slowly — perhaps opening the doors to one (small) state at a time, or limiting access to users by birth date or some other criteria. Many of the same problems would have almost certainly cropped up with a smaller rollout, but their impact would have been muted.

Submission + - Metadata On How You Drive Also Reveals Where You Drive (securityledger.com)

chicksdaddy writes: Pay as you Drive programs are all the rage in the auto insurance industry. The (voluntary) programs, like Progressive Insurance's Snapshot (http://www.progressive.com/insurance/snapshot/ps-brand/auto/buy/default.aspx) use onboard monitoring devices to track information like the speed of the automobile, sudden stops, distance traveled and so on. Safe and infrequent drivers might see their rates drop while customers who log thousands of miles behind the wheel and/or drive recklessly would see their insurance rates rise.

GPS data isn't generally collected, and insurance companies promise customers that they're not tracking their movement. No matter. A study (http://cs.du.edu/~rdewri/data/MyPapers/Conferences/2013WPES-Extended.pdf) by researchers at the University of Denver claims that the destination of a journey can be derived by combining knowledge of the trip's origin with the metrics collected by the "pay as you drive" device, The Security Ledger reports.

The data points collected by these remote sensing devices are what the researchers call “quasi-identifiers” – attributes that are “non-identifying by themselves, but can be used to uniquely identify individuals when used in combination with other data.” (https://securityledger.com/2013/03/mobile-phone-use-patterns-the-new-fingerprint/) In one example, researchers used a strategy they called “stop-point matching” to compare the pattern of vehicle stop points from a known origin with various route options. They found that in areas with irregular street layouts (i.e. "not Manhattan"), the pattern will be more or less unique for any location.

The study raises important data privacy questions for the (many) “pay as you drive” programs now being piloted, or offered to drivers – not to mention other programs that seek to match remote sensors and real-time monitoring with products and services.
