FCC repeals net neutrality

As I write this, the Federal Communications Commission (FCC) is going through the motions, live streaming its commissioners as they (mostly) express support for what turned out to be the inevitable killing of net neutrality: the 3-year-old landmark rule – imposed during the administration of President Obama – that prevents internet service providers (ISPs) from favoring some sites over others by slowing down connections or charging customers a fee for streaming or other services.

…at least, the FCC had been going through the motions, until around 12:51 pm, when the room was evacuated and bomb sniffing dogs were led through the emptied room by their handlers.

 


Commissioners were let back into the room around 1pm after it had been cleared by security. Within minutes, the room, the internet, and the telecom industry had also been cleared of net neutrality.

There has been much gnashing of teeth.

Clearly, this has been a contentious few months of debate: on one side, telecom giants like AT&T, Charter, Comcast and Verizon have been urging the repeal, which was put forward and championed by Republican FCC Chairman Ajit Pai. They view it as a major victory that will peel back what they see as onerous government regulation.

Getting rid of net neutrality is going to be great for innovation, Pai has been saying, though “blaring from every computer screen in the nation” is actually a joke news piece from The Onion:


Robert Reich, founding fellow of The Sanders Institute – a nonprofit, educational organization founded last year by Jane Sanders, wife of Sen. Bernie Sanders, I-Vt., to help raise awareness of “enormous crises” facing Americans – called industry claims that net neutrality hurts consumers because it discourages investment in their networks “rubbish.”

Since Net Neutrality was adopted, investment has remained consistent. During calls with investors, telecom executives themselves have even admitted that Net Neutrality hasn’t hurt their businesses.

This is what cable companies can inflict on us in the absence of net neutrality, Reich predicts:

  1. Drive up prices for internet service. Broadband providers could charge customers higher rates to access certain sites, or raise rates for internet companies to reach consumers at faster speeds. Either way, these price hikes would be passed along to you and me.
  2. Give corporate executives free rein to slow down and censor news or websites that don’t match their political agenda, or give preference to their own content – for any reason at all.
  3. Stifle innovation. Cable companies could severely hurt their competitors by blocking certain apps or online services. Small businesses who can’t afford to pay higher rates could be squeezed out altogether.

No, says former FCC Chairman Michael K. Powell: that’s the rubbish.

Powell, now a lobbyist for the cable and telecom industry, came out with an opinion piece in which he declared that opponents’ protests amount to “hyperbole, demagoguery and even personal threats.”

More from his article, which was published by Recode on Wednesday:

New-age Nostradamuses predict the internet will stop working, democracy will collapse, plague will ensue and locusts will cover the land.

The biggest threat to Silicon Valley innovation and improving consumer experiences isn’t net neutrality, he says; it’s “an internet that stalls and doesn’t get better.”

Powell says that the “vibrant and open internet” that Americans cherish “isn’t going anywhere.” Not for days, not for weeks, not for years: we’ll also still be merrily shopping online for the holidays, oversharing our photos on Instagram, harping on about our political grievances on Facebook, and asking Alexa what the score of the game is. Everything is going to be Just Fine, and the internet Will Not Blow Up.

Why the confidence? Because ISPs value the principles of net neutrality and the open internet more than activists would have you believe, Powell says. After all, it’s easier to make money with an open internet:

A network company makes the most money when its pipe is full with activity. The more consumers use, the more profitable the business. With new, compelling services, consumer demand rises for higher speeds. Degrading the internet, blocking speech and trampling what consumers now have come to expect would not be profitable, and the public backlash would be unbearable. Economic self-interest and the pursuit of profits tilts decidedly toward an open internet.

His optimism is not mirrored throughout the internet.

Senior analyst Michael Fauscette, Chief Research Officer at G2 Crowd, a review website for business software, says that letting a business self-regulate hasn’t gone well in the past, either for the businesses or the public.

Neither is this struggle over. Fauscette predicts that “there will be plenty of lawsuits attempting to put the protections back in place.” Besides whatever happens in the court, there are things happening inside Congress to restore net neutrality by passing a law to protect it. On Tuesday, Sen. John Thune (R-SD) asked net neutrality supporters on “both sides of the aisle” to work with him on a legislative solution.

Would such a law pass anytime soon, given the makeup of the Republican majority House and Senate? Maybe not, but “soon” might come sooner rather than later, given Democrat Doug Jones’ upset victory to become senator in conservative Alabama, plus the fact that influential Republican Ted Cruz is seen as the next conservative in Democrats’ cross-hairs.

In the meantime, take your pick between alternating views of the near future: either everything will be hunky dory, per Powell, or we can all start reaching for our wallets to pay for internet fast lanes or kicking back with a beer as we get shunted onto slow lanes.

 

via:  nakedsecurity



Disney is acquiring Fox’s film and TV divisions for $52.4 billion

We’re about to see two entertainment behemoths come together, as The Walt Disney Company and 21st Century Fox have officially announced a deal. As a result, Disney will acquire Fox’s film division and much of its TV operations for a price of over $52 billion in stock.

Disney will take over the Nat Geo network, Star TV, Fox’s movie and TV studios and its stakes in both Sky and Hulu, as well as the parts of the business that focus on regional sports broadcasting. It’ll gain a majority stake in Hulu through the deal, too. Fox News, Fox’s basic broadcast network and its national sports channels will be spun off into a new company.

One of the reasons Disney already dominates the entertainment landscape is its big acquisitions under CEO Bob Iger — Pixar, Marvel and most recently Lucasfilm. The move will bulk up Disney’s content library in advance of the planned launch of the studio’s streaming service in 2019. It could also end up posing a significant business threat to Netflix, since Disney has shown it wants to put more of its own original content on its own streaming service rather than on its soon-to-be rival.

Among other properties, Fox owns the Avatar franchise and the original Star Wars film.

And while Disney already does pretty well on the superhero side thanks to its ownership of Marvel, the deal brings the film rights to the X-Men and Fantastic Four back in-house — so maybe that Avengers/X-Men cinematic crossover you’ve been dreaming about will finally happen. In fact, Disney pointed out as much in its official announcement, which includes the following note:

The agreement also provides Disney with the opportunity to reunite the X-Men, Fantastic Four and Deadpool with the Marvel family under one roof and create richer, more complex worlds of inter-related characters and stories that audiences have shown they love. The addition of Avatar to its family of films also promises expanded opportunities for consumers to watch and experience storytelling within these extraordinary fantasy worlds. Already, guests at Disney’s Animal Kingdom Park at Walt Disney World Resort can experience the magic of Pandora—The World of Avatar, a new land inspired by the Fox film franchise that opened earlier this year. And through the incredible storytelling of National Geographic—whose mission is to explore and protect our planet and inspire new generations through education initiatives and resources—Disney will be able to offer more ways than ever before to bring kids and families the world and all that is in it.

Another way to look at the deal: Disney and Fox rank number two and four, respectively, in the domestic box office for the year thus far, and collectively pulled in more than 30 percent of total domestic grosses.

In recent weeks, there’s been plenty of reporting and speculation around the deal, with CNBC saying that the announcement would come today. As expected, Disney CEO Iger has also announced his intent to remain Chairman and CEO of Disney as part of the deal through 2021, instead of retiring in 2019 as previously planned.

Disney says it expects the acquisition to close in 12 to 18 months. The deal still needs regulatory approval, which is hardly guaranteed, especially given the Department of Justice’s resistance to the AT&T-Time Warner deal.

 

via:  techcrunch



5 Security Things to Know for the Week of Dec. 11

 

1) Microsoft issued an emergency fix for a nasty remote code execution bug in its Malware Protection Engine.

2) Phishing attacks are more believable than ever, so users must respond with increased vigilance.

3) Spurred on by breaches and compliance demands, global security spending will top off at nearly $100 billion by next year, roughly one-fifth of which will go toward outsourced security.

4) A years-old vulnerability patched in May in open-source software Samba has given rise to a new ransomware attack.

5) Another massive botnet consisting of hacked Internet of Things devices – dubbed Satori – is poised to strike at any time.

 

via:  trustwave



Hidden keylogger found on HP laptops

The keylogger came bundled with drivers for the company’s laptop keyboards.

A security researcher has discovered that keylogging software has been pre-installed on hundreds of models of HP laptops inside the company’s own keyboard drivers.

The keylogging code was discovered by the security researcher Michael Myng while he was trying to control the backlighting on his HP laptop.

The company has revealed that over 460 of its laptop models have been affected by the “potential security vulnerability” though it has since released a software patch to remove the keylogger from its devices.

Laptops in HP’s Envy, Pavilion, ProBook and EliteBook ranges all contain the issue and HP has published a full list of affected devices all the way back to its 2012 models.

Myng was in the process of inspecting the company’s Synaptics Touchpad software to figure out how to control the backlight on his own HP laptop when he first discovered the keylogger. Fortunately, the keylogger is disabled by default, but if an attacker gained access to an HP laptop they could enable it to record a user’s keystrokes.

HP noted that the keylogger was originally built into its Synaptics software to aid in debugging errors and the company has acknowledged that the software could lead to a “loss of confidentiality.”

Earlier this year, a similar keylogger was discovered that came pre-installed in the audio drivers on several HP laptops though at the time, the company said that the software had been mistakenly included with the drivers.

A spokesperson for HP has since reached out concerning the issue, saying:

“HP was advised of an issue that exists with Synaptics’ touchpad drivers that impacts all Synaptics OEM partners. HP uses Synaptics’ touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on HP.com.”

 

via:  itproportal



56K patient records compromised during separate data breaches at specialty clinics in Kentucky and North Carolina

Two separate data breach incidents at specialty practices in Kentucky and North Carolina have led to nearly 60,000 compromised patient records.

On Friday, the University of North Carolina Health Care’s Dermatology and Skin Cancer Center reported a data breach involving a laptop stolen during an Oct. 8 break-in. In a release, UNC Health Care said the laptop contained information on patients seen at a dermatology clinic called Burlington Dermatology, acquired by the health system in 2015.

The information was in a password-protected database that included identifying personal information like Social Security numbers and birthdates, but the provider does not believe the database included any treatment or diagnostic information.

“UNC Health Care is committed to providing patients with superior health care services and takes its obligation to protect the privacy of patients’ medical information very seriously,” David Behinfar, Chief Privacy Officer, UNC Health Care said in the release. “We have ensured that all remaining computers acquired from, or kept for use by Burlington Dermatology have been properly secured. UNC Health Care has also implemented process improvements to ensure that future acquisitions of physician practices include a process to properly secure legacy computers and electronic patient information.”

Meanwhile, a pulmonary specialty practice in Louisville, Kentucky, sent out a notification indicating an unauthorized third-party accessed its EHR system on Sept. 26. Pulmonary Specialists of Louisville, PSC filed a report with the Department of Health and Human Services late last month indicating the hacking incident potentially compromised 32,000 patient records.

A letter from an attorney representing the practice, posted by the New Hampshire Department of Justice, stated the unauthorized user could have viewed or accessed patient information, adding that the provider has taken steps to secure patient information, “including reviewing and revising its information security policies and procedures and updating the security systems on its EHR.”

Healthcare data breaches are on pace to exceed 2016 figures both in the number of breach incidents and the number of affected records. A larger portion of those threats are linked to insiders despite an uptick in hacking incidents.

Last week, Henry Ford Health System notified 18,000 patients that a third party may have accessed their personal information after learning that someone had gained access to or stolen email credentials from some employees.

 

via:  fiercehealthcare



Putting Off Plans to Strengthen Data Security? It Could Cost You Your Job

When considering the consequences of a data breach, plummeting stock prices, deserting customers and diminishing brand reputations immediately come to mind. These damaging and costly repercussions impact the livelihood of a company. However, a cybersecurity incident can also adversely affect individuals within an organization, costing an employee their job, career and possibly their future.

For examples of post-data breach job casualties, look no further than recent news headlines: Equifax CEO Richard Smith suddenly “retired” after the company’s breach exposed 143 million consumers’ sensitive information, while the credit data firm’s chief information officer (CIO) and chief security officer (CSO) resigned. Similarly, after Target’s infamous 2014 breach, both the CEO and CIO were forced to step down. While these are examples of job loss at the C-level, the effects of a data breach can resonate and impact many other staff members. In fact, a Trustwave and Osterman Research survey showed that 38 percent of organizations consider a data breach that becomes public a fireable offense for IT professionals (not just the C-suite).

The problem is that today’s security and compliance professionals are extremely busy people, with high-priority projects coming in from all different departments. At the same time, they must attempt to keep abreast of constantly evolving cyberthreats and industry regulations, while devising and implementing a security strategy that addresses these ever-changing elements. In spite of this fast-paced work environment, it’s easy to allow the seemingly less-pressing tasks to fall off a “to-do” list. From there, it’s even easier to justify procrastination. “We’ve never been breached, so we must be doing everything right. We can put off our compliance audit a couple more months, or worry about our software security patch next week.”

Alas, many professionals put off security and compliance initiatives for these reasons and others, often with catastrophic results. Take Equifax, again, for example: the company allegedly waited months to patch a well-known software security vulnerability, which perhaps, if addressed in a timely manner, could have prevented the breach. Now, imagine if you were the person who must explain why you didn’t act sooner and allowed your firm to experience a data breach. Keep in mind that if you’re subsequently fired, you’ll have to justify your failure to act to all future potential employers, and you may find it extremely difficult to land another job.

Are you a security procrastinator?

No matter how long their “to do” lists, security and compliance professionals must take a proactive approach to safeguarding data, thereby protecting their company’s reputation and their own careers. Yet many continue to put off the company’s most crucial security and compliance efforts. The primary reasons I hear in the field include:

  1. Lack of internal expertise: While some executives understand the need for a compliance program, the majority don’t recognize the work needed to implement and maintain an ongoing, successful program. This means that less-motivated compliance managers could get away with reporting, “We’re working on it,” for an extended period. Maintaining this façade may work in the short term, but it sets you up for massive failure if a breach does occur.
  2. Cost-cutting: Compliance doesn’t necessarily create new functionality, nor does it garner a pat on the back from your superiors. “Nothing happened today and that is a good thing,” may ring a little hollow to those that don’t understand change control. So, many security personnel are likely to look elsewhere to spend their money. After all, if nothing happened at the end of the day, and you can report that to your boss, you’ve done your job, right? Wrong. With the average cost of a data breach hovering above $3.6 million, a single security incident could render all your “cost savings” completely futile.
  3. Seemingly low odds of a data breach: Data breaches are in the news just about every week, leading many to falsely believe that other companies present a bigger, more attractive target. Or, some security professionals may simply hope that their organization is not hit by a cyberattack. I’m all for wishing for the best, yet the reality is that the odds of experiencing a data breach are as high as one in four, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. This is a gamble with your company’s and your own future that is not worth taking.
  4. Urgency exceeds importance: Some security and compliance personnel begin the process of searching for a new solution with a high sense of urgency. They reach out to vendors, looking to get their project started immediately. But, at the drop of a dime, they’ll turn right around and say, “Never mind. We’ll come back to you in three months.” Most of the time, these people know what they must do, but will find every reason to wait. Whether it’s because their compliance assessment isn’t until next year, or they found something seemingly more pressing, there are a million ways to avoid doing the compliance tasks that need to be done.

Many or all of these circumstances may ring true to you and your company. In the future, they don’t always have to.

Why wait? How to convey urgency for data protection

Of course, not every company is guilty of playing the waiting game for strengthening data security. Even the biggest brands, with large budgets and robust security systems are vulnerable to data breaches. Regardless of where you and your company stand in your security and compliance initiatives, take heed of the following advice to convey a sense of urgency for protecting your most sensitive data:

  1. Share your vision: Serve as a champion to your cause. Emphasize to your team and other executives the importance of protecting your company’s reputation through proactive compliance. Help them understand that such programs are actually investments in your brand, your customers and your colleagues’ future – not another line item expense.      
  2. Talk costs to the C-suite: Upper management may not necessarily care about how a security incident may affect your job, but they will certainly take notice when you talk money. Share how protecting your company from a data breach also protects the organization from reputation damage and loss in customer trust, which directly impact the bottom line. You’ll find it’s much easier to obtain buy-in for supporting your security efforts if you speak their language.
  3. Stress compliance as an ongoing initiative: Compliance isn’t a check-the-box, one-and-done exercise; it requires continuous effort. For example, you could receive a Payment Card Industry Data Security Standard (PCI DSS) Report on Compliance (ROC) one day, and then be vulnerable to a breach the next, if even one security control changes. Therefore, assure your executives that you are “working on it,” and mean it.
  4. Remove sensitive data from your business infrastructure: Because you cannot predict or prevent every potential breach, the above advice will only go so far. The most effective way to strengthen data security is also the simplest approach: remove any sensitive information from your business infrastructure. Simply put, no one can hack the data you don’t hold or process. Investigate and deploy technologies that keep data away from your network and business systems, and you’ll be far less vulnerable (and less attractive) to hackers, fraudsters and other cybercriminals.

No matter what your industry, compliance and security are not something you can put off until next year, next month, or even tomorrow. It takes just a single incident to not only adversely impact your organization, but also your current job and future career. Act now and act decisively. Once you’ve acted, understand that the work still isn’t done. Take an ongoing, proactive approach to security. Make compliance a living and breathing part of your organization, and you’ll have both greater data security and increased job security.

 

via:  infosecisland



Colleges don’t teach cloud skills, so AWS will do it in high school

Amazon is expanding AWS Educate to high school students. Will enterprises benefit from this “get them while they are young” approach?

AWS Educate serves as a path for younger students to understand and get excited about the capabilities of the cloud, namely Amazon’s own AWS cloud. At AWS’s Re:Invent conference last week, AWS announced the company is expanding its cloud education initiative to students ages 14-17.

Obviously, AWS is trying to create customer loyalty early on. Apple did that in the 1980s through heavy discounts and outright gifts of its computers to K-12 students. This was such an influence that, back in my 20s when I was working on PCs and LANs, I noticed a huge bias from students and teachers for using Apple Macs. As a result of spending millions on this program, I’m sure that Apple made billions in shifting customer loyalty to Apple.

But there’s another reason Amazon is promoting its cloud to high-schoolers. Cloud is an essential skill for IT, as well as other professions. But universities do a poor job in educating students about it. In addition to promoting its own AWS cloud, Amazon is trying to remediate that education gap, not only to help populate a future employee pipeline but to populate businesses with cloud-savvy—and cloud-oriented—employees once these students get out of school.

Although there are a great many cloud computing courses in course catalogs at colleges and universities, many educational institutions are slow to offer courses in the cloud computing field, according to a new report from Clutch, a research firm.

Clutch identified three main obstacles that may be hindering universities’ and colleges’ ability to implement cloud computing courses, including the higher cost of resources for cloud computing courses, the fast-paced innovation inherent in the cloud computing field, and limited on-campus cloud computing expertise. I was a college professor for ten years, and I saw these self-inflicted limitations firsthand. For whatever reason, colleges and universities have been slow to react to the need for cloud skills.

That’s both a risk and an opportunity for Amazon. And for students, too.

Indeed, if you teach 14- to 17-year-olds some of the better tactical skills around the use of AWS, as well as general cloud skills such as architecture and security, you will get 18-year-olds who can command $40,000 to $60,000 a year—at the entry level. That’s sure more than I got for cleaning pools and washing dishes when I was 18 years old!

Should enterprises support this effort, as well as efforts at colleges and universities, along with AWS and I’m sure some other major cloud providers? Of course. Even if it means that some students may opt out of college to follow the cloud computing money right out of high school using their hot new AWS skills and certifications. There will be fewer student loans to pay off.

Is AWS in this for their own selfish interest? You bet. So will be other cloud providers that follow with similar programs at both the high school and college levels. However, considering the benefit to the enterprise, AWS, and the students, it’s an all-around win.

 

via:  infoworld



Terabytes Of US Military Social Media Spying S3 Data Exposed

Once again the old, default Amazon AWS S3 settings are catching people out: this time the US military has left terabytes of social media spying S3 data exposed to everyone for years.

It’s not long since a Time Warner vendor and their sloppy AWS S3 config leaked over 4 million customer records and left S3 data exposed, and that’s not the only case – there are plenty more.

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.

The archives were found by UpGuard’s veteran security-breach hunter Chris Vickery during a routine scan of open Amazon-hosted data silos, and the trio weren’t exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive.

CENTCOM is the common abbreviation for the US Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for US Pacific Command, covering the rest of southern Asia, China and Australasia.

Vickery told The Register today he stumbled upon them by accident while running a scan for the word “COM” in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.

“For the research I downloaded 400GB of samples but there were many terabytes of data up there,” he said. “It’s mainly compressed text files that can expand out by a factor of ten so there’s dozens and dozens of terabytes out there and that’s a conservative estimate.”

I’m curious to know if anyone else found these buckets before. I should hope that, being the US military, they at least have access logging turned on for these buckets, but considering the fact they were open to the world – that may not be the case.

It just goes to show (as with MongoDB) you can’t trust people with lax defaults because most of the time developers won’t change them.

Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens.

The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the US government’s Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Vickery found the Outpost development configuration files in the archive, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch. Another file refers to Coral, which may well be a reference to the US military’s Coral Reef data-mining program.

“Coral Reef is a way to analyze a major data source to provide the analyst the ability to mine significant amounts of data and provide suggestive associations between individuals to build out that social network,” Mark Kitz, technical director for the Army Distributed Common Ground System – Army, told the Armed Forces Communications and Electronics Association magazine Signal back in 2012.

“Previously, we would mine through those intelligence reports or whatever data would be available, and that would be very manual-intensive.”

I guess tools like this are just making it easier to find exposed buckets:

AWSBucketDump – AWS S3 Security Scanning Tool.

There are definitely going to be more of these cases popping up as more people jump on the cloud bandwagon without really understanding the security implications: “Hey, the URL is not public so we don’t need to protect it because no one can find it”, etc.
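A defensive check for the kind of exposure described above, as an added example that is not part of the original post: it flags bucket ACL grants and bucket policy statements that open a bucket to everyone. The bucket names, account ID and sample documents are constructed; the ACL and policy are assumed to be in the shape the S3 GetBucketAcl and GetBucketPolicy calls return.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_acl(acl):
    """Report ACL grants made to the public or all-AWS-accounts groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def audit_policy(policy):
    """Report Allow statements whose principal is a wildcard."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            # A condition (source IP, VPC endpoint, ...) may narrow access;
            # a human has to decide whether it narrows it enough.
            findings.append(f"REVIEW: wildcard principal with condition for {actions}")
        else:
            findings.append(f"PUBLIC: policy allows {actions} to any principal")
    return findings


def audit_bucket(name, acl, policy_json):
    """Combine both checks; policy_json is None when no policy is attached."""
    policy = json.loads(policy_json) if policy_json else {}
    return [f"{name}: {f}" for f in audit_acl(acl) + audit_policy(policy)]


# --- constructed sample data (not taken from any real bucket) ---
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-open-archive/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-locked/*"}})

if __name__ == "__main__":
    for line in audit_bucket("example-open-archive", OPEN_ACL, OPEN_POLICY):
        print(line)
    print(audit_bucket("example-locked", PRIVATE_ACL, SCOPED_POLICY) or "example-locked: no findings")
```
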

 

via:  darknet



5 Steps to a More Secure IoT Baseline

Enterprise access point maker Ruckus once again patched up command injection vectors that could completely compromise both the ZoneDirector controller, as well as the Unleashed AP. One of the vulnerabilities is in fact strikingly similar to an issue in another Ruckus Web-GUI I disclosed last year.

While vulnerability is essentially an inevitable fact of life for any sufficiently complex software, there are several mitigating factors that can often greatly reduce the impact of a successful exploit.

In the year 2017, there is no reason for some of these design failures to be happening in product after product. It is time that we as security professionals start expecting more from vendors.

With this in mind, I have compiled a list of some security practices we should consider as part of a baseline of security.

1. STOP RUNNING EVERYTHING AS ROOT!

Perhaps in the early days of embedded Linux, resource constraints drove developers to drop the traditional user-based security model and do everything as root. Today, there is no excuse for having web servers running with full uid 0 permissions.

By default, management interfaces should be running with reduced privileges and only have the ability to perform a limited set of privileged operations. If Ruckus had taken the time to employ any form of privilege separation, it is unlikely that any of the vulnerabilities I’ve reported to them could be directly used for a complete compromise.

2. ANTI-CSRF TOKENS SHOULD BE EVERYWHERE!

Cross-site request forgery (CSRF) is one of the most ubiquitous security defects that I see in embedded devices. This is compounded by the fact that most IoT products are designed to blindly trust the local network or simply fail to properly validate authentication tokens.

If Ruckus had implemented CSRF protections after my last disclosure to them, these new vulnerabilities would be effectively limited to insider threat. As it stands, however, it is not hard to write JavaScript capable of locating a device on the local network and relaying attacks to it.

3. ENABLE EXPLOIT MITIGATIONS!

Defensive technologies have come a long way in recent years, but it is rare to find embedded devices making use of them. Many of the devices I’ve examined fail to use things like address randomization (ASLR), position independent executables (PIE), or NX. While this is not a vulnerability in itself and these technologies are not perfect, they do definitely raise the bar required for reliable exploitation of memory corruption issues.

It would also, of course, be great to see vendors make use of newer technologies like control flow integrity (CFI) or even certain runtime sanitizers, but there is simply no excuse for not making use of security features that have been available in Linux for more than 15 years.
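As an added example (not code from the original article), the following check reads an extracted firmware binary's ELF header and program headers and reports whether it was built as PIE and with a non-executable stack. It handles 32-bit and 64-bit, little- and big-endian images; `audit_elf` and `make_elf32_be` are hypothetical names, and the sample images are constructed.

```python
import struct

ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def audit_elf(image: bytes) -> dict:
    """Report PIE and NX status from an ELF header and its program headers."""
    if len(image) < 52 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = image[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if image[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    (e_type,) = struct.unpack_from(end + "H", image, 16)
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", image, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", image, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 42)

    nx = False  # no PT_GNU_STACK entry: treat the stack as executable
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", image, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in ELF64 and 24 in ELF32 program headers
            (flags,) = struct.unpack_from(end + "I", image, off + (4 if is64 else 24))
            nx = not flags & PF_X
    # ET_DYN also covers shared libraries; for a main executable it means PIE.
    return {"pie": e_type == ET_DYN, "nx": nx}


def make_elf32_be(e_type: int, stack_flags) -> bytes:
    """Constructed sample: minimal big-endian ELF32 header (MIPS-style layout)."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0,
                               52, 32, phnum, 0, 0, 0)
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
```

ASLR itself is a kernel setting rather than a per-binary flag; PIE is what allows it to randomize the main executable's base address.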

4. AUTHENTICATE REQUESTS!

All too often, I find that the default behavior of a device is to treat any requests from the local network as authenticated. For example, the Belkin WeMo will allow anyone on your home network to take control and become associated with your home account. The Mios Vera home automation controller requires the user to dig through settings to enable any form of authentication, and doing so makes the device inoperable if there is an Internet service outage.

Meanwhile, Control4’s system requires authentication to log in to their app, but devices will accept commands over an XML-based protocol without any tokens or passwords. Weak or missing authorization schemes have a compounding effect with CSRF by allowing malicious web pages to directly manipulate devices without requiring that the victim has previously authenticated with the device.
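The request gate that points 2 and 4 together call for, as an added example that is not from the original article or any vendor's code: every request needs a valid session regardless of where it comes from, and every state-changing request must also carry a token bound to that session. The names `issue_csrf_token` and `authorize`, the per-boot key, and the session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the device generates this key at boot and never exposes it.
SERVER_KEY = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token the device embeds in its own forms for this session."""
    mac = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()


def authorize(method: str, session_id, sessions: set, submitted_token) -> bool:
    """Decide whether the management handler may run for this request."""
    # No session, no access: being on the local network proves nothing.
    if session_id is None or session_id not in sessions:
        return False
    if method.upper() not in STATE_CHANGING:
        return True   # read-only request; the session check is enough
    if not submitted_token:
        return False  # a cross-site page cannot read the token, so it is absent
    expected = issue_csrf_token(session_id)
    # Compare as bytes in constant time; also tolerates non-ASCII junk input.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


if __name__ == "__main__":
    # Constructed sample requests (not from any real device).
    live = {"sess-admin-1"}
    token = issue_csrf_token("sess-admin-1")
    print(authorize("POST", "sess-admin-1", live, token))  # device's own form
    print(authorize("POST", "sess-admin-1", live, None))   # forged cross-site POST
    print(authorize("POST", None, live, token))            # unauthenticated client
```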

5. STOP USING SO MUCH HTTP!

Even if you don’t access a device through a web browser, there is a good chance it is running a web server anyway. Web management interfaces for things like routers and smart home controllers are typically the biggest attack surface for a device. Although the management page of something like a router is used only very rarely, the HTTP server runs all the time just waiting for requests.

The use of an HTTP server means that an attacker hosting malicious web content (malvertising perhaps) has the ability to direct requests to the server. Even if CSRF mitigation is in place, vulnerabilities in the web server implementations themselves can often be lethal. As an example, several models of NETGEAR router that make use of a timestamp-based CSRF protection for all administrative functions could be trivially exploited through cross-site request forgery due to a ridiculous bug in the web server.

Ideally, I would like to see most device communication move away from HTTP to other more purpose-built protocols like MQTT, which should be generally immune to cross-site and cross-protocol exploitation attempts. In some cases like a configuration page, it may be the case that HTTP/HTTPS is the best option, but there is no reason for these systems to run all the time when they are only used very rarely.

An easy solution to this would be to require a button press (or some other non-HTTP trigger) to start the management interface and then have it automatically disable itself again after some specified timeout.
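A sketch of that button-triggered window, added here as an example and not taken from the original article. It assumes a hard deadline measured on a monotonic clock, so neither network requests nor a changed wall-clock time can keep the interface open; `ManagementWindow`, `replay`, and the 300-second timeout are hypothetical.

```python
import time


class ManagementWindow:
    """Gate for the HTTP management listener: closed unless a physical
    button press opened it within the last `timeout` seconds."""

    def __init__(self, timeout: float = 300.0, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock        # injectable so the logic can be tested
        self.opened_at = None     # None means the listener must be down

    def button_pressed(self) -> None:
        """Called from the button/GPIO handler, never from a network path."""
        self.opened_at = self.clock()

    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        if self.clock() - self.opened_at >= self.timeout:
            self.opened_at = None  # expired: caller should stop the listener
            return False
        return True

    def handle(self, request_path: str) -> int:
        """Return the HTTP status the device would send for this request."""
        # Requests never refresh opened_at, so a page that keeps polling
        # the device cannot hold the window open.
        return 200 if self.is_open() else 503


def replay(events, timeout=300.0):
    """Run constructed (time, event) pairs through the gate; return outcomes."""
    now = [0.0]
    gate = ManagementWindow(timeout, clock=lambda: now[0])
    out = []
    for t, event in events:
        now[0] = t
        if event == "button":
            gate.button_pressed()
        else:
            out.append((t, gate.handle(event)))
    return out
```

On a real device the closed state would mean the listener is not running at all; the 503 here only stands in for that in the simulation.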

CONCLUSION

These five relatively simple strategies are certainly not a complete list, but I do believe implementing them does a lot to reduce attack surface. With real-world IoT attacks on the rise with Mirai and now IoT Reaper, it is increasingly critical that we curtail the proliferation of Internet-connected devices lacking basic security controls.

 

via:  tripwire



Ransomware Attacker Demands $23K from Mecklenburg County

A criminal who infected the computer systems of Mecklenburg County with ransomware has demanded a ransom payment of $23,000 for the decryption key.

On 5 December, the government for Mecklenburg County, North Carolina informed its Twitter followers that it was “experiencing a computer-system outage.”

 


In a statement posted to the County’s website, government officials explain the impact of the incident:

“… [A]ll County-wide Information Technology Services (ITS) systems will be shut down until further notice. This will affect email, printing and other County applications, including the ability to conduct business at most County offices. At this time, there is no Estimated Time of Recovery (ETR) available.

Each County department is activating its Continuity Of Operations Plan, which is designed to address situations like this. If you are planning to go to a County office to conduct business, please contact the office prior to going to ensure you can be served.”

Mecklenburg County doesn’t go into further detail about what happened. Local news outlets do, however.

According to the Charlotte Observer, the County suffered a ransomware attack when an employee opened a malicious email attachment. The unknown ransomware subsequently encrypted the County’s files. International Business Times reports that the attachment also loaded a crypto-mining program designed to consume the County’s collective network CPU to mine for Bitcoin.

Officials have until 13:00 Wednesday to meet the attacker’s demands of $23,000 for the decryption key.

County Manager Dena Diorio says she’s still deciding whether to fulfill that demand. She told the Charlotte Observer it’s a tough choice that involves many elements of uncertainty:

“If you pay the bitcoin, there is always a risk they won’t give you the encryption key. And they could go back for more (money). We need to determine how much it would cost (to pay) versus fixing it on our own. There are a lot of places that pay because it’s cheaper.”

As of this writing, Mecklenburg County is working with third-party experts to figure out what to do. Several of its departments are attempting to switch to paper in the meantime so that they can continue to do business.

Diorio doesn’t think the County was targeted specifically, which points to the reality that ransomware threatens all organizations and users. It’s essential, therefore, that companies invest in security controls such as data backups.

News of this attack comes close to a year after a county located in Ohio suspended its IT system following a ransomware attack that affected computers inside its government center.

 

via:  tripwire

