The Internet of Things, or IoT, Connected Devices, Smart devices whatever you want to call them have become a fixture in most homes. It has gotten to the point where you have to look hard to find a device that is not “Smart”. Manufacturers love to push the marketing term smart onto the consumer as it becomes a value add proposal; hey this can do all of this and you can control it using your phone from anywhere. What they do not disclose is exactly how insecure these devices are and how much privacy you can end up giving up just by having them in your home.
Black Hat 2016, Las Vegas, NV
We had the chance to sit down with Chris Carlson, vice president of product management for Qualys and talk a little about what Qualys is up to and where they are moving to in the security market. For many Qualys is a name that brings vulnerability management and reporting to mind. This is due to the fact that this has been their bread and butter for a number of years. Now they are moving into new verticals in the market to expand on their knowledge in this arena. One of the highlights of the talk was in coving their Cloud Agent which brings a whole new set of features to the Qualys product line.
Last year at Black Hat we had an interesting conversation with Tammy Moskites from Venafi. Although Tammy is both the CIO and CISO of Venafi the conversation did not focus on that company or the product as a whole. Instead we talked at length about trust and controlling the keys to data and devices. This conversation is still a very important one as continue to see attacks and vulnerabilities in the systems that control access to and the encryption of important data.
These days it is not unheard of for something as simple as a printer to have all sorts of bells and whistles. You can find wireless, remote file access, remote (web) printing and more. These devices also have very advanced controls that are often accessible through a web interface. All of this technology can be had for very little money making advanced printers a common thing in the market. The downside? Well there is also very little security in these products. Walking through a business the other day with my WiFi sniffer on I found multiple, unprotected wireless networks screaming at me to join. Without exception these were all printers connected to the company’s network. All easy prey if I was up to no good.
In the last week the world saw what appeared to be another attempt to violate privacy by government law enforcement. In this case the FBI opened a “pilot” program to capture iris imprints for a searchable database. To date they have captured more than 400,000 of these imprints. The major concern here is that there was (and remains) no public debate, or oversight on the program. The program stands on its own outside the many restrictions that protect privacy and also other rights that people have. Well at least that is how things look on the surface. We took a little bit of a deeper look and tried to peel away some of the FUD and hype over the collection.
It seems that the US Air Force has taken a pretty big hit when it comes to the storage of the data related to internal investigations. The system that they have been using has had a glitch that resulted in the loss of around 12 years of data. Normally this would only be a big deal until the backup was restored, but… there was no back up of this data as a complete set. There might be subsets of this data in other systems scattered throughout the US Air Force systems, but even that is not for sure.
We have written numerous articles on how bad corporate mentality is shaping security and risking your data, but we have one more to share with you today. We can also guarantee that this will not be the last one we write about. According to news reports the company EagleSoft has responded to a security researcher (part time) by asking the FBI to treat him like a criminal, instead of just fixing the issue as reported. The researcher’s name is Justin Shafer and his crime was reporting unencrypted patient data left on an open FTP server by EagleSoft. The FTP server did not require a logon to access the data, but EagleSoft, in order to protect themselves are trying to play this off as a criminal act.
It seems that the recent $81 million dollar attack against the Bangladesh Central Bank might have also been about the Seth Rogan Movie “the interview”... ok, not really, but the attack that happened at Sony in 2014 seems to have many things in common with the recent attack that resulted in the theft of $81 million. During the Sony attack the initial blame was centered on the release of the Interview, but that was never confirmed and seemed to be way off base.
Three years ago today DecryptedTech published an article calling out a software distribution company for installing Bitcoin mining software on subscribers’ systems. We highlighted the danger of the trust people put in web services by allowing agent software to run on their systems in order to use a service. Now we hear about a French company Tuto4PC that has taken this one step further and included some nasty little surprises in a utility they require for use of their free tutorial service. The discovery was made by Cisco’s Talos Security Intelligence group and, of course, is being refuted aggressively by the guys at Tuto4PC.
There is nothing like finding out that all of your protections are useless. This is almost what happened when security researchers found a massive hole in the Windows App Locker protection. Although the news that there is a flaw in any software, much less Windows will come as no surprise it is still a little odd that this one made it through QA testing. The flaw is one that very simple and has already been seen in the wild over the last couple of days. All you need to do to execute code on a system is to direct Regsvr32 to a remotely hosted file. Security researcher Casey Smith found this handy little tidbit of information and states that you do not even need to elevate privileges to get it to work.