It seems that it is time once again to talk about the relationship between software vendors and the security posture of different business verticals. Why are we beating this particular dead horse? Well, with the Covid-19 pandemic, the rush to shift to a remote workforce, and an increase in attacker activity aimed at the remote workforce and healthcare, you would think that there would be an increased level of effort to fix vulnerabilities in remote access and healthcare services software. If you thought that, you would be wrong. Instead, during this time, we are seeing more software vendors pushing FDA as law and healthcare organizations even refusing opportunities to patch critical software. This is on top of an extremely slow response to threats to the remote workplace.
In December 2019 a new virus was detected in Wuhan, China. This virus (COVID-19 or the Coronavirus) has spread rapidly throughout China and the rest of the world. With its apparent ease of transmission and difficulty of detection (early stages can look like the flu), many companies are looking into allowing employees to work from home more in an effort to slow down the spread of this potentially deadly virus. The question is, are these companies really ready to have so many people connecting in from home, or are we potentially opening up a massive hole that threat actors are bound to exploit?
The IT security industry has spent billions of dollars on software to keep you “safe” from malware and attackers. Whether that money was spent on marketing or actual product improvement is up for debate. Still, the fact remains that each year we hear about new advances that can keep you and your systems safe from malware and/or threat actors. Almost all of these systems rely on software to do their job and in most cases cannot even see beyond the OS they reside on. This focus has caused the development of a massive blind spot: hardware-based attacks.
Although this is not a new subject here at DecryptedTech, we thought it was time for us to dive into three serious issues in the security world (out of many). The three we are covering today are emerging technologies, stale technologies, and how the security, and IT, skill set seems to be diminishing. All three are cause for concern and are often seen as at least contributing factors in breaches. What makes this more interesting is that in many cases the three are connected.
When you think about operating system updates you probably do not think about the security team. Sure, there are security patches and such, but those are on the operations team and not really pushed out by the security team. Well, that is when they are done properly by the OS vendor.
Technology has brought us a ton of interesting and fun devices. We have smart phones, Smart TVs, Wireta… I mean home personal assistants and even home automated brewing systems. The latter is going to be the subject of our review today. The concept of home brewing is not new at all. People have been spending lots of money to boil grain (and adding hops) to ferment it into the magnificent substance we call beer. However, boiling grain and inserting hops into your different mash stages can be both boring and time consuming for many. Enter IoT and the concept of the connected device. Beer enthusiasts realized that they could use a certain level of technology to pre-program temperature, mash time, bittering, etc. all into a computer and push that information to the cloud. There are a few products on the market that fit this bill; today we will be looking at one of the more popular and efficient systems, the Pico Pro. The Pico Pro is not new technology, but I felt it was time to take a look at this from both an “it makes beer” and a technology perspective.
When Red Digital Cinema first announced they were looking to build a phone many people were very interested. The idea that the company who turned the world of cinema cameras on its head taking on the stagnant world of smartphones with mediocre cameras was a big one. Sadly, after the announcement there were significant delays for the new device. Happily, for the rest of the smartphone world, newer generations of cameras and camera software began to up their game on what we can do with our smartphone cameras. Still, this is Red we are talking about here, so despite these advances they were sure to have a significant product. If you read most of the “reviews” out there you would not think that was the case. Personally, I was not deterred by the reviews as most of them came off as incomplete. I decided to take it for a spin, but not a quick 15 minutes, but a 30-day plus test run including taking it around to get reactions from other people. So, with that in mind, let’s see what we found.
It seems that PC makers are not happy with Intel’s Management Engine (IME) and the flaws that keep being found in it. The original flaw allowed attackers a clean way to compromise a system, including uploading malware and exfiltrating data. This could be done in a way that bypassed most security systems and even allowed for tampering with the UEFI BIOS if the attacker was sophisticated enough. To their credit, Intel did warn people and manufacturers about this and patched it fairly quickly. The problem is, now that the cat is out of the bag about one flaw, there are sure to be more.
Every now and then, we get a chance to take a look at something that is a little outside of the tech world. A few months ago, as I was contemplating a vlog series entitled “Bits, Bytes and Beer”, we received a very cool package in the mail. It was a set of shot glasses made from Himalayan Pink Rock Salt. It seemed a very fortuitous product to hit our lab and one that we certainly want to go into detail on now. So, let’s take a quick look at the Root7 Pink Himalayan Rock Salt shot glasses.
Def Con 25, Las Vegas, NV –
Your phone rings and you check the number as a precaution against marketing calls, and it looks like it is from your office. The voice on the other end says that there is an issue on the network and they need your assistance to troubleshoot. The person is calm, friendly and helpful, so you agree to assist. By the time it is all done you have inadvertently given away vital information about your network to a potential attacker.