The Internet of Things loves to share

Subject: General Tech | November 26, 2015 - 12:22 PM |
Tagged: idiots, iot, security

You would think people would be taken aback if someone suggested saving money by using the same key on every new house built in a neighbourhood; if so, you don't work for the companies developing hardware for the Internet of Things. In a recent survey of 4,000 embedded devices from 70 hardware makers, Sec Consult found that many had the same hardwired SSH login keys and server-side SSL certificates. The numbers they provided The Register: a total of 580 private keys were found distributed over all the analyzed devices, of which at least 230 are already in use on the internet. To be fair, this is not uncommon in consumer-level firmware, as companies do not even bother to check over the source code, let alone change the security keys held within, but it is a huge security risk. For a glimpse at how bad some of these supposedly secure certs and keys are, read on at The Register.

"Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

What the hell Dell?

Subject: General Tech | November 24, 2015 - 12:42 PM |
Tagged: dell, superfish, security, edellroot

As Scott mentioned yesterday, Dell refused to learn from Lenovo's lesson and repeated the exact same mistake with eDellRoot, a self-signed root CA cert with an unknown purpose. Unlike SuperFish, which was there to allow targeted ads to be displayed, eDellRoot serves an unclear purpose apart from a mention of Microsoft-like "easier customer support", but it exposes you to the exact same security risks as SuperFish does. You could remove the cert manually; however, as it resides in Dell.Foundation.Agent.Plugins.eDell.dll, it will return on next boot and can return on fresh Windows installs via Dell driver updates, something which will be of great concern to their business customers.

Dell has finally responded to the issue: "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability." Dell also provided a process to remove the certificate from the machine permanently in this Word Document. You can check for the presence of the cert on your machine in those two links.

However, the best was yet to come, as researchers have found a second cert, as well as an expired Atheros Authenticode cert for Bluetooth and private key, on a limited number of new Dell computers. As Dell made no mention of these additional certificates in their statement to the press, it is hard to give them the benefit of the doubt. The Bluetooth cert will not make you vulnerable to a man-in-the-middle attack; however, the second cert is as dangerous as eDellRoot and can be used to snoop on encrypted communications. The second cert was found on a SCADA machine which is, as they say, a bad thing.

We await Dell's response to the second discovery, as well as further research to determine how widespread the new certs actually are. So far Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops have been found to contain these security issues. The chances of you falling victim to a man-in-the-middle attack thanks to these security vulnerabilities are slim but not zero, so be aware of them and keep your eyes out for them on your systems. With Lenovo and Dell both being caught, it will be interesting to see if HP and other large vendors will learn this lesson or if it will take a third company being caught exposing their customers to unnecessary risks.

"A second root certificate and private key, similar to eDellRoot along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert."

Source: Slashdot

Should you fear SilverPush?

Subject: General Tech | November 20, 2015 - 02:22 PM |
Tagged: security, silverpush, fud

SilverPush has been around for a while but was recently reverse-engineered so that it could be investigated by anyone with an interest in their phone's security. It is software that is often bundled in advertisements or streamed media and that takes advantage of your phone's far greater range of audio sensitivity and the fact that you can communicate information via audio signals. This could allow an app to communicate with your phone without your knowledge, to collect data from your phone or even to provide contextual ads on your phone.

However, as you can see from the list of apps which The Register links to, there is not much likelihood that you have an app which has SilverPush enabled installed on your phone, and that is the real key. If you do not have an app which is listening for audio signals on those frequencies then you will not suffer the effects of SilverPush. The moral of the story is that your phone's security starts with you; if you download random free apps and allow them full access to your phone then you should not be surprised by this sort of thing.

"SilverPush's software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software."

Source: The Register

Jamming WiFi on the cheap

Subject: General Tech | October 13, 2015 - 01:07 PM |
Tagged: security, Raspberry Pi

With a Raspberry Pi and a cheap WiFi dongle, a researcher has shown an effective way to completely block 2.4GHz transmissions in a 120 metre radius. By disabling the backoff wait time, aka Short Interframe Space (SIFS), which is accomplished by firmware modification, the WiFi dongle will continually resend a frame and block any device with a higher bitrate. This will block WiFi, Bluetooth and most IoT devices, including security systems. They did not provide the source code used in this procedure, so you won't be able to block your friends for your own amusement, but security researchers can reach out to the inventor for access to see if there are ways to circumvent this vulnerability. The story at The Register also has some information on TKIP vulnerabilities and possible ways to block transmissions on the 5GHz band.

"The wireless security boffin presented his work at the BruCon conference last week and revealed his weapon of choice is a bargain WiFi dongle bought off Amazon that, when paired with a Raspberry Pi and a small amplifier, can block 2.4Ghz transmissions for up to 120 metres."

Source: The Register

Google your local nuclear plant's infrastructure? That's not terrifying at all.

Subject: General Tech | October 6, 2015 - 01:11 PM |
Tagged: nuclear, security

Stuxnet hit the news five years ago when it was discovered infecting the industrial Supervisory Control And Data Acquisition systems of factories all across the world, up to and including nuclear plants.  The breadth of the attack was a bit more than what Israeli intelligence and the NSA originally intended but they did succeed in severely damaging their actual target which was an Iranian uranium enrichment plant.  Unfortunately it seems the development of Stuxnet might have been somewhat of a waste of resources as they could probably have achieved the same results with a simple man in the middle attack. 

Chatham House recently released a report on the state of security in nuclear power plants and facilities across the globe, and the results are horrifying to say the least. From the overview that The Register provides, the level of security present in many of these facilities is commensurate with your average high school. The idea that these plants are air-gapped is a fallacy, and the code for the control systems can be easily altered remotely without the need to design a complex virus to infect them. Thankfully it is very difficult to cause a nuclear plant to go critical, but these vulnerabilities can still cause damage to machinery and interfere with the plant's ability to provide power to customers. You may not want to read the whole story if you want to sleep well tonight.

"The report adds that search engines can "readily identify critical infrastructure components with" VPNs, some of which are power plants. It also adds that facility operators are "sometimes unaware of" them."

Source: The Register

You thought Stagefright was just taking a bow? Surprise! It's an encore.

Subject: General Tech | October 1, 2015 - 12:44 PM |
Tagged: stagefright, security, Android

Assuming you have a carrier with a sense of responsibility and a reasonably modern phone, the chances are you are patched against the original Stagefright vulnerability. This is not the case for the recently reported vulnerabilities dubbed Stagefright 2.0. If you open a specially and nefariously modified MP3 or MP4 file in Stagefright on Android 5.0+, it has been confirmed that those files can trigger remote code execution via libstagefright. If you are on an older model then the vulnerability lies in libutils and can be used for the same purpose, gaining access to the data stored on your device. From the security company reports that The Register has linked, it sounds like we can expect many repeat performances, as the Stagefright library was poorly written and contains many mistakes; worse is the fact that it is not sandboxed in any way and has significantly higher access than an application for playing media files should ever have.

"Joshua Drake from the security outfit Zimperium zLabs introduced us to StageFright earlier this summer, and he is now back with a similar warning and a brace of problems, according to a post on the Kaspersky Threatpost news site."

Source: The Register

'Learn to trust us, because we're not about to stop.'

Subject: Editorial, General Tech | September 29, 2015 - 03:30 PM |
Tagged: trust, security, rant, microsoft, metadata, fud

Privacy of any nature when you utilize a device connected to the internet is quickly becoming a joke and not a very funny one. Just to name a few, Apple tracks your devices, Google scans every email you send, Lenovo actually has two programs to track your usage and of course there is Windows 10 and the data it collects and sends.  Thankfully in some of these cases the programs which track and send your data can be disabled but the fact of the matter is that they are turned on by default.

The Inquirer hits the nail on the head: "Money is simply a by-product of data." This is a fact which online sites such as Amazon and Facebook have known for a while and which software and hardware providers are now figuring out. In some cases an informed choice to share personal data is made, but this is not always true. When you share to Facebook or post your Fitbit results to the web you should be aware you are giving companies valuable data; the real question is about the data and metadata you are sharing of which you are unaware.

Should you receive compensation for the data you provide to these companies?  Should you always be able to opt out of sharing and still retain use of a particular service?  Perhaps the cost of utilizing that service is sharing your data instead of money?   There are a lot of questions and even a lot of different uses for this data but there is certainly no one single answer to those questions. 

Microsoft have been collecting data from BSoDs for decades and Windows users have all benefited from it, even though there is no opt out for sending that data. On the other hand, is there a debt incurred towards Lenovo or other companies when you purchase a machine from them? Does the collection of patterns of usage benefit Lenovo users in a similar way to the data generated by a Windows BSoD, or does the risk of this monitoring software being corrupted by others for nefarious purposes outweigh any possible benefits?

Of course this is only the tip of the iceberg. The Internet of Things is poised to become a nightmare for those who value their security, and there are numerous exploits to track your cellphone that have nothing to do with your provider. Just read through the Security tag here on PCPer for more examples if you have a strong stomach.

Please, take some time to think about how much you value your privacy and what data you are willing to share in exchange for products and services.  Integrate that concern into your purchasing decisions, social media and internet usage.  Hashtags are nice, but nothing speaks as loudly as your money; never forget that.

"MICROSOFT HAS SPOKEN out about its oft-criticised privacy policies, particularly those in the newly released Windows 10, which have provoked a spike in Bacofoil sales over its data collection policies."

Source: The Register

PINs and Patterns are preferable after this Android 5 issue

Subject: General Tech | September 16, 2015 - 12:49 PM |
Tagged: hack, smartphone, Android, security

You can see in the video that The Register linked to that this particular vulnerability is neither quick nor elegant, but it is most certainly effective. By entering an extremely long string of digits into the password field, accomplished with multiple copies and pastes, while the camera app is active, you can cause the lock screen application to crash on all but the newest version of Android 5. Unfortunately the effect of that crash is to drop you onto the phone's home screen, thus allowing complete access to the phone. If you are running a version of Android 5 you should consider switching to a PIN or pattern unlock, at least for the time being.

"If you've got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it's best to use a PIN or pattern to secure your lock-screen – because there's a trivial bypass for its password protection."

Source: The Register

Intel is offering a much better deal than "Hack your car; go to jail"

Subject: General Tech | September 15, 2015 - 12:58 PM |
Tagged: security, Intel, hack

Intel is bucking the trend of FUD and overreaction when someone reveals a major flaw in a product that is on the market and is instead rewarding those who find ways to hack their automobiles. As we have seen recently, remotely exploiting onboard software and causing a car to crash is no longer something only possible in the movies, and it seems that Intel is far more interested in working towards secure solutions as opposed to the auto manufacturers' reliance on lawsuits and security through obscurity. Intel's Automotive Security Review Board is looking for bright-minded individuals who will help bring PC-style security to cars and is offering a free car (or cash equivalent) to the member who provides the best contribution. Check out the links at The Register if you are interested.

"Intel is getting serious – dead serious, apparently – about car hacking. And nothing says serious like a prize giveaway. If you join Chipzilla's new Automotive Security Review Board and make all the right noises, you can win a free new ride."

Source: The Register

Move over Twinkies and cockroaches; meet the unkillable cookie

Subject: General Tech | August 18, 2015 - 01:11 PM |
Tagged: super cookie, security

Congratulations, if you use Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefónica de España, Viettel Peru S.a.c., Vodafone NL or Vodafone Spain as your provider, your browsing is being tracked and there is nothing you can do about it. These providers have assigned your device a unique token which the provider injects into every HTTP request your device makes; the cookie is actually external to your device and so you have no way to remove it. You will see targeted ads based on your browsing no matter how many times you remove cookies or even factory reset your phone. Verizon has now made it an opt-out feature and The Register has been told that AT&T no longer injects the 'super cookie' into headers, but based on businesses' recent behaviour it is probably because they have found a better way to track you.

"At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study."

Source: The Register