Home > Resources > Security News
Security News
14/May/2020
Consumer IoT Devices: 50% actively spying on you
Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality
for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy
risks, since these devices can communicate information about their users to other parties over the Internet.
[...] Using the largest known set of controlled experiments (34,586) comprising 81 devices in the US and UK,
along with uncontrolled experiments consisting of an IRB-approved user study, we are the first to quantify such
information exposure across different networks, geographic regions, and interactions with devices.
19/Jul/2018 IOT vulnerabilities let hackers spy on victims
Vulnerabilities discovered in IOT devices, with Wi-Fi capabilities and smartphone-controlled navigation
controls, would allow control over the device as well as the ability to intercept data on a home Wi-Fi network.
"That's not even the worst-case scenario, at least for owners"...
18/May/2018 NSA backdoors and bitcoin
Many cryptographic standards widely used in commercial applications were developed by the US
Government's National Institute of Standards and Technology (NIST). Normally government
involvement in developing ciphers for public use would throw up red flags, however all of the
algorithms are part of the public domain and have been analyzed and vetted by professional
cryptographers who know what they're doing. Unless the government has access to some highly
advanced math not known to academia...
04/Mar/2017 SHA1 has been broken - Upgrade to SHA2!
SHA-1 is weak and can't be trusted. This is bad news because the SHA-1 hashing algorithm
is used across the internet, from Git repositories to file deduplication systems to HTTPS
certificates used to protect online banking and other websites. Now researchers at CWI Amsterdam
and bods at Google have managed to alter a PDF without changing its SHA-1 hash value. Now you can
trick someone into thinking the tampered copy is the original. The hashes are completely the same.
02/Mar/2017 Hidden backdoor found in chinese internet of things devices
The Telnet interface of the GoIP is documented as providing information for users of the
device through the use of logins "ctlcmd" and "limitsh". An additional undocumented user,
namely "dbladm" is present which provides root level shell access on the device. Instead of
a traditional password, this account is protected by a proprietary challenge-response
authentication scheme.
08/Feb/2017 Faulty emulators - A threat for your machinery
Installing a faulty emulator on your machinery is a severe threat, specially when it's
about emulators with internal design flaws that may show up only after a long term usage.
Checking the lifetime and endurance of the media supports being used inside your emulators,
and apply preventive maintenance is not enough. Emulators should be ground checked before
installation on machinery, to make sure that no crash test reports have been created by
other "unlucky" customers and related security alerts issued.
15/May/2015 Sourceforge & Slashdot - The ultimate spy
It's important to check and be aware of the privacy policy that is being
applied by different platforms & services. Some privacy policies are really
too extended and intrusive. Should you explicitely (or implicitely!) accept them,
then you are de facto completely giving away any right to have a minimum degree
of privacy.
23/Jan/2014 Skype, Google, Microsoft, ... they are all spying us
Anyone who uses Skype has consented to the company reading everything they write.
The H's associates in Germany at heise Security have now discovered that the
Microsoft subsidiary does in fact make use of this privilege in practice.
Shortly after sending HTTPS URLs over the instant messaging service, those
URLs receive an unannounced visit from Microsoft HQ in Redmond.
12/Nov/2012 All the crypto code is probably broken
Do you keep up on the latest proceedings of the IACR
CRYPTO conference? No? Then chances are whenever you have tried to use a
cryptographic library you made some sort of catastrophic mistake which
would lead to a complete loss of confidentiality of the data you're
trying to keep secret.
02/Jul/2012 The Flame attack
The computers of high-ranking Iranian officials appear to have
been penetrated by a data-mining virus called Flame, in what may be the
most destructive cyberattack on Iran since the notorious Stuxnet virus,
an Iranian cyberdefense organization confirmed on Tuesday.
Discovery
Cyber-Warfare
Deep in Details
15/Jan/2011 The Stuxnet Worm analysis
The worm itself now appears to have included two major components.
One was designed to send Iran's nuclear centrifuges spinning wildly out of control.
Another seems right out of the movies: The computer program also secretly recorded
what normal operations at the nuclear plant looked like, then played those readings
back to plant operators, like a pre-recorded security tape in a bank heist, so that
it would appear that everything was operating normally while the centrifuges were
actually tearing themselves apart.
Cyber-Warfare
Deep in Details