Security News

14/May/2020     Consumer IoT Devices: 50% actively spying on you

Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. [...] Using the largest known set of controlled experiments (34,586) comprising 81 devices in the US and UK, along with uncontrolled experiments consisting of an IRB-approved user study, we are the first to quantify such information exposure across different networks, geographic regions, and interactions with devices.

• Information exposure from consumer IoT devices - moniotrlab.ccis.neu.edu

• Yes, China is probably watching us through our IoT devices - www.digitaltrends.com

19/Jul/2018    IOT vulnerabilities let hackers spy on victims

Vulnerabilities discovered in IOT devices, with Wi-Fi capabilities and smartphone-controlled navigation controls, would allow control over the device as well as the ability to intercept data on a home Wi-Fi network. "That's not even the worst-case scenario, at least for owners"...

• Experimental security assessment of BMW cars - keenlab.tencent.com

• Detecting IoT user behavior and sensitive information in encrypted IoT-app traffic - www.mdpi.com

• IOT robot vacuum vulnerabilities let hackers spy on victims - www.threatpost.com

• Authenticated remote code execution vulnerability - Positive Technologies

• A firmware update process executes code as root - Positive Technologies

18/May/2018    NSA backdoors and bitcoin

Many cryptographic standards widely used in commercial applications were developed by the US Government's National Institute of Standards and Technology (NIST). Normally government involvement in developing ciphers for public use would throw up red flags, however all of the algorithms are part of the public domain and have been analyzed and vetted by professional cryptographers who know what they're doing. Unless the government has access to some highly advanced math not known to academia...

• NSA backdoors and bitcoin - Escape Velocity

• Unexpected ways in which bitcoin dodged some cryptographic bullets - www.bitcoinmagazine.com

04/Mar/2017    SHA1 has been broken - Upgrade to SHA2!

SHA-1 is weak and can't be trusted. This is bad news because the SHA-1 hashing algorithm is used across the internet, from Git repositories to file deduplication systems to HTTPS certificates used to protect online banking and other websites. Now researchers at CWI Amsterdam and bods at Google have managed to alter a PDF without changing its SHA-1 hash value. Now you can trick someone into thinking the tampered copy is the original. The hashes are completely the same.

• First ever SHA1 hash collision calculated - www.theregister.co.uk

• We have broken SHA-1 in practice - www.shattered.io

• The first collision for full SHA-1 - www.marc-stevens.nl

02/Mar/2017    Hidden backdoor found in chinese internet of things devices

The Telnet interface of the GoIP is documented as providing information for users of the device through the use of logins "ctlcmd" and "limitsh". An additional undocumented user, namely "dbladm" is present which provides root level shell access on the device. Instead of a traditional password, this account is protected by a proprietary challenge-response authentication scheme.

• We found a hidden backdoor in chinese internet of things devices - www.theregister.co.uk

• Undocumented backdoor account in dbltek goip - www.trustwave.com

08/Feb/2017    Faulty emulators - A threat for your machinery

Installing a faulty emulator on your machinery is a severe threat, specially when it's about emulators with internal design flaws that may show up only after a long term usage. Checking the lifetime and endurance of the media supports being used inside your emulators, and apply preventive maintenance is not enough. Emulators should be ground checked before installation on machinery, to make sure that no crash test reports have been created by other "unlucky" customers and related security alerts issued.

• Accudual - SCSI emulator - crash test report

• Accudual - SCSI emulator - crash test report

• Sintechi - CF/SDCARD emulator - crash test report

• Adtron - SCSI emulator - crash test report

15/May/2015    Sourceforge & Slashdot - The ultimate spy

It's important to check and be aware of the privacy policy that is being applied by different platforms & services. Some privacy policies are really too extended and intrusive. Should you explicitely (or implicitely!) accept them, then you are de facto completely giving away any right to have a minimum degree of privacy.

• Sourceforge & Slashdot - The ultimate spy - www.slashdotmedia.com

23/Jan/2014    Skype, Google, Microsoft, ... they are all spying us

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

• Skype with Care - Microsoft is Reading Everything you Write - www.h-online.com

• Whistleblower - Google Chrome Can Listen to Your Conversations - www.infowars.com

12/Nov/2012    All the crypto code is probably broken

Do you keep up on the latest proceedings of the IACR CRYPTO conference? No? Then chances are whenever you have tried to use a cryptographic library you made some sort of catastrophic mistake which would lead to a complete loss of confidentiality of the data you're trying to keep secret.

• All the Crypto Code You've Ever Written is Probably Broken - www.tonyarcieri.com

• Defeating Encrypted and Deniable File Systems: TrueCrypt - www.schneier.com

• TrueCrypt is Now Detectable - www.forensicinnovations.com

• The Future of the Internet - The End of Crypto

02/Jul/2012    The Flame attack

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.

Discovery

• Iran Confirms Attack by Virus That Collects Information - www.nytimes.com

• Identification of a New Targeted Cyber-Attack - www.certcc.ir

Cyber-Warfare

• Why Flame Can't Be the World's Most Complex Malware - www.cso.com.au

• US, Israel's electronic attacks on Iran and Palestinians - www.electronicintifada.net

• Stuxnet Expert Calls US the "Good Guys" in Cyber-Warfare - www.arstechnica.com

Deep in Details

• Back to Stuxnet: the Missing Link - www.securelist.com

• The Flame: Questions and Answers - www.securelist.com

• sKyWIper (Flame): A Complex Malware for Targeted Attacks - www.crysys.hu

15/Jan/2011    The Stuxnet Worm analysis

The worm itself now appears to have included two major components. One was designed to send Iran's nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

Cyber-Warfare

• Israeli Test on Worm Called Crucial in Iran Nuclear Delay - www.nytimes.com

• A Report about Stuxnet Activity In IRAN - www.u0vd.org

Deep in Details

• www.digitalbond.com

• Report on the Worm Stuxnet Attack [www.antiy.net]

• Stuxnet - Case Technology White Paper - www.casecomms.com