Tag Archives: question

[ISN] When the Internet of Things Starts to Feel Like the Internet of Shit

motherboard.vice.com/read/when-the-internet-of-things-starts-to-feel-like-the-internet-of-shit
By Lorenzo Franceschi-Bicchierai, Staff Writer
Motherboard.vice.com
December 17, 2015

If you listen to tech companies’ marketing reps, the future is made of internet connected devices that seamlessly talk to each other, as well as your smartphone, and turn your good-old house into a truly sci-fi-esque smart home where you don’t even need to think about turning up the heat or turning off the lights. Behold the shiny and intelligent future of the Internet of Things.

What they don’t tell you is that as we put software into old-fashioned home appliances, there will be bugs that’ll make those appliances useless. The WiFi goes down? Put on a sweater because your smart thermostat might stop working. A lightbulb malfunctions? Your whole smart home stops working. And with bugs, there will be hackers ready to exploit them, either to creep out babies through hackable baby monitors, or to steal Gmail credentials through smart fridges.

But that hasn’t stopped companies and questionable visionaries from imagining internet connected air fresheners, toilet paper holders, and even jump ropes.

As more things from the Internet of Things start trickling into people’s homes, one Twitter account called “Internet of Shit” has been trying to shine a light into this bizarre and scary future with a steady stream of funny and smart (as in clever, not internet-connected) jokes.

[…]

[ISN] Police make arrest in hack of toymaker VTech, which exposed data on 6 million kids

www.chicagotribune.com/business/ct-vtech-toy-hack-20151216-story.html
By Andrea Peterson
The Washington Post
December 16, 2015

Police in Britain arrested a 21-year-old man Tuesday as part of an investigation into the massive hack against Hong Kong-based toymaker VTech.

VTech sells popular toys for young children, including smartwatches and tablets. The November breach of several company databases exposed information about approximately 5 million adults and more than 6 million children around the world, including names, genders and birth dates. The tech website Motherboard reported that pictures, chat logs between parents and their children, and audio recordings also were leaked, but the company has said it “cannot confirm” that data was reached by the hacker.

VTech’s systems were reportedly vulnerable to a well-known hacking technique. The alleged hacker told Motherboard that he attacked the company and then went to the media to highlight its poor security practices.

The incident raised new questions about the digital security of toys at a time when big corporations are increasingly marketing dolls and other devices that connect to the Internet and collect data about children. This month, researchers publicly disclosed security problems with Hello Barbie, a new doll that relies on artificial intelligence and an online connection to carry on conversations with children. ToyTalk, the company behind Hello Barbie’s voice features, worked with the researchers to help fix “many of the issues they raised” before they were revealed.

[…]

[ISN] ‘Most complex malware ever’: Security experts smash system that stole cash from millions

www.rt.com/news/323641-modpos-complex-cash-malware/
RT.com
27 Nov, 2015

Security experts have exposed a cash register malware of previously unseen complexity and secretiveness. It is unknown who created the virus and profited from it, but it has been stealing personal data for years, affecting millions of people.

Malware, or ‘malicious software’, is software that is used to disrupt computer systems or gather secret or sensitive information from them.

The malware in question, dubbed ModPOS (for Modular Point Of Sale), has been exposed by security experts from cyber intel firm iSight, who say they’ve seen nothing like it in eight years of exploring malicious point-of-sale (POS) software. It took three weeks of constant work for the researchers to perform reverse engineering of the ‘scumware’, compared to the no more than half an hour usually needed to crack most POS malware.

[…]

[ISN] A change in wording could attract more women to infosec

www.csoonline.com/article/3005406/it-careers/a-change-in-wording-could-attract-more-women-to-infosec.html
By Lysa Myers
CSO
Nov 17, 2015

Information security is an endeavor that is frequently described in terms of war: Red team. Blue team. White hat. Black hat. Battle plan. Kill chain. Command and Control. Trojan horse. Payload. Demilitarized zone. Reconnaissance. Infiltration. Adversary. But what would the gender balance of this industry be like if we used more terms from other disciplines?

At the recent National Initiative for Cybersecurity Education (NICE) conference, I found myself in several discussions about the possibility that battlefield verbiage caused girls to avoid pursuing InfoSec careers. Answering the question above is not a simple task, but we may take some clues from history, as well as other industries, to view the possibilities.

The biggest reason we use so many battle-related security phrases is probably because the military has long been an incubator for new technology. Protecting that machinery and knowledge from prying eyes is no small feat; the military trains and employs a great number of people to secure its systems. As a result, many people involved in cybersecurity started their careers in military or government organizations.

As far as gender imbalances go, the military is nearly as lopsided as the InfoSec industry: 14.5 percent of the active duty force as of 2013 was comprised of women, with only 7.1 percent of the top ranks being held by women. In cybersecurity specialties 14 percent of personnel are female. Though, as is described in the previous link, many of those women have gone on to high-ranking positions in government and private sector organizations.

[…]

[ISN] When Security Experts Gather to Talk Consensus, Chaos Ensues

http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/
By Kim Zetter
Security, Wired.com
10.01.15

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements.

That’s the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs?

The participants hit another sticking point when they tried to determine if they should hold a second meeting. “I spent $2,000 [to come to this meeting],” Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there’s a second meeting, “should at least be an option” for discussion.

[…]

[ISN] Can the U.S. Stop Chinese Hackers? Q&A With Cyber Sleuth Austin Berglas

http://blogs.wsj.com/chinarealtime/2015/09/24/can-the-u-s-stop-chinese-hackers-qa-with-cyber-sleuth-austin-berglas/
By Josh Chin
The Wall Street Journal
Sep 24, 2015

Is there anything the U.S. can do to stop Chinese hackers from getting into sensitive computer networks? The short answer, according to former Federal Bureau of Investigation cyber sleuth Austin Berglas, is not really.

It’s a question that looms large over Washington D.C. as it prepares to welcome Chinese President Xi Jinping for a state visit. Mr. Xi rolls into town just a few months after Chinese hackers were fingered as the main suspects in the worst-ever publicized breach of U.S. government computer systems: the cybertheft of personal information on at least 21 million government employees and contractors from the Office of Personnel Management.

As head of the cyber branch in the FBI’s New York office, Mr. Berglas spent years tracking and battling intrusions by state-sponsored hackers into strategic U.S. networks. He recently jumped to the private sector, taking up a position as senior managing director with cyber defense firm K2 Intelligence.

With new insight emerging into the Chinese military’s role in hacking, China Real Time’s Josh Chin recently sat down with Mr. Berglas to discuss how Chinese hackers work and whether a recent U.S. threat of sanctions is likely to slow them down.

[…]

[ISN] NCSC says OPM hack exposing data of 21 million wasn’t their responsibility

http://www.theguardian.com/us-news/2015/sep/16/ncsc-opm-hack-wasnt-their-responsibility
By Sam Thielman
The Guardian
16 September 2015

One of the largest breaches of US government data in history is somebody else’s responsibility, counterintelligence officials told senator Ron Wyden in a formal letter passed to the Guardian on Wednesday.

The Democratic senator from Oregon last month submitted three questions to the National Counterintelligence and Security Center (NCSC) about the hacking earlier this year of the Office of Personnel Management (OPM), in which the personal information of 21 million people was exposed.

In August, Wyden asked whether the NCSC had identified as a security risk the OPM’s giant database of federal security clearances, which includes personal and identifying information as private as psychiatric evaluations and social security numbers. Wyden also asked whether the NCSC had made any recommendations related to better securing the database, which retains data going back to 1985.

The theft of the information exposed some 21 million current, former and prospective government employees and has been attributed to Chinese hackers by the US government. The placement of blame is at the forefront of many minds in the nation’s capital.

[…]

[ISN] Here’s what Ashley Madison members have told me

http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html
Monday, 24 August 2015

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? (HIBP) [1] and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well.

These stories shed a very interesting light on the incident, one that most people are not privy to and one that doesn’t come across in the sensationalist news stories which have flooded every media outlet in recent days. When sent to me as an unknown third party in a (usually) foreign location, people tended to be especially candid and share stories that really illustrate the human impact of this incident. I thought I’d share some of those here – de-identified of course – to help people understand the real world impact of this incident and for those caught up in it to realise that they’re among many others going through the same pain.

I responded to every legitimate email I received. Very early on I wrote up a Q&A and the following is the canned response I sent in response to almost every query:

My apologies for not being able to respond to you personally, I’m addressing questions of this nature via a Q&A you can find here: http://www.troyhunt.com/2015/08/ashley-madison-data-breach-q.html

Here’s what Ashley Madison members have told me:

[1] https://haveibeenpwned.com/

[…]