Let the record show that one of the most dramatic expressions of discontent over rampant government surveillance of U.S. citizens and private companies during last week’s RSA Conference in San Francisco went down at a taco joint. As the world’s cyber security elite gathered in San Francisco’s Moscone Center for the RSA Security Conference, a group of privacy and online rights activists that go by the name “Vegas 2.0” used donated funds to rent out Chevy’s, a popular Mexican food restaurant located next to the exhibit halls and frequented by conference goers. As reported by ZDNet’s Violet Blue, paying RSA attendees and speakers – identifiable by red badges – were refused entry to Chevy’s and handed flyers explaining the protestors’ grievances against the Conference’s parent company, RSA Security, which is alleged to have colluded with the NSA to weaken encryption standards in its products. Among those reported to have been […]

The privacy issues surrounding the use of license plate scanners isn’t exactly a new story. After all, none other than the ACLU published a report on the topic last year. The title of that report: “You Are Being Tracked” left little to the imagination.   But The Boston Globe presents a troubling picture of how far and fast license plate scanning has come, and how the combination of super-efficient scanning with cloud based applications and Big Data analytics are empowering private companies to surveil law abiding citizens across much of the country. OnTuesday, reporter Shawn Musgrave reported on the phenomenon of automobile repossession firms in Massachusetts using powerful, car-mounted license plate readers to troll mall parking lots and commuter stations for cars whose owners are behind in their payments. The cameras scan the plates of all vehicles that they pass – delinquent or not – and send the images to […]

A string of reports in recent weeks has focused a spotlight on rising attacks against an often-overlooked piece of equipment that can be found in almost every home and business: the wireless router. Just this week, the security firm Team Cymru published a report (PDF) describing what it claims is a widespread compromise of small office and home office (SOHO) wireless routers that was linked to cyber criminal campaigns targeting online banking customers. Cymru claims to have identified over 300,000 SOHO devices (mostly in Asia and Europe) that were compromised. According to the report, the compromises first came to light in January, after Team Cymru analysts noticed a pattern of SOHO routers with overwritten DNS settings in central Europe. The affected devices are from a range of manufacturers, including well-known brands like D-Link, Micronet, Tenda and TP-Link. The devices were vulnerable to a number of attacks, including authentication bypass and cross-site […]

Most folks are still trying to figure out what “security” in the context of “The Internet of Things” actually means. But that didn’t stop Cisco Systems from throwing down a challenge to the tech sector: develop security solutions that address problems specific to The Internet of Things and win a cash prize.   In a blog post, Chris Young, a Senior Vice President in Cisco’s Security Group, announced The Internet of Things Security Grand Challenge, saying the contest would offer “visionaries, innovators, and implementers…the opportunity to define a future of a secure IoT,” and pledging up to $300,000 in prizes and awards up to $75,000 for six winners. Cisco has set its sights on the emerging “Internet of Things” in a big way – leveraging its deep roots as a networking infrastructure provider to carriers and enterprises, and ancillary businesses such as set top boxes and low-cost networking equipment for […]

The Internet of Things (IoT) promises to revolutionize the way people live and work. But while the media’s attention is focused on high-profile Internet of Things firms like NEST, the smart-home products vendor that Google acquired for more than $3 billion last month, much of the innovation in IoT – at least in the consumer market – is a bottom-up, grass roots phenomenon. Quietly, the combination of ready-made components, point and click development environments and cloud based back end management tools has enabled an army of (mostly) novice developers to assemble novel, connected products for a public enraptured with the idea of using their mobile devices to control something — anything. At the same time, crowd-funding platforms like Kickstarter and Indiegogo have created a platform for products to get funded and distributed to hundreds, thousands or even tens of thousands of customers – once a monumental task.  That’s great for the […]

The RSA Security Conference starts next week in San Francisco: the central event of a week-long orgy of IT security wheeling and dealing in the Bay Area. Though its roots are as a small and clubby gathering of cryptographers, RSA long ago stopped being that, and started resembling a kind of speed dating event for technology and IT security firms. Sure – there are plenty of interesting talks at RSA, but the important work takes place in private suites of adjoining hotels and chance encounters in the halls of the Moscone. If there’s a big IT security deal in the offing – like IBM’s $1 billion acquisition of Trusteer, or FireEye’s purchase of the firm Mandiant – chances are good that the conversation started at RSA. Long and short: RSA is a snapshot of the security industry at a particular place and time. As such, it tends to be a […]

[This story was updated to include response from Belkin describing its response to the vulnerabilities identified by IOActive, including firmware updates. - PFR Feb 19, 2014] A researcher with the respected security firm IOActive says that he has found a number of serious security holes in home automation products from the firm Belkin that could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes or as a stepping stone to other computers connected on a home network. In a statement released on Tuesday, IOActive researcher Mike Davis said that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday.  Belkin did not […]

In a little more than a week, executives from world’s leading technology firms will gather in San Francisco for the RSA Conference, the cyber security industry’s biggest show in North America. No hacker con, RSA is something akin to corporate speed dating for companies in the security industry. But, like so much else in the technology world, this year’s conference has become mired in controversy stemming from Edward Snowden’s leak of classified documents related to government surveillance. In December, Reuters broke the story that, among the documents leaked by Snowden was evidence that RSA, the security division of EMC and parent company to the conference, accepted a $10m payment from the NSA to implement what turned out to be a vulnerable encryption algorithm as the default option for its BSafe endpoint protection product. RSA, the security division of EMC, has denied the allegations that it accepted the money while knowing that […]

The firm Duo Security* said that it has discovered a vulnerability that affects a range of two-factor authentication plugins for the WordPress content management platform. The vulnerability could allow a malicious insider to use credentials for one WordPress site to log into a different site that is part of a ‘multi-site’ WordPress deployment without needing to pass a multi-factor authentication test. In a blog post on Thursday, DUO co-founder and CTO Jon Oberheide said that the vulnerability was discovered as part of an internal review of DUO’s two factor WordPress plugin, but that researchers realized it affects at least two other multi-factor plugins. DUO issued a warning to users of its plugin. The company also reached out to WordPress and to the publishers of other multi factor authentication plugins to address the issue, Oberheide wrote. DUO makes multi-factor authentication technology that allows users to log-in using a combination of username, […]

Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms.   Some visitors to the web site of the Veterans of Foreign Wars (VFW), vfw[dot]org, were the victim of a ‘watering hole’ attack that takes advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. The VFW site was hacked and then altered to redirect users, silently, to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system.  The VFW did not immediately respond to e-mail and phone requests for comment. According to a write-up by the security firm FireEye, the vulnerability allows the attacker to “modify one byte of memory at an arbitrary address” stored […]