Tomorrow afternoon, Security Ledger, with help from our sponsor Veracode, will record its first video conversation. The show’s name: Talking Code (#talkingcode). The topic: application security, and – in particular – securing the supply chain. Joining me for the discussion will by Chris Wysopal, the co-founder and CTO of Veracode and Joshua Corman, the Director of Security Intelligence at Akamai Inc. Two things: you can send us questions or comments on Twitter. Our discussion will be filmed in studio, not live, but we’ll be tweeting comments live and engaging in realtime via Twitter. Just use the hashtag #talkingcode to pose questions. Say the term “supply chain,” and people immediately think of automobile and electronics manufacturers, who must assemble products from components makers scattered around the globe. These days, however, its not just manufacturers who have to worry about supply chains. Almost every company has a “supply chain” in one form or […]
Telecommunications
Update: Serial Server Flaws Expose Critical Infrastructure
A survey conducted by the firm Rapid 7 has found evidence that widespread vulnerabilities and insecure configuration of ubiquitous networking components known as serial port (or “terminal”) servers, may expose a wide range of companies and critical assets – including point of sale terminals, ATMs and industrial control systems – to remote cyber attacks.(*) The vulnerable devices connected hardware like retail point-of-sale systems at a national chain of dry cleaners, providing direct access to employee terminals from which customer payment information could be accessed. Other exposed systems were used to monitor the location of cargo containers, train cargo as well as HVAC and industrial control systems, Rapid7 said. In the Rapid7 survey, over 114,000 unique IPs were identified in a scan using the Simple Network Management Protocol (SNMP), the vast majority manufactured by one company: Digi International. If left unaddressed, the vulnerable devices give remote attackers direct, administrative access to hardware devices […]
ACLU Complaint Shows Android Insecurity Getting Political
The American Civil Liberties Union has filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the Federal Government to take action to stem an epidemic of unpatched and insecure Android mobile devices – a public scourge that the ACLU blames on recalcitrant wireless carriers. The civil liberties group’s complaint for injunctive relief with the FTC, noting that “major wireless carriers have sold millions of Android smartphones to consumers” but that “the vast majority of these devices rarely receive software security updates.” Calling the unpatched phones “defective and unreasonably dangerous,” the ACLU says that carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to” third parties. “A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have […]
Home Invasion: Home Routers May Be The Next Big Hack
Most of us have broadband at home. It’s always there. It works and, for the most part, we don’t think about it until it goes down. Our amnesia extends to the humble home gateway or broadband router that is our connection to the global Internet. That piece of CPE (or customer-premises equipment) probably sits on our desk, or down in our basement gathering dust. Strong password? Meh. Firmware update? Hey, ‘if it ain’t broke…don’t fix it!” But all those small, insecure devices could add up to a major security crisis for users and their Internet Service Provider (ISP), according to researchers at the firm IOActive. Writing on the IOActive blog, researchers Ehab Hussein (@_obzy_) and Sofiane Taimat (@_sud0) say that millions of vulnerable home routers and gateways are vulnerable to trivial attacks. Those devices could be harnessed by cyber criminal groups, state-backed actors or hacktivists for malware distribution, spam or […]
Mobile Phone Use Patterns: The New Fingerprint
Mobile phone use may be a more accurate identifier of individuals than even their own fingerprints, according to research published on the web site of the scientific journal Nature. Scientists at MIT and the Université catholique de Louvain in Belgium analyzed 15 months of mobility data for 1.5 million individuals who the same mobile carrier. Their analysis, “Unique in the Crowd: the privacy bounds of human mobility” showed that data from just four, randomly chosen “spatio-temporal points” (for example, mobile device pings to carrier antennas) was enough to uniquely identify 95% of the individuals, based on their pattern of movement. Even with just two randomly chosen points, the researchers say they could uniquely characterize around half of the 1.5 million mobile phone users. The research has profound implications for privacy, suggesting that the use of mobile devices makes it impossible to remain anonymous – even without the use of tracking […]
