application security

Nest, Samsung and AMD Back Thread For Home Automation

A week that has already been full of standards news for the Internet of Things added more with the unveiling of Thread, a proposed communications standard backed by Google’s NEST group that promises a “new and better way to connect products in the home.” Google was joined by Samsung, Freescale Semiconductor, ARM, smart lock maker Yale Security and Big Ass Fans (favorite company name ever) in forming The Thread Group to promote Thread. In a press release on Tuesday, the group said that the Internet of Things presents unique challenges that are not well met by existing wireless communications technologies such as Wi-Fi, ZigBee and Z-Wave. In contrast to those technologies, Thread focuses exclusively on network connectivity, not application-layer exchanges and connection management. Thread Group says existing application protocols and IoT platforms can easily run on Thread networks. Specifically, it uses 6LoWPAN (IPV6 over Low power Wireless Personal Area Networks) to create 802.15.4-standard mesh networks of smart […]

Continue Reading

Google Unveils Project Zero Hacking Team

Google has unveiled an all-star team of hackers and security researchers it is calling “Project Zero.” According to a post on Google’s security blog, the company is hoping to use its security research muscle to investigate the security of “any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.” Research like Google employee Neel Mehta’s, which helped expose the “Heartbleed” vulnerability in OpenSSL is a good example of the kinds of stuff Project Zero will do. Researchers will devote their time to finding and reporting software vulnerabilities and researching new exploits, mitigations and “program analysis.” The company said it plans to disclose any vulnerabilities it finds to the vendor first, then to the public in an external database. The public can monitor “time to patch” (given that the vulnerability is disclosed ahead of a patch). Project Zero brings Google’s elite hackers under […]

Continue Reading

Researchers Warn Of Flaws In Popular Password Managers

Researchers from the University of California, Berkeley have published a paper describing security holes in five, web-based password managers including LastPass, My1login and Roboform. According to the paper  (PDF), four out of the five password managers inadvertently leaked a user’s credentials for stored web sites due to all-too-common web based security flaws like Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). The researchers, Zhiwei Li, Warren He, Devdatta Akwawe and Dawn Song, all of the University of California Berkeley, said that they disclosed the holes in August of last year and that all of the affected firms and that all but one – NeedMyPassword – have since patched the vulnerabilities. All the password managers tested were found to contain one of a short list of security problems. Either they were vulnerable to classic web-based holes (like XSS), or they were found to be susceptible to user interface-focused attacks, like […]

Continue Reading

Intel Promotes ‘Trustlets’ To Secure Embedded Devices

The integrity of data stored on- and transmitted between Internet-connected embedded devices is one of the biggest technical hurdles standing in the way of widespread adoption of Internet of Things technology. For one thing: embedded devices like wearable technology and “smart” infrastructure are often deployed on simple, inexpensive and resource constrained hardware. Unlike laptops or even smart phones, these are purpose-built devices that, by design, run for long periods in remote deployments, with extremely constrained features and low power consumption that is the result of limited processing power and memory. [Read Security Ledger’s coverage of connected vehicles.] Now Intel is promoting a platform that it says can bridge the gap and provide robust security features even for resource-constrained Internet of Things devices like wearables and connected vehicles. Back in April, the Intel Labs  unveiled the results of joint research with Technische Universität Darmstadt in Germany. The researchers have developed a platform, dubbed TrustLite […]

Continue Reading

Industrial Control Vendors Identified In Dragonfly Attack

Two of the three vendors who were victims of a targeted malware attack dubbed ‘Dragonfly’ by the security firm Symantec have been identified by industrial control system security experts. Writing on Tuesday, Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm. The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS’s ICS CERT, the Industrial Control Systems Computer Emergency Response Team, said it was alerted to compromises of the vendors’ by researchers […]

Continue Reading
1 25 26 27 28 29 47