GigaOm has an interesting, high-level piece that looks at the issue of law, liability and the Internet of Things. The article takes off from a discussion at the Download event in New York City earlier this month, wondering whether adoption of Internet of Things technologies like wearables is starting to run far ahead of society’s ability to manage them. Specifically: is the pace of technology innovation outstripping the ability of our legal system to rein in excess and protect public safety and civil liberties? On the list of ‘what-ifs’ are some familiar questions: How to assign liability. (“If one of Google’s automated cars crashes, is it the fault of the driver or Google?”) What responsibility do users have to take advantage of safety features in connected products? (Does a parent’s failure to password-protect a baby monitor change the manufacturer’s liability when and […]
open source
AllSeen Alliance Announces Smart Lighting Framework
Smart lightbulbs aren’t anything new. In fact, products like the Philips Hue bulb have been in the market for years. The devices, which typically couple a standard incandescent or CF bulb with a wireless transmitter, allow lights to be managed via mobile device and also respond to environmental changes monitored by other sensors. But, as with much of the Internet of Things, each family of smart bulbs is something of an island: interacting and communicating mostly with other smart home products from the same manufacturer. That’s good for the lightbulb maker, but bad for smart home advocates, who see out-of-the-box connectivity across product silos as a precursor to broad adoption of smart home technologies. It’s also been the case that the products that have been released have often fallen short in areas like security. In August 2013, security researcher Nitesh Dhanjani disclosed a proof of concept hack […]
Unpatchable USB Malware Now Open Source | WIRED
Andy Greenberg over at Wired has an interesting piece of news coming out of last week’s Derbycon hacker conference in Louisville, Kentucky. According to Greenberg and Wired, researchers Adam Caudill and Brandon Wilson showed off their own version of Karsten Nohl and Jakob Lell’s BadUSB malware and said that they’d released the code on GitHub. Their presentation raises the stakes for USB manufacturers to fix the BadUSB problem or leave hundreds of millions of users vulnerable, Greenberg writes. At a presentation at the Black Hat Briefings in August, Nohl and Lell, both of Security Research Labs (SRLabs), showed how the controller chips inside common USB devices can be reprogrammed, allowing USB peripherals to impersonate other kinds of devices. Among other things, Nohl demonstrated how a BadUSB-infected device could emulate a USB keyboard, issuing commands to a connected machine using the permissions of the logged-in user. Alternatively, an infected USB could spoof a […]
Whack-A-Bash: New Vulnerabilities add to Patch Confusion
The good news about the rapid industry response to the revelations about exploitable security holes in GNU Bash (Bourne Again Shell) (aka “Shellshock”) is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed. The bad news about the quick fixes for the two issues, CVE-2014-6271 and CVE-2014-7169, from the likes of Red Hat, Ubuntu, Debian and others is that, in being early, they fail to fix the problems we don’t yet know about. And that’s what we’re seeing in the wake of last week’s storm of patches: a steady drip-drip of disclosures that suggest that Bash may contain other problems worthy of new fixes. Within hours of the disclosure of the first holes, there were problems discovered by Red Hat Product Security researcher Todd Sabin, who found additional “off by one” errors in Bash that were assigned CVE-2014-7186 and CVE-2014-7187 and […]
Update: ShellShock’s Long Tail in the Enterprise
The recently disclosed vulnerability in the Linux Bash function dubbed “ShellShock” is creating a firestorm of coverage, and rightly so. The 22-year-old security hole is remotely exploitable and affects Linux-based web servers and an unknown number of other devices that might run on Linux and contain vulnerable services. However, unlike the recent “Heartbleed” OpenSSL vulnerability, identifying systems vulnerable to Shellshock won’t be easy. Shellshock first came to light on Wednesday, when Linux vendors including Red Hat began warning about the security hole. The vulnerability allows a malicious actor to take advantage of built-in Bash functions, wrapping them in environment variables and then appending malicious code to the end of function definitions within the variable. In a blog post, Red Hat said that any application that runs a shell script using Bash as the command interpreter, or that is hooked onto a shell, is vulnerable to attack. Paul Venezia, writing over at InfoWorld, gives one […]