Post Tagged with: "hacking"

History Suggests Heartbleed Will Continue To Beat

April 16, 2014 11:12 | 0 comments
Heartbleed probably won't ever go away, and is likely to become an endemic problem on the Internet, experts agree.

The SANS Internet Storm Center dialed down the panic on Monday, resetting the Infocon to “Green” and citing the increased awareness of the critical OpenSSL vulnerability known as Heartbleed as the reason. Still, the drumbeat of news about a serious vulnerability in the OpenSSL encryption software continued this week. Among the large-font headlines: tens of millions of Android mobile devices running version 4.1 of that mobile operating system (or “Jelly Bean”) use a vulnerable version of the OpenSSL software. Also: more infrastructure and web application players announced patches to address the Heartbleed vulnerability. They include virtualization software vendor VMware, as well as cloud-based file sharing service Box. If history is any guide: at some point in the next week or two, the drumbeat will soften and, eventually, go silent or nearly so. But that hardly means the Heartbleed problem has gone away. In fact, if Heartbleed follows the same […]

Heartbleed For Poets And Other Must-Reads

April 10, 2014 18:38 | 0 comments
The (nerdy) Heartbleed SSL vulnerability story has jumped into the mainstream and led to lots of rumination about the proper short- and long-term response.

It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable. IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated their OpenSSL instance to the latest version. In fact, it’s safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years to come. In the meantime, there is a lot of interesting coverage and […]

Web to Wheels: Tesla Password Insecurity Exposes Cars, Drivers

March 31, 2014 15:43 | 0 comments

We’ve interviewed security researcher Nitesh Dhanjani before. In the last year, he’s done some eye-opening investigations into consumer products like the Philips HUE smart lightbulbs. We did a podcast with Nitesh in December where we talked more generally about security and the Internet of Things. Now Dhanjani is in the news again with research on one of the most high-profile connected devices in the world: Tesla’s super-smart electric cars. In a presentation at Black Hat Asia on Friday, he released findings of some research on the Tesla Model S that suggests the cars have a weakness common to many Web-based applications: a weak authentication scheme. (A PDF version of the report is here.) Specifically: Tesla’s sophisticated cars rely on a decidedly unsophisticated security scheme: a six-character PIN. Dhanjani’s research discovered a variety of potentially exploitable holes that would give even an unsophisticated attacker a good chance at breaking into […]

Perverse Security Incentives Abound In Mobile App Space

March 24, 2014 12:51 | 0 comments

Security problems abound in the mobile device space – and many of them have been well documented here and elsewhere. While mobile operating systems like Android and iOS are generally more secure than their desktop predecessors, mobile applications have become a major source of woe for mobile device owners and platform vendors. To date, many of the mobile malware outbreaks have come by way of loosely monitored mobile application stores (mostly in Eastern Europe and Russia). More recently, malicious mobile ad networks have also become a way to pull powerful mobile devices into botnets and other malicious online schemes. But my guests on the latest Security Ledger podcast point out that mobile application threats are poised to affect much more than just mobile phone owners. Jon Oberheide, the CTO of DUO Security and Zach Lanier, a researcher at DUO, note that mobile OS platforms like Android are making the leap […]

Is Analog The Answer To Cyber Terrorism?

March 17, 2014 09:40 | 5 comments
Ralph Langner, an expert on the security of industrial control systems, suggests that the critical infrastructure sector might consider the use of analogue systems as a backstop to cyber attacks on ICS software. (Image courtesy of the Library of Congress).

Ralph Langner is one of the foremost experts on the security of critical infrastructure that we have. So, generally, when Ralph says something – whether it’s about Stuxnet, or cyberwar or the security of nuclear power plants – folks listen. And these days, Ralph is wondering, out loud, whether our reliance on digital systems to manage critical infrastructure has gone too far. The answer, he suggests, may be to go “back to the future,” as it were: reintroducing analog systems into the control process chain as a backstop for cyber attacks. Case in point: the Department of Homeland Security’s ICS-CERT warned on Friday that firmware for Siemens SIMATIC S7-1500 CPUs (Central Processing Units) contains nine vulnerabilities that could enable attacks such as cross site request forgery, cross site scripting and URL redirection. (Siemens has issued a firmware update that patches the holes.) Langner is among the world’s foremost experts on […]

SOHOwned: 300K Home Routers Hacked

March 4, 2014 11:27 | 0 comments

A string of reports in recent weeks has focused a spotlight on rising attacks against an often-overlooked piece of equipment that can be found in almost every home and business: the wireless router. Just this week, the security firm Team Cymru published a report (PDF) describing what it claims is a widespread compromise of small office and home office (SOHO) wireless routers that was linked to cyber criminal campaigns targeting online banking customers. Cymru claims to have identified over 300,000 SOHO devices (mostly in Asia and Europe) that were compromised. According to the report, the compromises first came to light in January, after Team Cymru analysts noticed a pattern of SOHO routers with overwritten DNS settings in central Europe. The affected devices are from a range of manufacturers, including well-known brands like D-Link, Micronet, Tenda and TP-Link. The devices were vulnerable to a number of attacks, including authentication bypass and cross-site […]

Vulnerabilities Lurking Far And Wide In IoT Ecosystem

February 26, 2014 17:34 | 0 comments
Builditsecure.ly is a site to help guide smart device developers in secure design principles.

The Internet of Things (IoT) promises to revolutionize the way people live and work. But while the media’s attention is focused on high-profile Internet of Things firms like NEST, the smart-home products vendor that Google acquired for more than $3 billion last month, much of the innovation in IoT – at least in the consumer market – is a bottom-up, grass roots phenomenon. Quietly, the combination of ready-made components, point and click development environments and cloud based back end management tools has enabled an army of (mostly) novice developers to assemble novel, connected products for a public enraptured with the idea of using their mobile devices to control something — anything. At the same time, crowd-funding platforms like Kickstarter and Indiegogo have created a platform for products to get funded and distributed to hundreds, thousands or even tens of thousands of customers – once a monumental task.  That’s great for the […]

Update – Virtual Vandalism: Firm Warns Of Connected Home Security Holes

February 18, 2014 11:35 | 1 comment

[This story was updated to include response from Belkin describing its response to the vulnerabilities identified by IOActive, including firmware updates. - PFR Feb 19, 2014] A researcher with the respected security firm IOActive says that he has found a number of serious security holes in home automation products from the firm Belkin that could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes or as a stepping stone to other computers connected on a home network. In a statement released on Tuesday, IOActive researcher Mike Davis said that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday.  Belkin did not […]

Government: Safety of V2V Outweighs Security, Privacy Risk

February 3, 2014 20:46 | Comments Off

After months evaluating the safety and security of vehicle-to-vehicle (V2V) communications technology, the U.S. government announced that it will begin taking steps to enable the technology for light vehicles. In a statement Monday, U.S. Transportation Secretary Anthony Foxx said that V2V technology represents the next generation of auto safety improvements – a modern analogue to seat belts and air bags. “By helping drivers avoid crashes, this technology will play a key role in improving the way people get where they need to go while ensuring that the U.S. remains the leader in the global automotive industry.” Vehicle-to-Vehicle Communications comprises wireless technology that allows automobiles to exchange information with each other in realtime, as well as with roadside or road-based devices. V2V systems communicate in the 5.9 GHz band and can also use common WiFi signals to communicate. V2V communications allow a vehicle to sense and respond to threats and road […]

You Can Build An Open Source NEST Clone In One Day? Uh Oh!

January 22, 2014 21:21 | Comments Off

I’ve been amazed at the herds of Johnny-come-latelies who have glommed onto the amazing Nest thermostat since Google purchased the company that makes it, Nest Labs, for a whopping $3.2 billion last week. Nest – and even its sister Protect smoke alarm – were hardly new, but that didn’t stop CNN from posting a ‘gee whiz’ video in the days that followed that had all the ‘we were here first’ excitement of a hand-held broadcast from the floor of CES. That – even though Nest is coming up on its third birthday and its cousin, the Protect, was released to considerable fanfare in October. The question for Google, of course, is ‘how much is Nest really worth?’ I use one at my house, and I think it’s gorgeous and smart – but $3.2 billion? That’s why I was interested to check out this article over at Postscapes.com about an open source […]
