now browsing by tag


Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices

Source: National Cyber Security – Produced By Gregory Evans Cybersecurity researchers today uncovered details of two new vulnerabilities in the GoAhead web server software, a tiny application widely embedded in hundreds of millions of Internet-connected smart devices. One of the two vulnerabilities, assigned as CVE-2019-5096, is a critical code execution flaw that can be exploited […] View full post on

#cybersecurity | #hackerspace | End-of-Life Devices Pose Data Breach Risk

Source: National Cyber Security – Produced By Gregory Evans End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies […] View full post on

#infosec | #ISC2Congress: IoT Devices Pose Off-Network Security Risk

Source: National Cyber Security – Produced By Gregory Evans

Internet of Things (IoT) devices can still be a serious security threat even when they are off network.

Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, 802 Secure CSO Michael Raggo shared research that demonstrated the risks posed by everyday IoT devices. 

In his talk titled “Cyber Physical Security: Addressing IoT Risks,” Raggo cited examples of threat actors gaining access to data centers via WiFi thermostats and spying on conferences by hacking into smart TVs mounted on boardroom walls.

“The problem goes far above and beyond the potential breach of data or risks to that data. It also has an impact on safety, privacy, and the whole operation of your entire network, especially if it’s an industrial IoT type of network,” said Raggo.

“What that means in terms of your policies and how you approach the problem, is that this is more than just protecting data and avoiding data exfiltration. Now we are talking about the safety and the privacy of people and employees.”

The impact of IoT security issues is far-reaching. According to Raggo, “roughly 50% of the new buildings being built in the United States have some kind of IoT functionality.”

Raggo said that ensuring the reliability and security of the lighting, power, and HVAC systems of your home and your business is a real challenge if those systems aren’t connected to your own network.

Although many people are familiar with Wi-Fi and Bluetooth, according to Raggo they often don’t have a clear understanding of how IoT devices are configured and who can actually connect to them.   

Raggo referenced experiments conducted in his own lab that had produced worrying results, exposing vulnerabilities in smartphones and surveillance cameras. In one test, he used a wireless thumb drive to access data on a hub.

“I simply plugged it into a USB port in the back of the hub and immediately videos started being recorded to my thumb drive. There was no authentication required,” said Raggo.

One threat Raggo drew attention to was Bluetooth skimming, where threat actors steal money by breaching credit card details used in transactions. After being asked to investigate a fast-food restaurant that had suffered a breach, Raggo used readily available Bluetooth scanning tools to detect a long-range Bluetooth device placed under the cash register that had been used to skim data.


#infosec #itsecurity #hacking #hacker #computerhacker #blackhat #ceh #ransomeware #maleware #ncs #nationalcybersecurityuniversity #defcon #ceh #cissp #computers #cybercrime #cybercrimes #technology #jobs #itjobs #gregorydevans #ncs #ncsv #certifiedcybercrimeconsultant #privateinvestigators #hackerspace #nationalcybersecurityawarenessmonth #hak5 #nsa #computersecurity #deepweb #nsa #cia #internationalcybersecurity #internationalcybersecurityconference #iossecurity #androidsecurity #macsecurity #windowssecurity

Source link

The post #infosec | #ISC2Congress: IoT Devices Pose Off-Network Security Risk appeared first on National Cyber Security.

View full post on National Cyber Security

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”


The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Gov’t to #put new #cybersecurity #measures in #place for smart #devices

Source: National Cyber Security News

As the number of devices grows, so does the level of security needed. The UK government is aiming to tackle this with a new initiative, but what is the tech sectors take on it?

The Government has announced new cybersecurity guidelines will need to be put in place to ensure smart devices are made safer.

Following a stream of cyber security breaches among Internet of Things (IoT) devices, the UK Government has said new cyber security guidelines are necessary to better protect users. The aim is to change the way devices are manufactured, as well as increasing the safety of individuals.

The government has predicted that each household across the UK has at least 10 internet connected devices, which is set to increase to 15 by 2020. With this increase of devices comes a bigger increase in security threats, meaning more must be done from a cybersecurity perspective. Recently, attacks have been carried out on various IoT devices such as smart watches, CCTV cameras and even children’s dolls.

The governments initiative has been developed alongside the National Cyber Security Centre (NCSC), and coincides with the new £1.9bn Cyber Security Strategy that is set to be implemented.

Read More….


View full post on National Cyber Security Ventures

Forever 21 #POS #Devices Contract #Malware #Infections

Source: National Cyber Security – Produced By Gregory Evans

Apparel retailer Forever 21 said in the end-week of December 2017 that malware infection on its point-of-sale machines resulted in hacking of data related to payment cards from a few specific stores during the year. Reportedly, the attack got aggravated due to encryption absent on those machines.

The $4bn retail firm based in Los Angeles published one news release on December 28 to confirm that some party with sinister intentions gained admission into data from the credit and debit cards of a section of customers during the period April 3-November 18, 2017. The attacker could do so via a malware-laced assault combined with inadequate POS security.

With a cyber forensics company that Forever 21 hired, investigation into the problem started. Initially when concrete details couldn’t be obtained, the retail firm cautioned about a few POS devices within certain Forever 21 stores as being impacted where there was little utilization of encryption. posted this dated January 2, 2018.

It got determined from the investigation that encryption was halted while malicious software was loaded onto certain devices within a few stores in USA at different times from 3rd April-18th November, 2017.

In addition, Forever 21 stated that a machine which logged entire transaction authorizations on payment cards too had malicious software planted onto it within a few of the outlets.

And while it isn’t yet known about the data hack’s intensity it’s also still not clear about the number of outlets and customers impacted albeit Forever 21 is presently having suppliers of POS machines and cyber-security experts with whom it’s working for enhancing its future security.

‘Forever 21’ was as well working with the hacked point-of-sale device manufacturer, the payment processors along with law enforcement for additional probe into the online infiltration, the business firm stated.

Meanwhile, the apparel shop isn’t alone in being victimized with the kind of attack. Point-of-sale contaminations are an increasingly frequent mode by which crooks carry out big-scale seizures of credit and debit card information. Among the targets so far, the Hilton hotel chain, Target the big-box retailer as well as restaurant chains are also included.

The post Forever 21 #POS #Devices Contract #Malware #Infections appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Turn off #cameras and #tracking devices in children’s #Christmas #presents to prevent #hacking, Information #Commissioner tells #parents

Source: National Cyber Security – Produced By Gregory Evans

Parents should turn off the cameras and automatic tracking devices in their children’s Christmas presents because of the risk of hacking, the Information Commissioners’ Office has warned.

With a rise in the number of ‘smart’ toys and devices gracing the wish list this year, parents should consider the safety of them being connected directly to the internet before giving them as gifts, according to the data regulator.

When adults are not going  to personally use cameras in toys to view what is happening remotely then they should consider turning the function off all together, Deputy Commissioner Steve Wood said.

The warning comes amid growing concerns about the ability of criminals to hack into toys containing sensors, microphones, cameras, data storage and other multi-media capabilities.

In a blog on the regulators website Mr Wood wrote: “You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?

“In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into.

“Unlike Santa, those looking to hack into your devices don’t care whether you’ve been naughty or nice.”

Parents are advised that they should ensure that they are buying products from a reputable source, that all passwords and usernames are changed from the default option and to use two-step identification where available.

Mr Wood continued: “Some toys and devices are fitted with web cameras. The ability to view footage remotely is both their biggest selling point and, if not set up correctly, potentially their biggest weakness, as the baby monitor hacking issue of a few years ago demonstrated.

“If you have no intention of viewing footage over the internet, then turn the remote viewing option off in the device’s settings, or else use strong, non-default passwords.”

He added: “One of the main selling points of children’s smart watches is the ability for parents to know where their children are at all times. However, if this isn’t done securely, then others might have access to this data as well. Immediately get rid of default location tracking and GPS settings and set strong, unique passwords.”

Parents are also advised to turn off Bluetooth or set strong passwords to protect their child’s data from hackers.

The Deputy Commissioner concluded: “If you aren’t convinced a smart toy or connected/wearable device will keep your children or your personal information safe, then don’t buy it. If consumers reject products that won’t protect them, then developers and retailers should soon get the message.”

The post Turn off #cameras and #tracking devices in children’s #Christmas #presents to prevent #hacking, Information #Commissioner tells #parents appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices

Source: National Cyber Security – Produced By Gregory Evans

Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices

Security researchers demonstrate new zero-day vulnerabilities in fully patched Apple, Samsung and Huawei mobile devices at the Mobile Pwn2Own 2017 security event in Tokyo.

On the first day of the Mobile Pwn2Own 2017 hacking competition in Tokyo, security researchers demonstrated new zero-day attacks against fully patched mobile devices.

On Nov. 1, different groups of security researchers made a total of seven exploit attempts, five of which were successful. Among the successful exploit targets were fully patched Apple iPhone 7, Samsung Galaxy S8 and Huawei Mate9 Pro devices.

Researchers who demonstrated the successful exploits were rewarded with a total of $350,000 in prize money from Trend Micro’s Zero Day Initiative (ZDI), which runs the Pwn2Own contest. All of the flaws discovered at the event are privately reported to the impacted vendors and are subject to the ZDI’s disclosure policy, which provides vendors with 90 days to fix the vulnerabilities before they are publicly 

Three of the five successful exploits were made against Apple devices, including two browser exploits against Safari and one WiFi exploit. Apple just updated iOS to 11.1 on Oct. 31, which is the version the researchers were able to exploit.

“The team updated all devices to the latest OSes prior to the contest kicking off this morning, including iOS 11.1, as late as 5 a.m. this morning, Tokyo time,” Brian Gorenc, director at Trend Micro’s Zero Day Initiative, told eWEEK.

The iOS 11.1 update patches 14 vulnerabilities, including six that were memory corruption issues in Safari’s WebKit browser rending engine. As it turns out, there are apparently still security issues in iOS 11.1 that Apple will need to patch in a future update.

Security researchers from Tencent Keen Security Lab were able to demonstrate multiple exploits against the fully patched iOS 11.1. Among those exploits was an arbitrary code execution, via a WiFi bug, that also provides privilege escalation and can persist through a reboot. The whole exploit chain included four different bugs and resulted in an award of $110,000.

A second exploit attempt by Tencent Keen Security Lab made use of two different bugs, including one in an iOS system service and one in the browser to exploit Safari. That exploit earned an additional $45,000 in awards from ZDI.

Security researcher Richard Zhu, also known by his alias fluorescence, took aim at iOS 11.1 as well and demonstrated two bugs. Zhu’s bugs were able to exploit Safari and escape the iOS system sandbox, enabling him to run arbitrary code. For his efforts, Zhu was awarded $25,000 by ZDI.


Apple wasn’t the only target at Mobile Pwn2Own 2017, with researchers also taking aim at Android devices from multiple vendors.

Researchers from 360 Security were able to demonstrate a chain of flaws on the Samsung Galaxy S8 that led to arbitrary code execution. The exploit chain included a bug in the Samsung internet browser paired with a privilege escalation in a Samsung application that enabled code execution to persist through a reboot. ZDI awarded the 360 Security team $70,000 for its efforts.

Among the most impactful types of mobile device vulnerabilities are cellular baseband flaws. The baseband is the component that manages all the radio functions on a cellular device. Tencent Keen Security Lab was able to successfully demonstrate a baseband exploit using a Huawei Mate9 Pro smartphone that would allow an attacker to spoof the device. ZDI awarded $100,000 to Tencent Keen Security Lab for the baseband exploit.

“The baseband attack was exciting, and we’re looking forward to seeing another attempt in this category tomorrow [Nov. 2],” Gorenc said. “It’s always interesting to see jailbreaks as well, and we saw two today. Also there was persistency demonstrated with three of the attacks, which is impressive.”

The post Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

University of Washington students can hack smart devices, track body movement

Source: National Cyber Security – Produced By Gregory Evans

Computer science students at the University of Washington have found a way to remotely hack into people’s personal devices, such as cell phones and smart TV’s, to track individual movement, raising serious security questions, the university announced Wednesday. The hacking method uses CovertBand, a software program the student team created,…

The post University of Washington students can hack smart devices, track body movement appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

How can smart and connected devices improve office security?

Source: National Cyber Security – Produced By Gregory Evans

Smart technology has the potential to add a much needed additional layer of security to our offices. Over the last 10 years, technology in offices has been constantly evolving. Office staff no longer rely on fax machines and slow, low quality printers; a huge number of employees now work from…

The post How can smart and connected devices improve office security? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures