Home

now browsing by tag

 
 

Working from Home? These Tips Can Help You Adapt

Source: National Cyber Security – Produced By Gregory Evans

COVID-19 means many people are doing their jobs from outside the confines of the office. That may not be as easy as it sounds.

So, you’re working from home …

For a while.

You’ve probably worked remotely before, and you’re thinking, “I’ve got this!”

Odds are, you’re mistaken. You don’t have this. That’s OK; this is an opportunity to learn new skills.

You can think of working from home much like someone moving into an entirely new environment. Your patterns of work might be optimized for working in an office, and they might not quite fit at home. You can think of this post as moving you from accommodating yourself to including yourself — reducing the friction that misspends your energy just to exist.

Now it’s time to adapt. You need to adapt, your workday needs to adapt, and your environment needs to be adapted. So what can you do? Below is some advice — take it in the spirit of unsolicited advice on self-improvement. Some of these things will work for you; some of them won’t. Many of these ideas work for me or people near me; they might or might not work for you. Give them a try, and be willing to learn and adapt.

Your Workspace
Maybe you’ve been getting by with sitting on the couch or on the floor in the corner of your bedroom. Those might be all the choices you have, but you should consider some changes:

  • Use an external monitor. One of the biggest productivity gains comes from useful screen real estate, so finding a way to get more is incredibly helpful to you. Paired with an external keyboard and mouse, you’re also on your way to better ergonomics.
  • Use a desk and a chair. Sitting on a couch for a long period is probably not healthy in a lot of ways. Can you fit in a sit/stand desk? Maybe you do need a different ergonomic choice, but make it deliberately.
  • If you can dedicate a workspace, that’s ideal. If you can’t, consider a space that you can set up at the start of the workday, then tear it back down in the evening — so you have clearly delineated boundaries of when you’re “in the office” instead of just chilling.
  • Even if you can’t dedicate a workspace, make a conscious effort to not take a meal (be it lunch, dinner, etc.) from where you are working. If you have a dedicated workspace, leave it and go to your kitchen, another room, or, if possible, outside for your meal. This should be time to mentally recharge as much as physically recharge. If you don’t have a dedicated space, still take the time to close your laptop and do something that is not work. Your brain (and your similarly stressed co-workers) will thank you.
  • Do you have a headset with a microphone to take meetings with? Gaming headsets can be an affordable and high-quality solution, or possibly Bluetooth earbuds. Anything is an improvement over just using your laptop’s speakers. But also think about how your ears might feel after multiple hours using a device you’re not familiar with. Maybe change between earbuds and a headset … or even just take a long break from videoconferencing.   
  • Wired Ethernet makes an enormous difference for videoconferencing — and for many of our other tools. Even if the cable has to get unplugged when you roll up your desk at the end of the day, this can be worth the trouble.

Your Family
There’s a good chance you’re sharing your space with other people — a partner, some children, maybe roommates. Their needs will matter, too, and it’s better for you to plan ahead with your schedules so that no one is disappointed.

  • Do you have to homeschool small children? What does your plan look like for that, and how are you trading it off with your partner?
  • Do you need to add daily household meetings to identify any issues?

Your Commute
You might be really excited about not having to waste time getting to the office because you can just hit work running. But take a moment to think about what you also do during your commute. Are you thinking about your schedule for the day? Working on a hard problem? Thinking about your kids? That’s valuable mental time, which you should consider how to keep in your day so that you can gracefully transition between parts of your life.

  • Can you go for a walk around the block (or further)?
  • Can you set aside quiet time at the start and end of your day, before you dive into email?
  • Make sure you take time for lunch. This might make a good time to check in with your colleagues in your co-working space or take quiet time for yourself. You might want to think about planning for those lunches to make sure you’re making healthy choices rather than just grabbing whatever is available.
  • Make a hard break. “Bye, kids, I’m headed to work!” can be a really powerful boundary to set.

Your Meetings
Meeting culture is very location-centric, especially when that location is your headquarters. Some of that is a product of enterprise tools (many video solutions makes it hard to see more than a few participants at once, and the slight added latency over the Internet interacts with the human desire to jump in as the next speaker), some is a product of our organizations (meetings where 80% of the attendees are physically in one place), and some is a product of habit (sitting in a circle, which then excludes the video participants). This is an opportunity to work on more-inclusive meeting structures.

  • Consider nonverbal cues for meeting participants to use to call for attention. If everyone is visible, that can be a raised hand; if that’s not the case, then a chat backchannel can help.
  • Work more on pauses between speakers. There is rarely a need to jump in instantly, and that’s often seen as a behavior that is exclusionary anyway, so this is a good opportunity to evaluate it. Past three people, a moderator helps enormously — perhaps defaulting to whomever called the meeting or wrote the agenda.
  • Consider working off a shared document with an agenda and notes so that some information flows can be faster-than-verbal. This might rely on everyone having more screen real estate.
  • Think about the lighting. You should be able to clearly see your face, which generally means lights and windows should be in front of you, not behind you. It’s always possible to learn from one call and revise or improve for the next one.
  • Thirty-minute blocks are not fundamental to the universe. You can meet for 5 minutes or 15 — and jumping from chat to a video call for 5 minutes can unlock great work for you or your colleagues.
  • As a last resort, disabling video can improve audio distortions, jitter, and latency in meetings.

Your Physical Wellness
When working from home, it can be really easy to fall into a rut with no physical activity. Perhaps you roll out of bed, grab a quick bite, and hop on a call. For a day, that’s only a little bad, but that’s a bad long-term pattern. Schedule your exercise time.

  • Maybe take that long walk at the start of your day or after lunch.
  • If you’re fortunate enough to have a treadmill or stationary cycle in your house, maybe you take a walking meeting with a colleague.
  • Look at how you can keep your body from stiffening from a lack of movement or poor ergonomics. Take stretch breaks. Take a 20-second break every 20 minutes and look out at something at least 20 feet away to prevent eyestrain. Consider how to incorporate physical wellness into your everyday routine.

(Story continues on next page.)

Andy Ellis is Akamai’s chief security officer and his mission is “making the Internet suck less.” Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai’s IT … View Full Bio

Previous

1 of 2

Next

More Insights

Source link

The post Working from Home? These Tips Can Help You Adapt appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | Malproxying: Leave your malware at home

Source: National Cyber Security – Produced By Gregory Evans

Endpoint protection plays a critical role in
the modern organizational security stack. Yet the very nature of this security
model is fundamentally flawed. Endpoint security solutions, and the malicious
actors trying to breach them, are locked into a perpetual game of cat and
mouse. Each side must continually adapt and react to the tactics of the other.
And, unfortunately for organizational security specialists, the playing field
is radically unbalanced.

Security solutions and professionals need to
maintain perfect endpoint protection; hackers, meanwhile, need only a single
successful attempt to wreak extraordinary damage. Yet security solutions do
have one point in their favor: The most common endpoint security evasion
techniques require constant updating which limits the pool of attackers and the
scale at which attacks are launched.

This leads to a troubling
question — what if a technique existed that allowed attackers to evade defense
mechanisms while requiring little in the way of adjustments to malicious code?
That was the topic of a well-received recent presentation I gave along with my
colleague security researcher Hila Cohen at DEF CON 27 in Las Vegas, Nevada.

Let’s take a closer look at this technique
and its implications for endpoint security.

The Current State of Endpoint Security

Existing security solutions use three
mechanisms to maintain protection:

  • Static signatures — these can be a simple hash from a sequence
    of bytes in a file. Signatures sign file segments (or memory blocks), enabling
    a check against common IOCs (Indicators of Compromise) to see if the file is
    infected.
  • Heuristic rules — these rules can inspect the imported
    function list, executable uses, its sections sizes and structure, and many more
    properties including entropy. Heuristic rules attempt to discern properties
    that are common among malicious files yet don’t exist in safe executables. They
    are not based on IOCs and don’t examine binary sequences or hashes included in
    the static signature category.
  • Behavioral signatures –these
    signatures attempt to identify, evaluate and block all malicious activity.
    Because of the limitations of static signatures and heuristic rules, infected
    files are often miscategorized as safe. Behavioral signatures take a different
    approach, as they are based on an operational sequence executed in the system,
    rather than the implementation of malicious logic.

As mentioned above, endpoint protection
solutions have a variety of weaknesses. Attackers can change the IOCs,
properties and behavior of malicious files, allowing them to evade detection
and quarantining. However, these techniques are highly manual and require significant
expertise, making it difficult for attackers to implement at scale.

There is, however, another approach enabling
the circumvention of endpoint security without the need for extensive labor or
expertise: Malproxying.

How Malproxying Works

The core operational model of endpoint
security solutions is simple: Identify and analyze code, then classify and
(potentially) block. Yet what if an attacker could obscure that code entirely?

That’s the premise of the malproxying
technique, which avoids deploying malicious code on target machines and
therefore separates that code from any interaction with the target operating
system. Here’s how it works:

A piece of code interacts with its operating
system and environment through a set of API calls. The attacker redirects those
API calls, and instead of running them on his operating system, he proxies them
over the network to the target machine. So, the malicious code resides on the
attacker side, where it is not monitored by any security solution (as the
attacker completely controls the environment), but the actions performed by
that malicious code actually interact with the target environment, allowing it
to bypass common endpoint security protection mechanisms. The malicious code,
meanwhile, cannot tell that it has not been executed on the targeted machine.

On a deeper level, the technique involves two
key components: attacker and target stubs. The attacker code loads and executes
malicious instructions, controls its API function calls and redirects them over
a network tunnel to the target stub.

The target code appears innocent and has no
malicious activity pre-coded. It receives the API requests and parameters,
executes those requests and returns the results back to the attacker stub.
These results are returned to the malicious code, in the exact way they would
be returned if the malicious code had called the API functions locally. The
malicious code is totally unaware of the long journey the response went through
until it arrived at its destination.

Countering Malproxying

The malproxying technique is designed to
evade the primary mechanisms used by endpoint detection solutions. The target
stub contains no malicious logic in its base form, rendering it hard to
identify and easy to modify if caught. Static signatures and heuristic rules
are easily bypassed.

Behavioral signatures, however, are another
matter. In the bottom line, a “malicious” sequence of API calls must be
executed on the target machine to achieve the attacker’s malicious goals. A
sophisticated monitoring tool can detect that malicious flow and trigger an
alarm. This merely invites another protracted cat and mouse battle, as the
attackers have to find new ways to make it very hard for monitoring tools to
assemble the trace of their malicious actions.

For example, an attacker could trigger each
API function call in a different thread, making it harder for security
solutions to identify a single code flow to check whether it is malicious or
not. Second, the attacker could bypass the detection points, where the security
solution tracks the activity of our process. Once those detection points are
bypassed, the security solution is blind to any API-based activity.

Continual improvement and refinement of
behavioral detection capabilities represent a better option. Actions triggered
by malicious logic can be tracked using various techniques to ensure that calls
are fully tracked. By building a more robust log of executed system function
calls — and the signatures that define malicious behavior — organizations can
develop a more viable line of defense against this novel attack technique.

Amit Waisel, Senior Technology Lead in Security Research, XM Cyber

The post Malproxying: Leave your malware at home appeared first on SC Media.

Original Source link

The post #cybersecurity | hacker | Malproxying: Leave your malware at home appeared first on National Cyber Security.

View full post on National Cyber Security

How to Secure Your Wi-Fi Router and Protect Your Home Network

Source: National Cyber Security – Produced By Gregory Evans If you’re lucky, the process will be automatic; you might even get alerts on your phone every time a firmware update gets applied, which usually happens overnight. If you’re unlucky, you might have to download new firmware from the manufacturer’s site and point your router towards […] View full post on AmIHackerProof.com

#cybersecurity | hacker | Inside the connected home and its implications for cybersecurity and privacy

Source: National Cyber Security – Produced By Gregory Evans

Over
the last few years, the introduction of connected devices into our homes has
become a boon for consumer convenience and entertainment. But this dynamic has
important cybersecurity and privacy considerations. The astounding increase of
connected devices has not only given attackers new points of entry but also
allows more of our information to be collected and potentially shared than ever
before.

To
find out how consumers address cybersecurity and privacy risks of connected
devices in their homes, ESET, in September 2019, surveyed 4,000 people – 2,000 in the United
States, 2,000 in Canada. Overall, the results show a large disconnect between
what people say they do to protect themselves and what they are actually doing
in practice.

The Heart of the Connected Home

Starting at the central point of a connected home, the router, ESET polled respondents if they had changed their router username and password, either directly or through a technician when it was first acquired. About 57 percent of Americans either said the username and password were not changed or they do not know if they were changed. In a similar vein, 57 percent either could not or do not know if they could name every device connected to their home network.

A
secure router is the basis of an effective home network. The router is both the
heart of the network and is in the majority of scenarios the single internet-facing
device, taking ineffective security measures (or taking none at all) makes
every device connected to it more vulnerable. At a minimum, passwords and usernames
should be changed from either their factory or ISP/cable provider default. As
the public-internet facing device attackers may be able to gain some
information by default and even the slightest knowledge about a device will
open the opportunity to try connecting to it using the default administrative
credentials, making the device an incredibly easy target.

The devices connected to that network pose a risk as well. Almost 44-45 percent of respondents have between one and five connected devices, which one would think should be easy to keep track of. The respondents that have more than 10 devices is where keeping track of them all starts to get tricky. Giving each device a recognizable name is a must to make it easier to keep track of the authorized vs. unauthorized devices on a network.

Connected Device Security

Consumers claim to be worried about cybercriminals targeting connected home devices, yet 42 percent of respondents are not worried about something they sit in front of for hours every week – their connected TVs.

When
connected to the internet a connected TV can potentially be taken attacked by
ransomware, the resources abused by coinminers or the credentials used to
access your favorite streaming service could be stolen. Anything connected to
your home router can be targeted by cybercriminals.

Interestingly, about 17 percent of total respondents have connected devices (not just smart TVs) that they did not connect to the internet. Some didn’t have time to set up the features, while others simply don’t care enough about the additional features to connect the devices to the internet.

We found that more than half (61 percent) of Americans don’t turn off features that they do not use. Keeping with the television example, consumers may buy a smart TV for its streaming features only to realize after-the-fact that there are certain apps they want to use to connect to these services are not available on the device. The consumer purchases an additional streaming device, such as Apple TV or uses a gaming console to stream, but they never turn off the internet connection on the TV. That device is now connected to the home network and is likely not monitored or updated. That’s a hazard to home network security.

Start with the Basics

It’s
clear there is still a learning curve for many consumers with connected homes.
A whole host of problems can be avoided simply by changing the default username
and password on the router and keeping the software up to date. This is
especially important as consumers add new types of devices to their networks
every year, a trend this set to continue.

Consumers would do well to remember the saying, “an ounce of prevention is worth a pound of cure.” Our survey found that, even though 35 percent of Americans and 37 percent of Canadians said they were concerned about the security of their connected homes, only 20 percent of Americans and 29 percent of Canadians did any type of research on the data collection and storage policies of connected home device manufacturers.

Consumers
who spend hours evaluating price, features and the aesthetics of their home
devices would do well to spend a few minutes researching the reputation of the
manufacturer, the security of the device, known issues and vulnerabilities and
the degree to which their data is shared or sold to third parties.

Original Source link

The post #cybersecurity | hacker | Inside the connected home and its implications for cybersecurity and privacy appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | How HIPAA-Compliant Communication Tools Can Prepare Home Healthcare for PDGM

Source: National Cyber Security – Produced By Gregory Evans The new home healthcare Patient-Driven Groupings Model (PDGM) released by the Center for Medicare & Medicaid Services (CMS) goes into effect after January 1, 2020. With it, payment periods will be cut in half and therapy volume will no longer be considered when determining home health […] View full post on AmIHackerProof.com

#deepweb | Stocks making the biggest moves premarket: Home Depot, Boeing, Disney

Source: National Cyber Security – Produced By Gregory Evans Check out the companies making headlines in the premarket Tuesday: Home Depot — Home Depot shares dropped more than 5% in the premarket after the home improvement retailer reported disappointing same-store sales. The company said global same-store sales rose 3.6% in the previous quarter. Analysts polled […] View full post on AmIHackerProof.com

Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light

Source: National Cyber Security – Produced By Gregory Evans

hacking voice controllable devices with laser light

A team of cybersecurity researchers has discovered a clever technique to remotely inject inaudible and invisible commands into voice-controlled devices — all just by shining a laser at the targeted device instead of using spoken words.

Dubbed ‘Light Commands,’ the hack relies on a vulnerability in MEMS microphones embedded in widely-used popular voice-controllable systems that unintentionally respond to light as if it were sound.

According to experiments done by a team of researchers from Japanese and Michigan Universities, a remote attacker standing at a distance of several meters away from a device can covertly trigger the attack by simply modulating the amplitude of laser light to produce an acoustic pressure wave.

“By modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio,” the researchers said in their paper [PDF].

Doesn’t this sound creepy? Now read this part carefully…

Smart voice assistants in your phones, tablets, and other smart devices, such as Google Home and Nest Cam IQ, Amazon Alexa and Echo, Facebook Portal, Apple Siri devices, are all vulnerable to this new light-based signal injection attack.

“As such, any system that uses MEMS microphones and acts on this data without additional user confirmation might be vulnerable,” the researchers said.

Since the technique ultimately allows attackers to inject commands as a legitimate user, the impact of such an attack can be evaluated based on the level of access your voice assistants have over other connected devices or services.

Therefore, with the light commands attack, the attackers can also hijack any digital smart systems attached to the targeted voice-controlled assistants, for example:

  • Control smart home switches,
  • Open smart garage doors,
  • Make online purchases,
  • Remotely unlock and start certain vehicles,
  • Open smart locks by stealthily brute-forcing the user’s PIN number.

As shown in the video demonstration listed below: In one of their experiments, researchers simply injected “OK Google, open the garage door” command to a Google Home by shooting a laser beam at Google Home that was connected to it and successfully opened a garage door.

In a second experiment, the researchers successfully issued the same command, but this time from a separate building, about 230 feet away from the targeted Google Home device through a glass window.

Besides longer-range devices, researchers were also able to test their attacks against a variety of smartphone devices that use voice assistants, including iPhone XR, Samsung Galaxy S9, and Google Pixel 2, but they work only at short distances.

According to the researchers, these attacks can be mounted “easily and cheaply,” using a simple laser pointer (under $20), a laser driver ($339), and a sound amplifier ($28). For their set up, they also used a telephoto lens ($199.95) to focus the laser for long-range attacks.

How can you protect yourself against the light vulnerability in real-life? The best and common solution is to keep your voice assistant of the line of sight from outside and avoid giving it access to things that you don’t want someone else to access.

voice activated smart assistant hacking

The team of researchers—Takeshi Sugawara from the Japan’s University of Electro-Communications and Mr. Fu, Daniel Genkin, Sara Rampazzi, and Benjamin Cyr from the University of Michigan—also released their findings in a paper [PDF] on Monday.

Genkin was also one of the researchers who discovered two major microprocessor vulnerabilities, known as Meltdown and Spectre, last year.

The Original Source Of This Story: Source link

The post Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light appeared first on National Cyber Security.

View full post on National Cyber Security

#deepweb | Home Insurance valuation MCQ Quantity Surveyors research underinsurance

Source: National Cyber Security – Produced By Gregory Evans

Thousands of Australian property owners could have their homes dramatically underinsured thanks to error-prone online valuation calculators.

New research by MCG Quantity Surveyors claims that some owners could be under-insured by up to 66 percent, heightening the risk of financial losses as Australia lurches into bushfire and flood season.

The find comes after MCG conducted a review of web-based calculators against a detailed professional cost estimation of a home in Sydney’s south-west.

Some properties could be underinsured by up to 66 percent – leaving owners with deep financial losses in the event of a claim. (Nine)

A professional valuation was made on a property in Airds, which calculated the construction cost plus sums for demolition, removal of site debris and consultant’s fees to be $668,559.

Information for the same property was then plugged into five online home insurance calculators which produced a vast array of sums.

Marty Sadlier, director of MCG Quantity Surveyors, said the difference between the professional estimation and the web-based calculator was hundreds of thousands of dollars.

An example of an online home insurance calculator. (Cordell Sum Sure)

“The lowest value calculator assessed the insurance value at $226,160 – or 66 percent below the needed amount, while the highest web-based estimate was $535,000 which is still 20 percent underinsured,” Mr Sadlier said.

“Not only do these calculators tend to under estimate construction costs overall, most don’t include amounts for demolition, debris removal, cost escalations and consultant’s fees.”

Mr Sadlier said the reliance on web-based calculators by insurance companies could see vulnerable home owners at risk.

Mr Sadlier claims that web-based calculators do not take into account the myriad of costs associated with rebuilding. (AAP)

“This epidemic of underinsurance could prove totally shattering, and is due almost entirely to the ongoing use of web-based insurance calculators,” Mr Sadlier said.

“Worst of all, these erroneous calculators continue to be recommended by insurance companies and even government departments, despite long-term evidence of their failings.”

According to the Australian Securities and Investments Commission (ASIC), estimating how much to ensure your home by can become a complex process.

“When estimating how much home building insurance you need, it’s important not only to consider the cost to rebuild your home, but also factor in other costs you may not have thought about, such as accommodation while you rebuild,” ASIC recommends on its money smart website.

“Underinsurance is when you don’t have enough insurance to cover all the costs of rebuilding your home.

“You are considered to be underinsured if your insurance covers less than 90 percent of the rebuilding costs.”

Source link
——————————————————————————————————

The post #deepweb | <p> Home Insurance valuation MCQ Quantity Surveyors research underinsurance <p> appeared first on National Cyber Security.

View full post on National Cyber Security

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”

advertisement:

The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Helping #insureds reach #corporate levels of #cyber security’ at #home

Source: National Cyber Security News

Cyber security has become a top of mind issue for commercial organizations across the world. Most big corporations have strong disciplines and risk management procedures in place to ensure cyber resilience is tight. Unfortunately, the same cannot be said for a typical home network.

Poor cyber hygiene at home is the gateway that enables cyber criminals to get personal. An open home Wi-Fi connection versus a password protected system could make all the difference if a bad actor attempts to hack a personal bank account or bitcoin wallet.

High net worth (HNW) individuals with deep pockets are particularly at risk of personal cyberattacks. Member-owned PURE Insurance, which serves HNW clients, has developed an innovative cyber fraud offering to protect PURE members from falling prey to cybercrime.

PURE Starling, available as an add-on to homeowners’ insurance, provides broad coverage for fraud and cybercrime, including financial loss resulting from online and offline fraud, and services to help assess and respond to cyber extortion threats, remove malware and reinstall software after an attack.

“The issue of cyber insurance was born out of feedback from our PURE members, who were starting to express concerns about data security and the privacy of their personal information,” explained Martin Hartley, chief operating officer, PURE.

Read More….

advertisement:

View full post on National Cyber Security Ventures