Impact


Ring Flaw Underscores Impact of IoT Vulnerabilities

Source: National Cyber Security – Produced By Gregory Evans

A vulnerability in Amazon’s Ring doorbell cameras would have allowed a local attacker to gain access to a target’s entire wireless network.

A vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby attacker to imitate a disconnected device and then sniff the credentials of the wireless networks when the owner reconfigured the device, according to a report issued by security firm Bitdefender.

The issue, which was fixed by Amazon in September, underscores the impact of a single insecure Internet-of-Things device on the organization in which it is deployed. While the vulnerability may only occur in a single network device, the result of the flaw could be leaked information — the wireless network password, for example — which would have far more serious repercussions.

“IoT is a security disaster, any way you look at it,” says Alexandru Balan, Bitdefender’s chief security researcher. “Security is not the strong suit of IoT vendors — only rarely do we see vendors who take security seriously.”

The discovery of a serious vulnerability in a popular IoT product comes as businesses and consumers increasingly worry about the impact that such devices may have on their own security. Only about half of security teams have a response plan in place to deal with attacks on connected devices, according to a recent report from Neustar. Even critical-infrastructure firms, such as utilities that have to deal with connected operational technology, a widespread class of Internet-of-Things devices, are ill-prepared to deal with vulnerabilities and attacks, the report says.

Vulnerabilities in IoT devices can have serious repercussions. In July, a team of researchers found widespread flaws in the networking software deployed in as many as 200 million embedded devices and found millions more that could be impacted by a variant of the issue in other real-time operating systems.

The issue with Amazon Ring is not as serious, but it is a reminder that vulnerabilities can still be easily found in the devices by attackers paying attention, says Balan. “We tend to look at the popular devices, and those tend to have better security than the less popular devices.”

The rest of the Ring device’s communications are encrypted and secure, according to Bitdefender. The mobile application only communicates with the device through the cloud, even if the app and device are already on the same network, the company’s analysis stated. Cloud communications are conducted over encrypted connections to API services using Transport Layer Security (TLS) and certificate pinning.

The device’s initial connection with the local network is the only time that it sends data without encryption, Balan says. “This is a proximity-based attack, so it’s not that big of a threat on a global scale. You need to be within a hundred meters or so to issue the deauthentication packets and force the user to reset the password.”

The existence of the vulnerability is not an indicator of the commitment of Ring’s security team, Balan adds, noting that within a few days Amazon responded and two months later closed out the report. By September, the company issued a patch — within three months after the initial communication, according to Bitdefender’s disclosure timeline. As of November, all affected devices had been patched, which Balan says is a better outcome than the majority of disclosures that Bitdefender works on with other IoT vendors.

“Amazon is one of the few that take security seriously,” he says. “Inherently everything has some flaw that will be discovered. The only challenge with IoT is whether you take that disclosure seriously.”

The trend that more vulnerabilities are being discovered in popular products is a sign that the manufacturers are paying attention and responding to researchers, Balan observes. “If someone does not have vulnerabilities disclosed in their product, then that is likely the most risky product, from a security perspective. If the vulnerabilities were discovered, then props to them — that’s a good thing.”

The post Ring Flaw Underscores Impact of IoT Vulnerabilities appeared first on National Cyber Security.


#hacking | The impact of Brexit on CISOs

UK firms aren’t ready for a no-deal Brexit
Large numbers of small and medium-sized tech businesses haven’t made any preparations for the UK leaving the EU – and many believe the government isn’t listening to the concerns they have ahead of Brexit.

Today we see some signs of optimism from the EU and the UK about the potential to conclude a withdrawal agreement following private talks between the UK and Ireland yesterday. Since I last wrote a blog about this, we have seen a change of UK government, a brand-new UK negotiating position, a Conservative Party leadership contest, and an EU watching on the sidelines wondering what on earth is going on in the UK politically. 

We can’t predict whether Brexit will really happen on October 31 and whether a deal will be concluded or not. However, we do now know that we are likely to leave with a withdrawal agreement that affects security at the institutional level — not dissimilar to the broad outline of what Theresa May and the EU concluded in November 2018 — or that we will leave all current security and defense cooperation arrangements. For security leaders wondering how all of this may affect them, we advise CISOs to focus on three primary areas of concern: 

  • International data flows between the UK and the EU. We know that, one way or the other, the continued legal basis for data flow relies on the UK’s data protection regulatory regime being judged equivalent to the EU’s. The various parties would begin working on this key adequacy decision, as it is known, following the UK’s exit from the EU (deal or no deal). While there are a lot of similarities with the regimes as they currently stand, there is no way of guaranteeing that the decision will occur and in what time frame. In the event of a “no-deal Brexit,” the legal default will be that the regimes are not equivalent and the EU will treat the UK as a third country, invalidating the legal basis currently used to promote legal data transfer between the UK and the other EU member states. We recommend that CISOs and DPOs start looking into alternative means now for guaranteeing the legal basis for their international data flows between the UK and EU. This can either be through model clauses or a binding corporate rules program, for example, which are already widely used for transfers outside of the EU. 
  • Staffing. Thankfully, both sides have agreed that whether a deal is agreed or not, they will work hard to provide some certainty to EU and UK citizens working outside of their home countries. For CISOs, this means that your staff will need reassurance and support if they need help with application procedures or, in some cases, the costs of applying. The area that is going to be most problematic is in the realm of recruitment — a challenge that is already difficult enough with the security skills shortage. Brexit will require you to think more carefully about where you deploy your staff and security services. Restrictions on the numbers of EU citizens entering the UK and vice versa are generally expected, so review your operating model carefully to mitigate the impact that restrictions on freedom of movement could bring to your security organization structure and headcount deployment. In addition, consider the implications for business travel for any service providers and staff supporting you from outside of your main headquarters locations. 
  • Regulatory relationships and obligations for reporting cybersecurity breaches. Whatever your views on it, the EU has been one of the most active legislators of cybersecurity and privacy regulations, creating a myriad of regulatory relationships across the EU. Many of these, particularly NISD, PSD2, and GDPR, contain requirements to report certain types of security events and incidents to regulatory bodies. The relationships have been set up, and many organizations in the scope of this regulation will need to review and update regulatory reporting lines, as current regulatory relationships may change. Review and update incident response plans and supporting operational processes carefully to ensure that you capture these changes in regulatory relationships. 

While there are many other implications to Brexit for CISOs to consider, these are some of the most common that come up in our conversations with clients. We will continue to watch the politics unfold and hope to gain clarity as to what will happen next. 

This post was written by Senior Analyst Paul McKay and originally appeared here. 

The post #hacking | The impact of Brexit on CISOs appeared first on National Cyber Security.


How Will #Quantum #Computing #Impact #Cyber Security?

Quantum computing is not an incremental improvement on existing computers. It’s an entirely new way of performing calculations, and can solve problems in a single step that would take traditional computers years or even longer to solve. While this power is great in a number of fields, it also makes certain types of computer security techniques trivial to solve. Here are a few of the ways quantum computing will affect cybersecurity and other fields.

Today’s Security
Cryptography powers many of today’s security systems. Although computers are great at solving mathematical problems, factoring especially large numbers can be effectively impossible for even the most powerful computers, with modern algorithms requiring decades or even longer to crack. The nature of quantum computing, however, means that cryptography based on factoring numbers will be effectively useless.

Fortunately, many cryptography approaches in use today are designed to be safe from quantum computers that haven’t yet been built. Businesses, government agencies, and other entities that place a high priority on security don’t necessarily need to switch to quantum-safe approaches just yet, but it’s important that organizations are able to make the transition promptly should quantum computing technology develop faster than anticipated. It’s also worth noting that other forms of security won’t be affected by quantum computing. Two-factor authentication, for example, will be just as effective.

Tomorrow’s Security
The basics of quantum computing sound almost unbelievable, but they’re based on well-established science and mathematics. Modern computers rely on discrete values; a bit is either a 0 or a 1. Quantum computers, on the other hand, are able to store both of these possibilities simultaneously in what are called qubits, and the value only truly forms when it is observed.

Combined with the equally baffling concept of quantum entanglement, which allows qubits to be bound no matter how far away they’re located, quantum computing can open the door to cryptography techniques that are theoretically unbreakable. No matter how much computing power is dedicated to solving quantum-based security implementations, they’ll still provide a safe conduit to send data through. With certain implementations, keys used to encrypt data will instantly stop working if anyone attempts to uncover them, leading to inherent security.

Quantum Arms Race
The ability to defeat common security implementations makes quantum computers a goal for intelligence agencies. Anticipating their eventual invention, many intelligence agencies are believed to be intercepting traffic that can’t yet be cracked but that may be vulnerable in the future if it can be decrypted. The first agencies to gain access to quantum computing power will have a substantial edge on their counterparts in other nations, and news of quantum computing success will spur further investment in other nations.

Unlike the development of weapons, however, there are also commercial and academic interests in quantum computers, so developing an arms treaty seems unlikely. Furthermore, non-government entities can likely gain access to quantum computers as well, presenting even more risk for compromising data. These threats underline the importance of ensuring new security measures are able to handle existing computers as well as potential quantum computers.

Who Will be the First?
The first intelligence agency with access to a quantum computer will gain a significant edge, and the first company with quantum computers for sale will stand to gain tremendously. Some of the names are long-time staples, including IBM, which has made slow but steady progress toward quantum computing over the years and expects major advances during the next decade. Another big name is Microsoft. We recently spoke to their senior technologist Rob Fraser about the transformative impact of quantum computing.

While other companies are attempting to build quantum computers, IBM seems most likely to be the first to succeed.

However, it’s important to appreciate the role academia is playing. The concept of quantum computing is built on quantum mechanical theory, a field where typical hardware engineers have no experience. Contributions to the field have come from academic institutes with a strong history in technology, including MIT and Harvard. The perplexing nature of quantum mechanics, which is difficult to comprehend even for the world’s leading researchers, means that development will always be largely based on theory and not just engineering.

What to Expect
Although quantum computers can perform some tasks impossible or impractical on standard computers, they may never replace the typical computer architecture we’re used to. Quantum computers in development now are incredibly sensitive, and there doesn’t seem to be an engineering solution to this sensitivity. Furthermore, the calculations quantum computers excel at aren’t especially useful for standard computer tasks.

However, quantum computing will lead to scientific advances that can benefit society at large. Furthermore, it may play a role in internet infrastructure, potentially improving performance. Although there may not be a quantum computer in every home, the impact of quantum computing will be substantial if, much like quantum mechanics itself, unpredictable.

The post How Will #Quantum #Computing #Impact #Cyber Security? appeared first on National Cyber Security Ventures.


How Will ‘New Collar’ Skills Impact the Cybersecurity Skills Gap?

If you follow me at all, whether it’s here on SecurityIntelligence, on Twitter or on LinkedIn, you know that one of my hot buttons is the cybersecurity skills gap. Cybercrime is a global problem that cost organizations $450 billion in 2016 alone. Fighting it requires skills to prevent, detect, respond and remediate attacks. Unfortunately, there is no silver bullet to …

The post How Will ‘New Collar’ Skills Impact the Cybersecurity Skills Gap? appeared first on National Cyber Security Ventures.


China Cyber Security Update – How Do the Recent Regulations Impact Your Business?

Cyber security has been a top priority concern of the Chinese government since the Snowden revelations and the disclosure of the US PRISM project. In this regard, the most remarkable move on legislation side …

The post China Cyber Security Update – How Do the Recent Regulations Impact Your Business? appeared first on National Cyber Security Ventures.


Barack Obama Says He Underestimated Impact Of Russian Hacking

President Barack Obama on Sunday admitted that he “underestimated” the impact misinformation and hacking can have on democracies, following an intelligence report on Russian meddling in the US presidential election.
In an interview on ABC’s “This Week,” Obama also warned

The post Barack Obama Says He Underestimated Impact Of Russian Hacking appeared first on National Cyber Security Ventures.


Researchers to help shine blue light on Social media’s impact on public safety and security

A Europe-wide research team led by the University of Warwick has won European funding to bring together communities, policing and policy makers to tackle how to protect the public on social media, and use social media to tackle crime.

The post Researchers to help shine blue light on Social media’s impact on public safety and security appeared first on National Cyber Security.


How Do You Know When You’ve Made an Impact?

I love Teacher Appreciation Week. Certainly, it is nice to feel appreciated, but I find it to be a great opportunity to reflect upon teachers who have made a difference in our lives. While it is […]

The post How Do You Know When You’ve Made an Impact? appeared first on EducationCloset.


The post How Do You Know When You’ve Made an Impact? appeared first on Parent Security Online.


Good news: Smoking marijuana as a teen may not impact your health as an adult after all

Hear that? It’s the sound of teen stoners everywhere telling their parents, “I told you so.”

A new study published in Psychology of Addictive Behaviors found that smoking pot as an adolescent is not linked to problems with physical or mental health later in the users’ life, including asthma, allergies, high blood pressure, or mood disorders.

“What we found was a little surprising,” said Jordan Bechtold, the lead researcher and a psychology research fellow at the University of Pittsburgh Medical Center, in a press release.

The study used data collected through the […]

The post Good news: Smoking marijuana as a teen may not impact your health as an adult after all appeared first on Parent Security Online.


New Hacking Threat Could Impact Traffic Systems

Motorists drive by traffic lights every day and trust they will work. But NBC 5 Investigates found that as more cities turn to wireless traffic systems, some of those systems are unprotected and open to a cyber-attack. “We implicitly trust […]
