Posted on 10/23/2016 4:42:29 PM PDT by Tilted Irish Kilt
Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet,
as hackers build vast networks of Internet of Things devices to bombard websites with traffic.
The attack on Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and the New York Times on Friday,
highlighted the risks posed by the billions of devices connected to the internet with little or no cyber security protections.
Unidentified hackers took over tens of millions of devices using malicious software called Mirai, making the attack much more powerful and harder to defend against than the average distributed denial of service attack.
In a rush of excitement about the prospect of controlling houses and office buildings from smartphones, changing the temperature or detecting burglars using cameras,
many manufacturers with little experience of cyber security have connected devices to the internet.
Regulators have not yet created clear rules on how they should be protected, and even businesses are finding well-meaning suppliers
or facilities managers have accidentally created holes in their corporate networks by adding connected devices.
(Excerpt) Read more at ft.com ...
Security in the hardware industry is a decade behind where it is in the software industry, he says. Mirai was successful because so many webcams,
digital video recorders, etc., have been produced with default passwords that have never been changed.
A simple internet scan identifies them and they can quickly be compromised.
Cyber security experts have been warning about the risk of Internet of Things devices for years, staging high-profile hacks
at their annual conference Def Con that show how everything from connected cars to insulin pumps could be hacked.
But often it has been hard to see why a cyber criminal would target an individual's device,
unless to expose the activity of a person in the public eye or cause harm to a political figure.
This attack showed even if a connected device is not necessarily a huge threat to its owner, it could be used maliciously to attack others.
Being prepared also may mean turning your back on convenience.
Protect your privacy - it's your responsibility!
BUMP!
Privacy / Security is earned not promised.
Study free and easy, or at least cheap, internet security. A VPN, Yubikey, Tor, Tails, Hushmail, Signal, Burner, PGP email, etc., along with security software such as Kaspersky or Norton for your gadgets ... secure your wifi router with an “outstanding” password like “Q#/\LoP74+?Saq!” versus “1234567890”.
Folks need to consider the more anonymous one is ....so is their software, hardware and the data on it.
Gibberish passwords are not a good idea.
Internet Of Things Contains Average Of 25 Vulnerabilities Per Device
Dark Reading
7/29/2014 09:15 AM
Ericka Chickowski
New study finds high volume of security flaws in such IoT devices as webcams, home thermostats, remote power outlets, sprinkler controllers, home alarms, and garage door openers.
A new study published this week found that, even among just a small sample of some of the most popular and prevalent Internet of Things (IoT) devices, researchers uncovered 250 vulnerabilities — many of which were severe and resulted in remote code execution, including vulnerabilities to Heartbleed, denial of service, and cross-site scripting.
Conducted by researchers at HP Fortify, the study was meant to demonstrate what may be found when a more comprehensive and disciplined approach is taken to examining this growing new class of devices.
Daniel Miessler, practice principal for Fortify On Demand at HP Fortify, who led the project, says many of the vulnerability discoveries announced about IoT devices over the last couple of years have been one-off findings.
“We haven’t really seen a comprehensive approach when people talk about it — they might talk about one vulnerability on the device or one relevant Internet vulnerability,” he says, explaining that what makes IoT devices different is their multi-faceted nature. “When you think about what all is involved in an Internet of Things device, you’ve got the device itself, network access, authentication, the Internet component; and all these pieces together are what stack up to be the Internet of Things device. If you’re not looking at the big picture, you’re missing a lot of stuff.”
This is why Miessler earlier this year collaborated with researchers Craig Smith and Jason Haddix to come up with the OWASP Internet of Things Top Ten Project, which delineates the top 10 security problems seen in IoT devices and tips on how to prevent them. For the study, he used that list as a backbone for testing 10 common devices, including a webcam, home thermostat, sprinkler controller, home alarm, and garage door opener.
Among those 10 devices, HP Security Research found an average of 25 vulnerabilities per device. Seven out of 10 of the devices when combined with their cloud and mobile applications gave attackers the ability to identify valid user accounts through enumeration. Nine out of 10 devices collected at least one piece of personal information through the device or related cloud or mobile app; and six of the devices had user interfaces vulnerable to a range of web flaws such as persistent XSS.
“We had one where you were able to log in and get root access to the device, and from there you could actually run and execute commands, pivot over to various locations on the internal network,” Miessler tells us.
He explains that, though many IoT devices are marketed to consumers, these rampant vulnerabilities have quite a bit of relevance for enterprises as well.
“They’re not going to be closed to the devices we have here: TVs, webcams, home thermostats. They’re not adverse to rolling out prosumer versions of these products, and we’re already getting pings from our large corporate customers asking how secure these exact devices are.”
And that’s not to mention other very corporate devices such as SCADA networks, which exhibit the same multi-faceted attack surfaces as consumer IoT devices, he says. The biggest thing he wants enterprises to realize is they need to broaden their testing horizons lest they miss some very glaring vulnerabilities.
“It’s not just cloud, it’s not just the device, and it’s not just network security,” says Miessler. “People shouldn’t view it as a one-dimensional problem.”
OWASP (Open Web Application Security Project) Internet of Things Project - OWASP
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
What is the OWASP Internet of Things Project?
The OWASP Internet of Things Project provides information on:
IoT Attack Surface Areas
IoT Vulnerabilities
Firmware Analysis
ICS/SCADA Software Weaknesses
Community Information
IoT Testing Guides
IoT Security Guidance
Principles of IoT Security
IoT Framework Assessment
Developer, Consumer and Manufacturer Guidance
Design Principles
Oh I can remember em..... :o)
Use random phrases mixed with dates also.
Dam ! You guessed my password - 1234567890 !!.. but do I have to change it ?
"I'll bet you can't guess my router password " - which happens to be my street address
I'll name my router after my business - "Henry's Confidential CPA and Financial Investment Services"
- is just an open invitation to an online hacker or passersby.
Still want to synch all your electronics ?
All of this is .. /s !!
I study here ...... legal, educational and eye opening retirement hobby..
Noooo never sync gadgets.....
Personally, I can’t wait for these phones to go away.
And port80 internet. You know, the browser garbage.
The phones are a great device, but our astronomical cellular bills have paid for an 80 billion dollar merger that works against us, and countless billions in shoddy towers, equipment and projects.
And I’m in the cellular industry, I know what I’m talking about here. Billions of dollars wasted on garbage and mistakes.
Peeping into 73,000 unsecured security cameras thanks to default passwords
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html
View 73,000+ cameras around the world. I see you!
http://www.insecam.org
As far as everything else, we are a couple of throwbacks.
Being able to lock my doors with my phone means that someone else can unlock them and frankly the convenience is not worth the risk.
I don’t want any of my household appliances or vehicles connected.
Thanks for the ping. I have a question for any and all. I would like to have a battery operated immersion blender that would be strong enough to make smoothies with frozen fruit.
I also would like to use regular C or D batteries, but AA would also be ok, as I have a solar charger as well as an electric one.
I would use it all the time now as a convenience, and it would be nice to have in case of emergencies too - could use it for icing for cakes etc.
I did a quick search, and the only ones I found seem to be very light-weight, for mixing drinks and such.
There are others, but they fit onto a charging stand, so you’re still using electricity to recharge the battery.
I would check Lehman’s - they probably have a manual food processor, or something like that.
".. or any vehicles connected"
Sorta like Michael Hastings' vehicle,
going 130 Mph in a 35 Mph zone, and fatally hitting a tree
at 4:20 AM, after he nervously thought someone had tinkered with his new car
and then 15-20 minutes later a couple of Feds show up since "they were in the neighborhood"
Imagine that ! I didn't know that there was a donut shop in a residential neighborhood, much less at that hour !
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.