The secrets of malware success in the Google Play Store

Regular readers of Naked Security will know that when it comes to Android malware, we have three primary tips:

  • Install patches for your device as soon as they are available. (Sadly, for some devices, that’s rarely or never.)
  • Use a product such as Sophos Free Antivirus and Security to keep an eye out for malware, dodgy websites, adware and other potentially unwanted apps.
  • Turn off Allow installation of apps from unknown sources in the Android security settings if you can.

The last option means that you lock your phone voluntarily to the Google Play Store, in much the same way that iPhones and Windows Phones are locked, like it or not, to their respective app stores.

The Google Play app market has a barrier to entry that includes numerous automated app vetting procedures that help to keep out ripped-off, risky, or downright criminally-minded apps.

So, given that the Play Store has an official gatekeeper, operated by Google itself, you may wonder why we also urge you to run a third-party anti-virus tool, and to go out of your way to grab patches as soon as you can.

The problem is easily explained: about 50,000 new apps are admitted to Google Play each month, with just under 2,000,000 apps in there altogether.

At that rate – more than one new app each minute – there isn’t a whole lot of time for scrutiny and due diligence, whether by human, or computer, or both.

Mistakes happen, to the point that during 2015, malware samples from more than 10 different families made it past Google’s checks and were installed more than 10,000,000 times.

Wouldn’t you love to know more about the techniques that crooks use to bypass Google’s safeguards, and what we can do to fight back?

Well, Rowland Yu, a researcher at SophosLabs, would love to tell you, in his paper The Secrets of Malware Success on Google Play Store.

The thing is, he’ll only get to present the paper, at this year’s RSA conference in San Francisco in March 2016, if he gets enough votes.

And that’s where you, dear readers, can help: by voting for him. (Anyone can vote, but if you’re registered for the conference, your vote apparently counts for a bit more.)

Rowland is a great friend of Naked Security, being a regular contributor to our Android articles.

When you read about Android security issues here on Naked Security, the behind-the-scenes research that makes the article possible is often Rowland’s work.

So, we’ve voted for him, as a sort of “thank you” to recognise the quality of his work on our behalf over the years…

…and we’d love you to vote for him, too!

Deadline looms for Safe Harbor framework successor

Just days before a deadline to replace the Safe Harbor framework, which was ruled invalid last year by the European Court of Justice, a key bill has advanced in the U.S. Senate that could impact data privacy for foreign citizens.

The Senate Judiciary Committee advanced the Judicial Redress Act on Thursday, which, if passed, will give foreign citizens or organizations the right to recover damages if their data is misused or mishandled. However, an amendment added on Wednesday by Sen. John Cornyn (R-Texas) placed limits on the rights granted.

Privacy regulators in the European Union had supported the passage of the bill as a sign of good faith by the U.S. for data privacy. The act is “a very, very important signal of trust and reliability,” European Commission Director for Fundamental Rights Paul Nemitz told Reuters, which reported that the last-minute amendments were causing some concern among those involved in the negotiations.

Cornyn’s amendment stated that “in order to qualify as a covered country, a foreign country must permit commercial data transfers with the United States and may not impede the national security interests of the United States.” The amendment requires that a successor to the Safe Harbor framework be in place with the EU before its citizens are granted rights under the bill.

“The progress of the Judicial Redress Act is a welcome development. However, it is unlikely to have a huge impact on Safe Harbor negotiations,” said Mike Weston, CEO of Profusion, a data science consultancy in London. “If the bill becomes law and the U.S. confers the same data protection to European citizens, it will do little to appease the EU, simply because the U.S. currently puts little emphasis on data privacy — especially for non-U.S. citizens.”

“It will take a monumental shift in how the U.S. government balances the rights of users online with national security to make a complete replica of the original Safe Harbor deal possible,” Weston said.

Government officials on both sides of the Atlantic are still scrambling to reach an agreement before the next meeting of the EU government body concerned with data privacy, which is scheduled for Feb. 2.

Importance of the pact

Speaking at the World Economic Forum in Davos, Switzerland last weekend, U.S. Secretary of Commerce Penny Pritzker said that there is a national security component to the framework — in particular, “what kind of information is available about activities done for national security and how do those affect privacy.” She added that “our intelligence community and law enforcement have detailed for the [European Commission] the legal authorities and oversight that has been put in place, particularly post-Snowden.”

“The other big issue is the issue of how to address if a European citizen has a complaint about privacy, and we’ve taken that issue very seriously,” Pritzker said. “We take privacy very seriously in the United States, and we take the issue of addressing this very seriously.”

The Safe Harbor agreement, set in place in 2000, allowed companies to transfer and store personal and private information of EU citizens in the U.S., under the condition that the data remained private. Max Schrems brought his suit challenging the Safe Harbor framework on privacy grounds before Edward Snowden’s revelations of mass surveillance by the National Security Agency in 2013. However, those revelations helped decide the issue.

A process, not a complete solution

Pritzker said at Davos that the new framework will “set up mechanisms to recognize that the landscape will change and that the solutions today will have to evolve.”

Speaking on the same Davos panel as Pritzker, European Commission Vice President Andrus Ansip, who is involved with the Safe Harbor framework replacement negotiations, said that he was confident a consensus would be reached and that “it will be a process to make Safe Harbor even more safe.”

The negotiations are “both fraught with peril, but also ripe with opportunity,” said Brad Smith, president and chief legal officer at Microsoft, also speaking at Davos. “If people in Europe are going to trust American companies, we need to be accountable. People will not trust institutions that are not accountable.”

In other news

  • Basic security lapses in Ukraine’s power grid were to blame for the BlackEnergy malware attack that caused power cuts in December, security consultant Oleh Sych told Reuters this week. The attack was apparently carried out via targeted phishing emails with infected data files, according to Sych. And he claimed that other industrial facilities in Ukraine could also be at risk for similar attacks. Meanwhile, what some news outlets were calling a “massive cyberattack” on Israel’s power grid turned out to be merely a ransomware phishing attack against their Electricity Authority, a department of the government tasked with setting electricity rates and payments.
  • Impressive new records were reported this week for various types of cyberattacks in 2015. Concerns about healthcare data security are well-founded, as healthcare breaches were up tenfold in 2015 over the previous year, with over 113 million Americans — one in three — affected, according to cloud and mobile security firm Bitglass. Meanwhile, it was a record year for distributed denial-of-service attacks, with the largest DDoS attack reported at 500 Gbps, and another eight attack events rated at over 200 Gbps, as well as a “record number of 100 Gbps+ attacks,” according to a report from DDoS and advanced threat protection firm Arbor Networks. “This year’s survey results indicate a sharp uptick, with nearly 25% of respondents seeing peak attack sizes over 100 Gbps.” And if that’s not enough, Google blocked a record 780 million “bad ads” in 2015, according to Sridhar Ramaswamy, senior vice president of ads and commerce at Google. The advertising giant blocks “ads that carry malware, cover up content you’re trying to see or promote fake goods.”
  • This week, Synology became the first hardware manufacturer to deploy Let’s Encrypt free certificates, as the network-attached storage manufacturer announced: “As part of the company’s DSM 6.0 beta, it’s added the ability to secure your NAS device with a Let’s Encrypt free security certificate, rather than Synology’s own self-signed one.”
  • Several vulnerabilities, including some critical ones, were found and patched in almost all versions of the e-commerce platform Magento. Web security firm Sucuri discovered a stored cross-site scripting vulnerability in November and worked with Magento to fix it. Security updates with extensive patches were released late last week for both Magento 1.x and Magento 2.x. Although no exploits have been detected in the wild, users are urged to apply the patches as soon as possible.


OpenSSL patch fixes encryption flaw and strengthens Logjam defense

The OpenSSL project team has released a patch for its cryptographic library to fix a severe vulnerability that could allow an attacker to decrypt HTTPS communications, as well as to harden defenses against the Logjam flaw.

The decryption attack vulnerability was discovered in the way OpenSSL handles the Diffie-Hellman (DH) key exchange in certain scenarios. Usually, OpenSSL only uses so-called “safe” prime numbers, but in OpenSSL 1.0.2 a new way of generating parameter files will reuse a prime number. Theoretically, an attacker could then use this value to decrypt secure communications.

However, the advisory noted that this attack would be difficult to perform because it would require “the attacker complete multiple handshakes in which the peer uses the same private DH exponent.”

Garve Hays, Solutions Architect at Micro Focus, said the risk should be limited because the main exposure is in services that provide Forward Secrecy, such as Gmail, Twitter, and Facebook.

“The good news is those organizations are diligent in their patch management process so the risk will be quickly mitigated,” Hays said. “Forward secrecy is a protocol feature wherein the possession of a private key does not allow for the decryption of past messages. Thus if a private key were obtained, it could not be used to go back and recover older communications.”

OpenSSL 1.0.1 is not vulnerable to this kind of attack, so users running version 1.0.2 are urged to install the OpenSSL patch version 1.0.2f.

The new patch also adds new features to further reduce the impact of a Logjam attack. Logjam could allow a man-in-the-middle attacker to downgrade vulnerable TLS connections. A previous OpenSSL patch protected against this attack by rejecting handshakes with DH parameters shorter than 768 bits, and the new patch hardens that protocol to reject parameters shorter than 1024 bits.

Those running OpenSSL 1.0.1 should upgrade to version 1.0.1r to get the additional Logjam security.



Never fear, home IT heroes – Sophos has a security solution for you

Chances are, you’re pretty savvy about technology, computers and security (you’re reading Naked Security, after all).

You know all about the web threats, online scams, and privacy pratfalls that await less-knowledgeable people at every turn; you’re capable and keep your computers and devices up-to-date and secure as best you know how.

Because of this, your friends, family and co-workers probably come to you for troubleshooting problems.

Sure, you’re happy to do it, most of the time. But there are a lot of people counting on you.

Not long ago we asked how much extra work home IT heroes like you are doing for the people in your life, and who you’re most worried about when it comes to keeping them safe.

Now, the results are in.

Home IT heroes are taking care of a lot of people – 43% said they’re watching over between three and five people and another 16% said they’re looking after between six and ten people!

And the people home IT heroes are most worried about?

Parents, followed by friends (under the “other” column, many also commented that they’re worried about the in-laws, too).

If you’re a home IT hero, you’re not just worried about protecting the people in your home, like significant others, spouses or your kids. You’ve got to look after people who live all over the place, too.

Friends, neighbors, parents, grandparents … how can you keep track of them all?

Sophos has the answer in the new(ish) free tool, Sophos Home.

With Sophos Home, you can protect the PCs and Macs of everyone you look after – up to 10 in all – from a simple web-based console that’s a snap to use.

All you need to do is sign up for an account, download Sophos Home on to your own computer, and send a link to the people whose security you’re going to manage.

Once they download Sophos Home, their computer is connected via the cloud to your Sophos Home account, and you can manage their security from the Sophos Home Dashboard, using any web browser.


If mom or dad inadvertently downloads malware from a dodgy email attachment, or gets hit by drive-by malware when surfing the web, they’ll be protected automatically.

If it’s the kids’ computers you’re protecting, built-in web filtering software allows you to select categories of websites to block, such as adult content, gambling, drugs or violent websites.

You’ll see an alert in the dashboard about cleaned threats and blocked websites – plus any “potentially unwanted applications” (PUAs) like adware, which you can Allow or Delete.

There’s no time limit – your free Sophos Home account will never expire – and you won’t be bugged with “nagware” asking you to upgrade to a paid version.

With Sophos Home, you have nothing to fear, home IT heroes, and much to gain.

Try out Sophos Home today.

Image of hero courtesy of Shutterstock.com.

CISO salaries and demand for cyber-skills skyrockets, surprising no-one

Two new reports from recruitment company BeecherMadden show that demand for cyber-skills is rising massively, that few candidates are able to meet that demand, and that CISO salaries are also going up.

Bigger salaries for CISOs and more jobs on offer, say BeecherMadden's new reports.

Two new studies have shown that vacancies in cyber-security positions have skyrocketed, as have CISO salaries. In line with the new trend of growing cyber-insurance prices and headline-grabbing breaches, it appears as though the world has started to wake up to just how much it needs cyber-security professionals and just how few there are.

BeecherMadden, the recruitment company that put out these studies, saw a rise of 68 percent in such vacancies and expects that increase to continue, ultimately with 50 percent of cyber-security vacancies going unfilled.

This is not driven by some kind of exodus from the cyber-sec industry but rather a large increase in demand. Meanwhile CISO salaries have gone up considerably in the last two years, with very few dropping below £100,000 a year.

David Emm, principal security researcher at Kaspersky Lab, spoke to SCMagazine, offering some insight as to this skills gap: “The growth in demand for cyber-security professionals is a consequence of the growing role of IT in our lives. Technology and internet connectivity is now woven into the fabric of our lives – there are few areas of society that aren’t dependent on both now.”

The readers of this publication will not find these revelations all that revelatory. The cyber-skills gap is a theme that never fails to show up in news stories, official speeches and day to day chitchat within the industry.

SC spoke to Karla Jobling, COO at BeecherMadden, who said that we’re seeing “continued demand, and increased demand from different sectors. We’ve seen jobs this year coming from the companies you might expect that have had big cyber-attacks. Industries that traditionally wouldn’t have recruited cyber-professionals are now putting whole teams in place.”

The financial and technology industries, large targets for cyber-attacks that they are, remain the hungriest for cyber-sec professionals, with a small increase among telecommunications firms. Industries such as retail remain comparatively low which may seem strange considering the headline making breaches like Target or Carphone Warehouse.

Strangely enough, despite this increased demand, wages for sub-CISO roles have not risen to meet it. The report notes that salaries have been stagnant for the last 12 months, “with no real increases at the grades below CISO”. According to Jobling, despite the increased demand “companies are no longer willing to write a blank cheque.” While candidates are asking for big increases in salary without the necessary increase in credentials or skills, companies are just saying no.

The salaries, such as they are, aren’t too shabby. 80 percent of the industry earn in excess of £500 a day, with rates more than twice that common for particularly experienced people. The second report, on the other hand, mentions that 75 percent of the CISOs surveyed are paid over £120,000, around four times the average UK salary.

Roles are also changing, and new ones are appearing that require the same cyber-security skills. The report notes that cyber-data analytics jobs as well as training positions are popping up more and more: “Behavioural analytics, identity management and awareness look to be the trends for 2016.”

This Facebook bug could have allowed hackers to take over your account

A UK security researcher who goes by fin1te has just published the fascinating story of a Cross-Site Scripting (XSS) bug he found in Facebook’s content delivery network.

Fin1te (whose real name is Jack Whitton) reported the bug in July 2015, and apparently received $7500 for his efforts, but nevertheless waited until this week before going public.

He wrote that Facebook closed the hole within a few hours of his report, but he held off from disclosing the bug for six months to give Facebook time to implement a more complete fix.

XSS EXPLAINED

We’ve described XSS attacks before.

Very simply put, XSS refers to the sort of bug where you send a website content that deviously includes embedded JavaScript, and the website later (and incorrectly) includes that poisoned content in its reply.

For example, you’ve probably visited many websites that show your username at the top of every page once you’ve logged in.

That’s handy, as long as your name is something innocent like pducklin, and not something treacherous like <script>ReadSomeCookie()</script>.

If the website wrongly sends your browser a script in place of regular text or HTML, your browser will run it instead of simply displaying it, which amounts to a Remote Code Execution (RCE) attack.

Whenever a website displays or serves up any content that originally came from outside, whether buried inside an uploaded file or included in a URL, it needs to be very careful to filter out risky characters.

Dangerous characters notably include angle brackets (< and > signs), because they are used to denote parts of a webpage that should be treated as images, links, scripts and so on.

THE “CROSS-SITE” PART

Fin1te’s complete hack is quite involved.

Like many successful exploits, it requires a series of steps, or pivots, by means of which booby-trapped content uploaded in one place is then deviously made to show up somewhere else.

That’s the “cross-site” part of the attack.

Fin1te figured out how to upload hidden JavaScript to Facebook’s content delivery network (CDN), where files such as videos, images and so on get stored.

But CDN files typically get served up from a domain such as fbcdn.net or akamaihd.net, so even if you can sneak rogue scripts in there, when you load them back, they can’t read web data such as session cookies from facebook.com, because of a browser safety measure called the same-origin policy.

The same-origin policy stops me putting code on my website that retrieves private web data set by your website, and is a key component of web security.

BYPASSING THE SAME-ORIGIN POLICY

Fin1te found a way to create a URL on the domain photos.facebook.com that was redirected to serve up his booby-trapped file from the CDN.

In short, he now had a way to upload a hidden script to the CDN, and then to retrieve that script via an innocent-looking link that a user could be tricked into clicking from a facebook.com domain.

His script would then run in the victim’s browser as if it were an official Facebook script.

If the user were logged in, the attack script could, at least in theory, do just about anything the user could do, including posting status messages and retrieving private data.

Of course, if I can surreptitiously send messages to your friends that include the same treacherous link to the script hidden on the CDN, then as soon as they read the messages, they’ll surreptitiously broadcast the script link to their friends, and so on, and so on.

An XSS attack that can be abused in this way is known as wormable, because it can be used to spread itself automatically across the network, making it a network worm or virus, much like the infamous Morris Worm of 1988, or Slammer from 2003.

THE NEAT PART

The really neat part of the vulnerability?

To upload the hidden script, Fin1te buried it inside the data part of a PNG-format image file so that Facebook’s CDN would recognise it as an image file, and thus incorrectly treat it as unexceptionable and therefore “mostly harmless.”

To do this, he needed to create a well-formed image file that would load and display properly if treated as an image, but if processed in its raw form as plain HTML, would contain text such as <script>DOBADSTUFF()</script>.

But the data part of a PNG image is compressed with an algorithm called Deflate (the same compression used in ZIP files), so Fin1te actually needed to find data that, when used as input to Deflate, produced JavaScript as its compressed output.

Like a lot of security research, it’s only easy once you know how!

Sysadmin held at gunpoint by man demanding he fix his computer

Joseph “Joe” Nestor Mondello was arrested last month for allegedly refusing to let a Dell technician leave his house to get a part he said he needed to fix Mondello’s computer, pointing a gun at him and ordering him to fix the computer lest he kill him.

According to the local paper Arlington Patch, police in Arlington County, Virginia, said that the confrontation began on 28 December around 11 a.m. when the computer tech showed up at a house in Arlington to try to fix a computer.

The homeowner was 50-year-old Mondello.

Police said that the tech told Mondello that he needed to leave to get a part to fix the computer.

Arlington County Police spokesman Dustin Sternbeck told the paper that the request to go get a part “sent our subject over the edge.”

Arlington Patch quotes Sternbeck:

He became furious and clearly agitated, [telling the tech that] you’re not leaving this house until the computer is fixed.

Then Mondello left the room, returning with what looked like a gun held at his side.

Sternbeck said that Mondello started pacing back and forth, making threats along the lines of:

I’m going to kill you slowly.

Police said that’s not a direct quote; they know that threats were made against the tech and he was in fear of his life, but they haven’t provided direct quotes.

At that point, Mondello’s wife, having heard her husband making threats, came downstairs and got between her husband and the computer tech.

That gave the tech the chance to escape, so he fled, called his office, and then called the emergency number 911 for assistance, Sternbeck said.

Police sent a SWAT team to the house and executed search warrants, but Mondello turned himself in after a brief period of time.

The gun turned out to be fake.

Such replicas can have serious consequences, Sternbeck said – a fact underscored by the tragic killing of 12-year-old Tamir Rice, whom Cleveland police shot to death last year when they encountered the boy playing with what turned out to be a black toy pellet gun.

Mondello, charged with abduction by force/intimidation and use of a firearm in a felony, was taken into custody.

He posted bail and has already received a preliminary hearing.

At Naked Security, we have a lot of fun celebrating system administrators and other computer techs who, every day, talk down frustrated users.

These professionals often carry out what can be a stressful job with creativity, wit and style.

We’re relieved that the technician got away safe, with nobody being hurt, that a toy gun didn’t lead to yet another pointless death, and that Mondello’s wife had the bravery necessary to step up and be a hero.

Image of Gunpoint courtesy of Shutterstock.com

Dad found not guilty for taking away his daughter’s iPhone

Have you ever taken your child’s mobile phone away, as punishment?

Be careful: it could get you thrown in jail.

That’s what happened to Ronald Jackson, a 36-year-old dad who took away his daughter’s iPhone 4 in 2013, when she was 12, after finding rude texts she’d sent about another girl.

He took the phone away to teach her a lesson, he said.

Jackson, from Grand Prairie, Texas, told CBS that it seemed to him to be simply a case of a parent disciplining his child:

I was being a parent. You know, a child does something wrong, you teach them what’s right.

You tell them what they did wrong and you give them a punishment to show that they shouldn’t be doing that.

According to Mashable, Jackson’s lawyer, Cameron Gray, said his client’s daughter had been trying to organize an attack on another minor, and that’s why Jackson took her iPhone away.

The girl’s mother didn’t quite see it that way.

In fact, Michelle Steppe saw it as theft and called police. Around 2 am, Jackson heard a knock on his door.

It was Grand Prairie police, asking for the phone.

Jackson refused.

What he told CBS:

I didn’t want the police department telling me how to parent my child. It made no sense to me for them to show up and make a big deal out of something that was a small thing.

I couldn’t believe they would go to this extent for a cell phone. It didn’t seem right.

It got ever more not right: he was handcuffed and hauled off to jail, where he spent the night before paying $1,500 in bail money.

The mom’s rationale: “Number one, the property belongs to me,” Michelle Steppe told WFAA News8.

Number two, she couldn’t tell her daughter that what her dad did was OK, she said:

You can’t take someone’s property, regardless if you’re a parent or not.

The station reports that three months after the phone incident, Jackson received a citation in the mail, for theft of property less than $50 in value, a Class C misdemeanor.

Court documents reportedly show that the city attorney’s office offered a plea deal in January 2014 if Jackson returned the phone.

He did not return the phone. Instead, he hired an attorney and requested a trial by jury.

That’s when the city attorney’s office ratcheted it up a notch, asking that the case be dismissed and refiled as a more stringent Class B misdemeanor, punishable by six months in jail and a $2,000 fine.

On Tuesday, Jackson was found not guilty.

Dallas County Criminal Court Judge Lisa Green ordered the jury to find Jackson not guilty after ruling that the state failed to present sufficient evidence to continue the case.

Steppe told News8 that the verdict confused her, given that she bought the phone and that the coverage plans were under her name.

Even if you purchase something with your own money and have a receipt, it’s not yours. Someone can take it from you.

Jackson told reporters that the saga has alienated him from his daughter and her mother:

I have to separate myself from them. I can’t ever have a relationship with them again.

But it’s not going to stop there.

Jackson’s lawyer, Gray, said he plans to file a federal complaint for civil rights violations for the way Jackson was treated by the Grand Prairie Police Department and the city attorney’s office.

You probably won’t be surprised to hear that Jackson still hasn’t given back the phone.

Readers, who do you sympathize with in this case?

On one hand, we have a dad who deserves credit for attempting to stop what sounds like a brewing case of cyberbullying.

That’s good, responsible parenting.

On the other hand, we have a woman who paid for the phone and its coverage plan.

Shouldn’t she have some say in what’s done with it?

More than anything, I sympathize with the police, who had to put themselves between these warring parents as they tried to get the phone back.

News8 quotes Grand Prairie Detective Lyle Gensler:

We do not like these kinds of instances to go into the criminal justice system. We prefer to keep it out and the phone be returned and let the parents, the two adults, work it out among themselves.

Work it out? Well, that’s a pipe dream, obviously!

Readers, do you have any horror stories about the repercussions of taking gadgets away from kids?

Head south for the comments section, and do tell!

Image of phone courtesy of Windyboy / Shutterstock.com.

FDA releases draft guidelines to improve cybersecurity in medical devices

There’s no doubt that the global Internet of Things (IoT) healthcare market is growing.

Sadly, the IoT is a bit of a cybersecurity nightmare; many smart things aren’t secured properly, leaving sensitive data, and sometimes people’s health, at risk.

Cybersecurity in medical devices has been of concern for some years now – last year a security hole was found in some drug pumps which could have allowed a fatal dose to be administered, and back in 2013, the wireless capabilities of Dick Cheney’s pacemaker were disabled to thwart hacking attempts (read assassination attempts).

The US Food and Drug Administration (FDA) is well aware of the cybersecurity risks in medical devices and for a while has been asking makers to see medical device security as a serious concern.

Now, it has issued draft guidelines to give device makers a clearer picture of the steps that need to be followed to ensure the safety of their devices.

In a statement, the agency said:

Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

Some of the key elements of this draft guidance include:

  • Apply the 2014 NIST voluntary framework for improving critical infrastructure cybersecurity.
  • Define essential clinical performance to develop solutions that offer protection from cybersecurity risks and also help respond to and recover from them.
  • Keep on top of sources that help identify and detect cybersecurity vulnerabilities.
  • Understand and assess the implications of a vulnerability.
  • Create and follow a seamless vulnerability management process.
  • Put in place and practice a well-coordinated vulnerability disclosure policy.
  • Deploy cybersecurity risk mitigations early, before a vulnerability is exploited.

The document is in its draft stages, and a work in progress. We’re glad to see it.

Image of stethoscope courtesy of Shutterstock.

NYC launches investigation into hackability of baby monitors

The point of baby monitors is to ensure the safety of children.

It’s most certainly not to let cyber marauders invade a nursery’s privacy, swivel the camera around at will, use it to spy on infants, swear at the child, insult parents, give running commentary to diaper-changing nannies, play creepy music, make sexual noises, stream the footage to a website, or have its images indexed along with feeds from all the other unsecured webcams a spidering search engine can dig out from the web.

But that, unfortunately, is exactly what’s happened in a string of incidents involving baby monitors.

Now, months after researchers demonstrated the existence of serious vulnerabilities in the devices, New York City is launching an investigation into monitor manufacturers to learn more about the devices, their security practices, and whether known vulnerabilities have been patched.

The city’s Department of Consumer Affairs (DCA) announced on Wednesday that it’s issued subpoenas to a number of manufacturers.

At the same time, the DCA issued a warning to parents, advising them to research the devices to see if a given model, or its applications, has any known security vulnerabilities.

The DCA also posted a list of tips on how to keep the internet-connected cameras safe.

The agency wouldn’t name the companies it’s subpoenaed, but Wired reports that the agency has targeted a total of four manufacturers.

According to Wired, the DCA says that the subpoenas “demand to see evidence to back up claims that the companies make about the security of their devices, complaints they’ve received about unauthorized access to the cameras, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches, and whether those patches were actually implemented by the devices’ owners.”

Consumer Affairs Commissioner Julie Menin told the publication that if the companies aren’t living up to the promises of security they’ve made in their marketing, they could face civil fines for deceptive marketing practices.

Wired quotes her:

This is a situation where parents purchase a video monitor intending for it to give them peace of mind…and instead what we’re seeing is some terrifying instances of people hacking into them.

When these manufacturers say they keep your babies safe, and yet they’re not taking precautions they need to protect families’ data, that’s a real problem, and it’s deceptive marketing.

Insecure webcams are nothing new.

We’ve written about them before, notably when a site called insecam.com allegedly tapped into insecure cameras to produce live copies of the feeds they were streaming.

Note that there are many other types of webcams being picked up by hackers, not just babycams.

We recently wrote about Shodan, a search engine for internet-connected devices that crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.

Besides babies being spied on, Shodan has been picking up streams from a motley list of webcams. Ars Technica reports that it’s already made public images from “marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.”

Sextortion is of course another subgenre of the crimes pulled by cyber creeps accessing unsecured webcams.

But the New York DCA says that it’s focusing its investigation on baby monitors because of all of the real-world incidents underscoring the validity of security researchers’ warnings.

The consumer protection agency is advising parents to conduct thorough research on devices before purchasing one; to use a strong, non-default, unique password (here’s how); to register the products and keep them patched; and to turn them off when they’re not in use.

To add to that list, we’ve put together some tips on how to secure your baby monitor.

Image of Baby Monitor courtesy of Shutterstock.com
