The niner noteworthy stories of 2017 (week 23)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

The Next Device in Your House to Get Hacked May Be Your Vibrator

Or as another tech platform wrote down: “sex toy doesn’t pass penetration test”.
All jokes aside, the opinion and the related problem in this article are all too real. We have seen even more sex toys being hackable, but a lot more than that as well.
If you use the right search engine on the Internet (not even the dark web) you can find a lot of IP cameras from all over the world watching homes from the inside and the outside, and possibly bedrooms too. Most of the time those cameras are not even hacked; they simply ship with a default configuration that makes them accessible from the Internet without credentials, or with default ones at best.
Okay, not a hack as such, but it highlights the full scope of the problem, which is broader than a lack of good software: it also includes default settings that are vulnerable or outright silly from a security and privacy by design point of view.
This problem is only going to get worse in the coming years. Legislation is being proposed, but that may take some time and will always lag behind the technical innovation that makes this possible.
source: Wired (external link)

Bluetooth-Equipped Card Skimmer Found In Essex Gas Pump

Yep, this way you don’t need to retrieve your skimmer and can access it remotely. Though do note that the range of Bluetooth devices is limited, to 10 meters at most. If there is enough metal in the pump housing, that range could be severely reduced as well.
That’s with standard equipment and no knowledge of directional antenna systems, which can increase that range significantly. Since it is possible to build such an antenna hidden in a Pringles chips can, the so-called cantenna, they probably won’t look very suspicious either.
Next time I would opt for Wifi though, as that might be easier over a larger distance (obviously some other frequencies and transmission modes are even better suited, but I will keep those to myself).
source: Hartford Courant (external link)


Raspberry PI attack compromises networks, steals admin credentials

Physical access is almost always game over, especially with standard installations and no extra measures, such as disallowing certain USB devices from connecting in the first place. Although I will admit that’s not a foolproof method either.
This not only holds for USB ports though; FireWire is even worse. As there is no bus structure (master/slave) available, it is relatively easy to misuse these ports to gain access to hardware on the targeted machine. In one case, where security as close to absolute as possible had to be guaranteed, I know they actually glued these ports shut to make a physical connection impossible.
If all that doesn’t help, why not activate the remote management feature and simulate a serial port over a network connection? Yep, that’s possible too, although usually for legitimate reasons and not for the ones described in this Ars Technica article (external link). Whilst not undetectable, if you are not looking for it, it probably will stay under the radar of your monitoring tools.
source: SC magazine (external link)

News and sports websites ‘vulnerable to attack’

Okay, this is one of the few articles on the BBC technology site that makes me feel they asked a total idiot to comment on this topic. First of all, HTTPS using SSL or TLS does absolutely nothing for the security of your website; it secures the traffic to your website.
And cross-site scripting has nothing to do with SSL/TLS either. It’s a bug in your programming code that allows malicious code, which shouldn’t be there in the first place, to be executed in the visitor’s browser. This XSS attack will work even if you are using SSL/TLS, which has no effect on it whatsoever (except maybe for a warning that the page is loading insecure elements, which a lot of users will probably ignore anyway).
Yes, if you click on the padlock you can see who issued the certificate and to which website it was issued, but that’s about the only correct comment in this article by the professor quoted in it. Shame on you, BBC!
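To make the point above concrete, here is an added example (not from the BBC article or this post) that renders the same page with and without output escaping, over a simulated http and https URL; the host name, function names and the sample input are all constructed for the demonstration.

```python
# Added example (not from the original post): the same cross-site scripting
# bug rendered over http:// and https://, to show that transport security
# does not touch an application-level flaw. All names are hypothetical.
import html

# Constructed sample input: a "search term" a visitor might submit.
UNTRUSTED = '<script>alert("xss")</script>'


def render_unsafe(search_term: str) -> str:
    """Vulnerable: interpolates user input into HTML without escaping."""
    return f"<p>Results for: {search_term}</p>"


def render_safe(search_term: str) -> str:
    """Fixed: escapes the input so the browser shows text, not markup."""
    return f"<p>Results for: {html.escape(search_term)}</p>"


def serve(scheme: str, renderer, search_term: str) -> dict:
    """Simulate a response. The scheme only decides whether the bytes are
    encrypted in transit; it has no influence on what the body contains."""
    body = renderer(search_term)
    return {"url": f"{scheme}://news.example/search",
            "encrypted": scheme == "https",
            "body": body}


def contains_script(body: str) -> bool:
    """Crude check a defender might put in a test suite: does a raw
    <script> tag survive into the rendered page?"""
    return "<script>" in body.lower()


def demo() -> dict:
    """Return, per (scheme, renderer), whether a script tag made it through."""
    results = {}
    for scheme in ("http", "https"):
        for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
            resp = serve(scheme, renderer, UNTRUSTED)
            results[(scheme, name)] = contains_script(resp["body"])
    return results


if __name__ == "__main__":
    for (scheme, name), leaked in demo().items():
        print(f"{scheme:5} {name:6} script tag reaches the browser: {leaked}")
```

The unsafe renderer leaks the script tag on both schemes and the escaped one on neither, which is exactly why the padlock says nothing about XSS.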
source: BBC News (external link)

HPE ignored SAN failure warnings at Australian Taxation Office, had no recovery plan

This all seems to me close to the following scenario: storage is outsourced as cheaply as possible, the ATO lacks the in-house expertise to fully govern the solution, and the vendor puts in a half-hearted effort to get everything in as soon as possible, makes a lot of stupid mistakes and has to pay for it afterwards.
Not testing recovery, and even storing the recovery tools on the very drives you may need to recover, is outright a lack of knowledge. Stripe sets fail completely if one disk in the set fails; anyone who knows even the basics of RAID configurations (redundant arrays of inexpensive disks) will know this.
As for all those errors? Well, obviously nobody was looking at them. Oh yeah, and those cables causing an outage? Probably all routed through the same cable location, so if you pull one you pull them all.
We probably will never know exactly how close I am, but probably too close for comfort, for HPE at least.
source: The Register (external link)


Federal report: Hospital cybersecurity is in ‘critical condition’

The most important and key notice in this article is the small sentence stating “if the system is connected to the Internet”; this is precisely what the problem is in the healthcare sector.
Yes, the lack of skilled people certainly doesn’t help, and neither does using regular IT staff to do security as well.
But why are those systems connected in the first place? Who took that decision and evaluated the risks associated with it? What would happen if we took all that equipment off a direct connection with the Internet?
Complementary to this is the fact that a lot of hospital equipment still relies heavily on older software versions, and even older versions of operating systems, that are known to be extremely vulnerable and should never be connected to the network.
However, similarly to the industrial sector, we have seen a craze of connecting everything to everything else without fully evaluating the consequences and risks. So if you want to secure your hospital, look at disconnecting, or at least isolating, stuff before you are the next target.
source: Cyberscoop (external link)

Europe’s looming data protection rules look swell – for IT security peddlers. Ker-ching!

I fully disagree with this article. Not only are a lot of firms, large and small, not scrambling at all to ready themselves for the incoming GDPR, this regulation is not an information security regulation at all (yes, there is overlap with information security, I know).
I don’t know what their research is based on, probably questionnaires to senior management as per usual. What that tells you is only what the senior level believes their company is ready for, or what is known about certain regulations and standards, which certainly does not have to match the reality on the company floor.
Besides that, information security spending will do almost nothing for compliance with the General Data Protection Regulation. Data protection, specifically its legal aspects, has nothing to do with information security. Whereas the latter certainly has its place in GDPR alignment and may even be mandatory to implement certain requirements, it will do nothing for adherence to the articles to which the larger fines of 20 million or 4 percent of annual turnover can be applied. Those articles have to do with data subject rights, which means with how your company handles, uses and processes the data, and specifically not with how it is all secured.
source: The Register (external link)

Ai Weiwei Gets Artsy-Fartsy About Surveillance

Maybe this is one of the few ways to show visitors what kind of surveillance society we are living in these days. Unfortunately it’s not only governments that try to keep an eye on us; the private sector, in the form of advertising networks as well as large tech companies, is more and more pervasive in our everyday lives and everywhere we go.
Whilst this project only shows what CCTV camera systems can see and what impact this may have, the virtual (Internet) side of things is probably even scarier.
If I am asked about these things, my standard remark is that George Orwell was an optimist when he wrote the book 1984 in 1948 and 1949. We have gone far beyond what he describes in his story, for the most part.
Let’s hope the part about the thought police won’t come true either.
source: Wired (external link)


Boeing preps pilotless passenger flights – once it has solved the Sully problem, of course

Okay, so artificial intelligence needs to become as smart as a real pilot with X number of flight hours under his or her belt. Besides the fact that computers can fail, power can fail too (as we have seen recently on a Boeing 787-900 which lost one engine, after which power failed in some critical systems including communication and navigation), and even auto-pilot systems can do unexpected things (e.g. if your kid is behind the stick and the parent doesn’t realise the plane is actually not being kept on course by the auto-pilot at all).
Another weird remark in this article has to do with that automatic landing and take-off system. Well, how do you suppose planes land in heavy fog? Yep, by using not one but two auto-pilots taking full control. That system is already present in a lot of the recent Boeing 737 fleet, so it is not particularly new for the Dreamliner.
And then I haven’t even mentioned the fly-by-wire (or computer) systems that control most, if not all, currently flying Airbus models.
Pilot error is the cause of a lot of crashes; however, there are also many stories of pilots actually saving their plane and most, if not all, of their passengers and crew by handling an incident in an unexpected way. The Hudson River landing referred to in the article is one of those examples, but there are many more, which in several cases were also a struggle against the technology in the plane itself.
source: The Register (external link)