Vulnerabilities / Threats
1/23/2014
01:06 PM
Martin Lee
Martin Lee
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail

Future Shock: The Internet of Compromised Things

It's doubtful that the average consumer would be aware that his or her refrigerator was participating in a DDoS attack. Even fewer would have any idea how to stop it.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/24/2014 | 1:13:17 PM
Rise of the Machines
Isn't this exactly why John Conner could not break into HQ and destroy Skynet? It had already distributed itself to every toaster and fridge on the plant!
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 11:22:42 AM
Re: Compimise your services?
Marilyn: The internet of things will happen and it will be awesome. I see there is another article on the business models of IoT by Ido Sarig on Information Week today http://ubm.io/1aPnuye We know how to secure these systems by design, it takes some thought but it is not impossible.  Systems have been succombing to the same attacks again and again since the time of the Trojan wars and the invention of a certain horse. I'd be very happy buying a system that was secure against today's attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 11:01:37 AM
Re: Compimise your services?
That's a great point about the scale of the IoT. It's fun to talk about smart toasters, Google glass and all the gee whiz technology that entrepeneurs are imagining for the future. But security-after-the-fact will be a nightmare. On the other hand, how do you defend against attacks on products that haven't yet been invented? 
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 11:00:03 AM
Re: Compimise your services?
Like we might look for an EnergyStar label! Maybe there should be an independent lab, like Consumer Reports, testing and certifying security in a way consumers can understand.
MartinL923
100%
0%
MartinL923,
User Rank: Apprentice
1/24/2014 | 10:50:06 AM
Re: Compimise your services?
Lorna: I think that by then it will be too late. If we're to secure internet enabled smart-devices we need to ensure that these are secure by design *now*. By the time that such attacks are hitting the headlines, there will already be many thousands of these devices in circulation that we will not be able to secure. We need to raise the profile of security to make sure that buyers are raising the issue with the vendors. In this way we can make security a competetive advantage for manufacturers, in the same way that anti-lock brakes and airbags are for cars.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 10:21:59 AM
Re: Compimise your services?
Maybe a few of just that sort of attacks would make the public finally demand that either the agencies charged with protecting us go on the offensive against those using ransomware in a real and meaningful way, or demand that makers of these appliances get serious about secure application development.

Re the former, the concept of offensive security is not talked about much yet outside security circles. What will it take to bring it into the mainstream?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances --subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach. I suspect your use of the words "subtly different" is an understatement!   Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
MartinL923
100%
0%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good a detecting known bad code, and allowing the vast numbers of 'good' software that you could install on a desktop device to run unimpeeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) has been generated from legitimate code operating correctly.

Its a subtly different problem that requires a different approach.
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afernoon, sir, is your house empty now?
cbabcok: Like most things in security its a trade off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make less demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compimise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer would no doubt lead many people to reach for their credit card to pay off their attackers.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.