Dark Reading is part of the Informa Tech Division of Informa PLC


IoT/Embedded Security

8/14/2017
05:32 PM
Larry Loeb

Looking Back on Security: The Week of August 7, 2017

What do you need to know about what happened in security last week? This article gives you the news.

The upfront: This now-biweekly column is going to focus on security. But the scope is going to be broader than just telling you what the latest ransomware variant does. While that kind of focus is important, the optics of security reporting of late have gotten rather limited. At the same time, the context of security has grown ever wider, expanding from individual computer programs to society-wide effects.

It's all been fueled by the rise of computer networking, you see. Our information now lives on those networks, and once it is there it stays in some form. It can be surveilled by those who are well-connected or those who are savvy enough to find weaknesses in the systems. It can be manipulated by those with a goal.

When there are consumer-facing ads for protection services against "identity threat," even Joe Sixpack has to know that security matters.

I will discuss things in the comments section, if I feel like it. You can follow the notices I generate on Twitter (@larryloeb). Jump aboard, the train is leaving the station.

This week's IoT frack-up
Airbnb has a deal with a door-lock manufacturer (LockState) whose locks work over WiFi. That way, renters can get in without a physical key, using a code that they are given.

LockState tried an over-the-air firmware update and bricked the locks. Oops.

LockState said it would replace those locks in two weeks. Owners were not pleased.

The dynamics of using Internet-connected devices in people-critical situations are just starting to play out. This is a blatant example of one such device causing harm. But Ukraine's power grid was brought down by an attack directly on the device controllers last year. Someone was sending them a message, and not subtly. It didn't take an army marching across a border to do it, either.

Interconnections will bring vulnerabilities in their wake. Having paper copies of critical information stored in an offsite location doesn't seem so paranoid these days.

Kaspersky wants you
Much towel twisting of late has been going on about Kaspersky Lab and how it is related to the Russian government. It seems obvious they have government consent to even operate. But what would the Russians gain from this?


My answer is: information about your computer. One must trust an "anti-virus" program vendor both to protect data and not to exfiltrate it. It seems the US government does not now trust them, for it is trying to remove their products from any government machines.

One might put this down to simple ideological bias, given the current political fog. But Kaspersky did something radically unusual.

They offered the world a free AV product to replace the one they had been charging you for. Free? Really? With all the labor necessary to update the virus definition files for a product of global scale? What will Kaspersky get for that in a free product? Why are they almost desperate to get some product of theirs on your machine?

TANSTAAFL: "There ain't no such thing as a free lunch" as the saying goes.

Kaspersky wants to be on your desktop very badly, and will give you the feel-good without charge, just to be there. Maybe they have a backdoor hiding inside the AV scanner. Maybe they just phone home any interesting files their scanner finds. Maybe they think you're a fool.

Don't buy into this. Don't use it or install it. Friends don't let friends get pwned.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
