IoT/Embedded Security

8/14/2017
05:32 PM
Larry Loeb

Looking Back on Security: The Week of August 7, 2017

What do you need to know about what happened in security last week? This article gives you the news.

The upfront: This now-biweekly column is going to focus on security, but its scope will go beyond telling you what the latest ransomware variant does. That kind of coverage matters, but the lens of security reporting has lately narrowed, while the context of security has grown ever wider, from individual computer programs to effects that ripple through society.

It's all been fueled by the rise of computer networking, you see. Our information now lives on those networks, and once it is there it stays in some form. It can be surveilled by those who are well-connected or those who are savvy enough to find weaknesses in the systems. It can be manipulated by those with a goal.

When there are consumer-facing ads for protection services against "identity threat," even Joe Sixpack has to know that security matters.

I will discuss things in the comments section, if I feel like it. You can follow the notices I generate on Twitter (@larryloeb). Jump aboard, the train is leaving the station.

This week's IoT frack-up
Airbnb has a deal with LockState, a maker of Wi-Fi-connected door locks, so that renters can get in without a physical key, using a code they are given.

LockState pushed an over-the-air firmware update and bricked the locks. Oops.

They said they would replace those locks within two weeks. Owners were not pleased.

The dynamics of using Internet-connected devices in people-critical situations are only beginning to play out. This is a blatant example of one such device causing harm, but it is far from the worst case: Ukraine's power grid was brought down last year by an attack aimed directly at the device controllers. Someone was sending a message, and not subtly. It didn't take an army marching across a border to do it, either.

Interconnection brings vulnerabilities in its wake. Keeping paper copies of critical information in an offsite location doesn't seem so paranoid these days.
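The LockState incident above is, at bottom, a firmware-update pipeline with too few gates. What follows is an added example, not LockState's code and not anything the column describes: a minimal Python model of the checks an over-the-air updater on a lock should enforce before and after flashing. It authenticates the image before trusting any header field, verifies integrity, refuses an image built for a different hardware model, refuses downgrades, and stages the new firmware into a spare slot so that a failed boot rolls back to the known-good one. The image layout, the model IDs, the HMAC-based tag (standing in for a real asymmetric signature) and the `Lock` class are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed image layout for this example (an assumption, not LockState's
# real format): header, SHA-256 of the payload, HMAC tag over header+digest,
# then the payload itself. A shipping product would use an asymmetric
# signature (e.g. Ed25519) so the device holds no signing secret; HMAC is
# used here only because it is in the standard library.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sHII")   # magic, model_id, version, payload_len
DIGEST_LEN = 32
TAG_LEN = 32


def build_image(key: bytes, model_id: int, version: int, payload: bytes) -> bytes:
    """Vendor side: wrap a firmware payload with model/version metadata and a tag."""
    header = HEADER.pack(MAGIC, model_id, version, len(payload))
    digest = hashlib.sha256(payload).digest()
    tag = hmac.new(key, header + digest, hashlib.sha256).digest()
    return header + digest + tag + payload


class UpdateRejected(Exception):
    pass


def validate_image(key: bytes, image: bytes, device_model: int, current_version: int):
    """Device side: refuse anything that is not authentic, intact, built for this
    hardware model, and newer than what is running. Returns (version, payload)."""
    meta_len = HEADER.size + DIGEST_LEN + TAG_LEN
    if len(image) < meta_len:
        raise UpdateRejected("truncated image")
    header = image[:HEADER.size]
    digest = image[HEADER.size:HEADER.size + DIGEST_LEN]
    tag = image[HEADER.size + DIGEST_LEN:meta_len]
    payload = image[meta_len:]
    # Authenticate before trusting a single header field.
    expected = hmac.new(key, header + digest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise UpdateRejected("bad signature")
    magic, model_id, version, payload_len = HEADER.unpack(header)
    if magic != MAGIC:
        raise UpdateRejected("not a firmware image")
    if payload_len != len(payload) or hashlib.sha256(payload).digest() != digest:
        raise UpdateRejected("payload corrupt or truncated")
    # The model check is what stops a perfectly valid image for one lock model
    # from being flashed onto a different one.
    if model_id != device_model:
        raise UpdateRejected(f"image is for model {model_id:#06x}, device is {device_model:#06x}")
    if version <= current_version:
        raise UpdateRejected("version is not newer than running firmware")
    return version, payload


class Lock:
    """A/B-slot device: the new image goes into the spare slot and only becomes
    active once it has booted and confirmed itself; otherwise the device falls
    back to the previous, known-good slot instead of staying bricked."""

    def __init__(self, model: int, key: bytes, version: int = 1):
        self.model = model
        self.key = key
        self.slots = {"A": (version, b"factory firmware"), "B": None}
        self.active = "A"
        self.pending = None

    @property
    def version(self) -> int:
        return self.slots[self.active][0]

    def apply_update(self, image: bytes) -> str:
        try:
            version, payload = validate_image(self.key, image, self.model, self.version)
        except UpdateRejected as e:
            return f"rejected: {e}"
        spare = "B" if self.active == "A" else "A"
        self.slots[spare] = (version, payload)
        self.pending = spare
        return "staged"

    def reboot(self, new_firmware_confirmed_ok: bool) -> int:
        """Simulate the post-update boot. Returns the running version afterwards."""
        if self.pending is not None:
            if new_firmware_confirmed_ok:
                self.active = self.pending
            else:
                self.slots[self.pending] = None   # roll back; the old slot stays active
            self.pending = None
        return self.version


if __name__ == "__main__":
    key = b"constructed-demo-key"
    lock = Lock(model=0x6000, key=key)
    wrong_model = build_image(key, 0x6001, 2, b"firmware for a different lock")
    good = build_image(key, 0x6000, 2, b"new lock firmware")
    print(lock.apply_update(wrong_model))
    print(lock.apply_update(good), "-> running v%d after failed boot" % lock.reboot(False))
    print(lock.apply_update(good), "-> running v%d after good boot" % lock.reboot(True))
```

The order of checks matters: the tag is verified before any header field is parsed, so a corrupted or attacker-supplied model or version field is never acted upon, and the model check runs on the device rather than relying on the vendor's distribution server to route the right image to the right hardware.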

Kaspersky wants you
Much hand-wringing of late has been going on about Kaspersky Lab and how it is related to the Russian government. It seems obvious the company has government consent to even operate. But what would the Russians gain from this?

My answer is: information about your computer. One must trust an "anti-virus" vendor both to protect data and not to exfiltrate it. It seems the US government no longer trusts them, for it is trying to remove their products from government machines.

One might put this down to simple ideological bias, given the current political fog. But Kaspersky did something radically unusual.

They offered the world a free version of the AV product they had been charging you for. Free? Really? With all the labor needed to keep the virus definition files updated for a product of global scale? What does Kaspersky get out of a free product? Why are they almost desperate to get some product of theirs onto your machine?

TANSTAAFL: "There ain't no such thing as a free lunch" as the saying goes.

Kaspersky wants to be on your desktop very badly, and will give you the feel-good protection without charge just to be there. Maybe there is a backdoor hiding inside the AV scanner. Maybe they just phone home any interesting files the scanner finds. Maybe they think you're a fool.

Don't buy into this. Don't use it or install it. Friends don't let friends get pwned.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
