Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
'MouseJack' Attack Bites Non-Bluetooth Wireless Mice
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
2/25/2016 | 12:55:32 AM
Thought experiment
I'm curious to see when/if there will be a response by states with strong privacy system/data protection laws like Massachusetts amending their regulations to govern behavior not just of companies that actively store resident PII but also vendors that substantially participate in their respective jurisdictions.

Such regulation could have huge ramifications.  The problem, however, is that it would be difficult to enforce without the guidance in crafting the regulations by top InfoSec and data-protection experts.

And, unfortunately, few InfoSec people are also lawyers -- and lawyers are usually the ones drafting these things.
Dr.T
Dr.T,
 User Rank: Ninja
2/24/2016 | 2:24:19 PM
Encryption is not optional
As article mentioned main issue is unscripted communication, solution is easy encrypt it. There should not be any unscripted communication between two devices in this word.
Dr.T
Dr.T,
 User Rank: Ninja
2/24/2016 | 2:23:47 PM
Re: Unencrypted
Additional cost and performance is my guess. There is always cost of decryption when you do encryption.
Dr.T
Dr.T,
 User Rank: Ninja
2/24/2016 | 2:22:04 PM
Re: Unencrypted
One thing I could guess, old legacy devices would not be talk to the new devices if they utilize a new encryption.
Dr.T
Dr.T,
 User Rank: Ninja
2/24/2016 | 2:19:26 PM
Vulnerability vs. attacks
 

We may be taking things too far from time to time. Not all vulnerabilities will be exploited easily. It would be perfect if do not have a vulnerability but not all vulnerabilities will be resulting into attacks.
Kelly Jackson Higgins
Kelly Jackson Higgins,
 User Rank: Strategist
2/23/2016 | 3:10:18 PM
Re: Unencrypted
No one knows for sure why they didn't encrypt here--maybe a shortcut, maybe cost, etc.--but it just goes to show that even the benign things like a wireless mouse can be exploited. 
RyanSepe
RyanSepe,
 User Rank: Ninja
2/23/2016 | 3:05:53 PM
Unencrypted
Is there any justifiable reason as to why any communication/data transmission should be unecrypted nowadays?
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
2/23/2016 | 10:10:06 AM
Re: Broken Link
Thanks for letting us know. Link is working now!
dritchie
dritchie,
 User Rank: Strategist
2/23/2016 | 9:46:15 AM
Broken Link
Link to "list of Vendors" is broken (https://www.darkreading.com/admin http://www.mousejack.com).

Trying to use just the www.mousejack.com sends to a Login Page with no ability to register or anything.

 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.