Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Future Shock: The Internet of Compromised Things
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
TerryB
50%
50%
TerryB,
 User Rank: Ninja
1/24/2014 | 1:13:17 PM
Rise of the Machines
Isn't this exactly why John Conner could not break into HQ and destroy Skynet? It had already distributed itself to every toaster and fridge on the plant!
MartinL923
50%
50%
MartinL923,
 User Rank: Apprentice
1/24/2014 | 11:22:42 AM
Re: Compimise your services?
Marilyn: The internet of things will happen and it will be awesome. I see there is another article on the business models of IoT by Ido Sarig on Information Week today http://ubm.io/1aPnuye We know how to secure these systems by design, it takes some thought but it is not impossible.  Systems have been succombing to the same attacks again and again since the time of the Trojan wars and the invention of a certain horse. I'd be very happy buying a system that was secure against today's attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/24/2014 | 11:01:37 AM
Re: Compimise your services?
That's a great point about the scale of the IoT. It's fun to talk about smart toasters, Google glass and all the gee whiz technology that entrepeneurs are imagining for the future. But security-after-the-fact will be a nightmare. On the other hand, how do you defend against attacks on products that haven't yet been invented? 
Lorna Garey
100%
0%
Lorna Garey,
 User Rank: Ninja
1/24/2014 | 11:00:03 AM
Re: Compimise your services?
Like we might look for an EnergyStar label! Maybe there should be an independent lab, like Consumer Reports, testing and certifying security in a way consumers can understand.
MartinL923
100%
0%
MartinL923,
 User Rank: Apprentice
1/24/2014 | 10:50:06 AM
Re: Compimise your services?
Lorna: I think that by then it will be too late. If we're to secure internet enabled smart-devices we need to ensure that these are secure by design *now*. By the time that such attacks are hitting the headlines, there will already be many thousands of these devices in circulation that we will not be able to secure. We need to raise the profile of security to make sure that buyers are raising the issue with the vendors. In this way we can make security a competetive advantage for manufacturers, in the same way that anti-lock brakes and airbags are for cars.
Lorna Garey
50%
50%
Lorna Garey,
 User Rank: Ninja
1/24/2014 | 10:21:59 AM
Re: Compimise your services?
Maybe a few of just that sort of attacks would make the public finally demand that either the agencies charged with protecting us go on the offensive against those using ransomware in a real and meaningful way, or demand that makers of these appliances get serious about secure application development.

Re the former, the concept of offensive security is not talked about much yet outside security circles. What will it take to bring it into the mainstream?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances --subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach. I suspect your use of the words "subtly different" is an understatement!   Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
MartinL923
100%
0%
MartinL923,
 User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good a detecting known bad code, and allowing the vast numbers of 'good' software that you could install on a desktop device to run unimpeeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) has been generated from legitimate code operating correctly.

Its a subtly different problem that requires a different approach.
MartinL923
50%
50%
MartinL923,
 User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afernoon, sir, is your house empty now?
cbabcok: Like most things in security its a trade off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make less demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
50%
50%
MartinL923,
 User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compimise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer would no doubt lead many people to reach for their credit card to pay off their attackers.
Page 1 / 2   >   >>


News
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...