Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Future Shock: The Internet of Compromised Things
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
TerryB
TerryB,
User Rank: Ninja
1/24/2014 | 1:13:17 PM
Rise of the Machines
Isn't this exactly why John Conner could not break into HQ and destroy Skynet? It had already distributed itself to every toaster and fridge on the plant!
MartinL923
MartinL923,
User Rank: Apprentice
1/24/2014 | 11:22:42 AM
Re: Compimise your services?
Marilyn: The internet of things will happen and it will be awesome. I see there is another article on the business models of IoT by Ido Sarig on Information Week today http://ubm.io/1aPnuye We know how to secure these systems by design, it takes some thought but it is not impossible.  Systems have been succombing to the same attacks again and again since the time of the Trojan wars and the invention of a certain horse. I'd be very happy buying a system that was secure against today's attacks.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 11:01:37 AM
Re: Compimise your services?
That's a great point about the scale of the IoT. It's fun to talk about smart toasters, Google glass and all the gee whiz technology that entrepeneurs are imagining for the future. But security-after-the-fact will be a nightmare. On the other hand, how do you defend against attacks on products that haven't yet been invented? 
Lorna Garey
Lorna Garey,
User Rank: Ninja
1/24/2014 | 11:00:03 AM
Re: Compimise your services?
Like we might look for an EnergyStar label! Maybe there should be an independent lab, like Consumer Reports, testing and certifying security in a way consumers can understand.
MartinL923
MartinL923,
User Rank: Apprentice
1/24/2014 | 10:50:06 AM
Re: Compimise your services?
Lorna: I think that by then it will be too late. If we're to secure internet enabled smart-devices we need to ensure that these are secure by design *now*. By the time that such attacks are hitting the headlines, there will already be many thousands of these devices in circulation that we will not be able to secure. We need to raise the profile of security to make sure that buyers are raising the issue with the vendors. In this way we can make security a competetive advantage for manufacturers, in the same way that anti-lock brakes and airbags are for cars.
Lorna Garey
Lorna Garey,
User Rank: Ninja
1/24/2014 | 10:21:59 AM
Re: Compimise your services?
Maybe a few of just that sort of attacks would make the public finally demand that either the agencies charged with protecting us go on the offensive against those using ransomware in a real and meaningful way, or demand that makers of these appliances get serious about secure application development.

Re the former, the concept of offensive security is not talked about much yet outside security circles. What will it take to bring it into the mainstream?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances --subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach. I suspect your use of the words "subtly different" is an understatement!   Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
MartinL923
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good a detecting known bad code, and allowing the vast numbers of 'good' software that you could install on a desktop device to run unimpeeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) has been generated from legitimate code operating correctly.

Its a subtly different problem that requires a different approach.
MartinL923
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afernoon, sir, is your house empty now?
cbabcok: Like most things in security its a trade off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make less demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
MartinL923,
User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compimise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer would no doubt lead many people to reach for their credit card to pay off their attackers.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31884
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has an Improper Access Control vulnerability which allows a low privilege user to delete other users API Keys including high privilege and the Administrator users API Keys.
CVE-2022-31887
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization, this means that the user can also escalate achieve Privilege Escalation by changing the administrator password.
CVE-2020-19896
PUBLISHED: 2022-06-28
File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.
CVE-2020-19897
PUBLISHED: 2022-06-28
A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.
CVE-2021-41559
PUBLISHED: 2022-06-28
Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.