Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Future Shock: The Internet of Compromised Things
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/24/2014 | 1:13:17 PM
Rise of the Machines
Isn't this exactly why John Conner could not break into HQ and destroy Skynet? It had already distributed itself to every toaster and fridge on the plant!
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 11:22:42 AM
Re: Compimise your services?
Marilyn: The internet of things will happen and it will be awesome. I see there is another article on the business models of IoT by Ido Sarig on Information Week today http://ubm.io/1aPnuye We know how to secure these systems by design, it takes some thought but it is not impossible.  Systems have been succombing to the same attacks again and again since the time of the Trojan wars and the invention of a certain horse. I'd be very happy buying a system that was secure against today's attacks.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 11:01:37 AM
Re: Compimise your services?
That's a great point about the scale of the IoT. It's fun to talk about smart toasters, Google glass and all the gee whiz technology that entrepeneurs are imagining for the future. But security-after-the-fact will be a nightmare. On the other hand, how do you defend against attacks on products that haven't yet been invented? 
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 11:00:03 AM
Re: Compimise your services?
Like we might look for an EnergyStar label! Maybe there should be an independent lab, like Consumer Reports, testing and certifying security in a way consumers can understand.
MartinL923
100%
0%
MartinL923,
User Rank: Apprentice
1/24/2014 | 10:50:06 AM
Re: Compimise your services?
Lorna: I think that by then it will be too late. If we're to secure internet enabled smart-devices we need to ensure that these are secure by design *now*. By the time that such attacks are hitting the headlines, there will already be many thousands of these devices in circulation that we will not be able to secure. We need to raise the profile of security to make sure that buyers are raising the issue with the vendors. In this way we can make security a competetive advantage for manufacturers, in the same way that anti-lock brakes and airbags are for cars.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 10:21:59 AM
Re: Compimise your services?
Maybe a few of just that sort of attacks would make the public finally demand that either the agencies charged with protecting us go on the offensive against those using ransomware in a real and meaningful way, or demand that makers of these appliances get serious about secure application development.

Re the former, the concept of offensive security is not talked about much yet outside security circles. What will it take to bring it into the mainstream?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances --subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach. I suspect your use of the words "subtly different" is an understatement!   Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
MartinL923
100%
0%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good a detecting known bad code, and allowing the vast numbers of 'good' software that you could install on a desktop device to run unimpeeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) has been generated from legitimate code operating correctly.

Its a subtly different problem that requires a different approach.
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afernoon, sir, is your house empty now?
cbabcok: Like most things in security its a trade off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make less demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compimise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer would no doubt lead many people to reach for their credit card to pay off their attackers.
Page 1 / 2   >   >>


How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3331
PUBLISHED: 2021-01-27
WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
CVE-2021-3326
PUBLISHED: 2021-01-27
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-22641
PUBLISHED: 2021-01-27
A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22653
PUBLISHED: 2021-01-27
Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22655
PUBLISHED: 2021-01-27
Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).