Comments
Future Shock: The Internet of Compromised Things
TerryB
User Rank: Ninja
1/24/2014 | 1:13:17 PM
Rise of the Machines
Isn't this exactly why John Connor could not break into HQ and destroy Skynet? It had already distributed itself to every toaster and fridge on the planet!
MartinL923
User Rank: Apprentice
1/24/2014 | 11:22:42 AM
Re: Compromise your services?
Marilyn: The internet of things will happen and it will be awesome. I see there is another article on the business models of IoT by Ido Sarig on Information Week today (http://ubm.io/1aPnuye). We know how to secure these systems by design; it takes some thought but it is not impossible. Systems have been succumbing to the same attacks again and again since the time of the Trojan wars and the invention of a certain horse. I'd be very happy buying a system that was secure against today's attacks.
Marilyn Cohodas
User Rank: Strategist
1/24/2014 | 11:01:37 AM
Re: Compromise your services?
That's a great point about the scale of the IoT. It's fun to talk about smart toasters, Google Glass and all the gee-whiz technology that entrepreneurs are imagining for the future. But security-after-the-fact will be a nightmare. On the other hand, how do you defend against attacks on products that haven't yet been invented?
Lorna Garey
User Rank: Ninja
1/24/2014 | 11:00:03 AM
Re: Compromise your services?
Like we might look for an Energy Star label! Maybe there should be an independent lab, like Consumer Reports, testing and certifying security in a way consumers can understand.
MartinL923
User Rank: Apprentice
1/24/2014 | 10:50:06 AM
Re: Compromise your services?
Lorna: I think that by then it will be too late. If we're to secure internet-enabled smart devices we need to ensure that these are secure by design *now*. By the time that such attacks are hitting the headlines, there will already be many thousands of these devices in circulation that we will not be able to secure. We need to raise the profile of security to make sure that buyers are raising the issue with the vendors. In this way we can make security a competitive advantage for manufacturers, in the same way that anti-lock brakes and airbags are for cars.
Lorna Garey
User Rank: Ninja
1/24/2014 | 10:21:59 AM
Re: Compromise your services?
Maybe a few of just that sort of attack would make the public finally demand that either the agencies charged with protecting us go on the offensive against those using ransomware in a real and meaningful way, or demand that makers of these appliances get serious about secure application development.

Re the former, the concept of offensive security is not talked about much yet outside security circles. What will it take to bring it into the mainstream?
Marilyn Cohodas
User Rank: Strategist
1/24/2014 | 8:16:35 AM
Re: Dangerous appliances -- subtly different problem that requires a different approach.
Martin, I think you hit the nail on the head when you describe the security issues related to the IoT as a "subtly different problem that requires a different approach." I suspect your use of the words "subtly different" is an understatement! Thanks for raising the issues about the brave new world (let alone toaster) that we are entering, and also your very thoughtful comments.
MartinL923
User Rank: Apprentice
1/24/2014 | 5:44:36 AM
Re: Dangerous appliances
Shane: I think a slightly different approach is needed to detect malicious code running within embedded devices. Anti-virus is very good at detecting known bad code, and at allowing the vast amount of 'good' software that you could install on a desktop device to run unimpeded.

An embedded device should only ever run one programme and contain no other software apart from updates. So we would need to establish that only authorised software can run on the device, and that any instructions received by the processor (or any sensors or actuators) have been generated from legitimate code operating correctly.

It's a subtly different problem that requires a different approach.
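The comment above asks how a device could establish that only authorised software runs on it. As an added illustration (not the commenter's code, nor any vendor's), the Go sketch below shows the boot-time check an embedded device can perform: a firmware image is accepted only if its ed25519 signature verifies against a pinned vendor public key and its version is not older than a stored minimum, so both tampered images and rollbacks to old, vulnerable builds are refused. The image layout, the helper names and the version numbers are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed layout: "FWIM" magic, 4-byte big-endian version, payload, then a 64-byte ed25519 signature over the rest.
const magic = "FWIM"

// newVendorKey makes a demo signing key; a real vendor keeps the private half off-device (e.g. in an HSM).
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if the system RNG fails
	return pub, priv
}

// buildImage is the build-time step: sign header and payload with the vendor key.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 8, 8+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyImage is the boot-time check: only an image signed by the pinned vendor
// key and not older than the stored minimum version is allowed to run.
func verifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 8+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, fmt.Errorf("firmware rejected: malformed header")
	}
	n := len(img) - ed25519.SignatureSize
	if !ed25519.Verify(pub, img[:n], img[n:]) {
		return 0, nil, fmt.Errorf("firmware rejected: bad signature")
	}
	ver := binary.BigEndian.Uint32(img[4:8])
	if ver < minVersion {
		return 0, nil, fmt.Errorf("firmware rejected: rollback to version %d", ver)
	}
	return ver, img[8:n], nil
}

func main() {
	pub, priv := newVendorKey()
	img := buildImage(priv, 3, []byte("thermostat control loop v3"))
	_, _, err := verifyImage(pub, 2, img)
	fmt.Println("genuine image:", err) // <nil>
	img[10] ^= 1 // flip one payload bit; the signature no longer matches
	_, _, err = verifyImage(pub, 2, img)
	fmt.Println("tampered image:", err)
}
```

The same check applies to update packages: a device that only boots images passing verifyImage cannot be made to run code the vendor never signed, whatever arrives over the network.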
MartinL923
User Rank: Apprentice
1/24/2014 | 5:33:39 AM
Re: Hacker: Good afternoon, sir, is your house empty now?
cbabcok: Like most things in security, it's a trade-off. I don't doubt that there will be many advantages to the Internet of Things. Anything that can help us better manage our limited resources, allow us to do more with less, or even just make fewer demands on my free time has to be a good thing. Nevertheless, there will be risks. If we can prepare for those risks now and think about how we can manage them, then we can maximise our benefits while minimising any downsides.
MartinL923
User Rank: Apprentice
1/24/2014 | 4:58:00 AM
Re: Compromise your services?
seppleyt5j01: Exactly, I see this as the biggest risk. We've already seen attackers seeking to distract security teams within the financial services industry by launching a denial of service attack just before attempting to compromise high-value systems. Taking malicious control of environmental control systems would be a very effective mechanism of causing disruption to a security team or business.

I hadn't thought of a ransomware-style attack on environmental control, but a lack of heating at this time of year, or the a/c set to full heat in the middle of summer, would no doubt lead many people to reach for their credit card to pay off their attackers.