Another week of vast information consumption: headlines, breach reports, security bulletins and client concerns. You are learning every day in the security consulting business, or you are left behind quickly. Unless you stay on top of the failures of others, you cannot learn from their mistakes and hopefully avoid them in the future. That’s the goal anyway.
Post-election rhetoric calmed down a great deal and I could focus on more applicable stories. This week was all over the board on the topics I found interesting.
Week Ending 11/18/16
US lawmakers balk at call for IoT security regulations
I put this one in here this week only because I was on a webinar the day before where Mr. Schneier gave the keynote and talked about his upcoming testimony. I want to say I am surprised at the hard pushback from the lawmakers, but then again I am not. US lawmakers are lawyers, accountants, business people and maybe some technologists scattered around, but none of them are security experts.
IoT is out of control and reaching a point of no return. Unlike software, which can be uninstalled, patched fairly easily, or blocked, IoT devices are for the most part disconnected from any kind of central control. The software is slapped onto low-powered devices that do very specific things but are not secured in a way that prevents them from being used maliciously. The recent DDoS attacks used vulnerable IoT devices, light bulbs, baby monitor cameras, and other WiFi/Internet-enabled devices as a collective computer all turned against a target. This is a serious problem.
The industry has no self-control and is driven by getting a device out first with the best features, with little to no consideration for security. As much as I hate government interference, the time has come for an IoT certification.
The lawmakers’ argument that most IoT devices are made outside the U.S. is valid, but I would counter that so are all the TVs, DVD players, etc… and all of those have to abide by FCC regulations to be sold here. IoT security compliance wouldn’t be that hard to enforce.
700 Million Android Devices Have Backdoor Sending Data To China
Open source operating systems can lead to things being sneaked in that aren’t easily detected. Like a backdoor sending all your SMS messages, location, phone calls, contact lists and other data to a secret server in China.
That’s what security researchers at Kryptowire discovered. Every 72 hours the phones send data to a company called AdUps. The commands discovered send SMS texts, call logs, PII (every 24 hours), IMSI and IMEI identifiers, geolocation, and a list of installed apps. The backdoor can also install apps without the user’s knowledge, remove apps, update the phone’s firmware or re-program the phone, and execute remote commands.
This is not a security flaw but appears to be 100% intentional. Whether it is for marketing or government surveillance purposes doesn’t matter; this is scary.
Microsoft Joins The Linux Foundation
What!?! Microsoft did what now?
Flashback to 2001: Steve Ballmer called Linux a cancer. It contaminates all other software with Hippie GPL rubbish.
Fifteen years later, Ballmer is no longer with Microsoft, and the company has joined the Linux Foundation as a high-paying Platinum member.
This is a good move for Microsoft. I think they have finally begun to realize the world is no longer run solely on Windows. The Cloud revolution has pushed Microsoft to give up its hopes of being a one-stop shop for computing and get back to what they do best: software. However, not just software for Windows but for all platforms.
I never would have thought to see SQL on anything other than Windows, but when large customers moved off Windows to stay viable, the market told them what to do. This is the next step.
Microsoft Visual Studio Launches on Mac
Continuing on from the previous article, Microsoft is on a roll.
Visual Studio on a Mac.
British National Health Service (NHS) Email Implodes From Reply-All Storm
I’ll end this post with one I find hilarious. It’s funny because I have been here, although not at this scale. Mine was about 100,000 people and the email had an attachment. The result was the same: email was down for the day until it calmed down.
An internal email that seemed to be a test was sent to 1.2 million NHS employees. The first problem: the email didn’t use BCC. Normally that’s not a big deal, except when people habitually and stupidly use Reply-All when they really intended to reply to the sender only.
So when the Reply-All came in, all 1.2 million people got it. Everyone needed to chime in, so the domino effect started and kept going, and people chimed in with Reply-All to tell people to stop using Reply-All. Then someone used Reply-All to say ‘OK’. Then someone else did a Reply-All to scream back ‘STOP IT’. Then you got the ‘Why am I getting this?’.
The bouncing of millions of emails through the internal email systems brought them to their knees. So simple, yet so damaging.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.