IoT This Week
Consuming and curating the latest news for you.
April 12, 2018

This issue includes: Hardware hacking, IIoT, SMB for payload downloads, credit card chip swaparoo, Amazon R&D, SpaceX and much more...
router-3

IoT

Embedi released a write up on IoT vulnerabilities as they relate to the OWASP IoT Top Ten. They analyzed many different devices and it's no surprise that IoT still has a long way to go when it comes to security.

If you are in to hacking hardware, here is a nice write up on making a $30 IoT camera do more than it was originally intended to; working RTSP for video, ssh server, ftp server, remote audio playback and recording, etc.

Several pipeline companies had their data systems blacked out through attacks on a third party system which they use for interactions with customers. The attacks don't appear to have impacted their SCADA systems, however it did affect some of their capacity to conduct business.

Two security issues were identified in industrial automation devices from Moxa. In the first issue, an attacker could send commands to a device's operating system by using commands as a username in the login attempt. The second issue involved the ability to retrieve the private key for the web server via an HTTP GET request.

A variant of the Mirai botnet is being used to conduct DDoS attacks against the financial sector. The attack is using at least 13,000 IoT devices and generating up to 30 Gbps of network traffic.

Microsoft is placing a $5 billion bet on the Internet of Things over the next four years.

Comcast apparently wants to take over the smart home market. They have begun integrating smart home technology into their set top boxes and they also acquired Stringify last year. Given the degree to which people dislike Comcast, this doesn't seem likely to happen.

Cloudflare is offering an IoT protection service called Orbit. The service can create a secure and authenticated connection between the IoT device and the origin server for secure updates and can also deploy virtual patches to help protect IoT devices.
document

InfoSec

Attackers are using the SMB protocol to download payloads from the internet because it isn't flagged by many IPS systems. Probably a good way to utilize all of those vulnerable SMB servers exposed to the internet.

The Canadian government is looking to implement their own right to be forgotten legislation.

Homeland Security wants to compile a database of journalist and bloggers. Anytime the government wants to create a database of something like this, it will almost always be abused in some fashion.

The Secret Service is warning about a new credit card fraud technique where criminals intercept newly issued credit cards before they reach the recipient and replace the inactive chip with an old or invalid chip. Once the recipient receives the card and activates it the chip that is now in the hands of criminals is activated allowing them to use the card while the recipient's card does not work. That's just plain mean.

Possession of ransomware is now illegal in Michigan. Once more, well intended state legislation will likely have a negative effect on security research.

Delta and Sears breaches are being blamed on a malware attack against a third-party service used by both. Unfortunately I think third parties will be the avenue of many breaches given all the data sharing occurring and that it's impossible for companies to verify the security of every third party they deal with.
editor

Tech

A federal court in Texas ruled that Apply must pay a patent troll $500 million. Fortunately there are ongoing hearings where the patents in question have been deemed invalid. A lot of time would be saved if the patent office would spend more time up front validating pending patents instead of just rubber stamping them and dealing with the fallout later.

Oregon became the second state to pass a Net Neutrality law.

Amazon spent almost $23 billion on research and development in 2017 compared with Google at $16.6 billion and Microsoft at $12.3 billion.

Bots on Twitter share two-thirds of links to popular websites according to Pew Research Center.

SpaceX is prohibited from broadcasting from space due to an old law directed at espionage I would suspect. Oddly, this is something NOAA (National Oceanic and Atmospheric Administration) oversees. Three cheers for government bureaucracy at work.

Apple is cutting production of the HomePod due to less than expected sales. I don't know, maybe make sure the voice assistant which is an integral part of the speaker isn't dumb.

If you're into Sci-fi shows...


The Expanse is back for a third season on Syfy. It's been an outstanding show so far. Normally "outstanding" and "Syfy" don't go together but in this case they do.

Also, Lost In Space starts Friday on Netflix. Initial reviews have been positive I think but we'll see.

If you're into hardware hacking...

Check out Hackaday.com.

Interesting project: Cracking a bluetooth credit card

Get Involved!


OWASP IoT Project 2018 is revving up with our #iot-security channel meetups and working on revamped Top Ten lists.
twitter linkedin email
MailPoet