IoT Guidelines

ecobee3-iphone-heroThe Obama administration came out and laid down guidelines for security for internet-connected devices. The Department of Homeland Security released its cybersecurity policies, which were separate from the Obama administration guidelines.  The Department of Homeland Security summarized it in 6 main points: Incorporate Security at the Design Phase, Advance Security Updates and Vulnerability Management, Build on Proven Security Practices, Prioritize Security Measures According to Potential Impact, Promote Transparency across IoT, Connect Carefully and Deliberately. This project has mainly been guided by NIST. The policy is being put into place in order to increase public trust in household appliances and devices. FCC commissioners and other higher-ups have said that it is unlikely that the FCC will enact mandatory IoT security standards now. Although, more than likely we will be seeing IoT security standards in the near future. The issue is a bit skewed, because it deals with so many different branches, such as The Office of Management and Budget, The FCC, NIST, and the Department of Homeland Security.

 

Sources:  White House Issues Guidelines for IoT Cybersecurity

Strategic Principles for Securing the Internet of Things 2016

 

The FBI recommends that you cover your webcam.

James Comey, Director of the Federal Bureau of Investigation, recently stated that the public should cover their webcams on their computers due to hackers invading people’s privacy. Hackers hack into computers and use the webcams to watch their unsuspecting victims.

This isn’t brand new news. Hackers have been able to hack into people’s webcams for years, but it has taken years for officials to make a statement on the issue.

Hackers use a program called “Blackshades”. This allows hackers to view documents, photos, and record keystrokes. Some websites have been found to sell webcams of women for as little as $1 per web cam and 100 male web cams for $1.

Mark Zuckerberg, creator of Facebook, advises the usage of a sticky note to block the webcam. If hackers are able to hack into your webcam, they will be unable to see anything.

-Brett Patterson
BRP5088

Dedicated to Jar311

Source: https://www.engadget.com/2016/09/23/the-fbi-recommends-you-cover-your-laptops-webcam-good-reasons/

Rootkit Found on Android Phones

3d-android-logo-wallpaperYou can’t get the new phone because it lights on fire, and now you may have to get rid of your old phone. However, most of you should be safe as this pre-installed rootkit was found on Chinese devices. So here’s what the hack allowed:

Over 3 million phones were found to have the following

The vulnerable mechanism, which is associated with Chinese mobile firm Ragentek   Group, contains a hidden binary — resides as /system/bin/debugs — that runs with root privileges and communicates over unencrypted channels with three hosts.
According to the researchers, this privileged binary not only exposes user-specific information to attackers but also acts as a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices as a privileged user.
According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy. (This is where the most comes from).
So why is this a big deal?
This could allow a remote attacker to extract personal information from an affected device, remotely wiping the whole device, and even make it possible to gain access to other systems on a corporate network and steal sensitive data.
  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

-Nick Walter (njw4227)

Source: http://thehackernews.com/2016/11/hacking-android-smartphone18.html

No, a locked computer cannot be hacked by a Pi 0.

download.jpgSamy Kamkar created a tool called PoisonTap that runs of a Raspberry Pi 0 and the article blows its abilities out of the water before slowly reducing it to nothing. It starts out claiming it can “hack a locked computer” but they soon amend this to include “with a browser open in the background”. They even go so far as to claim it will give attackers access to your router and launch other attacks from that platform.

Supposedly the device can be plugged in, wait a minute, be unplugged and its done. They even go so far as to say you need no knowledge to use it. Problem is it doesn’t give the user simple info or even usable for that matter unless the common person suddenly has software to inspect cookies.

Now on to the actual work it does. The Pi 0 emulates a network device and so the computer will send it the network traffic. It then will hunt down all cookies involved with non HTTPS sites and gather them. That is all it does. So no it does not hack your computer. Most important sites run as HTTPS so most cookies are not in danger.

This is not even remotely an effective attack method. In the article the business security side comes up but the problem is due to it being a work environment most users will not even lock the systems so why not just access the PC directly. Better yet install a physical keylogger so that you can get HTTPS info also. Another problem with it is that it needs a browser open to work, and with a locked PC you would never know until you started looking through the Pi’s files at a later point so to be effective you need to hit many devices. Another problem is best practices in the security field would prevent this from ever happening.

Ending note: a USB rubber ducking would be a better idea as it can do so much more.

Evan Delmolino – edd1717@rit.edu

source: http://motherboard.vice.com/read/this-5-device-can-hack-your-locked-computer-in-one-minute?utm_source=mbtwitter

New Chinese Cyber Law?

China has enacted a new law in which personal information collected or generated must be stored in China. Therefore, any foreign company working in China must have their information stored within China.

Such a policy creates a segregation within the world, in which information stored in China will be separated from the rest of the world. Furthermore, such a concept has an extreme impact on any multinational company doing any sort of work in China. Companies in general, are constantly sharing data across borders, and such a law will inhibit foreign companies from doing online business with China.

If this isn’t enough to make foreign companies second-guess themselves, the law itself is written in vague terms. The law, which states “critical information infrastructure” must be contained within China. However, this leads to extreme interpretation as to what this critical information is.

I believe this enactment of a law is a large step backwards with China and foreign businesses. China already does not like foreign businesses within China, as we see with Facebook and other websites that are, by and large, not allowed within China’s networks.

-Tim Zabel

Source:

http://www.databreachtoday.com/new-chinese-cybersecurity-law-step-backward-a-9518