Critical Flaws Found in Amazon FreeRTOS IoT Operating System

Link

A researcher has found large flaws in the leading Real-Time Operating System, FreeRTOS. This leaves a large number of Internet of Things devices vulnerable to attack. This affects devices from refrigerators to pacemakers. Last year, Amazon took over project management and upgraded the OS for their own Amazon FreeRTOS IoT operating system. They enhanced the OS for use with their own products in the future.

There are a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack, which affect the Amazon FreeRTOS as well. These issues let hackers do just about anything they want to the target device, from executing their own code to leaking memory information. The technical details of the flaws have not been revealed to the public in order to protect the development of a fix.

-Max Swank

Facebook User Data Stolen In Hack. Facebook Offers No Protection.

In a recent breach of Facebook it is suspected that approximately 29 million users had their data stolen, with the most severely affected being a group of 14 million. The attack is currently being attributed to spammers pretending to be a digital marketing firm. According to Facebook, Data stolen includes: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”. News of the hack first surfaced on October 5th when it was suspected that 50 million users were affected, a number that has since been lowered.

Facebook first shared details of the attack last week, fearing as many as 50m people had been affected

Usually, companies in such a predicament offer access to credit protection agencies and other methods of identity theft prevention like in the case of the 2013 Target breach. However, Facebook declared that it would not be taking such steps, and would instead direct users to help pages where they could learn how to avoid phishing. Experts worry about the potential for smaller scale attacks. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, believes that though no financial data was captured, information gathered could still be used in knowledge based authentication to break into accounts. He believes that the best move for Facebook would be to offer free access to password managers and other similar software to help combat this.

In Europe, the breach is costing Facebook about $1.6 billion, or 4% of its yearly revenue. This case is being recognized as the first major test of the General Data Protection Regulation which was enacted in May.

  • Nicholas Antiochos

Sources:

https://www.businessinsider.com/facebook-thinks-spammers-responsible-hack-stole-info-from-29-million-users-2018-10

https://www.bbc.com/news/technology-45845431?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-correspondent

First Internet of Things Security Laws Set for 2020 in California

California Governor Jerry Brown is the first governor to sign a bill to protect against the very prevalent cyber attacks on Internet of Things (IoT) devices. CNET tells:

The law mandates that any maker of an Internet-connected, or “smart,” device ensure the gadget has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Since this bill is the first of its kind, it is expected that many other states will begin to follow California’s example and implement some sort of protection against IoT attacks. Although the bill requires manufacturers to assign a password to each device, many of the stipulations are non-specific, like many cyber laws. It is hard to be specific in a case like this, as attacks could easily find a loophole not covered within the bill. With a vague bill, it in a way could deter an attacker who knows the law could be translated in a number of ways to point to what he or she might have been doing as illegal.

This need of security was demonstrated most by the WannaCry ransomware attacks that hit hospitals across the nation. Hospitals have been increasingly using devices connected to their networks to aid in caring for patients. The attacks locked up devices that were in use, potentially threatening the lives of patients. An attack like this is more alarming than many ransomware attacks, as it takes the attacker’s morals (or in this case, lack of morals) into account more than other attacks.

The lack of security on IoT devices has desperately needed to be addressed, as over 8.4 billion IoT devices are out in the world on networks with little to no security. The law goes into effect at the beginning of 2020. California’s status as the most populated state in the U.S. is part of the reason the bill was signed into effect and is also the hope for cyber security experts to be influential in persuading others to join in the fight against attacks.

-Chevy Bolay

City of Atlanta Victim of yet Another Cyber Attack

Early on March 22nd, several departments in Atlanta, Georgia were the target for a cyber attack. The attackers launched a ransomware attack, and demanded bitcoins as payment (over $50,000 USD).

Ransomware exampleRansomware attacks are relatively new and became popular in 2017 with the widely feared WannaCry attack. Ransomware typically encrypts some of your files and locks you out of your computer, then demands a ransom to be paid (usually with Bitcoin, an anonymous cryptocurrency).

This attack had a widespread impact as it affected multiple departments in Atlanta. Administrators took down several websites and services while the attack was investigated by the FBI, DHS, Microsoft, and Cisco. While ATL airport was not directly affected, administrators also disabled its Wi-Fi and advised passengers that flight schedules may not be accurate and to verify information with their airline.

As an additional measure, city employees were directed not to turn on any devices in the building until the malware had been contained. Five days later on March 27th the first machines were powered back on. Administrators expect some machines to be infected and that employees will continue to work using other methods if their machines are affected.

Ransomware attacks historically have just been a means of pressuring victims into paying the ransom. Attackers usually are not looking to steal information in the process. In fact, if an attacker did want to steal information, it wouldn’t make much sense to tell the victim that their machine is infected. However, in the case of the Atlanta cyber attack, both employees and the public were advised to monitor their credit cards and bank accounts for any suspicious activity.

The investigation has shown that it doesn’t appear any information has been compromised. While the details of the attack have not been released, Rendition Infosec reported that Atlanta government had been compromised by a previous cyber attack in April 2017. Microsoft had released critical patches over a month before the attack happened, but they were not installed. The attack lasted a little over a week, and statements from the city of Atlanta suggest that they were not aware the attack had happened in the first place. The identity of the attackers still remains unknown.


Jesse Roux

http://amp.wsbtv.com/www.wsbtv.com/news/local/atlanta/fbi-looking-into-citywide-computer-issues-in-atlanta/720045695?tnym

http://amp.wsbtv.com/www.wsbtv.com/www.wsbtv.com/news/local/hartsfield-jackson-takes-down-wi-fi-after-cyber-attack-on-city/720533019

http://searchsecurity.techtarget.com/news/252437715/Five-days-after-Atlanta-ransomware-attack-recovery-begins

https://www.renditioninfosec.com/2018/03/atlanta-government-was-compromised-in-april-2017-well-before-last-weeks-ransomware-attack/

Sanitize your strings, kiddos

Trusting user inputted strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as preparing SQL statements, escaping unknown characters, or just returning an error when coming across unknown text. However, with the rise of the internet and the availability of tools, hackers have gotten smarter at the way they attack inputs.

In the last month of so, Django found this out in their django.utils.text.Truncator class. This class had two methods, chars() and words() which would attempt to clean input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added a html keyword argument to the methods, which would attempt to clean the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression in those functions, malicious users could input complicated HTML that would take a long time to process. This would result in a DoS attack on the web server, and bring down services to other users. Uh-oh.

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and launched a hot fix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing, instead of just blatantly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki