As the recent attack on Brian Krebs shows, the Internet of Things is seriously vulnerable to hijack. What makes that even more concerning is that even when owners of IoT devices want to update them, it may not be possible, and it is seldom easy. Until that changes, botnets of IoT devices are going to be used more and more to silence voices on the net.
Brian Krebs writes one of the best security blogs out there. He frequently names the bad guys behind attacks and data theft. Recently he published a series of articles on a company that does DDOS (Distributed Denial Of Service) attacks for profit. Two weeks after the first article appeared he reported a massive and sustained DDOS attack on his site. At its peak it reached over 620 gigabits per second, by far the largest such attack ever seen.
The attackers were able to mount such a large attack by harnessing the so-called Internet of Things (IoT) devices. Many of these have buggy software and few are ever patched by their manufacturers. Given their great numbers and easy compromise it’s possible to create an online army bigger than anyone could before. And it’s likely that army will be used to silence voices on the Internet more and more in the future. We jabber on and on about free speech on the net but unless we take steps to defend it we won’t have it much longer.
The C programming language has been around since the 1970s and it’s been used to create an incredible amount of software. It’s guaranteed to be part of the software you’re using to view this, regardless of what you’re using to view it with. But C has some serious drawbacks in that it’s incredibly easy to make serious mistakes that don’t seem obvious until the software is running (and possibly not even all the time).
But there are follow-on languages that build on C but add features that make some of these errors obvious. Microsoft has one called C# and it’s available for Windows developers to use as part of their Visual Studio developer environment. But lots of programmers, especially those working on open source, are still using regular old C. Recently, Microsoft Research developed Checked C which adds many of the features of C# into C without significantly changing how programmers work or requiring older code to be rewritten. They’ve released it as an open source project for use on Windows and Linux systems and welcome fixes and improvements.
In case you wonder why this is a big deal you need to know that much of the software running on the Internet is programmed in C and many of the security vulnerabilities that have been found and exploited arose from the kind of mistakes that C overlooks. Widespread use of something like Checked C could make a significant improvement in security for everyone.
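To make the kind of mistake C overlooks concrete, here is an added plain-C example (not from this post or from the Checked C project): a pointer-plus-length routine that has to trust its caller, beside a hand-rolled span type that carries its own bounds and refuses out-of-range access. That pairing of pointer and bounds is what a Checked C declaration such as `_Array_ptr<int> p : count(n)` expresses in the type, so the compiler can generate the checks rather than the programmer remembering them.

```c
#include <stdbool.h>
#include <stddef.h>

/* Plain C: the pointer carries no length, so the callee has to trust n.
 * A caller that passes an n larger than the array it really owns makes
 * this loop read past the end, and neither compiler nor runtime objects. */
int sum_unchecked(const int *p, size_t n) {
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += p[i];
    return total;
}

/* A "fat pointer": base and length travel together. This is the idea a
 * Checked C declaration like `_Array_ptr<int> p : count(n)` expresses in
 * the type itself, so the compiler can insert the checks below for you. */
typedef struct {
    int *base;
    size_t count;
} int_span;

int_span span_make(int *base, size_t count) {
    int_span s = { base, count };
    return s;
}

/* Narrow a span to [off, off+len); the result can never exceed the parent. */
bool span_slice(int_span parent, size_t off, size_t len, int_span *out) {
    if (off > parent.count || len > parent.count - off)
        return false;                 /* error is explicit, not silent */
    out->base = parent.base + off;
    out->count = len;
    return true;
}

/* Every element access is checked against the span's own bounds. */
bool span_get(int_span s, size_t i, int *out) {
    if (i >= s.count)
        return false;
    *out = s.base[i];
    return true;
}

/* Summing through the span uses its own length, so it cannot overrun. */
int span_sum(int_span s) {
    int total = 0;
    for (size_t i = 0; i < s.count; i++)
        total += s.base[i];
    return total;
}
```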
Talk about attack surface: CERN has to keep tabs on around 40,000 bring-your-own-devices from professors, technicians, and other workers; academics and engineers also connect to systems remotely. The organization’s two main data centres in Switzerland and Hungary have around 100,000 hard-drives and 13,000 servers in total.
Then there’s the LHC’s computing grid, spread across North America, Europe, and Asia, which reprocesses data generated by the experiments. Control systems for equipment need to be secure as well, and CERN hosts around 10,000 websites.
Nissan Leaf electric cars allow you to control some of their features via a smartphone app. Unfortunately, this also allows attackers to control the heat and air conditioning. The attack isn’t very sophisticated and doesn’t even require the app, just a carefully constructed file sent by a web browser. Nissan is aware of the issue but no fix is yet available.
Internet connectivity for cars is becoming more common yet most automobile manufacturers have never had to deal with security until now. It’s a much different environment than the closed off embedded engine control systems they’re familiar with and they need to come up to speed faster than they seem to be so far.
It’s bad enough Frontier tries to pass off 7 Mbps DSL as “high speed Internet”, but their e-mail password resets are conducted over chat with a customer rep. If that sounds like a bad idea, rest assured it is.
Two hackers have found a vulnerability that allows them to completely control a Jeep Cherokee while it’s traveling on the road. And when I say completely, I mean not just the radio, the AC and the wipers but also the steering, brakes and transmission.
It’s because the internal control network for the vehicle is connected to the same network as the entertainment system and they’re both connected to the cellular network. And Jeep isn’t alone in this; other “connected cars” may also be vulnerable.
Fiat Chrysler, which makes Jeep, issued a patch on July 16th that must be manually installed. Other manufacturers are also slowly awakening to the need to pay attention to security in their vehicles. As I always say, if you can get access anyone can get access. That applies to your computer, your home and (now) your car.
More cybersecurity bad news. A serious defect in iOS and Mac OS X can lead to password theft by exploiting resource sharing between apps. It was originally reported to Apple six months ago and the researchers decided to go public after Apple remained silent. Fixing this will require major changes to the operating system and the App Store infrastructure, so don’t expect a fix to be quick or simple.
In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.