Skip to content

Bonk Detecting WiFi Mattress

Quote

Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood.

The pair say the risk that regulation could stifle market-making IoT innovation (like the WiFi cheater-detection mattress) is outweighed by the need to stop feeding Shodan.

“National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices, but regulation development faces the challenge of … security-by-design without stifling innovation, and remaining actionable, implementable and binding,” Scott and Spaniel say.

“Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy.

“Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.” …


I have two comments:

To think any agency could actually do this correctly is laughable given complexity and the track record of the gov. Hey they cannot even stop the robo calls from the likes “Card Redemption Services” The trove of treasure, additionally, to be gained from leaks is far too valuable to both gov. and industry to limit it with some solid standard.

But the Wifi Mattress idea may have legs (4 of them at least…) A Wifi enabled mattress — why with the addition of an accelerometer and a gui for to put in your social media credentials – well then your bedroom gymnastics can be posted instantly to your facebook page. A whole new level in selfies! (..or as I to call it the “look at me, look at me mommy” website that dumps all your info in the hungry jaws of advertisers)

My Friend Cayla

…Or is it My Friend Spy Cayla. And what is the difference between this and Google Voice and Siri? Not much.

Quote:

The My Friend Cayla doll has been shown in the past to be hackable

An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla “offers no special risk”.

In a statement sent to the BBC, the TRA also said “there is no reason for alarm”.

The Vivid Toy group, which distributes My Friend Cayla, has previously said that examples of hacking were isolated and carried out by specialists. However, it said the company would take the information on board as it was able to upgrade the app used with the doll.

But experts have warned that the problem has not been fixed.

The Cayla doll can respond to a user’s question by accessing the internet. For example, if a child asks the doll “what is a little horse called?” the doll can reply “it’s called a foal”.
Media captionRory Cellan-Jones sees how Cayla, a talking child’s doll, can be hacked to say any number of offensive things.

A vulnerability in Cayla’s software was first revealed in January 2015.

Complaints have been filed by US and EU consumer groups.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

The Commission is investigating whether such smart dolls breach EU data protection safeguards.

In addition to those concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.

The TRA said “we would always expect parents to supervise their children at least intermittently”.

It said the distributor Vivid had “restated that the toy is perfectly safe to own and use when following the user instructions”.
Privacy laws

Under German law, it is illegal to sell or possess a banned surveillance device. A breach of that law can result in a jail term of up to two years, according to German media reports.

Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state – in Nazi Germany and communist East Germany.

The warning by Germany’s Federal Network Agency came after student Stefan Hessel, from the University of Saarland, raised legal concerns about My Friend Cayla.

Mr Hessel, quoted by the German website Netzpolitik.org, said a bluetooth-enabled device could connect to Cayla’s speaker and microphone system within a radius of 10m (33ft). He said an eavesdropper could even spy on someone playing with the doll “through several walls”.

A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a “concealed transmitting device”, illegal under an article in German telecoms law (in German).

“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he explained.

Manufacturer Genesis Toys has not yet commented on the German warning.

Not so Smart using a Smart TV

As reported Vizio’s Smart TVs spied on you

Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Source here

Well for their offense Vizio was slapped with 2.2million fine. Sounds like a lot, right? Well as a colleague of mine observed, that is 20cents per TV. In other words, it was a great ROI for Vizio and points out how toothless the FTC really is.

So what to do? Turn off all the Smart TV features, boycott Vizio (that said, Samsung and others are just as bad it may appear). Better Yet, unplug the TV from the Internet.

Some sites suggest that Roku and Apple streaming boxes front-ending your TV are better. I am not so sure as I know with the Roku, at least, one needs to reset your ID often to clear the tracking and there does not appear to be a permanent “Kill” switch for this type of spyware crap.

I am toying of building my own set top streaming device using the RasberryPI. If I do so, I will pay pay special attention to the privacy aspects of the embedded software I use and report findings here. Don’t hold your breath, time is at a premium of here.

Anyway – welcome to the iDIoT. The Insecure Dumbed-down Internet of Things

Nick

Ghostery – Bad Design

I am constantly evaluating browser add-ons and recently took a harder look at Ghostery. I notice that settings could not be saved when I closed the browser and then restarted. Why? Well it seems that Ghostery stores these in a cookie.

What a Cookie? Shame Shame Shame. **ALL** browsers should be set to dump cache and all cookies when you close it. Why? It helps greatly to prevent tracking and those targeted adverts among others.

What to use instead? A good and efficient ad-blocker. like uBlock I am also using uBlock Origin which appears to have a wider feature set and extra privacy settings. Both can be downloaded from your favorite browser ad-ons facility. Here are a few: Firefox is here, Chrome (yuk- you are google’s product, but if you insist) is here. Safari – not on their site, but uBlock is here. I cannot find the download for uBlock Origin. Post comment with link if you know it.

Direct uBlock Origin releases are here, but they may not be verify by the browser yet.

Nick

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to press pool report. He was at the Mar-a-Lago resort at the time of making the statement.” Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental to that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence be it email, social media, browsing and shopping.

Privacy and security is an option when in fact it should come first. Imagine if the internet was built from the ground up with privacy and security as the foundation layer? That would mean no web bugs, tracking cookies, targeted advertising, privacy statements like Netflix’s (for example) that say, let me rape you and sell my experience and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft windows that to this day facilitates users running with administrator privileges in everyday use. And the IoT – internet of things that have little if any security. And the mindset of the average consumer the allows Amazon’s Alexa into their home. Completely secure, right? Yeah sure, Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game. (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let a device with 7 microphones listening to every sound in your house connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes with Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Googdroid

QUOTE

This article begs the question: “Why doesn’t google police its store an evaluate apps for potential malware?” So much of the crap on google play is infected with spyware. Oh wait, spyware, that is how google makes money selling your private info others so they can market more to you.

A new strain of Android malware is infecting an estimated 13,000 devices per day.

The Gooligan malware roots Android devices before stealing email addresses and authentication tokens stored on them. The tokens create a means for hackers to access users’ sensitive data from Gmail accounts, security researchers at Check Point Software Technologies warn.

The malicious code creates a money-making sideline for crooks by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), collectively around 74 per cent of Android devices currently in use. Gooligan is installing at least 30,000 apps on breached devices every day, or more than 2 million apps since the malicious campaign began, according to Check Point.

Security researchers at the Israeli firm first encountered Gooligan’s code in the malicious SnapPea app last year. In August, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe. Hundreds of the email addresses compromised by Gooligan are associated with enterprises around the world.

Check Point has passed on its findings on the campaign to Google’s security team. “This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” Shaulov advised.

Russian hackers throw Trump victory party with new spear phishing campaign

Quote

Tied to DNC breach

Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it’s responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets.

Security firm Volexity refers to the group as “the Dukes” based on the malware family being utilized. According to a report by Volexity founder Steven Adair, the group is known for a malware family known as “the Dukes”—also referred to as APT29 or “Cozy Bear.” The Dukes’ primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US.

IoT worm can hack Philips Hue lightbulbs, spread across cities

Quote

Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off.

The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits hardcoded symmetric encryption keys to control devices over Zigbee wireless networks. This allows the malware to compromise a single light globe from up to 400 metres away.

The worm can then spread from a single smart bulb to those nearby thanks to the use of these skeleton keys.

The attack is the handiwork of researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten of the Weizmann Institute of Science, Israel, along with Colin O’Flynn of Dalhousie University, Canada.

It triggered Philips to release a firmware patch for owners of its “Hue” connected bulbs. This is not without some risk as users must first set up the Philips Hue app in order to receive the automatic patches, and do so before attacks take place since the worm can easily override update attempts.

Comment: Why they call these smart devices is beyond me. Not have rock solid security is pure stupidity. Oh wait, we are talking of IoT security.

Trump’s taxing problem: The end of ‘affordable’ iPhones

Quote

In Trump’s view, Apple is emblematic of US manufacturers responsible for killing domestic jobs by buying components made and assembled overseas. The iPad employs chips designed in Britain by ARM, memory from South Korea’s Samsung and Japan’s Toshiba and Elpida Memory, with assembly by Foxconn in Taiwan.

But step back and Trump’s economic nationalism extends beyond the obvious target of Apple – it takes in a broad swath of tech firms large and small from “ordinary” US states and places.

Over in Trump-friendly Texas, Dell employs Samsung’s NAND in its storage devices with Massachusetts-based EMC also employing Sammy’s memory.

Up in the Hillary-Clinton-supporting northwest, Microsoft uses the Foxconn-like Pegatron in Taiwan to build its Surfaces, which also happen to employ Samsung’s SSD.

Technology firms across the US, not just Silicon Valley, are plugged into the global sourcing and integration of components.

The rise of IoT takes this into newer, smaller devices – no longer just the big stuff of enterprise or the shiny stuff in the hands of consumers.

US firms that are part of this global supply chain will pay more in tax.

Trump has proposed to tax goods from US companies made abroad and imported with a 35 per cent levy on goods coming from Mexico. He has also talked of a 15 per cent tax on “outsourcing jobs” and an apparent further 20 per cent tax for all imported goods.

..

It’s therefore reasonable to expect the price of tech to increase domestically in the long term and for the cost to feed in internationally.

There is a “but”, however. Donald Trump himself. Given his propensity for verbal pugilism during the presidential campaign, it’s difficult to know what words were intended simply to score points and grab the sound bite and which was actual policy in the making

Comment
If companies invested a fraction of the amount of the cost to move overseas in training, then the landscape would be far different today. The likes of Apple just accelerate the race to the bottom and hollow out the middle class adding the income disparities that we see today.

Like with a Cloth or something?

Quote

August 2015 Hillary Clinton was asked, “Did you wipe your email server?” and she evasively replied, “Like with a cloth or something?” A year later we found out that “cloth” was BleachBit, a software application that deletes information “so even God can’t read it,” as Congressman Trey Gowdy announced August 2016.

  • After you have smashed your BlackBerry, don’t forget to wipe the fingerprints from your email server with this non-abrasive, soft microfiber Cloth or Something.
  • Thin, foldable size makes it easy to stash the Cloth or Something in burn bags.
  • 6″ x 6″ size quickly wipes even the biggest email servers with thousands of emails.
  • Buy an extra cloth for your VIP (VERY VIP) client.
  • Optionally autographed on the back by Andrew, creator of BleachBit.
  • Printed in the USA!
  • Guaranteed not to prove intent, or you will get a full refund paid when you are released from prison.
  • First-class shipping and handling is a flat rate of $2 per order.
  • Yes, this cloth is real, and you can really buy it.

Don’t wait for a subpoena: Order Now!