
Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following a series of massive DDoS attacks that leveraged IoT devices using default security settings.

Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released recommendations for how to approach security for the Internet of Things (IoT). Experts said the IoT security guidance from DHS focuses on the basics, while NIST offers more of a "how-to" for businesses.

The DHS IoT security guidance put forth six strategic principles intended to equip IoT developers, manufacturers, service providers and consumers "with tools to comprehensively account for security as they develop, manufacture, implement or use network-connected devices." The DHS recommends: incorporating IoT security in the design phase, pushing security updates, building upon proven security practices, prioritizing higher risk issues, promoting transparency and being deliberate in the use of IoT devices.

Derek Manky, global security strategist at Fortinet, told SearchSecurity that the focus on the basics from the DHS was the best strategy for IoT security guidance.

"There's a lot of groups that should have focused on [the basics], but unfortunately nobody saw the problem until there were millions of devices deployed across the world," Manky said via email. "I think the best option is to focus on the basics right now. There aren't any best practices out there from an IoT perspective -- for security and development alike. The first step is to develop the right framework and then start changing the mindset of the IoT developers."

Art Swift, president of prpl Foundation, said the DHS offered "a good baseline for IoT security practices." 

"While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the Internet of Things," Swift said. "The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations."

Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high impact, but very achievable."

"For example in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."

Manky agreed that the Mirai botnet attack was proof that security from the start is one of the most important issues in IoT security.

"Mirai was shown to have accumulated its great power through something incredibly simple -- trying to log in to devices using their default usernames and passwords. If developers just eliminated default usernames and passwords it would have completely dismantled this botnet before it got off the ground," Manky said. "Security from the start means incorporating things like the Common Weakness Enumeration to evaluate the security posture of your product, where things like hardcoded and default passwords would be fleshed out before they ever make it out the door."
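The point both Utter and Manky make is that "security by default" is a design property, not a patch: a device should not accept any login until its factory credential has been replaced, and it should refuse replacements that are themselves well-known defaults. The following is an added illustration of that design, written for this article; it is not code from DHS, NIST or any of the people quoted. The class name `DeviceAuth`, the deny list `FACTORY_DEFAULTS` and the sample credentials in it are constructed for the example.

```python
"""
Added example of "security by default" for an IoT credential store
(not from the article, DHS or NIST). The device starts unprovisioned,
rejects every login until an operator sets a credential, and refuses
credentials that appear on a (constructed, deliberately short) list of
well-known factory defaults. Passwords are stored only as salted
PBKDF2 hashes. All names here are this example's own.
"""
import hashlib
import hmac
import os

# Constructed sample of widely published factory credentials. A real
# device would either ship a much larger deny list or, better, no
# default at all and a forced credential setup on first boot.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "12345"),
}

MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 200_000


class DeviceAuth:
    """Credential store for one device; begins with no credential set."""

    def __init__(self):
        self._username = None
        self._salt = None
        self._hash = None

    @property
    def provisioned(self):
        """True once an operator has replaced the (absent) factory credential."""
        return self._hash is not None

    def set_credentials(self, username, password):
        """Provision or rotate the credential; raises ValueError on weak input."""
        if (username, password) in FACTORY_DEFAULTS:
            raise ValueError("refusing a known factory-default credential")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LEN)
        salt = os.urandom(16)
        self._username = username
        self._salt = salt
        self._hash = self._derive(password, salt)

    def login(self, username, password):
        """Return True only for the provisioned credential.

        Before provisioning every login fails, so a device that has not yet
        been set up exposes no usable account to a password-guessing bot.
        """
        if not self.provisioned or username != self._username:
            return False
        candidate = self._derive(password, self._salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, self._hash)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def first_boot_demo():
    """Walk through the intended lifecycle and return the login outcomes."""
    auth = DeviceAuth()
    before_setup = auth.login("admin", "admin")          # unprovisioned: False
    try:
        auth.set_credentials("admin", "admin")           # on the deny list
        default_rejected = False
    except ValueError:
        default_rejected = True
    auth.set_credentials("operator", "correct-horse-battery")
    good = auth.login("operator", "correct-horse-battery")
    bad = auth.login("operator", "wrong-password-here")
    return before_setup, default_rejected, good, bad


if __name__ == "__main__":
    print(first_boot_demo())
```

The deny list is the weakest part of this design and is included only to mirror what the quotes describe; the stronger property is the first one, that an unprovisioned device authenticates nobody, so there is no default to guess.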

However, Utter said the DHS IoT security guidance left out more technical details.

"The document seems to have some overtones (ok, strong ones) of recycled ideology. Things like 'patch management' are really not something the IoT has the ability to scale right now," Utter said. "It also has some traditional thinking and assumptions -- like that the IoT is still an 'on network' issue, where we rather think of the IoT as an always connected and always on issue. So the guidance is good, but the vision of how to apply this framework to the reality of IoT falls a bit short."

Manky said "the DHS release explains the what and why, and if you want to take security seriously, the NIST Special Publication gives you a how-to."

According to the new NIST Special Publication 800-160, "Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems."

Swift said "it's time to get the industry at large involved and effecting the change needed to make IoT safer and more secure."

"Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure, but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse engineered as it has been proven time and time again that this 'security by obscurity' approach is broken," Swift said. "By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first and then compete on value-add market differentiators."

Manky praised the two new IoT security guidance documents for promoting the need for more discussion on the topic.

"This needs to be collaborative, and it's not just Silicon Valley they need on board. They need manufacturers of practically every vertical to adopt this mindset, and a surefire way to lose your voice is to demand too much too soon," Manky said. "These are things we've been saying within the tech world for years, but the IoT reaches so many new people. So many things that weren't done over IP are quickly moving that direction. It's the next wave of digitalization, and continual outreach is important."


This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.

Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in Instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.

Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive-level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OS X reversing, diversity in tech, and IoT. More information on Erin can be found by following @SecBarbie on Twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie


DEF CON Announcements!

MR. ROBOT is a rare treat - a network television show whose hacker protagonist is a fully realized character with a realistically attainable set of skills. No hyper-typing, no gibberish masquerading as tech jargon, no McGuffins to magically paper over plot holes with hacker dust. MR. ROBOT takes the tech as seriously as the drama.

One of the main reasons for this verisimilitude is the work of Kor Adana, MR. ROBOT's advisor on all things hackish. His fingerprints are on every terminal window in the show. Another advisor to the show is our very own CJunky - known to the outside world as hacker and raconteur Marc Rogers. Join Dark Tangent for a panel discussion of MR. ROBOT: the phenomenon, the hacks and the crazy ways the show seems to pull its storylines from the future. Bring your questions, and keep an eye out for late-breaking special guests.

Kor Adana’s interest in technology started as a child when he tried to build a red box to get free calls on pay phones. By the time he was in middle school, he was building his own computer systems and getting into trouble. After obtaining a B.S. in IT Network Administration, Kor went on to work in enterprise network security for one of the world’s largest automakers. He performed penetration testing, designed security policies, managed enterprise-wide eDiscovery, and conducted forensics for legal and HR matters. While there, he also worked alongside NASA in a high-profile government investigation. He eventually left the IT world to pursue his true passion, writing for film and television. He’s worked with the producers of THE WALKING DEAD, THE SHIELD, LOST, and DEXTER. He is currently a writer and technical supervisor for USA's Golden Globe Award-winning drama, MR. ROBOT. He also has one of his own projects in development with Universal Cable Productions.

Ryan Kazanciyan is the Chief Security Architect for Tanium and has thirteen years of experience in incident response and forensics, penetration testing, and security architecture. Prior to joining Tanium, Ryan was a technical director and lead investigator at Mandiant, where he worked with dozens of Fortune 500 organizations impacted by targeted attacks.

Ryan has presented security research at dozens of events worldwide, including Black Hat, DEFCON, and RSA. He has led training sessions for hundreds of the FBI's cyber squad agents, and was a contributing author for "Incident Response and Computer Forensics, 3rd Edition", published in 2014.

Andre McGregor is at DEF CON 24 celebrating his one-year anniversary as Tanium’s Director of Security responsible for internal cybersecurity. Prior to joining Tanium, Andre was a fresh-faced new agent with the FBI working cases like the NYC Subway bomber and Times Square car bomb while arresting his share of Italian Organized Crime bosses. His computer engineering background led him to help form FBI New York’s first cyber national security squad focused on computer intrusions from China, Russia, and Iran. Having deployed with NSA Blue Team and DHS US-CERT/ICS-CERT as a technically trained cyber agent, Andre has led numerous large-scale cyber investigations ranging from financial crimes to critical infrastructure protection. In his free time, when he wasn’t sifting through terabytes of NetFlow with SiLK and playing around with Autopsy and IDA, Andre was an FBI firearms instructor, dive team medic, and a volunteer firefighter driving fire trucks. After graduating from Brown University, Andre worked as an engineer at Goldman Sachs and later transitioned to IT Director at Cardinal Health/Advogent. Having shed the badge and gun last year, Andre currently serves as the FBI cyber technical consultant for the TV show Mr. Robot.

Kim Zetter is an award-winning, senior staff reporter at Wired covering cybercrime, privacy, and security. She is writing a book about Stuxnet, a digital weapon that was designed to sabotage Iran's nuclear program.


What if your wireless mouse was an effective attack vector? Research reveals this to be the case for mice from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, and Amazon. Dubbed 'MouseJack', this class of security vulnerabilities allows keystroke injection into non-Bluetooth wireless mice. Imagine you are catching up on some work at the airport, and you reach into your laptop bag to pull out your phone charger. As you glance back at your screen, you see the tail end of an ASCII art progress bar followed by your shell history getting cleared.

Before you realize what has happened, an attacker has already installed malware on your laptop. Or maybe they just exfiltrated a git repository and your SSH keys. In the time it took you to plug in your phone, you got MouseJacked. The attacker is camped out at the other end of the terminal, equipped with a commodity USB radio dongle and a directional patch antenna hidden in a backpack, and boards her plane as soon as the deed is done. The reality of MouseJack is that an attacker can inject keystrokes into your wireless mouse dongle from over 200 meters away, at a rate of up to 7500 keystrokes per minute (one every 8ms).

Most wireless keyboards encrypt the data going between the keyboard and computer in order to deter sniffing, but wireless mouse traffic is generally unencrypted. The result is that wireless mice and keyboards ship with USB dongles that can support both encrypted and unencrypted RF packets. A series of implementation flaws makes it possible for an attacker to inject keystrokes directly into a victim's USB dongle using easily accessible, cheap hardware, in most cases only requiring that the user has a wireless mouse. The majority of affected USB dongles are unpatchable, making it likely that vulnerable computers will be common in the wild for the foreseeable future.

This talk will explain the research process that led to the discovery of these vulnerabilities, covering specific tools and techniques. Results of the research will be detailed, including protocol behavior, packet formats, and technical specifics of each vulnerability. Additional vulnerabilities affecting 14 vendors are currently in disclosure, and will be revealed during this talk.

Marc is a security researcher and software engineer at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams.

Twitter: @marcnewlin


Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23 is another mind-bending, entertaining talk. This time it’s bigger and badder than before.

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions, then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Find out how over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5, or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex-SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics directly apply to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War".

Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government’s systemic weaknesses on financial, societal values and political climates that are leader or country specific to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies and how to use these compromised assets to stage the coup.
• Combine physical and digital techniques and have the best of both worlds to own a country's infrastructure.
• How to manipulate the media using propaganda targeting journalists' flawed multiple "source" rules for a story.
• The grand finale of a cyber regime change on a real country from beginning to end using the above techniques with operational footage. Come to this talk and find out how you too can be your own dictator; benevolent or merciless, that part is up to you.

Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or virtual machines and details can be found on www.siemonster.com

Twitter: @_kustodian_


To improve road safety and driving experiences, autonomous vehicles have emerged recently; they can sense their surroundings and navigate without human input. Although promising and providing safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their ability to sense their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.

Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of the Internet of Things and the Internet of Vehicles. He has reported a security vulnerability in the Tesla Model S, led security research on the remote control of a BYD car, and participated in the drafting of security standards within the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security services, security evaluation, and penetration testing.

Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices.

Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at the University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities in tire pressure monitoring systems in modern automobiles and in automatic meter reading systems. Dr. Xu received the NSF CAREER Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associate editor of the EURASIP Journal on Information Security.


Published on Aug 19, 2016

Take a look at weaknesses in point-of-sale (POS) systems and the foundation of hotel key data and the property management systems that manage the keys. Using a modified MST injection method, Weston will demonstrate several attacks on POS and hotel keys, including brute-forcing other guests’ keys using your own card's information as a starting point, and methods of injecting keystrokes into POS systems just as if you had a keyboard plugged into the system. This includes injecting keystrokes to open the cash drawer and abusing magstripe-based rewards programs that are used in a variety of environments, from retail down to rewards programs in slot machines.

11 years pen-testing, 12 years’ security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE 11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: computer science and geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC and Verizon.
