Collaborate Disseminate
Verizon’s Data Brief Digest 2017 describes an attack against an unnamed university by attackers who hacked a variety of IoT devices and had them spam network targets and slow them down: Analysis of the university firewall identified over 5,000 devices making hundreds of Domain Name Service (DNS) look-ups every 15 minutes, slowing the institution’s entire network and restricting access to… Continue reading IoT Attack Against a University Network
Lately, I have been collecting IoT security and privacy guidelines. Here’s everything I’ve found: "Internet of Things (IoT) Broadband Internet Technical Advisory Group, Broadband Internet Technical Advisory Group, Nov 2016. "IoT Security Guidance," Open Web Application Security Project (OWASP), May 2016. "Strategic Principles for Securing the Internet of Things (IoT)," US Department of Homeland Security, Nov 2016. "Security," OneM2M Technical… Continue reading Security and Privacy Guidelines for the Internet of Things
Here’s a story about data from a pacemaker being used as evidence in an arson conviction. EDITED TO ADD: Another news article. BoingBoing post. EDITED TO ADD (2/9): Another article…. Continue reading Pacemaker Data Used in Arson Conviction
Attackers held an Austrian hotel network for ransom, demanding $1,800 in bitcoin to unlock the network. Among other things, the locked network wouldn’t allow any of the guests to open their hotel room doors. I expect IoT ransomware to become a major area of crime in the next few years. How long before we see this tactic used against cars?… Continue reading IoT Ransomware against Austrian Hotel
The FDA has issued a report giving medical devices guidance on computer and network security. There’s nothing particularly new or interesting; it reads like standard security advice: write secure software, patch bugs, and so on. Note that these are "non-binding recommendations," so I’m really not sure why they bothered. EDITED TO ADD (1/13): Why they bothered…. Continue reading FDA Recommendations on Medical-Device Cybersecurity
In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene. The particulars of the case are weird. Amazon’s Echo does not constantly record; it only listens for its… Continue reading Law Enforcement Access to IoT Data
In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene. The particulars of the case are weird. Amazon’s Echo does not constantly record; it only listens for its… Continue reading Law Enforcement Access to IoT Data
The FDA has issued a report giving medical devices guidance on computer and network security. There’s nothing particularly new or interesting; it reads like standard security advice: write secure software, patch bugs, and so on. Note that these are "non-binding recommendations," so I’m really not sure why they bothered. EDITED TO ADD (1/13): Why they bothered…. Continue reading FDA Recommendations on Medical-Device Cybersecurity
There’s a concept from computer security known as a class break. It’s a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in Internet-enabled… Continue reading Class Breaks
You can rent a 400,000-computer Murai botnet and DDoS anyone you like. BoingBoing post. Slashdot thread…. Continue reading You, Too, Can Rent the Murai Botnet