The Debate Over How to Encrypt the Internet of Things

WIRED Threat Level

So-called lightweight encryption has its place. But some researchers argue that more manufacturers should stick with proven methods.

Weak Encryption Leaves Mobile Health App at Risk for Hacking

Data Breach Today

DHS, Philips Issue Advisories for HealthSuite Android Health App The lack of strong encryption in Philips' HealthSuite Health Android app leaves the mobile health software vulnerable to hacking, according to a new advisory issued by the medical device manufacturer and an alert from the Department of Homeland Security.


Kali Project Encryption and Isolation Using Vagrant and BitLocker

Perficient Data & Analytics

Create a BitLocker-protected virtual drive to provide “encryption at rest” data protection for your project files and data portability for archival purposes. Once the disk is mounted, the script invokes the BitLocker utility to encrypt the drive.

NEW TECH: DataLocker introduces encrypted flash drive — with key pad

The Last Watchdog

One sliver of the $90 billion, or so, companies are expected to spend this year on cybersecurity products and services is an estimated $85 million they will shell out for encrypted flash drives. DataLocker honed its patented approach to manufacturing encrypted portable drives and landed some key military and government clients early on; the company has continued branching out ever since. The encryption in our products is handled by a chip inside the actual hardware itself.

NEW TECH: DataLocker extends products, services to encrypt data on portable storage devices

The Last Watchdog

Related: Marriott reports huge data breach Ever thought about encrypting the data held on a portable storage device? I had the chance at RSA 2019 to visit with Shauna Park, channel manager at DataLocker, to discuss what’s new in the encrypted portable drive space.

Kr00k Wi-Fi Encryption flaw affects more than a billion devices

Security Affairs

A high-severity hardware vulnerability, dubbed Kr00k, in Wi-Fi chips manufactured by Broadcom and Cypress exposes over a billion devices to hacking. This serious flaw, assigned CVE-2019-15126, causes vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication.

Hackers are Hurting the Internet of Things in More Ways Than you Think

InfoGoTo

With this method, they can capture the cryptographic keys to unlock the encryption that secures your IoT data. With keys in hand, cyberthugs can access and sift through data that the encryption was meant to protect. They can also include smart sensors and different apparatuses in critical infrastructure sectors like manufacturing, energy, transportation systems and more than a dozen others that the Department of Homeland Security has identified.


AUSTRALIA: Assistance and Access Act, December 2018 – Holy grail of uncertainty created by new rushed-in data encryption laws

DLA Piper Privacy Matters

According to its Explanatory Memorandum, the Act is intended to ‘introduce measures to better deal with the challenges posed by ubiquitous encryption’. It primarily amends the existing Telecommunications Act 1997 to establish frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption technologies, via the issuing of technical assistance requests, technical assistance notices and technical capability notices.

FTC Orders Mobile Device Manufacturers to Provide Information about Security Updates for Study

Hunton Privacy

On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.”

US Navy Memo Raised Cybersecurity Concerns About DJI Drones

Data Breach Today

Army ordered that the use of drones made by Chinese manufacturer DJI be discontinued, citing security concerns. Now, a second classified memo used to support that decision has been released, revealing serious concerns about how cyberspies could intercept video and other encrypted data.

IoT Inspector Tool from Princeton

Schneier on Security

From their blog post: Finding #3: Many IoT Devices Contact a Large and Diverse Set of Third Parties. In many cases, consumers expect that their devices contact manufacturers' servers, but communication with other third-party destinations may not be a behavior that consumers expect.


New Guidance Published on Cybersecurity and Medical Devices

Data Matters

New European medical device guidance will require manufacturers to carefully review cybersecurity and IT security requirements in relation to their devices and in their product literature. The Guidance is intended to assist medical device manufacturers meet the new cybersecurity requirements in the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (collectively, the Regulations).

KNOB attack threatens over a billion Bluetooth-enabled devices

Security Affairs

A vulnerability tracked as CVE-2019-9506 and referred to as the Key Negotiation of Bluetooth (KNOB) attack could allow attackers to spy on encrypted connections. “The encryption key length negotiation process in Bluetooth BR/EDR Core v5.

Spotlight Podcast: Synopsys’ Dan Lyon on the Challenge of Securing Connected Medical Devices

The Security Ledger

Dan and I discuss some of the flaws in the approach that medical device makers take to security, and how manufacturers can take a page out of their own book: applying the same standards to cyber security as they do to – say – device safety. How is it that a manufacturer can possess the design savvy to make an electronic device that lives within the human body, yet fail utterly to understand and account for the possibility of even trivial electronic manipulation and attacks?

The Growing Presence (and Security Risks) of IoT

Thales eSecurity

In the absence of IoT security regulations, many smart product manufacturers simply release new devices that lack built-in security measures and have not undergone proper security review and testing. Take manufacturing, for instance.


Ransomware at IT Services Provider Synoptek

Krebs on Security

based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software.

A new NAS Ransomware targets QNAP Devices

Security Affairs

The ransomware targets poorly protected or vulnerable NAS servers manufactured by Taiwan-based QNAP Systems; attackers exploit known vulnerabilities or carry out brute-force attacks. The malware appends the .encrypt extension to the filenames of encrypted files.

P2P Weakness Exposes Millions of IoT Devices

Krebs on Security

Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software.


Facebook Plans on Backdooring WhatsApp

Schneier on Security

This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms.

RobbinHood ransomware exploit GIGABYTE driver flaw to kill security software

Security Affairs

Ransomware operators leverage a custom antivirus-killing package that is delivered to workstations to disable security solutions before starting encryption. Attackers then execute the RobbinHood ransomware and attempt to encrypt the files on the infected host.

Consumer Reports Reviews Wireless Home-Security Cameras

Schneier on Security

The video is encrypted, and it travels from the camera through D-Link's corporate servers, and ultimately to the user's phone. Users can also access the same encrypted video feed through a company web page, mydlink.com. If you do this, the web server on the camera doesn't encrypt the video. This is the sort of sustained pressure we need on IoT device manufacturers. Consumer Reports is starting to evaluate the security of IoT devices.

MY TAKE: PKI, digital certificates now ready to take on the task of securing digital transformation

The Last Watchdog

Related: Why PKI is well-suited to secure the Internet of Things. PKI is the authentication and encryption framework on which the Internet is built. Lacking a reliable way to authenticate identities during the data transfer process, and also keep data encrypted as it moves between endpoints, the Internet would surely atrophy – and digital transformation would grind to a halt. Quantum computers can rather easily break the strongest encryption we have today.

Maze Ransomware operators leak 14GB of files stolen from Southwire

Security Affairs

The Maze ransomware gang has released 14GB of files that it claims were stolen from one of its victims, the cable manufacturer Southwire. Victims of the Maze ransomware now face a second risk: after having their data encrypted, the crooks threaten to publish that data online.

MY TAKE: Why it’s now crucial to preserve PKI, digital certificates as the core of Internet security

The Last Watchdog

For decades, the cornerstone of IT security has been Public Key Infrastructure, or PKI, a system that allows you to encrypt and sign data, issuing digital certificates that authenticate the identity of users. The role of the CAs is to diligently verify the authenticity of websites, and then help the website owners encrypt the information that consumers type into their web page forms. Fortanix is supplying the advanced encryption technology underpinning Google’s new service.

A new piece of Snake Ransomware targets ICS processes

Security Affairs

Then the malware encrypts the files on the system, skipping Windows system files and folders. A file named invoice.doc is encrypted and renamed to invoice.docIksrt. The experts noticed that the malware appends the ‘EKANS’ file marker to each encrypted file.

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

Krebs on Security

Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards – its core product – are nearly all manufactured by contractors in China. Establish and maintain end-to-end encryption for all applications.


Hackers infect Linux servers with JungleSec Ransomware via IPMI Remote console

Security Affairs

“In one case, the IPMI interface was using the default manufacturer passwords. Once the files are encrypted, the attackers drop the ransom note (ENCRYPTED.md) for the JungleSec ransomware, which contains instructions to pay the ransom and decrypt the files.

These hackers have breached FBI-affiliated websites and leaked data online

Security Affairs

TechCrunch spoke to one of the hackers, who didn’t give his or her name, through an encrypted chat late Friday. “We hacked more than 1,000 sites,” the hacker told TechCrunch through an encrypted chat.

New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps

The Last Watchdog

Carried out by ReRez Research, DigiCert’s poll queried senior officials at organizations in the fields of healthcare, industrial manufacturing, consumer products and transportation, ranging in size from 999 to 10,000 employees. The companies with a good handle on things have discovered how to leverage robust authentication and encryption regimes to help maintain the integrity of their IoT systems.


Moxa Industrial Switches plagued with several flaws

Security Affairs

Industrial control systems used in many industries, including the energy sector, critical manufacturing, and transportation, continue to be an element of concern for security experts.

OceanLotus APT group leverages a steganography-based loader to deliver backdoors

Security Affairs

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. To make analysis of the malware harder, the backdoor DLLs are heavily obfuscated and C2 communication is encrypted.

Building a foundation of trust for the Internet of Things

Thales eSecurity

With consumers in particular prioritising convenience and functionality over security, it’s down to manufacturers to ensure security is embedded into devices from the point of creation.


Experts found 36 vulnerabilities in the LTE protocol

Security Affairs

According to the researchers, the Radio Resource Control (RRC) Connection procedure is not encrypted, and an attacker could modify the data transferred. The experts also discovered vulnerabilities in baseband chipsets manufactured by Qualcomm and HiSilicon.

Keeping the Internet Secure

Adam Shostack

Today, a global coalition led by civil society and technology experts sent a letter asking the government of Australia to abandon plans to introduce legislation that would undermine strong encryption.

Supply Chain Security 101: An Expert’s View

Krebs on Security

For the US government, with perimeter monitoring there’s always a trade-off between the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So, for example, you might define rules that say appliances can talk to the manufacturer only.

Priming the payments ecosystem for explosive growth

Thales eSecurity

Many manufacturers and third-party merchants now actually save their best deals for Prime Day knowing millions of extra shoppers will be buying goods via the online store.

Medtronic’s implantable heart defibrillators vulnerable to hack

Security Affairs

Security firm Clever Security discovered that heart defibrillators manufactured by Medtronic are affected by two serious vulnerabilities. “The Conexus telemetry protocol utilized within this ecosystem does not implement encryption. The U.S.

Approaching the Reverse Engineering of a RFID/NFC Vending Machine

Security Affairs

Manufacturer block: This is the first data block (block 0) of the first sector (sector 0). It contains the IC manufacturer data. Data blocks: All sectors contain 3 blocks of 16 bytes for storing data (Sector 0 contains only two data blocks and the read-only manufacturer block).

NIST Tests Forensic Methods for Getting Data From Damaged Mobile Phones

Security Affairs

However, they can still be useful with encrypted phones because investigators often manage to get the passcode during their investigation. Manufacturers use those taps to test their circuit boards, but by soldering wires onto them, forensic investigators can extract data from the chips.

Medtronic Devices Fatal Flaw? Hackers Demonstrate New Attacks

Adam Levin

Medtronic manufactures the targeted pacemakers. Also criticized was Medtronic’s failure to implement rudimentary security standards such as HTTPS encryption and digital signatures.