Akamai Finds Longtime Security Flaw in 2 Million Devices

It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.

New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries like financial services, retail, hospitality, and gaming—have been targets of this attack.

The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t implement it carefully or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.

“This is something we’ve known about for a dozen years,” says Martin McKeay, a security advocate at Akamai. “This is a vulnerability that we’ve seen before. It should not be happening. But we’re going to be seeing this more and more as everything gets an IP address and has an administrative interface. These products have to be thought through and protected before they get into the home.”

Akamai says it is working with device vendors to improve their SSH implementation and cites the network video recorder maker NUUO, the satellite antenna maker Intellian, the WiMax router maker Green Packet, the hotspot maker Ruckus, and the network-attached storage device maker Synology as companies that sell one or more products in which it detected SSH flaws. Ruckus published a security advisory in 2013 about the potential to use SSH for “unauthenticated TCP tunneling.” Sudhakar Padala, Ruckus’ senior principal security architect, stated in an email to WIRED that the Akamai warning seems to match the vulnerability Ruckus had “immediately corrected” in 2013. He added, “Akamai did not alert us to this new report. We take all security vulnerabilities extremely seriously.” In its report, Akamai cites Ruckus’s 2013 advisory but adds, “This was one of the affected device types discovered during our research.” Intellian declined to comment. The other companies could not yet be reached for comment.

The Akamai researchers found that hackers have been able to establish unauthorized SSH connections, called “tunnels,” with IoT devices to then route malicious traffic as part of command and control infrastructure. Akamai observed this strategy being used for attacks like credential stuffing, in which attackers set up an automated system for trying to get into customer accounts on a site using credential pairs leaked in previous data breaches.

In one example, Akamai observed hackers using an account called “admin” to authorize an SSH tunnel to a network video recorder. They then used this access to generate and send malicious traffic from the video recorder. Some quick research revealed that the factory-default password for this administrator account was listed publicly as “admin.” From there the hackers could push other traffic, such as TCP connections, through the tunnel, and with relatively little effort access and direct the device. Additionally, from a hacker’s perspective, the approach has the added benefit of masking the true source of an attack, since the malicious traffic emanates from the network, and therefore IP address, of the hijacked IoT device.

Akamai has recommendations for manufacturers, like building in prompts for customers to change default administrator credentials, disabling SSH on devices unless it’s specifically needed, and creating ways for devices to easily receive configuration updates. For customers, the company advises changing factory default usernames and passwords when possible, disabling SSH traffic on home networks, and creating firewall restrictions on inbound and outbound SSH access if applicable. But one major concern is that, unlike a hacked Facebook account, a compromised IoT device is something the average person will likely never notice, even when it happens to them. “It’s not something most people are actually going to notice,” McKeay says. “But it does mean that your network is going to be part of a chain of control.”
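The two recommendations a vendor can act on directly, turning SSH off where it is not needed and making sure a leaked factory credential cannot open a tunnel, come down to a handful of sshd_config directives. The Python below is an added example for this page, not Akamai’s tooling and not any vendor’s firmware code. It assumes the device runs OpenSSH’s sshd; the directive names and the defaults it uses are the real ones from sshd_config(5), and the sample configuration is constructed. It audits a config against hardened values and rewrites it so the hardened values are the first sshd sees.

```python
"""Audit and harden an OpenSSH sshd_config for the settings that let an
embedded device be used as an SSH relay.

Added example: not Akamai's tooling and not any vendor's firmware code.
Assumes OpenSSH's sshd; directive names and defaults are from sshd_config(5).
"""
import re

# Hardened values for a device that only needs SSH for local administration.
HARDENED = {
    "AllowTcpForwarding": "no",      # the device must not relay third-party TCP traffic
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",  # key-only login; a published factory password is useless
    "PermitEmptyPasswords": "no",
}

# Effective value when the directive is absent (stock OpenSSH defaults).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# sshd_config accepts "Keyword value" or "Keyword=value"; '#' starts a comment.
_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def _key_value(raw):
    """Split one line into (lowercase keyword, value); blank/comment lines give (None, None)."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, None
    m = _DIRECTIVE.match(line)
    return m.group(1).lower(), m.group(2).strip()


def parse_sshd_config(text):
    """Return (effective global settings, match_block_present).

    sshd uses the first value it sees for each keyword, so earlier lines win.
    Parsing stops at the first Match block: those directives apply conditionally
    and are reported separately instead of being evaluated here.
    """
    seen = {}
    for raw in text.splitlines():
        key, value = _key_value(raw)
        if key is None:
            continue
        if key == "match":
            return {**DEFAULTS, **seen}, True
        seen.setdefault(key, value)
    return {**DEFAULTS, **seen}, False


def audit_sshd_config(text):
    """List (Directive, effective value, recommended value) for each setting off the hardened value."""
    effective, has_match = parse_sshd_config(text)
    findings = [(name, effective[name.lower()], want)
                for name, want in HARDENED.items()
                if effective[name.lower()].lower() != want]
    if has_match:
        findings.append(("Match", "present", "review: a Match block can re-enable forwarding"))
    return findings


def hardened_config(text):
    """Return the config with the audited directives replaced by hardened values.

    Global-section lines for audited keywords are dropped and a hardened block is
    placed before any Match block, so the hardened values are the first sshd reads.
    """
    audited = {k.lower() for k in HARDENED}
    head, tail, in_match = [], [], False
    for raw in text.splitlines():
        key, _ = _key_value(raw)
        if key == "match":
            in_match = True
        if in_match:
            tail.append(raw)
        elif key not in audited:
            head.append(raw)
    block = ["# hardened by audit"] + [f"{k} {v}" for k, v in HARDENED.items()]
    return "\n".join(head + block + tail) + "\n"


# Constructed sample of a shipped device sshd_config (not taken from any real vendor).
SAMPLE_WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# AllowTcpForwarding is not set, so the OpenSSH default (yes) applies
"""

if __name__ == "__main__":
    for name, got, want in audit_sshd_config(SAMPLE_WEAK_CONFIG):
        print(f"{name}: effective '{got}', recommended '{want}'")
    print(hardened_config(SAMPLE_WEAK_CONFIG))
```

The audit deliberately treats an absent AllowTcpForwarding as a finding, because the OpenSSH default is to permit forwarding, and that is exactly the setting a default-credential login turns into a tunnel. A Match block is flagged rather than parsed, since its conditional directives can override the global values for particular users or addresses and need a human to read them.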

Concern about Internet of Things insecurities has grown as more attackers use the type of approach Akamai describes. Most recently, an army of centrally controlled IoT devices launched a massive distributed denial-of-service (DDoS) attack against the website of security reporter Brian Krebs. The attack created its botnet using malware called Mirai, which has since been publicly released, increasing the danger of future Mirai attacks.

In the case of the SSH hacks, Akamai emphasizes that nothing about the SSH vulnerabilities is really new, and it’s true that these types of problems have long been foreseen. For example, a 2003 evaluation of SSH by the security firm SANS Institute noted, “The unfortunate reality is that SSH is not a ‘silver bullet’ capable of removing all dangers. Known exploits of SSH exist that can be used as attack vectors against a network.” But these and similar warnings were directed at more traditional computer networks during the early 2000s. The idea that IoT devices need to be protected with the same rigor is still developing, but for victims of IoT botnets it’s coming too slowly. “Embedded devices still tend to run old software stacks that have not been vetted and that either don’t implement security at all, don’t implement it properly, or might implement security but leave default passwords on there,” says Balint Seeber, the director of vulnerability research at the Internet of Things security company Bastille. “Both customers and companies are slowly waking up, and that’s great, but it’s just such a broad domain.”

Even if it’s a rude awakening, IoT devices now number in the tens of billions, and it’s time to protect them.


from Wired Top Stories http://ift.tt/2ellCHy
via IFTTT

Terahertz radiation could speed up computer memory by 1000 times

One area limiting speed in personal computing is memory — specifically, how quickly individual memory cells can be switched, which is currently done using an external magnetic field. European and Russian scientists have proposed a new method using much more rapid terahertz radiation, aka "T-rays," the same things used in airport body scanners. According to their research, published in the journal Nature, swapping out magnetic fields for T-rays could crank up the rate of the cell-resetting process by a factor of 1000, which could be used to create ultrafast memory.

The radiation is actually a series of short electromagnetic pulses pinging the cells at terahertz frequencies (which have wavelengths of about 0.1 millimeter, lying between microwaves and infrared light, according to the scientists’ press release). Most of the recent T-ray experiments have dealt with quick, precise inspections of organic and mechanical material. Aside from quickly scanning you for contraband and awkward bulges at airports, other proposals have involved using terahertz radiation to look into broken microchip innards, peer into fragile texts and even comb airport luggage for bombs.

But similar to those hypothetical applications, you won’t see T-rays in your PCs any time soon. The scientists have successfully demonstrated the concept on a weak ferromagnet, thulium orthoferrite (TmFeO₃), and even found that the terahertz radiation’s effect was ten times greater than a traditional external magnetic field, meaning the new method is both far faster and more efficient. But the scientists have yet to publish tests on actual computer memory cells, so it’s unknown when, or if, T-rays will buzz around inside your machine.

Source: Nature

from Engadget http://ift.tt/2eaYxUt
via IFTTT

Science creates a cast that lets you scratch those itches

If you made a list of things that sucked about breaking your arm, the fiberglass cast to heal you would be close to the top. You can’t shower with it, you can’t get at your skin and you wind up an itchy, sweaty mess for months on end. Three college students out of Illinois believe that they can alleviate some of those bugbears with Cast21, a pretzel-esque sleeve that would replace traditional fiberglass castings. The Cast21 sleeve is a mathematically designed structure that’s as rigid as a traditional cast, but without most of those issues. For instance, its hollow design means that you can get to most of your skin, letting you scratch those itches when you need to. Plus, you can get it wet, it’s lightweight and can be removed with a pair of pointed shears. Oh, and it’ll cost roughly the same as the existing procedure, so it won’t put too much of a dent in your hospital bills.

The sleeve itself is made of silicon and composed of a series of hollow tubes that are all connected together. Once a doctor places it on your forearm, two liquids are injected into the tubes and as they mix, the structure hardens. The silicon construction means that a wide variety of colors and designs can be incorporated into the cast, including block colors, camouflage pattern and even a "cookies and cream" motif.

The team behind Cast21 is currently looking for investors to help them get through the initial manufacturing and prototype stages. Should that cash arrive soon, it’s hoped that initial trials on human patients could begin as early as mid-2017, although that’s a very ambitious goal. COO Justin Brooks also has one eye on conquering the animal market, given how frequently you see dogs with broken forelegs. He also says that his company has one up on its 3D-printed rivals since there’s significantly less complexity with stretchy silicon.

Source: Cast21

from Engadget http://ift.tt/2e0qmkA
via IFTTT

Steam will soon natively support PlayStation 4 controllers

While it’s been possible to link a DualShock 4 to a PC to play Steam games, the functionality has been provided by third-party apps, not the companies themselves. Luckily, that will soon change, after Valve’s Jeff Bellinghausen confirmed to Gamasutra that the game company is working to include native support for other gamepads, starting with the PlayStation 4 controller.

"Believe it or not, when you use the PS4 Controller through the Steam API, it’s exactly the same as a Steam Controller. Not only is it a really nice, high quality controller, but it’s also got a gyro and a touchpad," says Bellinghausen. "Existing native support for the PS4 controller on the PC is a bit weak; in this case Steam itself is communicating directly with the device so everything that’s nice and reliable."

In the past, Steam users have relied on apps like DS4Windows to connect DualShock controllers to their PC. However, with native Steam support and the new DualShock 4 USB Wireless Adaptor, which already helps PC users play PlayStation Now games on their desktop, it won’t be long before Sony’s gamepad can be fully utilized — touchpad and all — without any additional customization.

Via: Polygon

Source: Gamasutra

from Engadget http://ift.tt/2eaBO9G
via IFTTT

Big soda is buying off big health orgs to keep profits and Americans fat

Under the guise of sweet charitable giving, soda makers are handing out millions to big name health organizations so that the groups stay quiet about health issues that threaten to slim down drink profits—not to mention Americans themselves—a new study suggests.

Between 2011 and 2015, Coca-Cola Company and PepsiCo sponsored 96 national health organizations, including the American Diabetes Association, the American Heart Association, and the American Society for Nutrition, researchers report in the American Journal of Preventive Medicine. Meanwhile, lobbyists for the beverage makers successfully campaigned against nearly 20 proposed state and federal regulations aimed at protecting public health, such as improvements to nutrition labeling and soda taxes.

The pop makers’ efforts to defeat public health policies cast doubt on the sincerity of their charitable giving to health groups. But the sponsorships alone are concerning, according to the study authors, Daniel Aaron and Michael Siegel of Boston University. Earlier studies have found that “sponsorships of health organizations can have a nefarious impact on public health,” they wrote, noting the efforts of Big Tobacco decades ago. Sponsors may directly or indirectly—through feelings of indebtedness—get an organization to take on their interests. As such, the Federal Trade Commission considers sponsorships a marketing tool. All in all, Aaron and Siegel conclude that the soda sponsorships “are likely to serve marketing functions, such as to dampen health groups’ support of legislation that would reduce soda consumption and improve soda companies’ public image.”

Though the authors don’t prove that the soda sponsorships have resulted in “nefarious” effects, there are plenty of reasons to buy the argument. For instance, in 2010, the charity Save the Children stunned colleagues and health professionals by abruptly dropping support for a soda tax—a policy the organization had been fiercely supporting as part of a campaign to combat childhood obesity. The turnabout occurred after the organization received more than $5 million from Coca-Cola Company and PepsiCo, though the charity’s executives denied the connection.

Similarly, in 2012 and 2013, the NAACP, which runs a Coca-Cola-funded health program and has close ties to soda makers, firmly opposed Mayor Bloomberg’s soda portion size limit for New York City. The stance was in spite of the fact that African Americans in the city suffer higher than average rates of obesity.

Last year The New York Times uncovered financial links between Coca-Cola and the research group, Global Energy Balance Network, run out of the University of Colorado. The researchers willfully downplayed the role of sugary beverages in poor health and obesity and shifted focus to a need for more exercise. The group has since disbanded and Coca-Cola’s chief scientist stepped down following the revelation.

And just last month, researchers at the University of California, San Francisco dug up evidence that sugar industry executives wrote fat checks to Harvard researchers in the 1960s to downplay the role of sugar in heart disease. Instead the researchers placed the blame solely on excess saturated fat—a scheme that skewed health policy and dietary guidelines for decades.

Despite such highly publicized examples of industry’s meddling in health campaigns and policy, the new study by Aaron and Siegel is the first to try to capture the extent of the problem. The researchers sifted through financial disclosures on scientific literature, websites, and news reports, plus a database that tracks lobbying spending. The researchers wrote that their tally of 96 health organizations sponsored is likely an underestimate, given the potential for undisclosed funding plus the fact that they only looked for national—not state or local—health organizations.

Still, they conclude, the results show an extensive relationship between soda makers and health organizations, which have a lot of sway on policies and laws. “It is recommended that organizations find alternative sources of revenue in order to stop indirectly and inadvertently increasing soda consumption and causing substantial harm to Americans,” they conclude.

In 2009, the average American consumed 46 gallons of soda, giving the US the highest per capita consumption rate of the sugary beverages of any country. Meanwhile, about 38 percent of US adults and 17 percent of children are obese. Recent research has estimated that sugary drinks were responsible for a fifth of Americans’ weight gain.

American Journal of Preventive Medicine, 2016. DOI: 10.1016/j.amepre.2016.08.010

from Ars Technica http://ift.tt/2ddnsnT
via IFTTT