IoT bug report claims “at least 100M devices” may be impacted – Naked Security

Here’s another BWAIN, which is our shorthand for Bug With An Impressive Name.

That’s the abbreviation we use for bugs that end up with names, logos and even dedicated websites that are catchy, cool, fancy, important or dramatic, and sometimes even all of these at the same time.

Classic examples of the genre include:

This time, we’re talking about NAME:WRECK, a bunch of somewhat related bugs in the core DNS software used by several different operating systems.

This “bug cluster” features in a report released yesterday by researchers from Forescout and JSOF.

The nickname comes from the word “name” in DNS, combined with the fact all the bugs could theoretically let an attacker crash an affected device, or perhaps worse.

DNS, as you probably know, is short for domain name system, which converts names like nakedsecurity.sophos.com into IP numbers such as 192.0.66.200 [correct at 2021-04-13T16:20Z].

Technically, you can run a TCP/IP network stack without DNS, simply by referring to each device by its network number only.

But even the most limited and self-contained test networks quickly end up crying out for DNS, and if ever you want to hook up your device or devices to the internet, you can consider DNS support a must.

That’s why any TCP/IP device, no matter how tiny and resource-constrained it might be, and any operating system, no matter how much it might have been miniaturised, includes code for what’s known as DNS resolution or DNS lookup.

That code needs to know how to formulate DNS requests, which are compactly encoded binary network packets specified in RFC 1035, published way back in 1987 when every byte really mattered.

DNS lookup code also needs to know how to deconstruct the similarly formatted DNS replies that come back, even though that code didn’t create those packets in the first place, and doesn’t know whether it can trust the person who did.

As you probably know only too well, making sense of binary data, known as parsing in the jargon, is very easy to do badly.

The fact that a program can reliably parse billions of well-formed packets without a hitch doesn’t mean it won’t misbehave when faced with deliberately malformed packets that would never occur in regular use.

As the old joke goes: “A penetration tester walks into a bar and says, ‘4,294,967,297 beers, please’, just to see how good the bartender is.”

The devil’s in the details

The NAME:WRECK report isn’t just one bug or one vulnerability, and all of them date back to last year except for one.

Fortunately, they are all patched (at least one has had an update out for nearly a year already) but together they constitute a worthwhile reminder that even in the modern age, programmers continue to make old-school coding mistakes.

The vulnerabilities that have been lumped together under the NAME:WRECK “brand” were found in three different operating systems.

Two were low-level operating systems, often known as RTOSes (short for real-time operating systems) dedicated to internet-of-things (IoT) devices, namely Nucleus NET from Siemens and NetX from Microsoft.

The third was FreeBSD, widely used as both a mainstream server operating system and as an operating system for embedded devices. (As the name suggests, FreeBSD is available for free, like Linux, but it uses a much more easy-going and liberal open source licence.)

Parsing errors and randomness problems

Six of the bugs involved parsing errors, where the data sent back in DNS replies was carelessly processed, leading to buffer overflows.

Some of these could be exploited to make the DNS lookup code read data from where it shouldn’t, causing a crash, or denial of service (DoS).

Others could be exploited not just to read from the wrong place but to write to the wrong place as well, leading to remote code execution (RCE).

RCE generally means that an attacker can quietly inject malware into your computer simply by sending rogue packets, without needing to log in first or to know any kind of password.

One bug was a loop-limit error, where the code added no bytes to a text string, decided that the string wasn’t full yet, and went back for more, vainly adding zero bytes over and over again for ever, in the hope that the string would eventually get longer.
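The checks whose absence produces the bug classes above are easiest to see in a small decoder for the RFC 1035 name encoding. The C below is an added example written for this article; it is not code from the NAME:WRECK report, from Forescout or JSOF, or from any of the affected stacks. The 63-byte label and 255-byte name limits come from RFC 1035; the DNS_MAX_JUMPS cap and the sample packet are constructed for illustration. It rejects a truncated packet (otherwise an over-read), a name that would not fit the caller’s buffer (otherwise an over-write), and a compression pointer that refers to itself (otherwise a loop that never makes progress).

```c
/* Added example: bounded decoder for a DNS name in RFC 1035 wire format
 * (length-prefixed labels, terminated by a zero byte, optionally ending
 * in a 2-byte compression pointer). Not from the NAME:WRECK report or
 * any affected stack. Each early return corresponds to a bug class from
 * the article: reading past the packet, writing past the caller's
 * buffer, or looping on a pointer that never advances. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX   255  /* RFC 1035: whole name, wire format */
#define DNS_LABEL_MAX  63   /* RFC 1035: one label */
#define DNS_MAX_JUMPS  16   /* assumption: cap on pointers followed */

/* Decode the name at pkt[off] into out as dotted text (NUL-terminated).
 * Returns the packet offset just after the name (after the first
 * compression pointer, if one was used), or -1 for any malformed input. */
int dns_name_decode(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = off;      /* read cursor in pkt */
    size_t out_pos = 0;    /* write cursor in out */
    size_t name_len = 0;   /* wire-format length, checked against 255 */
    int end_off = -1;      /* where the caller resumes after the name */
    int jumps = 0;

    if (out_len < 2) return -1;

    for (;;) {
        if (pos >= pkt_len) return -1;               /* would over-read */
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= pkt_len) return -1;
            if (++jumps > DNS_MAX_JUMPS) return -1;  /* pointer chain/loop */
            size_t target = (size_t)((len & 0x3F) << 8) | pkt[pos + 1];
            if (end_off < 0) end_off = (int)(pos + 2);
            /* RFC 1035 pointers refer to an earlier occurrence; a pointer
             * to itself or forward is malformed. The jump cap above, not
             * this test, is what guarantees termination. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* reserved 01/10 prefixes */
        if (len > DNS_LABEL_MAX) return -1;

        name_len += (size_t)len + 1;
        if (name_len > DNS_NAME_MAX) return -1;

        if (len == 0) {                              /* root label: finished */
            if (out_pos == 0) out[out_pos++] = '.';  /* the root name itself */
            out[out_pos] = '\0';
            return end_off >= 0 ? end_off : (int)(pos + 1);
        }
        pos++;
        if (pos + len > pkt_len) return -1;          /* label runs off packet */
        if (out_pos + len + 1 >= out_len) return -1; /* would over-write out */
        if (out_pos > 0) out[out_pos++] = '.';
        memcpy(out + out_pos, pkt + pos, len);
        out_pos += len;
        pos += len;
    }
}

/* Constructed sample (not a capture): "example.com" at offset 0,
 * "www" + pointer to offset 0 at offset 13, and a pointer to itself at 19. */
static const uint8_t sample_pkt[] = {
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    3, 'w', 'w', 'w', 0xC0, 0x00,
    0xC0, 0x13
};

/* Wrappers for checking results: decode from sample_pkt into a static
 * buffer so both the return code and the decoded text can be inspected. */
static char sample_name_buf[64];
int sample_decode(size_t off, size_t pkt_len, size_t out_len)
{
    return dns_name_decode(sample_pkt, pkt_len, off, sample_name_buf, out_len);
}
int sample_name_is(const char *expected)
{
    return strcmp(sample_name_buf, expected) == 0;
}

int main(void)
{
    int next = sample_decode(13, sizeof sample_pkt, sizeof sample_name_buf);
    printf("offset 13: %s (resume at %d)\n", sample_name_buf, next);
    next = sample_decode(19, sizeof sample_pkt, sizeof sample_name_buf);
    printf("offset 19: %s\n", next < 0 ? "rejected (self-pointer)" : sample_name_buf);
    return 0;
}
```

The point of the structure is that every read is preceded by a comparison against pkt_len and every write by a comparison against out_len, and that the loop has two independent termination guarantees (the 255-byte name limit and the pointer cap), so a malformed reply can only ever produce a clean -1.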

The last bug involved poor randomness, where one-time random numbers added as transaction identifiers into DNS replies were not random enough.

As a result, attackers could create fake DNS replies that would pass muster and perform DNS poisoning on the local device’s stored list of known DNS replies.

By feeding an internet device a list of server names and fake IP numbers, criminals could trick that device into visiting imposter sites, replacing the real IP numbers of well-known servers with IP numbers controlled by the crooks.
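The randomness problem is something a defender can check from a packet capture: collect the transaction IDs a device puts in its outgoing queries and look for the patterns a weak generator leaves behind. The C below is an added example, not from the NAME:WRECK report or any of the affected stacks; the sample ID sequences are constructed, and the one-repeat-in-eight threshold is an assumption chosen for illustration.

```c
/* Added example: heuristic audit of DNS transaction IDs (TXIDs) taken from
 * a device's outgoing queries. Not from the NAME:WRECK report or any
 * affected stack. A 16-bit TXID is the resolver's main defence against a
 * forged reply, so it must be unpredictable; this flags the patterns a
 * weak generator leaves behind. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum txid_verdict {
    TXID_OK = 0,          /* no obvious pattern in this sample */
    TXID_CONSTANT,        /* every query reused the same ID */
    TXID_FIXED_STRIDE,    /* ids[i+1] - ids[i] is constant (mod 2^16) */
    TXID_LOW_DIVERSITY    /* too many repeats for a short sample */
};

/* Number of distinct values, using a 65536-bit presence map (8 KiB). */
size_t txid_distinct(const uint16_t *ids, size_t n)
{
    uint8_t seen[65536 / 8];
    size_t distinct = 0;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        uint16_t v = ids[i];
        uint8_t bit = (uint8_t)(1u << (v & 7));
        if (!(seen[v >> 3] & bit)) {
            seen[v >> 3] |= bit;
            distinct++;
        }
    }
    return distinct;
}

enum txid_verdict txid_assess(const uint16_t *ids, size_t n)
{
    if (n < 4) return TXID_OK;    /* too few samples to judge */

    /* Constant stride, computed mod 2^16 so wrap-around counters are
     * caught too; stride 0 is the constant-ID case. */
    uint16_t stride = (uint16_t)(ids[1] - ids[0]);
    int fixed = 1;
    for (size_t i = 2; i < n && fixed; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) != stride) fixed = 0;
    if (fixed) return stride == 0 ? TXID_CONSTANT : TXID_FIXED_STRIDE;

    /* For n far below 65536 a good generator rarely repeats; flag more
     * than one repeat in eight (assumption: illustrative threshold). */
    size_t repeats = n - txid_distinct(ids, n);
    if (repeats * 8 > n) return TXID_LOW_DIVERSITY;
    return TXID_OK;
}

/* Constructed sample sequences (not captures). */
static const uint16_t ids_counter[]  = { 0x1000, 0x1001, 0x1002, 0x1003, 0x1004 };
static const uint16_t ids_wrap[]     = { 0xFFFE, 0xFFFF, 0x0000, 0x0001 };
static const uint16_t ids_constant[] = { 0x1234, 0x1234, 0x1234, 0x1234 };
static const uint16_t ids_repeaty[]  = { 5, 5, 5, 7, 7, 7, 9, 9 };
static const uint16_t ids_varied[]   = { 0x3F2A, 0x91C4, 0x0B77, 0xE5D1, 0x6A08, 0xC39E };

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static const char *verdict_name(enum txid_verdict v)
{
    static const char *names[] = { "ok", "constant", "fixed stride", "low diversity" };
    return names[v];
}

int main(void)
{
    printf("counter:  %s\n", verdict_name(txid_assess(ids_counter, COUNT(ids_counter))));
    printf("wrap:     %s\n", verdict_name(txid_assess(ids_wrap, COUNT(ids_wrap))));
    printf("constant: %s\n", verdict_name(txid_assess(ids_constant, COUNT(ids_constant))));
    printf("repeaty:  %s\n", verdict_name(txid_assess(ids_repeaty, COUNT(ids_repeaty))));
    printf("varied:   %s\n", verdict_name(txid_assess(ids_varied, COUNT(ids_varied))));
    return 0;
}
```

A clean verdict from a short sample does not prove the generator is strong (a seeded PRNG looks fine until its seed is recovered), but a sequential, constant or low-diversity verdict is a reliable sign that the stack needs a proper entropy source for its TXIDs, and that source-port randomisation and response validation should be checked as well.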

The bugs were:

The NAME:WRECK report includes a ninth bug, though this one was actually found back in 2016 by researchers at Exodus Intelligence. Somehow, that bug never received a CVE identifier at the time, but one has been issued retrospectively, namely CVE-2016-20009. That bug was a buffer overwrite in WindRiver’s IPNet software, apparently leading to remote code execution. We’re not sure if it was ever fixed, or if it’s still exploitable in current IPNet versions. If you are a WindRiver user, we recommend consulting the Exodus report for further details to help you work out if you are vulnerable.

What to do?

As so often, patching is the cure in this case.

Regular FreeBSD users will almost certainly have updated their laptops and servers by now, and almost certainly don’t need to worry.

However, if you have an embedded device based on FreeBSD, you may want to contact the maker of the device for confirmation that the patch has been included in the current device firmware.

Given the media interest in this report, developers using Nucleus NET or NetX in their products should consider publishing a note for their customers to say whether their devices are vulnerable or not.

Programmers interested in the sort of low-level coding errors that led to these bugs might want to take a look at the Forescout/JSOF report, which gives six practical examples of the coding blunders to look for.


Precision agriculture using AI and IoT to usher in the next revolution in food security


Micromanagement of every aspect of the field used for your crops is called precision agriculture. It includes mapping the field in terms of disparities within it or with other fields around it, sunlight variation across the year, wind patterns, rain predictions and other seasonal effects. To do that, feeds from weather stations, remote sensing equipment, GIS and GPS may be used.

Another key feature of precision farming is having a trained software module on the specific crop being planned in that field. This software module has an understanding about the growth patterns of that crop, possible diseases that are related to that crop, prescriptions of specific fertilizer or pesticides depending upon the disease pattern, and prediction of disease depending upon the growth of leaves or size or colour of the plant.

It uses feed sensors, weight sensors, soil sensors, temperature sensors, intensity sensors and multiple types of cameras. All these sensors may be deployed on a machine, which can be a low-flying drone or a small robot moving through the field. Based on the crop and the size of the plants, the robot’s height and size can be adjusted. This robot or drone will have multiple compartments holding the different ingredients the plants require: one box may contain water, another pesticides, another fertilizer, and so on. Based on real-time feedback from the different sensors, the software module will process that information according to the trained AI model installed on the robot or drone. Depending on the trigger, instructions will follow, and the robot will discharge a specific amount of pesticide, fertilizer, water, etc.

This whole mechanism may look like a complex process for small and medium level farmers, but that is not the case. Just like farmers currently hire big machines for sowing and cutting the crops, they will be able to hire different kinds of robots for their specific crops. Initially the cost will be high, but eventually, when this becomes a standard practice, the cost will come down with volume and scale.

The end user will not be required to understand or learn about these complex systems. They will just employ these systems like we use washing machines without understanding the mechanical engineering behind their working. The farmer will only need to follow some simple and clear instructions and press a few buttons.

While its execution will be simple, the advantages of precision farming are many and varied. End-to-end efficiency and a decrease in wastage or loss of the yield to disease will lead to an increase in crop yield. Another advantage is the huge saving in inputs: currently, farmers waste a lot of water, pesticides and fertilizers because these are spread over the whole field, and a significant portion is never used by the plants. With robots in the field, only the required resources will be applied near the roots of the plants, which will save a lot of resources. It will also produce a lot of data across fields, regions and geographies, leading to better policy decisions on which crops to promote, pricing of the output, availability of markets for the produce, value-added products in the food chain, etc.

Many people may be worried about the impact of such technologies on the job market for agricultural workers. It will result in net additional jobs in this sector. Many hands will be required for maintenance, operations, storage, production and marketing of this variety of robots and drones. The only challenge is that existing agricultural workers will need training to work on these modern machines, which will require huge efforts on the part of trainers as well as farmers. So, in conclusion, precision farming is going to be the next big thing in agriculture, with a significant impact on the economy, food reliance and modern society.



IoT Security In The Spotlight, As Research Highlights Alexa Security Flaws | Information Security Buzz


Last week, IoT security was in the spotlight again as researchers warned that Amazon’s Alexa is vulnerable to malicious third-party apps, or “skills”, that could leave owners at risk of a wide range of cyberattacks.

Researchers analyzed 90,194 unique skills from Amazon’s skill stores across seven countries and found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.

For instance, developers can register skills that fraudulently use well-known company names, and leverage these fake brand names to send out phishing emails that link to the skill’s Amazon store webpage. Attackers can also make code changes after their skills have been approved by Amazon, opening the door for various malicious configurations.

Continued innovation in the Internet of Things technology has propelled us into the Fourth Industrial Revolution and is undoubtedly valuable for consumers and businesses alike.

However, as this research into Alexa’s vulnerabilities has shown, we can’t be oblivious to the security risks that go hand-in-hand with introducing such a large number of devices into the ecosystem. Left unchecked, this presents a huge security risk. While there are many potential threats to IoT devices, a common thread in IoT security weakness is the lack of strong authentication.

As attack vectors continue to evolve, it is increasingly critical that organizations embrace security solutions that ensure the integrity and security of their IoT systems. Best-practices for IoT device security include strong authentication and secure software updates – ensuring only authentic code can be installed on the device. For a complex system such as Alexa’s Skills that involve the Alexa platform, third-party apps and third-party cloud services – a comprehensive approach to ensuring the security of the ecosystem is essential.

@Alan Grau, VP of IoT, provides expert commentary for “dot your expert comments” at @Information Security Buzz.
“Best-practices for IoT device security include strong authentication and secure software updates….”
#infosec #cybersecurity #isdots
https://informationsecuritybuzz.com/expert-comments/iot-security-in-the-spotlight-as-research-highlights-alexa-security-flaws



Is Biden’s Peloton Bike an IoT Cybersecurity Risk? – Security Boulevard


Is Every Connected Device in a Staffer’s Home an IoT Cybersecurity Risk?

Most folks are still working from home at least some of the time. That creates a number of challenges for IT departments around cybersecurity and smart devices. As our lives become ever more connected to the internet through everything from smartphones to smart bikes, it’s important to remember that even the most humble internet-connected device can be a security risk. Many business IT teams are still coming to terms with that increased Internet-of-Things (IoT) cybersecurity risk and how to mitigate it.


IoT Devices (and Risks) Are Proliferating

During the last year, as we all spent more time at home, many folks discovered that they could make their home lives a little more pleasant with IoT devices. Experts estimate that more than 26.66 billion IoT devices are active in 2020, with 127 new IoT devices connecting to the internet every second. However, researchers also report that IoT devices face 5,200 attacks a month. That means that organizations need to keep IoT security top of mind as their security posture evolves.

That includes the White House. As the original work-from-home example, the President’s house is also home to one of the world’s most secure and sensitive networks. As new First Families with an increasing number of IoT devices move in, like President Biden and his Peloton bike, the White House cybersecurity team is faced with the same dilemma as many businesses: how to secure their IT environment against the potential risk.


How to Mitigate the Risk

In the case of the President’s bike, the Secret Service and the National Security Agency (NSA) will make changes to both the physical structure and the IT capability as well as enacting strong access control policies and tools in order to mitigate the risk. Cameras and microphones will be removed, and a constant series of password changes will help blunt the possibility of foreign agents hacking into President Biden’s Peloton. This tracks with the advice given by the National Institute of Standards and Technology (NIST).

But most companies don’t need to go that far when securing their environments against IoT risks. Businesses can keep their networks safe and employees can enjoy their IoT devices without taking drastic measures or spending a fortune. While cybercrime risks continue to climb across the board, by taking sensible precautions, organizations can secure their systems and data from many of the pitfalls that arise from remote working IoT cybersecurity risks quickly and affordably.


Add a Universal Mitigation Now

One key to mitigating IoT risk and remaining cyber resilient as an organization is maintaining strong access point control. It’s not just a fantastic mitigation for IoT risk either. Strong access point control is essential for mitigating all types of cybersecurity risk – and secure identity and access management with a solution like Passly is an effective, cost-effective way to implement it in a flash.

Passly brings major weapons against intrusion to the fight with multifactor authentication (MFA), single sign-on (SSO), and secure shared password vaults. MFA is a must-have in today’s rapidly evolving threat landscape – it has been proven to block up to 99.9% of common cyberattacks from getting through to business systems. Back that up with single sign-on that empowers your IT team to add and remove permissions fast in case of compromise and secure shared password vaults to make sure that your team can easily respond to emergencies remotely, and you’ve added a huge amount of security strength for a small price.

Contact ID Agent’s experts today to add Passly to your security stack or watch a video of Passly in action to see why it’s perfect for every business.
