Deral Heiland, Research Lead at Rapid7, is disclosing a vulnerability that reveals how the popular home lighting system Osram Lightify leaves users vulnerable to attack. A link to the blog post with additional details can be found here. Specifically, a malicious actor can: execute commands to change lighting, and also execute commands to reconfigure the devices; inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation. Deral commented below. Deral Heiland, Research Lead at Rapid7: “As consumer based IoT solutions find their way into our enterprise…
Author: ISBuzz Team
In the healthcare industry, those practicing in the field must take the Hippocratic Oath and swear to uphold specific ethical standards. This standard helps promote the idea of “do no harm” and healthcare practitioners take this oath very seriously. But what about the Information Technology industry? How do we ensure that those we give ultimate power to in our organizations are not abusing their power and are acting in the best interest of the company? There is nothing similar to the Hippocratic Oath for systems administrators, network engineers, or security analysts. Although we would like to hope that throughout our…
In response to the news that a joint operation by Europol, the Dutch National High Tech Crime Unit, Intel, and Kaspersky has seized the command and control servers for the Shade ransomware strain and published code that allows anyone hit by the malware to decrypt their files, Mark James, Security Specialist at ESET, commented below. Mark James, Security Specialist at ESET: Now that the C&C servers have been seized, will this likely be the end of Shade? “One of the biggest problems with malware these days is its ability to be modified in ways that may affect the outcome of…
When each nation’s best athletes compete at the Olympic Games, one city seemingly becomes the center of the universe. And while the world looks on closely, threat actors do the same—only for much more nefarious reasons. Every four years, the Olympics’ host country pours an enormous amount of time and resources into building the physical and technical infrastructure necessary to accommodate visitors from all over the world. For example, the total cost of the 2016 Olympics in Rio de Janeiro, Brazil, is estimated to exceed $12B, an increase of $99.3M since August alone. Spectators and revelers are projected to spend…
Following the news that the Government Digital Service (GDS) is testing ways to use people’s social media accounts to help prove their identity when accessing online public services, Lee Munson, Security Researcher at Comparitech.com, commented below. Lee Munson, Security Researcher at Comparitech.com: “In theory, the government’s idea of using social media accounts as a means of authenticating a consumer’s identity is compelling – after all, the vast majority of the population is now signed up to one or more of Facebook, Twitter, Instagram, etc. “In practice, however, I am concerned that the increasing use of social sites as proof of identity could actually lead to…
According to BBC reports, O2, one of the biggest UK mobile networks, appears to have suffered a data breach. The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. Security experts at MIRACL, Lieberman Software, Comparitech.com, ESET, Veracode and Intercede commented below. Brian Spector, CEO at MIRACL: “This incident provides us with another reminder of just how vulnerable passwords are to being hacked. The tendency for people to choose a password for life means that setting up a cursory account on a gaming site could threaten all the private information…
In light of the news that Amazon has won approval for UK delivery drone tests, Colin Bull, Principal Consultant Manufacturing and Product Development at SQS, highlights below the vital need for the implementation of regulation and the standardisation of radio frequencies on which drones can operate. Colin Bull, Principal Consultant Manufacturing and Product Development at SQS: “With today’s news that Amazon has won the approval for UK autonomous delivery drone tests, what was once thought of as a fun novelty for the modern consumer is soon to become a daily reality. Despite the obvious benefits, drones must be embraced and feared in…
Security experts from VASCO Data Security, STEALTHbits Technologies, Lastline and InfoArmor provide their insight on the DNC email hack and email encryption below. John Gunn, VP of Communications at VASCO Data Security: “Encryption is simple to use, inexpensive, and highly effective. It doesn’t guarantee the hackers could not have obtained the information, but it certainly would have made their job a lot more difficult. This issue again underscores that there is a significant shortage of qualified IT security professionals – this event is just more evidence of the problem. Political campaigns are not known for paying well or for providing long-term employment. They should have…
When I started writing for Tripwire and some of the other information security websites that graciously publish my work, I had a few humble goals in mind: To raise awareness about security-related topics for the general public; To spark some thought and conversation about information security; To educate folks who are considering a career and just starting out in the information security field; To be more like my info-sec rock star friend, Javvad Malik. I never expected that anyone would want me to endorse any products, but lately, I have received unsolicited requests to review and endorse some security products.…
The Democratic National Committee’s email has been hacked and confidential emails have been posted on Wikileaks. The emails outline thoughts on the Bernie Sanders campaign, donors and their backgrounds, and entertainers who might or might not be invited to the White House. Tim Erlin, Senior Director of IT Security and Risk Management at Tripwire, commented below. Tim Erlin, Senior Director of IT Security and Risk Management at Tripwire: “If you’re part of the political process, especially during a hotly contested election, it’s safest to just assume that your emails aren’t private. It’s possible to take measures to protect email contents through…