fbpx
Mid-April Security Alerts

Mid-April Security Alerts

Cisco Issues 31 Mid-April Security Alerts

Among them, two are critical and six are of high importance.

A busy month for Cisco router owners got busier yesterday when the networking giant introduced 31 new advisories and alerts. These announcements came on top of 11 high- and medium-impact vulnerabilities announced earlier in the month.

Of the 31 alerts, 23 are of medium impact, six are of high impact, and two are of critical impact to the organization and its security team.

Most of the medium-impact alerts are for cross-site scripting vulnerabilities, denial-of-service vulnerabilities, or vulnerabilities affecting unauthorized users and access. These were found on devices ranging from LAN controllers to wireless network access points to Cisco’s new Umbrella security framework.

The two critical alerts are for two very different vulnerabilities. In one, a vulnerability in Cisco IOS and IOS XE could allow an attacker to reload the system on a device (potentially replacing the legitimate system with one containing malicious code), or remotely execute code at a privilege level above the level of the user being spoofed to gain access.

This vulnerability is found in the Cisco Cluster Management Protocol (CMP) and was discovered when the documents in the infamous Vault 7 disclosurewere analyzed. That’s bad news because those documents have been available to hackers around the world for more than two years. And the news gets worse: Researchers at Cisco Talos have published a blog post showing this vulnerability has been exploited in the wild as part of a DNS hijacking campaign dubbed “Sea Turtle.”

Cisco already has released a software patch for this critical vulnerability, which has no operational workaround for successful remediation.

The second critical vulnerability could allow a remote attacker to gain access to applications running on a sysadmin virtual machine (VM) that is operating on Cisco ASR 9000 series Aggregation Services Routers. This vulnerability, Cisco says, was found during internal testing and has not yet been used in the wild. The source of the vulnerability – insufficient isolation of the management interface from internal applications – has been fixed in a pair of Cisco IOS XR software releases and does not, therefore, warrant a separate update, Cisco says.

Between the medium and critical vulnerabilities are six high-importance vulnerabilities that affect systems including telepresence video servers, wireless LAN controllers (three separate vulnerabilities), Aironet wireless access points, and the SNMP service.

 

Cisco ranks the severity of vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 3. Vulnerabilities with a CVSS score of 9.0 to 10.0 are critical, those in the range of 7.0 to 8.9 are high, and a score of 4.0 to 6.9 warrants a medium label. Anything ranking below medium is given an informational alert only.

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like to discuss how Liquid Video Technologies can help you secure your data or would like to discuss your next Home Security System, Networking, Access ControlFire, IT consultant or PCI Compliance, needs.  Please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

As Threats Evolve So Should You

As Threats Evolve So Should You

Microsoft Office now the most targeted platform, as browser security improves

Microsoft Office has become cybercriminals’ preferred platform when carrying out attacks, and the number of incidents keeps increasing, Kaspersky Lab researchers said during the company’s annual conference, Security Analyst Summit, in Singapore. Boris Larin, Vlad Stolyarov and Alexander Liskin showed that the threat landscape has changed in the past two years and urged users to keep their software up-to-date and to avoid opening files that come from untrusted sources to reduce the risk of infection.

Today, more than 70% of all the attacks Kaspersky Lab catches are targeting Microsoft Office, and only 14% take advantage of browser vulnerabilities. Two years ago, it was the opposite: Web-based vulnerabilities accounted for 45% of the attacks, while Microsoft Office had a 16% share.

Kaspersky researchers presented data showing increase in Microsoft Office exploits since 2016As Threats Evolve So Should You

Researchers said that this is because hacking browsers has become more expensive, as browser security has improved. “Browser developers put much effort into different kinds of security protections and mitigations,” Liskin said. “Attackers were looking for a new target, and MS Office has become a star.”

Liskin added that there are plenty of reasons why cybercriminals choose to attack the popular suite. “Microsoft Office has a huge number of different file formats,” he said. “It is deeply integrated into the Windows operating system.”

He also argued that when Microsoft created Office, it made several decisions that, in hindsight, aren’t optimal security-wise and are currently difficult to change. Making such alterations would have a significant impact on all the versions of the products, Liskin said.

The researchers pointed out that the most exploited vulnerabilities from the past two years are not in MS Office itself, but rather in related components. Two of those vulnerabilities, CVE-2017-11882 and CVE-2018-0802, exploit bugs found in Equation Editor. Cybercriminals prefer to use them because they can be found in every version of Microsoft Word released in the past 17 years. Moreover, building exploits for them does not require advanced skilled, because the Equation Editor binary lacks modern protections and mitigations. These are simple, logical vulnerabilities, the researchers said.

Exploit uses Internet Explorer to hack Office

Another interesting vulnerability is CVE-2018-8174. In this unusual case, the vulnerability was actually in Internet Explorer, but the exploit was found in an Office file. “The exploit was delivered as an obfuscated RTF document,” researcher Larin said. “This is the first exploit to use a vulnerability in Internet Explorer to hack Microsoft Office.”

The infection chain has three steps. First, the victim opens the malicious document. As they do this, a second stage of the exploit is downloaded: an HTML page that contains a VBScript code. This then triggers the third step, ause after free (UAF) vulnerability, and executes shellcode. UAF bugs are a type of memory corruption vulnerability that have been very successful in the past for browser exploitation. The technique works by referencing memory after it has been freed, causing the software to crash or allowing an attacker to execute code.

Cybercriminals act fast on Microsoft exploits

What intrigues Larin, Stolyarov and Liskin the most about the cases they’ve studied is how fast cybercriminals operate. Most incidents start with a Microsoft Office zero-day that’s used in a targeted campaign. Once it becomes public, it’s only a matter of days until exploits appear on the dark web. Sometimes, it can even be faster, as has happened with CVE-2017-11882, the first Office Equation Editor vulnerability Kaspersky Lab researchers uncovered. The publication of the proof of concept was followed by a massive spam campaign that began on the very same day.

Microsoft Office vulnerabilities might become even more common in the near future, as attackers continue to target the suite. Larin advised users to keep their software updated, and to pay attention to the files they receive from dubious email addresses. “Our best recommendation is not to open links and files received from untrusted sources, and have installed security solutions with advanced detection of exploits,” Larin added.

 

As Threats Evolve So Should You By Andrada Fiscutean

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

 

 

U.S. Patent Granted for Blockchain

U.S. Patent Granted for Blockchain

Blockchain Patent Granted to Cybersecurity Company Owned by U.S. Defense Contractor

 

Documents published by the United States Patent and Trademark Office (USPTO) on April 16 reveal that Texas-based cybersecurity company Forcepoint has been awarded a blockchain-related patent.

Forcepoint is owned by U.S. defense contractor Raytheon and private equity firm Vista Equity Partners, and Crunchbase estimates its yearly revenue to be $600 million.

The system described in the patent appears to be a complex user behavior monitoring and management system. The system would aim to store data about electronically-observable user interactions and then use this data to identify known good, anomalous and malevolent user actions to enhance the system’s cybersecurity.

Some versions of the system employ blockchain technology, according to the patent:

“In certain embodiments, the association of the additional context may be accomplished via a blockchain block within a user behavior profile blockchain […] implemented with appropriate time stamping to allow for versioning over time. ”

Furthermore, the patent also provides the possibility of storing user behavior data on the blockchain directly, noting that advantages of the solution are immutability and tamper-evident.

As Cointelegraph recently reported, digital payments giant PayPal has won a cybersecurity patentto protect users from crypto ransomware.

Also, at the beginning of the current month, global consulting company Accenture has patentedtwo solutions focused on blockchain interoperability.

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

 

 

Things Aren't As They Seem

Things Aren’t As They Seem

Mueller report details how Russians reached millions of US Facebook and Twitter users and brought them out to real-life rallies

Special counsel Robert Mueller’s report released Thursday says Russia’s Internet Research Agency, or IRA, reached millions of U.S. users on Twitter, Facebook and Instagram leading up to the 2016 presidential election. Russian operatives also communicated with the Trump campaign under false identities “without revealing their Russian association” and interacted with prominent pro-Trump activists to arrange political rallies, “confederate” events and even a #KidsforTrump organization, the report says.

“IRA-controlled Twitter accounts separately had tens of thousands of followers, including multiple U.S. political figures, who retweeted IRA-created content,” the report says. Facebook has estimated that IRA-controlled accounts reached up to 126 million people, with Twitter notifying 1.4 million people they may have been in contact with a Russia-controlled account.

The Mueller document gives a fuller picture of how both technical and in-person intelligence operatives worked together to influence sentiment leading up to the 2016 election.

An odyssey that ramped up in 2014

Russian operatives had been dabbling in social media until around 2014, when they consolidated their efforts under a single program known internally as the “translator department,” according to the report. They later began sending operatives to the U.S. to further the election goals of the program.

In June 2014, four members of the department lied to the U.S. State Department, claiming to be “friends who met at a party.” Two of them, Anna Bogacheva and Aleksandra Krylova, received visas to enter the U.S. In 2016, other operatives were seen holding up signs at an event near the White House purportedly celebrating the birthday of Yevgeniy Prigozhin, a Russian tycoon alleged to have funded some of the interference campaigns and their associated social media ad buys.

On Twitter, the IRA program broke its operation into two strategies: creating real Twitter accounts meant to represent “individual U.S. personas,” and a separate, IRA-controlled network of automated Twitter bots “that enabled the IRA to amplify existing content on Twitter.”

One of the IRA accounts, which claimed to be that of a Trump supporter from Texas, had 70,000 followers. Another anti-immigration persona had 24,000 followers. A third, called @march_for_trump, organized a series of rallies in support of Trump across the U.S. The accounts posted 175,993 tweets, though the report says only 8.4% of those were election-related.

“U.S. media outlets also quoted tweets from IRA-controlled accounts and attributed them to the reactions of real U.S. persons,” the report says.

Influential conservatives also interacted with the accounts, including TV commentator Sean Hannity, Roger Stone, former U.S. Ambassador to Russia Michael McFaul and Michael Flynn Jr.

From Twitter to real life

“The Office identified dozens of U.S. rallies organized by the IRA,” the report says. “The earliest evidence … was a ‘confederate rally’ in November 2015. The IRA continued to organize rallies even after the 2016 U.S. presidential election.”

Many of the rallies drew few participants, while others drew hundreds. “The reach and success of these rallies was closely monitored” by the Russian team, the report says.

The report clarifies that in the cases in which a pro-Trump, IRA-organized rally also coordinated with Trump’s campaign, the campaign was not aware of the origins of the organizers. “The IRA’s contacts included requests for signs and other materials to use at rallies, as well as requests to promote the rallies and help coordinate logistics.”

“The investigation has not identified evidence that any Trump campaign official understood the requests were coming from foreign nationals,” the report says.

Another two-part campaign, against Hillary Clinton

As with the IRA’s Twitter strategy, Russia’s GRU intelligence agency broke its campaign of interference against Hillary Clinton’s presidential campaign into two parts. One group developed specialized malware — malicious software used, in this case, to monitor communications. A second group was charged with honing and launching mass spearphishing operations, meant to identify key targets within Clinton’s campaign and craft believable emails persuading them to click and, therefore, install the custom malware.

The GRU officers sent hundreds of these emails to Clinton staffers, including official campaign accounts and Google accounts used by staffers.

 

Things Aren't As They Seem By: Kate Fazzini

 

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Microsoft: Hackers access customer accounts

Microsoft: Hackers access customer accounts

Microsoft: Hackers compromised support agent’s credentials to access customer email accounts

On the heels of a trove of 773 million emails, and tens of millions of passwords, from a variety of domains getting leaked in January, Microsoft has faced another breach affecting its web-based email services.

Microsoft  has confirmed to TechCrunch that a certain “limited” number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

According to an email Microsoft has sent out to affected users (the reader who tipped us off got his late Friday evening), malicious hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with — “but not the content of any e-mails or attachments,” nor — it seems — login credentials like passwords.

Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft’s letter to users said.

The hackers got into the system by compromising a customer support agent’s credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might as a result see more phishing or spam emails as a result. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source.”

We are printing the full text of the email below, but a separate email sent to us, from Microsoft’s Information Protection and Governance team, confirmed some of the basic details, adding that it has increased detection and monitoring on those accounts affected.

Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts. 

No enterprise customers are affected, TechCrunch understands.

Right now, a lot of question marks remain. It’s unclear exactly how many people or accounts were affected, nor in which territories they are located — but it seems that at least some were in the European Union,  since Microsoft also provides information for contacting Microsoft’s data protection officer in the region.

We also don’t know how the agent’s credentials were compromised, or if the agent was a Microsoft employee, or if the person worked for a third party providing support services. And Microsoft has not explained how it discovered the breach.

We have asked Microsoft all of the above and will update this post as we learn more.

In this age where cybersecurity breaches get revealed on a daily basis, email is one of the most commonly leaked pieces of personal information. There’s even been a site created dedicated to helping people figure out if they are among those who have been hacked. Have I Been Pwned, as the site is called, now has over 7.8 billion email addresses in its database.

We’ll update this post as we learn more. The letter from Microsoft to affected users follows.

Dear Customer

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at ipg-ir@microsoft.com. If you are a citizen of European Union, you may also contact Microsoft’s Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
dpoffice@microsoft.com

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.

Updated with comment from Microsoft.

 

By:  Ingrid LundenZack Whittaker

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Cyber Leak: Are You Protected

Cyber Leak: Are You Protected

Hackers publish personal data on thousands of US police officers and federal agents

 

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

Unprompted, the hacker sent a link to another FBINAA chapter website they claimed to have hacked. When we opened the page in a Tor browser session, the website had been defaced — prominently displaying a screenshot of the encrypted chat moments earlier.

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

In the encrypted chat, the hacker also provided evidence of other breached websites, including a subdomain belonging to manufacturing giant Foxconn. One of the links provided did not need a username or a password but revealed the back-end to a Lotus-based webmail system containing thousands of employee records, including email addresses and phone numbers.

Their end goal: “Experience and money,” the hacker said.

 

By: Zack Whittaker

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Every Success Starts Somewhere

Every Success Starts Somewhere

How Jeff Bezos decided the first thing Amazon would sell was books

 

  • Amazon was designed to be an “everything store,” according to Brad Stone’s book “The Everything Store.”
  • But when CEO Jeff Bezos was first thinking about launching the company, he decided to start by selling books.
  • They were the most practical product choice, and he could offer a much wider selection than any brick-and-mortar retailers could.
  • Visit Business Insider’s homepage for more stories.

Amazon grew out of CEO Jeff Bezos’ desire to build an “everything store.” It was an idea he’d discussed at length with his former boss David Shaw.

Brad Stone wrote in his 2013 book, also called “The Everything Store,” that Bezos and Shaw’s goal was to build “an Internet company that served as the intermediary between customers and manufacturers and sold nearly every type of product, all over the world.”

To be sure, that description is fitting for the Amazon we know today. But when Bezos was first thinking about launching the company, he knew that a store that sold absolutely everything would be an unrealistic goal. So he tried to zero in on a single product category.

Stone wrote that Bezos thought up 20 product categories, from music to office supplies. Books seemed like the best option, for a few reasons. Customers would always know what they were in for, since one copy of a book is the same as another.

What’s more, Stone wrote, at the time there were two primary book distributors — Ingram and Baker and Taylor — meaning Amazon wouldn’t have to get in touch with thousands of book publishers.

Finally, there were 3 million books in print, which was a lot more than a bookstore, such as Barnes and Noble, could stock.

So an “everything store” of books it was. Stone quoted a speech Bezos gave at Lake Forest College in 1998: “With that huge diversity of products you could build a store online that simply could not exist in any other way.”

When Amazon opened to the public in 1995, according to the Los Angeles Times, it billed itself as “Earth’s Biggest Bookstore.” By 1997, the Los Angeles Times reported, the company carried more than 2.5 million titles.

Amazon began broadening its horizons beyond books in 1998, when it bought the companies Junglee Corp. and Planet All. “We’re at an inflection point where we are now looking at a broader range of products,” Bezos told The New York Times, which labeled Amazon “the most successful merchant on the Internet.”

BY: 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

 

LVT- Integration-moving-forward, view of CAT5 cable and with services Icons, Greenville South Carolina

Social Channels Are Ruling E-Commerce

THE SOCIAL COMMERCE REPORT: How Facebook, YouTube, Pinterest, and other popular apps are upending the e-commerce space

Social media is becoming increasingly influential in shoppers’ purchasing decisions. In fact, the top 500 retailers earned an estimated $6.5 billion from social shopping in 2017, up 24% from 2016, according to BI Intelligence estimates.

Growth in Share of Retail Site VisitsBI Intelligence

In addition to influencing purchase decisions, social media is a large part of the product discovery and research phase of the shopping journey. And with more and more retailers offering quick access to their sites via social media pages, and shoppable content becoming more popular, it’s likely that social media will play an even larger role in e-commerce.

In The Social Commerce ReportBusiness Insider Intelligenceexamines the advantages and disadvantages of each platform, and reviews case studies of successful campaigns that helped boost conversion and increase brand awareness. Additionally, we explore how retailers can bring social aspects into their own sites and apps to capitalize on consumers’ desire for social shopping experiences.

Here are some key takeaways from the report:

  • Social media is becoming more influential in all aspects of the purchasing journey.
  • Facebook is the clear winner in social commerce, with its huge user base and wide-ranging demographics.
  • However, retailers should have a presence on every platform their target market is on. Each platform will require a different strategy for retailers to resonate with its users.
  • Retailers can also benefit from bringing social aspects in-house. They can do this by building their own in-house social networks, or by embedding social media posts into their sites.

 

BY:  

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

IoT And Your Digital Supply Chain

IoT And Your Digital Supply Chain

IoT And Your Digital Supply Chain

“Money, it’s a gas. Grab that cash with both hands and make a stash”, Pink Floyd is always near and dear to my heart. No doubt the theme song to a lot of producers of devices that fall into the category of Internet of Things or IoT.

I can’t help but to giggle at the image that comes to mind when I think about IoT manufacturers. I have this vision in my head of a wild-eyed prospector jumping around after finding a nugget of gold the size of a child’s tooth. While this imagery may cause some giggles it also gives me pause when I worry about what these gold miners are forgetting. Security comes to mind.

I know, I was shocked myself. Who saw that coming?

While there is a mad rush to stake claims across the Internet for things like connected toasters, coffee makers and adult toys it seems security falls by the way side. A lot of mistakes that were made a corrected along the way as the Internet evolved into the monster that it is today are returning. IoT appears to be following a similar trajectory but, at a far faster pace.

With this pace we see mistakes like IoT devices being rolled out with deprecated libraries and zero ability to upgraded their firmware or core software. But, no one really seems to care as they count their money while they’re still sitting at the table. The problem really comes into focus when we realize that it is the rest of us that will be left holding the bag after these manufacturers have made their money and run.

Of further concern is the fractured digital supply chains that they are relying on. I’m worried that with this dizzying pace of manufacture that miscreants and negative actors are inserting themselves into the supply chain. We have seen issues like this come to the forefront time and again. Why is it that we seem hell bent on reliving the same mistakes all over again?

One of my favorite drums to pound on is the use of deprecated, known vulnerable, libraries in their code. I’ve watched talks from numerous presenters who unearthed this sort of behavior at a fairly consistent pace. What possible rationale could there be for deploying an IoT device in 2016 with an SSL library that is vulnerable to Heartbleed?

I’ll let that sink in for a moment.

And this is by no means the worst of the lot. These products are being shipped to market with preloaded security vulnerabilities that can lead to all manner of issues. Data theft is the one that people like to carry on about a fair bit but, it would be a fairly trivial exercise to compromise some of these devices and have them added to a DDoS botnet.

What type of code review is being done a lot the way by code written by outsourced third parties? This happens a lot and really does open a company up to a risk of malicious, or poor, code being introduced.

The IoT gold rush is a concern for me from a security perspective. Various analyst firms gush about the prospect of having 800 gajillion Internet enabled devices online by next Tuesday but, they never talk about how we are going to clean up the mess later on. Someone always has to put the chairs up after the party is over.

 

IoT And Your Digital Supply Chain By:  Dave Lewis

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Keeping Kids Safe Online

Keeping Kids Safe Online

“Here Be Dragons”, Keeping Kids Safe Online

Sitting here this morning sipping my coffee, I watched fascinated as my 5-year-old daughter set up a VPN connection on her iPad while munching on her breakfast out of absent-minded necessity.

It dawned on me that, while daughter has managed to puzzle out how to route around geofencing issues that many adults can’t grasp, her safety online is never something to take for granted. I have encountered parents that allow their kids to access the Internet without controls beyond “don’t do X” — which we all know is as effective as holding up gauze in front of semi and hoping for the best (hat tip to Robin Williams).

More parents need to be made aware that on the tubes of the Internet, “here be dragons.”

First and foremost for keeping your kids safe online is that you need to wrap your head around a poignant fact. iThingers and their ilk are NOT babysitters. Please get this clear in your mind. Yes, I have been known to use these as child suppression devices for long car rides but, we need to be honest with ourselves. Far too often they become surrogates and this needs to stop. When I was kid my folks would plonk me down in front of the massive black and white television with faux wood finish so I could watch one of the three channels. Too a large extent this became the forerunner of the modern digital iBabysitter.

These days I can’t walk into a restaurant without seeing some family engrossed in their respective devices oblivious of the world around them, let alone each other. Set boundaries for usage. Do not let these devices be a substitute parent or a distraction and be sure to regulate what is being done online for both you and your child.

I have had conversations about what is the best software to install on a system to monitor a child’s activity with many parents. Often that is a conversation borne out of fear of the unknown. Non-technical parents outnumber the technically savvy ones by an order of magnitude and we can’t forget this fact. There are numerous choices out there that you can install on your computer but, the software package that is frequently overlooked is common sense.

All kidding aside, there seems to a precondition in modern society to offload and outsource responsibility. Kids are curious and they will click links and talk to folks online without the understanding that there are bad actors out there. It is incumbent upon us, the adults, to address that situation through education. Talk with your kids so that they understand what the issues are that they need to be aware of when they’re online. More importantly, if you as a parent aren’t aware of the dangers that are online you need to avail yourself of the information.

This is by no means that only choice out there but, it is a good starting point. The Internet is a marvelous collection of information but, as with anything that is the product of a hive mind, there is a dark side. Parents and kids need to take the time to arm themselves with the education to help guard against perils of the online world.

If you don’t know, ask. If you don’t ask, you’ll never know.

 

Keeping Kids Safe Online By:  

 

Liquid Video Technologies Logo, Security, Video Surveillance, Greenville South Carolina

 

If you would like liquidvideotechnologies.com to discuss developing your Home SecuritySystem, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

1 2 3