Smart TVs Not So Smart

Don’t worry, I’m sure the people building self-driving cars are doing a much better job. Maybe. Probably. Perhaps. Investigation finds major security flaws with smart TVs

Consumer Reports has found millions of smart TVs from major manufacturers can be controlled by hackers exploiting easy to-find security vulnerabilities.

This focuses on hackers controlling your TV, but experience has shown that if they can get in, they won’t wreak havoc, so much as steal things.

Why you want a camera and a microphone in your living room/family room/wherever you have a TV is beyond me. Especially when we KNOW that the vendors of smart devices couldn’t care less about security. Hat tip: I, For One, Welcome Our New Self-Driving Overlords.


Now That’s What You Call Ironic

UK’s data watchdog agency hit by hackers. Cryptojacking attack hits ~4,000 websites, including UK’s data watchdog – TechCrunch

There were actually several thousand government sites hit across the US, UK and Australia. Apparently the malware Coinhive was added to the plugin Browsealoud which lets visually impaired and blind users surf the internet. The company, Texthelp, which produces Browsealoud is “investigating.”

Color Me Shocked – Amazon’s Smart Lock Has Been Hacked (again)

So the first hack required an evil-doer as a delivery driver. This hack doesn’t require a delivery driver be in on the break-in, only that a delivery take place. Amazon Key smart lock security integrity called into question by hack

A hacker known online as “MG” posted the above clip, showing the Amazon Key’s security protocols being overriden in a controlled situation.

Though MG is withholding the details of how his hack works until Amazon has had an opportunity to address the issue, the video shows the Amazon Key’s lock potentially remaining open even when a delivery driver’s access allowance has expired.

I expect the details to be interesting. Losing game in the long-run?

This is the Stupidest Thing I’ve Heard in a Long Time

Why are people so happy to share every corner of their lives with the internet? Fitness tracking data on Strava app reveal US military bases details, sparking security concerns | Fox News

In some ways this is worse than the people who take photos of every meal, because the corner pub has the best corned-beef sandwich in the world.

Data from fitness trackers that clearly show the movement of personnel at U.S. military bases is sparking major concerns, with experts citing potential dangers to base security.

Now maybe this story is overblown. Maybe the military isn’t that worries about people knowing the main-streets in their bases. But it is still stupid to share every aspect of your life online.

Are Your Windows Systems Vulnerable to Spectre/Meltdown?

Find out with a piece of freeware courtesy of Steve Gibson. InSpectre: See whether your PC’s protected from Meltdown and Spectre | Computerworld

Security guru Steve Gibson cooks up a new, easy, no-bull utility that scans your machine and tells you, point blank, whether you’re vulnerable to Meltdown or Spectre.

You can find the utility at this link to Steve’s site. This is the ONLY place you should download the utility. 3rd party sites are probably bundling it with malware. While your over at Steve’s site consider picking up a copy of SpinRite. If you have spinning magnetic media, it can save the day when you have disk errors.

InSpecter was covered extensively in yesterday’s episode of Security Now. (Last Tuesday’s episode covered the details on Spectre and Meltdown.)

The interesting thing/annoying thing to come out of Tuesday’s pod cast is that Microsoft has a mitigation for some of this, that doesn’t come with an awful performance cost, but unless you are on the most recent Windows 10 Creators Update the mitigation is not available. I am on that release, and I haven’t noticed any problems, but then I haven’t been doing much computing. Microsoft should make it available on other builds soon, but who knows.

Another Hospital Hit By Ransomware

So far they haven’t been giving any technical details, but the effects are seen. Hospital hit by ransomware: First-responders diverted away from county. (Hancock County, Indiana)

There are other articles where the hospital spokesman makes some generic statement about care not being impacted, but the hospital is doing everything with pencil and paper.

Area fire department and EMS personnel were told Friday morning that the hospital in Greenfield would not be accepted patients as usual. Ambulances were instead sent to hospitals in Indianapolis and other surrounding areas.

Some of those “surrounding areas” are as much as 30 minutes away – even without snow.

There also isn’t much being said about the path the hackers took. If it is still via all the stuff that was exploited last year, then whoever denied funding for the required upgrades should lose their job. In reality, the poor IT schlub who requested the funding and was denied, will probably be fired. Because some director isn’t going to fire himself.

Internet of Industrial Things Still Lacking in Security

It’s one thing to use IoS to turn the lights down when you want to watch a movie, but this is serious infrastructure stuff. 147 Security Vulnerabilities Found in ICS Mobile Applications. (ICS is Industrial Control System technology.)

The security of mobile applications used to help monitor industrial control system (ICS) technology is severely lacking

What a surprise. Because in 2018, after a year of Operating system problems, and IoT problems, in the midst of CPU vulnerabilities, managers still can’t prioritize security. (Makes products more complicated and provides no additional features? Budget denied!)

I don’t care what you do with the lights in your home theater, but I sort of do care with what the power companies, water purification plants, et al do with their tech.

In October 2017, US-CERT warned about ongoing threats targeting industrial infrastructure across the United States.

Put a bunch of unsecured Linux nodes on the internet, and offer to control them via a smartphone app. What could go wrong?