Posts

New DNS vulnerabilities put millions of IoT devices at risk of hacking


Security researchers have warned of a slew of DNS flaws that could affect millions of internet of things (IoT) devices.

According to researchers at Forescout, the nine vulnerabilities have been dubbed “NAME:WRECK,” and they affect four popular TCP/IP stacks: FreeBSD, Nucleus NET, IPnet, and NetX. The vulnerabilities are in Domain Name System (DNS) implementations and can cause Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take targeted devices offline or take control of them.

The researchers said the widespread use of these stacks and the often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.

Forescout researchers teamed up with JSOF to find the flaws and added that these can impact over 100 million consumer, enterprise, and industrial IoT devices worldwide. Millions of IT networks use FreeBSD, including Netflix and Yahoo. Meanwhile, IoT/OT firmware, such as Siemens’ Nucleus NET, has been used for decades in critical OT and IoT devices.

Among the plausible exploitation scenarios the researchers laid out were exposing government or enterprise servers by accessing sensitive data, such as financial records, intellectual property, or employee/customer information. Attackers could also compromise hospitals by connecting to medical devices to obtain health care data, taking them offline and preventing health care delivery.

Hackers could also use the flaws to access critical residential and commercial building functions, including major hotels, to endanger residents’ safety. This could include tampering with heating, ventilation and air conditioning systems, disabling critical security systems, or shutting down automated lighting systems.

Researchers said that unless urgent action is taken to adequately protect networks and the devices connected to them, “it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”

“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption,” said Daniel dos Santos, Research Manager, Forescout Research Labs….

Source…

Biden needs to respond to Russian hacking


President Joe Biden is a famously nice guy. Maybe he should stop being nice, just for a while.

His administration is reportedly close to punishing Russia for a series of glaring transgressions and abuses, including the epic SolarWinds Corp. computer hack that has left governments and businesses worldwide exposed to a mammoth data breach. As Bloomberg News reported Wednesday, the White House may soon announce economic sanctions against individuals close to Russian President Vladimir Putin and expel Russian diplomats from the U.S. There also may be “private talks with Russia laying out further actions the U.S. would be prepared to take.”

I don’t know. When you haven’t taken any action, telling the people who have been picking your pocket that there are further actions you would be prepared to take if they don’t change their ways doesn’t seem threatening.

And the clock is ticking. The SolarWinds hack burst into view in December, but by then it had been running undetected for months. In late February, amid congressional inquiries into the intrusion, National Security Advisor Jake Sullivan said the Biden administration would soon deploy a “mix of tools seen and unseen” against Russia that went well beyond economic sanctions. Those actions were said to be just weeks away. In March, White House Press Secretary Jen Psaki said a “mix of actions seen and unseen” were on the way.

Now it’s April, and Biden still hasn’t acted. What’s more, he has yet to appoint a national cyber director, the person with the authority to coordinate speedy responses to cyberattacks. Congress created the position late last year through defense legislation that overcame a veto from former President Donald Trump. The expectation was that Biden’s White House, which has prioritized cybersecurity, would fill the role quickly. But bureaucratic squabbles have left it empty.

Source…

Small Kansas water utility system hacking highlights risks


ELLSWORTH, Kan. (AP) — A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.

Wyatt Travnichek, 22, was charged last month with remotely accessing the Post Rock Rural Water District’s systems in March 2019, about two months after he quit his job with the utility. He’s accused of shutting down the facility’s cleaning and disinfecting procedures.

When he worked for the utility, he would monitor the water plant remotely by logging into its computer system, the Kansas City Star reports.


The federal indictment says Travnichek used a Samsung phone to commit the offense. Post Rock utility officials declined to provide further details. Travnichek’s attorney, a federal public defender, didn’t respond to the Star’s request for comment.

No centralized database of hacker attacks on utilities exists, but a 2016 report from the federal Department of Energy said the Department of Homeland Security responded to 25 water cybersecurity incidents in 2015.

The Florida city of Oldsmar, population 15,000, reported in February that a hacker attempted to poison its water supply by remotely accessing its system and changing chemical levels. An employee was able to quickly reverse the hacker’s actions.

Small utilities such as Post Rock may not have the resources to hire dedicated information technology staff. Commonly their employees juggle multiple roles, including cybersecurity.

“As far as cities having an IT person, I just don’t know of any our size,” said Bill Shroyer, assistant city administrator in Sabetha, in northern Kansas, and president of the Kansas Rural Water Association. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”

Security experts say the Post Rock case could be as simple as officials failing to revoke Travnichek’s electronic access after he quit. The indictment doesn’t specify…

Source…
