Internet of Problems | TechSNAP 199

The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss!

Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more!


— Show Notes: —

Flash Updates


Gas Stations vulnerable to exploitation via the internet

  • “An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7
  • “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
  • While doing research, HD Moore found that more than 5000 gas gauge devices are connected to the internet with no authentication. The automated tank gauges generally only have a serial port.
  • “Approximately 5,800 ATGs (Automated Tank Gauge) were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
  • Some of the devices have TCP/IP interfaces, and those that do not can be connected to a serial server, a common device in the IT industry, and then connected to the internet. Most serial servers offer the ability to require a password to access the port; however, this feature is often not enabled and is not very secure.
  • “Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” the researcher said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”
  • This is another example of taking devices that were not meant to be put on the internet and doing so anyway, without taking into account the security implications. Even with a password and source IP filtering, these devices should not be directly connected to the Internet. That is what VPNs are for.
  • Additional Coverage – ITWorld

The internet of dangerous things

  • Krebs talks about the trends in Distributed Denial of Service Attacks
  • Krebs cites data from Arbor Networks and their subsidiary Prolexic, which Krebs uses to protect his site; the site was under constant attack from various sources throughout December
  • The point needs to be raised that a growing number of these attacks are sourced from ‘Internet of Things’ type devices, small consumer devices with an embedded operating system that receives no updates after it ships
  • The attacks against Sony and Microsoft over Christmas used exploited routers, but a growing number of other devices could be vulnerable, especially in light of things like the new Linux Ghost vulnerability
  • We have seen viruses attacking NAS and other types of storage devices, and I am sure it will not be long before the first attack against set-top boxes like the Boxee and Roku.
  • “As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.”
  • “Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks.”
  • It has been over a year since these amplification vulnerabilities were patched, but there are still many systems being exploited to perform these attacks
  • “According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.”
  • “According to Arbor, the top three motivations behind attacks remain nihilism vandalism, online gaming and ideological hacktivism— all of which the company said have been in the top three for the past few years.”
  • While analyzing the data from the dump of the Lizard Stresser database, Krebs found that one of the most popular targets for attack was small personal Minecraft servers
  • Krebs: “Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.”
