WyzGuys Tech Talk

FBI Releases Article on Privacy Risks Associated with Internet-Connected Children’s Toys

07/17/2017 01:37 PM EDT  Original release date: July 17, 2017

The Federal Bureau of Investigation (FBI) has released an article on the privacy risks associated with Internet-connected children’s toys. FBI warns that Internet-connected toys may contain “sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options” that may put the privacy and safety of children at risk due to the disclosure of personal information. FBI recommends that consumers read user agreement disclosures and privacy practices for information on how a toy’s data may be used.

Users and administrators are encouraged to review the FBI article for more information and refer to the US-CERT Tip Protecting Your Privacy.

The Internet Protocol Journal Volume 20, Number 2, June 2017

I am going to plug this excellent monthly newsletter.  Free, and no advertising.  If you are interested in the technical underpinning of the Internet, this might be for you.  Subscribe, and while you are at it, make a donation.

FTC Releases Alert on Digital Security While Traveling

07/14/2017 09:39 PM EDT  Original release date: July 14, 2017

The Federal Trade Commission (FTC) has released an alert on ensuring good digital security while traveling. Security recommendations include using caution while accessing free Wi-Fi hotspots, keeping all software updated, and using Virtual Private Networks (VPNs).

US-CERT encourages users to refer to the FTC Alert and the US-CERT Tip on Cybersecurity for Electronic Devices for more information.

Vault 7: new WikiLeaks dump details Android SMS snooping malware

Latest dump of stolen CIA documents includes user manual for HighRise app, used to eavesdrop on text messages.

Apple Releases Security Updates  

07/19/2017 03:12 PM EDT  Original release date: July 19, 2017

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.  (That’s right, Apple fans, you are at risk for having your computer and email account hijacked too!)

US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:

• tvOS
• iTunes for Windows
• iCloud for Windows
• Safari
• macOS Sierra, Security Updates
• iOS
• watchOS

Myspace bug left old accounts vulnerable to attack

Myspace is still there, and so’s your old account

Moving Segway hacked

– From Naked Security

Security researchers have discovered that Segway’s Ninebot MiniPRO, a so-called “hover board” can be hacked and controlled remotely.

The attack is made possible by two major oversights: every Ninebot MiniPRO has the same PIN code and none bothers to check the authenticity of its firmware. According to IOActive, the company who discovered the vulnerability:

Even though the rider could set a PIN, the hoverboard did not actually change its default pin … This allowed me to connect over Bluetooth while bypassing the security controls. I could also document the communications between the app and the hoverboard, since they were not encrypted.

Researchers were able to use these flaws to install their own firmware and then make merry with the hacked non-hovering not-boards: shutting them down, changing the colours of their lights, disabling safety mechanisms or just driving (not flying) them off.

It’s been understood for many years that hard-coded or default passcodes are a bad idea but discovering that something as shiny and new as a Ninebot MiniPRO has one isn’t the surprise it should be. The ‘PRO is part of the IoT (Internet of Things) and the IoT has recently given giving hard-coded passwords, and many other bad old ideas, a new lease of life.