Weekend Update

FBI Releases Article on Privacy Risks Associated with Internet-Connected Children’s Toys

07/17/2017 01:37 PM EDT  Original release date: July 17, 2017

The Federal Bureau of Investigation (FBI) has released an article on the privacy risks associated with Internet-connected children’s toys. FBI warns that Internet-connected toys may contain “sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options” that may put the privacy and safety of children at risk due to the disclosure of personal information. FBI recommends that consumers read user agreement disclosures and privacy practices for information on how a toy’s data may be used.

Users and administrators are encouraged to review the FBI article for more information and refer to the US-CERT Tip Protecting Your Privacy.

The Internet Protocol Journal Volume 20, Number 2, June 2017

I am going to plug this excellent monthly newsletter.  Free, and no advertising.  If you are interested in the technical underpinning of the Internet, this might be for you.  Subscribe, and while you are at it, make a donation.

FTC Releases Alert on Digital Security While Traveling

07/14/2017 09:39 PM EDT  Original release date: July 14, 2017

The Federal Trade Commission (FTC) has released an alert on ensuring good digital security while traveling. Security recommendations include using caution while accessing free Wi-Fi hotspots, keeping all software updated, and using Virtual Private Networks (VPNs).

US-CERT encourages users to refer to the FTC Alert and the US-CERT Tip on Cybersecurity for Electronic Devices for more information.

Vault 7: new WikiLeaks dump details Android SMS snooping malware

Latest dump of stolen CIA documents includes user manual for HighRise app, used to eavesdrop on text messages.

Apple Releases Security Updates

07/19/2017 03:12 PM EDT  Original release date: July 19, 2017

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.  (That’s right, Apple fans, you are at risk for having your computer and email account hijacked too!)

US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:

Myspace bug left old accounts vulnerable to attack

Myspace is still there, and so’s your old account

Moving Segway hacked

– From Naked Security

Security researchers have discovered that Segway’s Ninebot MiniPRO, a so-called “hover board” can be hacked and controlled remotely.

The attack is made possible by two major oversights: every Ninebot MiniPRO has the same PIN code and none bothers to check the authenticity of its firmware. According to IOActive, the company who discovered the vulnerability:

Even though the rider could set a PIN, the hoverboard did not actually change its default pin … This allowed me to connect over Bluetooth while bypassing the security controls. I could also document the communications between the app and the hoverboard, since they were not encrypted.

Researchers were able to use these flaws to install their own firmware and then make merry with the hacked non-hovering not-boards: shutting them down, changing the colours of their lights, disabling safety mechanisms or just driving (not flying) them off.

It’s been understood for many years that hard-coded or default passcodes are a bad idea, but discovering that something as shiny and new as a Ninebot MiniPRO has one isn’t the surprise it should be. The ‘PRO is part of the IoT (Internet of Things), and the IoT has recently given hard-coded passwords, and many other bad old ideas, a new lease of life.
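The Naked Security write-up names two device-side defects: the hoverboard kept its factory PIN even after the rider "changed" it, and it flashed whatever firmware it was handed without checking who produced it. The following is an added illustration written for this post, not IOActive's, Ninebot's or Naked Security's code. It models a controller that stores the PIN authoritatively on the device, refuses the factory default as a new value, compares PINs in constant time, and accepts a firmware image only when its Ed25519 signature verifies under a vendor public key provisioned at manufacture. The `Device` type, the method names and the `"000000"` default are constructed placeholders for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// defaultPIN is a constructed placeholder for a factory default; the real
// value on any product is irrelevant to the checks shown here.
const defaultPIN = "000000"

var (
	ErrDefaultPIN   = errors.New("new PIN must differ from the factory default")
	ErrBadPIN       = errors.New("PIN mismatch")
	ErrBadSignature = errors.New("firmware signature invalid")
)

// Device models the hoverboard controller's persistent state (hypothetical).
type Device struct {
	vendorPub ed25519.PublicKey // burned in at manufacture; never writable over BLE
	pin       []byte            // the authoritative PIN lives on the device, not in the app
	firmware  []byte            // currently installed image
}

// NewDevice returns a controller in its factory state.
func NewDevice(vendorPub ed25519.PublicKey) *Device {
	return &Device{vendorPub: vendorPub, pin: []byte(defaultPIN)}
}

// Authenticate compares in constant time so a timing side channel over the
// Bluetooth link does not reveal how many leading digits matched.
func (d *Device) Authenticate(pin string) error {
	if subtle.ConstantTimeCompare(d.pin, []byte(pin)) != 1 {
		return ErrBadPIN
	}
	return nil
}

// SetPIN addresses the first defect: the change is applied on the device
// itself, it requires the current PIN, and the factory default is never
// accepted as the new value.
func (d *Device) SetPIN(current, next string) error {
	if err := d.Authenticate(current); err != nil {
		return err
	}
	if next == defaultPIN || len(next) < 6 {
		return ErrDefaultPIN
	}
	d.pin = []byte(next)
	return nil
}

// FlashFirmware addresses the second defect: the image is installed only if
// the detached Ed25519 signature verifies under the provisioned vendor key.
// A tampered image or a signature from any other key is rejected.
func (d *Device) FlashFirmware(image, sig []byte) error {
	if !ed25519.Verify(d.vendorPub, image, sig) {
		return ErrBadSignature
	}
	d.firmware = append([]byte(nil), image...)
	return nil
}

// SignFirmware is the vendor build-server side; the private key never
// leaves the vendor, so the device needs only the public half.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := NewDevice(pub)

	fmt.Println("change PIN to default again:", dev.SetPIN(defaultPIN, defaultPIN))
	fmt.Println("change PIN to new value:    ", dev.SetPIN(defaultPIN, "135790"))
	fmt.Println("old default still works?    ", dev.Authenticate(defaultPIN))

	image := []byte("constructed firmware image v2") // sample input, constructed
	sig := SignFirmware(priv, image)
	fmt.Println("genuine image:  ", dev.FlashFirmware(image, sig))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image: ", dev.FlashFirmware(tampered, sig))
}
```

The two checks are independent: even with a correct PIN, an attacker who has captured the unencrypted app-to-board traffic cannot push a modified image, because the signature binds the image to the vendor's key rather than to whoever holds the Bluetooth session.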


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
