Intel redesigned its 8th-gen processors to patch ‘Meltdown’ flaws

As promised, Intel has redesigned its upcoming 8th-gen Xeon and Core processors to further reduce the risks of attacks via the Spectre and Meltdown vulnerabilities, CEO Brian Krzanich wrote. Those fixes are on top of the software updates already issu…
Engadget RSS Feed

Security camera “riddled” with 13 serious security flaws

Unlucky for some users: Korean manufacturer races to patch vulnerabilities.

Researchers have uncovered serious security holes in a popular security camera range. The flaws could enable hackers to infiltrate networks and launch attacks on connected infrastructures.

Thirteen bugs have been found in the SmartCam range made by South Korean company Hanwha Techwin. The cameras are sold to European SMEs and consumers.

Via the flaws, attackers could gain access to a camera, send voice messages to its onboard speaker, or use its resources for cryptocurrency mining, said Vladimir Dashchenko, head of the ICS CERT Vulnerability Research Team at security vendor Kaspersky Lab.

Among the vulnerabilities are the use of insecure HTTP, root privilege remote command execution, and zero protection from brute force attacks for the camera’s admin password. Any one of these flaws could enable hackers to launch attacks from within a connected network.

The worst flaw is in a misconfigured Hanwha communications protocol used to link the cameras with Cisco Jabber, said researchers.

According to reports from Threatpost, Kaspersky Lab has shared its findings with Hanwha Techwin, leading the manufacturer to issue firmware patches for the SNH-V6410PN/PNW SmartCam. Other flaws are expected to be patched soon.

Threatpost described the camera as being “riddled” with security holes.

Researchers said that 2,000 of the cameras have publicly accessible IP addresses, but the number of vulnerable devices could be far higher than that. Other cameras from the same vendor are thought to be at risk too.

“We believe there are even more of these cameras in use, but inside protected networks,” said Dashchenko.

“A remote attacker can also put a camera out of service so it can no longer be restored. We were able to prove this hypothesis three times,” he added.

For attacks to be successful, a hacker must know the serial number of the camera, but this is easy to find. “The way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system doesn’t have brute force protection,” explained Kaspersky Lab.

Internet of Business says

Hanwha Techwin was founded in 1977 as Samsung Techwin, but has been part of the Hanwha Group since 2015. It makes surveillance, aeronautics, and weapons systems.

So the fact that such basic security vulnerabilities have been found in a product made by a surveillance and weapons system specialist, whose technology has 41 years of heritage behind it, is a major cause for concern.

The reports come in the wake of security and privacy flaws being found in a range of popular smart home devices, including Amazon’s Alexa-powered range, and other reports suggesting that poor IoT security is a growing problem as vendors and users rush to deploy connected solutions.

This latest security story reveals that the latter must now be seen as a serious challenge for IoT professionals.

This is why recent government moves to put security testing front and centre of any IoT purchase are welcome, and it is also why IoT security needs to be regarded as a strategic business issue in far more organisations.

The post Security camera “riddled” with 13 serious security flaws appeared first on Internet of Business.

Internet of Business

Intel failed to disclose Meltdown and Spectre to government until flaws made public, Apple and others confirm

Apple, Google parent Alphabet and Intel in letters to lawmakers on Thursday revealed a bit of background information concerning the recent airing of Meltdown and Spectre chip vulnerabilities, saying Intel notified U.S. cyber security officials of the flaws only after their existence was made public.
AppleInsider – Frontpage News

Researchers discover new ways to abuse Meltdown and Spectre flaws

Intel has already started looking for other Spectre-like flaws, but it won't be able to move on from the Spectre/Meltdown CPU vulnerabilities anytime soon. A team of security researchers from NVIDIA and Princeton University have discovered new ways t…
Engadget RSS Feed

Intel expands bug bounty to catch more Spectre-like security flaws

To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It's widening its bug bounty program to both include more researchers and offer mor…
Engadget RSS Feed

Intel told Chinese firms of Meltdown flaws before the US government

Intel may have been working with many tech industry players to address the Meltdown and Spectre flaws, but who it contacted and when might have been problematic. Wall Street Journal sources have claimed that Intel initially told a handful of custome…
Engadget RSS Feed

Apple downplays processor flaws across all Mac, iOS, and tvOS devices (Updated)

While Intel, Google, ARM, and Microsoft rushed to issue both public statements and patches addressing the Meltdown and Spectre processor security exploits, Apple took the opposite tack, waiting more than a day to quietly downplay the gigantic story using a tech support document, without a corresponding press release or public statement. In short, the number of affected Apple products is huge, and the company doesn’t yet have fixes ready for all of them, but it’s working on them — there’s no need to worry.

The particularly bad news for Apple and its users: “All Mac systems and iOS devices are affected,” according to the support document. This stunningly broad admission erases any ambiguity as to whether Apple’s custom-designed A-series chips and more recent products were protected — they were not. Worse: tvOS devices* running on Apple-designed chips also appear to be affected, though with varied vulnerabilities.

On the other hand, Apple was ahead of its rivals in saying that “there are no known exploits impacting customers at this time.” Apple has already patched its iOS, macOS, and tvOS operating systems against Meltdown, which means that any device running iOS 11.2, macOS 10.13.2, or tvOS 11.2 was partially protected before most people knew there were issues worthy of concern. Additionally, Apple plans to patch its Safari browser “in the coming days” to address Spectre, suggesting complete fixes for current macOS and iOS devices aren’t far off.

Unfortunately, there are tens if not hundreds of millions of older Apple devices in the marketplace that can’t run Apple’s latest operating systems and browsers, and it’s unclear what Apple will do to secure them. Intel drew a clear line in its announcement, providing timetables for protection of processors five years old or newer; ARM offered patches across Cortex processors regardless of age. Apple’s silence on this question isn’t exactly reassuring — will older Apple products receive security patches?

Additionally, the risk to tvOS devices remains somewhat ambiguous. Since Apple is addressing Spectre with Safari patches on macOS and iOS, but Apple TVs don’t have a Safari app, the solution there isn’t clear. It appears Apple will patch tvOS itself to address Spectre.

If there’s any silver lining in Apple’s announcement, it’s that performance impacts to Macs and iOS devices are said to be non-existent or small. Apple notes that benchmarks show “no measurable reduction” in macOS or iOS performance after the Meltdown patch and that upcoming Safari patches will have either “no measurable impact” or “an impact of less than 2.5 percent,” depending on the benchmark. But again, nothing is said about the Apple Watch and Apple TV, both of which historically suffered from sluggish performance before receiving processor upgrades.

Like other OS vendors, Apple promises to release “further mitigations for these issues” in future iOS, macOS, and tvOS updates. Hopefully, the initial Spectre patches will fare as well as the Meltdown ones and Apple will announce solutions for older and less common devices, as well.

Update at 10:48 a.m. Pacific: Apple changed its announcement on January 5 to note that Apple Watches are not affected by either Meltdown or Spectre, after saying on January 4 only that Watches were unaffected by Meltdown. We’ve updated this article to reflect the change.

Apple – VentureBeat

BlackBerry’s ‘Jarvis’ finds security flaws in connected cars

As cars become more reliant on software, it's critical for automakers to make sure their code is as secure as possible. It's somewhat surprising, though, for a company like BlackBerry to come out with a potential solution. At a keynote during the Nor…
Engadget RSS Feed

Intel faces more class action suits over share price hits caused by Spectre and Meltdown flaws

Intel’s legal woes surrounding the Meltdown and Spectre vulnerabilities in its processors are increasing, with more legal firms filing class action suits against the chip company, this time on the behalf of its shareholders over the revelation of the flaws and the effect on the value of the company’s shares.
AppleInsider – Frontpage News