Security, Privacy and IoT: The Week of February 13th

I’m experimenting with compiling a weekly list of articles that caught my eye. I’m trying to keep it quick and maintain a high signal-to-noise ratio.

Security

Adobe Flash Critical Security Update

Adobe has released Flash Player version 24.0.0.221 for Windows, macOS and Linux. It fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system”. If you have Flash installed, update it immediately. Chrome bundles its own copy of Flash and updates it along with the browser, so update Chrome too.

Except for the copy of Flash that comes with Chrome, I haven’t had Flash installed on my Mac in years and I don’t miss it at all.

https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

Address Space Randomization Fail

Address Space Layout Randomization (ASLR) has blunted a whole category of memory-corruption exploits. An attacker who corrupts memory through a bug like a stack buffer overflow or an unchecked array index still needs to know where the stack, the heap, and the code in libraries live in order to redirect execution, and randomizing those locations on every run takes that knowledge away: the attacking code can no longer tell where its own payload landed or where the functions it wants to call are, and a wrong guess usually just crashes the process.

Unfortunately, the way the CPU’s memory management unit walks page tables leaves traces in the processor caches, and timing those accesses lets an attacker recover where things are in the address space - even from JavaScript running in a web page.

This is a sophisticated attack for which there’s no simple software solution. It is worth remembering that ASLR only raises the cost of exploiting a memory-safety bug; it does not fix the bug, so the underlying vulnerabilities still have to be patched.

https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix/

https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/
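To make the “guessing” concrete, here is an added example (my own code, not from the articles or the research they describe) that measures how much ASLR actually varies addresses on the machine it runs on. It launches a few fresh Python processes, records a heap address and a libc address from each, and reports which address bits changed between runs. The helper names varying_bits, sample_addresses and report are my own; the sample addresses in the comments are constructed. A mask of zero means that region is not being randomized at all (for example, when kernel.randomize_va_space is 0 on Linux).

```python
import ctypes
import ctypes.util
import subprocess
import sys

# Code run in each fresh child process: print one heap address and one libc
# address. The ctypes buffer comes from the allocator's heap/mmap arenas and
# printf lives in libc, so the two numbers come from separately randomized
# regions. Each exec gets a fresh layout, which is what we want to compare.
CHILD_SNIPPET = r"""
import ctypes, ctypes.util
libc = ctypes.CDLL(ctypes.util.find_library("c"))
heap_obj = ctypes.create_string_buffer(64)
print(ctypes.addressof(heap_obj),
      ctypes.cast(libc.printf, ctypes.c_void_p).value)
"""


def varying_bits(samples):
    """Return (mask, count): the address bits that differ across the samples
    and how many of them there are. Identical samples give (0, 0).

    Constructed example: [0x7f3a1000, 0x7f5b1000, 0x7f3a3000] -> (0x612000, 4)
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to compare")
    set_in_all = samples[0]
    set_in_any = samples[0]
    for addr in samples[1:]:
        set_in_all &= addr   # bits that are 1 in every sample
        set_in_any |= addr   # bits that are 1 in at least one sample
    mask = set_in_any & ~set_in_all   # set in some samples but not all
    return mask, bin(mask).count("1")


def sample_addresses(runs=8):
    """Launch `runs` fresh interpreters and collect their heap and libc addresses."""
    heap, libc = [], []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", CHILD_SNIPPET],
                             capture_output=True, text=True, check=True).stdout
        h, l = (int(x) for x in out.split())
        heap.append(h)
        libc.append(l)
    return {"heap": heap, "libc": libc}


def report(runs=8):
    """Print, per region, the bits that changed and a rough entropy count.

    The low 12 bits (the offset within a 4 KiB page) never change, so they
    always show up as zero in the mask; with ASLR off nothing changes at all.
    With only a handful of runs the count is a lower bound on the entropy.
    """
    results = {}
    for region, addrs in sample_addresses(runs).items():
        mask, count = varying_bits(addrs)
        results[region] = (mask, count)
        status = "randomized" if mask else "NOT randomized"
        print(f"{region:5s} varying bits: 0x{mask:016x} ({count} bits, {status})")
    return results


if __name__ == "__main__":
    report()
```

Run it a few times and compare the libc mask with the heap mask: on a typical 64-bit Linux system the libc base moves by many more bits than a 32-bit process could offer, which is exactly the margin the cache-timing attack above erodes by recovering those bits instead of guessing them. Raise runs for a closer estimate of the entropy.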

Microsoft Patch Tuesday Postponed

Microsoft is skipping its regular monthly patches due to a “last minute issue”. Patches scheduled for release in February - including one for a serious, publicly disclosed and still unpatched flaw in SMB (Windows file sharing) - will now be released in mid-March.

https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

While it’s better not to ship updates that break Windows, a month is a long time to leave a publicly known SMB flaw unpatched; finding a way to ship that fix on its own rather than waiting for the next full release would lead to better outcomes.

Russian Malware for Macs

While the Mac has a better security record than its competitors, it’s not impervious to attack. This week researchers identified new malware that infects Macs - ironically, most likely delivered through MacKeeper, a Mac utility marketed as security software.

http://www.macworld.com/article/3169935/security/russian-cyberspies-blamed-for-us-election-hacks-are-now-targeting-macs.html

Another Yahoo Breach

Yahoo is notifying users of yet another round of account intrusions, this time carried out with forged cookies that let intruders into accounts without needing the password at all.

https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-breachiness-to-users-victimized-by-forged-cookies/

Connected Cars Apps Are Easy To Crack

Unsurprisingly, researchers found many vulnerabilities in Android apps for connected cars. An app that can locate, unlock or start a car is effectively a key, and it needs to be built and reviewed like one.

https://arstechnica.com/security/2017/02/android-connected-car-apps-could-give-up-the-keys-to-criminals/

Privacy

Apps And White House Leaks

White House staffers may be leaking using the Confide app:

https://www.wired.com/2017/02/white-house-encryption-confide-app/

Members of Congress and EPA officials may be using Signal, too:

https://arstechnica.com/tech-policy/2017/02/house-members-epa-officials-may-be-using-signal-to-spread-their-goals-covertly/

Wickr Opened For Public Review

Wickr, another encrypted communications app, has opened its enterprise code for public review. Publishing the code is a precondition for independent review, not a substitute for it; the value comes when outside cryptographers actually look.

https://techcrunch.com/2017/02/15/encrypted-chat-app-wickr-opens-code-for-public-review/?ncid=rss

US Border Searches and Phones

US Customs and Border Protection agents are conducting troubling searches of travelers’ phones and computers - including those of US citizens. Wired and Ars Technica have advice on how to deal with a border search of your devices.

https://arstechnica.com/tech-policy/2017/02/what-could-happen-if-you-refuse-to-unlock-your-phone-at-the-us-border/

Internet of Things

August Smart Locks

Alexa can now unlock August smart locks. To stop passersby from yelling “Alexa, unlock the front door!” through your window, the August skill requires a preset PIN to be spoken along with the unlock command. Bear in mind that a spoken PIN is heard by anyone within earshot, so treat it as a deterrent against casual abuse rather than strong authentication. Siri has been able to unlock August locks since August added HomeKit support.

http://august.com/2017/02/15/august-home-first-allow-amazon-alexa-unlock-door/

First HomeKit Security Camera

The Apple Store now lists the D-Link Omna 180 - the first security camera to support HomeKit. The store lists the camera as available at the end of February, but my order shipped the same day. I’ll post a review after I have time to evaluate it.

http://www.apple.com/shop/product/HKXW2VC/A/d-link-omna-180-cam-hd-camera

ecobee Smart Thermostat with Keen Smart Vents

I’d love for this to work - our home has a single heating zone and it isn’t practical to retrofit it for multiple zones. Integrating an ecobee thermostat and its per-room sensors with Keen’s motorized vent covers could allow much better control of the temperature in each room. Unfortunately, Keen’s first-generation product had terrible reviews: vent covers would fall out of the vents, and the system had major issues with range and signal strength. Hopefully the new generation will work better.

https://shop.keenhome.io/collections/works-with-ecobee?_ga=1.150858686.980175814.1487270027

https://www.ecobee.com/faq/how-to-connect-your-ecobee3-with-keen-smart-vents/

Updated: