Researcher Billy Rios (previously) has extended his work on vulnerabilities in hospital drug pumps, discovering a means by which their firmware can be remotely overwritten with new code that can result in lethal overdoses for patients.
Google analyzed the "secret questions" used by its vast userbase and was not surprised to learn that they are mostly terrible.
In a blog post at the company's Online Security Blog, Elie Bursztein said that "secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."
"That’s because they suffer from a fundamental flaw," Bursztein wrote. "Their answers are either somewhat secure or easy to remember—but rarely both."
Here are some specific insights:
• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way)
• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question "What’s your first teacher’s name?"
• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question "What is your father’s middle name?"
• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.
Tone is an experimental Chrome plugin from Google Research that lets computers share small amounts of information (like URLs) with ultrasonic chirps.
The Logjam bug allows attackers to break secure connections by tricking the browser and server to communicate using weak crypto -- but why do browsers and servers support weak crypto in the first place?
Telcos send routers with default passwords to their customers, who never change them, and once they're compromised, they automatically scan neighboring IP space for more vulnerable routers from the same ISP.
When you make up your own crypto, it's only secure against people stupider than you, and there are lots of people smarter than the designers of the Open Smart Grid Protocol, who rolled their own (terrible) crypto rather than availing themselves of the numerous, excellent, free public cryptographic protocols.
Security researcher Jeremy Richards has called the Hospira Lifecare PCA 3 drug-pump "the least secure IP enabled device" he's examined.
Mike Davis from Ioactive found serious flaws in the high-security Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act.
If your car has a proximity-based ignition fob that lets you start the engine without inserting a key, thieves on the street in front of your house can use an amp to detect its signal from your house and relay it to the car, getting away clean.