Tech Friday

  • Urgent11 security flaws affect 2 billion IoT devices:
    • Security researchers have disclosed details about 11 security flaws that impact a wide range of IoT devices
    • Know as"Urgent11" these flaws impactVxWorks, a real-time operating system (RTOS) created by Wind River
    • VxWorks in used in many types of devices including network devices, medical devices, printers and industrial equipment
    • RTOSes are simple operating systems (OS) with limited features designed to be embedded in IoT type devices and used primary to handle input and output
    • VxWorks is a very popular RTOS. In its 32-year history, only 13 security flaws with a MITRE-asigned CVE have been found
    • Security firm Armis decided to analyze the OS for security flaws due to it's popularity
    • Armis recently released the flaws and will release more detailed information at the the Black Hat security conference next week in Vegas
    • The Urgent11 security flaws reside in the TCP/IP protocol. The issues range in severity from simple information about a device, to crashing the system, to allowing hackers to take full remote control
    • These flaws affect all versions of the VxWorks since v6.5
    • The impact of a given flaw varies depending on the device affected. A compromised firewall would be more of a problem than a door bell for example
    • Wind River released patches for the Urgent11 flaws last month
    • "The IPnet stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of other RTOS vendors." - Wind River
    • "The latest release of VxWorks is not affected by the vulnerabilities, nor are any of Wind River's safety-critical products that are designed for certification, such as VxWorks 653 and VxWorks Cert Edition" Wind River said
    • Wind River also indicated there is no evidence of these flaws exploited in the wild thus far
    • The wide variety of devices in question makes finding and patching them complicated
    • Systems not directly connected to the Internet are not as important to patch. Networking equipment should be a top priority since they could be comprised to give an attacker access to a network
    • View the full report here:
    • Read the Wind River release here:
  • Video gamers fall prey to credential thieves:
    • Gamers are easy targets for credential-thieving hackers
    • Enzoic, a company focused on credential protection, said it sees more compromised gaming credentials than any other type
    • Mike Wilson, CTO at Enzoic, said credentials for Fortnite, Minecraft and RuneScape are hot now, earning a hacker as much as $40 per active username and password
    • Wilson also said "These kids are more interested in the next challenge or high score, not their security"
    • A recent report from Akamai revealed there have been more than 12 billion credential stuffing attacks against gaming websites since November 2017
    • Enzoic indicated it's because the credentials are easy to get
    • The credentials are desirable because they are typically are good for multiple services
    • Fan forums contribute to the problem as well. Popular gaming communities are often ripe for SQL injection attacks which can lead to data leakage and breaches
    • Wilson said 83% of the gaming-related credentials in Enzoic’s database are in cleartext or have a weak hashing algorithm making them easy to crack
    • Another issue is that the game makers hate to do anything that makes using the site harder and are loathe to require a mass password reset
  • US military says cybersecurity danger is "Keeping Us Up At Night":
    • As the physical and virtual worlds become increasingly intertwined cyberwarfare becomes more dangerous
    • State-sponsored attacks on civilian targets have raised the ante
    • Two weeks after the US Cyber Command hit Iran's command and control structure for downing a drone, a warning was released about Iran attacking millions of unpatched Microsoft Outlook systems
    • We are increasingly vulnerable as billions of new devices are connected to the network (think IoT)
    • Lt. Gen. RobertAshley,director of the Defense Intelligence Agency, said"The internet of things creates a degree of vulnerability for all the things that are connected to it"
    • "When people ask me what keeps you up at night, that is kind of the thing that keeps me up at night." said General Ashley, a recent cybersecurity conference
    • "This past September," reported the New Yorker, "the Department of Defense issued a strategic plan that not only confirmed the existence of cyber weapons but declared its commitment to using them 'to advance U.S. interests' and 'defend forward'. The cyberattack on Iran in June was a manifestation of this new, more aggressive approach."
    • Check out this great article from Forbes:

Brian Thomas

Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view. Read more


Content Goes Here