Security researcher and IoT hacker Dennis Giese talks about his mission to liberate robot vacuums from the control of their manufacturers, letting owners tinker with their own devices and - importantly - control the data they collect about our most intimate surroundings.

The post Episode 254: Dennis Giese’s Revolutionary Robot Vacuum Liberation Movement appeared first on The Security Ledger with Paul F. Roberts.

In this episode of the podcast (#182) Trammell Hudson of Lower Layer Labs talks to us about Project Airbreak, his recent work to jailbreak a CPAP machines and how an NSA hacking tool helped make this inexpensive equipment usable as a makeshift respirator.

The post Episode 182: Hackers take Medical Devices ‘off label’ to Save Lives appeared first on The Security Ledger with Paul F. Roberts.

Sarah Zatko of the Cyber Independent Testing Lab joins us to talk about CITL's big new study of firmware security. In our second segment, we’re joined by Allan Thomson who is the Chief Technology Officer at LookingGlass Cyber Solutions to talk about the growing use of cyber threat intelligence and the need to evolve cybersecurity practices to keep ahead of fast-evolving threats.

The post Episode 157: Do we need an FDA for Software? Also: operationalizing Threat Intelligence appeared first on The Security Ledger with Paul F. Roberts.

A programming glitch in GPS satellite software grounded planes in China and other countries. But what does it tell us about the security of the Internet of Things? Bill Malik of Trend Micro joins us to discuss.

The post Episode 147: Forty Year Old GPS Satellites offer a Warning about securing the Internet of Things appeared first on The Security Ledger with Paul F. Roberts.

Malicious software is nothing new. Computer viruses and worms have been around for decades, as have most other families of malware like remote access tools (RATs) and key loggers. But all our experience with malware hasn’t made the job of knowing when our organization has been hit by it any easier. In fact, recent news stories about breaches at Home Depot, Target, Staples and other organizations makes it clear that even sophisticated and wealthy corporations can easily overlook both the initial compromise and endemic malware infections – and at great cost. That may be why phrases like “dwell time” or “time to discovery” seem to pop up again and again in discussions of breach response. There’s no longer any shame in getting “popped.” The shame is in not knowing that it happened. Greg Hoglund says he has a fix for that latter problem. His new company, Outlier Security, isn’t “next generation […]

The post Dusting For Malware’s Bloody Prints appeared first on The Security Ledger with Paul F. Roberts.

One of the notable trends in recent years has been the drive, among malicious actors, to compromise devices in new- and hard-to-detect ways. An area of interest and exploration is malicious software that can attack a computer’s BIOS – the small bit of code that runs when a computing device is first powered on. BIOS malware is so powerful because it offers adversaries the possibility of getting a foothold on systems prior to an operating system and the security features- and applications that run there. Successful BIOS attacks give attackers almost total control over the system they are installed on. BIOS malware isn’t a new idea. In fact, it has been around since the late 1990s, when the Chernobyl Virus was identified. That virus could wipe a machine’s BIOS, a well as the contents of its hard drive. But BIOS threats have been getting more attention lately. Proof of concept malware appeared as recently […]

The post UEFI: Security, BIOS and the Internet of Things appeared first on The Security Ledger with Paul F. Roberts.

Security problems abound in the mobile device space – and many of them have been well documented here and elsewhere. While mobile operating systems like Android and iOS are generally more secure than their desktop predecessors, mobile applications have become a major source of woe for mobile device owners and platform vendors. To date, many of the mobile malware outbreaks have come by way of loosely monitored mobile application stores (mostly in Eastern Europe and Russia). More recently, malicious mobile ad networks have also become a way to pull powerful mobile devices into botnets and other malicious online schemes. But my guests on the latest Security Ledger podcast point out that mobile application threats are poised to affect much more than just mobile phone owners. Jon Oberheide, the CTO of DUO Security and Zach Lanier, a researcher at DUO, note that mobile OS platforms like Android are making the leap […]

The post Perverse Security Incentives Abound In Mobile App Space appeared first on The Security Ledger with Paul F. Roberts.

With another busy week behind us in the security world, we sat down with Zach Lanier, a senior security researcher for mobile authentication specialist Duo Security. Zach is a recognized authority on the security of mobile devices, and was able to talk about some ongoing research he’s doing on Blackberry’s BB10 operating system. Zach told us that Blackberry 10, the latest version of Blackberry’s mobile operating system, is a big improvement over previous versions, including the TabletOS that Blackberry (formerly Research in Motion) used for its PlayBook – the company’s first foray into the tablet space.  But Lanier and fixed many of the information leaks that he and others found in TabletOS and reported to the company. “But there are still lots of questions we’re looking to answer,” Lanier said.   Among other things, Lanier is examining whether Blackberry 10’s support for so many different runtimes might pose security problems for […]

The post Podcast: Security Challenges Ahead For Blackberry appeared first on The Security Ledger with Paul F. Roberts.

The Consumer Electronics Show – or CES- kicked off last week in Las Vegas. In the last decade, CES has become one of the premiere venues for consumer device makers to launch new products and to show off prototypes of technology they hope to introduce to the public. Home entertainment megafauna dominate the coverage of CES — there was Samsung’s 85-inch LED LCD model with 4K resolution that can transform from flat-screen to curved display. But this year’s show is also a showcase for the next wave of connected devices, including wearable technology, smart appliances and connected vehicles. All these new platforms raise important questions about security, privacy and reliability. I sat down to talk about some of those issues with Mark Stanislav, the lead security evangelist at the firm Duo Security. Mark is a frequent contributor to The Security Ledger who last joined us to provide an end of year […]

The post Is 2014 The Year Uncle Sam Takes On Connected Device Security? appeared first on The Security Ledger with Paul F. Roberts.

The Internet of Things leverages the same, basic infrastructure as the original Internet – making use of protocols like TCP/IP, HTTP, Telnet and FTP. But the devices look and act very differently from traditional PCs, desktops and servers. Many IoT devices run embedded operating systems or variants of the open source Linux OS. And many are low-power and many are single function: designed to simply listen and observe their environment, then report that data to a central (cloud based repository).   But IoT devices are still susceptible to hacking and other malicious attacks, including brute force attacks to crack user names and passwords, injection attacks, man in the middle attacks and other types of spoofing.  Despite almost 20 years experience dealing with such threats in the context of PCs and traditional enterprise networks, however, too many connected devices that are sold to consumers lack even basic protections against such threats. […]

The post How Connected Consumer Devices Fail The Security Test appeared first on The Security Ledger with Paul F. Roberts.