
BBC – Parents urged to boycott VTech toys after hack

http://www.bbc.com/news/technology-35532644

Cybersecurity experts have said parents should boycott or at least be cautious of VTech’s electronic toys because of how it has handled a hack attack.

They gave the advice after it emerged that VTech’s new terms and conditions state that parents must assume responsibility for future breaches.


More than 6.3 million children’s accounts were affected by last year’s breach, which gave the perpetrator access to photos and chat logs.

VTech says it stands by the new terms.

“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information,” said a spokeswoman.

“But no company that operates online can provide a 100% guarantee that it won’t be hacked.

“The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company’s liability for the acts of third parties such as hackers.

“Such limitations are commonplace on the web.”

‘Full responsibility’

The new terms were flagged by a blog by the Australian security specialist Troy Hunt.

In it, he detailed additional flaws with VTech’s products and alleged that it was misleading for the firm to have described the attack as being “sophisticated”.

[Image: child on tablet] VTech has said 6.3 million children’s accounts and 4.9 million parents’ accounts were affected by the hack attack

He also disclosed that the company had issued new terms and conditions on 24 December for the software that lets parents add apps to its devices and copy off photos and other saved files.

They tell parents:

“You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.

“You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk.”


Another security researcher, Scott Helme, later confirmed the terms appeared when Europe-based owners of VTech’s InnoTab Max tablets updated their firmware.

Mr Hunt was dismayed.

“People don’t even read these things!” he wrote.

“If [VTech] honestly feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.”

‘Unforgiveable and ignorant’

His condemnation of the firm has since been echoed by four other security experts.

“This is an unbelievably arrogant and derogatory response considering their track record with data security,” said Ken Munro from Pen Test Partners.

“If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else.”

Prof Angela Sasse – director of the UK Research Institute in Science of Cyber Security – added that she would be “cautious” about all of the firm’s products.

“The nature of the security flaws identified, and their displayed lack of urgency in fixing them, casts doubt on their security competence,” she told the BBC.

“Instead, they change the T&Cs to ‘dump’ any risk on their customers – I would not trust a vendor who behaves in this way.”

University College London’s Dr Steven Murdoch also guided potential shoppers elsewhere.

“The existence of vulnerabilities that result from beginners’ mistakes in the VTech website is disappointing, as is their handling of the situation, so it raises serious questions about whether there are vulnerabilities in their other products,” he said.

“It would be understandable that potential customers will look elsewhere.”

Meanwhile, Trend Micro’s Rik Ferguson said the firm’s behaviour was “unforgivable, ignorant and indefensible”.

“Would I advise consumers to avoid an organisation that attempts to take advantage of its customers’ goodwill and to absolve itself of its legal responsibilities with weasel words? Unequivocally, yes.”

**Watch the video interview on the BBC link above.

A lawyer added that VTech’s approach was “odd”.

“It’s unusual to see these terms in consumer contracts and it’s questionable if they would be enforceable,” said Callum Murray, head of commercial technology at Kemp Little.

Under scrutiny

VTech’s reach is about to grow following a deal to take over its US rival Leapfrog, which makes child-centric tablet computers, smartwatches and apps of its own.

But one company-watcher commented that the impact went even further.


“A lot of eyes are on VTech because nothing on this kind of scale has happened in the toy industry before,” said Billy Langsworthy, editor of the Toy News trade magazine.

“Toy firms need to be aware that these kinds of cyber-attacks are going to become more common, so right from how they set up their security to how they deal with the PR of a breach is something that this sector is going to have to look at.”

How to Hack the Power Grid Through Home Air Conditioners

http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-conditioners/

Now researchers have found another way to take down the power grid: by remotely manipulating home and office air conditioners to create a surge.

The devices, which can be installed on both central air conditioning systems as well as window-installed units, can be easily manipulated by hackers, say Vasilios Hioureas of Kaspersky Lab and Thomas Kinsey of Exigent Systems, who conducted their research as part of the Securing Smart Cities initiative. The two presented their findings today at the Kaspersky Security Analyst Summit.

The way the system works is that operators at regional power centers send a command via radio frequency that gets amplified through repeater stations installed throughout a city to reach the devices and shut down air conditioners. But because the systems Hioureas and Kinsey examined don’t encrypt that communication and don’t use authentication to prevent unauthorized parties or systems from communicating with them, anyone in the vicinity who can emit a stronger signal than the one the utility company sends out through the repeater stations can manipulate the devices as well.

“Anyone with $50 can generate a signal that can trump a repeater [to take out a few air conditioners]; and anyone with $150 can generate that through an [amplifier] and presumably take out a whole neighborhood,” says Kinsey. “And obviously you can scale that up as much as you want to [depending on the strength of your signal].”


A hacker could cut air conditioners during a heatwave—creating a potentially fatal condition for the elderly and sick—or turn air conditioners on during peak energy periods, causing a surge that creates a widespread blackout. Or a hacker could directly attack a specific home or office by taking advantage of the fact that the systems have unique IDs and can be singled out.

The attack against the devices requires little skill. All a hacker would need is to be on the same radio frequency as the utility company, and then they could monitor and record the commands the company sends to the devices (a technique known as sniffing). From there, they could just play back those recorded commands to other devices to get them to turn on or off (a so-called “replay” attack).

“This is the funny part, to show how ridiculously insecure it really is, you don’t have to even know anything or reverse-engineer anything and you can reproduce the result [by doing a replay attack],” says Hioureas.

An attacker could also simply jam the RF traffic with noise to prevent the power company from communicating with the devices to turn air conditioners on or off, simply preventing them from shutting down the devices during peak hours.

The two researchers wouldn’t identify the devices they examined since they’re still in the process of reaching out to vendors. But Kinsey says that the chips used in some of them are so outdated and limited—one system they examined used a chip made in 1995—that even if the vendors wanted to add authentication to make the devices more secure he doubts they could do it.

“It doesn’t look like there’s room [to add authentication]…it looks like the hardware is not capable of doing something like that,” he says.

**For goodness sake, if your Amazon account is worth encrypting, then so are instructions to the National Grid.  It’s got to the stage that nonsense on Twitter and Google are encrypted – but our national infrastructure is not.
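The sniff-and-replay weakness described above comes from commands that carry neither authentication nor freshness. The following added example (not code from the Wired article or the researchers; the frame layout, device ID and key are constructed for illustration) contrasts a legacy unauthenticated command with one protected by a per-device HMAC and a monotonic counter, and shows the receiver rejecting a replayed frame, a forged frame and a frame addressed to another unit.

```python
import hashlib
import hmac
import struct

# Constructed frame layouts for this example; they are not any real vendor's protocol.
# Legacy:        device_id (4 bytes) | action (1 byte)
# Authenticated: device_id (4 bytes) | action (1 byte) | counter (4 bytes) | tag (16 bytes)
ACTION_OFF, ACTION_ON = 0, 1
BODY_FMT, BODY_LEN, TAG_LEN = ">IBI", 9, 16

def legacy_frame(device_id, action):
    """Unauthenticated, unencrypted command, as in the systems described above."""
    return struct.pack(">IB", device_id, action)

def legacy_receive(frame):
    """A legacy unit acts on whatever arrives, so a captured frame works again later."""
    _device_id, action = struct.unpack(">IB", frame)
    return action

def auth_frame(key, device_id, action, counter):
    """Command authenticated with HMAC-SHA256 under a per-device key; the strictly
    increasing counter binds the frame to one moment so it cannot be replayed."""
    body = struct.pack(BODY_FMT, device_id, action, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthReceiver:
    """Receiver-side checks: correct device, valid tag, counter newer than the last seen."""
    def __init__(self, device_id, key):
        self.device_id, self.key, self.last_counter = device_id, key, 0

    def receive(self, frame):
        """Return the action to perform, or None if the frame must be ignored."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        device_id, action, counter = struct.unpack(BODY_FMT, body)
        if device_id != self.device_id:
            return None                                   # addressed to another unit
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged or tampered
        if counter <= self.last_counter:
            return None                                   # replayed (stale counter)
        self.last_counter = counter
        return action

def replay_demo():
    """Capture one genuine OFF command, then present the same bytes again later."""
    device_id = 0x1234                                    # constructed sample ID
    key = b"per-device-key-provisioned-at-install"       # constructed sample key
    captured_legacy = legacy_frame(device_id, ACTION_OFF)
    legacy_results = [legacy_receive(captured_legacy) for _ in range(2)]  # both obeyed

    rx = AuthReceiver(device_id, key)
    captured_auth = auth_frame(key, device_id, ACTION_OFF, counter=1)
    first = rx.receive(captured_auth)                     # genuine, accepted
    replay = rx.receive(captured_auth)                    # same bytes again, rejected
    forged = rx.receive(auth_frame(b"wrong-key", device_id, ACTION_OFF, 2))
    fresh = rx.receive(auth_frame(key, device_id, ACTION_ON, 2))
    return legacy_results, first, replay, forged, fresh

if __name__ == "__main__":
    print(replay_demo())
```

HMAC-SHA256 over a nine-byte body is cheap on current microcontrollers, but as Kinsey notes above, the 1990s-era chips in some deployed units may have no room for it, which is why the fix is a hardware refresh rather than a firmware patch.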

Deep Power v shallow habits

Our habits define us; our career success and technical abilities depend upon deep power and concentration. Shallow habits such as checking Facebook reduce our abilities to mediocre levels. Deep concentration requires absolute quiet, and pushes our cognitive abilities beyond their breaking point.

Every morning, drink your coffee in bed.  It’s nice, warm and quiet.  Set your sunrise alarm for 1 hour early.

Place your books on the side, and read a chapter with your morning coffee – every day.

These incremental chapters, or half chapters, increase your knowledge and learning, when your brain is empty of thoughts, and distractions.

Give it a month, and you’ll have gained more than 20 hours of “clean, pure” learning.

Make this a habit, and your levels of technical learning will surpass even 4 hours of evening revision.   Learn when your surroundings are totally peaceful and totally silent, and when your brain is fresh and able to comprehend complex material.

This is deep learning versus shallow learning.  Always go for deeper more complex learning – when you’re warm and relaxed.  Serenity is the key.

Initially your concentration times may only be 45 mins at most.  Gradually this will become 1 hour and then 90 mins.   Remember less is more.  20 minutes is better than 4 hours.

Short bursts of activity are the key to amazing success in your exams and life. Try to get as much work done before breakfast before the manic day begins. Quiet serenity is the key to “deep learning”.

Broadcast Storms – Spanning Tree – Loops

https://www.youtube.com/watch?v=FYOwbWn8CR0

What is a broadcast storm? What is a loop?

Interface configuration problems

Server 2012 – How to create a DHCP Server

How to install the DHCP server and scope


How to create a reservation

Server 2012 – How to create and deploy printers

Step 1 – Add role of print server

Server Manager > Add Roles > Print & document services

Print Server > Install

*****

Step 2 – Add a Networked printer

All programs > Admin Tools > Print Management (to add & deploy printers)

Print server (PS1) > printers  (xps is installed by default)

Right Click on empty space > Add Printer

*Add a TCP/IP printer by IP > Next > Autodetect > Host or IP address

****

Step 2.b – Add a local printer

Add a new printer > LPT1

Install a new driver eg HP > printer drivers > next

TICK Share

Share Name: Front Office (or other name for shared printer)

Comment > Next  > Next

*****

Step 3 – Deployed printer

Right click on printer > Deploy with Group Policy

Select your group policy

gpupdate.exe

Open Mesh – How to set up Open Mesh Routers

Open Mesh versus Meraki

Open Mesh give you a **FREE** lifetime license to the cloud controller.  Yay!

You reuse your existing ISP router as internet access, DHCP, and DNS – the rest of the devices can mesh with this one internet connection.

Let’s compare costs:

[Image: cost comparison chart, Open Mesh versus Meraki]

Speeds are 150/300 or 450 Mbps at 2.4 GHz, whereas 5 GHz is faster at 1300 Mbps – but remember 5 GHz has a shorter range (needs wide open spaces).

All Open Mesh devices are cheap as chips.

***No Monthly costs – just the hardware cost***

Skips away.

Place your “gateway” device with the internet connection centrally!.  CENTRALLY…

Each “hop” cuts the speed in half, so you need the gateway in the centre, so that at most the other devices are 1-2 hops away.  Gateway = Full speed, 1st hop = Half speed, 2nd hop = quarter speed.  CENTRAL is the mantra with open mesh devices.

*****

This video is 1 hour 15 mins.. if you want to listen to open mesh info in the background.

The 25 Most Popular Passwords of 2015: We’re All Such Idiots

http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514

Every year, SplashData compiles a list of the millions of stolen passwords made public throughout the last twelve months, then sorts them in order of popularity. This year the results, based on a total of over 2 million leaked passwords, are not the list of random alpha-numeric characters you might hope for. Rather, they’re a lesson in exactly how not to choose a password.

Yes, “123456” and “password” remain bewilderingly popular.

But anyway, without further ado, here’s the list, direct from Splash Data. Brace yourselves.

1. 123456 (Unchanged)

2. password (Unchanged)

3. 12345678 (Up 1)

4. qwerty (Up 1)

5. 12345 (Down 2)

6. 123456789 (Unchanged)

7. football (Up 3)

8. 1234 (Down 1)

9. 1234567 (Up 2)

10. baseball (Down 2)

11. welcome (New)

12. 1234567890 (New)

13. abc123 (Up 1)

14. 111111 (Up 1)

15. 1qaz2wsx (New)

16. dragon (Down 7)

17. master (Up 2)

18. monkey (Down 6)

19. letmein (Down 6)

20. login (New)

21. princess (New)

22. qwertyuiop (New)

23. solo (New)

24. passw0rd (New)

25. starwars (New)

There are some interesting trends, if you can get beyond the sheer stupidity for a moment. Sports-based passwords are still popular, with “football” and “baseball” both ranking highly, and so are those inspired by a certain blockbuster film, with “starwars” and “solo” making an appearance.

It’s also nice to see the return of “princess,” which dropped out of the Top 25 last year but has made a resurgence, also potentially due to Star Wars. Elsewhere, other new entries—including “welcome,” “login” and “passw0rd”—are just as hackable but far more amusingly dumb.

You can check out the lists from 2013 and 2014 if you don’t hate humanity and the internet enough already.
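The practical defence against the list above is to refuse these passwords at registration, including the thinly disguised forms such as “passw0rd” or “football2015”. The following added checker (not from Gizmodo or SplashData; the normalisation rules and the 12-character minimum are assumptions) normalises case, common character substitutions and trailing digits before comparing against the 25 entries listed above.

```python
import re

# The 25 passwords from the SplashData 2015 list reproduced above.
SPLASHDATA_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

# Substitutions people use to "disguise" a dictionary word (e.g. passw0rd, p@ssword).
# Assumed set for this example; extend it to match your own breach data.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def _variants(pw):
    """Yield normalised forms of pw so trivial disguises still hit the blocklist."""
    base = pw.lower()
    yield base                                    # exact match, case-folded
    yield base.translate(LEET)                    # undo character substitutions
    stripped = re.sub(r"[^a-z0-9]+$", "", base)   # drop trailing punctuation ('dragon!!')
    yield stripped
    no_digits = re.sub(r"\d{1,4}$", "", stripped) # drop trailing digits/year ('football2015')
    yield no_digits
    yield no_digits.translate(LEET)               # both disguises combined ('p@ssw0rd!')

def check_password(pw, blocklist=SPLASHDATA_2015, min_len=12):
    """Return (ok, reason). Rejects a password that, in any normalised form,
    appears on the blocklist, or that is shorter than min_len characters."""
    for variant in _variants(pw):
        if variant in blocklist:
            return False, f"matches blocklisted password {variant!r}"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["passw0rd", "Football2015", "P@ssw0rd!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```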

Happy EU Data Protection Day – 28th Jan

Data Privacy Day: Take Charge of Your Family’s Privacy

Thursday, January 28, is Data Privacy Day—a day dedicated to promoting and raising awareness of privacy and data protection around the globe. It commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. And it’s a great day to take charge of not only your own privacy, but also the privacy of any school children in your life.

We recently launched Spying on Students—an online resource dedicated to helping students, parents, teachers, and school administrators learn more about the privacy issues surrounding school-issued devices and cloud services. The website—part of our new campaign to promote student privacy—provides useful guides for adjusting privacy settings on mobile devices. It also answers common questions about the legal and technological landscape regarding student privacy and offers suggestions on how you can connect with other concerned parents.

As we reported last week, our student privacy campaign—including the complaint we filed with the Federal Trade Commission (FTC) about Google’s unauthorized collection of personal information from school children via Chromebooks and Google Apps for Education (GAFE)—caught the attention of Senator Al Franken, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. He responded by writing a letter to Google CEO Sundar Pichai asking for information about GAFE’s privacy practices.

But for our student privacy campaign to succeed, we need the support of parents. On this Data Privacy Day, take the time to check out the resources we’ve compiled and regain control of your children’s privacy. And spread the word about student privacy by sharing our resources with other parents.

It’s critical that parents understand their, and their children’s, rights—especially in a world where parents may be asked by schools to waive those rights before their youngsters are permitted to use technology in the classroom. We’ve even seen third parties encourage parents to give schools consent to release their children’s information to those very third parties. Recently, in Utah, the United Way of Salt Lake City partnered with other local organizations on a campaign to do just that—i.e., encourage parents to sign forms consenting to the disclosure of student information to outside organizations. The Family Educational Rights and Privacy Act (FERPA) requires schools to get such parental consent before disclosing student information to third parties. But before signing such a form, parents should know exactly what they are agreeing to, consider all their options, and make informed choices. Ads like the United Way’s—which direct parents to simply sign any consent forms that a school might send home and which are sponsored by third parties rather than the school—inappropriately discourage parents from seeking all the information they need.

As part of our student privacy campaign, we also launched a nationwide survey to collect information from parents and other concerned individuals regarding the practices and disclosure policies of K-12 schools. We’ve heard from hundreds of parents, but we still need help to collect even more useful information about what’s happening on the ground in schools across the country. Join the fight to protect student privacy by filling out our survey today.

https://www.eff.org/deeplinks/2016/01/data-privacy-day-take-charge-your-familys-privacy

GCHQ spies quashed this phone encryption because it was too good against snoopers

http://www.theregister.co.uk/2016/01/21/mikey_ibake/

MIKEY-IBAKE could alert people to the fact they’re being monitored

The researcher who discovered that the UK government’s phone encryption standard has a huge backdoor installed has made another discovery: GCHQ’s rejection of a better encryption standard because it didn’t allow for undetectable spying.

Dr Steven Murdoch has updated his original post on the MIKEY-SAKKE standard, developed by UK listening post GCHQ, to include a document from the 3GPP standardization group that was responsible for the 3G mobile phone standard and which also developed the 4G and LTE standards (i.e., what your phone currently uses).

That document [PDF] stems from a meeting back in 2010 and outlines how a representative from the National Technical Assistance Centre (NTAC) – GCHQ’s decryption and data analysis arm – worked to reject the MIKEY-IBAKE standard because it could produce a slight delay in people’s phone calls when they were being intercepted.

“Due to the timing and interaction required to perform the man-in-the-middle attack during call setup, there will be additional latency in call setup,” it reads. “This will be especially pronounced when large numbers of surveillance subjects are active in one region or one switch.”

It goes on to note that the IBAKE standard would mean if an individual’s connection was tapped, it could interfere with other authentication efforts, i.e., someone might notice they were under surveillance. And it noted that the standard would make it difficult to go back retroactively and listen to past conversations.

Jigsaw pieces

Although the document is not new – it was published on the whistleblower Cryptome website back in 2014 – its relevance has only just come to light thanks to the UK government’s efforts to push the MIKEY-SAKKE standard for the latest end-to-end phone encryption products.

That effort is not limited to government departments: it is also being marketed to the broader commercial world through a product spec it has called Secure Chorus by highlighting its “government-grade security.” It has also set itself up as an evaluator of other products, one example being Cryptify Call, available for iOS and Android.

MIKEY-SAKKE is mentioned possibly for the first time in the 2010 rejection of the IBAKE approach. The document notes: “In light of these requirements, UK government has developed a similar scheme, MIKEY-SAKKE, which supports 3GPP SA3 LI requirements and has additional benefits such as low latency.”

That standard that the UK government specifically developed to allow for full and unnoticeable surveillance is the same one that six years later it is now trying to push into the expanding commercial market for more secure phone calls. It is notable that it makes no mention of the ability to invisibly intercept calls in its description of the protocol.

In short: the security services are trying to get people to hardwire the same standards that make it possible to intercept existing phone calls into products that are specifically designed to avoid that exact scenario.
