INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Monday, February 25, 2013

"Broken Hearts": How plausible was the Homeland pacemaker hack?


by Barnaby Jack @barnaby_jack



I watched the TV show Homeland for the first time a few months ago. This particular episode had a plot twist that involved a terrorist remotely hacking into the pacemaker of the Vice President of the United States.

People follow this show religiously, and there were articles questioning the plausibility of the pacemaker hack. Physicians were questioned as to the validity of the hack and were quoted saying that this is not possible in the real world [2].

In my professional opinion, the episode was not too far off the mark.

IOAsis at RSA 2013


By Jennifer Steffens @securesun

RSA has grown significantly in the 10 years I've been attending, and this year’s edition looks to be another great event. With many great talks and networking events, tradeshows can be a whirlwind of quick hellos, forgotten names, and aching feet. For years I would return home from RSA feeling as if I hadn't sat down in a week and lamenting all the conversations I started but never had the chance to finish. So a few years ago during my annual pre-RSA Vitamin D-boosting trip to a warm beach an idea came to me: Just as the beach served as my oasis before RSA, wouldn't it be great to give our VIPs an oasis to escape to during RSA? And thus the first IOAsis was born.


Tuesday, February 12, 2013

Do as I say, not as I do. RSA, Bit9 and others...

by Ian Amit - @iiamit

You thought you had everything nailed down. Perhaps you even bypassed the "best practice" (which would have driven you to compliance and your security to the gutter) and focused on protecting your assets by applying the right controls in a risk-focused manner.

You had your processes, technologies, and logs all figured out. However, you still got “owned”. Do you know why? You are still a little naive.

You placed your trust in big-name vendors. You listened to them, you were convinced by their pitch, and maybe you even placed their products through rigorous testing to make sure they actually delivered. However, you forgot one thing. The big-name vendors do not always have your best interest at heart.

Such companies will preach and guide you through to the righteous passage. However, when you look behind the curtain, the truth is revealed.



Monday, February 11, 2013

Your network may not be what it SIEMs


by Wim Remes - @wimremes

The number of reports of networks that are rampaged by adversaries is staggering. In the past few weeks alone we've seen reports from The New York Times, The Washington Post and Twitter. I would argue that the public reports are just the tip of the iceberg. What about the hacks that never were? What about the companies that absorbed the blow and just kept on trucking or … perhaps even those companies that never recovered?

When there's an uptick in media attention over security breaches, the question most often asked - but rarely answered - is "What if this happens to me?"

Today you don't want to ask that question too loudly - else you'll find product vendors selling turn-key solutions and their partners on your doorstep, closely followed by 'Managed Security Services' providers. All ready to solve your problems once you send back their signed purchase order... if you want to believe that.

Most recently they've been joined by the "let's hack the villains back" start-ups. That last one is an interesting evolution but not important for this post today.

Wednesday, February 6, 2013

The Anatomy of Unsecure Configuration: Reality Bites


By Aditya K. Sood @AdityaKSood

As a penetration tester, I encounter interesting problems with network devices and software. The most common problems that I notice in my work are configuration issues. In today’s security environment, we can accept that a zero-day exploit results in system compromise because details of the vulnerability were unknown earlier. But, what about security issues and problems that have been around for a long time and can’t seem to be eradicated completely? I believe the existence of these types of issues shows that too many administrators and developers are not paying serious attention to the general principles of computer security. I am not saying everyone is at fault, but many people continue to make common security mistakes. There are many reasons for this, but the major ones are:


Hackers Unmasked: Detecting, Analyzing, And Taking Action Against Current Threats

By Gunter Ollmann -- @gollmann

Tomorrow morning I'll be delivering the opening keynote to InformationWeek & Dark Reading's virtual security event - Hackers Unmasked -- Detecting, Analyzing, And Taking Action Against Current Threats.

You can catch my live session at 11:00am Eastern discussing the "Portrait of a Malware Author" where I'll be discussing how today's malware is more sophisticated - and more targeted - than ever before. Who are the people who write these next-generation attacks, and what are their motivations? What are their methods, and how do they choose their targets? Along with how they execute their craft, and what you can do to protect your organization.

The day's event will have a bunch of additional interesting speakers too - including Dave Aitel and our very own Iftach Ian Amit.

Please come and join the event. I promise not to stumble over my lines too many times, and you'll learn new things.

You'll need to quickly subscribe in order to get all the virtual event connection information, so visit the InformationWeek & DarkReading event subscription page HERE.


-- Gunter Ollmann, CTO -- IOActive, Inc.

Monday, February 4, 2013

2012 Vulnerability Disclosure Retrospective


By Gunter Ollmann @gollmann

Vulnerabilities, the bugbear of system administrators and security analysts alike, keep on piling up – ruining Friday nights and weekends around the world as those tasked with fixing them work against ever-shortening patch deadlines.

In recent years the burden of patching vulnerable software may have felt to be lessening; and it was, if you were to go by the annual number of vulnerabilities publicly disclosed. However, if you thought 2012 was a little more intense than the previous half-decade, you’ll probably not be surprised to learn that last year bucked the downward trend and saw a rather big jump – 26% over 2011 – all according to the latest analyst brief from NSS Labs, “Vulnerability Threat Trends: A Decade in Review, Transition on the Way”.

Rather than summarize the fascinating brief from NSS Labs with a list of recycled bullet points, I’d encourage you to read it yourself and to view the fascinating video they constructed that depicts the rate and diversity of vulnerability disclosures throughout 2012 (see the video - “The Evolution of 2012 Vulnerability Disclosures by Vendor”).