Archive for December, 2017

IoT Security Skills in Energy Companies

December 5th, 2017

Inmarsat survey of senior IT decision makers from 100 large energy companies worldwide shows that fifty four percent need additional security skills to deliver successful IoT projects. Fifty three percent need to make significant investments to fulfill requirements.

Other findings include-

Only two percent mentioned that IoT do not create new challenges

Thirty percent said they have given special consideration for IoT in security apparatus

Fifty nine percent mentioned that their board has insufficient knowledge of IoT

“The core operations of energy companies have traditionally been insulated from the destructive cyber attacks that have destablized other industries, as they were not connected to the Internet,” Inmarsat senior director for energy Chuck Moseley said in a statement. “But with the advent of IoT, more and more parts of their infrastructure are being connected, creating new vulnerabilities and risks.”

“Worryingly, our research shows that many energy businesses lack the security processes and skills to address these new vulnerabilities,” Moseley added. “This needs to be quickly addressed, and it must be driven by senior leadership within energy businesses, to ensure that they do not miss out on the huge potential value that IoT can bring to the energy sector.”

Another survey conducted by CyberX study of 375 industrial networks worldwide shows that thirty one percent are connected to the public Internet. Seventy six percent are running outdated and unpatchable operating systems like Windows XP and Windows 2000.

“Most of these ICS/SCADA sites were built years ago, long before the proliferation of Internet connectivity and the need for real-time intelligence,” the report states. “The key priorities were performance and reliability rather than security.”

“We don’t want to be cyber Cassandras — and this isn’t about creating FUD — but we think business leaders should have a realistic, data-driven view of the current risk and what can be done about it,” CyberX CEO and co-founder Omer Schneider said in a statement.

 ___________________________________________________________________________________

AlertSec ACCESS checks for full disk encryption on PCs running Windows 7, 8, and 10 Home, Pro and Enterprise as well as Mac OS El Capitan and Sierra.

New Google Patch for Android

December 2nd, 2017

Google released possibly its final Android security update for 2017. The latest patch addresses at least 42 different vulnerabilities which includes 11 flaws in the media framework (five are critical remote code execution issues).

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google warned in its advisory.

Libmedia and libstagefright components of the Android media framework is patched in every single security update provided by Google since August 2015. Google provided update every single month after the Stagefright vulnerability which was first publicly disclosed at Black Hat USA 2015.

“The state of the union for Android security is strong and I have spent time making sure it stays strong,” Adrian Ludwig said, the man who runs Android security for Google. “It’s not just about building a safe; it’s about building something that can react and respond to security quickly.”

In this new update, the critical remote code execution flaw in the system component is also addressed.

“We’re updating all Nexus devices — the Nexus 4, 5, 6, 7, 9 and 10 and even the Nexus players — and we’re patching for libstagefright,” Ludwig said. “This is the single largest mobile software update the world has ever seen.”

Security support will extend for three years from a time Nexus device appears in the market.

“The industry has looked at recent events and realized that it needs to move fast, and we need to tell people what we’re doing,” Ludwig said.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google warned in its advisory.

Ludwig also mentioned that, “We’re taking an aggressive stance to see if an application is doing something wrong, and we’re working with the developers and the development process to make it right.”

 ___________________________________________________________________________________

AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.