Uber keeps driving forward (see what I did there :)

As Peter Vogel blogged about yesterday (24 Jan 2017), Uber added Amit Singhal to its leadership.  Mr. Singhal, formerly the VP for Search at Google, will run the mapping division.  He will also work with the self-driving cars group.

For the security folks reading this, you may remember that Uber hired Charlie Miller and Chris Valasek into the self-driving cars group back in 2015 (after they demonstrated taking control of a vehicle remotely and presented the vulnerability at DefCon).

The addition of Mr. Singhal’s brain to the team already flush with really, really, really smart people means we are one step closer to the machines rising up and I, for one, welcome our new autonomous driving overlords.

Read Peter’s much more professional and adult blog here:

Uber will likely get smarter since they hired Google’s former head of search!

O.P.B.?

In the immortal words of Naughty by Nature: are you down with O.P.B.?  O.P.B., how can I explain it… It is Other Peoples’ Blogs!

I know that you are transfixed by the Jurishacker.com blog, wearing out your F5 key, reloading over and over, waiting for that next nugget of wisdom… Who am I kidding, according to the site analytics both of you that have read this blog are from China and never came back.

Anyway, if you do stumble upon this site and would like to read more intelligent discussions than you will find here I’ve put together a list of the pages that I enjoy visiting.

I’ll start with http://www.vogelitlawblog.com/.  Peter Vogel, a Partner at Gardere in Dallas has been involved with IT and Software Law issues for almost 40 years.  In fact, his sole practice area for the past 39 years has been IT, Software, and Internet law.  He teaches (for the past 30 years) e-discovery and Internet law courses at SMU.  (Bias note: Peter and I are good friends and work together.)

Next up is http://www.gigalaw.com/blog/.  Doug Isenberg provides a good deal of insight into the law of the Internet.

The Center for Internet and Society at Stanford University always has good information on Internet law and policy.

For a couple of non-legal sites (which still provide a good amount of information on policy), I really like Brian Krebs’ Krebs on Security and Bruce Schneier’s Schneier on Security.  Krebs’ site is less blog and more news, but I’m including it anyway.

If you open each of these each morning, you get a pretty good idea of any large news stories, new vulnerabilities, or threats.  Either that or check https://istheinternetonfire.com/.

edit:  I’ve just been informed that the Naughty by Nature song was O.P.P., which has a completely different meaning. And here I thought Treach was a social media pioneer.  Who knew?

Backdoors, and clear text, and default credentials, oh my!

For years I’ve been warning people about insecure devices being added to their home networks.  It’s clear that the vendors haven’t really been listening because there are still consumer grade (and some enterprise grade) network devices that use clear text passwords, default credentials, and backdoor accounts.  Remember the movie War Games from 1983?  Joshua was a backdoor account.  Even IMDB knows that Falken left a backdoor!

So we cleared up the backdoors and default accounts waaaaayyyyy back in 1984 right?  Nope.

The FTC filed charges yesterday (5 Jan 2017) against D-Link for inadequate security in its products.  Guess what the insecurity was (I’ll wait, guess)…

Yep, D-Link used “‘hard-coded’ login credentials integrated into D-Link camera software — such as the username ‘guest’ and the password ‘guest’ — that could allow unauthorized access to the cameras’ live feed . . .  [and] . . . leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.”

Read that again.  D-Link hard-coded login credentials into the devices (that means that the consumer couldn’t change the password if they tried!).

It’s 2017, people; we have to do better than hard-coded credentials and clear text passwords.  We are putting these devices in our homes.  Having random strangers watching you probably isn’t a settling thought to most.

But hey, no one will find my IP enabled camera right?  Wrong:  Shodan has a large database of webcams that are open to the Internet.  Webcams are always on Shodan’s top searched list, so a lot of people are very interested in watching strangers.
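To make the two complaints concrete, here is an added example (my own illustration, not D-Link’s firmware or app code, and not taken from the FTC filing) that puts the hard-coded “guest”/“guest” pattern next to a credential store that ships with no built-in accounts and keeps only salted password hashes on disk. The account names, the 200,000-iteration PBKDF2 setting, and the minimum password length are assumptions chosen for the example.

```python
"""Hard-coded device login (the pattern the FTC complaint describes) beside a
hardened credential store.  Constructed illustration; not vendor code."""
import hashlib
import hmac
import os

# --- Constructed example of the insecure pattern ---------------------------
# Credentials baked into the code: the owner cannot change or remove them, and
# anyone who reads the firmware, a manual, or a forum post knows them.
HARDCODED_USERS = {"guest": "guest"}   # assumed names, modelled on the complaint


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts the baked-in account regardless of what the owner configured."""
    return HARDCODED_USERS.get(username) == password


# --- Hardened equivalent ---------------------------------------------------
class CredentialStore:
    """Per-user salted password hashes; no account exists until the owner creates one."""

    PBKDF2_ROUNDS = 200_000   # assumed; tune to the device's CPU budget
    MIN_PASSWORD_LEN = 12     # assumed policy for the example

    def __init__(self) -> None:
        # username -> (salt, digest).  The plaintext password is never kept.
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def set_password(self, username: str, password: str) -> None:
        """Creates or replaces the account; this is the only way an account appears."""
        if len(password) < self.MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def remove_user(self, username: str) -> bool:
        """Owners can delete accounts; there is no undeletable backdoor."""
        return self._users.pop(username, None) is not None

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a wrong password.
            self._hash(password, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)

    def export(self) -> dict[str, str]:
        """What would be written to flash: salt and digest only, never the password."""
        return {u: f"{salt.hex()}:{digest.hex()}" for u, (salt, digest) in self._users.items()}


def leaks_plaintext(exported: dict[str, str], password: str) -> bool:
    """Audit helper: does the persisted form contain the password itself?"""
    return any(password in value for value in exported.values())


if __name__ == "__main__":
    print("hard-coded guest/guest accepted:", vulnerable_login("guest", "guest"))
    store = CredentialStore()
    print("guest/guest on hardened store:", store.login("guest", "guest"))
    store.set_password("owner", "correct horse battery staple")
    print("owner login:", store.login("owner", "correct horse battery staple"))
    print("password in stored form:", leaks_plaintext(store.export(), "correct horse battery staple"))
```

The same store shape works for a mobile app’s own accounts, but note the second half of the complaint is different: an app that must present the user’s password to a remote service cannot hash it away, so there the fix is the platform keystore (iOS Keychain, Android Keystore) rather than a plaintext file.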


85th Legislative Session

The 85th regular Texas legislative session begins next week (January 10th). For those outside of The Great State of Texas, the Texas legislature meets for 140 days every 2 years. In those few days things move pretty quickly: a budget must be drafted and passed, any new bills must be submitted, reviewed and adopted, and state agencies face scrutiny. All-in-all it can be a whirlwind.

In the interim between sessions, legislative committees will dive deep into issues, researching topics and delivering reports to the Speaker of the House and Lt. Governor (who oversees the Senate).

So what is in store for information security or cybersecurity in the 85th?  If the interim tells us anything it is that “cyber” is on the mind of many in both houses.  Over the interim there were six House committees charged with identifying and making recommendations regarding cybersecurity policies.

  • House Committee on Business & Industry
  • House Committee on County Affairs
  • House Committee on Government Transparency & Operation
  • House Committee on House Administration
  • House Committee on Investments & Financial Services
  • House Committee on Urban Affairs

Several of these committees had hearings on the issue, at which I either testified or was used as a resource.

On the Senate side only the Business and Commerce committee was explicitly charged with reviewing cybersecurity.  The Inter-Governmental Relations committee had a charge regarding disaster preparedness planning and coordination, which has technology implications.

So, that is a long way of saying that there seems to be a concern with protection of information assets within the state.  There are already a handful of bills submitted, with more expected in the coming weeks.  The Texas Legislature Online site provides the capability to search for bills, but that can be a monotonous process to do each day.  On the Texas Legislation page, I’m tracking bills that are related to information security, cybersecurity, and privacy.

I also wrote a really bad script to search the TLO website for keywords.  It works, but it is U, L, G, Y, Ugly.  Feel free to grab it off github.  I’ll try to make it more pretty as the session goes.