Security flaws found in some smart city devices, shortcut nearly short-circuits U.S. service provider Comcast and update your Linux
Welcome to Cyber Security Today. It’s Friday August 10th.
Many municipalities enter annual contests to be declared a smart city – in fact the government of Canada sponsors one. The goal is to show how the town or city uses technology to solve problems and improve livability. And who doesn’t want to be called a smart city? But a study by IBM and Threatcare released this week shows some smart city devices like wireless traffic or water sensors include security flaws.
After examining products from three companies they found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical bugs. These include using default passwords, and the ability to bypass login authentication systems. The vendors were told of the problems and patches were quickly issued. As the report points out, attackers can cause chaos in a city because municipal systems can be so interconnected. In the rush to get into the smart city business some product manufacturers aren’t being smart.
Making things easier for customers is a prime goal of business. But sometimes it also increases security risks. Take Comcast, the big U.S. internet and TV service provider. To make it easier for customers to pay their bills online, it set up an “in-home authentication” page where customers could pay their bills without signing in with a password. The portal asks customers to verify their account by choosing from one of four partially obscured home addresses. The customer would know the right address because some of the letters and numbers can be seen. However, BuzzFeed reports a security researcher found a flaw: If a hacker knows the customer’s IP address and can spoof the Comcast page, the correct address could be figured out. Alerted to the problem, Comcast canceled the shortcut and now makes customers type in verification information the usual way. Sometimes shortcuts just make things worse.
Wait. We’re not done with Comcast. The researcher also found a different flaw, this one on a page where retailers could sign up to be Comcast authorized dealers. The sign-up page would show the last four digits of an approved dealer’s Social Security number. Unfortunately the page didn’t limit the number of attempts someone could make to fill in those four digits. So an attacker could get hold of that prized personal data by repeatedly trying number combinations, which is called a brute force attack. After being notified, Comcast now limits the number of attempts anyone can make to fill in the form. It’s another good security policy.
Finally, if you’re running Linux or FreeBSD, or you use a device such as a router whose software is based on those operating systems, make sure you have the latest patch. Earlier this week the Carnegie Mellon University Computer Emergency Readiness Team warned the Linux kernel has a vulnerability that could be used for denial of service attacks. Patches have been issued from a range of companies including Juniper Networks, SUSE Linux, Debian Linux, 3Com and others.
That’s it for Cyber Security Today. Thanks for listening.