by John

Armis announced the discovery of five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. The vulnerabilities, dubbed CDPwn, affect a wide variety of Cisco equipment.

Posted in Blog, Vulnerabilities

by John

As the power grid evolves, so must cybersecurity.

Posted in Critical Infrastructure, Cybersecurity & Infosec, Exploits & Attacks, Governance, IoT, IIoT, ICS-SCADA

by John

Posted in Exploits & Attacks, Malware, PUPs and Botnets, Scams & Ransomware

by John

[via Synack]

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures. The law requires that the connected device be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within from unauthorized access, destruction, use, modification or disclosure. IoT equipment suppliers are being asked to implement “security by design”. The FCC states the definition as “A development practice that reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.” Many are speculating whether other states will adopt similar laws, but in the meantime, the California market is too big for suppliers to walk away from, and many are trying to understand how these laws will impact their products.

Posted in IoT, IIoT, ICS-SCADA, Law and Regulations

by John

The Cybersecurity and Infrastructure Security Agency within the US Department of Homeland Security also released an advisory in July about the cybersecurity vulnerabilities, known as URGENT/11. “Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions. Several manufacturers have also notified their customers consumers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine,” FDA says. [via CI Security]

https://www.raps.org/news-and-articles/news-articles/2019/10/fda-warns-of-widespread-device-cyber-vulnerabiliti

Posted in IoT, IIoT, ICS-SCADA, Vulnerabilities

by John

Researchers at the Georgia Institute of Technology recently shed light on a less-discussed aspect of the threats of connecting the digital and physical worlds. In a study published in the journal Physical Review E, the researchers showed how hacked cars can cause mass mayhem by freezing traffic and gridlocking large cities. […] Yunker and his colleagues found that randomly hacking and stalling as much as 10 percent of cars during rush hour could bring traffic in a city such as Manhattan to a stand-still and disrupt critical services. This means that only a fraction of cars needs to be connected to the internet to make this threat a reality. [via CI Security 9/30/19]

Posted in IoT, IIoT, ICS-SCADA, Smart Cities

by John

“The abundance of technology investments gives firms a false sense of confidence in their security posture. Their challenges reveal a different story,” said the report. Security executives currently employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, they are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive, and insufficient in scale, explained the report. [via CI Security 9/30/19]

Posted in Cybersecurity & Infosec

by John

[via CI Security] Researchers say these new variants have the potential to impact cloud servers and heavily compromise information and insurance services and more. https://www.scmagazine.com/home/security-news/cybercrime/the-infamous-mirai-malware-has-grown-into-more-than-60-known-variants-and-has-since-set-its-sights-on-enterprise-devices/

As a result, connected devices at the enterprise level including medical devices, utility company meters, robots tracking warehouse inventory, and other devices are at risk. Devices connected to the cloud could allow Mirai adversaries to gain access to cloud servers, infect a server with additional malware dropped by Mirai, or expose all IoT devices connected to the server to further compromise.

Posted in IoT, IIoT, ICS-SCADA, Malware, PUPs and Botnets