Security expert calls home routers a clear and present danger

LAS VEGAS—During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that "could probably take down the Internet." Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative.

Geer spoke about the threat posed by home routers in advance of "SOHOpelessly Broken," a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. "Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn't been updated in a while," Geer explained.

Attackers could identify vulnerabilities in particular models and then scan the Internet for targets based on the routers' signatures. "They can then build botnets on the exterior of the network—the routing that it does is only on side facing ISPs," he said. "If I can build a botnet on the outside of the routers, I could probably take down the Internet."

Read 2 remaining paragraphs | Comments

CIA’s venture firm security chief: US should buy zero-days, reveal them

Dan Geer, speaking at Black Hat, outlined a series of policies he believes will help make the Internet more secure.
Sean Gallagher

LAS VEGAS—In a wide-ranging keynote speech at the Black Hat information security conference today, computer security icon Dan Geer gave attendees a sort of personal top 10 list of things that could be done to make the Internet more secure, more resilient, and less of a threat to personal privacy. Among his top policy picks: the US government should move to “corner the market” on security vulnerabilities by paying top dollar for them and then publish them to the world.

Geer is the chief information security officer for In-Q-Tel, the not-for-profit venture capital firm funded by the Central Intelligence Agency to incubate technologies that aid intelligence operations. However, he noted that he was speaking in a private capacity at the event and not as a public official.

“We could pay 10 times the market price" for zero-day vulnerabilities, Geer said. “If we make them public, we zero the inventory of cyber weapons where it stands.”

Read 24 remaining paragraphs | Comments

Cisco EnergyWise Module Vulnerability

Original release date: August 06, 2014

Cisco has released an advisory to address a vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to cause a Denial of Service condition on the affected system.

Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Internet Explorer to start blocking old Java plugins

This month's Patch Tuesday update for Internet Explorer will include a new feature: it will block out-of-date ActiveX controls.

More specifically, it will block out-of-date versions of the Java plugin. Although Microsoft is describing the feature as an ActiveX block, the list of prohibited plugins is currently Java-centric. Stale versions of Flash and Silverlight will be able to stick around, at least for now, though Microsoft says that other out-of-date ActiveX controls will be added to the block list later.

Old, buggy versions of the Java plugin have long been used as an exploit vector, with Microsoft's own security report fingering Java in 84.6 to 98.5 percent of detected exploit kits (bundles of malware sold commercially). Blocking obsolete Java plugins should therefore go a long way toward securing end-user systems.

Read 1 remaining paragraphs | Comments