Hacking Smart Buildings
Apple Upgrades iCloud For Windows / Microsoft Patch Tuesday Waxes Zero-Day / Fake HTTPS / IoT Security Weaknesses For Smart Buildings
Tom Warren: Apple and Microsoft collaborate on new iCloud for Windows app
Apple and Microsoft have been working together on a new iCloud app for Windows 10. While iCloud has always been available on Windows, this new app is available in the Microsoft Store and includes a sync feature that’s based on the same tech behind OneDrive’s Files On-Demand feature. This means you can now access iCloud files on a Windows 10 PC without them having to be fully synced to a PC, thus saving disk space.
It’s surprising and encouraging to see both Microsoft and Apple work closely together on a Windows app, especially as Apple has used Microsoft’s latest Windows APIs for cloud storage sync. This could signal hope that Apple’s TV and Music services may eventually appear on Windows in the future. The new iCloud app for Windows is available immediately in the Microsoft Store.
You can read about this cross-platform breakthrough today over at The Verge.
Phil Muncaster: Microsoft Fixes Four SandboxEscaper Zero-Days
Microsoft has released its latest monthly security updates and there are four fixes for zero-day threats published recently by SandboxEscaper.
In total Redmond fixed 88 vulnerabilities in this update round with 21 labelled critical.
The four zero-days are all elevation of privilege flaws affecting Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler, CVE-2019-1064 is an elevation of privilege bug in Windows, CVE-2019-1053 is a vulnerability in Windows Shell that could allow elevation of privilege on the affected system by escaping a sandbox, and CVE-2019-0973 is a flaw in Windows Installer.
The recently disclosed BlueKeep vulnerability (CVE-2019-0708) in RDP should also be a priority for system admins, after Microsoft warned that it could be “wormable” — that is, exploitable without the need for user interaction.
See everything going on in this month’s #PatchTuesday roundup in the article at Info Security Magazine.
John E. Dunn: FBI warns users to be wary of phishing sites abusing HTTPS
This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.
Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.
Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:
They [phishing attackers] are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts.
John explains how we got here, how Microsoft’s Azure has been exploited to host what appear to be legitimate websites, and more over at Sophos’ Naked Security site.
Juan Manuel Harán: Why cybercriminals are eyeing smart buildings
…In countries like the United States, the growth of smart buildings is estimated to reach 16.6% by 2020 compared to 2014, although this expansion is not limited to the US but rather is taking place on a global scale. This growth is largely due to the fact we live in a world increasingly permeated by technology, in which process automation and the search for energy efficiency contribute not only to sustainability, but also to cost reduction — a goal pursued in all industries, public and private sector alike. Naturally, the construction industry is no exception.
Smart buildings use technology to control a wide range of variables within their respective environments with the aim of providing more comfort and contributing to the health and productivity of the people inside them. To do so, they use so-called Building Automation Systems (BAS). With the arrival of the Internet of Things (IoT), smart buildings have redefined themselves. With the information they obtain from smart sensors, their technological equipment is used to analyze, predict, diagnose and maintain the various environments within them, as well as to automate processes and monitor numerous operational variables in real time. Ambient temperature, lighting, security cameras, elevators, parking and water management are just some of the automatable services currently supported by the technology.
…cybercriminals are already carrying out such attacks when they have the opportunity…[and this ransomware is dubbed] siegeware, or “the code-enabled ability to make a credible extortion demand based on digitally impaired building functionality.”
…This drive toward automation and the use of smart devices to gather data — in order to give a building’s users more comfort and to make more efficient use of resources such as energy — is also leading to increased security risks.
This article over at ESET’s WeLiveSecurity site describes some mitigation tactics building owners, managers and technicians can use. Anyone involved in EnergyStar building certification, LEED green buildings, and REIT management should give it a look. Risk management and human safety are concerns for us all.
Speaking of dirty pool, I’m happy to announce my latest tract, “The Dirty Deeds Playbook” is available now for pre-order at just $2.99 as a pre-launch price for Kindle. Paperback to follow.
It’s a satirical field manual for using fools and fanatics to sow chaos in American elections for 2020 and beyond. It is based on tools and techniques, observations and deception that I’ve seen in the American election process over the past few years.
Subscribe free to this blog, the RSS feed, listen with the Amazon Alexa Skill for your Flash Briefing, or Podcast available on Spotify, SoundCloud, Stitcher and Apple… or watch with BitChute, Facebook, or YouTube.