IoT Device | Breaking Cybersecurity News | The Hacker News

The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for  lightweight cryptography  applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST  said . "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." Put differently, the idea is to adopt security protections via lightweight cryptography in devices that have a "limited amount of electronic resources." That said, NIST still recommends the Advanced Encryption Standard ( AES ) and SHA-256 for general use. Ascon is  credited  to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Researc

Over a dozen security flaws have been discovered in baseboard management controller ( BMC ) firmware from Lanner that could expose operational technology (OT) and internet of things (IoT) networks to remote attacks. BMC refers to a specialized service processor, a system-on-chip (SoC), that's found in server motherboards and is used for remote monitoring and management of a host system, including performing low-level system operations such as  firmware flashing  and power control. Nozomi Networks, which analyzed an Intelligent Platform Management Interface ( IPMC ) from Taiwanese vendor Lanner Electronics, said it uncovered 13 weaknesses affecting  IAC-AST2500 . All the issues affect version 1.10.0 of the standard firmware, with the exception of CVE-2021-4228, which impacts version 1.00.0. Four of the flaws (from CVE-2021-26727 to CVE-2021-26730) are rated 10 out of 10 on the CVSS scoring system. In particular, the industrial security company found that CVE-2021-44467, an ac

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces. With hidden cameras being  increasingly   used  to  snoop  on  individuals  in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle. The system, dubbed Lumos , is designed with this intent in mind and to "visualize their presence using an augmented reality interface,"  said  Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe, and Vyas Sekar of Carnegie Mellon University in a new paper. At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are avail

Taiwanese chip designer Realtek is warning of  four security vulnerabilities  in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors. The flaws, which affect Realtek SDK v2.x, Realtek "Jungle" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek "Luna" SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege — CVE-2021-35392  (CVSS score: 8.1) - Heap buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe crafting of SSDP NOTIFY messages CVE-2021-35393  (CVSS score: 8.1) - Stack buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header CVE-2021-35394  (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in 'UD

Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining. Discovered by Qihoo 360's Netlab security team, the  HEH Botnet  — written in Go language and armed with a proprietary peer-to-peer (P2P) protocol, spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands. The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC). The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module. Initially downloaded and executed by a malicious Shell script named "wpqnbw.txt," the HEH sample then uses the Shell script to download rogue programs for all