Viry a Červi

A man confessed to stalking and attacking a young pop star by zooming in on the reflections in her eyes from selfies.

The tiny ATtiny85 chip doesn’t look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.

Old passwords never die... they just become easier to decode.

In spite of prostitution being legal in the Netherlands, this could lead to the same type of blackmail attempts/suicide from Ashley Madison.

From hackers bypassing 2FA to an Android zero day Google thought it had fixed - get yourself up to date with everything we've written in the last seven days. It's weekly roundup time.

 Download full report (PDF)

The world of today continues its progress toward higher digitalization and mobility. From developments in the Internet of Things (IoT) through augmented reality to Industry 4.0, whichrely on stronger automation and use of robots, all of these bring more efficiency to production processes and improves user experience across the globe. According to some estimates, these systems will become the norm in wealthy households before 2040.

Nowadays, however, these “robots” are not limited to futuristic humanoid machines. They include various devices, such as robot arms in factories or delivery robots, autonomous cars, automated baby sitters, etc.

Digitized systems of the future will involve deployable robotic systems in highly networked environments, remotely communicating with various services and systems for higher efficiency. While for now, this is only expected to happen, and we cannot talk about real truly functional deployable robotic systems, there are already certain developments in that area.

Robot Operating System

The research and development community, established around a shared interest in the future of robotics, initially required a unified and standard platform. To achieve that, back in 2007, Willow Garage introduced Robot Operating System (ROS), essentially a collection of middleware frameworks for robot software development, and a distributed system providing a mechanism for nodes to exchange information over a network. It operates like a service for distribution of data among various nodes in a system. A central master service is responsible for tracking published and subscribed topics, and provides a parameter server for nodes to store various metadata. Nodes can publish data as topics by advertising to the ROS master service. Other nodes can subscribe to these topics by querying the master, which provides the IP address and TCP port number of any nodes publishing a given topic, allowing the subscriber to contact the publishers directly to establish further connections. ROS has a distributed architecture: nodes can run on the same machine as the master, or on different machines. Apart from that, ROS possesses a number of ready-to-go libraries for solving various tasks, such as recognition of objects in an image or space mapping.

That said, ROS itself hardly can be positioned as a fully functional operating system—it is rather a set of open-source libraries that helps researchers and developers to visualize and record data, easily navigate the ROS package structures, and create scripts that automate complex configuration and setup processes.

Open source for study

ROS was designed with open source in mind—by a researcher, for researchers—with the intention of enabling users to choose the configuration of the tools and libraries that interacted with the core of ROS, so that the users could shift their software stacks to fit their robot or application area.

This open-source nature brings certain peculiarities into the subject of robotics’ cyber security. ROS is mainly used in research purposes: in the universities and by engineering enthusiasts. As with many other research platforms, the ROS designers made a conscious decision to exclude security mechanisms because they did not have a clear model of security threats and were not security experts themselves—and for the sake of research and development comfort and efficiency. For instance, the ROS master node trusts all nodes that connect to it, and thus should not be exposed to the Internet or any network with unauthorized users on it, without additional measures to restrict access to the system.

Overall, ROS has no built-in security; it lacks authentication, authorization and confidentiality features. Some of those issues have been addressed in ROS 2.0, a new version of ROS that is under heavy development and will take advantage of modern libraries and technologies for core ROS functionality, adding support for real-time code and embedded hardware. However, the second version is still not quite widely spread: the first version is sufficient for most researches, and more complex projects take a long time to migrate to an updated platform.

Security

Nevertheless, ROS is expected to play an important role in robotics outside of pure research-oriented scenarios. And the significant security issues it bears should be addressed before ROS-based products like social robots, autonomous cars, etc. fly from university classrooms to reach mass markets.

By definition, networks are shared resources, so it is important to consider the security aspects of connecting systems using ROS, as a ROS master will by default respond to requests from any device on the network (or host) that can connect to it. Any host on the network can publish or subscribe topics, list or modify parameters, and so on.

In this regard, cyberattacks are a growing threat to the integrity of robotic systems at the core of this new emerging ecosystem. A robot can sense the physical world using sensors, or directly change the physical world with its actuators. Thus, a robot could leak sensitive information about its environment, such as data from sensors or cameras, if accessed by an unauthorized party, or even receive commands to move, which would create a both privacy and safety risk.

Initial studies have already validated the above consideration: in 2018, over 100 publicly accessible hosts running a ROS master node have been identified as part of analysis of the entire IPv4 address space of the Internet for instances of deployed ROS systems. Some of these appeared to be real robots, potentially exposed to either unauthorized publishing injections, or Denial of Service (DoS) attacks, or Unauthorized Data Access. This made robots potential targets, capable of being remotely moved in ways dangerous to both the robot and the objects around it.

But apart from technical aspect, there are more specific dimensions to be concerned about when it comes to robotics security. To find more in this regard, Kaspersky and the research team at the University of Ghent looked deeper into how the wide use of so-called “social robots” in the future could affect humans’ private lives, their social behavior and what the cyber security takeaways from this impact are.

It is our hope that this brief outline of robotics cybersecurity issues will encourage others to follow our example and bring about greater public and community awareness of the subject.

Including: Visual Studio Code debug hole found

Roundup  It's time for another security news catch-up.…

Without naming Huawei, the EU warns on state-backed 5G suppliers.

Hackers were able to steal an AWS administrative API key housed in a compute instance left exposed to the public internet.

A new dropper and payload show that Fin7 isn't going anywhere despite a crackdown on the infamous group by law enforcement in 2018.

Listen to the latest episode now!

A campaign first observed last year has ramped up its attack methods and appears to be linked to activity targeting President Trump’s 2020 re-election campaign.

...and wouldn't know 2FA from a hole in the ground, according to Pew Research.

Some types of 2FA security can no longer be guaranteed to keep the bad guys out, the FBI warned US companies.

According to a new report, its algorithmic labelling may expose minors to age-inappropriate, targeted advertising.

Apple was under fire this week after banning an app that tracked the location of both police and protesters in Hong Kong on a live map.

A hacker is selling the email addresses of 250,000 users of a Dutch sex-work forum -- data that researchers say could be used for blackmail.

'If only you could see what I've seen through your eyes'...

A Japanese man indicted on Tuesday for allegedly attacking a 21-year-old woman last month appears to have found where his victim lived by analyzing geographic details in an eye reflection captured in one of her social media photos.…

An alleged fraudster built a vast web of AWS cloud accounts, becoming the platform's biggest consumer of data resources.

Haben sie nicht von dem Streisand-Effekt gehört?

Malware authors behind the Finfisher spyware suite, well beloved by dictators, have sent legal threats intended to silence a German news blog that reported them to criminal prosecutors over allegedly illegal malware exports.…