Evidently, this bug is active if not all eight user fields are populated by a configured userid and password. The flaw exists even on fairly recent versions of the webcam firmware.
Foscam, the camera vendor, has released a new firmware version and has provided common sense tips for securing the webcams. Since a reported 20% of these cameras use the default admin password, common sense tips are not out of place.
Because NTP uses UDP as its transport protocol, and because it responds to certain queries with larger amounts of data than is used to perform the query, an amplification attack can tremendously increase the amount of traffic hitting a DOS (Denial of Service) target. TCP-based services require a handshake with the initial sender before replying, and so are not easily usable for amplification attacks.
US CERT has posted resolution steps for admins of systems with this vulnerability. The Open NTP Project also provides a scanner to help identify vulnerable systems.
The malware itself grabbed the unencrypted data from memory during the period of time that it is unencrypted in order to allow authentication to take place. The data was then stored locally and transmitted to a compromised collection server on a scheduled basis.
Several security researchers have commented on how vociferously Target had insisted that the data on its hard drives had been encrypted using strong encryption. Memory scrapers are an attack vector that can bypass on-disk encryption techniques.
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
...
It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked.Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.
Last week, Target admitted that its security breach compromised on the order of 110 million cards, which puts it in the top tier of such security breaches.
While the people responsible for the Target hack have not been identified, Krebs identified one person who has been selling credit card numbers that were stolen from Target.
UPDATE: CNET has an interesting article where Target describes the reasons for the delay in notification about a breach that was discovered on Dec 15. It amounts to "we were trying to get ready for the storm."
Microsoft announced that Windows XP Security Essentials will also not be available after XP is declared "unsupported" in April.
If Security Essentials is no longer available, other vendors are likely to also drop support for XP product lines. This may include vendors like anti-virus and other security software vendors.
If XP systems can be upgraded, they should be upgraded immediately. Systems that cannot be upgraded need to be protected by air gaps and firewall rules. Services on these systems should be limited to only those functions that cannot be migrated.
Even with these measures, there will be a lot of insecure, poorly managed systems in the global IT environment. Black hats are rubbing their hands in anticipation of the feast.
But if computers are driving cars, we have to take a serious look at information security in the context of a self-driving automobile. Unfortunately, most current automation does not have adequate safeguards to protect from malicious inputs.
In particular, components do not do checking or validation to make sure that commands are being issued from an appropriate source. Security researchers have demonstrated that they are able to issue commands to a Prius to control steering, braking, acceleration, and dashboard displays. They were also able to disable an Escape's brakes at slow speed.
Ford and Toyota both point out that the researchers were connecting directly to the car's CAN (Controller Area Network), which limits the impact of some of their demonstrations. But keep in mind that wireless controllers on on-board systems such as Bluetooth controllers on sound systems and telematics units on satellite roadside assistance services may provide an entry point into the automobile. Anywhere a wireless connection allows access to a component connected to a CAN is a possible entry point for malicious code.
The sorts of security measures we use for other network-connected items would still work inside a car. Provide air gaps between components that don't need to be connected. And provide for validation and authentication of commands from components that do need to be connected.
I remember discussions about PC security in the early days of the Internet, when most computer viruses were still spread by injudicious insertion of floppy disks. Way back when, we were told that PCs didn't need to have security programmed in from the ground up. I'm hoping we learn from the history of those poor decisions. A Blue Screen of Death is one thing, but a traffic fatality is another.
