Sep 03 2021

New BrakTooth flaws potentially impact millions of Bluetooth-enabled devices

Security flaws in commercial Bluetooth stacks dubbed BrakTooth can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.

The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.

As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.

“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “

The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).

The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities

braktooth

Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)

Tags: Bluetooth security


Mar 13 2021

Developing a Strong Security Posture in the Era of Remote Work

Tags: Remote work


Feb 28 2021

Why enterprises need rugged devices with integrated endpoint management systems

Paired longevity solutions in hardware and software

There is a solution to both these issues – durability and security.

Rugged devices are designed specifically for your hardworking enterprise operations. They integrate seamlessly into UEM and MDM platforms, can be trained to only engage with secure networks, and can be geofenced to turn themselves into expensive paperweights if taken off-property.

Rugged devices are not only trusted for their durability and performance, but their security capabilities are also unparalleled when it comes to providing your IT security team with top-down controls over device management and data security.

Their sturdy construction, replaceable shift batteries, and stable software platform ensures that your investment will last for years and will eliminate “down-time” (if used correctly).

What’s more, a survey conducted by Samsung found that employees were not only open to using ruggedized devices, over 90% of respondents currently using rugged tech – and over half of non-user respondents – wanted management to invest more into such devices.

Why enterprises need rugged devices with integrated endpoint management systems

Tags: MDM, UEM


Oct 25 2012

Off Premises Equipment Security in ISMS

Category: Laptop SecurityDISC @ 11:22 am

Control  A 9.2.5 in annex A of ISO 27001 standard requires organization to have authorized policies and procedures in place for security of off-premises equipment and these controls should be implemented based on risk assessment of physical particular assets.  There should be a formal approval procedure before taking the equipment offsite. Approval authority will depend upon the classification of an asset and can be determined through risk assessment process for potential risk to an organization. Below are some of the ISO 27002 recommendations for taking equipments off site.

Laptop computers, mobile phones, USB flash drive should be encrypted and password  protected, especially when these equipments are carrying a classified or sensitive information and exposure of this information may significantly harm the organization. Laptop computers and flash drives should be carried in an unidentified secure laptop bags and your bag should stay in your possession at all time and never be unattended in any circumstance. Some organizations are allocating separate laptop for travel to avoid personal and corporate data exposure and placing a limit on data that can be carried on the laptop or USB drive. Some travelers are asked to backup their data on web based backup service in case they lose the equipment or it may get corrupted. Especially in case of laptop, screen saver and privacy screen are must policies to have in an organization which has a healthy group of folks on the road on a regular basis.

Awareness is a key to every successful implementation of security control. A special awareness session should be designed for off-site staff which covers the off premises security.  Completing this awareness training and risk assessment of an asset should be built in the user authorization form.





Aug 08 2010

TSA Approved – checkpoint freindly laptop case

Category: Laptop SecurityDISC @ 10:57 pm

HP EZ Check Laptop Case – TSA Approved – Checkpoint Freindly to Easy Your Travel

HP EZ Check Laptop Case – TSA Approved – Black Protect your laptop in this HP EZ Check Briefcase, carry it-and your accessories in style. This case has been tested and meets the new Transportation Security Administration (TSA) guidelines for carry-on luggage.

Now you can travel through airport screening checks more quickly as you can keep the notebook inside the bag when going through the X-Ray

  • Fits up to 16″ laptop
  • Pad and cushion your laptop with the durable materials and nylon zipper
  • Zip through airport security with the checkpoint friendly design
  • Store accessories like as your AC adapter, mouse, extra battery, or Ipod in the front zippered pocket
  • Carry easily with the padded shoulder strap
  • 15.7 inches Length X 11 inches Height and 2 inches Wide




  • Oct 29 2008

    Laptop and traveling precautions

    Category: Laptop SecurityDISC @ 12:58 am

    Laptop security

    Best practice emphasize the fact to backup the data if you can’t live without it, in the same way a traveler must avoid taking sensitive data on the road unless it’s absolutely necessary to do so. If you do plan to take sensitive data with you on the laptop, the necessary security controls must be implemented and go with the sensitive data. The data protection controls should be based on your information security policy data classification.

    The laptop hardware itself is only worth few hundred dollars these days, but on the other hand it’s hard to put a price tag on the exposed data which may have a drastic impact on your organization, especially these days when most of the organizations are at the edge due to financial chaos.
    Frequent travelers know it’s possible to lose a laptop or lose data because laptop may become inoperable due to hardware malfunction. Planning an important business trip should include encrypting sensitive data and backup on a remote website (Carbonite). So in case you lose your laptop or it’s is inoperable for some reason, you can remotely recover backed up files from site within reasonable time.

    [TABLE=8]

    Here is how you can encrypt your data on Windows laptop with built-in utility EFS

    1. Create a new folder, and name the folder Private.
    2. Right click the new folder and choose properties
    3. Click advanced button
    4. Check encrypt contents to secure data box and then click OK, Apply and OK again.

    You have created a secure area where you can put your sensitive documents. Any file or subfolder you add to this folder (Private) will be encrypted automatically. Basically any type of file except Windows system file will be encrypted in this folder. Now if the attacker steal your laptop and remove your hard drive and mount on a system where the attacker has administrative privileges, the attacker will not be able to access the contents of the folder Private. On the other hand 256-bit AES encryption key is stored in encrypted form as a file attribute called the data decryption field (DDF). The EFS private key, needed to decrypt the DDF and extract the file encryption key, is also stored in encrypted form in the registry. The master key, which is used to obtain the key needed to access the EFS private key, is encrypted by the systems key and also stored locally. So the attacker will be able to decrypt the EFS protected files if he can somehow get possession of the system key.

    Luckily we do have a choice whether to store the system key locally on your laptop. If you click start, then Run and then launch syskey.exe utility, you can choose how and where the system key will be stored. The dialogue box will present three options.

    1. Store the startup key locally
    2. Store the startup key on the floppy disk
    3. Generate the startup key from a password

    With the two non default options, you will be requiring to either insert the floppy or enter the password whenever the laptop is BOOTED. The floppy option is highly inconvenient for laptop users but the password options seem sufficient to protect the laptop data. On the laptop which doesn’t have a floppy drive, don’t try to click the floppy option because when you boot next time the laptop will be looking for the system key on a floppy before booting.

    Survey: CISOs worried about mobile data security

    **The real Hustle – Laptop Theft Scam
    httpv://www.youtube.com/watch?v=Gb3ZiTJkCaA


    Reblog this post [with Zemanta]




    Tags: aes, Backup, Booting, carbonite, Cryptography, data classification, data ptotection, ddf, efs, encryption, exposed data, financial chaos, Hardware, Notebooks and Laptops, private key, Security, security controls, sensitive data, system key, threats, Windows


    Aug 25 2008

    Laptop security and vendor assessment

    Category: Laptop Security,Vendor AssessmentDISC @ 2:37 am

    Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.

    According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
    The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
    The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
    Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
    The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”

    When TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless this was stated clearly in the contract that the vendor will be liable if customers’ private data is exposed unencrypted. Which means private data should be encrypted if it’s at the server, in transit or on the laptop.
    This brings the question if the 3rd party service provider (vendor) should be considered for the security risk assessment and how often. This question should be considered before signing a service contract with the vendor and what criteria or standard should be used to assess the vendor. Should this assessment include the security office 3rd party cleaning staff, perhaps yes, considering sometime cleaning staff does have an access to very sensitive areas in the organization? Many of the controls applied to contractors should be more or less the same as applied to regular employees but the contractor who has access to sensitive information potentially should have more controls then the regular employees, which should be clearly defined in the service contract.
    Before signing the service contract, due care requires the organization should always assess the vendor’s security posture based on their own information security policy and ISO 27002 standards. Depending on the risk assessment report, the organization can negotiate the controls necessary to protect the security and privacy of their data and customers with given vendors. At this point the organization needs to make a decision, if the vendor is up to par as far as information security is concerned and if negligent, give them some sort of deadline to improve controls to become a business affiliate. Depending on the level of data sensitivity, some vendors might be required to acquire ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
    Assessing the vendor on a regular basis might be the key to know if they are complying with the required security clauses mentioned in the service contract and make them potentially liable for non-compliance. If the vendor fails the assessment the organization should follow up with the vendor to remediate those gaps within a reasonable time frame, otherwise this constitutes a breach of the contract.

    Laptop Security
    httpv://www.youtube.com/watch?v=dytZBBlDMJs


    (Free Two-Day Shipping from Amazon Prime).




    Tags: assessment, business affiliate, compliance, data sensitivity, iso 27001, iso 27002, laptop stolen, privacy, service contract, social security numbers, TSA, verified identity