Security Alerts & News
by Tymoteusz A. Góral

#1212 Unpatched smart lighting flaws pose IoT risk to businesses
A host of web-based vulnerabilities in Osram Lightify smart lighting products remains unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC.

Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available.

Osram Lightify is a line of indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices.

Researcher Deral Heiland, principal security consultant at Rapid7, said that a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours.
#1214 New attack that cripples HTTPS crypto works on Mac, Windows and Linux
#1213 KeySniffer vulnerability opens wireless keyboards to snooping
#1212 Unpatched smart lighting flaws pose IoT risk to businesses
#1211 Amazon Silk browser ignored SSL searches, failing to protect your privacy
#1210 Microsoft Authenticator – coming August 15th! Supports AzureAD & Microsoft acct!
#1209 In-the-wild Ransomware Protection Comparative Analysis 2016 Q3 (PDF)
#1208 Windows UAC bypass leaves systems open to malicious DLLs
#1207 O2 customer data sold on dark net
#1206 Facebook admits blocking WikiLeaks’ DNC email links, but won’t say why
#1205 New evidence suggests DNC hackers penetrated deeper than previously thought
#1204 NIST prepares to ban SMS-based two-factor authentication