Security Alerts & News
by Tymoteusz A. Góral

History
#1432 Million more devices sharing known private keys for HTTPS, SSH admin
Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications.

This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated.

Devices and gadgets are still sharing private keys for their builtin HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once.

SEC Consult senior security consultant Stefan Viehböck scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.
Read more
#1436 Two-thirds of companies pay ransomware demands: But not everyone gets their data back
#1435 Google shuts down potentially massive Android bug
#1434 The missing piece – sophisticated OSX backdoor discovered
#1433 This nasty Android malware tries to bully its way past Marshmallow security features
#1432 Million more devices sharing known private keys for HTTPS, SSH admin
#1431 Modified USB ethernet adapter can steal Windows and Mac credentials
#1430 Critical flaws found in network management systems
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12