10Fold – Security Never Sleeps – 82

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Computer scientists have discovered vulnerabilities in Samsung’s Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world. In March 2016, more than 2.5 million patient records were put at risk due to stolen laptops, unauthorized access, and hacking, according to data from the U.S. Department of Health and Human Services. Europe’s police agency Europol has been given enhanced cyber powers to track down terrorists and other criminals. Last week, a security researcher discovered a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users.

Samsung Smart Home flaws let hackers make keys to front door – Publication: Ars Technica – Reporter name: Dan Goodin

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung’s SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren’t easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.


What to ask your doctor, lawyer, and accountant about protecting your personal data – Publication: PCWorld – Reporter name: Robert Lemos

The issues underscore that one of the greatest benefits of the Internet economy—the ability to conduct transactions without needing to be face-to-face—is also a great weakness. As not-present transactions have become the norm, the information that can be used as a digital identity—known as “fullz” in the underground community—has become more valuable. Experts say that a little due diligence can go a long way. Here are some basic steps that consumers can take to make sure that their accountants, doctors, and lawyers protect their information.


Eurocops get new cyber powers to hunt down terrorists, criminals – Publication: Ars Technica – Reporter name: Jennifer Baker

The new governance rules were approved by the European Parliament’s civil liberties committee on Thursday by a massive majority. MEPs claimed that the new powers come with strong data protection safeguards and democratic oversight. It means that Europol will be able to more easily set up specialized units to respond immediately to emerging threats, in particular cross-border crimes and terrorist threats.


How the Pwnedlist Got Pwned – Publication: Krebs on Security – Reporter name: Brian Krebs

Pwnedlist is run by Scottsdale, Ariz.-based InfoArmor, and is marketed as a repository of usernames and passwords that have been publicly leaked online for any period of time at Pastebin, online chat channels, and other free data dump sites. The service until quite recently was free to all comers, but it makes money by allowing companies to get a live feed of usernames and passwords exposed in third-party breaches which might create security problems going forward for the subscriber organization and its employees. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials.