Unfortunately this large density of defects in IoT is not unexpected.

A study across 15 years and 3 million binaries showed that core security hygiene products in the base of IoT showed no trends towards improvement.

In fact, things more often got worse.

cyber-itl.org/2019/08/26/iot…
Left to their own accord vendors of embedded systems are not demonstrating that they improve basic security hygiene in their products.

There needs to be a more global incentive structure to address this issue.
For example Ubiquity, whose products I like, simultaneously had their best and worst hygiene product in 2018.

You can see products in their portfolio getting random improvements and products *losing* basic safety features in the dev process.
Parker, @m0thran, did observe that Google’s (non-branched) Android releases *did* show baseline improvement over time.

However Google seems to be an exception and few others have the resources or desire to improve baseline security “just because”.

cyber-itl.org/2019/12/16/and…
If you want to find, or fix, a vulnerability that spreads across many vendors and products I would recommend looking into the collisions identified on this heat map.

Again @m0thran did all this awesome work (in the Cyber-ITL.org blog post on embedded systems/IoT)
If you want to know which binaries those are, or maybe look for the sha256 of binaries from the JSOC vuln report on other products...

The Cyber-itl.org dataset has s here:

drive.google.com/file/d/1aThJ_O…
Per numerous DMs:

The description of fields in the data set, and the larger report, are here...

Please appropriately credit cyber-itl if you use it. They are a small non-profit and every bit of support helps.

cyber-itl.org/2019/08/26/iot…
Additional:

The CITL dataset is Linux embedded systems / IoT variants.

CITL did not release RTOS datasets.
Additional additional:

Base security dev-lifecycle hygiene measurements across 24 releases of Android.

Google Android showing the rare consistent improvement exception to the observed bad trends across much of the rest of the industry.
Keep Current with Mudge