This thread is directed towards the increasing number of #EDUs and firms contacting me regarding #Police #cyberAlarm
2 weeks ago, I remotely hacked a cyberAlarm installation upon a request by an EDU. Following a brief review, a number of critical issues came to light
1/x
... prompting a pinned tweet.
Unfortunately, the severity of the issues left me with no choice but to contact @PoliceChiefs
Since then, it's been radio silence for which I can only apologise. However, there's been a hive of activity behind the scenes.
2/x
I'm very pleased to say that @PoliceChiefs have been absolutely exemplary throughout. Several emails, 2 video calls and a detailed walk-thru later, they made the difficult decision to take several features offline. This was done within an hour of my first call!
3/x
They have also enlisted the services of another independent security firm to validate my findings and make recommendations.
This is absolutely the correct way to handle a disclosure. I won't name the firm for the moment, but rest assured, they're one of the finest.
4/x
However, whilst @PoliceChiefs are making every effort to validate & rectify the issues, I disagree with the decision to leave the system live until a review has been undertaken... chiefly because I truly believe the vendor behind CA, Pervade, cannot deliver a secure app.
5/x
This is a conclusion I reached 18 months ago whilst reviewing the first production app... and one which this release only serves to reaffirm.
There will be a blog post shortly outlining everything in detail, however the "TL;DR" is this...
6/x
Please, uninstall #cyberalarm immediately. If you've reused #passwords, change them immediately as they're currently stored in plain text and returned from an API without authentication.
No, that's not a typo.
7/x
Please bear with me.
The risk now is far higher than 18 months ago & incredibly, some of the issues are far worse. I need to articulate & demonstrate the vulnerabilities without placing hundreds of schools, firms and people at risk... which is a balance which takes time.
8/x
Until then, know that NPCC is working on a resolution. They've witnessed every issue on a video call & haven't disputed a word, yet
They believe it's safe to leave online, I disagree... but that doesn't mean I'm right
When the review is live, you can decide.
More coming soon.