Echo Dot Finds Swanky New Home In Art Deco Speaker

http://ift.tt/2xKfGw9

The phrase “They don’t make them like they used to” is perhaps best exemplified by two types of products: cars and consumer electronics. Sure, the vehicles and gadgets we have now are so advanced that they may as well be classified as science-fiction when compared to their predecessors, but what about that style? Our modern hardware can rarely hold a candle to the kind of gear you used to be able to buy out of the “Sears, Roebuck and Company” catalog.

So when [Democracity] came into possession of a wickedly retro art deco speaker, it’s no surprise he saw it as a perfect opportunity to bring some of that old school style into the 21st century by rebuilding it with an Amazon Echo Dot at its core. The fact that the original device was a speaker and not a full radio made the conversion much easier, and will have everyone trolling yard sales for months trying to find a donor speaker to build their own.

To start the process, [Democracity] popped the panels off and ripped out what was left of the speaker’s paper cone and coil. In a stroke of luck, the opening where the driver used to go was nearly the perfect size to nestle in the Echo Dot. With a 3D printed cradle he found on Thingiverse and a liberal application of epoxy, the Dot could get snapped into the speaker like it was always meant to be there.

[Democracity] then picked up some absolutely gorgeous speaker cloth on eBay and hot glued it to the inside of the panels. What was presumably the volume knob was pulled out of the bottom and turned out to be a perfect place to run the Dot’s USB cable out of.

A lesser man would have called this project completed, but [Democracity] knows that no hack is truly complete without the addition of multicolored blinking LEDs. With the RGB LED strips installed inside, the light is diffused through the cloth panels and creates a pleasing subtle effect. You can almost imagine a couple of vacuum tubes glowing away inside there. Judging by the final product, it’s no surprise [Democracity] has a fair bit of experience dragging audio equipment kicking and screaming into the modern era.

This isn’t the first time we’ve seen an old piece of audio equipment get a high-tech transfusion, and isn’t even the first time we’ve seen the Dot used to do it. But it’s certainly the one we’d most like to see sitting on our shelf.

Filed under: classic hacks, home entertainment hacks, led hacks

Security News

via Hackaday https://hackaday.com

October 16, 2017 at 07:08PM

KRACK: Breaking Point Flaw For The Internet Of Things – International Business Times

http://ift.tt/2xLHllc

On Monday, security researchers revealed the existence of several major security vulnerabilities that could be exploited to steal sensitive information shared by users connected to a wireless network.

The exploits—known as Key Reinstallation Attacks or KRACK—affect Wi-Fi Protected Access 2 (WPA2), a protocol that is the current industry standard for encryption that is used to secure traffic on Wi-Fi networks.

KRACK attacks, which take advantage of a fundamental flaw in the way devices and access points communicate and handle encrypted data, put essentially every Wi-Fi enabled device at risk—though the internet-connected devices that make up the Internet of Things are of particular concern.

While many vendors have already quickly moved to offer up a fix for the vulnerabilities—Microsoft has already issued a patch, Apple addressed the issue in earlier versions of its mobile operating system and Google is already concocting its fix for Android—IoT devices are notoriously slow when it comes to addressing security problems.

“There might be a lot of [Internet of Things] devices that might not receive a patch in the near future,” Candid Wueest, a threat researcher at security firm Symantec, told International Business Times.

“Sometimes they don’t have a patch mechanism, sometimes people don’t know about it. It could be that some of those devices would still be attackable, but it’s debatable on how serious it is if someone can listen in to your radio or your smart TV,” Wueest said.

This has been a long-standing issue for the Internet of Things (IoT), which is made up of everything from internet-connected light bulbs that can be turned on and off remotely to Wi-Fi enabled refrigerators and other appliances to the systems that allow massive enterprise organizations to keep track of their production lines and shipping containers.

IoT is already massive—there are an estimated 8.4 billion connected devices in use, according to Gartner—and will only continue to grow as the technology to allow a device to connect to the internet becomes cheaper. It is projected there will be nearly 20.5 billion IoT devices in use by 2020.

While that internet connection offers newfound convenience for consumers, allowing them to interact with devices and appliances in new ways, it has also created a massive number of new potential entry points for attackers—most of which go unaddressed.

A report from Hewlett-Packard found that 70 percent of IoT devices contain noteworthy security flaws—on average, about 25 vulnerabilities per device—that have yet to be patched by the manufacturer.

In some cases, there is a low probability that those vulnerabilities will ever be exploited so vendors choose not to address them until absolutely necessary. But the discovery of KRACK highlights a major and potentially crippling problem for the Internet of Things: in many cases, manufacturers don’t even have a protocol for patching devices.

“It’s clear to me that Internet of Things-type devices will be the hardest hit,” Alex Hudson, the chief technology officer at Iron Group, wrote. “Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates.”

While device manufacturers like Google and Apple and Microsoft must keep their devices up to date to protect users, producers of IoT devices like smart TVs may not have even thought about the possibility that a security patch may one day be necessary and therefore have no option to provide an update to address a vulnerability.

Mark Orlando, chief technology officer for cyber services at cybersecurity firm and United States defense contractor Raytheon, told IBT “speed-to-market has driven most of the development and deployment of wireless devices that make up the IoT,” rather than security. “Updating them to keep up with cyber threats and new vulnerabilities was never part of the equation for many of their developers.”

The result is the devices are affordable and widely accessible, but also incredibly vulnerable to being exploited by malicious actors.

Orlando said for the IoT to continue, it requires “active maintenance rather than deploying and forgetting about any device.” He suggested bringing transparency to the standards and protocols that govern how internet-connected devices work, allowing developers to better understand the devices and where risks may reside.

He also suggested that businesses look closely at how any wireless devices may operate before adding them to their supply chain, including performing vulnerability assessments and ensuring the devices adhere to best security practices to mitigate potential risks.

That advice may work going forward for organizations who know to provide scrutiny to the security of devices, but it likely provides little respite for those who have already invited a litany of IoT devices into their home or business operations.

There are undoubtedly millions of devices already available that will never receive a patch to protect against KRACK attacks—and millions more that may have a patch available that will never be installed. Since many IoT devices that do receive patches require users to manually check for and install the fixes, the patches never get applied.

“As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter—it’s a difficult problem to weigh,” Hudson wrote.

There is some good news when it comes to the KRACK attack in particular. First, the vulnerabilities have yet to actually be exploited in the wild. Researchers were able to complete a proof of concept attack but no one has been directly compromised from the exploits yet.

Additionally, KRACK requires a threat actor to be close to the victim they are attempting to compromise. The attack has to take place within the wireless range of a device or access point, which means about 30 feet or so. This greatly limits the potential for a widespread attack—though does leave the possibility for targeted attacks.

It’s also worth noting that IoT devices, if configured correctly by the manufacturer (which is not a guarantee), will encrypt any sensitive data that they transmit. KRACK can be used to potentially compromise an unpatched IoT device but can only intercept information that is unencrypted.

That said, KRACK needs to serve as a wake-up call to makers of internet-connected devices. The way wireless devices communicate was discovered to be flawed and many parts of the IoT have no mechanism to defend against the threat. The next flaw to be discovered may not be so limited in its attack radius, and device manufacturers will need to have a way to react.

“The future viability of the Internet of Things will be determined by how seriously industry takes issues like this,” Raytheon’s Orlando said.

Security News,IoT News

via IoT – Google News http://ift.tt/2pYPKZV

October 16, 2017 at 06:42PM

CVE-2017-0316

http://ift.tt/2x10Ule

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because
they may have information that would be of interest to you. No inferences should be drawn on account of other sites
being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose.
NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further,
NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about
this page to nvd@nist.gov.

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 06:23PM

CVE-2017-9367

http://ift.tt/2kSYtzv

References to Advisories, Solutions, and Tools

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 06:23PM

CVE-2017-9368

http://ift.tt/2x0FrsG

References to Advisories, Solutions, and Tools

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 06:23PM

CVE-2015-7504

http://ift.tt/2kSYq6N

References to Advisories, Solutions, and Tools

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 06:23PM

Samsung taps the Internet of Things to track your stuff – Mashable

http://ift.tt/2yPg1CL

Samsung’s Connect Tag keeps track of your stuff.

Image: Samsung/Mashable composition

Samsung wants to make sure you never lose your stuff again. And it is tapping the Internet of Things to do it.

The consumer electronics giant has introduced the Samsung Connect Tag, which can clip on to any object, and accurately relay the object’s location to your smartphone. 

Connect Tag will, as its name indicates, help you keep track of your stuff. If you’ve lost a device attached to Connect Tag, you can request its location from an app on your phone. And if your kid gets lost, they can press a button on Connect Tag to send you their exact location. 

But Samsung’s late to the track-your-stuff game. There are plenty of other companies already trying to help you do just this; the difference here is that Samsung is leaning hard into the Internet of Things to extend range with its Connect Tag — no Bluetooth needed.

While competitors like Tile and TrackR rely on Bluetooth, the Connect Tag will instead utilize narrowband networks. Narrowband networks are made to connect smart devices to each other over cellular data. Samsung claims they use less data, and less power, than Bluetooth, and are more secure.

Over narrowband networks, your Connect Tag will function as a smart device, joining the Internet of Things. If you carry Connect Tag with you, it will notify your other smart devices when you’re approaching and turn them on for you in advance. If you put the device on your kid or pet, your smart devices can notify you of when they’ve come into range.

This announcement is just the latest step in Samsung’s quest to dominate — and get people to join — the personal smart devices revolution. It recently released Gear Sport Watch, which allows its wearer remote control of home smart devices. 

Samsung has also recently partnered with residential security corporation ADT to launch a home security system that allows a user to control and monitor an array of smart motion sensors from a digital security hub, which can also control other smart devices.

The tag will be unveiled at the Samsung Developer Conference on October 18-19. Samsung has not disclosed the price.

Security News,IoT News

via IoT – Google News http://ift.tt/2pYPKZV

October 16, 2017 at 05:06PM

What You Should Know About the ‘KRACK’ WiFi Security Weakness

http://ift.tt/2gdQJTv

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available for your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example, can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

For those interested in a deeper dive on the technical details of this attack, check out the paper (PDF) released by the researchers who discovered the bug.

Security News

via Krebs on Security http://ift.tt/TKsn16

October 16, 2017 at 04:54PM

CVE-2014-0208

http://ift.tt/2ysFGQQ

References to Advisories, Solutions, and Tools

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 04:23PM

CVE-2015-2780

http://ift.tt/2glsma6

References to Advisories, Solutions, and Tools

Technical Details

Vulnerability Type

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 16, 2017 at 04:23PM