dealing with more than 800,000 user accounts . The breachAttack.Databreach, which grabbed headlines on Monday , is drawing concerns from security researchers because it may have given hackers accessAttack.Databreachto voice recordings from the toy 's customers . But the company behind the products , Spiral Toys , is denying that any customers were hackedAttack.Databreach. Absolutely not , '' said Mark Meyers , CEO of the company . Security researcher Troy Hunt , who tracks data breachesAttack.Databreach, brought the incidentAttack.Databreachto light on Monday . Hackers appear to have accessedAttack.Databreachan exposed CloudPets ' database , which contained email addresses and hashed passwords , and they even sought to ransomAttack.Ransomthe information back in January , he said in a blog post . The incidentAttack.Databreachunderscores the danger with connected devices , including toys , and how data passing through them can be exposedAttack.Databreach, he added . In the case of CloudPets , the brand allegedly made the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication to access . That allowed anyone , including hackers , to view and stealAttack.Databreachthe data . On the plus side , the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed with the bcrypt algorithm , making them difficult to crack . Unfortunately , CloudPets placed no requirement on password strength , meaning that even a single character such as letter `` a '' was acceptable , according to Hunt , who was given a copy of the stolen data last week . As a result , Hunt was able to decipher a large number of the passwords , by simply checking them against common terms such as qwerty , 123456 , and cloudpets . `` Anyone with the data could crack a large number of passwords , log on to accounts and pull down the voice recordings , '' Hunt said in his blog post . Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December . However , both Gevers and Hunt said the company never responded to their repeated warnings . On Monday , California-based Spiral Toys , which operates the CloudPets brand , claimed the company never received the warnings . `` The headlines that say 2 million messages were leakedAttack.Databreachon the internet are completely false , '' Meyers said . His company only became aware of the issue after a reporter from Vice Media contacted them last week . `` We looked at it and thought it was a very minimal issue , '' he said . A malicious actor would only be able to accessAttack.Databreacha customer 's voice recording if they managed to guess the password , he said . `` We have to find a balance , '' Meyers said , when he addressed the toy maker 's lack of password strength requirements . He also said that Spiral Toys had outsourced its server management to a third-party vendor . In January , the company implemented changes MongoDB requested to increase the server 's security . Spiral Toys hasn ’ t been the only company targeted . In recent months , several hacking groups have been attackingAttack.Databreachthousands of publicly exposed MongoDB databases . They ’ ve done so by erasing the data , and then saying they can restore it , but only if victims pay a ransom feeAttack.Ransom. In the CloudPets incident , different hackers appear to have deleted the original databases , but leftAttack.Ransomransom notes on the exposed systems , Hunt said . Although the CloudPets ’ databases are no longer publicly accessible , it appears that the toy maker hasn ’ t notified customers about the breachAttack.Databreach, Hunt said . The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys . But Meyers said the company found no evidence that any hackers broke into customer accounts . To protect its users , the company is planning on a password reset for all users . `` Maybe our solution is to put more complex passwords , '' he said .
Robotics & Automation News Market trends and business perspectives January 5 , 2017 by Mark Allinson A globally co-ordinated cyber attack has hit 500 industrial companies in 50 countries in the past few months , according to security company Kaspersky . The worst affected were companies in the smelting , electric power generation and transmission , construction , and engineering industries . The attacksAttack.Phishingtake the form of emails purportedly fromAttack.Phishingfamous companies – such as DHL and Saudi Aramco – and most were sentAttack.Phishingfrom “ legitimate email addresses belonging to valid organizations ” , says Kaspersky . However , Kaspersky says its analysis of the emails compared to known malware shows that “ no new code was written specifically for this attack ” . Kaspersky says the hackers could have accessedAttack.Databreachand read previous communications between the target and their partners . They may then have used this information to craftAttack.Phishingemail communications which appear to be legitimate , so that the victim didn ’ t recognize the malicious aspect of the email . If the email is opened , it can stealAttack.Databreachthe user ’ s authentication credentials , which are send to a remote server .
The most recent breachAttack.Databreachof smart teddy bears -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The company behind the products , Spiral Toys , is denying that any customers were hacked . Zach Lanier , director of research at Cylance , went through the more famous incidents involving toys and breaches and offers a tip with each case . This may have given attackers accessAttack.Databreachto voice recordings from the toy 's customers , by allegedly making the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication process . Thus anyone , including the attackers , was able to view and stealAttack.Databreachthe data . CloudPets placed no requirement on password strength , making it much easier to decipher passwords . Tip : Always create a secure password , no matter the strength requirement . Include lowercase and uppercase letter , symbols and numbers . Use a password manager to help create and store unique passwords for sites and services . A line of stuffed animals , these connected toys combine with a mobile application that was vulnerableVulnerability-related.DiscoverVulnerabilitydue to a number of weak APIs , which didn ’ t verify who sent messages . This meant that an attacker could guess usernames , or email addresses , and ask Fisher-Price for server return details about associated accounts and children ’ s profiles , which provides their name , birthdate , gender , language and toys they have played with . Tip : If the IoT device connects to a mobile app or desktop computer , it is important to examine how it connects . If the start of the URL address is http rather than https , which is the secure version of HTTP , then your device is making a less secure connection . The doll has a microphone and accesses the internet to answer your child 's questions . Moreover , criminals could have the ability collectAttack.Databreachyour personal information . Tip : If the toy does require Wi-Fi , make sure it supports modern , more secure Wi-Fi capabilities like WAP2 . Their speech-recognition software maker Nuance Communications violated federal rules by listening to children and saving the recordings . It ’ s valuable to know how they are using your data . Don ’ t provide personal information that seems extra or unnecessary . VTech had its app store database , Learning Lodge , hacked . As a result of the breachAttack.Databreach, over 11.6 million accounts were compromisedAttack.Databreachin a cyberattackAttack.Databreach, exposingAttack.Databreachphotos of children and parents as well as chat logs . The profile data leaked included their names , genders and birth dates . Tip : Check to see if the manufacturer has had any cybersecurity issues in the past , and if so , how they responded . Alternatively , if the company is relatively new , your device is definitely at greater risk . The interactive toy has the ability to communicate and record conversations . Those conversations are sent to the company ’ s servers , analyzed and then stored in the cloud . The toy was criticized for spying on kids by recording their conversations . Through Wi-Fi , attackers can hijack the connection to spy on your children , stealAttack.Databreachpersonal information , and turn the microphone of the doll into a surveillance device . Tip : Since the device is Wi-Fi enabled , confirm if the device supports modern security protocols . If the device only uses WEP or WPA ( but not WPA2 ) security standards , it may be too risky to use . Those versions are older and over time have become almost entirely insecure from attack
The most recent breachAttack.Databreachof smart teddy bears -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The company behind the products , Spiral Toys , is denying that any customers were hacked . Zach Lanier , director of research at Cylance , went through the more famous incidents involving toys and breaches and offers a tip with each case . This may have given attackers accessAttack.Databreachto voice recordings from the toy 's customers , by allegedly making the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication process . Thus anyone , including the attackers , was able to view and stealAttack.Databreachthe data . CloudPets placed no requirement on password strength , making it much easier to decipher passwords . Tip : Always create a secure password , no matter the strength requirement . Include lowercase and uppercase letter , symbols and numbers . Use a password manager to help create and store unique passwords for sites and services . A line of stuffed animals , these connected toys combine with a mobile application that was vulnerableVulnerability-related.DiscoverVulnerabilitydue to a number of weak APIs , which didn ’ t verify who sent messages . This meant that an attacker could guess usernames , or email addresses , and ask Fisher-Price for server return details about associated accounts and children ’ s profiles , which provides their name , birthdate , gender , language and toys they have played with . Tip : If the IoT device connects to a mobile app or desktop computer , it is important to examine how it connects . If the start of the URL address is http rather than https , which is the secure version of HTTP , then your device is making a less secure connection . The doll has a microphone and accesses the internet to answer your child 's questions . Moreover , criminals could have the ability collectAttack.Databreachyour personal information . Tip : If the toy does require Wi-Fi , make sure it supports modern , more secure Wi-Fi capabilities like WAP2 . Their speech-recognition software maker Nuance Communications violated federal rules by listening to children and saving the recordings . It ’ s valuable to know how they are using your data . Don ’ t provide personal information that seems extra or unnecessary . VTech had its app store database , Learning Lodge , hacked . As a result of the breachAttack.Databreach, over 11.6 million accounts were compromisedAttack.Databreachin a cyberattackAttack.Databreach, exposingAttack.Databreachphotos of children and parents as well as chat logs . The profile data leaked included their names , genders and birth dates . Tip : Check to see if the manufacturer has had any cybersecurity issues in the past , and if so , how they responded . Alternatively , if the company is relatively new , your device is definitely at greater risk . The interactive toy has the ability to communicate and record conversations . Those conversations are sent to the company ’ s servers , analyzed and then stored in the cloud . The toy was criticized for spying on kids by recording their conversations . Through Wi-Fi , attackers can hijack the connection to spy on your children , stealAttack.Databreachpersonal information , and turn the microphone of the doll into a surveillance device . Tip : Since the device is Wi-Fi enabled , confirm if the device supports modern security protocols . If the device only uses WEP or WPA ( but not WPA2 ) security standards , it may be too risky to use . Those versions are older and over time have become almost entirely insecure from attack
Robots with inadequate security could be hacked and cause physical harm or be used to spy on unsuspecting owners in the near future . Researchers at IOActive Labs released a reportVulnerability-related.DiscoverVulnerabilityWednesday warning that consumer , industrial and service robots in use today have serious security vulnerabilities making them easy targets for hackers or accidental breaches . In a review of 10 robots , which ranged from home , business , and industrial , IOActive saidVulnerability-related.DiscoverVulnerabilitythe risks ranged from insecure communications , authentication issues , weak cryptography and missing authorization . Cesar Cerrudo , CTO of IOActive Labs , said robots suffer from many of the same security shortcomings of as IoT , medical devices , smart cars and plush toys . “ We foundVulnerability-related.DiscoverVulnerabilitynearly 50 cybersecurity vulnerabilities in the robot ecosystem components , many of which were common problems , ” according to the IOActive Labs reportVulnerability-related.DiscoverVulnerability. As part of its investigation , IOActive analyzed some robot hardware as well as robot ecosystems . Some of the robots examined included SoftBank Robotics ’ NAO and Pepper robots , UBTECH Robotics ’ Alpha 1S and Alpha 2 robots and Rethink Robotics ’ Baxter and Sawyer robots . Underlying issues within the robots studied for the report , Cerrudo saidVulnerability-related.DiscoverVulnerability, included weak default configurations , a big security problem responsible for privacy breaches and DDoS attacks in other internet-connected devices . “ We foundVulnerability-related.DiscoverVulnerabilityrobots with insecure features that couldn ’ t be easily disabled or protected , as well as features with default passwords that were either difficult to change or could not be changed at all , ” according to the report . In a closer examination of the robot ecosystems , IOActive Labs saidVulnerability-related.DiscoverVulnerabilitymany of the robot platforms it analyzedVulnerability-related.DiscoverVulnerabilityuse open source frameworks and libraries that suffer from known vulnerabilities such as cleartext communication , authentication issues , and weak authorization schemes . “ In the robotics community , it seems common to share software frameworks , libraries , operating systems , etc. , for robot development and programming . This isn ’ t bad if the software is secure ; unfortunately , this isn ’ t the case here , ” according to IOActive Labs . Cerrudo said the threat of robots is unique in that many are semiautonomous and can wander and impact their immediate physical environment . “ The threat is limited today , compared to what robots will be capable of in the future , ” he said . Robot components such as microphones , cameras , network connectivity , remote control applications and mobility features that help robots navigate physical environments need better security , Cerrudo said . “ A hacked autonomous robot can move around as long as its battery continues to provide power . This allows hackers to control an ‘ insider threat ’ and stealAttack.Databreachinformation or cause harm to nearby objects or people , ” according to the report . When asked , Cerrudo could not point to any known cases of a hacked robot causing personal harm or posing a security risk . Nevertheless , he cited several robot-related accidents that he said demonstrate potential risks posed by a hacked robot . In one case cited by IOActive Labs , a woman was killed in an industrial accident in 2015 in Alabama when an industrial robot restarted abruptly . It cited additional loss of life incidents tied to robotic functions within computerized medical and military equipment . “ We aren ’ t aware of any robots that have been hacked . But security of the robots we tested are very poor . Eventually in the future , when robots are more mainstream , we expect cybercriminals will start seeing hacking robots as a way to make money , ” said Lucas Apa , senior security consultant with IOActive Labs . That timeline of mass robot adoption is still a little foggy , according to Apa . According to market research firm IDC , worldwide spending on robots will reach $ 188 billion by 2020 , up from $ 91.5 billion in 2016 . According to IDC many of those robots will include consumer , industrial , and service robots for industries such as healthcare and retail . “ The industry doesn ’ t appear to learn from it ’ s mistakes , ” Cerrudo said .
It 's been quiet since 2015 , but TorrentLocker has suddenly returned . And this time it wants to stealAttack.Databreachyour passwords too . Cybercriminals are always adding new malicious tricks to ransomware . A ransomware variant which has been relatively inactive for almost two years is back , and this time it 's stealingAttack.Databreachuser credentials from victims in addition to demanding a ransomAttack.Ransomto unencrypt locked files . TorrentLocker -- also known as Cryptolocker -- started targeting Windows users in 2014 before dropping off by the summer of 2015 . Like the majority of ransomware schemes , TorrentLocker spreads via spam email messages containing malicious attachments . Rising Bitcoin prices force Cryptolocker ransomware scammers to drop asking priceAttack.RansomBitcoin 's wild fluctuations have forced a price update to the Cryptolocker ransomware . If the victim enables the macros by choosing to 'Enable Editing ' , a PowerShell code is executed and the ransomware is downloaded , encrypting the victims ' files until they pay a ransomAttack.Ransom. But that is n't where the malicious activity ends , because as noted by cybersecurity researchers at Heimdal Security , this incarnation of TorrentLocker has new features , including the ability to spread itself to other computers via shared files ; something which could see the ransomware taking over a whole network in a very short space of time . In addition to holding networks to ransomAttack.Ransom, the new version of TorrentLocker also harvestsAttack.Databreachusernames and passwords from infected computers , putting businesses at risk of cyberespionage and data breachesAttack.Databreach, while users could see their personal or financial information leakedAttack.Databreachand sold to cybercriminals on the dark web . The researchers warn that the revived TorrentLocker campaign is `` very aggressive '' and that many well known antivirus software products have n't been updated to protect against it , even days after the campaign began . Heimdal Security warns users in its native Denmark that they 're being highly targeted by TorrentLocker . Indeed , it appears that European internet users are the main target for those behind the campaign , as Microsoft told BleepingComputer that Italy is by far the most targeted by the perpetrators .