Weekly Podcast: MouseJacking, uKnowKids, and Smart Online

This week, we look at a vulnerability affecting wireless mice and keyboards, one firm’s reaction to a security researcher, and the imprisonment of an app developer’s former employee.

Hello and welcome to the IT Governance podcast. Here are this week’s stories.

Security researchers at Bastille have identified “a class of vulnerabilities that affects the majority of wireless, non-Bluetooth keyboards and mice”. These vulnerabilities, affecting the products of seven vendors including Dell, HP, Lenovo, Logitech and Microsoft, “enable an attacker to type arbitrary commands into a victim’s computer from up to 100 meters away using a $15 USB dongle,” says Bastille. Basically, if someone within 100 metres of your machine transmits a wireless signal that purports to be from a wireless mouse, your wireless dongle will accept it. Bastille calls this a ‘MouseJack’. At the time of recording, some vendors have issued firmware updates to patch the vulnerability. Affected devices are listed at www.bastille.net/affected-devices.

uKnowKids, an American ‘child monitoring service’ that enables parents to track their children’s online activities, has been criticised for its response to a security researcher’s report into its information security. Chris Vickery of Kromtech discovered via Shodan that uKnowKids had given “public access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles [including] first and last names, email addresses, dates of birth, [GPS] coordinates, social media access credentials, and more” for at least 48 days. Vickery told uKnowKids about his discovery, and the issue was resolved within the hour. So far, so good. But uKnowKids CEO Tim Woda was unhappy about Vickery’s approach – especially his retention of redacted screenshots of the vulnerable database as evidence – and, according to Vickery, used “intimidation tactics” and issued “veiled threats over the phone” in an attempt to dissuade him from reporting the incident. In a blog in which he poured scorn on Vickery’s credentials, calling him a hacker who ‘claims to be […] a “security researcher”’, Woda stated that the “one lesson that has been reinforced for us with this hacker’s data breach [was that t]here are bad actors out there on the Internet and in our digital world that seek to exploit the vulnerabilities of our kids, our families, and our organizations for their own personal benefit.”

An IT manager has been imprisoned for 30 months after wreaking revenge on a former employer. Nikhil Nilesh Shah, 33, worked for North Carolina mobile app developer Smart Online Inc. for about five years until March 2012. Three months after he changed jobs, he sent malicious code to Smart Online’s servers and deleted large amounts of information, including intellectual property. The FBI investigated, soon obtaining incriminating evidence after getting a warrant to search his Gmail inbox and subpoenaing AT&T. Shah pleaded guilty last August, and this week was sentenced to 30 months in prison and ordered to pay the firm $324,462 in compensation.

And that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.