Massive security hole lets hackers control millions of cameras, printers and routers

A newly discovered exploit in a technology standard known as “universal plug and play” (UPnP) is big enough that hackers on the Internet could remotely access and control “millions” of compatible devices like cameras, printers and routers, security researchers said Tuesday.

Researchers working for the security firm Rapid7 said they found bugs in the UPnP standard that expose personal devices to being remotely accessed and controlled. That means an enterprising hacker could, say, exploit the bug to print unwanted messages on a personal printer, or turn on a webcam unbeknownst to the owner.

A hole this large has likely already been exploited on a selective, individual basis, researchers warned, noting that something like 40 to 50 million network devices make use of UPnP.

Rapid7's announcement was confirmed Tuesday night by the United States Computer Emergency Readiness Team (US-CERT), which warned that “hundreds of vendors” that supply network-enabled hardware rely upon UPnP, including major firms like Cisco’s Linksys, D-Link, Belkin and Netgear. The agency recommended those manufacturers begin immediately updating their software to close the vulnerability — a process which could take months.

“We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,” a Cisco spokesperson told Forbes.

Rapid7 has also released a network scanning tool that should identify devices that are running UPnP and direct users to instructions to disable it. “Given the high level of exposure and potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled” on any hardware currently running it, they advised.

From RawStory.com (http://s.tt/1za9b)

NSA cybersecurity program to protect power grid confirmed

Newly released documents confirm that the National Security Agency (NSA), America’s top cyberespionage organization, is spearheading a cloaked and controversial program to develop technology that could protect the US power grid from cyberattack.

Existence of the program, dubbed Perfect Citizen, was revealed in a 2010 Wall Street Journal article. But intriguing new details are revealed in documents released by the NSA last month to the Electronic Privacy Information Center (EPIC), an Internet privacy group that petitioned for them in 2010 under the Freedom of Information Act.

Of the 188 pages of documents released by the agency, roughly half were redacted to remove classified information. Even so, the documents show Perfect Citizen to be in the fourth year of a five-year program begun in 2009. Valued at up to $91 million, the Perfect Citizen technology is being developed by Raytheon, the Waltham, Mass., defense contractor that won it.

More from Raw Story: http://www.rawstory.com/rs/2013/01/04/secret-nsa-cybersecurity-program-to-protect-power-grid-confirmed/