Equifax hack = Failure to patch Struts

As the dust settles on arguably the largest identity hack in history, people have been trying to figure out exactly what went wrong. It is known that the attack used a known vulnerability in the Apache Struts framework, disclosed in March of this year. An analysis by Ars Technica points to a failure by Equifax to apply the patch, and to block the Jakarta multipart file-upload parser, when the flaw was found.
Blaming open source for your mistakes is only valid if you keep it up to date; Equifax's mistake is a lesson for us all.
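The practical lesson is inventory: you cannot patch a Struts jar you do not know you are running. Below is an added Python example (my own code, not from the post, Ars Technica or Equifax) that walks a deployment tree for struts2-core jars and flags every copy below the fixed release of its branch. The minimum patched versions in FIXED_VERSIONS are as published in the Apache Struts bulletin for the March 2017 multipart-parser flaw, not from this page; verify them against the bulletin before relying on the output. The sample paths in the usage note are constructed.

```python
import re
import sys
import zipfile
from pathlib import Path

# Minimum patched release per Struts branch for the March 2017 Jakarta multipart
# parser flaw, as published in the Apache Struts bulletin (not taken from the page;
# verify against the bulletin before relying on this table).
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed=FIXED_VERSIONS):
    """True if version is below the fix for its branch.

    Branches that are not in the table (end-of-life lines that never
    received a fix) are reported as vulnerable: fail closed, not open."""
    branch = version[:2]
    if branch not in fixed:
        return True
    return version < fixed[branch]


def scan_paths(paths, fixed=FIXED_VERSIONS):
    """Classify every struts2-core jar among the given paths.

    Returns a list of (path, version string, vulnerable) tuples; paths that
    are not a struts2-core jar are ignored."""
    findings = []
    for path in paths:
        match = JAR_RE.search(str(path))
        if not match:
            continue
        version = parse_version(match.group(1))
        findings.append((str(path), match.group(1), is_vulnerable(version, fixed)))
    return findings


def scan_war(war_path, fixed=FIXED_VERSIONS):
    """Look inside a packed .war (a zip) without extracting it."""
    with zipfile.ZipFile(war_path) as war:
        entries = [f"{war_path}!{name}" for name in war.namelist()]
    return scan_paths(entries, fixed)


def scan_directory(root, fixed=FIXED_VERSIONS):
    """Exploded deployments: lib folders on disk. Packed wars: read via zipfile."""
    root = Path(root)
    findings = scan_paths(root.rglob("struts2-core-*.jar"), fixed)
    for war in root.rglob("*.war"):
        findings.extend(scan_war(war, fixed))
    return findings


if __name__ == "__main__":
    for path, version, vuln in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'VULNERABLE' if vuln else 'ok':<10} {version:<10} {path}")
```

Run it against the application server's deployment directory (for example `python struts_inventory.py /srv/tomcat/webapps`). Fat jars and shaded builds that rename the artifact will not match the filename pattern, so treat a clean run as "nothing found by name", not as proof of absence.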

Electronic voting – will we ever get it right?

Another online / electronic voting system has been torn to pieces in a hack test. The German “PC-Wahl” system, used by the German states to capture, aggregate and tabulate votes during an election, was tested by the German white hats of the Chaos Computer Club (CCC). The findings were sobering: the system is full of exploitable holes, and so German elections could in theory be tampered with.

New crypto standards and government participation

There has always been a tense relationship between security standards and the participation of government agencies in setting them. There have always been rumours of back doors; the NSA and DES is the strongest and longest-lived of them. Now this has reached the next generation of crypto, and two proposed NSA cipher designs: Simon and Speck. After strong international objections and concerns about these becoming ISO standards, they have been allowed only in their strongest variants, as there is concern that the smaller ones hold a weakness that said government agencies could exploit. Another example of the post-Snowden world.
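To make the discussion concrete, here is the Speck128/128 block cipher (64-bit words, 128-bit key, 32 rounds) as an added Python example. It is my own code, not from the post and not the NSA reference code; the rotation amounts, round count, key schedule and the test vector are taken from the published Speck specification, not from this page. It shows why the design is attractive for constrained hardware (a handful of add, rotate and xor operations per round, no S-boxes or tables) and why reviewers focus on the parameter sets: word size and round count are the whole security margin.

```python
"""Speck128/128: 64-bit words, 128-bit key, 32 rounds.

Parameters and test vector follow the published Speck specification
(assumption: taken from the spec, not from the page being edited)."""

MASK64 = (1 << 64) - 1
ALPHA, BETA, ROUNDS = 8, 3, 32  # rotation amounts and round count for Speck128/128


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def speck_round(x, y, k):
    """One ARX round: rotate-add-xor on x, rotate-xor on y."""
    x = ((rotr(x, ALPHA) + y) & MASK64) ^ k
    y = rotl(y, BETA) ^ x
    return x, y


def speck_round_inverse(x, y, k):
    """Undo speck_round: recover y first, then x (modular subtraction)."""
    y = rotr(y ^ x, BETA)
    x = rotl(((x ^ k) - y) & MASK64, ALPHA)
    return x, y


def key_schedule(k0, l0):
    """Expand the key K = (l0, k0) into 32 round keys.

    The schedule reuses the round function with the round index as the
    'key', which is what keeps the whole cipher so small."""
    round_keys = []
    k, l = k0, l0
    for i in range(ROUNDS):
        round_keys.append(k)
        l, k = speck_round(l, k, i)
    return round_keys


def encrypt_block(x, y, round_keys):
    for k in round_keys:
        x, y = speck_round(x, y, k)
    return x, y


def decrypt_block(x, y, round_keys):
    for k in reversed(round_keys):
        x, y = speck_round_inverse(x, y, k)
    return x, y


def published_test_vector():
    """Key 0f0e0d0c0b0a0908 0706050403020100 and plaintext
    6c61766975716520 7469206564616d20 from the Speck spec; the spec gives
    ciphertext a65d985179783265 7860fedf5c570d18."""
    rk = key_schedule(0x0706050403020100, 0x0F0E0D0C0B0A0908)
    return encrypt_block(0x6C61766975716520, 0x7469206564616D20, rk)


if __name__ == "__main__":
    rk = key_schedule(0x0706050403020100, 0x0F0E0D0C0B0A0908)
    ct = published_test_vector()
    print("ciphertext:", " ".join(f"{w:016x}" for w in ct))
    print("round trip ok:", decrypt_block(*ct, rk) == (0x6C61766975716520, 0x7469206564616D20))
```

This is a reference implementation for reading, not for production: Python integers are not constant-time, and a raw block cipher still needs a mode of operation and authentication around it.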

Disney leaves Netflix to go solo

Disney has decided to terminate its 2012 streaming deal with Netflix and to launch its own service starting in 2019. You may remember that the 2012 deal was heralded as a major win for Netflix, with the inclusion of such valuable IP as Marvel and Pixar (and now, of course, the Star Wars universe).
This is a logical extension of the investments Disney has made in BAMTech (the US MLB streaming company) and falls in line with its plans to launch a global streaming service for its sports network ESPN. For the Star Wars nuts: this means the next two films will be on Netflix, but not the last in the new trilogy.

More fun with expired versions of Windows

Another day, another vendor is caught running critical equipment on out-of-date, unpatched operating systems. This time it is medicine, and Siemens medical scanners. This ICS-CERT advisory points out that Siemens PET/CT systems run on Windows 7 and have not been patched by Siemens since 2015, leaving at least three known security holes exposed. The corresponding Siemens advice is to disconnect the devices from the network until they are patched. I wonder how many more proprietary solutions with this issue we will come across.

Social Bots and the creation of fake news

An enlightening article in MIT Technology Review on the work done by Chengcheng Shao and colleagues at Indiana University on the impact of social botnets, focusing on the propagation of news from 122 identified fake-news sites into social media. This was then weighed against 15,000 stories from accredited news sites for comparison, with the analysis set up to keep real and bot users apart. Interesting read.

Next up: Intelligent AR glasses

Microsoft and Google are deep in the trenches planning the next generation of HoloLens and Google Glass respectively. Both have learned from the failure of the first generation of Google Glass and its lack of adoption in the consumer space. They have thus refocused on the corporate sector, with slightly different approaches. Whereas Google's post talks about adapting Glass (here referred to as Glass Enterprise Edition) to corporate use without many new features, Microsoft is focusing on AI integration in the next generation of HoloLens and is making its own AR chip. This focus on AR, and the downplaying of VR, may have an impact on companies trying to make the VR market. Will it (for now) only be a gaming thing?

Do you have one of the 306,000,000 passwords already hacked?

Troy Hunt (of Have I Been Pwned) has made his collection of 306 million pwned password hashes available online, with a detailed explanation of how the broken passwords were collected, their sources, and a general run-through of NIST-suggested strategies to make your passwords safer.
For the impatient, the simple approach is to go straight to the checker and see if your password has already been pwned. My current password passes the test, but a worrying number of my older and simpler passwords are all positive as pwned.
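A password you still use should not be typed into anyone's web form, which is exactly why the list is downloadable: hash locally and look the digest up yourself. Below is an added Python example of that offline check, plus the registration-time policy NIST SP 800-63B asks for (a minimum length and a check against known-breached passwords). It is my own code, not Troy Hunt's site or tooling. The tiny hash list it builds from a few plaintexts is a constructed stand-in for the real download, which is hundreds of millions of upper-case SHA-1 hex digests, one per line; the handling of an optional ":count" suffix is an assumption to cope with list formats that carry a prevalence count.

```python
import bisect
import hashlib

# Constructed stand-in for the downloaded list: the real file holds hundreds of
# millions of SHA-1 digests, these plaintexts exist only to build a small sample.
_CONSTRUCTED_LEAKS = ["password", "123456", "qwerty", "letmein", "P@ssw0rd", "iloveyou"]

# NIST SP 800-63B: user-chosen memorised secrets must be at least 8 characters
# (my summary of the guideline, not the page's text).
NIST_MIN_LENGTH = 8


def sha1_hex(password):
    """The list is keyed by upper-case hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_list(lines):
    """Turn the download (one digest per line) into a sorted list for bisection.

    Assumption: some list formats append ':count'; only the digest is kept.
    Blank lines are skipped and case is normalised."""
    digests = {line.strip().split(":")[0].upper() for line in lines if line.strip()}
    return sorted(digests)


SAMPLE_LIST = load_hash_list(sha1_hex(p) for p in _CONSTRUCTED_LEAKS)


def is_pwned(password, sorted_hashes=SAMPLE_LIST):
    """Binary search on the sorted digests; the plaintext never leaves this host."""
    digest = sha1_hex(password)
    i = bisect.bisect_left(sorted_hashes, digest)
    return i < len(sorted_hashes) and sorted_hashes[i] == digest


def check_new_password(password, sorted_hashes=SAMPLE_LIST):
    """Registration-time policy: length first, then the breach list.

    Returns None when the password is acceptable, otherwise the reason."""
    if len(password) < NIST_MIN_LENGTH:
        return "too short"
    if is_pwned(password, sorted_hashes):
        return "appears in a known breach"
    return None


if __name__ == "__main__":
    import getpass
    candidate = getpass.getpass("password to check (stays local): ")
    verdict = check_new_password(candidate)
    print("ok" if verdict is None else f"rejected: {verdict}")
```

For the real list, read the downloaded file with `load_hash_list(open(path))` once and keep the sorted result; at 306 million entries you will want a binary search over the file on disk or a database rather than a Python list in memory, but the lookup logic is the same.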