Facbook’s People You May Know algorithm has been of interest for security minded people for a while. A number of “weird” and inappropriate suggestions has led to Gizmodo digging deeper into the underlying systems and approaches. In fairness, most of the approach is clearly highlighted in the respective EULA’s, but how many users actually reads them?
Category: Security
Another Crypto Currency Hard Fork?
Etherum (the most referred to competitor to Bitcoin currently) has had another “incident”. You may remember the USD 32 million USD hack on Etherum in July and the subsequent (heavily criticized) hard fork to zero out the hack. Now a “mistake” from a developer has locked down wallets worth USD 300 million. The attack relates to a quirk in Etherum’s multisignature wallets, and will most likely require another hard fork to rectify. Again a warning that crypto currencies are still evolving, in most cases at a slower pace than the money thrown at it.
KRACK: Key Reinstallation Attacks
Mathy Vanhoef and Frank Piessens of KU Leuve have discovered a critical flaw in the way WPA2 encryption for all known WiFi implementations. Some time to caveat on the width of the discovery, the attacker needs physical access to the network, and will only see non-encrypted transmissions. Until the vendors patch their implementations the only interim solution is to treat your home WiFi as you would a public WiFi, using HTTPS and in an ideal world VPN form the individual client.
This overview on Github shows the current state of fixes from the vendors. I somewhat sadly note that the majority of my HW is under the “No Known Official Response” category!
Sports Hacking
This is (I suppose) an logical evolution of technology and its use: The Boston Redsox have been caught using Apple Watches to steal New York Yankees pitching calls. For those that don’t follow baseball, the pitcher and the catcher will through hand signals agree on the required pitch. The Red Sox relayed this info to the batting coach, and the batter was informed the most likely pitch to come.
An informed write-up can be found on NY Times.
More Bluetooth Issues in the Wild
Bluetooth seems to be the flavour of the month lately in hacking, and a number of issues have been highlighted lately. The “best” on so far is the blueborne – an airborne hack through Bluetooth with great potential for harm. An analysis from Armis shows how it works.
When should you stop trusting you vendors?
There has always been an uncomfortable relationship between a customer and their security vendors, in particular with the relationship between the vendor and state agencies. Normally a concern with US vendors, bur lately Kapersky has been accused of providing Russian Agencies access to their customers. It should be pointed out that the proof provided is not good, but enough for actors like the US Government banning the use of all Kapersky products. An breakdown of the allegation can be found in this analysis from ArsTechnica, summing up the info from primarily sources behind pay-walls.
New Chrypto standards and government participation
There has always been a tenuous relationship between security standards and the participation of governmental agencies in setting them. There was always rumors of back-doors, NSA and DES the strongest and longest living rumor mil. Now this has impacted the next generation of chrypto, and 2 proposed NSA chrypto schemes: Simon and Speck. Through strong international objections and concerns on these becoming ISO standards they have been allowed only in their strongest versions, as there is concern that there is a potential weakness to be exploited by said governmental agencies. Another example of the world post Snowden.
More fun with expired versions of Windows
Another day, another vendor is caught running critical infrastructure on expired OS’s. This time Medicine, and Siemens medical scanners. This ICS-CERT advisory points out that Siemens PET-CT solutions are running on Windows 7, un-patched by Siemens since 2015 and thus at least 3 known security holes exposed. The corresponding Siemens advisory is to disable network connections for the devices until patched. I wonder how many more proprietary solutions with this issue we will come across.
Social Bots and the creation of fake news
An enlightening article in MIT’s Technology Review on the work done by Chengcheng Shao and colleges at Indiana University on the impact of Social Bot Nets focusing on the propagation of news from 122 identified fake news sites into social media. This was then weighted against 15.000 stories from accredited news sites for comparison and setting up platforms to keep real and bot users apart in the analysis. Interesting read.
Do you have one of the 306,000,000 passwords already hacked?
Troy Hunt (of Have I Been Pwned) has made his collection of 306 million pawned hashes available online with a detailed explanation of the collection of the broken passwords, the sources and a general run through of NIST suggested strategies to make you passwords more safe.
For the inpatient ones the simple approach is to go straight for the checker and see if your password has already been pawned. My current password pass the test, but a worrying amount of my older and simpler passwords are all positive as pawned. Continue reading “Do you have one of the 306,000,000 passwords already hacked?”