Another Crypto Currency Hard Fork?

Ethereum (currently the most frequently cited competitor to Bitcoin) has had another “incident”. You may remember the USD 32 million hack on Ethereum in July and the subsequent (heavily criticized) hard fork to zero out the hack. Now a “mistake” from a developer has locked down wallets worth USD 300 million. The attack relates to a quirk in Ethereum’s multisignature wallets, and will most likely require another hard fork to rectify. Again a warning that crypto currencies are still evolving, in most cases at a slower pace than the money thrown at them.

KRACK: Key Reinstallation Attacks

Mathy Vanhoef and Frank Piessens of KU Leuven have discovered a critical flaw in WPA2 encryption that affects all known WiFi implementations. Some caveats on the breadth of the discovery: the attacker needs physical access to the network, and will only see non-encrypted transmissions. Until the vendors patch their implementations, the only interim solution is to treat your home WiFi as you would a public WiFi, using HTTPS and, in an ideal world, a VPN from the individual client.
This overview on GitHub shows the current state of fixes from the vendors. I somewhat sadly note that the majority of my HW is under the “No Known Official Response” category!

 

More fun with expired versions of Windows

Another day, another vendor is caught running critical infrastructure on expired OSes. This time it is medicine, and Siemens medical scanners. This ICS-CERT advisory points out that Siemens PET-CT solutions are running on Windows 7, unpatched by Siemens since 2015 and thus with at least 3 known security holes exposed. The corresponding Siemens advisory is to disable network connections for the devices until patched. I wonder how many more proprietary solutions with this issue we will come across.

Do you have one of the 306,000,000 passwords already hacked?

Troy Hunt (of Have I Been Pwned) has made his collection of 306 million pwned hashes available online, with a detailed explanation of how the broken passwords were collected, the sources, and a general run-through of NIST-suggested strategies to make your passwords safer.
For the impatient ones, the simple approach is to go straight for the checker and see if your password has already been pwned. My current password passes the test, but a worrying number of my older and simpler passwords are all positive as pwned.

The end of Symantec as a Root CA

Symantec’s CA services have been in a lot of trouble in the last couple of years, caught multiple times issuing certificates to parties other than the owners of the domains. They have been or are being removed as trusted root CAs by the browser manufacturers. Google (and thus Chrome) is the last one to publish its plans. BleepingComputer has a nice breakdown of the steps agreed between Google and Symantec; in essence, Symantec is demoted to being a child of a more trusted root CA. There is an opening for Symantec to start a new CA root attempt, but one must expect that they’ve burnt their fingers enough in this business area.

Skimming devices now call home

A new generation of mag-stripe skimmers with a fully built-in GSM device has been found in US petrol pumps, as shown in a recent article by Brian Krebs. The captured devices contained a common T-Mobile GSM SIM, allowing the captured data to be immediately transferred via SMS to the skimmers for real-time use and abuse. All of course down to the US slowness in implementing the Chip / PIN security aspects of EMV.

Nation State hacking and its impacts (this time in the Middle East)

Nation State hacking gets little attention outside of when stupid mistakes are made (Stuxnet springs to mind), but is still prevalent. An op-ed by Adam Segal in NY Times has a good update on the recent activities in the Middle East, focusing on the alleged UAE hacking into Qatar news and government systems. As was noted by Peter G. Neumann, this is not the first time we have seen this lately.

DEFCON 25 – Electronic Voting Machines hacked

A write-up on Alternet on the DEFCON 25 hack attack on American electronic voting machines, with an attached video showing the hacks done live. The attacks took from minutes to hours, but all were hacked and altered with little or no traces left behind. Another warning on using technology before it is ready for the use you intend. The safety of electronic voting has always been questioned; here is a further argument against using the technology for elections until it is fault proof.

Bitcoin Hard Fork – What Now?

There has been a serious amount of unrest in the Bitcoin community over how to address the block chain constraints and increase the processing efficiency of Bitcoin. The initial conflict around “Bitcoin Improvement Proposal 91” was addressed and closed. The current argument over Segwit2x has however not been resolved, and it has now led to a hard fork of Bitcoin and the creation of Bitcoin Cash for those that wanted changes in the block chain. Turmoil on conversions, who will support what, and how to move forward with Bitcoin. I am sure the other digital currencies are happy about this chaos!