
Topic: #security

Cracking Is a Bad Idea Even When the Good Guys Do It


Many national governments now claim the privilege of breaking into computers and networks that belong to their own citizens or subjects. Even when these system crackers are well-intentioned and wish only to promote the common good, their activities have some highly undesirable side effects.

“Security Risks of Government Hacking”
Riana Pfefferkorn, Center for Internet and Society, Stanford University, September 4, 2018

This paper addresses six main ways that government hacking can raise broader computer security risks. These include:

* Creating a disincentive to disclose vulnerabilities that should be disclosed because other attackers might independently discover them;

* Cultivating a market for surveillance tools and 0-days;

* Risking that vulnerabilities exploited by the malware will be identified and used by other attackers, as a result of either law enforcement's losing control of the hacking tools, or discovery by outsiders of law enforcement's hacking ability;

* Creating an incentive to push for less-secure software and standards; and

* Risking that malware will affect innocent users.

There's also the possibility that government cracking might discourage the use of free software, which would be extremely disadvantageous even if it were not a security risk.

#security #disclosing-vulnerabilities #state-sponsored-cracking

Cortana Runs Apps Even When the Screen Is Locked


“Cortana Flaw Allowed Takeover of Locked Windows 10 Device”
Lindsey O'Donnell, Threatpost, August 9, 2018

Thanks to Cortana's “universal access methods” … researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.

The root cause behind “Open Sesame” (CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard — but allows Cortana invocation through the voice. So once Cortana is invoked, the lock screen no longer restricts it.

Once they have exploited the flaw, attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, …

“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it's the developers' responsibility,” said [Tal Be'ery of the Israel Institute of Technology].

Sure it is. This is another case of Microsoft designing the operating system so that it conforms to Microsoft's interests rather than to the preferences and needs of users and application developers.

#Cortana #Microsoft #security

Bluetooth Is Broken


When Bluetooth devices are paired, each side generates an encryption keypair in which the public key is a more-or-less randomly selected point on an agreed-upon elliptic curve in the Euclidean plane. They exchange public keys, and then each side computes a session key by performing an arithmetic operation on its own private key and the other side's public key. The mathematical basis for the encryption system guarantees that the two computations have the same result even though they reach it in different ways. Eavesdroppers cannot infer the session key because they don't have either of the private keys.

However, the Bluetooth protocol doesn't authenticate both coordinates of the selected points, only the x-coordinates. This enables a “man in the middle” to insert a zero y-coordinate in place of the y-coordinate in a Bluetooth device's public key. The resulting point doesn't even lie on the agreed-upon elliptic curve, but it does lie on a curve that differs from the one actually used only by a vertical translation, and in fact lies at a point of order two on that curve, where two solutions to the curve's equation coincide.

It turns out that Bluetooth can be induced to accept the attacker's bogus public key as valid half the time. When the attack works, it enables the attacker to derive a session key and then passively decrypt subsequent exchanges or forge messages from the device. When it doesn't work, the pairing attempt simply fails. The legitimate Bluetooth device doesn't get a secure connection in either case. Anyone within wireless range (which varies from ten to a hundred meters, depending on the capabilities of the Bluetooth devices) who happens to know when pairing is being attempted can mount such an attack.
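A toy version of the exchange described above, added here as an illustration and not taken from the Biham and Neumann paper: the curve y^2 = x^3 + 2x + 2 over GF(17) with generator (5, 1) (a textbook example of group order 19, assumed here) stands in for the real Bluetooth curve, and `shared_point` shows the public-key validation that rejects a point whose y-coordinate has been replaced by zero.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity
PRIME, A, B = 17, 2, 2             # constructed toy curve y^2 = x^3 + 2x + 2 over GF(17)
G = (5, 1)                         # generator of a cyclic group of order 19 (assumed)

def is_on_curve(pt: Point) -> bool:
    """Public-key validation: an affine point must satisfy the curve equation."""
    if pt is None:
        return False
    x, y = pt
    return (y * y - x ** 3 - A * x - B) % PRIME == 0

def add(p1: Point, p2: Point) -> Point:
    """Affine addition with no curve check, like an implementation that skips validation."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None  # P + (-P); also 2P when y == 0, so such a point has order two
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, PRIME - 2, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, PRIME - 2, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication k * pt."""
    acc: Point = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def shared_point(priv: int, peer_pub: Point, validate: bool = True) -> Point:
    """ECDH result; a session key would be derived from its x-coordinate."""
    if validate and not is_on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    return mul(priv, peer_pub)

def forged_key(peer_pub: Point) -> Point:
    """The man in the middle's substitute: the authenticated x with y set to 0.
    Unvalidated, priv * (x, 0) is None for even priv and (x, 0) for odd priv."""
    return (peer_pub[0], 0)
```

Because the group order is odd, no point of the form (x, 0) lies on this curve, so the validation check catches every such substitution; a multiplication that goes ahead anyway yields one of only two possible results, decided by the parity of the private key.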

“Breaking the Bluetooth Pairing — Fixed Coordinate Invalid Curve Attack”
Eli Biham and Lior Neumann, Technion, July 25, 2018

“Bluetooth Security: Flaw Could Allow Nearby Attacker to Grab Your Private Data”
Liam Tung, ZDNet, July 24, 2018

#Bluetooth #security #key-exchange

Still More Spectre Variants


Almost all processors speculatively pre-execute a load instruction when they anticipate that any store instructions that precede it will not affect the contents of the memory location from which the value is loaded. The pre-execution is cancelled and discarded if this condition turns out to be false. Like other kinds of speculative execution, this one turns out to have side effects that can be detected and exploited by attackers to exfiltrate data from memory locations to which they should not have access.

“Speculative Execution, Variant 4: Speculative Store Bypass”
Jann Horn, Monorail, Project Zero, February 6, 2018

“Side-Channel Vulnerability Variants 3a and 4”
United States Computer Emergency Readiness Team, May 22, 2018

“Spectre Chip Security Vulnerability Strikes Again; Patches Incoming”
Steven J. Vaughn-Nichols, Zero Day, May 22, 2018

#spectre #hardware-design #security

Electronic Hotel Room Keys Hacked


Security researchers have discovered a way to hack a widely used model of electronic keys, adopted by more than forty-two thousand hotels in one hundred and sixty-six countries.

The researchers reported the vulnerability to the manufacturer about a year ago, and earlier this year the manufacturer provided customers with patches for the central server software. The firmware on each lock also needs to be upgraded by someone who is physically present at the lock. There's no way to determine how many of the locks have received the upgrade.

“Hackers Built a ‘Master Key’ for Millions of Hotel Rooms”
Zach Whittaker, Zero Day, April 25, 2018

#hacking #hacker-tech #security

Data Leaks? Who Cares?


A security researcher who is also a Panera Bread customer and has a customer account at the Panera Web site discovered a vulnerability that allowed any account holder to download Panera's dossier about any other account holder. He immediately sent an e-mail to, but it bounced. He looked up the company's chief of security, who ignored his Twitter, LinkedIn, and e-mail messages until the researcher found a third party to effect a proper introduction. At that point the chief of security explained that he thought the earlier messages had been either a hoax or a scammer's attempt to drum up business.

Once communication had been established, the researcher asked for and received the chief of security's PGP public key and sent him the encrypted version of a full report on the vulnerability. The chief of security did not reply to the researcher's repeated inquiries about whether he had received and successfully decrypted the report, but ultimately declared, “Thank you for the information we are working on a resolution.”

The researcher then checked every month or so to see whether the vulnerability had been fixed. It never was. After a few months, the researcher published the details and called in some prominent reporters in the field (notably Brian Krebs of Krebs on Security and Dissent Doe). Krebs's article on the subject managed to elicit a reaction from Panera: They took their Web site down for a while and pretended to fix the problem, and published a press release saying that the breach affected about ten thousand customers. When it came back up, an investigative team at HoldSecurity (prompted by Krebs) found that the breach affected all forty-one million of Panera's account holders, and moreover that Panera had made the same kind of mistake in many other places on its Web site, leaking a lot more data about the company.

“No, Panera Bread Doesn't Take Security Seriously”
Dylan Houlihan, Medium, April 2, 2018

1. We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don't know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.

2. We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It's easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.

3. If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. Make this process obviously distinct from the “Hi, I think my account is hacked” customer support process. Make sure this is immediately read by someone qualified and engaged to investigate those reports, both technically and practically speaking. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.

#data-leaks #security #security-mindset

More Untrustworthy CSS


Taking off from the controversial keylogger implemented in Cascading Style Sheets, this article surveys the various security holes that Web authors sometimes open up by incautiously borrowing or linking to CSS that they have not inspected and vetted.

“Third Party CSS Is Not Safe”
Jake Archibald, February 27, 2018

#Cascading-Style-Sheets #security #trust

Self-Driving Cars As Networked Weapons


A threat analysis of self-driving cars, considered as potential weapons of hackers and terrorists.

“Self-Crashing Cars”
Zach Aysan, January 17, 2018

I have a number of ideas on how to approach a solution to this problem, but the most important one is this: Engineers and software professionals need to recognize that our politicians aren't able to intelligently regulate autonomous devices and our corporations lack the incentives to completely protect us. A well-funded, open source effort with clear recommendations will be the most effective way to secure the future.

At the end of the essay, Aysan provides about forty specific recommendations about how to design secure computer networks for cars and what constraints should be imposed on them. Here's an example:

Safety modules should have no ports and no network connection to debugging devices or update servers. The code that commands them should not be alterable at the hardware layer. Their job is simple: Relay commands and initiate emergency shutdowns. They should be designed to be regularly recyclable, and should be physically replaced in secure, government run facilities when requiring an upgrade.

#security #autonomous-vehicles #network-warfare

This work is licensed under a Creative Commons Attribution-ShareAlike License.

John David Stone

created June 1, 2014 · last revised December 10, 2018