“Security Risks of Government Hacking”
Riana Pfefferkorn, Center for Internet and Society, Stanford University, September 4, 2018
This paper addresses six main ways that government hacking can raise broader computer security risks. These include:
* Creating a disincentive to disclose vulnerabilities that should be disclosed because other attackers might independently discover them;
* Cultivating a market for surveillance tools and 0-days;
* Risking that vulnerabilities exploited by the malware will be identified and used by other attackers, as a result of either law enforcement's losing control of the hacking tools, or discovery by outsiders of law enforcement's hacking ability;
* Creating an incentive to push for less-secure software and standards; and
* Risking that malware will affect innocent users.
There's also the possibility that government cracking might discourage the use of free software, which would be extremely disadvantageous even if it were not a security risk.
“Cortana Flaw Allowed Takeover of Locked Windows 10 Device”
Lindsey O'Donnell, Threatpost, August 9, 2018
Thanks to Cortana's “universal access methods” … researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.
The root cause behind “Open Sesame” (CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard — but allows Cortana invocation through the voice. So once Cortana is invoked, the lock screen no longer restricts it.
Once they have exploited the flaw, attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, …
“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it's the developers' responsibility,” said [Tal Be'ery of the Israel Institute of Technology].
Sure it is. This is another case of Microsoft designing the operating system so that it conforms to Microsoft's interests rather than to the preferences and needs of users and application developers.
“Breaking the Bluetooth Pairing — Fixed Coordinate Invalid Curve Attack”
Eli Biham and Lior Neumann, Technion, July 25, 2018
“Bluetooth Security: Flaw Could Allow Nearby Attacker to Grab Your Private Data”
Liam Tung, ZDNet, July 24, 2018
“Speculative Execution, Variant 4: Speculative Store Bypass”
Jann Horn, Monorail, Project Zero, February 6, 2018
“Side-Channel Vulnerability Variants 3a and 4”
United States Computer Emergency Readiness Team, May 22, 2018
“Spectre Chip Security Vulnerability Strikes Again; Patches Incoming”
Steven J. Vaughn-Nichols, Zero Day, May 22, 2018
Security researchers have discovered a way to hack a widely used model of electronic keys, adopted by more than forty-two thousand hotels in one hundred and sixty-six countries.
The researchers reported the vulnerability to the manufacturer about a year ago, and earlier this year the manufacturer provided customers with patches for the central server software. The firmware on each lock also needs to be upgraded by someone who is physically present at the lock. There's no way to determine how many of the locks have received the upgrade.
“Hackers Built a ‘Master Key’ for Millions of Hotel Rooms”
Zach Whittaker, Zero Day, April 25, 2018
A security researcher who is also a Panera Bread customer and has a customer account at the Panera Web site discovered a vulnerability that allowed any account holder to download Panera's dossier about any other account holder. He immediately sent an e-mail to firstname.lastname@example.org, but it bounced. He looked up the company's chief of security, who ignored his Twitter, LinkedIn, and e-mail messages until the researcher found a third party to effect a proper introduction. At that point the chief of security explained that he thought the earlier messages had been either a hoax or a scammer's attempt to drum up business.
Once communication had been established, the researcher asked for and received the chief of security's PGP public key and sent him the encrypted version of a full report on the vulnerability. The chief of security did not reply to the researcher's repeated inquiries about whether he had received and successfully decrypted the report, but ultimately declared, “Thank you for the information we are working on a resolution.”
The researcher then checked every month or so to see whether the vulnerability had been fixed. It never was. After a few months, the researcher published the details and called in some prominent reporters in the field (notably Brian Krebs of Krebs on Security and Dissent Doe of DataBreaches.net). Krebs's article on the subject managed to elicit a reaction from Panera: They took their Web site down for a while and pretended to fix the problem, and published a press release saying that the breach affected about ten thousand customers. When it came back up, an investigative team at HoldSecurity (prompted by Krebs) found that the breach affected all forty-one million of Panera's account holders, and moreover that Panera had made the same kind of mistake in many other places on its Web site, leaking a lot more data about the company.
“No, Panera Bread Doesn't Take Security Seriously”
Dylan Houlihan, Medium, April 2, 2018
1. We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don't know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.
2. We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It's easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.
3. If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. Make this process obviously distinct from the “Hi, I think my account is hacked” customer support process. Make sure this is immediately read by someone qualified and engaged to investigate those reports, both technically and practically speaking. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.
Taking off from the controversial keylogger implemented in Cascading Style Sheets, this article surveys the various security holes that Web authors sometimes open up by incautiously borrowing or linking to CSS that they have not inspected and vetted.
“Third Party CSS Is Not Safe”
Jake Archibald, February 27, 2018
A threat analysis of self-driving cars, considered as potential weapons of hackers and terrorists.
Zach Aysan, January 17, 2018
At the end of the essay, Aysan provides about forty specific recommendations about how to design secure computer networks for cars and what constraints should be imposed on them. Here's an example:
I have a number of ideas on how to approach a solution to this problem, but the most important one is this: Engineers and software professionals need to recognize that our politicians aren't able to intelligently regulate autonomous devices and our corporations lack the incentives to completely protect us. A well-funded, open source effort with clear recommendations will be the most effective way to secure the future.
Safety modules should have no ports and no network connection to debugging devices or update servers. The code that commands them should not be alterable at the hardware layer. Their job is simple: Relay commands and initiate emergency shutdowns. They should be designed to be regularly recyclable, and should be physically replaced in secure, government-run facilities when requiring an upgrade.