Monday, October 16, 2017

Another one bites the dust...
One of the 'Biggest Online Security Threats Ever'? Wi-Fi Security May Have Been Cracked
WPA2, the security protocol used to protect most Wi-Fi connections, has reportedly been cracked. This means that wireless internet traffic could be vulnerable to eavesdroppers and attacks.
At 8 a.m. EDT October 16, researchers plan to share the findings of their proof-of-concept exploit called KRACK, which is short for Key Reinstallation Attacks.
US-CERT, the Computer Emergency Readiness Team, issued the following warning, first published by Ars Technica:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
The details and severity of the threat will become clearer once the findings have been released. However, if the vulnerability of WPA2 is similar to that of earlier security standards like WEP, this could be one of the “biggest online security threats ever.” Mashable reports that regardless of the strength of your password, Wi-Fi connections could be open to hackers, and users concerned about the security of their connection should avoid using Wi-Fi entirely until a solution is in place.
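As an added illustration (not the researchers' code and not part of the original post), the toy model below shows what a "key reinstallation" in the 4-way handshake means and why the fix is to install a handshake key only once: the client class, the toy keystream and the constructed key are assumptions, and the model assumes that installing a key resets its packet number, so installing the same key twice reuses nonces.

```python
# Added illustrative model of a key-reinstallation flaw in a WPA2-style
# 4-way handshake client, beside the patched behaviour. Hypothetical code;
# the handshake, key and keystream are simplified stand-ins.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    strict: bool                      # True = patched: install the PTK only once
    ptk: Optional[bytes] = None
    packet_number: int = 0            # per-key nonce counter
    installed: bool = False
    nonces_used: List[int] = field(default_factory=list)

    def on_msg3(self, ptk: bytes) -> None:
        """Handle handshake message 3, which may be a retransmission."""
        if self.installed and self.strict:
            # Patched: the key is already in use, so do not reinstall it.
            return
        # First install, or the vulnerable reinstall: (re)install the key
        # and reset the packet number, i.e. the nonce counter, to zero.
        self.ptk = ptk
        self.packet_number = 0
        self.installed = True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame; the nonce is the current packet number."""
        nonce = self.packet_number
        self.packet_number += 1
        self.nonces_used.append(nonce)
        # Toy keystream stand-in (constructed): the real cipher derives it
        # from the PTK and the nonce, so same key + same nonce = same keystream.
        keystream = bytes((self.ptk[i % len(self.ptk)] + nonce) & 0xFF
                          for i in range(len(plaintext)))
        return nonce, bytes(p ^ k for p, k in zip(plaintext, keystream))


def nonce_reuse_after_retransmit(strict: bool) -> bool:
    """Simulate msg3, two data frames, a retransmitted msg3, one more frame.
    Returns True if any nonce was used twice under the same key."""
    ptk = b"constructed-test-key"          # constructed sample key
    client = Client(strict=strict)
    client.on_msg3(ptk)
    client.send(b"frame one")
    client.send(b"frame two")
    client.on_msg3(ptk)                    # retransmitted message 3
    client.send(b"frame three")
    return len(client.nonces_used) != len(set(client.nonces_used))
```

The vulnerable client reuses nonce 0 after the retransmission, which is the keystream reuse behind the decryption and replay impact named in the US-CERT note; the strict client never does.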

Learn to hack properly: Take our Ethical Hacking class.
Easy-to-get hacking device puts KU professors’ information in student’s hands
… The KU hacker was an engineering student who used a keystroke logger to pry into professors’ computers and change all his failing grades to A’s.
“He may never even have gotten caught, but he got greedy,” said Ron Barrett-Gonzalez, an engineering professor at KU. “It does look a little suspicious when you are on academic probation and the dean’s honor roll at the same time.”

If you should decide to hack back, remember the immortal words of Elmer Fudd, “Be vewy, vewy careful!”
Active Cyber Defense Certainty Act
by Sabrina I. Pacifici on Oct 15, 2017
The Register: “Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them. The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker. “While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” said co-sponsor Representative Tom Graves (R-GA). “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.”
  • “I never thought of it this way. It’s basically the cyber version of being allowed to murder someone for entering your property.” — MalwareTech (@MalwareTechBlog) October 13, 2017

Big company, small country? Does Microsoft need the Netherlands?
Peter Bright reports:
The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.
To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn’t always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection—though this language still wasn’t explicit about what was collected and why—and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.
Read more on Ars Technica.

Small company, big country? This could never happen here, could it?
Russia Fines Telegram For Not Giving Backdoor Access
A Russian court on Monday fined the popular Telegram messenger app for failing to provide the country's security services with encryption keys to read users' messaging data.
According to a scan of the complaint posted online by Durov, the FSB had sent a letter to Telegram in July demanding "information necessary to decode users' sent, received, delivered and processed electronic messages".

(Related). Perhaps it could happen here!
Inside Privacy writes:
In a speech delivered at the United States Naval Academy on October 10, Deputy Attorney General Rod Rosenstein waded into the public debate between data privacy and law enforcement interests. As part of a discussion moderated by former Covington cybersecurity attorney Jeff Kosseff, Rosenstein’s remarks discussed cyber issues facing law enforcement with a particular focus on the advent of “warrant-proof” encryption. In his view, warrant-proof encrypted data and devices are unable to be intercepted or unlocked by law enforcement, even with a court order.
Noting that “[p]rivate sector entities are crucial partners” in the fight against cyber threats, Rosenstein expressed concerns about the role played by tech companies in advancing warrant-proof encryption. While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein argued that “[w]arrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.”
Read more on Covington & Burling Inside Privacy.

The new rules of the road?
Alphabet is training law enforcement on how to handle self-driving car crashes
Alphabet’s self driving car division Waymo has been testing its fleet of robot cars in four states across the country — Washington, California, Arizona, and Texas — and it has started to work with local law enforcement agencies and first responders to figure out what to do after a collision and create new protocols.
That includes what a fully driverless car should do when it hears a siren coming toward it — yes, Waymo driverless cars can hear — as well as how police officers, or first responders can access the cars in emergency situations.
In a new 43-page report (pdf) that Waymo published Thursday, the company detailed some of its efforts to respond to (and avoid) collisions. Those efforts can be broken up into three parts: How the cars stop in unsafe working conditions; how the cars respond to sirens/emergency vehicles; and what happens after an accident.

Perspective. Poor Mark Zuckerberg is going to be broke. Maybe that’s why he wants to run for President?
Nearly half of U.S. teens prefer Snapchat over other social media
Snapchat is more popular among U.S. teens than ever, according to new research from investment firm Piper Jaffray. The company surveys teens in the U.S. about their media habits every spring and fall.

Hey, it’s a start!
Pen America Report – Faking News: Fraudulent News and the Fight for Truth
by Sabrina I. Pacifici on Oct 15, 2017
“Warning that the spread of “fake news” is reaching a crisis point, Faking News: Fraudulent News and the Fight for Truth evaluates the array of strategies that Facebook, Google, Twitter, newsrooms, and civil society are undertaking to address the problem, stressing solutions that empower news consumers while vigilantly avoiding new infringements on free speech. Faking News rates the range of fact-checking, algorithmic, educational, and standards-based approaches being taken to counter the proliferation of fake news and sounds a warning bell for tactics that risk suppressing controversial speech, such as giving government new powers to regulate or calling on social media companies to block specific content entirely. Arguing that Facebook, Google, and Twitter—which are many Americans’ primary channels for news consumption—must play a critical and transparent role in curbing the spread of false news, the report spells out a series of specific strategies that center on empowering news consumers with access to fact-checking initiatives and news literacy programs. The “News Consumers Bill of Rights and Responsibilities” outlines what consumers should expect from the outlets and social media platforms that convey news and how they can protect themselves and others. The report also includes an executive summary that outlines the report’s key findings.”

I love lists like this. I wonder how many Top Ten Techs have completely fizzled?
Gartner Top 10 Strategic Technology Trends for 2018
by Sabrina I. Pacifici on Oct 15, 2017
Gartner: “Artificial intelligence, immersive experiences, digital twins, event-thinking and continuous adaptive security create a foundation for the next generation of digital business models and ecosystems…”
