Oh for fuck's sake, not this fucking bullshit again (cryptography edition)


America, Canada, New Zealand, the UK and Australia are in a surveillance alliance called The Five Eyes, through which they share much of their illegally harvested surveillance data.

In a recently released Statement of Principles on Access to Evidence and Encryption, the Five Eyes powers have demanded, again, that strong cryptography be abolished and replaced with defective cryptography so that they can spy on bad guys.

They defend this by saying "Privacy is not absolute."

But of course, working crypto isn't just how we stay private from governments (though god knows all five of the Five Eyes have, in very recent times, proven themselves to be catastrophically unsuited to collect, analyze and act on all of our private and most intimate conversations). It's how we make sure that no one can break into the data from our voting machines, or push lethal fake firmware updates to our pacemakers, or steal all the money from all of the banks, or steal all of the kompromat on all 22,000,000 US military and government employees and contractors who've sought security clearance.

Also, this is bullshit.

Because it won't work.

Here's the text of my go-to post about why this is so fucking stupid. I just can't be bothered anymore. Jesus fucking christ. Seriously? Are we still fucking talking about this? Seriously? Come on, SERIOUSLY?
Before You Turn On Two-Factor Authentication… – Stuart Schechter – Medium

Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks. The second factors you can use to identify yourself include authenticator apps on your phone, which generate codes that change every 30 seconds, and security keys, small pieces of hardware similar in size and shape to USB drives. Since innovations that can actually improve the security of your online accounts are rare, there has been a great deal of well-deserved enthusiasm for two-factor authentication (as well as for password managers, which make it easy to use a different random password for every one of your online accounts.) These are technologies more people should be using.

However, in trying to persuade users to adopt second factors, advocates sometimes forget to disclose that all security measures have trade-offs . As second factors reduce the risk of some attacks, they also introduce new risks.
Breaking the Bluetooth Pairing – Fixed Coordinate Invalid Curve Attack
The Fixed Coordinate Invalid Curve Attack is a new attack, which could be applied to all current Bluetooth pairing protocols. The pairing protocol is the process of connection establishment in Bluetooth. This process supplies the ground for all of the security and privacy features provided by Bluetooth. Failing to secure this process compromises th...
I don't expect there to be an update for my $20 earphones; I'd be surprised if they even have a mechanism to be updated. I'd also be surprised if I could track down the actual manufacturer.

If I remember correctly, the good news is that, if one of the devices is fixed, you are good. I still get monthly security updates for my phone, so hopefully it will be fixed there.
  last edited: Thu, 26 Jul 2018 08:10:39 -0400  
The "S" in IOT stands for Security.
Digikey has a pretty good high-level overview of the issues surrounding Bluetooth security. It has gotten better since BLE 4.2 introduced encryption, but the older protocols were Swiss cheese; that's what happens when your two most important design criteria are power consumption and price.
Wi-Fi security is starting to get its biggest upgrade in over a decade

Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.
Yeah I'm terrified the kangaroos will hack my wi-fi. Lord knows what insidious mischief they could cause.

I'm actually more worried about the routers themselves, because we know there has been relentless pressure to provide back doors. (The fact that every major manufacturer and every major device has pretty much the same back doors can hardly be a coincidence). And many of these have now been exposed. A wi-fi protocol upgrade would seem like the perfect way to get the masses to install new devices with updated back doors which are more difficult to detect. #justsayin
I knew there was a catch...  Why is it never easy?
Your existing client devices may be able to upgrade to WPA3, too. It all depends on the manufacturer. WPA3 access points will support both WPA2 and 3 devices at the same time, so it won't be an all or nothing situation.
Grammarly's flawed Chrome extension exposed users' private documents


The grammar-correcting browser extension is used by about 22 million users.
I’m harvesting credit card numbers and passwords from your site. Here’s how.

The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
Great article.
Although this is all made up, it worries me that none of this is hard.
Spectre and Meltdown Attacks Against Microprocessors - Schneier on Security

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.

Star Wars Episode IV.1.d: The Pentesters Strike Back
by CyberPoint International on Vimeo

It is a period of cyber war. In an effort to sustain commerce during these challenging times, the Galactic Trade Federation has required the Empire retain the services of a consultancy on Kessel (a best-value provider, and only twelve parsecs away) to assess the state of their security before signing off on the newly-constructed DEATH STAR campus.
Laptop touchpad driver included extra feature: a keylogger


Researcher finds logger, turned off by default, could be turned on with a registry change.
In the beginning was the word, and the word was 'Hey, you, Keyboard Developer!'

The subtle distinction between debugging at the keyboard and debugging the keyboard.
Germany Preparing Law for Backdoors in Any Type of Modern Device

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.
All of the last interior ministers believed they had to break the Basic Law to do their jobs. Until now the constitutional court has decided against these attempts.
Yes, this could be prevented. It seems to be part of the political game to go into negotiations with the highest possible demand.
Pro tip: You can log into macOS High Sierra as root with no password


Apple, this is Windows 95 bad – but there is a workaround to kill the bug

The photo to go with this is epic, :-)
  last edited: Thu, 07 Sep 2017 21:26:46 -0400  
Equifax data leak may affect nearly half the US population

Hackers steal Social Security numbers, birthdates, addresses and more from potentially up to 143 million people.

When looking for this story, the first thing I found was... :-)

Humble Book Bundle: Cybersecurity presented by Wiley


Pay what you want for cybersecurity ebooks and support charity!
New Girl Scout badges focus on cyber crime, not cookie sales


Cookie sales may take a back seat to fighting identity theft and other computer crime now that Girl Scouts as young as 5 are to be offered the chance to earn their first-ever cyber security badges.
Vendors approve of NIST password draft

The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies.

Some of the recommendations:
- Remove periodic password change requirements
- Drop the algorithmic complexity song and dance
- Require screening of new passwords against lists of commonly used or compromised passwords
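The three recommendations above translate directly into a password-acceptance check. The following is an added example, not code from the linked article or from NIST: it enforces a minimum length, imposes no composition rules and no expiry, and screens candidates against a breach list by SHA-1 hash. It goes slightly beyond the three bullets by also rejecting context-specific words (the username or service name) and repetitive or sequential runs, both of which appear in NIST SP 800-63B; the 8/64 length limits and the five-entry breach list are assumptions constructed for the demonstration.

```python
import hashlib
import re
from typing import List

# Assumed limits: SP 800-63B sets 8 characters as the minimum for a user-chosen
# secret and requires that at least 64 characters be accepted.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed sample breach list. In practice this would be the SHA-1 digests of a
# large leaked-password corpus; storing digests rather than plaintext keeps the
# screening list from doubling as a ready-made cracking dictionary.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "iloveyou"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED}


def is_breached(password: str) -> bool:
    """Exact-match screening against the (constructed) compromised-password set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def has_repetitive_or_sequential(password: str) -> bool:
    """Reject runs like 'aaaa', 'abcd' or '4321' (four or more characters)."""
    if re.search(r"(.)\1{3,}", password):
        return True
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - 3):
        window = codes[i:i + 4]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str, username: str = "", service: str = "") -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    Deliberately absent: character-class composition rules and any periodic-change
    requirement. Length plus screening is the whole policy.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context-specific word {ctx!r}")
    if has_repetitive_or_sequential(password):
        problems.append("repetitive or sequential characters")
    if is_breached(password):
        problems.append("appears in a list of compromised passwords")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "123456"]:
        verdict = check_password(candidate, username="alice", service="example")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

A long passphrase with no digits or symbols passes, while a short "complex" string that happens to be in the breach list does not; that inversion of the old complexity rules is the point of the draft.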
Android devices can be fatally hacked by malicious Wi-Fi networks

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.
Critical security update: PHPMailer 5.2.18 (CVE-2016-10033) - SANS Internet Storm Center
Vulnerability: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Severity: CRITICAL

ISC recommended action: Patch...now. This is a very popular application, left unpatched it will be exploited.
A new twist on "refer-a-friend"...

Ransomware Gives Free Decryption Keys to Victims Who Infect Others
Ransomware still under development called Popcorn Time forces victims to either pay the ransom, or try to infect other machines in exchange for the decryption key.
I'm told that in order to get the key you have to not only infect other machines, but must also get one of them to pay up. If none of your victims pays up, you're still stuffed.
That matches my reading as well.
Dirty COW explained: Get a moooo-ve on and patch Linux root hole


Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
InfoSec Handlers Diary Blog - Dropbox Breach
Dropbox has just been added to the myriad of sites that have been hacked.  It seems that back in 2012 there was a breach and around 60 million accounts were stolen.  There is now evidence surfacing that the details from the accounts are out there.  Dropbox is forcing password changes for a number of users that have been affected.