cryptography


What you missed in cybersecurity this week

There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories of the week to keep you in the know and up to speed.

Malicious websites were used to secretly hack into iPhones for years, says Google

TechCrunch: This was the biggest iPhone security story of the year. Google researchers found a number of websites that were stealthily hacking into thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said it was an “indiscriminate” attack through the use of previously undisclosed so-called “zero-day” vulnerabilities.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers found a serious flaw in the key fobs used to unlock Tesla’s Model S cars, successfully cracking the fob’s encryption once again. It turns out the encryption key had been doubled in size since the first time it was cracked; using twice the resources, the researchers cracked the key again. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

TechCrunch: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was first raised in 2017, but the Irish regulator is looking at whether these changes go far enough — and whether users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based on 2018’s figures, Microsoft could see fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It is one of several offensive operations against a foreign target that the U.S. government has conducted in recent months. Iran’s military seized a British tanker in July in retaliation for a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but it sparked concern that Iran may be able to quickly get back on its feet by fixing the vulnerability the Americans used to shut down Iran’s operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

TechCrunch: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users will actively have to allow Apple staff to “grade” audio snippets made through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) services. FortiGate and Pulse Secure let remote employees tunnel into their corporate networks from outside the firewall. But these VPN services contain flaws which, if exploited, could let a skilled attacker tunnel into a corporate network without needing an employee’s username or password. That means they can get access to all of the internal resources on that network — potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities in these widely used corporate VPNs were first revealed. Thousands of vulnerable endpoints remain exposed — months after the bugs were fixed.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

TechCrunch: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury said the accused hacker, Paige Thompson, should be indicted on new charges. The alleged hacker is said to have created a tool to detect cloud instances hosted by Amazon Web Services with misconfigured web firewalls. Using that tool, she is accused of breaking into those cloud instances and installing cryptocurrency mining software. This is known as “cryptojacking,” and relies on hijacking computer resources to mine cryptocurrency.

Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data

Most modern computers, even devices with disk encryption, are vulnerable to a new attack that can steal sensitive data in a matter of minutes, new research says.

In new findings published Wednesday, F-Secure said that none of the existing firmware security measures in any of the laptops it tested “does a good enough job” of preventing data theft.

F-Secure principal security consultant Olle Segerdahl told TechCrunch that the vulnerabilities put “nearly all” laptops and desktops — both Windows and Mac users — at risk.

The new exploit is built on the foundations of a traditional cold boot attack, which hackers have long used to steal data from a shut-down computer. Modern computers overwrite their memory when a device is powered down to stop the data from being read. But Segerdahl and his colleague Pasi Saarinen found a way to disable the overwriting process, making a cold boot attack possible again.

“It takes some extra steps,” said Segerdahl, but the flaw is “easy to exploit.” So much so, he said, that it would “very much surprise” him if this technique isn’t already known by some hacker groups.

“We are convinced that anybody tasked with stealing data off laptops would have already come to the same conclusions as us,” he said.

It’s no secret that if someone has physical access to a computer, the chances of them stealing your data are usually greater. That’s why so many people use disk encryption — like BitLocker for Windows and FileVault for Macs — to scramble and protect data when a device is turned off.

But the researchers found that in nearly all cases they can still steal data protected by BitLocker and FileVault regardless.

After the researchers figured out how the memory overwriting process works, they said it took just a few hours to build a proof-of-concept tool that prevented the firmware from clearing secrets from memory. From there, the researchers scanned for disk encryption keys, which, when obtained, could be used to mount the protected volume.

It’s not just disk encryption keys at risk, Segerdahl said. A successful attacker can steal “anything that happens to be in memory,” like passwords and corporate network credentials, which can lead to a deeper compromise.

Their findings were shared with Microsoft, Apple, and Intel prior to release. According to the researchers, only a smattering of devices aren’t affected by the attack. Microsoft said in a recently updated article on BitLocker countermeasures that using a startup PIN can mitigate cold boot attacks, but Windows users with “Home” licenses are out of luck. And any Apple Mac equipped with a T2 chip is not affected, though a firmware password would still improve protection.

Both Microsoft and Apple downplayed the risk.

Acknowledging that an attacker needs physical access to a device, Microsoft said it encourages customers to “practice good security habits, including preventing unauthorized physical access to their device.” Apple said it was looking into measures to protect Macs that don’t come with the T2 chip.

When reached, Intel declined to comment on the record.

In any case, the researchers say, there’s not much hope that affected computer makers can fix their fleet of existing devices.

“Unfortunately, there is nothing Microsoft can do, since we are using flaws in PC hardware vendors’ firmware,” said Segerdahl. “Intel can only do so much, their position in the ecosystem is providing a reference platform for the vendors to extend and build their new models on.”

Companies, and users, are “on their own,” said Segerdahl.

“Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case,” he said.
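A defender-side check for the mitigation the article mentions (a BitLocker startup PIN), added here as an example and not part of the article or of F-Secure’s research: it lists operating-system volumes whose only TPM-type protector is TPM-only, the configuration that releases the volume key to RAM as soon as the machine boots, and offers a helper to move them to TPM+PIN. It assumes Windows Pro/Enterprise with the BitLocker PowerShell module, an elevated session, a recovery password protector already in place, and Group Policy that allows TPM+PIN; the function names are my own.

```powershell
# Added example, not from the article. Audit BitLocker OS volumes for TPM-only
# protection, which a cold boot attack can target because the TPM unseals the
# volume master key without any user secret being entered pre-boot.
function Get-BitLockerColdBootExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # TpmPin / TpmPinStartupKey require a pre-boot secret before the key is unsealed.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ', ')
            StartupPinPresent = $hasPin
            ColdBootExposed   = ($vol.ProtectionStatus -eq 'On') -and $tpmOnly
        }
    }
}

# Remediation for an exposed volume: BitLocker allows only one TPM-type protector,
# so the TPM-only protector is removed first and a TPM+PIN protector added in its
# place. Keep a recovery password protector on the volume before running this.
function Set-BitLockerStartupPin {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

# Report first; remediate only the volumes flagged as exposed, e.g.:
#   $pin = Read-Host -AsSecureString 'New startup PIN'
#   Get-BitLockerColdBootExposure | Where-Object ColdBootExposed |
#       ForEach-Object { Set-BitLockerStartupPin -MountPoint $_.MountPoint -Pin $pin }
Get-BitLockerColdBootExposure | Format-Table -AutoSize
```

The PIN prompt appears at the next boot, so test on one machine before rolling out; if Group Policy disallows TPM+PIN, Add-BitLockerKeyProtector fails and the volume is left with only its recovery password protector until the policy is corrected.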

Coinbase plots to become the New York Stock Exchange of crypto securities

The future of Coinbase looks something like the New York Stock Exchange. That’s according to a vision laid out by CEO Brian Armstrong, who was interviewed on stage at TechCrunch Disrupt in San Francisco today.

Coinbase is known for being the most popular exchange for converting fiat currency into crypto — most of the largest traded exchanges are crypto-to-crypto — but he foresees a future in which it plays host to a growing number of cryptocurrencies as it becomes standard for companies to create their own token, which runs alongside equity as an alternative investment system.

“It makes sense that any company out there who has a cap table… should have their own token. Every open source project, every charity, potentially every fund or these new types of decentralized organizations [and] apps, they’re all going to have their own tokens,” Armstrong said.

“We want to be the bridge all over the world where people come and they take fiat currency and they can get it into these different cryptocurrencies,” he added.

Brian Armstrong (Coinbase) says crypto regulation will result in the next version of the stock market #TCDisrupt pic.twitter.com/2kyxAmhPSZ

— TechCrunch (@TechCrunch) September 7, 2018

That tokenized future could see Coinbase host hundreds of tokens within “years” and even potentially “millions” in the future, according to Armstrong. That’s a big jump from the five cryptocurrencies it currently supports, and it would make it far larger than financial institutions like the New York Stock Exchange, which is actually a Coinbase investor and is getting into Bitcoin, or the NASDAQ.

One of the critical pieces of making this vision a reality is, of course, regulation. This week at Disrupt, others in the crypto space have argued that a lack of clarity around crypto regulation is costing the U.S., as innovation and startups are being developed in overseas markets. As the founder of a U.S.-based crypto startup that is valued at over $1 billion and is hiring hard, Armstrong doesn’t subscribe to that thesis, but he did admit that there is “a big open question” over whether the majority of the new rush of tokens he foresees will be securities or not.

Still, Coinbase has made moves to add security tokens to its portfolio with the acquisition of a securities dealer earlier this year.

“We do feel a substantial subset of these tokens will be securities,” he said. “Our approach has always been to be the most trusted [exchange] and the easiest to use. So we want to be the legal compliant place where you can start to trade these tokens that are classified as securities.”

“Web 1.0 was about publishing information, web 2.0 was about interaction and web 3.0 is going to be about value transfer on the internet because now the web has this native currency and so applications can be built that instantly tap into this global economy on the internet,” Armstrong added.

How international can crypto become? The Coinbase CEO thinks that the total number of people in the crypto ecosystem can reach one billion within the next five years, up from around 40 million today.

You can watch the full video from Armstrong’s interview below.

Note: The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.

Researchers create a light-based key distribution system for quantum encryption

Researchers at Duke University, OSU, and Oak Ridge National Laboratory have solved one of the biggest problems with new forms of quantum encryption: quantum key distribution. QKD is the process of distributing keys during a transmission in a way that will tell both sides of the conversation if someone is eavesdropping. The new system, which uses lasers to transmit multiple bits at once,…

Powered by WPeMatico

Researchers critique security in messaging app Confide

White House staffers have been drawn to Confide by its security features, which include messages that require a reader to run a finger over the text as they read and that self-destruct after reading. But security researchers say Confide isn’t living up to its encryption guarantee.
Fred Raynal and Jean-Baptiste Bédrune of Quarkslab published a proof-of-concept paper and video today that…
