A new proof-of-concept hardware implant shows how easy it may be to hide malicious chips inside IT equipment. //
At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access. (Full disclosure: I'll be speaking at the same conference, which paid for my travel and is providing copies of my forthcoming book to attendees.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control. //
Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board; not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall's serial port. //
Elkins programmed his tiny stowaway chip to carry out an attack as soon as the firewall boots up in a target's data center. It impersonates a security administrator who has plugged a laptop directly into that serial console port to work on the firewall's configuration. The chip then triggers the firewall's password recovery feature, creates a new admin account, and gains access to the firewall's settings. //
Once the malicious chip has access to those settings, Elkins says, his attack can change the firewall's configuration to offer the hacker remote access to the device, disable its security features, and give the hacker access to the device's log of all the connections it sees, none of which would alert an administrator. The ASA does ship with a `no service password-recovery` option that turns the console recovery path into a configuration wipe rather than a bypass; whether that would defeat this particular implant is not addressed in the source.
Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address. //
your email address, phone number, or social media profile -- can be linked to your laptop or smartphone's Media Access Control (MAC) address. That's the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.
As Euclid explains in its privacy policy, "...if you bring your mobile device to your favorite clothing store today that is a Location -- and then a popular local restaurant a few days later that is also a Location -- we may know that a mobile device was in both locations based on seeing the same MAC Address." //
The defense is to turn Wi-Fi off on your phone when you're not using it. Newer iOS and Android releases also randomize the MAC address in the probe requests a phone sends while scanning, which makes passive linking across venues harder, though older devices and some configurations still broadcast the hardware address.
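The linking described above, as an added example that is not part of the original page or of Euclid's software: the sightings are constructed sample data standing in for probe requests captured at two venues, and the check for the locally administered bit (bit 1 of the first octet, which randomized MACs set) is how a tracker would have to separate stable hardware addresses from unlinkable randomized ones.

```python
"""Cross-venue device linking by Wi-Fi MAC address (added example).

Constructed sightings stand in for probe requests captured at two venues.
Randomized MACs (locally administered bit set) are recognized and not linked.
"""
from collections import defaultdict

# Constructed sample data: (venue, source MAC seen in a probe request)
SIGHTINGS = [
    ("clothing-store", "3c:22:fb:11:22:33"),
    ("restaurant",     "3c:22:fb:11:22:33"),   # same hardware MAC at both venues -> linkable
    ("clothing-store", "da:a1:19:44:55:66"),   # locally administered (randomized) MAC
    ("restaurant",     "f6:0b:7c:77:88:99"),   # locally administered (randomized) MAC
    ("clothing-store", "00:1a:2b:3c:4d:5e"),   # hardware MAC seen at one venue only
]


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized Wi-Fi MACs on iOS and Android set this bit, so the address is
    not a stable hardware identifier and cannot be used to link visits.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def link_visits(sightings):
    """Return {mac: sorted list of venues} for stable hardware MACs only."""
    venues_by_mac = defaultdict(set)
    for venue, mac in sightings:
        mac = mac.lower()
        if is_locally_administered(mac):
            continue  # randomized address: cannot be tracked across venues
        venues_by_mac[mac].add(venue)
    return {mac: sorted(venues) for mac, venues in venues_by_mac.items()}


def devices_seen_at_both(sightings, venue_a, venue_b):
    """MACs observed at both venues, i.e. the devices a tracker could tie together."""
    linked = link_visits(sightings)
    return sorted(mac for mac, venues in linked.items()
                  if venue_a in venues and venue_b in venues)
```

Only the one device that exposed its hardware address at both venues is linkable; the two randomized addresses drop out at the U/L-bit check, which is exactly why the randomization matters.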
Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various permutations of the input you submitted and see if they match the hash they have in their database.
For example, if your password is "myRealPassword!" but you submit "MYrEALpASSWORD!" (capslock on, shift inverting capslock). The submitted password obviously doesn't match what they have stored in their database. Rather than reject you flat out, Facebook tries to up the user experience by trying to "correct" a few common mistakes such as inserting a random character before or after, capitalizing (or not) the first character, or mistakenly using capslock. Facebook applies these filters one by one and checks the newly "corrected" password against what they have hashed in their database. If one of the permutations matches, Facebook assumes you simply made a small mistake and authorizes your session.
While worrying at first glance, this is still reasonably secure for a few reasons. First and foremost, Facebook is able to do this without storing the password in plaintext, because it transforms your provided (and untrusted) input from the form field and checks whether each variant matches the stored hash; the stored value itself is never altered. Secondly, this isn't very helpful to someone brute-forcing the password, because online attacks are nearly impossible thanks to rate limiting and captchas; each accepted variant does let a guesser cover a handful of passwords per attempt, but a constant factor of four or five is negligible next to the rate limit. Finally, the odds that an attacker or evil spouse knows the text of your password but not its capitalization are abysmally small, so the risk created by this feature is equally small. //
apparently logging in with a misspelled email address only works when you have not deleted Facebook cookies from your earlier session. Thus, it only autocorrects your email address when it knows that you used to log in as example@gmail.com, and otherwise fails. //
If you consider the login process as a whole, this measure can actually increase security. Instead of granting users several login attempts to manually fix common misspellings, the site fixes those misspellings automatically. As a result, the average number of login attempts a legitimate user needs goes down, which allows stricter rate limiting against an attacker who tries many different common passwords rather than slight variations of the same one.
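The variant-then-verify flow described above, as an added example (not Facebook's code and not from the original page): it assumes a salt plus PBKDF2-HMAC-SHA256 digest is what the server stores, and a variant set of caps-lock inversion, first-character case toggle, and one stray leading or trailing character, which is the set the text lists.

```python
"""Forgiving password check (added example; not Facebook's code).

Only a salt and a PBKDF2-HMAC-SHA256 digest of the real password are stored.
At login, a bounded set of variants of the submitted text is derived, and each
is hashed and compared in constant time; the stored value is never transformed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def candidates(submitted):
    """Yield the submitted text plus the common-mistake variants, deduplicated."""
    if not submitted:
        return
    variants = [
        submitted,
        submitted.swapcase(),                      # caps lock was on
        submitted[0].swapcase() + submitted[1:],   # first character case wrong
        submitted[1:],                             # stray character typed before
        submitted[:-1],                            # stray character typed after
    ]
    seen = set()
    for variant in variants:
        if variant and variant not in seen:
            seen.add(variant)
            yield variant


def verify_forgiving(submitted, salt, stored_digest):
    """True if the submitted text or one of its variants matches the stored hash."""
    for candidate in candidates(submitted):
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, stored_digest):
            return True
    return False
```

Each variant costs the server one more slow hash evaluation and hands an online guesser a few extra passwords per attempt; both are small constants, but they argue for keeping the variant list short and for counting failed attempts, not variants, against the rate limit.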
Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there's a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.
Generate a password the bad people can't guess, but you can easily remember.
Backdoors snuck into 12 OSS packages were downloaded hundreds of thousands of times. //
The only recourse once a server installs a backdoored app is to perform a complete rebuild, a task so onerous it’s sure to be skipped by many of the 100,000 or more systems that received one of the maliciously tampered packages discovered this week.
“Without a clean reinstall of the OS and application, along with key and credential rotation, there is a significant risk that the system will remain compromised,” Kenn White, director of the Open Crypto Audit Project, told Ars. “I've declined more than one engagement because the operators believed they could manually inspect the system via, for example, file differences, and make a valid assessment themselves. That's naive, to say the least.”
But after all this talk of GPUs and algorithms and hash speeds there’s one really, really simple solution that will take you 60 seconds to implement and will make your passwords near uncrackable. It’s this:
<add name="AspNetSqlMembershipProvider" minRequiredPasswordLength="30"
minRequiredNonalphanumericCharacters="5" />
That’s it – increase the length and complexity requirements to the point that it’s highly likely any chosen passwords will be unique, not to mention outside the range of most default cracking patterns. Of course unfortunately, nobody in their right mind is going to demand this degree of complexity because most users don’t have a means of tracking unmemorable passwords. It’s a shame though because that’s pretty much all our cracking problems solved right there.
But let me wrap this up with the following quote from the preface of Bruce Schneier’s Applied Cryptography:
There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.
This does indeed appear to be the case and unfortunately SHA is now firmly in the former category.
fast hashes are killing our security.
But let’s get a bit of context here – do we really need to be able to generate 4.7 billion password hashes per second? That’s like taking the entire Facebook population of over 900 million and sequentially hashing every single password 5 times every second. And that’s on consumer hardware. No, we don’t need to get anywhere even close to that.
The problem is that algorithms like MD5 and SHA were designed to demonstrate data integrity at high computational speed rather than to provide a password storage mechanism; cryptographic hash functions are not password hash functions. Even if they were "safe" for password storage when designed, MD5 goes back 20 years now, so by Moore's Law today's processors are roughly eight thousand times faster.
There are various approaches for breathing life back into old algorithms; key stretching, for example, where an algorithm which is too fast is “slowed” by repeating it over and over again, perhaps thousands of times. But the guidance around the likes of MD5 and SHA is clear and OWASP summarises it quite succinctly:
General hashing algorithms (eg, MD5, SHA-1/256/512) are not recommended for password storage. Instead an algorithm specifically designed for the purpose should be used.
What we need is a hashing algorithm which was designed from the ground up with speed in mind, not fast speed, but slow speed.
The concept of increasing the effort required to execute the hash function is one that is frequently implemented by key stretching and indeed this is modus operandi of PBKDF2. In fact PBKDF2 may then be applied to an algorithm such as SHA so strictly speaking, SHA is still being used, just not as we know it in its single iteration form. //
the thing about algorithms like these is that they’re adaptive:
Over time it can be made slower and slower so it remains resistant to specific brute-force search attacks against the hash and the salt.
Clearly the ability to increase the workload is important if we don’t want to be caught by Moore’s law again in the near future. All we need is a way to integrate this into our existing work.
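Integrating an adaptive work factor into existing code, as an added example rather than code from the original article or from any framework: it applies PBKDF2 to HMAC-SHA256, as the passage describes, stores the iteration count alongside the salt and digest in an assumed `pbkdf2_sha256$iterations$salt$hash` record format, and upgrades old records at the next successful login so the count can be raised as hardware gets faster.

```python
"""Adaptive password hashing with PBKDF2-HMAC-SHA256 (added example).

Stored record (assumed format): "pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>".
Because the iteration count travels with the hash, the work factor can be raised
later and existing records are re-hashed at the next successful login.
"""
import hashlib
import hmac
import os
import time

CURRENT_ITERATIONS = 200_000  # assumed deployment target; re-tune with calibrate()


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Hash with a fresh 16-byte salt and return the self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def parse_record(record):
    """Split a stored record into (iterations, salt, digest)."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown password hash scheme: %s" % scheme)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password, record):
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, target=CURRENT_ITERATIONS):
    """True when the record was made with a lower work factor than we want today."""
    iterations, _, _ = parse_record(record)
    return iterations < target


def login(password, record):
    """Return (ok, new_record); new_record is set when the stored hash was upgraded."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record):
        return True, hash_password(password)  # fresh salt, current work factor
    return True, None


def calibrate(target_seconds=0.1, start=10_000):
    """Double the iteration count until one hash costs about target_seconds here."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibrate", os.urandom(16), iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

The only moment the plaintext is available to re-hash is a successful login, so upgrading there is the standard way to migrate a user base to a higher work factor without a forced password reset; `calibrate()` is how you would pick the next target on the hardware you actually run.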
@kylerankin
Ok everyone, time to reset your face and fingerprint.
@briankrebs
Major #breach found in #biometrics system used by banks, UK police and defense firms https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms … Instead of saving a hash of the fingerprint, they reportedly stored the actual fingerprint. Biometrics firms should be held to a higher standard, IMHO. c/o @joshgnosis
Claudius Link
@realn2s
Aug 14
Replying to @kylerankin
Should we propose changing them every 90 days as a precaution? Or is a change your biometrics day each year sufficient?
Kyle Rankin
@kylerankin
Aug 14
Don't forget adding biometrics complexity rules: "At least one digit, one thumb"
Claudius Link
@realn2s
Aug 14
And length/size requirements.
Matt P
@bettaa
Aug 14
Replying to @kylerankin
I guess my cigarette lighter in my car is still useful then....
the DHS announced that it was able to remotely hack a Boeing 757:
"We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
"[Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft.
Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: //
Boeing denies that there's any problem: //
This being Black Hat and Las Vegas, I'll say it this way: I would bet money that Boeing is wrong. I don't have an opinion about whether or not it's lying. //
jon • August 16, 2019 2:51 PM
After all the deaths caused by recent Boeing software quality problems (Max 8) you'd think their PR team would understand that humility would get them a lot farther than defensiveness.
This privilege escalation vulnerability has lurked within Windows for 20 years.
For under $100, compact hardware can turn a shipped package into a Trojan horse for attacks. //
The point of these exercises, Henderson said, was to get companies to "start considering packages untrusted in the same way that you would consider email or USB keys."
If you eye that next Amazon box that arrives at the office a little more suspiciously, then, well, mission accomplished.
23-gigabyte database had plain-text passwords, face images, and much more.
A researcher abused the GDPR to get information on his fiancée:
It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.
"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.
"Small companies tended to ignore me.
"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."
One researcher's discovery suggests troubling oversights in Boeing's cybersecurity.
There are 195 countries in the world. If we assume that each country would want its own backdoor that means there will be 195 backdoors or master keys for every encrypted application.
If we also assume that on average only 100 people per country have access to the back door (a ludicrously low number) that means that around the world encryption relies on almost 20,000 people being completely honest, not willing to be bribed and not capable of being coerced. The likely reality is that the number of people with access to the back door would be a lot higher.
Basically, that means no security whatsoever, except for the really bad people, who will simply build their own encryption; after all, it is just math.
"The FBI says they're 'going dark.' Well yeah, because they've been staring at the sun." //
So, is surveillance really "going dark"? Or is this, as Graham suggested, "a Golden Age of Surveillance," where even more privacy is required? Joseph Lorenzo Hall, Chief Technologist at the Center for Democracy and Technology (CDT), leans toward the latter.
"The FBI says they're 'going dark'," Hall told Ars. "Well yeah, because they've been staring at the sun." //
HTTPS has had the biggest effect so far, and the changes in TLS will further close the door on surveillance. In 2013, less than 30% of Web traffic was encrypted, and less than 10% of websites supported secure connections. By 2017, more than half of the Web supported HTTPS, and today over 70% of Web traffic is encrypted, based on data from Google and Let's Encrypt. As of April 2019, 91% of webpages visited by US users were secured. Internationally, about 85% of webpages visited were encrypted.
Adoption of encryption for email traffic—both between client and server and from provider to provider—also grew dramatically as a direct result of the Snowden revelations. In early 2014, only about a quarter of the email traffic between Google and other providers was encrypted. Now, it's over 75%.
A tool to limit the bandwidth (upload/download) of devices connected to your network without physical or administrative access. evillimiter employs ARP spoofing and traffic shaping to throttle the bandwidth of hosts on the network.
This tool is the Windows GUI port of the original CLI tool Evil Limiter for Linux.
Requirements -- Windows 7 or higher
Missing requirements (including 3rd party applications, like Npcap) will be installed when running the setup.
The best example I can give is a college network where all the students are connected to the same Wi-Fi router, which slows it down significantly. Usually the only way to remove people from a network you are using is to get admin privileges on the router and then whitelist or blacklist devices by MAC address, but most of the time we don't have those privileges.
If we had admin privileges to begin with, we would have configured the router so that problems like these wouldn't arise in the first place. So the goal is to block users on our network, or at least limit their speed, without being admin.