KRACK: Key Reinstallation Attacks

Mathy Vanhoef and Frank Piessens of KU Leuve have discovered a critical flaw in the way WPA2 encryption for all known WiFi implementations. Some time to caveat on the width of the discovery, the attacker needs physical access to the network, and will only see non-encrypted transmissions. Until the vendors patch their implementations the only interim solution is to treat your home WiFi as you would a public WiFi, using HTTPS and in an ideal world VPN form the individual client.
This overview on Github shows the current state of fixes from the vendors. I somewhat sadly note that the majority of my HW is under the “No Known Official Response” category!

 

ATM Hacking, summary of the latest techniques

Trend Micro has put up an report on the latest techniques used to hack ATM’s with a focus on the recent emergence of purpose written malware and their impacts. A good read!

Sports Hacking

This is (I suppose) an logical evolution of technology and its use: The Boston Redsox have been caught using Apple Watches to steal New York Yankees pitching calls. For those that don’t follow baseball, the pitcher and the catcher will through hand signals agree on the required pitch. The Red Sox relayed this info to the batting coach, and the batter was informed the most likely pitch to come.
An informed write-up can be found on NY Times. 

More Bluetooth Issues in the Wild

Bluetooth seems to be the flavour of the month lately in hacking, and a number of issues have been highlighted lately. The “best” on so far is the blueborne – an airborne hack through Bluetooth with great potential for harm. An analysis from Armis shows how it works.

When should you stop trusting you vendors?

There has always been an uncomfortable relationship between a customer and their security vendors, in particular with the relationship between the vendor and state agencies. Normally a concern with US vendors, bur lately Kapersky has been accused of  providing Russian Agencies access to their customers. It should be pointed out that the proof provided is not good, but enough for actors like the US Government banning the use of all Kapersky products. An breakdown of the allegation can be found in this analysis from ArsTechnica, summing up  the info from primarily sources behind pay-walls.

Equifax hack = Failure to patch Struts

As the dust settles on arguably the largest identity hack in history people have been trying to figure out exactly what went wrong. It was known that the hack used an known vulnerability with the Apache Struts framework, found in March of this year. An analysis by Ars Technica hints at an failure by Equifax to apply the patches and block the Jakarta file upload multipart parser issues when found.
Blaming OSS for your mistakes is only valid if you keep it up to date, Equifax’s mistake is a lesson for us all.

Electronic voting – will we ever get it right?

Another online / electronic voting system has been torn to pieces in an hack test. The German “PC-Wahl” system – used to by the German states to capture, aggregate and tabulate the votes during an election was tested by the German WhiteHats The Chaos Computer Club (CCC). The findings were sobering, the system full of holes to be exploited and thus German elections can be in theory be tampered with.

New Chrypto standards and government participation

There has always been a tenuous relationship between security standards and the participation of governmental agencies in setting them. There was always rumors of back-doors, NSA and DES the strongest and longest living rumor mil. Now this has impacted the next generation of chrypto, and 2 proposed NSA chrypto schemes: Simon and Speck. Through strong international objections and concerns on these becoming ISO standards they have been allowed only in their strongest versions, as there is concern that there is a potential weakness to be exploited by said governmental agencies. Another example of the world post Snowden.

iPhone headphone jack hack

What do you do when Apple decides to no longer support headphone jacks? You make your own! Scotty Allen  from Strange Parts took in upon himself to solve the problem by traveling to China and remake the iPhone 7 to contain a headphone jack without impacting the rest of the phones functionalities. Maker space on steroids!

Disney leaves Netflix to go solo

Disney has decided to terminate it’s 2012 streaming deal with Netflix and to launch their own service starting in 2019. You may remember that the 2012 deal was heralded as a major thing for Netflix with the inclusion of such valuable IP’s as  Marvel and Pixar (and now of course the Star Wars universe).
This is a logical extension of the investments Disney has made in BAMTech (the US MLB Streaming company) and falls in line with the plans of launching a global streaming service for it’s sports service ESPN. For the Star Wars nuts: this means the next 2 films will be on Netflix, but not the last in the new trilogy.