mersenneforum.org (https://www.mersenneforum.org/index.php)
-   Tales From the Crypt(o) (https://www.mersenneforum.org/forumdisplay.php?f=130)
-   -   'All Your Data ❝Я❞ Belong To Us' Thread (https://www.mersenneforum.org/showthread.php?t=20713)

ewmayer 2017-05-15 03:25

[I link to Mish here not because he's any kind of crypto expert but because both of his posts contain nice annotated sets of links]

[url=https://mishtalk.com/2017/05/13/wannacry-cyber-attack-hits-99-countries-fedex-nissan-hospitals-universities-with-nsa-developed-malware-five-questions/]WannaCry Cyber Attack Hits 99 Countries, FedEx, Nissan, Hospitals, Universities with NSA Developed Malware: Five Questions.[/url] | MishTalk

[url=https://mishtalk.com/2017/05/14/microsoft-blasts-nsa-cia-for-stockpiling-vulnerabilities-criminal-negligence-by-nsa/]Microsoft Blasts NSA, CIA for "Stockpiling Vulnerabilities" Criminal Negligence by NSA?[/url] | MishTalk

[url=https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html]How to Accidentally Stop a Global Cyber Attacks[/url] | MalwareTech -- On why the U.S., ironically enough given NSA's role in developing the weaponized malware in question, was mostly spared.

[url=www.washingtonsblog.com/2017/05/ransomware-hack.html]Top NSA Whistleblower: Ransomware Hack Due to "Swindle of the Taxpayers" by Intelligence Agencies[/url] | Washington's Blog -- some choice harsh verbiage from ex-NSA-analyst "legend" William Binney.

paulunderwood 2017-05-15 12:29

I wonder how much money has been "given" to M$ to date by the UK's NHS. Surely the powers that be must have known that XP is obsolete, as will be later versions of Windoze OS one day. Of course, because of the bloat, hardware needs to be updated. So much for "total cost of ownership"!

ewmayer 2017-09-29 00:04

[url=https://www.techdirt.com/articles/20160414/09250634185/report-exposes-flaws-link-shorteners-that-reveal-sensitive-info-about-users-track-their-offline-movements.shtml]Report Exposes Flaws In Link Shorteners That Reveal Sensitive Info About Users And Track Their Offline Movements[/url] | Techdirt

ewmayer 2017-10-13 22:37

[url=https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/]With Virtual Machines, Getting Hacked Doesn’t Have to Be That Bad[/url] | The Intercept

paulunderwood 2017-10-16 10:25

[url]https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns[/url]

lavalamp 2017-10-16 12:03

[QUOTE=paulunderwood;469932][url]https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns[/url][/QUOTE]Is WPA2 entirely software based or does it have hardware requirements also? I wonder how hard this would be to patch up.

From the article it seems as though they're saying the protocol was cracked, rather than the encryption, but I'm not entirely sure.

retina 2017-10-16 12:24

[QUOTE=lavalamp;469935]Is WPA2 entirely software based or does it have hardware requirements also? I wonder how hard this would be to patch up.[/QUOTE]It is software (or firmware I guess). It can be patched. But in reality it won't be patched. Most devices won't get a patch from the manufacturer. And if they did, "no one" knows how to install it anyway, or even that it needs installing, or even that there is something to install. Welcome to the world of insecure devices.[QUOTE=lavalamp;469935]From the article it seems as though they're saying the protocol was cracked, rather than the encryption, but I'm not entirely sure.[/QUOTE]The [strike]key[/strike] 8-digit WPS negotiation was broken many years ago. Some newer devices have workarounds for that problem. But the encryption is secure in that no one has yet broken AES (that we know of anyway).

Edit: It wasn't the key, but the "secret" device number.
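Added example (not from the thread), illustrating why the 8-digit WPS PIN negotiation retina mentions was breakable without touching AES: the PIN's 8th digit is a checksum of the first 7, and the registrar (access point) confirms the first 4 digits and the last 4 digits in separate protocol steps, so an attacker needs at most 10^4 + 10^3 guesses instead of 10^7. The real message exchange (M4 through M7 and the NACKs) is abstracted into two oracle calls; the `Registrar`, `brute_force_pin` and counter names are this example's own.

```python
# Added example (not from the forum thread): why the 8-digit WPS PIN
# negotiation was breakable.  The PIN's 8th digit is a checksum of the
# first 7, and the registrar confirms the first 4 and last 4 digits in
# separate protocol steps, so the search is 10^4 + 10^3 rather than 10^7.
# The M4..M7/NACK exchange is abstracted into two oracle calls (assumption).

def wps_checksum(pin7: int) -> int:
    """Checksum digit of a 7-digit WPS PIN (weights 3,1,3,1,3,1,3 from the most significant digit)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class Registrar:
    """Access-point side of the PIN exchange, with the split verification that
    makes the PIN brute-forceable.  Counts how many guesses it has answered."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._first, self._second = pin[:4], pin[4:]
        self.answered = 0

    def check_first_half(self, guess: str) -> bool:
        # In the real protocol: the ACK/NACK that follows the enrollee's M4.
        self.answered += 1
        return guess == self._first

    def check_second_half(self, guess: str) -> bool:
        # In the real protocol: the ACK/NACK that follows the enrollee's M6.
        self.answered += 1
        return guess == self._second


def brute_force_pin(ap: Registrar):
    """Recover the PIN from the split oracle.  Returns (pin, guesses_answered)."""
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if ap.check_first_half(cand):
            first = cand
            break
    if first is None:
        return None, ap.answered
    # Second half: 3 free digits plus a checksum the attacker computes, so 1000 candidates.
    for j in range(1_000):
        pin7 = int(first + f"{j:03d}")
        cand = f"{j:03d}{wps_checksum(pin7)}"
        if ap.check_second_half(cand):
            return first + cand, ap.answered
    return None, ap.answered


WORST_CASE_SPLIT = 10_000 + 1_000   # 11,000 guesses with split verification
WORST_CASE_WHOLE = 10_000_000       # 10^7 if the whole 7-digit PIN were checked at once


if __name__ == "__main__":
    # 12345670 is a well-known default PIN and passes the checksum.
    pin, guesses = brute_force_pin(Registrar("12345670"))
    print(pin, guesses, "guesses; worst case", WORST_CASE_SPLIT, "vs", WORST_CASE_WHOLE)
```

The point is that the oracle leaks which half failed; a registrar that only answered for the whole PIN (and locked out after a few failures) would force the full 10^7 search. Newer devices' "workarounds" are lockouts of exactly that kind, or disabling PIN mode altogether.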

ewmayer 2017-10-24 20:58

An interesting angle on the WPA2 vulnerability:

[url=https://www.privateinternetaccess.com/blog/2017/10/the-recent-catastrophic-wi-fi-vulnerability-was-in-plain-sight-for-13-years-behind-a-corporate-paywall/]The recent catastrophic Wi-Fi vulnerability was in plain sight for 13 years behind a corporate paywall[/url] | privateinternetaccess.com
[quote]When this week’s KRACK wi-fi vulnerability hit, I saw a series of tweets from Emin Gür Sirer, who’s mostly tweeting on bitcoin topics but seemed to know something many didn’t about this particular Wi-Fi vulnerability: it had been in plain sight, but behind paywalls with corporate level fees, for thirteen years. That’s how long it took open source to catch up with the destructiveness of a paywall.

Apparently, WPA2 was based on IEEE standards, which are locked up behind subscription fees that are so steep that open source activists and coders are just locked out from looking at them. This, in turn, meant that this vulnerability was in plain sight for anybody who could afford to look at it…. [W]hile ordinary activists and coders were locked out of reviewing these documents, the NSA and the like had no shortage of budget to pay for subscriptions to these specifications. Thus, the IEEE’s paywall was lopsiding the security field toward mass surveillance, away from security.[/quote]
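Added example (not from the thread or the linked article), answering lavalamp's earlier question of whether the protocol or the encryption was cracked. KRACK attacks the WPA2 4-way handshake, not AES: a replayed handshake message 3 makes the client reinstall the key it already has, which resets the packet number it uses as the nonce, so two frames end up encrypted under the same key and nonce and their keystreams cancel out. Assumptions in the code: counter mode is built on HMAC-SHA256 as a stand-in for CCMP's AES-CTR (any secure keystream generator fails the same way under nonce reuse), the handshake is reduced to `install_key()` calls, and the key, frames and class names are constructed for the example.

```python
# Added example (not from the forum thread): the nonce-reuse failure behind
# KRACK, reduced to its essentials.  The cipher is never attacked; the client
# is tricked into reinstalling the already-installed key, which resets its
# packet number, so two frames share a (key, nonce) pair and their keystreams
# cancel out.  HMAC-SHA256 stands in for CCMP's AES-CTR (assumption); the
# 4-way handshake is reduced to install_key() calls (assumption).
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Wi-Fi client confidentiality state: the installed key and the packet number used as nonce."""

    def __init__(self, reset_nonce_on_reinstall: bool):
        self.ptk = None
        self.pn = 0
        self.vulnerable = reset_nonce_on_reinstall

    def install_key(self, ptk: bytes) -> None:
        # Called when handshake message 3 is received.  A retransmitted (or
        # replayed) message 3 calls it again with the same key.
        if self.ptk == ptk and not self.vulnerable:
            return                     # patched: ignore reinstallation of the key in use
        self.ptk = ptk
        self.pn = 0                    # vulnerable: packet number starts again from zero

    def encrypt(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def replay_attack(client: Client, ptk: bytes, known: bytes, secret: bytes):
    """Attacker replays message 3 between two frames and XORs the ciphertexts.
    Returns (nonce_was_reused, plaintext the attacker recovers for the second frame)."""
    client.install_key(ptk)            # genuine message 3
    n1, c1 = client.encrypt(known)     # e.g. a predictable request header
    client.install_key(ptk)            # replayed message 3
    n2, c2 = client.encrypt(secret)
    # c1 ^ c2 = (known ^ ks1) ^ (secret ^ ks2); with ks1 == ks2 this is known ^ secret.
    recovered = xor(xor(c1, c2), known)
    return n1 == n2, recovered


if __name__ == "__main__":
    key = bytes(range(32))             # constructed key; a real PTK is derived in the handshake
    known = b"GET /index.html HTTP/1.1"   # constructed, attacker-predictable frame
    secret = b"Cookie: session=4e7f"      # constructed, the frame the attacker wants
    reused, got = replay_attack(Client(reset_nonce_on_reinstall=True), key, known, secret)
    print("vulnerable client: nonce reused =", reused, "recovered:", got)
    reused, got = replay_attack(Client(reset_nonce_on_reinstall=False), key, known, secret)
    print("patched client:    nonce reused =", reused, "recovered:", got)
```

The patched branch is the shape of the actual fixes: clients stop resetting the nonce (or refuse to reinstall an already-installed key), which is a firmware or supplicant change, not a new cipher. That is also why retina's point stands: AES is fine; the protocol state machine was the bug.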

ewmayer 2017-11-12 02:14

[url=https://www.nakedcapitalism.com/2017/11/why-you-should-never-buy-an-amazon-echo-or-even-get-near-one.html]Why You Should NEVER Buy an Amazon Echo or Even Get Near One[/url] | naked capitalism

Dr Sardonicus 2017-11-12 15:25

[QUOTE=ewmayer;471589][url=https://www.nakedcapitalism.com/2017/11/why-you-should-never-buy-an-amazon-echo-or-even-get-near-one.html]Why You Should NEVER Buy an Amazon Echo or Even Get Near One[/url] | naked capitalism[/QUOTE]Fascinating. The idea of cross-referencing to identify voices -- in particular, voice commands -- occurred to me while watching the [i]Star Trek: The Next Generation[/i] episode [b]Brothers[/b] (8 Oct, 1990). Commander Data was able, merely by imitating Captain Picard's voice, to commandeer the [i]Enterprise[/i] and lock everyone else out from voice command of computer. The thought immediately occurred to me: [i]Wait[/i] a minute! Doesn't the computer [i]know[/i] Captain Picard is somewhere [i]else[/i]?

Now, I don't expect these voice-activated "assistants" to be as sophisticated as the [i]Enterprise[/i]'s computer, so perhaps a high-quality recording of the owner's voice could be used to cause mischief...

There's another kind of voice activated "assistant" heavily advertised of late -- remote controls, in particular Comcast TV and internet services. I don't know enough details about what you can tell the remote to do, or how good its recognition capabilities are, but the potential for running up pay-per-view or other extra charges is amusing to contemplate.

ewmayer 2017-11-17 01:40

[url=https://theweek.com/articles/736984/nsa-needs-stop-hacking]The NSA Needs to Stop Hacking[/url] | The Week


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.