FCC Not Moving Forward with IoT Security Mandates

Currently facing backlash from the widespread DDoS attacks last week, the FCC is being pressed on how it plans to manage and regulate the growing number of IoT devices on the market. Many in Congress are pressuring the FCC to regulate IoT devices as entities distinct from traditional computers, arguing that their impact on network infrastructure is fundamentally different.

The current commissioners are pretty much unanimous in their belief that the Open Internet Order gives ISPs the right amount of leeway to handle threats like the recent DDoS attacks themselves. The Open Internet Order grants ISPs “Reasonable Network Management”. If that sounds extremely flexible, that’s intentional.

Mostly, the FCC wants to keep its hands out of this mess, opting instead for a more advisory role.

You can read more on this subject by clicking here.

Way to go VTech.

One month ago a hacker revealed that he had broken into the toymaker VTech and retrieved a large amount of disturbing information. Apparently, VTech had been storing images, chat logs, home addresses, emails, names, genders and even birthdays of every customer, including the parents and the children who most likely used the products. Information on around 4,000,000 parents and 200,000 children was readily available to anyone who knew what they were doing. The hacker did not disclose how he broke into VTech, probably to keep that information away from people who want it but do not know how to hack, but he has commented that he retrieved 190GB worth of photos and shared 3832 images, with all the faces blocked out, with Motherboard, a blogging site. VTech has yet to say concretely what its exact reasoning was, but the wording of its attempted justification was that it kept the data so it could send the password directly to the user. You know, because that is such a GREAT idea: instead of just having users reset their password every time they forget it, because the company made it entirely impossible for them to access it on their own and with ease, I will just send it back to you. The person who thought this was a good idea should have been fired, like, two years ago.

https://nakedsecurity.sophos.com/2015/12/01/photos-of-kids-and-parents-chatlogs-audio-files-stolen-in-vtech-breach/

An Upcoming Threat To Encryption

The weakness of all encryption, of all security, is time. What if the time it took to crack an encryption were drastically cut down? Quantum computers may be more than a decade away, but they not just may, but will, exponentially cut down the time it takes to crack an encryption. This week there is a computer security convention at Schloss Dagstuhl–Leibniz Center for Informatics in Wadern, Germany, concentrating on quantum-resistant replacements for the currently used encryption. This convention is only one of many that have recently been held or are about to be held. Other examples include the workshop held by NIST, the US National Institute of Standards and Technology, in April, and the IQC's joint workshop with the European Telecommunications Standards Institute in October. The NSA has also revealed that it plans to upgrade to quantum-resistant protocols. The Dutch intelligence services have also pointed out the threat of people, corporations or governments intercepting and storing information now in order to decrypt it once quantum computers are complete.

One of the most widely used encryption schemes today is RSA. It is one of the schemes that will be rendered obsolete once quantum computers are in use. “PQCRYPTO, a European consortium of quantum-cryptography researchers in academia and industry, released a preliminary report on 7 September recommending cryptographic techniques that are resistant to quantum computers.” PQCRYPTO gave recommendations for four different categories: symmetric encryption, symmetric authentication, public-key encryption, and public-key signatures. Symmetric encryption is “the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.”[1] For symmetric encryption, PQCRYPTO recommends AES-256, and Salsa20 with a 256-bit key.[3] Symmetric authentication is when “the user shares a unique, secret key (usually embedded in a hard token) with an authentication server. The user is authenticated by sending to the authentication server his/her username together with a randomly generated message (the challenge) encrypted by the secret key. If the server can match the received encrypted message (the response) using its shared secret key, the user is authenticated.”[2] For symmetric authentication, PQCRYPTO recommends GCM using a 96-bit nonce and a 128-bit authenticator, and Poly1305.[3] Public-key encryption, also known as asymmetric-key encryption, is when “there are two related keys–a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.”[1] For public-key encryption, PQCRYPTO recommends McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors. For public-key signatures, PQCRYPTO recommends XMSS, and SPHINCS-256.[3]
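Added example (not from the post or the PQCRYPTO report): a pure-Python Poly1305, the one-time authenticator PQCRYPTO lists for symmetric authentication, implemented from RFC 8439 and checked against that RFC's published test vector. The key is single-use: authenticating two different messages under the same 32-byte key lets a forger recover it, so in practice the key is derived per message from a cipher such as Salsa20/ChaCha20.

```python
import hmac

# Poly1305 one-time authenticator, per RFC 8439 section 2.5.
P = (1 << 130) - 5          # the prime 2^130 - 5 the polynomial is evaluated over
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # bits RFC 8439 requires cleared in r


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """Return the 16-byte tag for msg under a 32-byte ONE-TIME key (r || s)."""
    if len(key) != 32:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Each block is read little-endian with a 0x01 byte appended above its
        # highest byte, so a short final block cannot be confused with padding.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P
    # Tag is the low 128 bits of acc + s; the one-time pad s hides acc.
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a verifier does not leak the tag byte by byte."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)


# Known-answer test vector published in RFC 8439 section 2.5.2.
RFC8439_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                            "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_mac(RFC8439_MSG, RFC8439_KEY).hex())  # a8061dc1305136c6c22b8baf0c0127a9
```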

Sources:

http://www.nature.com/news/online-security-braces-for-quantum-revolution-1.18332

1: https://support.microsoft.com/en-us/kb/246071

2: http://www.e-authentication.gov.hk/en/professional/skey.htm

3: http://pqcrypto.eu.org/docs/initial-recommendations.pdf

By Eric Weitzman

Stingray Use In Baltimore

Stingrays are devices that act like a cell tower and are used to intercept phone and text signals. They cost about $400,000 and are useful in helping to solve serious crimes. This article focuses on the use of stingrays in Baltimore. Previously, the FBI forced users of the device to sign a non-disclosure agreement, meaning that if police officers used it, they could not talk about its use. However, the FBI has recently stated that the police can talk about its use; this is a big deal because now all the cases in which stingrays were used are being published. Additionally, it has now come to light that stingrays are being used in petty crime cases such as theft. While stingrays help facilitate catching someone who has committed such a crime, they also interfere with innocent bystanders’ phones. Some believe that in doing so they violate those people’s rights. The devices do not discriminate when collecting information, so innocent people are concerned about theirs. Some senators are also targeting stingrays by trying to pass a bill that would require warrants before their use. So far, stingrays have been used in over 4,300 cases in Baltimore alone. What does that mean for the rest of the country?

The problem most people are concerned with is that stingrays collect information on the innocent as well as the guilty. This means that everyone connected to the stingray could have their information read or used by the police. This is a huge security problem because there are currently no defenses against it, nor are there laws to protect citizens. In my opinion, the policies behind the use of stingrays need reform because right now, people who are directly involved are in danger of having their valuable information exposed.

Thomas, Coburn

Stingray: http://goo.gl/rPQTPB

Article: https://ritcyberselfdefense.wordpress.com/wp-admin/


Rootpipe – Mac OSX Backdoor Privilege Escalation

Apple has released an update and a security notice about a vulnerability in its interprocess communication (XPC) entitlements. This vulnerability allowed an unprivileged user to gain root access. It involved tricking the writeconfig XPC service into generating a setuid file owned by root with read and write permissions for everyone.

[Screenshot: _onewayMessageDispatcher]

Attackers can easily use this file to escalate privileges to root: when it is executed it runs as root, but the dangerous part is that anyone can modify its contents. An attacker could replace the contents of that file with a shell, which would give them a root shell. In order to trick the writeconfig XPC service, the researcher had to send nil to “authenticateUsingAuthorization” in order to be authorized to use writeconfig.


This allowed them to authenticate and generate the setuid file.
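The dangerous artifact here is a setuid-root file that is also writable by other users. As an added example (not from the researcher's post or Apple's notice), the following check walks a directory tree and reports any setuid/setgid file that group or others can write to, which is the condition a defender would want to audit for after a bug like this; the sample files are constructed in a temp directory.

```python
import os
import stat
import tempfile


def find_writable_setuid(root: str) -> list:
    """Return paths under root that carry setuid or setgid AND are writable by
    group or others. A root-owned setuid file with mode rw for everyone is
    exactly what the writeconfig bug produced."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            privileged = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if privileged and writable:
                hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree: a normal setuid binary (4755), a world-writable
    setuid file like Rootpipe's (4777), and a plain world-writable file (666).
    Returns the base names the scanner flags."""
    d = tempfile.mkdtemp(prefix="setuid_audit_")
    for name, mode in (("ok_suid", 0o4755), ("bad_suid", 0o4777), ("plain", 0o666)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)   # setting setuid on a file you own needs no root
    return [os.path.basename(h) for h in find_writable_setuid(d)]


if __name__ == "__main__":
    print(demo())   # ['bad_suid']
```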


The vulnerability was originally shared with Apple on October 14th 2014, and a patch was released April 8th 2015. This means that it took nearly 6 months for Apple to fix this bug, which is nearly double the time that Google gives companies to fix such issues. I guess it’s a good thing Google didn’t find it first.


Edward Mead (exm6939)

Image Source & Link to full article: https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

Apple Update / Notice: https://support.apple.com/en-us/HT204659