Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks
Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in many industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.
The low-power Wi-Fi module is designed for use in embedded devices. It is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security. Tracked as CVE-2020-9395, the most severe flaw is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. An attacker can exploit the vulnerability in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).
Man Charged in $11m Crypto Scheme that Featured Steven Seagal
A California man was charged with securities fraud after allegedly tricking cryptocurrency investors out of $11 million and using actor Steven Seagal to promote a fake company. He allegedly tricked cryptocurrency investors out of millions and took their money and spent it on sports cars, jewelry and upgrades to his home. False and misleading representations were made about 2 companies: Start Options and B2G. Investors were apparently told that their money would be held for a specified contract period, after which they could withdraw major profits. When the end of a Start Options contract approached, they allegedly tried to persuade investors to roll over their accounts into an Initial Coin Offering (ICO) for B2G. They falsely claimed that B2G could generate an 8000% return for investors within one year, and that Segal was a participant in the ICO.
Researchers extract secret key used to encrypt Intel CPU code
Intel chip security is at risk as researchers were able to extract the secret key that encrypts microcode updates. With this key, the microcode updates used in fixing security vulnerabilities and bugs can now be decrypted. Decrypting updates puts them at risk of reverse engineering; hence hackers/hobbyists might learn the exact way to exploit any vulnerability the microcode is fixing, based on how the code is being applied to vulnerabilities.
The decrypted key also allows attackers the ability to update the chips with custom/personalized updates when the system is running. The current security impact has not been fully assessed, but it has been found that the key can be extracted for any chip based on the Goldmount architecture (Atom, Celeron, or Pentium).
FonixCrypter, a cybercrime group that is known for their ransomware attacks, made a big announcement on Twitter. The group has been present since June 2020 and has decided to shut down their operations and deleted the source code of their ransomware. Additionally, they released a package which includes a decryption tool, the ransomware’s master decryption key and instructions on how to use it. However, researchers highly advise against using their decryption tool since it could contain other malware that can further affect the systems. A software company, Emsisoft, is in the process of building a clean and safe version of the decryption tool and recommends waiting for the release of this tool. In 2020, ransomware damage amounted upwards to $20 billion.
NSA advises defense, national security supply chain on replacing deprecated encryption protocols
This article reviews the new guidelines issued by the NSA to avoid TLS 1.0 and TLS 1.1. They recommend all organizations use TLS 1.2 or TLS 1.3. They said there are exploits of TLS 1.0/1.1 which require ‘very few’ skills required by the end user. Using TLS 1.0 or TLS 1.1 can leave an organization susceptible to man in the middle attacks. This would allow someone to review the data it can capture. The NSA data is fully protected when you use authorized TLS with a compliant cipher suite and strong key exchange methods.
One thing I liked about the article is it calls out the NSA for still recommended old RSA key exchanges and CBC-mode. Robert Merget said the following, ” I am a little disappointed that the NSA still recommends RSA and DH(E) key exchange algorithms, as both have shown to have weaknesses and implementation pitfalls in the past. I was also surprised that the CBC-mode was not explicitly mentioned, as it is also a common cause for implementation errors in TLS and should be avoided if possible.”
A study published today by the Identity Defined Security Alliance (IDSA) uncovered significant delays in giving and rescinding access to corporate systems, impacting operations and increasing potential risk to the organization.
According to the report, for the majority of companies (72%) it takes one week or longer for a typical employee to obtain access to required systems. After a worker leaves, it takes half of organizations three days or longer to revoke the former employee’s system access, creating regulatory compliance issues and prolonging the risk of data theft. Only 23% said system access enablement is automated, while 35% report revoking system access is automated.
“Though the report findings are unsettling, they reflect the realities of today’s complex work-from-home environment and hybrid landscape of cloud and on-premises applications,” Greenlight president Kevin Dunne told Infosecurity Magazine.
“Typically, IT security teams rely on a hodgepodge of point solutions for each application with little visibility across the enterprise landscape. Fortunately, many new advancements have been made in the area of just-in-time provisioning, which can automate much of the access governance process and shave provisioning and deprovisioning time from days down to seconds.”
Industry Perspective: Protecting Employees Doesn’t Have to Sacrifice Data Privacy
Covid-19 presents “a range of cyber security challenges.” The Ernst & Young Internet team reports “a significant increase in phishing and targeted spear-phishing complaints.” KPMG has reported a rapid increase in ransomware themed around Covid-19. To properly protect employees, companies need to implement security tools that provide visibility and monitoring. However, employees will resist or avoid any negligence that feels like an invasion of privacy. This desire for privacy has been enshrined in law. In the European Union, a number of companies already have been fined over-zealous monitoring of their remote workforce.
Security and compliance teams should seek tools that achieve this balance and allow them to detect threats while implementing controls that protect privacy. They need a solution that can scan without spying, and that can monitor without reading. Content and digital voice can remain private, even if threats can be addressed immediately.
Researchers have publicly disclosed security flaws found in ADT-owned LifeShield security cameras, which, if exploited, could have allowed a local attacker to eavesdrop on victims’ conversations or tap into a live video feed. The life shield brand is owned by ADT Security Services (Leading in the security industry) Specifically affected is the LifeShield DIY HD Video Doorbell, which connects to users’ Wi-Fi networks and lets them answer the door remotely using the LifeShield mobile app.According to ADT, 1,500 devices were affected by the flaw. These devices were part of a single model of LifeShield doorbell camera, which was marketed and sold as a residential device, and is no longer currently sold. In order to exploit the flaw, “an attacker would only need to be connected to the same network as the wireless camera, When connected to the same Wi-Fi network the attacker can view credentials from the cloud for each device. Which allowed an attacker to obtain the administrator password of the camera by simply knowing its MAC address.After gaining credentials via the device MAC address, attackers could have easily accessed the interface. This would have given them unauthenticated access to the RTSP server – allowing them to access both video and audio of the camera’s streaming live feed. Researchers contacted ADT before publicly disclosing the flaw, and ADT has deployed patches to all impacted devices. However, security experts warn that ADT’s glitches serve as a warning and are just the latest camera maker to patch similar security issues tied to connected cameras.
Crypto Fund Founder Pleads Guilty to $100m Fraud Scheme
Two cryptocurrency hedge funds, Virgil Sama and VQR, has pleaded guilty to securities fraud, defrauding investors almost out of $100M. Stefan He Qin launched these hedge funds as a way to earn money from an algorithm that took advantage of market price differences for digital currencies. The funds have an accrued value of over $114 M.
Stefan Qin has been using these funds as his personal slush funds, using the investments to fund his lifestyle and other assets. He lied to his investors and sent them false account statements and tax forms. By having two funds, he was able to trick investors who were attempting to pull out to reinvest in VQR. Investors were defrauded for nearly $100M.
Collision avoidance: OpenSSH lays out plans to ditch aging SHA-1 hashing algorithm
The developers behind OpenSSH have announced their intention to stop supporting the aging SHA-1 hashing algorithm in the near future. OpenSSH, a set of open source utilities based on the Secure Shell (SSH) protocol, a technology typically used for server management, is preparing to ditch SHA-1 in favor of more secure, modern alternatives such as SHA-2. Web browser vendors such as Mozilla dropped support for SHA-1 SSL certificates back in 2017, along with the popular software repository site Git, following suit, as the algorithm’s shortcomings become too severe to ignore.
Hashing functions like SHA-1 work by processing an input to give a fixed size hash value, or message digest. The message digest can be compared to determine if two files, documents, digital certificates, or executable files are the same without a computationally expensive byte-by-byte comparison. In essence, this validates the integrity of the data. This process falls apart in cases where two different files give the same hash value, which is known as a collision. This was demonstrated by Google’s security team back in 2017. The aging encryption algorithm was further exploited when scientists were able to add data to two different documents in a way that they both returned the same SHA-1 hash, which is called a “chosen-prefix collision.”
In order for attackers to compute a chosen-prefix collision they need quite a bit of computing power. The process requires quite a bit of number crunching that has an exchange rate of 50k on the black market. This cost is sure to drop over time. Due to the price drop of creating a prefix collision OpenSSH wil be disabling the ‘ssh-rsa’ public key signature algorithm by default with their future releases. The deprecation of the SHA-1 hashing algorithm has been know for years since Google demonstrated that it could be cracked in 2017. NIST actually called for the elimination of SHA-1 almost 15 years ago.
This notorious cipher written by the infamous Zodiac Killer was finally cracked by an international team! The stars of the show are Dave Oranchak, a software developer in Virginia, Sam Blake, an applied mathematician who lives in Australia, and Jarl Van Eycke, a warehouse operator in Belgium and software developer behind the AZdecrypt, a code-breaking app that was inspired by his drive to crack the 340.
The cipher, dubbed the “340”, has been around for 51 years and even though FBI and private citizens/cryptographers around the world have attempted to crack it it wasn’t until recently that it was solved. The cryptographers developed an app that helped him solve the Transposition cipher. This type of cipher rely on “relics from the past that use rules to rearrange characters or groups of characters in the message.”
The latest research shows that in granting and revoking system access rights, US organizations are using fine-tuning to affect its security. A study released today by the Identity Definition Security Alliance (IDSA) found that there are significant delays in granting and revoking access to company systems, which affects operations and increases potential risks for the organization. After 72% of the employees of the organization left, it took three days or more for the organization to revoke the system access rights of the former employees, which caused regulatory compliance issues and prolonged the risk of data theft. Usually, IT security teams need to provide a large number of point solutions for each application, but they have very little understanding of the entire enterprise environment. Configuration upgrades can automate most of the access control process. Reduce the configuration and de-configuration time from days to seconds.
A Swiss technology company, Terra Quantum AG, states that using quantum computers can identify vulnerabilities in commonly used encryption, and it could affect many technology companies to change the understanding of unbreakable encryption. However, other security experts are surprised, and one of the computer science professors at the University of Texas does not believe that it is possible to use quantum computing to break encryption easily. Moreover, Terra Quantum AG explains that the current view is being post-quantum secure is not post-quantum secure, and they can prove that the encryption is not secure and can be hacked. In their research, the vulnerabilities can affect symmetric encryption ciphers, and these used to secure data transmission via the internet and encrypt files. They emphasize that even the strongest versions of advanced encryption standards can be decipherable by quantum computing in the next couple of years. Therefore, this new technology will have a dramatic change to cybersecurity in the future.
I picked the same article as Cami and while it is theoretical, it is interesting to me how they solved the vulnerability. The article explains how current state Advanced Encryption Standard (AES) and the Message Digest 5 (MD5) hashing standard using an algorithm on a quantum annealer containing 20k qubits. The annealer or quantum strengthener does not exist today but could become available to hackers anytime in the future. The two encryption schemes have an data leakage inversion weakness when matched against quantum computing where a properly equipped hacker can use all the transmission line losses to reverse engineer and decipher the communication. How they solved for the vulnerability was to use Boltzman-Planck protected secure information transmission. The concept is that the transmission line leakage occurs due to scattering of small signal imperfections propagating through optical fiber. The method uses an unbreakable one-time pad combined with extreme high speeds to monitor the optical fiber and the scattering matrix to minimize the fraction of the signal leaked. The fraction of leakage is so tiny that the hacker is unable to decrypt the communication.
A Belgian security researcher found a way to get unlimited free coffee drinks from older model Nespresso machines. The hacker was able to do this by modifying smart cards to have any amount of funds possible. This is only possible because the currency is stored on the card and not routed through the coffee machine to a backend server to verify the contents on the card. The exploits had been known since 2008 as a fault with the specific card, and the card manufacturer has since updated the cards to be more secure, but the old cards still in circulation were able to be read by the machine. The hacker told Nespresso about this exploit in September, and they have allowed him to make this information public. This could mean that Nespresso is putting measures in place to replace the machines or patch this exploit out, but no official confirmation as such has come forward as of yet.
In this article, the author touches on the authentication gap between generations. Now most of us would believe that the younger generations who are more tech savvy and understand good security techniques would be the ones with stronger passwords and login credentials. However, the author goes on to make the case that the younger generation is actually worse at keeping info safe whether that be lazy passwords or sharing passwords, and actually denotes the older generations as smarter. At first I did not completely agree, however, with all the streaming and subscription services there are, it makes sense as kids share usernames and passwords to use these rather than pay for their own account. In addition, when younger generations are signing up for things they know they will rarely use, I find it more common that they will use a simple password and just say it isn’t that important. This can be dangerous because attackers will eventually be able to find links and reused passwords, possibly to more important accounts.
Quantum-resistant cryptography technology applied to medical information system
Korean Medical Information System has applied quantum resistant cryptography technology at a general hospital to achieve a quantum/Future proof security. LG Uplus (LGU+) has commercialized post-quantum cryptography (PQC) technology, which refers to cryptographic algorithms that are thought to be secure against an attack by a quantum computer. Cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat. LGU+ tested the usefulness of Post Quantum Cryptography technology by applying it to some exclusive commercial lines. Data that is encoded in a quantum state is virtually unhackable without quantum keys which are basically random number tables used to decipher encrypted information.
Law Firm Data Breach Impacts UPMC Patients
A cyber-attack on a Pennsylvania law firm has potentially exposed the personal health information (PHI) of more than 36,000 patients of University of Pittsburgh Medical Center (UPMC). Law firm Charles J. Hilton & Associates P.C. (CJH), which provides legal services to UPMC, discovered suspicious activity in its employee email system in June 2020. An investigation determined that hackers had gained access to several employee email accounts between April 1, 2020, and June 25, 2020. UPMC received a breach notification report from CJH confirming that whoever hacked into the email accounts may have accessed patient data.
Exposed data includes names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, and trip numbers. Hackers were also able to access Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescriptions or medications, drug tests, billing or claims, and/or disability.
Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks
Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in many industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.
The low-power Wi-Fi module is designed for use in embedded devices. It is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security. Tracked as CVE-2020-9395, the most severe flaw is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. An attacker can exploit the vulnerability in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).
https://www.securityweek.com/vulnerabilities-realtek-wi-fi-module-expose-many-devices-remote-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Man Charged in $11m Crypto Scheme that Featured Steven Seagal
A California man was charged with securities fraud after allegedly tricking cryptocurrency investors out of $11 million and using actor Steven Seagal to promote a fake company. He allegedly tricked cryptocurrency investors out of millions and took their money and spent it on sports cars, jewelry and upgrades to his home. False and misleading representations were made about 2 companies: Start Options and B2G. Investors were apparently told that their money would be held for a specified contract period, after which they could withdraw major profits. When the end of a Start Options contract approached, they allegedly tried to persuade investors to roll over their accounts into an Initial Coin Offering (ICO) for B2G. They falsely claimed that B2G could generate an 8000% return for investors within one year, and that Segal was a participant in the ICO.
https://www.infosecurity-magazine.com/news/man-charged-11m-crypto-steven/
Researchers extract secret key used to encrypt Intel CPU code
Intel chip security is at risk as researchers were able to extract the secret key that encrypts microcode updates. With this key, the microcode updates used in fixing security vulnerabilities and bugs can now be decrypted. Decrypting updates puts them at risk of reverse engineering; hence hackers/hobbyists might learn the exact way to exploit any vulnerability the microcode is fixing, based on how the code is being applied to vulnerabilities.
The decrypted key also allows attackers the ability to update the chips with custom/personalized updates when the system is running. The current security impact has not been fully assessed, but it has been found that the key can be extracted for any chip based on the Goldmount architecture (Atom, Celeron, or Pentium).
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/?web_view=true
FonixCrypter, a cybercrime group that is known for their ransomware attacks, made a big announcement on Twitter. The group has been present since June 2020 and has decided to shut down their operations and deleted the source code of their ransomware. Additionally, they released a package which includes a decryption tool, the ransomware’s master decryption key and instructions on how to use it. However, researchers highly advise against using their decryption tool since it could contain other malware that can further affect the systems. A software company, Emsisoft, is in the process of building a clean and safe version of the decryption tool and recommends waiting for the release of this tool. In 2020, ransomware damage amounted upwards to $20 billion.
https://www.zdnet.com/article/fonixcrypter-ransomware-gang-releases-master-decryption-key/
https://purplesec.us/resources/cyber-security-statistics/ransomware/#:~:text=The%20estimated%20cost%20of%20ransomware,2018%20%E2%80%93%20%248%20billion
NSA advises defense, national security supply chain on replacing deprecated encryption protocols
This article reviews the new guidelines issued by the NSA to avoid TLS 1.0 and TLS 1.1. They recommend all organizations use TLS 1.2 or TLS 1.3. They said there are exploits of TLS 1.0/1.1 which require ‘very few’ skills required by the end user. Using TLS 1.0 or TLS 1.1 can leave an organization susceptible to man in the middle attacks. This would allow someone to review the data it can capture. The NSA data is fully protected when you use authorized TLS with a compliant cipher suite and strong key exchange methods.
One thing I liked about the article is it calls out the NSA for still recommended old RSA key exchanges and CBC-mode. Robert Merget said the following, ” I am a little disappointed that the NSA still recommends RSA and DH(E) key exchange algorithms, as both have shown to have weaknesses and implementation pitfalls in the past. I was also surprised that the CBC-mode was not explicitly mentioned, as it is also a common cause for implementation errors in TLS and should be avoided if possible.”
https://portswigger.net/daily-swig/nsa-advises-defense-national-security-supply-chain-on-replacing-deprecated-encryption-protocols
https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
Study Finds Delays in Revoking System Access
A study published today by the Identity Defined Security Alliance (IDSA) uncovered significant delays in giving and rescinding access to corporate systems, impacting operations and increasing potential risk to the organization.
According to the report, for the majority of companies (72%) it takes one week or longer for a typical employee to obtain access to required systems. After a worker leaves, it takes half of organizations three days or longer to revoke the former employee’s system access, creating regulatory compliance issues and prolonging the risk of data theft. Only 23% said system access enablement is automated, while 35% report revoking system access is automated.
“Though the report findings are unsettling, they reflect the realities of today’s complex work-from-home environment and hybrid landscape of cloud and on-premises applications,” Greenlight president Kevin Dunne told Infosecurity Magazine.
“Typically, IT security teams rely on a hodgepodge of point solutions for each application with little visibility across the enterprise landscape. Fortunately, many new advancements have been made in the area of just-in-time provisioning, which can automate much of the access governance process and shave provisioning and deprovisioning time from days down to seconds.”
https://www.infosecurity-magazine.com/news/study-finds-delays-in-revoking/
Industry Perspective: Protecting Employees Doesn’t Have to Sacrifice Data Privacy
Covid-19 presents “a range of cyber security challenges.” The Ernst & Young Internet team reports “a significant increase in phishing and targeted spear-phishing complaints.” KPMG has reported a rapid increase in ransomware themed around Covid-19. To properly protect employees, companies need to implement security tools that provide visibility and monitoring. However, employees will resist or avoid any negligence that feels like an invasion of privacy. This desire for privacy has been enshrined in law. In the European Union, a number of companies already have been fined over-zealous monitoring of their remote workforce.
Security and compliance teams should seek tools that achieve this balance and allow them to detect threats while implementing controls that protect privacy. They need a solution that can scan without spying, and that can monitor without reading. Content and digital voice can remain private, even if threats can be addressed immediately.
https://www.eweek.com/security/protecting-employees-doesn-t-have-to-sacrifice-data-privacy
Researchers have publicly disclosed security flaws found in ADT-owned LifeShield security cameras, which, if exploited, could have allowed a local attacker to eavesdrop on victims’ conversations or tap into a live video feed. The life shield brand is owned by ADT Security Services (Leading in the security industry) Specifically affected is the LifeShield DIY HD Video Doorbell, which connects to users’ Wi-Fi networks and lets them answer the door remotely using the LifeShield mobile app.According to ADT, 1,500 devices were affected by the flaw. These devices were part of a single model of LifeShield doorbell camera, which was marketed and sold as a residential device, and is no longer currently sold. In order to exploit the flaw, “an attacker would only need to be connected to the same network as the wireless camera, When connected to the same Wi-Fi network the attacker can view credentials from the cloud for each device. Which allowed an attacker to obtain the administrator password of the camera by simply knowing its MAC address.After gaining credentials via the device MAC address, attackers could have easily accessed the interface. This would have given them unauthenticated access to the RTSP server – allowing them to access both video and audio of the camera’s streaming live feed. Researchers contacted ADT before publicly disclosing the flaw, and ADT has deployed patches to all impacted devices. However, security experts warn that ADT’s glitches serve as a warning and are just the latest camera maker to patch similar security issues tied to connected cameras.
https://www.buzzfeednews.com/article/salvadorhernandez/home-security-camera-hacked-adt
Crypto Fund Founder Pleads Guilty to $100m Fraud Scheme
Two cryptocurrency hedge funds, Virgil Sama and VQR, has pleaded guilty to securities fraud, defrauding investors almost out of $100M. Stefan He Qin launched these hedge funds as a way to earn money from an algorithm that took advantage of market price differences for digital currencies. The funds have an accrued value of over $114 M.
Stefan Qin has been using these funds as his personal slush funds, using the investments to fund his lifestyle and other assets. He lied to his investors and sent them false account statements and tax forms. By having two funds, he was able to trick investors who were attempting to pull out to reinvest in VQR. Investors were defrauded for nearly $100M.
https://www.infosecurity-magazine.com/news/crypto-founder-pleads-guilty-100m/
Collision avoidance: OpenSSH lays out plans to ditch aging SHA-1 hashing algorithm
The developers behind OpenSSH have announced their intention to stop supporting the aging SHA-1 hashing algorithm in the near future. OpenSSH, a set of open source utilities based on the Secure Shell (SSH) protocol, a technology typically used for server management, is preparing to ditch SHA-1 in favor of more secure, modern alternatives such as SHA-2. Web browser vendors such as Mozilla dropped support for SHA-1 SSL certificates back in 2017, along with the popular software repository site Git, following suit, as the algorithm’s shortcomings become too severe to ignore.
Hashing functions like SHA-1 work by processing an input to give a fixed size hash value, or message digest. The message digest can be compared to determine if two files, documents, digital certificates, or executable files are the same without a computationally expensive byte-by-byte comparison. In essence, this validates the integrity of the data. This process falls apart in cases where two different files give the same hash value, which is known as a collision. This was demonstrated by Google’s security team back in 2017. The aging encryption algorithm was further exploited when scientists were able to add data to two different documents in a way that they both returned the same SHA-1 hash, which is called a “chosen-prefix collision.”
In order for attackers to compute a chosen-prefix collision they need quite a bit of computing power. The process requires quite a bit of number crunching that has an exchange rate of 50k on the black market. This cost is sure to drop over time. Due to the price drop of creating a prefix collision OpenSSH wil be disabling the ‘ssh-rsa’ public key signature algorithm by default with their future releases. The deprecation of the SHA-1 hashing algorithm has been know for years since Google demonstrated that it could be cracked in 2017. NIST actually called for the elimination of SHA-1 almost 15 years ago.
https://portswigger.net/daily-swig/collision-avoidance-openssh-lays-out-plans-to-ditch-aging-sha-1-hashing-algorithm
A little cryptography fun!
This notorious cipher written by the infamous Zodiac Killer was finally cracked by an international team! The stars of the show are Dave Oranchak, a software developer in Virginia, Sam Blake, an applied mathematician who lives in Australia, and Jarl Van Eycke, a warehouse operator in Belgium and software developer behind the AZdecrypt, a code-breaking app that was inspired by his drive to crack the 340.
The cipher, dubbed the “340”, has been around for 51 years and even though FBI and private citizens/cryptographers around the world have attempted to crack it it wasn’t until recently that it was solved. The cryptographers developed an app that helped him solve the Transposition cipher. This type of cipher rely on “relics from the past that use rules to rearrange characters or groups of characters in the message.”
https://arstechnica.com/information-technology/2020/12/zodiac-killer-cipher-is-cracked-after-eluding-sleuths-for-51-years/
https://en.wikipedia.org/wiki/Transposition_cipher#:~:text=In%20cryptography%2C%20a%20transposition%20cipher,a%20permutation%20of%20the%20plaintext.
The latest research shows that in granting and revoking system access rights, US organizations are using fine-tuning to affect its security. A study released today by the Identity Definition Security Alliance (IDSA) found that there are significant delays in granting and revoking access to company systems, which affects operations and increases potential risks for the organization. After 72% of the employees of the organization left, it took three days or more for the organization to revoke the system access rights of the former employees, which caused regulatory compliance issues and prolonged the risk of data theft. Usually, IT security teams need to provide a large number of point solutions for each application, but they have very little understanding of the entire enterprise environment. Configuration upgrades can automate most of the access control process. Reduce the configuration and de-configuration time from days to seconds.
https://www.infosecurity-magazine.com/news/study-finds-delays-in-revoking/
A Swiss technology company, Terra Quantum AG, states that using quantum computers can identify vulnerabilities in commonly used encryption, and it could affect many technology companies to change the understanding of unbreakable encryption. However, other security experts are surprised, and one of the computer science professors at the University of Texas does not believe that it is possible to use quantum computing to break encryption easily. Moreover, Terra Quantum AG explains that the current view is being post-quantum secure is not post-quantum secure, and they can prove that the encryption is not secure and can be hacked. In their research, the vulnerabilities can affect symmetric encryption ciphers, and these used to secure data transmission via the internet and encrypt files. They emphasize that even the strongest versions of advanced encryption standards can be decipherable by quantum computing in the next couple of years. Therefore, this new technology will have a dramatic change to cybersecurity in the future.
https://www.bloomberg.com/news/articles/2021-02-07/a-swiss-company-says-it-found-weakness-that-imperils-encryption
I picked the same article as Cami and while it is theoretical, it is interesting to me how they solved the vulnerability. The article explains how current state Advanced Encryption Standard (AES) and the Message Digest 5 (MD5) hashing standard using an algorithm on a quantum annealer containing 20k qubits. The annealer or quantum strengthener does not exist today but could become available to hackers anytime in the future. The two encryption schemes have an data leakage inversion weakness when matched against quantum computing where a properly equipped hacker can use all the transmission line losses to reverse engineer and decipher the communication. How they solved for the vulnerability was to use Boltzman-Planck protected secure information transmission. The concept is that the transmission line leakage occurs due to scattering of small signal imperfections propagating through optical fiber. The method uses an unbreakable one-time pad combined with extreme high speeds to monitor the optical fiber and the scattering matrix to minimize the fraction of the signal leaked. The fraction of leakage is so tiny that the hacker is unable to decrypt the communication.
https://www.businesswire.com/news/home/20210208005290/en/Terra-Quantum-Makes-Electronically-Transmitted-Communications-Unbreakable-After-Revealing-Weakness-in-%E2%80%98post-quantum-Cryptography%E2%80%99
A Belgian security researcher found a way to get unlimited free coffee drinks from older model Nespresso machines. The hacker was able to do this by modifying smart cards to have any amount of funds possible. This is only possible because the currency is stored on the card and not routed through the coffee machine to a backend server to verify the contents on the card. The exploits had been known since 2008 as a fault with the specific card, and the card manufacturer has since updated the cards to be more secure, but the old cards still in circulation were able to be read by the machine. The hacker told Nespresso about this exploit in September, and they have allowed him to make this information public. This could mean that Nespresso is putting measures in place to replace the machines or patch this exploit out, but no official confirmation as such has come forward as of yet.
https://portswigger.net/daily-swig/hack-against-older-nespresso-vending-machines-facilitates-endless-free-beverage-exploit
https://www.infosecurity-magazine.com/next-gen-infosec/password-habits-differ-generations/
In this article, the author touches on the authentication gap between generations. Now most of us would believe that the younger generations who are more tech savvy and understand good security techniques would be the ones with stronger passwords and login credentials. However, the author goes on to make the case that the younger generation is actually worse at keeping info safe whether that be lazy passwords or sharing passwords, and actually denotes the older generations as smarter. At first I did not completely agree, however, with all the streaming and subscription services there are, it makes sense as kids share usernames and passwords to use these rather than pay for their own account. In addition, when younger generations are signing up for things they know they will rarely use, I find it more common that they will use a simple password and just say it isn’t that important. This can be dangerous because attackers will eventually be able to find links and reused passwords, possibly to more important accounts.
https://www.ajudaily.com/view/20210201111358948
Quantum-resistant cryptography technology applied to medical information system
Korean Medical Information System has applied quantum resistant cryptography technology at a general hospital to achieve a quantum/Future proof security. LG Uplus (LGU+) has commercialized post-quantum cryptography (PQC) technology, which refers to cryptographic algorithms that are thought to be secure against an attack by a quantum computer. Cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat. LGU+ tested the usefulness of Post Quantum Cryptography technology by applying it to some exclusive commercial lines. Data that is encoded in a quantum state is virtually unhackable without quantum keys which are basically random number tables used to decipher encrypted information.
Law Firm Data Breach Impacts UPMC Patients
A cyber-attack on a Pennsylvania law firm has potentially exposed the personal health information (PHI) of more than 36,000 patients of University of Pittsburgh Medical Center (UPMC). Law firm Charles J. Hilton & Associates P.C. (CJH), which provides legal services to UPMC, discovered suspicious activity in its employee email system in June 2020. An investigation determined that hackers had gained access to several employee email accounts between April 1, 2020, and June 25, 2020. UPMC received a breach notification report from CJH confirming that whoever hacked into the email accounts may have accessed patient data.
Exposed data includes names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, and trip numbers. Hackers were also able to access Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescriptions or medications, drug tests, billing or claims, and/or disability.
https://www.infosecurity-magazine.com/news/law-firm-data-breach-impacts-upmc/?&web_view=true