Archive for the ‘Biz & IT’ Category

Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords

April 11th, 2019
Artist's impression of wireless hackers in your computer. (credit: TimeStopper/Getty Images)

The next-generation Wi-Fi Protected Access protocol released 15 months ago was once hailed by key architects as resistant to most types of password-theft attacks that threatened its predecessors. On Wednesday, researchers disclosed several serious design flaws in WPA3 that shattered that myth and raised troubling new questions about the future of wireless security, particularly among low-cost Internet-of-things devices.

While a big improvement over the earlier and notoriously weak Wired Equivalent Privacy and the WPA protocols, the current WPA2 version (in use since the mid-2000s) has suffered a crippling design flaw that has been known for more than a decade: the four-way handshake—a cryptographic process WPA2 uses to validate computers, phones, and tablets to an access point and vice versa—contains a hash of the network password. Anyone within range of a device connecting to the network can record this handshake. Short passwords or those that aren’t random are then trivial to crack in a matter of seconds.

One of WPA3’s most promoted changes was its use of “Dragonfly,” a completely overhauled handshake that its architects once said was resistant to the types of password guessing attacks that threatened WPA2 users. Known in Wi-Fi parlance as the Simultaneous Authentication of Equals handshake, or just SAE for short, Dragonfly augments the four-way handshake with a Pairwise Master Key that has much more entropy than network passwords. SAE also provides a feature known as forward secrecy that protects past sessions against future password compromises.

Posted in Biz & IT, encryption, exploits, vulnerabilities, wi-fi, wi-fi protected access, WPA, WPA2, WPA3

After pushback from states and cities, Amazon Go might accept cash

April 11th, 2019
Amazon Go interior


According to CNBC, Amazon executive Steve Kessel told employees at a recent all-hands meeting that the company's brick-and-mortar, cashier-less Amazon Go stores would start accepting "additional payment mechanisms" to combat charges of discrimination.

An Amazon spokesperson later told CNBC that those additional mechanisms included accepting cash. "You’ll check out, pay with cash, and then get your change," the spokesperson said.

Recently, Philadelphia and New Jersey passed laws prohibiting cashless retail stores on the grounds that they discriminate against the more than eight million US households that have no access to a debit or credit card, often due to poverty. Lawmakers also said that cashless stores needlessly deny customers the option to keep their purchases private. New York City and San Francisco have been considering similar rules. Cashless stores have been illegal in Massachusetts since the 1970s.

Posted in amazon, amazon go, Biz & IT, cash, cashless

Japanese F-35 crashed into Pacific, rest of fleet grounded

April 10th, 2019
An F-35 fighter aircraft of the Japan Air Self-Defense Force was lost in the Pacific on Tuesday. (credit: KAZUHIRO NOGI / Getty Images)

On Tuesday, a Japanese Air Self Defense Force (JASDF) F-35A fighter disappeared from radars suddenly only 20 minutes after takeoff in reportedly clear weather, with no distress calls from the pilot. Today, after a search-and-rescue effort involving Japanese military and US Navy ships and aircraft, the wreckage of the aircraft was located. But the search continues for the pilot.

According to a JASDF spokesperson, the F-35A was lost from radar approximately 135 kilometers (about 84 miles) east of Misawa Air Base, a joint US-Japanese air base in Aomori prefecture—about 690 kilometers (430 miles) north of Tokyo.

This is only the second F-35 crash since the aircraft completed flight testing—a Marine Corps F-35B crashed in South Carolina in September of 2018. But there have been other safety incidents with the aircraft. In June of 2014, an Air Force F-35A caught fire before take-off because of an engine failure. And in June of 2017, the Air Force briefly grounded F-35As after five incidents in which pilots experienced the symptoms of hypoxia (oxygen deprivation).

Posted in air crash, Biz & IT, F-35A, Japan Air Self Defense Force, Policy

DHS, FBI say election systems in 50 states were targeted in 2016

April 10th, 2019
Voter registration data was one of the targets of Russian hacking efforts in the run-up to the 2016 presidential election—which DHS and FBI analysts now say went after systems in every state. (credit: Getty Images)

A joint intelligence bulletin (JIB) has been issued by the Department of Homeland Security and Federal Bureau of Investigation to state and local authorities regarding Russian hacking activities during the 2016 presidential election. While the bulletin contains no new technical information, it is the first official report to confirm that the Russian reconnaissance and hacking efforts in advance of the election went well beyond the 21 states confirmed in previous reports.

As reported by the intelligence newsletter OODA Loop, the JIB stated that, while the FBI and DHS "previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure," new information obtained by the agencies "indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states." While not providing specific details, the bulletin continued, "The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections."

Posted in 2016 presidential election, Biz & IT, DHS, FBI, Policy, robert mueller, Russian election interference

Mysterious safety-tampering malware infects a second critical infrastructure site

April 10th, 2019
Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on safety systems. (credit: IIP Photo Archive)

Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents.

There had been compromises of critical infrastructure sites before. What was unprecedented in this attack—and of considerable concern to some researchers and critical infrastructure operators—was the use of an advanced piece of malware that targeted the unidentified site’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, a SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.

By focusing on the site’s SIS, the malware carried the threat of physical destruction that, depending on the site and the type of accident, had the potential to be serious if not catastrophic. The malware was alternately named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute.

Posted in Biz & IT, critical infrastructure, Industrial Control Systems, malware, Policy, Triton

Dutch F-16 flies into its own bullets, scores self-inflicted hits

April 9th, 2019
A Dutch Air Force F-16 had a close encounter with its own cannon shells in January. (credit: Getty Images)

The Netherlands’ Defense Safety Inspection Agency (Inspectie Veiligheid Defensie) is investigating an incident during a January military exercise in which a Dutch Air Force F-16 was damaged by live fire from a 20-millimeter cannon—its own 20-millimeter cannon. At least one round fired from the aircraft’s M61A1 Vulcan Gatling gun struck the aircraft as it fired at targets on the Dutch military’s Vliehors range on the island of Vlieland, according to a report from the Netherlands’ NOS news service.

Two F-16s were conducting firing exercises on January 21. It appears that the damaged aircraft actually caught up with the 20mm rounds it fired as it pulled out of its firing run. At least one of them struck the side of the F-16’s fuselage, and parts of a round were ingested by the aircraft’s engine. The F-16’s pilot managed to land the aircraft safely at Leeuwarden Air Base.

The incident reflects why guns on a high-performance jet are perhaps a less than ideal weapon. The Vulcan is capable of firing over 6,000 shots per minute, but its magazine carries only 511 rounds—just enough for five seconds of fury. The rounds have a muzzle velocity of 3,450 feet per second (1.05 meters per second). That is speed boosted initially by the aircraft itself, but atmospheric drag slows the shells down eventually. And if a pilot accelerates and maneuvers in the wrong way after firing the cannon, the aircraft could be unexpectedly reunited with its recently departed rounds.

Posted in air combat, Biz & IT, Dutch Air Force, F-16, F-35A, Policy

New variants of Mirai botnet detected, targeting more IoT devices

April 9th, 2019
(credit: BeeBright/Getty Images)

Mirai, the “botnet” malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016—including one against the website of security reporter Brian Krebs—has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks’ Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, baseband radios for cellular communications, and digital signal processors.

The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

Posted in altera, Biz & IT, botnets, Internet of things, IoT, mirai, OpenRisc, Xilinx, Xtensa

Somebody forgot to upgrade: Flights delayed, cancelled by GPS rollover

April 9th, 2019
Your flight is arriving WAY ahead of schedule, apparently. (credit: China Aviation Review via Twitter)

The world did not come to an end this past weekend when the 10-bit calendar-week counter in the Global Positioning System’s precision timing system “rolled over” back to 0000000—an event that caused older, unpatched GPS systems to suddenly act like they had jumped nearly 20 years back in time. But the long-anticipated reset of the calendar count did apparently lead to cancellations of some airline flights overseas, as technicians failed to catch warnings and update firmware.

According to reports on social media, at least one KLM flight—a Boeing 777 bound from Amsterdam to Bogota—and flights involving as many as 15 Boeing 777s and 787s in China were delayed or canceled over the weekend because of calendar-rollover errors on navigation systems aboard those aircraft. Data for some of the flights identified confirmed lengthy delays in departures, with the KLM flight leaving seven hours behind schedule.

A Reddit user reported that his girlfriend’s KLM flight, KL741 from Amsterdam’s Schiphol Airport, was “grounded because of ‘something to [do] with the date being wrong and Honeywell can't guarantee the plane is safe.’”

Posted in Biz & IT, Boeing 777, Boeing 787, global positioning system, GPS, gps week rollover, Honeywell Aerospace

Thumb drive carried by Mar-a-Lago intruder immediately installed files on a PC

April 8th, 2019
(credit: Saurabh R. Patil)

The already suspicious account of a Chinese national who allegedly carried four cellphones, a thumb drive containing malware, and other electronics as she breached security at President Trump's private Florida club just grew even more fishy.

According to testimony presented Monday, Yujing Zhang's hotel room had a signal detector and additional suspicious possessions in it. The malware she carried may have been able to infect a computer as soon as the drive was plugged in.

The possessions in Zhang's hotel room included five SIM cards, nine USB drives, yet another cell phone, and a signal detector that could scan an area for hidden cameras, according to reports widely circulated Monday. In addition to the electronics, Zhang's hotel room also contained more than $8,000, with $7,500 of it in US $100 bills and $663 in Chinese currency, The Washington Post reported.

Posted in Biz & IT, espionage, malware, Policy, thumb drive, US Secret Service

In Verizon 5G launch city, reviewers have trouble even finding a signal

April 8th, 2019
A giant Verizon 5G logo in an expo hall. (credit: Verizon)

Verizon launched its mobile 5G network last week in "select areas" of Minneapolis and Chicago, and a speed test shared by a Verizon spokesperson showed an impressive download speed of 762Mbps.

But the single speed test displayed by Verizon was conducted near a tower with clear line of sight to that tower. Actually finding a 5G signal elsewhere in Verizon's launch areas is much more difficult, according to tests by The Verge and CNET.

The two news organizations each had a reporter travel through the parts of Chicago where Verizon says its 5G network is ready. The results were disappointing.

Posted in 5G, Biz & IT, verizon