My Weekly RoundUp #103
Some interesting topics from BlackHat and DefCon!
A Japanese user of Microsoft Excel asks:
“Why is the SAVE ICON a ‘Vending Machine w/ a Beverage dispensed?’”
The save icon is not a vending machine
A researcher abused the GDPR to get information on his fiancee:
Black Hat: GDPR privacy law exploited to reveal personal data
About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.
https://www.bbc.com/news/technology-49252501
The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
In each case, he asked for all the data that they held on his fiancee.
In one case, the response included the results of a criminal activity check.
Other replies included credit card information, travel details, account logins and passwords, and the target’s full US social security number.
University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.
It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.
A provocative post by Raj Bhatia:
Agile is Dead
Here’s a quiz for you. How does the first line of the Agile Manifesto begin? Let me help. It says, “We are uncovering better ways of developing software….” Stop. Notice it says, “developing software.” It does not say, “leaning out your org,” “paying down transformation debt,” “cutting it out with this command-and-control crap,” “focusing on outcomes and getting better at discovery work,” “fixing your medieval budgeting system,” or any of the other far more value-adding things people have tried to glom onto it. But the thing is, when people say that Agile pertains to the whole org, it’s revisionist history. It’s dishonest.
https://www.linkedin.com/pulse/agile-dead-raj-bhatia-pmp-pmi-acp/
Notice too it begins, “We are uncovering….” It does not say, “We have received from on high….” The Snowbird signing of the Manifesto was not the work of lightening or the unseen hand. When are we going to stop pretending otherwise?
Another week, another Bluetooth vulnerability!
Serious Bluetooth flaw leaves devices open to attack
A group of researchers has discovered a critical Bluetooth vulnerability that leaves tons of wireless devices exposed to digital intrusions. The Bluetooth SIG, an organization that oversees the technology’s standards, has issued a security notice for what the researchers are calling Key Negotiation of Bluetooth or KNOB attack. It gives bad actors the ability to interfere with the Bluetooth pairing procedure, allowing them to make the connection’s encryption key shorter than what it’s supposed to be. That makes it easy for attackers to brute force their way into the connection and be able to spy on data shared between devices, such as between a phone and a speaker or a phone and another phone.
https://www.engadget.com/2019/08/16/bluetooth-flaw-knob-attack/
The fact that attackers can exploit the flaw even for devices that had been previously paired makes it even worse. According to the paper the researchers published, the vulnerability affects devices that use Bluetooth BR/EDR (or Bluetooth Classic) connection. The attack will only work if both devices establishing a connection have the vulnerability.
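To make the mechanism concrete, here is a small model of the BR/EDR encryption key-size negotiation and of the defence that matters: a device-side floor on the accepted key length. This is an added illustration, not code from the KNOB researchers or the Bluetooth SIG; the message flow is simplified, the device names and the `tamper` hook are constructed for the example, and the 7-octet floor is an assumption taken from the SIG's public recommendation at the time (check the current specification for the exact value).

```python
"""Model of Bluetooth BR/EDR encryption key-size negotiation and the key-length
floor that makes a KNOB-style downgrade fail closed.

Added illustration only; not code from the KNOB paper or the Bluetooth SIG.
"""

MAX_OCTETS = 16          # largest BR/EDR encryption key size
SPEC_MIN_OCTETS = 1      # smallest size the original negotiation let a peer propose
RECOMMENDED_FLOOR = 7    # assumed floor per the SIG's KNOB notice (verify against current spec)


class Device:
    """One side of the link. `floor` is the smallest key size this device will accept."""

    def __init__(self, name: str, max_octets: int = MAX_OCTETS, floor: int = SPEC_MIN_OCTETS):
        self.name = name
        self.max_octets = max_octets
        self.floor = floor

    def propose(self) -> int:
        # A well-behaved device asks for the largest key it supports.
        return self.max_octets

    def counter_proposal(self, seen: int) -> int:
        # Spec behaviour: settle on the largest size both sides can support.
        return min(seen, self.max_octets)

    def accept(self, size: int) -> bool:
        # LMP_accepted only if the size is within this device's policy;
        # without a floor, SPEC_MIN_OCTETS == 1 means a 1-octet key is accepted.
        return self.floor <= size <= self.max_octets


def negotiate(initiator: Device, responder: Device, tamper=None):
    """Run the key-size exchange between two devices.

    `tamper`, when given, rewrites every proposal while it is in flight and models an
    adversary on the link. Returns the agreed key size in octets, or None if either
    side refuses, in which case link encryption is never established with a weak key.
    """
    def in_flight(n: int) -> int:
        return n if tamper is None else tamper(n)

    proposal = in_flight(initiator.propose())        # initiator -> responder
    reply = responder.counter_proposal(proposal)
    if not responder.accept(reply):
        return None
    reply = in_flight(reply)                         # responder -> initiator
    if not initiator.accept(reply):
        return None
    return reply


def brute_force_keyspace(octets: int) -> int:
    """Number of candidate keys an eavesdropper must try for a key of the given size."""
    return 1 << (8 * octets)


if __name__ == "__main__":
    print("honest link:", negotiate(Device("phone"), Device("speaker")))
    downgraded = negotiate(Device("phone"), Device("speaker"), tamper=lambda n: 1)
    print("downgraded to", downgraded, "octet(s) ->", brute_force_keyspace(downgraded), "keys")
    hardened = negotiate(Device("phone", floor=RECOMMENDED_FLOOR),
                         Device("speaker", floor=RECOMMENDED_FLOOR), tamper=lambda n: 1)
    print("with floor:", hardened)   # None: the link refuses the weak key
```

The point of the model is the last call: the negotiation itself cannot tell a genuinely limited peer from a tampered message, so the only robust fix is a policy floor on each device, which is why devices that both lack the fix are the ones at risk.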
Malicious iOS app claims to use the Touch ID fingerprint scanner to track users’ pulse, but it actually performs an in-app purchase for $89 by using the fingerprint to complete the transaction in the background:
How to Spot Scam iOS Apps That Sucker You into Making Expensive Purchases
The app’s return to the App Store was reported on by 9to5Mac, who also notes that a recent report from Apps Exposed references more than 500 other apps on the App Store that are also using similar tactics to con users.
https://lifehacker.com/how-to-spot-scam-ios-apps-that-sucker-you-into-making-e-1837053973
Unsurprisingly, many are based around adult content—especially peer-to-peer video chatting, free pornography, and casual sex. What is surprising, however, is that many manage to skirt Apple’s relatively strict reviews policy and artificially inflate their app scores with five-star reviews, which makes it harder to tell they’re fishy from a cursory glance. Still, if you look hard enough and comb through the reviews, you’ll find plenty calling out these apps for being scams.
A security researcher registered a vanity California license plate consisting solely of the word “NULL”, just for fun, but:
He tried to prank the DMV. Then his vanity license plate backfired big time
Everyone hates parking tickets. Not everyone, however, is an information security researcher with a mischievous side and a freshly minted vanity license plate reading “NULL.”
That would be Droogie (his handle, if that’s not obvious), a presenter at this year’s DEF CON hacking conference in Las Vegas and man with a very specific problem: He’s on the receiving end of thousands of dollars worth of tickets that aren’t his. But don’t tell that to the DMV.
It wasn’t, of course, supposed to end up this way. In fact, exactly the opposite. Droogie registered a vanity California license plate consisting solely of the word “NULL” — which in programming is a term for no specific value — for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV’s ticketing system.
“I was like, ‘I’m the shit,'” he joked to the crowd. “‘I’m gonna be invisible.’ Instead, I got all the tickets.”
Researchers found two new weaknesses in WPA3 protocol:
DRAGONBLOOD flaws allow hacking WPA3 protected WiFi passwords
Dragonblood experts devised two new side-channel attacks that allow attackers to steal your WiFi password by exploiting two flaws in the protocol.
https://securityaffairs.co/wordpress/89348/hacking/dragonblood-wpa3-flaws.html
The first issue, tracked as CVE-2019-13377, is a timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves.
“During our initial disclosure, the Wi-Fi Alliance privately created security recommendations to mitigate our attacks. In these recommendations, they claim that Brainpool curves are safe to use, at least if products securely implement Dragonfly’s quadratic residue test (i.e. it must be implemented without side-channel leaks).” reads a security advisory published by the team.
“However, we found that using Brainpool curves introduces the second class of side-channel leaks in the Dragonfly handshake of WPA3. In other words, even if the advice of the WiFi Alliance is followed, implementations remain at risk of attacks.”
Experts pointed out that the new side-channel leak affects the password encoding algorithm of Dragonfly, the Brainpool leak works against the latest Hostapd version, and attackers can use leaked information to carry out a brute-force
The second issue, tracked as CVE-2019-13456, is an information leak flaw that resides in the implementation of EAP-pwd (Extensible Authentication Protocol-Password) in FreeRADIUS.
“Apart from this, we also discovered a new implementation-specific side-channel in the EAP-pwd implementation of FreeRADIUS. More worrisome, we found that the Wi-Fi firmware of Cypress chips only executes 8 iterations at minimum to prevent side-channel leaks. Although this makes attacks harder, it does not prevent them.” the experts added. “This strengthens our hypothesis that the backwards-compatible countermeasures against our attacks are too costly for lightweight devices.”
The security duo reported their findings to the WiFi Alliance, which addressed the issues with an update, but the mitigations wouldn’t be compatible with the initial version of WPA3.
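The “password encoding algorithm” the article refers to is Dragonfly’s hunting-and-pecking loop, and the “iterations” the Cypress remark counts are passes through that loop. The toy below, an added illustration rather than code from the Dragonblood researchers, hostapd or FreeRADIUS, shows why the number of passes is a side channel and what the fixed-iteration countermeasure changes. The curve parameters, SSID and passwords are constructed for the example; the curve is not a Brainpool curve and HMAC-SHA256 stands in for the spec’s key derivation.

```python
"""Toy model of Dragonfly's hunting-and-pecking password-to-curve encoding.

Added illustration only; not code from the Dragonblood paper, hostapd or FreeRADIUS.
The curve, SSID and passwords are constructed and have no security value.
"""
import hashlib
import hmac

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); P = 2^61 - 1 is prime.
P = (1 << 61) - 1
A = P - 3
B = 0x1234567


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: v is a square mod P iff v^((P-1)/2) == 1 (0 counts as a square).
    In real Dragonfly this test is one of the places a non-constant-time implementation leaks."""
    v %= P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def candidate_x(password: bytes, ssid: bytes, counter: int) -> int:
    """One x-coordinate candidate derived from (password, counter).
    HMAC-SHA256 stands in for the spec's KDF; the top bit_length(P) bits are kept."""
    seed = hmac.new(ssid, password + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(seed, "big") >> (256 - P.bit_length())


def on_curve(x: int) -> bool:
    """A candidate is usable when x < P and x^3 + A*x + B has a square root mod P."""
    return x < P and is_quadratic_residue(x ** 3 + A * x + B)


def leaky_encode(password: bytes, ssid: bytes, max_iter: int = 40):
    """Stops at the first usable x. The number of residue tests performed, hence the
    running time, depends on the password: that is the side channel."""
    for counter in range(1, max_iter + 1):
        x = candidate_x(password, ssid, counter)
        if on_curve(x):
            return x, counter
    return None, max_iter


def constant_iteration_encode(password: bytes, ssid: bytes, iterations: int = 40):
    """Always performs the same number of residue tests and keeps the first hit, so the
    iteration count no longer depends on the password. (A production implementation
    would also select `found` without a secret-dependent branch.)"""
    found = None
    for counter in range(1, iterations + 1):
        x = candidate_x(password, ssid, counter)
        hit = on_curve(x)
        if hit and found is None:
            found = x
    return found, iterations


def compare(passwords, ssid: bytes):
    """Run both encoders over a list of passwords and report what an observer
    counting residue tests (or timing the loop) would see for each."""
    leaky_counts, fixed_counts, same = [], [], True
    for pw in passwords:
        lx, lc = leaky_encode(pw, ssid)
        fx, fc = constant_iteration_encode(pw, ssid)
        leaky_counts.append(lc)
        fixed_counts.append(fc)
        same = same and lx == fx
    return {"leaky_counts": leaky_counts, "fixed_counts": fixed_counts, "same_result": same}


if __name__ == "__main__":
    sample = [b"password%d" % i for i in range(8)]   # constructed sample passwords
    result = compare(sample, b"ToyNetwork")
    print("leaky  :", result["leaky_counts"])   # varies with the password
    print("fixed  :", result["fixed_counts"])   # always 40
    print("same x :", result["same_result"])
```

Each pass has roughly a one-in-two chance of landing on the curve, so the leaky loop’s exit point is a password-dependent value an observer can correlate with a dictionary. Running `constant_iteration_encode` with a smaller fixed count, such as the 8 passes mentioned for the Cypress firmware, shows the limit of that countermeasure in this model: every password whose first hit lies beyond the floor still reveals where it was found, which is consistent with the researchers’ remark that a low floor makes the attack harder without preventing it.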
Boeing left its software unprotected?
A Boeing code leak exposes security flaws deep in a 787’s GUTS
Last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing’s network, seemingly full of code designed to run on the company’s giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.
https://www.wired.com/story/boeing-787-code-leak-security-flaws/
Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner’s components, deep in the plane’s multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.