A collection point
...and some of my own.
Pixel 4a is the first device to go through ioXt at launch

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones. ioXt's baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization. NCC Group (a sanctioned auditor) has published an audit report that included assessments of the following:

1. The product shall not have a universal password; unique security credentials will be required for operation.
2. All product interfaces shall be appropriately secured by the manufacturer.
3. Product security shall use strong, proven, updatable cryptography using open, peer-reviewed methods and algorithms.
4. Product security shall be appropriately enabled by default by the manufacturer.
5. The product shall only support signed software updates.
6. The manufacturer shall act quickly to apply timely security updates.
7. The manufacturer shall implement a vulnerability reporting program, which will be addressed in a timely manner.
8. The manufacturer shall be transparent about the period of time that security updates will be provided.
TikTok, WeChat Bans Not Crucial to US Security

AFP: An all-in-one tool, WeChat provides messaging, financial transactions, group chats, and social media, all of which is stored on Chinese servers that a 2017 security law says must be accessible by Chinese intelligence. TikTok, a simple app for making and sharing short videos, meanwhile mines users' accounts and phones for lots of identifying information. "WeChat is bad," said Nicholas Weaver, a lecturer in computer security at the University of California in Berkeley. "It uses encrypted links to WeChat's servers in China... but the servers see all messages, so the Chinese government can see any message it wants," he said. However, Weaver said, there are few alternatives if you want to communicate widely with people in China, from inside or outside the country.

More of a concern are US companies in China who might be banned from the WeChat app, as it would effectively cut them out of huge amounts of online commerce in China.

Smart Lock Vulnerability

Bruce Schneier: Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary codes and 'Ekeys' to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too. UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they're doing.

Travelex Forced into Administration (the UK's equivalent of the US' Chapter 11) After Ransomware Attack

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. "The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business," admitted PwC in a notice announcing the news.

Have I Been Pwned to release code base to the open source community

Data breach and record exposure search engine "Have I Been Pwned" is going open source. Developed and maintained by security expert Troy Hunt, the search engine has become increasingly popular over time as the volume of reported data breaches ramped up, prompted by legislation and demands for transparency by companies suffering such a security incident. Members of the general public can submit their email addresses into the Have I Been Pwned search engine to find out if they have been "pwned," and if their emails have been linked to a data breach, each one and a summary of what happened is displayed -- as well as what information has been exposed. At the heart, one main operator isn't enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life's work. By going open source, Hunt says this will take the "nuts and bolts" of the service and "put them in the hands of people who can help sustain the service regardless of what happens to me." Have I Been Pwned was developed to improve the security landscape and give individuals impacted by a data breach the knowledge required to potentially improve their own security posture -- such as by changing passwords linked to compromised accounts and to hammer the lesson home that passwords should not be re-used across different services. With this in mind, going open source would also contribute to this concept by opening up code to other eyes -- increasing trust through transparency, and also potentially improving the platform's own security via the discovery of vulnerabilities. "All that backlog, all those bugs, all the great new ideas people have but I simply can't implement myself can, if the community is willing, finally be contributed back into the project," the security expert added.

WhatsApp Users To Get This Ground-Breaking New Upgrade: Just Perfect Timing

Zak Doffman: The biggest missing feature with WhatsApp is options for multiple device access. According to WABetaInfo a new release will make using WhatsApp seamless, from your phone(s) to your iPad to your desktop. And no more clunky front-end to the message store on your primary phone. This will work even if that main device is not switched on or online. "WhatsApp has also developed an iPad app, that will be released after the activation of the feature, so you will be able to use WhatsApp on your iPhone and your iPad at the same time." Why is this so difficult? It all comes down to end-to-end encryption. Clearly, introducing linked devices means that you need to ensure the end-to-end encryption security extends to multiple endpoints on each side of a conversation, whether person-to-person or within groups. That's challenging but achievable. The issue, though, is that to maintain a full user experience you need to sync the entire message history across each of those devices and keep them aligned. That's significantly harder. WhatsApp's closest rival—by feature if not install base—Signal, takes a similar approach to transferring an account from an old phone to a new one. But every one of its linked devices is a separate instance, with its message history limited to the time window during which it is linked. The reported WhatsApp approach is a significant step up from that. The other serious update coming from WhatsApp is to extend end-to-end encryption to cloud backups. Right now, when you back up chats to Google's or Apple's cloud, you only have the protection of their encryption over your backup—not WhatsApp's end-to-end protection. That means law enforcement or others can access your content with keys held by those platforms. The new update will fix this, extending the same protection from your devices to your backups.

Huawei Confirms 'Big Loss' For Smartphones After New Trump Strike

Zak Doffman: Back in May, the Trump administration tightened its blacklist restrictions on Huawei, denying the company access to the custom "Kirin" chips designed by its HiSilicon subsidiary, but fabricated by external suppliers. At the time, there were varying reports as to how well prepared Huawei was for the change, how many chips it had managed to stockpile, how long the company would have to shift from in-house designs to off-the-shelf alternatives, or find a design to fabrication process absent any American technology. The consensus seemed to be that the company might only have enough to see it through the next 12 months. Fast forward three months and that impact seems to have come much faster than anticipated. This has been making headlines through the weekend, after Huawei's fairly sovereign consumer boss, Richard Yu, admitted that the imminent Mate 40 flagship would likely be the last to carry a Kirin chip. In the second quarter, ending June 30, Huawei finally achieved its long-stated goal of overtaking Samsung to lead the world's smartphone makers. Leadership status, however, may be short lived. But the next three to six months will likely be the most telling yet as regards the impact they will have. Until now, Huawei has maintained its share of the smartphone market by replacing international sales softened by its loss of Google, with soaring growth in China. Meanwhile, Huawei's 5G business is also heavily impacted by reversals like the U.K.'s, which reversed its decision to allow Huawei into its new networks, claiming new security vulnerabilities might be introduced.

How the International Space Station Enables Cybersecurity

Sean Michael Kerner: "Now we know that our key infrastructure is at risk on the ground as it is in space, from both physical and cyber-threats," former NASA astronaut Pamela Melroy stated. Attacks against space-based infrastructure including satellites are not theoretical. Melroy noted that the simplest type of attack is a Denial of Service (DoS), which is essentially a signal jamming activity. She added that it already happens now, sometimes inadvertently, that a space-based signal is blocked. There is also a more limited risk that a data transmission could be intercepted and manipulated by an attacker. The entire network by which NASA controllers at Mission Control communicate with ISS is a private network, operated by NASA. Melroy emphasized that the control does not go over the open internet at any point. There is also a very rigorous verification system for any commands and data communications that are sent from the ground to ISS. Melroy noted that the primary idea behind the verification is not necessarily about malicious hacking, but rather about limiting the risk of a ground controller sending a bad command to space. "There's a very rigorous certification process required for controllers in the International Space Station Mission Control Center (MCC) to allow them to send commands to the space station," she explained. "In addition there are screening protocols both before a message ever leaves MCC going up to the ISS and once it's on board ISS, to check and make sure that the command will not inadvertently do some damage to the station." There is also a local area network on the station with support computers used for limited internet access including email and social media like Twitter. While the local ISS network has internet access, it is not directly connected to the public internet. Melroy explained that there is a proxy computer inside the firewall at the Johnson Space Center, in Houston, Texas, that is connected with ISS. As such, the space station support computers talk to the proxy computer, which then goes out onto the public internet. "The most serious problem I think we have in space is complacency. We are going to have to figure out how to insert cybersecurity and an awareness of that into the values and the culture of aerospace, all the way from the beginning in design and through to operations."