The niner noteworthy stories of 2016 (week 31)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Airport lounges will let anyone in, provided you can fake a QR code

With the ever-growing perceived threat of terrorism and other security threats to aviation, the sector apparently needs to come to terms with the fact that its access controls, even for something as benign as an airport lounge, don't meet any level of adequacy if it is this easy to enter a lounge with a fake access identifier. Although this is not a great risk in itself, the question that arises is: if I can enter a lounge like this, could I also pass through the initial boarding-pass scans at the entrance to the secure area of the airport?
If airports want to mitigate this risk, coupling this kind of security check with airline databases and passenger lists is almost, if not completely, mandatory. Doing so, however, brings its own set of risks in the field of information security and, above all, privacy, given the data we share with airlines to book our tickets. So whilst it may mitigate one physical security risk, others pop up in its place which require careful scrutiny.
source: Boing Boing (external link)

This tiny $6 gadget lets you break into hotel rooms

One method is partial brute-forcing, against which a system could be protected by disallowing more than a certain number of cards being tried within a short amount of time (who actually tries their door card 48 times per minute in a hotel?). The other method uses knowledge obtained by reading out the card's data and making educated guesses about other valid combinations.
The problem for hotel chains is that these cards often get lost, misplaced, damaged or otherwise become unusable. More secure cards are certainly available, but they would drive up the costs of door entry systems in hotels as well.
Whilst pretty interesting, this will come down to a risk management decision on guest security versus costs and ease of use of the system. I remember a French hotel back in 2003 where we stayed for two nights and for every night you had to obtain a new multi-digit PIN code to be able to enter your room. Not very convenient obviously, but more secure than swipe cards and maybe even cost effective as well, depending on the maintenance required on the keypads.
source: ZDNet (external link)
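The rate-limiting idea above (no legitimate guest presents dozens of different cards at one door within a minute) translates directly into detection logic on the lock system's access log. The following is an added example, not code from the article or from any lock vendor; the log format, the door and card identifiers, the timestamps and the threshold of five distinct cards per minute are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical format, not from the article).
# Door 412 sees seven different cards in twelve seconds; door 305 sees one
# guest's card presented a few times, which is normal fumbling at a door.
SAMPLE_LOG = """\
2016-08-01T22:10:01 door=412 card=A1F3 result=denied
2016-08-01T22:10:03 door=412 card=A1F4 result=denied
2016-08-01T22:10:04 door=305 card=77C2 result=denied
2016-08-01T22:10:05 door=412 card=A1F5 result=denied
2016-08-01T22:10:06 door=305 card=77C2 result=granted
2016-08-01T22:10:07 door=412 card=A1F6 result=denied
2016-08-01T22:10:09 door=412 card=A1F7 result=denied
2016-08-01T22:10:11 door=412 card=A1F8 result=denied
2016-08-01T22:10:13 door=412 card=A1F9 result=granted
2016-08-01T22:45:00 door=305 card=77C2 result=granted
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "door": rec["door"],
        "card": rec["card"],
        "result": rec["result"],
    }


def detect_card_bruteforce(lines, window=timedelta(seconds=60), max_distinct_cards=5):
    """Flag doors at which more than `max_distinct_cards` different card ids were
    presented inside a sliding `window`.

    Returns a list of (door, window_start, window_end, distinct_card_count), one
    alert per door. Counting distinct cards rather than raw reads keeps a guest
    who swipes the same card repeatedly from triggering the alert.
    """
    recent = defaultdict(deque)  # door -> deque of (timestamp, card) inside the window
    alerted = set()
    alerts = []
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        q = recent[rec["door"]]
        q.append((rec["ts"], rec["card"]))
        # Drop reads that have fallen out of the window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {card for _, card in q}
        if len(distinct) > max_distinct_cards and rec["door"] not in alerted:
            alerts.append((rec["door"], q[0][0], rec["ts"], len(distinct)))
            alerted.add(rec["door"])
    return alerts


if __name__ == "__main__":
    for door, start, end, count in detect_card_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"door {door}: {count} distinct cards between {start.time()} and {end.time()}")
```

The same sliding-window counter can drive a mitigation on the reader itself: once the threshold is crossed, the lock refuses further reads at that door for a cooling-off period and the front desk is notified, which is the protection the paragraph above suggests.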

How to withdraw up to $50,000 in cash from an ATM by using data stolen from EMV cards

This just goes to show that 100% secure systems simply don't exist. It is an interesting concept, but the window of opportunity, just about one minute, is pretty short and requires planning. With a lot of ATMs, at least in my country, having cameras trained on them as well, this would potentially not be very lucrative.
source: Security Affairs (external link)

This is what Apple should tell you when you lose your iPhone

A good lesson in what could go horribly wrong if your device is lost or stolen. Interesting to see that somebody made a real effort to get the phone uncoupled from the associated Apple ID, although if the person holding it didn't have the passcode it may not have worked. Probably the best thing to do is to wipe the phone remotely as well, and having regular backups certainly needs to be part of that plan. Even better, keep those backups on your own mobile or desktop computer instead of in your iCloud account, because if you are unfortunate enough not to catch the attempt, as this lucky guy did, you will lose access to your iCloud account and a lot of sensitive data with it.
source: Hacker Noon (external link)

Hackers break into Telegram, revealing 15 million users’ phone numbers

Telegram, unless you activate the secret chat mode, does not use end-to-end encryption but only encrypts data in transit to and from its servers. Text messages are stored in cleartext on their systems, as are the contact lists you share to see who else has signed up for the service; see this Telegram FAQ.
This is different from solutions like iMessage from Apple, Signal from Open Whisper Systems, or the Threema app, all of which have their own drawbacks and ways of being compromised. Relevant to this attack, the Threema app doesn't even work on multiple devices for the same registered ID, and you don't have to share a phone number or e-mail address if you don't want to. This probably makes it a bit less user-friendly than the others on the list, but that is a choice you as a user need to make for yourself.
source: Reuters (external link)

UK patients should have greater data slurp opt-out powers – report

Explicit ‘don’t take my info’ box needed for uses beyond direct care

Another question I would be interested to see answered is why sharing health data beyond what direct care requires needs to be opt-out rather than opt-in. A related question would focus on how anonymous that data, if shared, actually is. At least in the UK there is the start of an open debate around this topic. In the Netherlands, sharing health data within the healthcare sector itself was blocked by parliament but, as so often happens, was still implemented by a commercial entity anyway.
With a lot of healthcare data leaking out all the time, as I have written about in several previous editions of this weekly post, the problem of confidentiality of such data is much broader in scope than this specific issue surrounding the UK's National Health Service (NHS), although it is exemplary of the issues we face around the globe.
Health records are treated as special data under European privacy law and should be treated as such by any company wanting to use them, regardless of the purpose and the form in which the data is obtained. Anonymising such data is very important but may prove extremely difficult, if not impossible, to do.
source: The Register (external link)

The Fight Over Consumer Encryption Is Moving Into a Strange New Phase

So if, in all their mighty knowledge of information security and privacy, the US lawmakers decide that the tech industry and privacy groups can't successfully make the case that compromising encryption harms security and privacy, they will continue with their plans to mandate backdoors in such systems? Interesting to say the least, and not very comforting either.
source: National Journal Group (external link)

Security of seismic sensor grid probed

Essentially, as with so many Internet of Things and industrial systems, this again comes down to the fact that these systems were never designed to be connected directly to the internet in the first place. With IoT devices this is not entirely true, and it is rather the manufacturers lacking the willingness to adequately secure their products; with industrial systems, unfortunately, it is mostly the case.
Although the potential for misuse of these sensors with malicious intent is indeed low, it may point to a far deeper problem of industrial systems and sensors being interconnected and not adequately protected.
source: BBC Technology (external link)

BBC detector vans are back to spy on your home Wi-Fi – if you can believe it

Auntie ‘sniffs packets’ for licence-fee dodging

This sounds all too familiar, like Monty Python's "Eric" sketch, where a cat detector van from the Ministry of Housinge could pinpoint a purr at 800 yards. Unless these are the loony detector vans referred to in the same sketch.
If the BBC really wants to make sure you pay for your on-demand streaming, just put it behind a paywall to which you can obtain free access if you can reliably demonstrate that you have paid your annual viewing tax.
source: The Register (external link)