The niner noteworthy stories of 2016 (week 32)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Delta cancels hundreds more flights, expects normal operations soon

A lot of news media reported this as the cause: outdated legacy computer equipment. Even this article by Reuters points to this as well. Although this may have been a factor in the entire meltdown of Delta’s central computer facility, the small fire reported by other articles had a larger effect. It isn’t known exactly where it burned or what equipment may have been affected.
This article points to Delta management saying that equipment didn’t switch over to a backup source. Whilst this can happen in any scenario, even the well-tested ones, the fact that it took them a lot of time to recover does tell its own story. Effectively their business continuity management is not up to scratch.
Whether this is becoming symptomatic for the aviation industry, after Southwest’s technical troubles about three weeks ago and the computer-system issue at Polish airline LOT last year, remains to be seen.
source: Reuters (external link)

London’s ‘automatic’ Tube trains suffered 750 computer failures last year

Rise of the Machines? Perhaps if they’re not very good ones

Not enough testing being done? Ultimately, as we move towards driverless cars as well as Tube trains, has the question of who’s to blame if it does go horribly wrong even been answered? The fact that there were 750 meltdowns of computer equipment is not that shocking, though the fact that in a couple of cases the fault could not be found, as the equipment seemed to work as expected, is worrying. Does this mean the automated Tube lines are unsafe? As of yet probably not, although faults that can’t be reproduced or properly diagnosed afterwards will require further scrutiny of the on-board systems for sure.
source: The Register (external link)


This by itself isn’t that much news; the scope of it is enormous though. Why is this not new? Replay attacks on this type of wireless key have been done before, but mostly for ones that used the same code over and over again. These researchers not only found that carmakers replaced those with ones that are easily crackable if you know enough of the rolling code sequence, they also reverse engineered internal components to see that per make and model similar shared keys are possibly used as well.
Another interesting bit in this article is the fact that NXP, whilst telling their clients to upgrade because the old product is inherently insecure, seems to still be selling them that older product upon request. Which, from a business point of view, I can understand. But is it really ethical to sell products you know are insecure these days?
source: Wired (external link)

Data Breach At Oracle’s MICROS Point-of-Sale Division

Apparently some “legacy” systems were still present. Okay, could happen. Next to it Oracle says the credit card data is encrypted in transit and at rest, fair enough, but at some point the system needs to use that data in usable form to complete a transaction, I suppose?
For a company which has had some trouble with a certain blog post on their website relating to the security of Oracle products, which was quickly removed btw, is this symptomatic for its security posture or just a slip-up of one of its employees who got infected with malware?
source: Krebs on Security (external link)

Microsoft won’t fix Windows flaw that lets hackers steal your username and password

Okay, so don’t use the Internet Explorer or Edge browsers or Outlook and don’t log in to a Microsoft account, as mitigation advice from the security researchers. Specifically for their browsers, it’s advice I have seen too many times over the last few years. Microsoft on the other hand will probably say that you need to set a strong password, don’t click on links you don’t trust etc. Which, if all of us did so, would make the internet a far safer place for sure. Unfortunately, time and time again stories surface of users clicking on links, opening attachments they should never have opened or otherwise being tricked into doing something which they should never have done for their own security and privacy. If this flaw is indeed nearly 20 years old, why does it still exist anyway, and why should a browser actually want to connect to a remote file share?
source: ZDNet (external link)


With this information it isn’t hard to see why there was a problem with Google account rights on its rival smartphone platform from Apple. That incident aside, having somebody leading this company who is known as a privacy violator from his previous role leading the Google Street View project, and who either himself or through his employer systematically lied about that, is troubling to say the least.
Yes, it’s a free game, except for something called Poké Balls which you can buy, but you are most likely paying for this game with your privacy, including your location data and whereabouts patterns, gaming habits, as well as possibly all camera footage being shot during gameplay. Okay, that last bit you can circumvent, on iOS at least, by disallowing the app access to the camera. Sources tell me it makes the game easier to play too. So, you cheat on your fellow players, safeguard your privacy and have a longer battery life as well; want more reasons to deny this app access to your camera?
All cheats aside, the popularity of this app makes this a potential goldmine for people who are known not to take privacy that seriously, and that’s putting it mildly.
source: The Intercept (external link)
Want to find out what the app stores about you on both iOS and Android? Read this excellent post on the SANS Digital Forensics and Incident Response Blog (external link).

Why Tor and privacy may no longer be synonymous

Interesting article with potential for misuse not only by cyber criminals but by law enforcement and intelligence agencies alike. A similar warning, that unencrypted traffic can be viewed by Tor exit nodes, holds true for all those privacy-enhancing VPN services that sprang up over the last few years. In both cases there is no end-to-end encryption present.
source: TechRepublic (external link)

Is Apple’s Cloud Key Vault a crypto backdoor?

The short answer is no. Effectively what Apple has done here is lock even themselves out of their own hardware security modules by programming them and then destroying the signing keys required for any reprogramming. Yes, there are some small potential workarounds for this, but those would require advance planning and deception baked into this Apple-internal process by design. From what I have seen of Apple’s security and privacy posture, this is highly unlikely.
So don’t let the title fool you and read the article for more details.
Btw, if you don’t want your passwords and secret keys stored by Apple but do want to use their iCloud keychain functionality, just don’t set the requested 6-digit passcode. This way your information is synced between all devices on which the keychain is active but only stored on those devices and not on Apple’s servers as backup.
source: (external link)

The privacy issue at the Olympics no one is talking about

“Everything captured is already in the public domain”, so let’s fly one of these systems over the garden of the person who said this and see whether this still holds true. The most troubling part of this article, however, is the lack of an adequate data protection law in Brazil that could potentially limit the use of these kinds of systems or at the least govern their usage. More often than not, even if privacy laws do exist, technology will far outpace their protective powers.
That these systems won’t help against petty crime is pointed out by this BBC (external link) article, as well as the fact that a bus full of journalists was shot at last week.
source: The Daily Dot (external link)