The niner noteworthy stories of 2017 (week 2)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

N.S.A. Gets More Latitude to Share Intercepted Communications


Okay, so the NSA will share more raw mass-surveillance data with other US agencies without first removing the information that is not relevant. Can we couple this to last year’s Rule 41 change giving the FBI unlimited hacking powers over computer systems abroad? It seems, though, that there is no limit to the surveillance powers, data collection and dragnet searching of that data the US authorities are willing to undertake.
Yes, I know 9/11 could have been prevented if the agencies had talked to each other. But would this raw data sharing have helped in the greater scheme of things? I have my reservations.
source: The New York Times (external link)

Attributing the DNC Hacks to Russia


This is an extremely well-written piece focussing on the issues the Obama administration faced over the DNC hack and the alleged election manipulation by the Russian government.
Indirectly, however, this is also the way fake news either works or doesn’t, specifically the part of the article dealing with whose claims of attribution you believe or not.
Let’s hope the upcoming elections in the Netherlands (March 15th), France (late April/early May) and Germany (September, I believe) won’t face similar issues. However, don’t count on it. And how about the Brexit referendum last year?
source: Schneier on Security (external link)

Microsoft sued by staff traumatized by child sex abuse vids stashed on OneDrive accounts


So, Microsoft needs to report anything “if they see it” to the relevant authorities. Isn’t “if they see something” the complete opposite of “actively looking for” such material?
And is this “screening” of data stored on Microsoft servers actually limited to just these cases, or are they looking for far more information with a far broader scope than this article points out?
In general you can ask the following questions:

  • Where does the responsibility of the government stop and can they rely on private companies to take over?
  • How far do we really want privately owned companies to do their own law enforcement research and decide possibly on people’s future?
  • What’s next, censorship of the Internet facilitated and decided by social media companies or are we already at that stage?

Sure, crimes need to be solved, but do we really trust commercial companies to be at the forefront of law enforcement in the digital age?
source: The Register (external link)

GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug


An interesting slip-up in the validation process, which is nicely described in the article, by the way. The validation process isn’t foolproof, though, and depends heavily on DNS (the domain name system) playing nice as well, although the attack surface this way is extremely small and requires other factors to succeed.
Revocation and re-issuing is indeed the only remedy possible.
source: The Register (external link)
And no, SSL certificates don’t protect your connection, contrary to what is stated in the article on the same topic by SC Magazine UK (external link).
The certificates are only there to help you trust that the server you are connecting to is actually the one it claims to be. Without a valid certificate the connection itself may be just as encrypted as with one, only without the assurance that the server is the correct one. Yes, a man-in-the-middle attack is possible with an incorrect or missing certificate, but the connection to the middleman will still be encrypted.

MongoDB Ransomware Compromises Double in a Day


Quick and dirty installation, no time or effort to upgrade and/or patch, no time to properly activate and set up security parameters, and leaving it open on the Internet because it could be handy: add it all up and the result is lost data, encrypted and held to ransom.
Unfortunately enough, all of this would have been preventable with the right security mindset and culture within the victim organisations. For once this isn’t a software bug or programming code lacking security features or mechanisms; this seems to be fully attributable to the IT staff maintaining these databases.
The question will be, though, which window closes first: the availability of open MongoDB instances, because all that were reachable have already been ransacked, or admins finally cleaning up their act.
source: Data Breach Today (external link)
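The two settings that made the open instances above such easy prey are whether mongod listens on every interface (net.bindIp) and whether access control is switched on (security.authorization). The following audit script is an added example written for this post, not code from the article or from the MongoDB project: it parses the two-level YAML subset that mongod.conf uses and flags both weaknesses, and the two sample configs it checks are constructed here to show the weak setting beside the hardened one. Treating a missing bindIp as “all interfaces” reflects the mongod default of the time (the default was changed to localhost only in 3.6, later in 2017).

```python
"""Audit a mongod.conf for the two settings behind the January 2017 ransom wave:
listening on all interfaces and running without access control.

parse_mongod_conf() is a hypothetical helper for the flat 'section:\\n  key: value'
YAML layout mongod.conf uses; it is not a general YAML parser.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed example: the kind of config that was ransacked in January 2017.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
# no security section at all: anyone who can reach the port is an admin
"""

# Constructed example: the same server, hardened.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1  # loopback only; reach it through a VPN or SSH tunnel
security:
  authorization: enabled # every client must authenticate before doing anything
"""


def parse_mongod_conf(text):
    """Return {section: {key: value}} for a two-level mongod.conf.

    Comments (#...) and blank lines are skipped; keys nested deeper than
    two levels are not supported by this deliberately small parser.
    """
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        if indent == 0:
            section = key
            config.setdefault(section, {})
        elif section is not None:
            config[section][key] = value
    return config


def audit(config):
    """Return (setting, problem) pairs for an insecure configuration.

    A missing net.bindIp is treated as the pre-3.6 behaviour of binding to
    all interfaces; a missing security.authorization means no access control.
    """
    findings = []
    bind_ip = config.get("net", {}).get("bindIp", "0.0.0.0")
    exposed = [a.strip() for a in bind_ip.split(",") if a.strip() not in LOOPBACK]
    if exposed:
        findings.append(("net.bindIp",
                         "listens on non-loopback address(es): " + ", ".join(exposed)))
    if config.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append(("security.authorization", "access control is not enabled"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(conf)) or "no findings")
```

Running the script prints the two findings for the weak config and “no findings” for the hardened one. A database that must be reachable from other hosts should bind to the private interface only, keep authorization enabled and be fenced off by a host or network firewall; exposing the port to the Internet is never the fix for a connectivity problem.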

£150,000 fine for insurance company that failed to keep customers’ information safe


Dear British friends, it seems that your personal information is worth the total sum of 2 pounds sterling and 50 pence per record, to be precise. That is not counting the additional value of credit card data, present in 20,000 out of the nearly 60,000 records lost.
If that is taken into account, let’s say the 20,000 records with credit card data are worth 3 pounds sterling per record; the other 40,000 records then drop to a measly 2 pounds sterling and 25 pence per record. Okay, it’s still more than the price for which you can obtain records in bulk from either of the Yahoo breaches, but still.
For the company in question it is to be hoped that the reputational damage in the long run far exceeds the fine by the ICO, or they will have come off quite cheap and may, over the long run, even have made money from not doing enough to secure your personal information.
source: ICO (external link)

On-body transmission and its biometric implications


Ultimately, everything that is wireless is detectable and can be sniffed from a long distance. How far obviously depends on the frequencies used, the type of antenna and, depending on the frequency, atmospheric or ionospheric conditions.
When you combine 2 factors (out of something you have, something you know and something you are), it can be argued that you actually lose one factor in the process. E.g. a certificate stored on a device that requires no passcode to use it is effectively only a single factor. If the certificate were protected by a passcode, it would become a 2-factor setup, but only if the certificate either can’t be removed from the device it is installed on or is linked to the specific hardware in such a way that removing it makes the information unusable.
source: The Stack (external link)

Oh ALIS, don’t keep us waiting: F-35 jet’s software ‘delayed’


Software delays and bugs, no real news you may think. Equipment connections that are plug-and-pray rather than plug-and-play, something we have all commonly accepted over the last decades in everyday computer usage, right?
Well, if it is the main weapon of choice for your air defence, the story becomes somewhat different. Lowering network security because something doesn’t work is also commonplace in office environments, but probably not something you want to do on a military airbase.
And sending all the data from a plane’s computers to the American manufacturer, with their promise not to look at the pilots’ names, seems like the ultimate spy gadget. Just sell the planes to the right regime and you’re done.
Oh yes, and let’s not forget the F-35 bug where pilots actually had to reboot some on-board computer systems while, I know it sounds idiotic, in flight.
The article’s final note, that more security testing needs to be done, I leave for you, the reader, to decide what it may mean.
source: The Register (external link)

Airplane boarding display leaks passenger data


This is yet another way, patched since notification, in which booking systems and check-in systems are hopelessly insecure. I already wrote about this topic two weeks ago: simply basing your entire authentication scheme on a person’s last name and booking code may have been semi-secure a couple of decades ago, but in this day and age it is far from adequate.
Couple this with the apparent lack of additional measures taken by airlines (I have no doubt in my mind that this incident is something unique in the aviation industry) and you will probably get the overall picture.
source: SC Magazine (external link)