Internet of Things That Travel 85 Miles Per Hour
Surveyed, by the Economist: the state of “the scary world of the computerized car”, with an emphasis on the parlous state and “distressingly easy” hackability of modern, increasingly networked vehicles. They cite the best research in the field, including a whitepaper from security researcher IOActive Labs, which shows just how many attack surfaces are available for exploitation. Conspiracy theorists will have plenty of fodder here: the single-car accident that killed journalist Michael Hastings in 2013 was widely viewed as deeply suspicious by the tinfoil-headgear set. This was reinforced by the real-time hacking demo DARPA performed on a vehicle for CBS’ 60 Minutes last February, showing just how straightforward taking control of everything on a modern vehicle (up to and including the brakes and throttle) could be.
Recommendation for SSLv3: Stake Through Heart, Bury Under Crossroads
Issued (PDF) by the Internet Engineering Task Force: a Request For Comments that finally and utterly deprecates the SSL 3.0 protocol, on account of the multiple vulnerabilities that SSLv3 (and, to a lesser degree, its close relative TLS 1.0) presents. The IETF’s call only codifies what all major browser and server software vendors have already done (some later than others, of course) and reflects the withdrawal of SSLv3/TLS 1.0 support by major players including PayPal and (by June 30, 2016) the PCI Council. The practical check is simple: if a server still completes an SSLv3 handshake, it is out of step with the RFC, the browsers and the PCI deadline, and the fix is to disable SSLv3 (and early TLS) in the server configuration rather than waiting for clients to stop asking.
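Modern TLS libraries will usually refuse to speak SSLv3 at all, so verifying that a server has really retired it means sending the handshake by hand. The following is an added example (not from the RFC, from SSL.com, or from any vendor) that builds a raw SSLv3 ClientHello, sends it, and classifies the server’s first record as a ServerHello (SSLv3 still accepted), an alert (rejected), or nothing useful (many hardened servers just drop the connection). The cipher-suite list, the sample target name and the alert names are assumptions chosen for illustration; the record layout follows the SSL 3.0 / TLS 1.0 wire format.

```python
import os
import socket
import struct

SSL3 = (3, 0)    # SSLv3 protocol version bytes
TLS10 = (3, 1)   # TLS 1.0, the "early TLS" the PCI Council also retires

# Assumed cipher suites: a handful an SSLv3-era server would typically accept
# (RSA with 3DES, AES-128, RC4-SHA, RC4-MD5).
DEFAULT_SUITES = [0x000A, 0x002F, 0x0005, 0x0004]

# Alert descriptions a server commonly sends when it refuses the version.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(version=SSL3, suites=DEFAULT_SUITES, client_random=None):
    """Return one handshake record carrying a ClientHello for the given version."""
    major, minor = version
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        bytes([major, minor])
        + client_random
        + b"\x00"                                          # session ID length: 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                      # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version, 16-bit length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back.

    Returns ("accepted", (major, minor)) for a ServerHello, ("rejected", alert_name)
    for an alert, and ("unknown", None) when the server closed the connection or sent
    something this probe does not parse.
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15 and len(payload) >= 2:                         # alert
        desc = payload[1]
        return ("rejected", ALERT_NAMES.get(desc, "alert_%d" % desc))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        return ("accepted", (payload[4], payload[5]))
    return ("unknown", None)


def probe(host, port=443, version=SSL3, timeout=5.0):
    """Open a TCP connection, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target
    for name, ver in (("SSLv3", SSL3), ("TLS 1.0", TLS10)):
        print(name, probe(target, version=ver))
```

An "accepted" result for SSLv3 means the server still negotiates the deprecated protocol regardless of what its administrators believe the configuration says; "unknown" after a silent close is the behaviour of a server that drops old ClientHellos outright, which is fine, but worth confirming with a TLS 1.2 probe so that a dead host is not mistaken for a hardened one.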
Not Normally What We Assign to That Particular Acronym
Built, by Israeli researchers: the Portable Instrument for Trace Acquisition, or PITA. Assembled from off-the-shelf parts, PITA is an unassuming little device (small enough to insert into the eponymous flatbread) that, in the tradition of Van Eck phreaking, steals data by reading the radio signals a target computer leaks while it works. Although tested against keys used by the OpenPGP implementation GnuPG in this instance, the same techniques could theoretically be used to lift other cryptographic keys, including the ones used in Bitcoin wallets. As the researchers (from Tel Aviv University and Israel’s Technion research institute) explain in their research paper (PDF), PITA is very much a proof of concept (with a range of less than two feet) but may be upgradable to pull secret data from much further away.
‘Security’ – I Do Not Think It Means What You Think It Means, Cisco
Issued, by megavendor Cisco: an advisory of a very serious security issue in a vast but unknown number of their appliances. Implicated are all Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances. The problems here: inclusion of a default SSH key in firmware (the same key on every unit, which is what makes a “default” key so dangerous) that gives an intruder complete root control of targeted devices, and a privilege escalation vulnerability which can give admin access to remote attackers. As noted by Tod Beardsley from security firm Rapid7, with access to one of the affected devices (usually via a LAN) all that’s required is to “extract the key, and then go to town”.
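The defining symptom of a key baked into firmware is that one fingerprint turns up on many hosts. Here is an added example (not Cisco’s or Rapid7’s code) that groups hosts by SSH key fingerprint, shown over ssh-keyscan style output so it runs offline; the same grouping works on fingerprints harvested from the appliances’ authorized_keys files, which is where the root-granting key in this advisory lives. The host names and key blobs are constructed for illustration, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed ssh-keyscan style output ("host keytype base64-blob") for illustration.
# The blobs are made-up byte strings, not real SSH keys; genuine ssh-keyscan output
# carries real public keys in the same column and parses identically.
SAMPLE_KEYSCAN = """
# appliance-1.example.net:22 SSH-2.0-OpenSSH_5.3
appliance-1.example.net ssh-rsa {a}
# appliance-2.example.net:22 SSH-2.0-OpenSSH_5.3
appliance-2.example.net ssh-rsa {a}
# appliance-3.example.net:22 SSH-2.0-OpenSSH_5.3
appliance-3.example.net ssh-rsa {b}
bastion.example.net ssh-ed25519 {c}
""".format(
    a=base64.b64encode(b"constructed-key-shared-by-two-hosts").decode(),
    b=base64.b64encode(b"constructed-key-unique-to-appliance-3").decode(),
    c=base64.b64encode(b"constructed-key-unique-to-bastion").decode(),
)


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256 over the raw key, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, keytype, fingerprint) for each key line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        yield host, keytype, fingerprint(blob)


def find_shared_keys(text):
    """Return {fingerprint: sorted hosts} for every key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(text):
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```

Run it over `ssh-keyscan -t rsa,ed25519 <hosts>` output from your own estate: any fingerprint attached to more than one device is either a deliberate clone or a vendor default, and either way it means compromise of one box is compromise of all of them. Replacing the key on each device is the only remedy; blocking the SSH port merely hides the problem from the scanner.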
In the grand, long-lost American tradition of taking long summer vacations, SSL.com’s Security Roundup is taking the next month off – but rest assured that we’ll be back in four weeks with more!
As always, we appreciate your reading these words, and please let us know your take on these issues. Remember – a safer internet is a better internet.