Security News Bites for the Week Ending April 12, 2019
A New Reason to Not Use Huawei 5G Telecom Equipment
The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.
Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000. And they don’t seem to be getting any better. Source: BBC.
Researchers Figure Out How to Attack WPA3
Standards for WiFi protocols are designed in secret by members of the WiFi Alliance. Those members are sworn to secrecy regarding the protocols. The first version had no security, the next version had crappy security, and the current version was hacked pretty quickly.
These protocols are never subjected to outside independent security tests. Anyone who wants to hack it has to do so treating it as a black box. And some researchers have done so.
Now WPA3, which is not widely deployed yet, has been compromised by researchers. One of the attacks is a downgrade attack; the other attacks are side-channel attacks. They also figured out how to create a denial-of-service attack, even though the new protocol is supposed to have protections against that.
Conveniently, the researchers have placed tools on GitHub to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable. Hackers would use the tools to launch attacks.
The WiFi Alliance is working with vendors to try to patch the holes. The good news is that since there are almost no WPA3 devices in use, catching the bugs early means that most devices will be patched. After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them. Source: The Hacker News.
Amazon Employs Thousands to Listen to Your Alexa Requests
For those people who don’t want to use an Amazon Echo for fear that someone is listening in: apparently, they are right.
Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them. Probably not in real time, but rather, after the fact.
The staff, both full-time and contractors, work in offices as far-flung as Boston and India. They are required to sign an NDA saying they won’t discuss the program, and they review as many as 1,000 clips in a 9-hour shift. Doesn’t that sound like fun? Source: Bloomberg.
Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016
Even though President Trump says that the election hackers might be some 400-pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.
While the report does not provide a lot of technical details, it does expand on how much we know about the Russians’ efforts to compromise the election, and it will likely fuel more conversations in Congress. Source: Ars Technica.
Researchers Reveal New Spyware Framework – Taj Mahal
The Russian anti-virus vendor Kaspersky, who President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.
The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others. Some of the tricks have never been seen before, like intercepting documents in a print queue. The tool, according to Kaspersky, has been around for FIVE YEARS.
While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one-time attack. Source: Wired.