Security News Bites for the Week Ending March 1, 2019
We Don’t Need Back Doors in Crypto – We Have Enough Bugs Already!
Researchers have found three new bugs in the protocol design (as opposed to the implementation) of both 4G and 5G cellular networks. Attacks that exploit these design flaws can be carried out by any person with a little knowledge of cellular paging protocols.
The hardware to carry out the attack can be purchased for less than $200 and all four major carriers are vulnerable since these are protocol design problems and not implementation bugs.
The good news is that since these are protocol design flaws, the networks of all of our adversaries (and our friends) are also vulnerable, which probably makes the spy-guys happy too.
There is no fix approved or planned for the security holes. Source: Techcrunch.
Google Slipped a Microphone into your Nest Security System – Forgot to Tell Buyers.
When Google announced that the Nest security system would now support “Hey Google” with no hardware upgrade, a few geniuses figured out that there must have always been a microphone in the Nest that Google just accidentally forgot to tell people about.
Google is trying to spin down the tornado, saying that yes, they just forgot to tell people that there is a microphone in there, but not to worry because it isn’t enabled by default. They put it in there to detect breaking glass and to support other features, they say.
Alarm systems often have microphones, usually to detect glass breaking, but the control panel, where Google put it, might not be close enough to all of the windows in the house to detect that. Some alarms support two way voice communications to the alarm monitoring center, but if a system has that, it is not a secret, but rather a feature, loudly announced. More likely, Google kept it a secret so that competitors wouldn’t figure out their future plans. Source: The Intercept.
Hacking Tools Going Mainstream
Cellebrite, the Israeli company that makes tools for law enforcement (and, I think, for anyone else whose check clears) to hack iPhones and Android phones, has grown a conscience.
Used Cellebrite devices are showing up on eBay for as little as $100 – and, of course, with the ex-owner’s data still intact.
Cellebrite is “warning” their customers not to do that but rather to return their devices to them for destruction. If you think they are really concerned about your security, then that makes sense. On the other hand, if you believe that they would rather sell you a new one for $6,000 than have you buy it on eBay for $100 …..
In any case, they are available and many of them still have the captured data on them. Source: Forbes.
TSA’s Pipeline Security Team Has Five People
2.7 million miles of pipeline and five employees.
Roughly half a million miles of pipe per person.
And none of them have cyber expertise.
Since 2010 the number of people assigned to pipeline security has ranged from a low of 1 to a high of 14. Not very comforting.
And they don’t plan to add any cyber expertise anytime soon; instead, they are relying on begging other parts of Homeland Security for help.
Given that TSA hasn’t figured this out in almost 19 years, some folks in Congress want to move the responsibility elsewhere.
In the meantime, let’s hope that the terrorists do not understand how bad things are. Source: FCW.