
    Remotely Controlling Touchscreens

    news.movim.eu / Schneier · 2 days ago - 21:03

This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens.

From a news article:

It’s important to note that the attack has a few key limitations. Firstly, the hackers need to know the target’s phone passcode, or launch the attack while the phone is unlocked. Secondly, the victim needs to put the phone face down, otherwise the battery and motherboard will block the electromagnetic signal. Thirdly, the antenna array has to be no more than four centimeters (around 1.5 inches) away. For all these reasons the researchers themselves admit that the “invisible finger” technique is a proof of concept that at this point is far from being a threat outside of a university lab.


    How big is the risk that someone will hack an EV charging network?

    news.movim.eu / ArsTechnica · Tuesday, 26 July - 17:49 · 1 minute

There are many good reasons why an EV charger should be networked, but it does come with vulnerabilities. (credit: Aurich Lawson | Getty Images)

The Infrastructure Investment and Jobs Act , as passed by Congress last November, authorizes $7.5 billion to help meet US President Joe Biden's goal of installing 500,000 stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.

For the past several years, hackers have been busy aiming their attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) have suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.

Hackers perpetually seek out ways to use any and all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions—physical destruction; electronic jamming; creating a "Denial of Service"—are concerns about weak control systems. From his perch at PlugInAmerica.org, Ron Freund worries that the existing supervisory control and data acquisition hardware is primitive.


    Securing Open-Source Software

    news.movim.eu / Schneier · Tuesday, 26 July - 13:07 · 1 minute

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.

This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”

Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.


    Apple’s Lockdown Mode

    news.movim.eu / Schneier · Tuesday, 26 July - 12:57 · 1 minute

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

At launch, Lockdown Mode includes the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

News article.

    The secret US mission to bolster Ukraine’s cyber defences ahead of Russia’s invasion

    news.movim.eu / ArsTechnica · Wednesday, 9 March - 14:33

Flag of Ukraine on a computer, binary code falling from the top and fading away. (credit: gwengoat | Getty Images)

Months before the Russian invasion, a team of Americans fanned out across Ukraine looking for a very specific kind of threat.

Some were soldiers, with the US Army’s Cyber Command. Others were civilian contractors and some employees of American companies that help defend critical infrastructure from the kind of cyber attacks that Russian agencies had inflicted upon Ukraine for years.

The US had been helping Ukraine bolster its cyber defenses for years, ever since an infamous 2015 attack on its power grid left part of Kyiv without electricity for hours.


    A New Cybersecurity “Social Contract”

    news.movim.eu / Schneier · Tuesday, 22 February - 15:28 · 1 minute

The US National Cyber Director Chris Inglis wrote an essay outlining a new social contract for the cyber age:

The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each. Such a shift is momentous but not without precedent. From the Pure Food and Drug Act of 1906 to the Clean Air Act of 1963 and the public-private revolution in airline safety in the 1990s, the United States has made important adjustments following profound changes in the economy and technology.

A similarly innovative shift in the cyber-realm will likely require an intense process of development and iteration. Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense. Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Finally, both the public and private sectors must commit to moving toward true collaboration — contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.

The devil is in the details, of course, but he’s 100% right when he writes that the market cannot solve this: that the incentives are all wrong. While he never actually uses the word “regulation,” the future he postulates won’t be possible without it. Regulation is how society aligns market incentives with its own values. He also leaves out the NSA — whose effectiveness rests on all of these global insecurities — and the FBI, whose incessant push for encryption backdoors goes against his vision of increased cybersecurity. I’m not sure how he’s going to get them on board. Or the surveillance capitalists, for that matter. A lot of what he wants will require reining in that particular business model.

Good essay — worth reading in full.


    US gov’t will slap contractors with civil lawsuits for hiding breaches

    news.movim.eu / ArsTechnica · Thursday, 7 October, 2021 - 12:46 · 1 minute

(credit: Stephen Melkisethian)

In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyberattack or data breach. The newly introduced "Civil Cyber-Fraud Initiative" will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DoJ calls "cybersecurity fraud." Usually, the False Claims Act is used by the government to tackle civil lawsuits over false claims made in relation to federal funds and property connected with government programs.

Cyber contractors chose silence “for too long”

"For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” states Deputy Attorney General Lisa O. Monaco, who is pioneering the initiative. "Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust."

The introduction of the Civil Cyber-Fraud Initiative is the "direct result" of the department's ongoing thorough review of the cybersecurity landscape ordered by the deputy attorney general in May. The goal behind these review activities is to develop actionable recommendations that enhance and expand the DoJ's efforts for combating cyber threats.


    New Yubico security keys let you use fingerprints instead of passwords

    news.movim.eu / ArsTechnica · Tuesday, 5 October, 2021 - 14:55

Security experts have long abhorred passwords. They’re hackable, forgettable, and, sometimes, guessable (looking at you, password1). As companies like Microsoft and Google move to embrace passwordless logins, Yubico thinks it has the key to keeping things simple. The YubiKey Bio Series announced today is the company’s first hardware security key to offer fingerprint logins.

Yubico’s Bio Series introduces biometric authentication to the hardware security key maker’s lineup. The new keys support the latest FIDO2/WebAuthn and U2F open authentication standards, to which Yubico contributes.

Fit for either your USB-C (left) or USB-A (right) port. (credit: Yubico)

The keys target desktop PCs, which are typically stationary, making it easy to leave the key in a USB Type-A or USB-C port, depending on the model you pick. Each key has a built-in fingerprint reader, so you can log in with the tap of a finger instead of having to remember your password. The key could also serve as a form of two-factor authentication.
