Bluetooth? I’ll Keep My 3.5mm Headphone Jack, Thanks

This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.

Address book syncing between a car and phone, keystrokes from a keyboard: it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.


“Why Schools?” – That’s The Wrong Question

Why aren’t schools doing anything to prepare? (And they’re not.) That would be a better question. Why School Systems? The Rise of Ransomware in Public Schools.

And if you ask the wrong question, any answer that you get won’t result in any useful insights.

Due to their wealth of data and limited budget for cybersecurity staff and training, schools have drawn the eye of hackers. Experts recommend backing up data and investing in cybersecurity training and preparedness.

My personal recommendation is that schools cut back on that “wealth of data” until such time as they have a wealth of “cybersecurity training and preparedness” in place, and deployed to protect it. And even then, they should ask if they really need to have that information online, because while ransomware has been in the news, there have been instances where all the data needed to steal identities was taken out of school systems. That’s a lifetime of having to worry about identity theft for people who are not old enough to drink. (Thanks Public Schools Idiots Everywhere who think you know how much you need to spend on security.) All because some administrator somewhere, with next to no knowledge of the risks, decided that he couldn’t be bothered to look up a kid’s address the 2 times during the year when he needed that information. And how often do school administrators need SSNs? Really? They couldn’t get by 99.999% of the time with an in-house student ID number?

But back to the schools.

“The principal reason is that it’s a relatively easy target to aim for,” he said, explaining that school systems typically suffer from a fairly limited IT staff, older equipment and less-than-optimal cybersecurity expertise.

Then repeat after me. If that statement (limited expertise, limited staff, etc.) applies to your organization, then purge every last bit of data that is not needed, and some that is needed. And it isn’t needed just because you’ve “always collected it.” Schools do NOT need SSNs. Not online they don’t. They don’t need every piece of information for stealing identities in a place where it can be stolen by the lowest-knowledge hacker on the planet. How big is your school? You can’t file a couple thousand pages of info? (Like home address, and SSN for the one time in 4 years when you MIGHT need it?) Stop pretending that having “everything at your fingertips” is a requirement. It isn’t.

Another instance where people asked the wrong question. What diet leads so many people in this area to live past 100? (Hint: It isn’t diet.)

Why Does Everything Have to be WiFi Enabled?

In this case Canon cameras. Even DSLR cameras are vulnerable to ransomware.

More to the point, why aren’t WiFi enabled interfaces secure?

The hackers (white hat) showed that if a camera had WiFi turned on, and that camera was in range of their WiFi access point, they could encrypt the photos on the camera’s memory card.

Canon issued an advisory telling folks to avoid unsecured WiFi, turn off network functions and install a new security patch.

The issue affects most of Canon’s camera lineup, from the EOS 70D to the mirrorless EOS R. It might not be limited to Canon, either, as Check Point told The Verge that other manufacturers, which use the same PTP protocol, could also be vulnerable. [My emphasis.]

PTP, or Picture Transfer Protocol, is an unauthenticated interface used by a lot of cameras and software.

Could manufacturers of everything please check to see if they have

  1. any non-secure interfaces
  2. hard-coded passwords or other backdoors

and get rid of them immediately? Probably not.

Apple Only Cares About Your Privacy When They Get Bad Press

So they’re just like every other tech giant. And they did get bad press. Apple suspends Siri response grading in response to privacy concerns.

In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program world wide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.

In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.

This is similar to the mess Google is in.

Privacy is such a 19th Century concept.

Locking the Barn Door After the Horses Escaped

Personally I like “Putting a guard on the picket lines, after the horses have been stolen.” But few people know that saying. LAPD Police Officers’ Personal Information Stolen in Data Breach.

So after the breach…

“Out of an abundance of caution we’re applying extra layers of security around our personnel system and enhancing defenses,” Ross told NBCLA Monday.

Which would have been fine if they’d done that BEFORE the data breach took place. Shouldn’t all their sensitive data have “enhanced defenses?”

The breach itself…

A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a large breach of data held by the city of Los Angeles’ Personnel Department.

Maybe cities should consider NOT putting everything online.

What Happens When a Software Company Ignores a Disclosed Vulnerability?

Even worse, they argued that a security backdoor was “critical for their seamless user experience.” In other words, we want it to be easy, not secure. Zoom fixes webcam flaw for Macs, but security concerns linger.

When a security researcher finds a problem, you get 90 days. They ignored the issue for 10, then they were able to confirm the issue. They held the first meeting on day 72, and came up with a “solution” that didn’t fix anything. Or in other words, Epic Fail.

You can find discussions of the technology all over the place, but I’m more interested in the insanity of the corporate schmucks. (You can find one such link at the bottom of this post.)

“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley said in a blog post. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”

That statement is the key. Here’s what the CISO was really saying, when you strip out the corporate double-speak.

We didn’t see the value in fixing the problem pointed out by the security community because we don’t give a rat’s ass about our clients’ security and privacy, and this fix would tarnish our image (or something), but when it was clear it was turning into a PR disaster we decided that maybe we aren’t as smart as we think we are, and will promise to value security in the future. Cross our hearts…

So what happens when a SW company ignores the security of their customers? They get handed their hats. (Schneier on Security has details on the technology, if you want more info.)

Stupid Criminals and WiFi Auto-login

It’s good to see that the American educational system is still just like it always was. Wi-Fi Auto-Login Helped Identify Hate Crime Vandalism Suspects.

The plan was to write “Class of 2018” everywhere, but it didn’t end there. They painted racist, homophobic and antisemitic graffiti all over the place.

They knew there were security cameras, so they covered their faces.

What the suspects did not realize, however, is that their smartphones automatically connected to the school Wi-Fi once they were in the area. Which, of course, would only be possible if they have an account or attend the school. Since each student has their own unique ID, their login times were recorded on the server and could be cross-referenced with the surveillance video.

To be completely surrounded by technology, to use that technology every day of your life, and to be so completely ignorant of how that technology works… I guess they figure it is like magic, they go to school and get connected to WiFi, and don’t bother to think what that means. Or when they go to their favorite coffee shop, fast food restaurant, or anywhere else that they use the free WiFi. Privacy? What’s that? Stupidity they seem to have a handle on.
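The cross-referencing described in that story (Wi-Fi association logs against the time window the cameras recorded the vandalism) is a routine bit of incident response. Here is an added example of that correlation; it is not code from the article or the school, and the log format, the access point names and the student IDs are all constructed for the example.

```python
from datetime import datetime

# Constructed sample log lines (hypothetical format, not from the article).
# Each line: ISO timestamp, event type, per-student login ID, access point.
SAMPLE_LOG = """\
2018-05-12T22:41:07 ASSOC user=stu1023 ap=gym-north
2018-05-12T22:41:52 ASSOC user=stu0877 ap=gym-north
2018-05-12T22:45:00 DEAUTH user=stu0877 ap=gym-north
2018-05-12T23:02:14 ASSOC user=stu1023 ap=library
2018-05-13T07:58:30 ASSOC user=stu0410 ap=gym-north
"""


def parse_assoc_events(text):
    """Yield (timestamp, student_id, ap) for each successful association.

    Malformed lines and non-ASSOC events (e.g. DEAUTH) are skipped, since
    only the moment a phone joined the network places its owner on campus.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "ASSOC":
            continue
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield ts, fields["user"], fields["ap"]


def users_near_incident(text, start_iso, end_iso, aps):
    """Map student_id -> sorted ISO timestamps of associations to any AP in
    `aps` within [start, end]. `start_iso`/`end_iso` come from the camera
    footage; `aps` are the access points covering the vandalised area."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    hits = {}
    for ts, user, ap in parse_assoc_events(text):
        if ap in aps and start <= ts <= end:
            hits.setdefault(user, []).append(ts.isoformat())
    return {user: sorted(times) for user, times in hits.items()}


if __name__ == "__main__":
    window = ("2018-05-12T22:30:00", "2018-05-12T23:00:00")
    for user, times in users_near_incident(SAMPLE_LOG, *window, {"gym-north"}).items():
        print(user, times)
```

The result is a candidate list, not proof: the camera footage still has to be matched to each ID, which is exactly the cross-referencing the article describes.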