HNNEpisode179

From Paul's Security Weekly

Hack Naked News #179

Recorded June 26, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Mozilla tests new Firefox Privacy Monitor tool - Mozilla’s enthusiasm for Troy Hunt’s Have I Been Pwned? (HIBP) has cranked up a level with the news it plans to integrate its breach checking into a new service called Privacy Monitor. Once up and running, it will work in a similar way to the HIBP website itself – Firefox users will be able to check whether email addresses associated with online accounts have turned up in breached data known to HIBP. If you want access to this new feature, you will just have to be patient: the company will next week start sending out invites to 250,000 mostly US-based Firefox users to test Privacy Monitor for themselves. The development is no surprise given that Mozilla last year trialled HIBP Firefox alerts, although these only activated when visiting a site that had been breached.
    2. Beware Malicious Software Updates for Legitimate Apps - The ACLU’s report, entitled “How malicious software updates endanger everyone”, warns software developers that “government agents may try to force you to create or install malicious software in products to help them with surveillance.” You see, a poisoned software update for a legitimate app could be an excellent opportunity for an intelligence agency to plant spyware onto a target’s computer. If you want to try out these attacks, check out Evilgrade.
    3. Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure - Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure the accuracy and precision of the user's input. In addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.
    4. Python-Based Adware Evolves to Install Malicious Browser Extensions - Dubbed PBot, or PythonBot, the adware was first uncovered more than a year ago, but since then the malware has evolved, as its authors have been trying different money-making schemes to profit themselves, according to researchers at Kaspersky Labs. The previous versions of the PBot malware were designed to perform man-in-the-browser (MITB) attacks to inject unwanted advertising scripts on web pages visited by the victim, but the newer variants have been found installing malicious ad extensions in the web browser.
    5. Fairhair Alliance Building IoT Security Architecture - An alliance of companies with products and services in the building automation and IoT fields is working to enhance security by creating a single architecture that brings together the wide variety of standards and protocols used in IoT applications. The Fairhair Alliance has released initial documentation on its approach and has described a timeline for adoption.
    6. Next-Generation WPA3 WiFi Security Standard Launches - The Wi-Fi Alliance officially announced the launch of the WiFi Certified WPA3 wireless security technology late on June 25, providing next-generation WiFi security capabilities. WPA3 is the successor to the widely deployed WPA2 WiFi security model that was launched in September 2004. WPA2 has been found to have multiple weaknesses including the KRACK vulnerabilities that were publicly disclosed in October 2017. WPA3 includes additional security capabilities on top of what WPA2 provides in an effort to offer a higher degree of wireless security.
    7. Hotels, airlines and travel sites battle bot attacks - Akamai researchers analysed nearly 112 billion bot requests and 3.9 billion malicious login attempts that targeted sites in this industry including airlines, cruise lines and hotels among others. Nearly 40 percent of the traffic seen across hotel and travel sites is classified as "impersonators of known browsers" - which Akamai described as a known vector for fraud.
    8. The Shift From 4G to 5G Will Change Just About Everything - “The application of 5G technology will result in massive changes for both consumers and enterprises,” said Jeff Weisbein, founder and CEO of digital media company Best Techie. “5G networks will offer consumers incredible broadband speeds at home (up to 20Gb/s). It will also enable companies to make advancements such as even smarter, better connected cars, advancements in medical technologies and improved retail experiences through personalization.” In addition to increasing the features and capabilities of IoT devices, I believe 5G is important to offer consumers more options for Internet access in the home, and may increase Internet usage as a whole across the globe.

    Expert Commentary

    School facial recognition system sparks privacy concerns George Orwell is coming to a school district in New York state. School districts around the US are looking for ways to make schools safer for students. One of the ideas that has come up in several places is the widespread use of video surveillance. A school district in New York has decided to implement a system that steps up that coverage with facial recognition. Lockport City School District (LCSD) has purchased facial and object recognition to alert on dangerous people coming on to school properties.

    According to LCSD’s implementation plan, “Existing cameras will be upgraded and new cameras and wiring will be added to provide viewing and automated facial and object recognition of live and recorded surveillance video. Additional surveillance servers are being added to provide enhanced storage of recorded video and processing of live and recorded surveillance video.” The system is supposed to be capable of automatically searching through video feeds for specific people and alerting school staff if someone shows up on campus. The Naked Security blog gave several examples of who would be watched for, including “sex offenders, suspended students, fired employees or known gang members.” It is also supposed to be able to recognize the top 10 guns used in school shootings.

    The ACLU has responded to this purchase with a letter of protest to the New York State Education Department. They are concerned with the privacy issues around such a system as well as the accuracy of the technology. Their argument is that the facial recognition software creates a biometric record of students, which is personally identifiable information. The video is apparently planned to be stored for 60 days after capture, so there is time available to go back and track students’ activities on campus. According to the ACLU, “These systems could potentially turn students’ and staff members’ every step into evidence of an infraction or crime and could criminalize ordinary child misbehavior and personal interactions.”

    This type of system bothers me for all the reasons that I’m uncomfortable with the NSA’s surveillance inside the US. There is a pressing problem that needs to be addressed. In this case, it is safety on school campuses. To improve our ability to respond to events quickly, we implement mass surveillance and, in this case, put facial recognition software on top of it. Once it is in use and (hopefully) not much is happening with it, someone asks a question that could be answered by the surveillance system. “Hey, we’ve noticed that Johnny is acting kind of dodgy and he may be a danger. Can we tell the surveillance system to track his movements and see what he’s been up to?” As a society we’ve accepted video surveillance, but should we accept this kind of targeted surveillance? Especially in places such as schools?

    This strikes me as a well-intentioned but risky practice to accept. It may be that we have decided to move in this direction and there is no stopping it. If that is the case, then we need to make sure that there are protocols for the use of these systems. Who authorizes the targeting of students in the surveillance system? Do multiple parties have to sign off on it? What level of concern must be reached before students are picked for detailed review of their activities?

    You may look at this and think that this is only an issue in Lockport City, NY, but a similar system is being implemented in Arkansas’ Magnolia School District too. This sort of thing may be coming to a school district near you. I personally plan on watching for similar systems in my area and getting involved if these or similar ideas are suggested. Keep an eye out on your local school district because this could be coming your way.
