Security Leftovers
-
Visa vulnerability lets cybercrims bypass contactless card limit
When testing the attack with five major UK banks, Leigh-Anne Galloway and Tim Yunusov were not only able to bypass the verification limit "irrespective of the card terminal," but also found that the attack is possible with foreign cards and terminals.
-
Google’s Plans for Chrome Extensions Won’t Really Help Security
Note: Sam Jadali, the author of the DataSpii report referenced in this blog post, is an EFF Coders’ Rights client. However, the information about DataSpii in this post is based entirely on public reports.
Last week we learned about DataSpii, a report by independent researcher Sam Jadali about the “catastrophic data leak” wrought by a collection of browser extensions that surreptitiously extracted their users’ browsing history (and in some cases portions of visited web pages). Over four million users may have had sensitive information leaked to data brokers, including tax returns, travel itineraries, medical records, and corporate secrets.
While DataSpii included extensions in both the Chrome and Firefox extension marketplaces, the majority of those affected used Chrome. Naturally, this led reporters to ask Google for comment. In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have “announced technical changes to how extensions work that will mitigate or prevent this behavior.” Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3.
As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we’re here to tell you: Google’s statement just isn’t true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation.
-
EFF at Vegas Security Week
EFF is back this year at Vegas Security Week, sometimes affectionately known as Hacker Summer Camp. Stop by our booths at BSides, Black Hat, and DEF CON to find out about the latest developments in protecting digital freedom, sign up for our action alerts and mailing list, and donate to become an EFF member. We'll also have our limited-edition DEF CON 27 shirts available. These shirts have a puzzle incorporated into the design—try your hand at cracking it!
-
Protecting update systems from nation-state attackers
Frequent updates are a key part of keeping systems secure, but that goal will not be met if the update mechanism itself is compromised by an attacker. At a talk during the 2019 Open Source Summit Japan, Justin Cappos described Uptane, an update delivery mechanism for automotive applications that, he said, can prevent such problems, even when the attacker has the resources of a nation state. It would seem that some automobile manufacturers agree.
The list of companies that have suffered successful attacks on their update systems is long, Cappos began; it is something that happens all too frequently. Often these attacks are carried out by governments; he listed compromises that have been attributed to North Korea and Russia. The Stuxnet attack exploited the Windows update service as well, he said. Nation-state attackers can launch complex attacks; if you are defending against them, you have to worry about holding off a dedicated team of professionals — the best attackers in the world — who command massive resources and who are focused on your company in particular. It is a scary scenario, he said.
It is even scarier when one is dealing with the software that makes a modern automobile run. An attacker who gains the ability to install new software on cars could create no end of mayhem, up to and including large-scale loss of life. Clearly, we all want our cars to be well defended against even the most sophisticated intrusion attempts.
[...]
There are multiple open-source implementations of Uptane available. It has now been mandated by several manufacturers, but he was not allowed to name them. It meets or surpasses all of the existing proposals for update security, including upcoming regulations that require compromise resistance. There is a standardization effort around Uptane that is funded by the US Department of Homeland Security, rather than by the vendors. The system has been through a number of security audits as well. Uptane has been integrated with in-toto, a mechanism for supply-chain security that has been adopted widely, including by Debian, Arch Linux, and the reproducible builds project.
This code, he said, can be expected to ship in about one-third of all new cars on US roads in the near future.
Cappos closed by saying that, regardless of the work he and others have done, some groups will use insecure designs and car companies will put lives at risk. Attacks will happen, and appeals to weak regulations for cover will not suffice; people will die and (seemingly worse for manufacturers) big lawsuits will result. Systems like Uptane are meant to prevent that from happening.
-