SWN #3 | SC Media

SWN #3

January 14, 2020


This week on Security Weekly News, Dr. Doug White covers the following stories: Tesla Goes Pwn2Own Again This Year, GRU “hacks” a Ukrainian Gas Company at the Heart of Scandals in DC, Is Iran Shutting Down Social Media to Prevent Protests?, The US Government Issues Phones to the Poor Which Contain Chinese Malware. Oh, and the phones were Chinese too, Cloudflare Expands Into VPN and Firewalling, Microsoft has Officially Ended Support for Win 7 and Server 2008, A Nasty Bug in Firefox, Citrix Exploits are Being Well… Exploited, Can We Just Go Ahead and Read the Patterns in Encryption?, Cisco Data Center Vulnerabilities, More Lawsuits in Georgia, The Return of Emotet, Never Give the Victim a Break if You Want Them to Pay, and Is the US Better Than Anyone in the World at Cyber? In the expert commentary segment, Jason Wood covers the State of 5G Security.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page


News Stories

Commentary – Jason Wood, Paladin Security

State of 5G Security

While I was reading this week I found a security prediction for 2020 that caught my eye. The prediction was that the growth and combination of IoT and 5G would be a major source of security issues in 2020. I kind of chuckled because the annual predictions are usually interesting, but frequently off from what ends up occurring. But because my mind was on 5G, I noticed a blog post released today by Bruce Schneier on 5G security. Bruce explains his view on why 5G is not going to be as secure as people may hope and it’s definitely worth the read.

When you hear about 5G security, there is a lot of focus on hardware that is made in China. The US is strongly against the use of Huawei and other Chinese networking suppliers in the 5G infrastructure. The fear is that these companies will include backdoors, security weaknesses, or other issues in their products due to pressure or collaboration with the Chinese government. Due to China’s history of content monitoring, censorship, and espionage, that’s a real risk to consider. Are they overblown or underplayed? That depends on who you are talking to. Everyone has their own experiences and biases when talking about these topics. But rather than focusing on this, Bruce pivots to other issues with 5G that don’t get as much attention.

First, he states, the 5G standards are really complex and cannot be implemented securely. If you’ve ever been unable to fall asleep and decided to read an RFC to help you doze off, you know that standards lay out requirements, but do not get into how to build something. They are subject to interpretation. So security errors will still be made while writing the actual implementation. This is further complicated by the standards trying to not only handle the wireless portion of the communication but the infrastructure that will perform the routing and transmission of that data. 5G apparently isn’t just a wireless standard.

Second, Bruce points out that even if 5G were super secure, it still has all the baggage that it is carrying from 4G networking. Backwards compatibility is still an important thing since it’s going to be a while until only 5G and greater capable devices are in use. Because of this, 5G will inherit a number of issues from 4G. The need for backwards compatibility is obvious since providers have already started implementing 5G networks, but few people have devices that support it. To expect a “clean break” (as Bruce termed it) with 4G is unrealistic. So we are going to have to live with older security flaws. The idea of a downgrade attack would seem to apply here.

Finally, he explains that the standards committees just skipped out on opportunities to make security improvements. Even where they did propose security features, many were made optional. Don’t like it and think it is too expensive? Then skip it and move on. On top of that, even if it is a requirement, can you get away with skipping out on it? It’s not like someone will prevent you from putting it out on the market. Then once it is out there, we end up living with it.

Bruce made one statement that I thought sounded almost silly because it applies to pretty much every technology. “But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.” Well, yeah. That’s always the way this seems to work out. It always ends up causing us problems, but it’s always the case. I don’t think Bruce is being naive here. It’s a lament from him and likely goes back to his calls for government regulation of IoT devices and having mandates for security being implemented. That way the market forces don’t cause security to be treated as something to be bolted on later.

One bit of advice I really liked in his post was this statement from Susan Gordon, who was the U.S. principal deputy director of national intelligence at the time. “You have to presume a dirty network.” In fact, she goes on to say, “That’s what we’re going to have to presume about the world.” While we may agree with that statement as security professionals, it certainly makes for a messy landscape and a rough experience for those who don’t work in security.

The overall takeaway is this. 5G isn’t going to solve wireless communications problems. It will change things, but it won’t be a solution here. It will provide more opportunities for IoT device makers. This makes me wonder if we are going to have to get a data plan for doorbells, refrigerators, and other IoT doodads. So the spread of the network will go further, reach deeper into our lives, but will only provide a feeling of security with the reality very much in question. It will be very interesting to see how this actually plays out.

Hosts

Doug White

Doug White – Professor

Jason Wood

Jason Wood – Founder; Primary Consultant

Announcements

  • Our next webcast is January 15th with Cecilia Marinier, RSAC Program Director, Innovation & Scholars where we will discuss RSAC Sandbox, RSAC Innovation Sandbox, RSAC Launch Pad, RSAC Security Scholar and their “How to” Seminar for Innovators and Entrepreneurs! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.

This week in the Security Weekly News Wrap Up, Brute Forcing Returns, Zero Days in Salt and SOPHOS, COVID Tracking APPS and privacy, Drones delivering drugs, Digital Identity, and no more double spacing at the end of a sentence!


Brute Forcing, Drones, Zero Days, & Tracking Apps – Wrap Up

Hosts

Doug White

Doug White – Professor

This week, Hackers are using infected movie downloads to spread malware to PC, Esoteric Exfiltration using Power Supplies on Airgapped machines, US Government bans purchase of bulk power system equipment from hostile foreign powers, Eventbot malware targets banking apps on Android Phones, and Apple makes it easier to unlock your phone while wearing a mask! In the Expert Commentary, we welcome Corey Thuen, Co-Founder at Gravwell, to discuss how Gravwell is built to ingest data from anything for collection and correlation with logs, security events, or network packets. They’re releasing Packetfleet open source as a tool that makes it easier to do on-demand packet capture from multiple locations!

To learn more about Gravwell, visit: https://securityweekly.com/gravwell

Visit https://www.securityweekly.com/swn for all the latest episodes!

Trojans, VBScripts, I Love You Returns, and Corey Thuen

Hosts

Doug White

Doug White – Professor

Guests

Corey Thuen

Corey Thuen – Co-Founder

This week, Doug White wraps up the hot topics and interviews across all of our shows on the network! Then delving into some of the top news stories like No more foreign power equipment, Apple and Google ban the use of GPS in tracking, power supply oohs and aahs, and the Love Bug Remembered!

Visit https://www.securityweekly.com/swn for all the latest episodes!

PerSwaysion, ILoveYou, & POWER-SUPPLaY – Wrap Up

Hosts

Doug White

Doug White – Professor

This week in the Security Weekly News, DEFCON 28 is indeed cancelled, Paying Ransomware may double the recovery cost, Thunderspy evil maid attack on Thunderbolt devices, FBI to release a warning about Chinese hackers targeting virus research, and more! Jason Wood returns for the Expert Commentary to talk about Four GDPR Violations that multiple companies have been fined for!

Visit https://www.securityweekly.com/swn for all the latest episodes!

ThunderSpy, Hacking COVID Research, & GDPR Fines

Hosts

Doug White

Doug White – Professor

Jason Wood

Jason Wood – Founder; Primary Consultant

This week, Doug wraps up all the shows across our network, including the Show News, Bunny Lebowski’s toes, STAMINA, RAMSAY, and US-CERT Vulnerabilities!

Visit https://www.securityweekly.com/swn for all the latest episodes!

STAMINA, RAMSAY, and US-Cert Vulnerabilities – Wrap Up

Hosts

Doug White

Doug White – Professor

This week, Dr. Doug returns to the studio to discuss how DEFCON is Cancelled, Many Applications have Security flaws, Verizon Security Report for 2019, The FBI and DoJ want encryption backdoors, and Space, the final Frontier! The Master of Commentary Jason Wood joins us to talk about how a Ransomware Gang Was Arrested for Spreading Locky to Hospitals!

Visit https://www.securityweekly.com/swn for all the latest episodes!

DEFCON Safe Mode, Ransomware Gangs, & SpaceX to ISS

Hosts

Doug White

Doug White – Professor

Jason Wood

Jason Wood – Founder; Primary Consultant

This week on the Wrap Up, Danny Trejo, COVID-19 Contact Tracing, SaltStack, and lots of hacked Supercomputers with cool names!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Danny Trejo, Animal Crossing, Contact Tracing, & SaltStack – Wrap Up

Hosts

Doug White

Doug White – Professor

This week, DEFCON is still cancelled, Cyber insurance?, Phishing, rogue drones, the return of the dark web, Sarwent malware, and Dutch Grandmothers in trouble. Jason Wood joins us for the Expert Commentary on how eBay users spot the online auction house port-scanning their PCs!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Rogue Drones, Sarwent Malware, Microsoft MFA Attack

Hosts

Doug White

Doug White – Professor

Jason Wood

Jason Wood – Founder; Primary Consultant

Show news, 5G Quantum Oscillations, Ragnar, Windows Hello, Facebook, and FISA!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Ragnar Locker, Windows Hello, & OpenSSH – Wrap Up

Hosts

Doug White

Doug White – Professor

This week, SpaceX docks, Anonymous returns, Apple pays, Zephyr blows, and Mobile Phishing is Expensive!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Anonymous Returns, Zephyr Vulns, & SpaceX Docks

Hosts

Doug White

Doug White – Professor

Jason Wood

Jason Wood – Founder; Primary Consultant