OnePlus, Amazon Key, and ADT – Hack Naked News #149
November 16, 2017
Michael Santarcangelo and Jason Wood discuss Amazon Key's launch, backdoors on phones, consumers distrusting businesses with data, IT professionals turning to cybersecurity, and more on this episode of Hack Naked News!
According to a survey by Duo Security, only 28% are using 2FA and 56% hadn’t even heard of it.
“One source of the problem may be the jargon—‘2FA’ or ‘two-factor authentication’—used to describe a simple security concept: the requirement for an extra step, such as a text message code, when someone tries to login from an unfamiliar device.”
Are companies doing enough? Are you?
With Amazon Key’s launch, customers and lawyers have lots of questions
6 million tech jobs in the US; 2 million are cybersecurity!
8 out of 10 tech professionals are “mostly satisfied,” but 51% are interested in working on/in cybersecurity issues
Aside: 30% interested in IoT and 20% interested in AI — both big players in the security space
Expert Commentary: Boeing 757 Testing Shows Airplanes Vulnerable to Hacking
Here’s an interesting bit of news in the “wow, they did that!” category. According to a November 8, 2017 article by Avionics Today, the US Department of Homeland Security was able to compromise a Boeing 757 remotely using RF communication on September 21, 2016. The DHS team was made up of “government, industry and academic” individuals who were able to remotely compromise an airplane sitting on the tarmac. I’ll let that settle in for a second before we continue…
So what is the story here? Well, for some reason the DHS decided to take one of the airplanes that it owned and dedicate it to some security testing for a little while. Perhaps Chris Roberts’ posts about using wireless networks for passengers to attack the flight controls caught someone’s attention. Either way, the DHS decided to see what they could do. According to Dr. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, they received the aircraft on September 19, 2016 and within two days had compromised the plane via a previously known RF weakness. This wasn’t done in a lab environment, nor did they have an initial foothold somewhere. Dr. Hickey went on to say, “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
This event apparently shocked the heck out of commercial pilots when they were told of the issue during a technical briefing. So while the weakness was known to some segment of the aviation world, the pilots themselves had no idea that the issue existed. Unfortunately (or fortunately) for us, the actual details of the test are classified, so this is about all the information that is known.
Now before anyone starts to panic, keep in mind that this was an older Boeing 757. Systems in planes change over the years as new models are released. Systems that are in a Boeing plane from the 80s probably aren’t in an Airbus built in the 90s or even a Boeing built in the 90s. What’s probably not news to anyone listening to this podcast is that complicated systems that make extensive use of software and communications with external systems end up having security flaws. The plane that was tested was built in a time when no one thought about protecting against someone hacking an airplane. Reportedly that has changed, with newer models of airplanes such as the 787 being designed with security defenses in mind. Hopefully that’s a rigorous design process with lots of testing to try to make it fail.
Very, very few of us have an influence in this situation; however, here’s the thing that we can take away from it. There are more and more products being implemented that have lots of interaction with people. Automobiles are a prime example. We’ve got IoT gear that is controlling access to our homes, deploying microphones throughout them, and watching us via cameras. People and companies are coming up with all kinds of wild stuff. These are all being built with limited focus on security and primary focus on getting to market. They can be very complicated systems and will have security flaws in them. These flaws will lead to impacts that no one expects. We all have to be evangelists for security in our organizations, even if security isn’t in our job title. There are lots of news articles available to demonstrate what happens when security is not taken into account in design. Use relevant articles to show what could apply to your organization. It may be understandable why a plane built in 1983 didn’t have security designed into it, but it’s 2017 and there’s lots of evidence why security needs to be a component of design now.