In the news, Bitcoin mining ban considered by China's economic planner, Yahoo strikes $117.5 million data breach settlement, Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords, WikiLeaks Founder Julian Assange arrested and charged in US with computer hacking conspiracy, and How HTML5 Ping Is Used in DDoS Attacks.
Bitcoin mining ban considered by China's economic planner - A notice published online in Mandarin by the country's economic planning agency added "virtual currency mining activities [including] the production process of Bitcoin" to a list of industries that could be shut down. The suggestion is that the power consumed by the industry contributes to pollution and wastes resources. Pollution and waste resources, riiiight.
Yahoo strikes $117.5 million data breach settlement after earlier... - Yahoo has struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. So, 3 billion accounts were affected in this breach, meaning $0.04 per user? Or do I suck at math? Or is that not how it works?
Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords - These attacks will be around for a while: There are two ways to perform such a downgrade hack. The first is to perform a man-in-the-middle attack that modifies the wireless beacons in a way that makes a WPA3-enabled router represent itself as being able to only use WPA2. While a WPA3 client device will eventually detect the spoofed beacons and abort the handshake, this security mechanism isn’t tripped until after the attacker has captured the four-way handshake. A variation of this downgrade attack—usable if the SSID name of the targeted WPA3 network is known—is to forgo the man-in-the-middle tampering and instead create a WPA2-only network with the same name. As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-way handshake.
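For defenders, both downgrade variants described above show up in the air as a beacon for a WPA3 SSID that advertises only WPA2 key management. The sketch below is an added example, not code from the show or the article: it parses the RSN element of an observed beacon and compares it with the mode the operator configured. The SSID, the `EXPECTED` inventory, and the sample bytes are constructed for illustration.

```python
import struct

OUI = bytes.fromhex("000fac")      # IEEE 802.11 suite selector OUI
PSK_AKMS = {2, 6}                  # PSK, PSK-SHA256 (WPA2-Personal)
SAE_AKMS = {8, 9}                  # SAE, FT over SAE (WPA3-Personal)

def _suites(body, off):
    """Read a count-prefixed suite list; return (suite types, next offset)."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return {body[i + 3] for i in range(off + 2, end, 4) if body[i:i + 3] == OUI}, end

def parse_rsn(body):
    """Parse an RSN element body (element ID 48, ID and length bytes removed)."""
    _, off = _suites(body, 6)      # skip version (2) + group cipher (4), read pairwise
    akms, off = _suites(body, off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": akms, "mfp_required": bool(caps & 0x0040)}

def classify(rsn):
    psk, sae = rsn["akms"] & PSK_AKMS, rsn["akms"] & SAE_AKMS
    if psk and sae:
        return "transition"
    return "wpa3-only" if sae else "wpa2-only" if psk else "other"

def audit(ssid, rsn_body, expected):
    """Compare one observed beacon with the mode the operator configured."""
    mode = classify(parse_rsn(rsn_body))
    if expected.get(ssid) in ("wpa3-only", "transition") and mode == "wpa2-only":
        return "ALERT: beacon advertises WPA2-only for a WPA3 SSID"
    if mode == "transition":
        return "WARN: transition mode, clients may still join over WPA2"
    return "ok"

# Constructed sample data (not captured traffic); SSID and inventory are hypothetical.
HDR = "0100" "000fac04" "0100" "000fac04"     # version 1, CCMP group + pairwise
SAE_ONLY = bytes.fromhex(HDR + "0100" "000fac08" "c000")
TRANSITION = bytes.fromhex(HDR + "0200" "000fac02" "000fac08" "8000")
WPA2_ONLY = bytes.fromhex(HDR + "0100" "000fac02" "0000")
EXPECTED = {"corp-wifi": "wpa3-only"}

if __name__ == "__main__":
    for name, body in [("SAE", SAE_ONLY), ("mixed", TRANSITION), ("PSK", WPA2_ONLY)]:
        print(name, audit("corp-wifi", body, EXPECTED))
```

An alert here only says the advertised mode differs from the inventory; confirming a rogue or spoofed access point still needs the BSSID and channel checked against known hardware.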
Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations - Help Net Security - Not too helpful: Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, set to be put into law in 2020. The law requires that manufacturers of a device that connects directly or indirectly to the internet must be equipped with “reasonable” security features that are designed to prevent unauthorized access, modification or information disclosure. The bill aims to protect consumers as a first step, but could also potentially be applied to larger, enterprise solutions with future revisions.
Jeff Man - Sr. InfoSec Consultant, Online Business Systems.
Paul Asadoorian - CEO, Security Weekly.
Doug White - Professor, Roger Williams University.
Larry Pesce - Senior Managing Consultant and Director of Research, InGuardians.