The SafeLogic Blog
Vegas is Scary
August 27, 2014 • Walt Paley
Vegas is scary. Well, not the city itself. I love Las Vegas! (And I'll be there again soon for CTIA's Super Mobility Week. Ping me to meet up.) The hackers that descended upon the desert oasis for Black Hat and DEFCON are the scary ones. Their bag of tricks, more specifically.
I was on a mission to find and pick the brains of the most interesting attendees. I came away somewhat traumatized, since I knew just enough to be truly disturbed by how many vulnerabilities were discussed. Here are just a few, with links to more commentary by PC Mag. Max Eddy and Fahmida Rashid both did a stellar job and should be followed on Twitter.
Nest is Cracked
Saw it, wrote about it, followed Yier Jin on Twitter (and he followed me back. Very cool.) Bottom line - Internet of Things devices should not be a doorway into your entire home network. Consumers should consider setting up a quarantine, at least until these manufacturers figure it out.
Side note: what the hell, Nest? You're part of Google now. You're commonly considered some of the best and brightest. Shouldn't you be setting a better example for the IoT vendors to come?
Airport Security Scanners Are Vulnerable
I'm not sure this is a great classic hack, per se, but it's definitely a candidate for the Darwin Awards. Who are the geniuses that are hardwiring login credentials into TSA-issue airport security scanners? And to make it better, connecting them to the public internet? Billy Rios, director of threat intelligence at Qualys, successfully identified two such systems. He located 6,000 connected scanners, two of which were at airports. PC Mag reported that one has been decommissioned since. I want to know where this last rogue system is located... and I'm considering not flying until it is removed.
Satcom Links Become Slot Machines
IOActive's Ruben Santamarta was able to hack the satellite communications systems used in airliners, cruise ships and other remote deployments. Again, using hardcoded credentials and backdoors, Santamarta proved that several methods of alternate communications are vulnerable. Making matters worse, the situations in which these devices are in play are exactly the ones where you don't want to be hacked. If you're hitting SOS on a plane or a boat, the last thing you want to see is a Black Hat video slot machine!
Google Glass Steals Passwords
OK, that one looks like clickbait. In a way, it is. Qinggang Yue demonstrated that an iPhone or even a traditional camcorder would still do the trick, but the popular wearable poster child is the sneakiest. He was stealing Android users' PIN codes at an alarming rate - even 100% of attempts from 44 meters away, albeit with a camcorder on the fourth floor of the building to achieve an advantageous angle. The upshot? Randomized keypads can't become ubiquitous fast enough. They will negate the advantage of most PIN-stealing techniques, including this voyeur strategy. Without a direct and clear angle, Yue's model makes assumptions about the location of each button. Once button locations are randomized, users will not be able to rely on muscle memory to unlock their phone, access the ATM, enter their front door, etc., but hackers will have to work much, much harder.
Bonus Story - The Puzzle Mastermind Behind DEFCON's Hackable Badges
Ryan Clarke aka LostboY aka LosT has a really cool gig. Wired's Kim Zetter has the story, and while it's not about a vulnerability, impending danger or security, I highly recommend taking a couple minutes to read it. Clarke designs seven badge types each year: attendees (humans), goons (conference volunteers), vendors, speakers, contest leaders, the press, and the Uber badge. Players have to collect each of them to decipher part of a math-based challenge. The lanyards holding the badges also contain puzzles. This level of creativity and craftsmanship is not commonplace, and it makes you want to attend DEFCON just to get one of these sophisticated works of art. And it makes me want to watch a movie like The Game again, just to get that thrill. Well done, LostboY, well done.
Walt Paley
Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.