Mondays With Miranda: May 14, 2018
Good morning, everyone! What’s a better way to start off your week than with some fun cybersecurity news? As usual, I’m going to tell you about a few events that are coming up later this month, but I’ll get back to those in just a second. First, I want to remind you about the event I discussed last week that a few members of the NeQter Labs team will be attending. The “DFARS Cybersecurity 2.0: The Year of Continuous Monitoring” event is being put on at Raytheon’s Freedom Theater on Thursday, May 24th, from 7:30 AM EDT until 5:00 PM. Be sure to find our team members there! Getting back to the new events that are coming up… Tomorrow, May 15th, the Cyber Investing Summit is being held in New York City. This is the third year it is being put on, and it is an all-day conference that focuses on investing in the cybersecurity industry. Another event coming up fairly soon is the Gartner Security & Risk Management Summit 2018. This event will take place in National Harbor, Maryland, from June 4th to 7th. The purpose of this event is to give professionals information about new and upcoming threats, as well as about emerging technologies such as Artificial Intelligence. Feel free to look into these events and attend if you can!
As for current news… I’m sure you all know what 7-Zip is, but if you don’t, it is a file decompression tool that many people use on Windows computers. 7-Zip supports many different file types, including RAR files, which is where a recent vulnerability was discovered. The bug was derived from open source code from the standalone UnRAR utility. Now that it has been patched, details regarding how the bug was found and what was involved have been released. The person who discovered the vulnerability is a cybersecurity researcher who calls himself LANDAVE, or just Dave for short. He said that “the problem arose from an all-too-common conflict between complexity and security.” In other words, the UnRAR decompression code was not configuring itself correctly while it was being used by 7-Zip, which means the failure was in the code itself. Once the exploitable vulnerability was discovered, Dave created an exploit, for demonstration purposes, showing that he could craft a RAR file that would silently launch the Calculator app on a Windows computer. To prevent any issues on your own devices, make sure you are updated to the latest version of 7-Zip, version 18.05.
The “Skeleton Key” Hack
Apple has recently been made aware of a “Skeleton Key” hack on home WiFi. The hack consists of turning Apple’s iPhone security chips into a type of “skeleton key.” The way the attack works is that it requires the hacker to take control of an IoT (Internet-of-Things) device, such as a toaster, that is exposed on the internet and is easily accessible to outsiders. The reason I said “easily accessible to outsiders” is that IoT devices have been known to hold numerous vulnerabilities, which makes them extremely susceptible to attacks. If a hacker takes control of a device with an Apple MFi chip, they have the ability to impersonate any host device they want that also uses an Apple MFi chip, as well as the ability to trick the network into giving them the security keys. The catch is that the user of the Apple device must accept the keys being provisioned to the device, which could help prevent the attack. It has been stated that this problem will take a considerable length of time to address, as it would require updating the IoT technology itself, as well as the MFi chips.
Terminating Password Reuse
Currently in the idea stage, a new suggestion has been made that passwords should not be reusable between websites. A few researchers at the University of North Carolina have come up with a way to make this idea possible, and have shown how it can work. The researchers say that it can work if a framework is designed for websites to check similarities between passwords without revealing private information about any individual. Basically, when a user attempts to set a password on any particular site, the password would be checked against all of that user’s other passwords on other websites. I think this sounds like a great idea, as long as many sites plan on implementing it. Otherwise, it will prove to be ineffective.
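To make the idea concrete, here is an added example (not the researchers’ protocol and not code from any product) of the kind of privacy-preserving cross-site check the paragraph describes: a Diffie-Hellman-style private set membership test in which each site only ever sees blinded values, so neither side learns the other’s password. The similarity rule, the toy prime, and the `Site`/`password_reused` names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy group parameter: the Mersenne prime 2^127 - 1, a constructed choice so
# the example runs instantly. A deployment would use a standardised group
# (an RFC 3526 MODP prime or an elliptic curve); correctness below only needs
# (h^a)^b == (h^b)^a mod P.
P = (1 << 127) - 1


def canonical(password: str) -> str:
    """Illustrative similarity rule (an assumption, not the researchers' one):
    ignore case and trailing digits/punctuation, so 'Summer2018!' and
    'summer2019' are treated as the same password."""
    return password.lower().rstrip("0123456789!@#$%^&*()-_=+.,?")


def to_group(password: str) -> int:
    """Map a canonicalised password to a non-trivial element of Z_P^*."""
    digest = hashlib.sha256(canonical(password).encode()).digest()
    h = int.from_bytes(digest, "big") % (P - 1) + 1   # in [1, P-1]
    return pow(h, 2, P)                                # drop the order-2 part


class Site:
    """A website holding one user's enrolled password, kept only as a group
    element blinded under the site's own secret exponent."""

    def __init__(self, enrolled_password: str):
        self.key = secrets.randbelow(P - 2) + 1
        self.blinded_store = {pow(to_group(enrolled_password), self.key, P)}

    def answer(self, blinded_query: int):
        # The site sees only H(candidate)^a and cannot recover or test the
        # candidate. It returns (H(candidate)^a)^b plus its own H(pw)^b values.
        return pow(blinded_query, self.key, P), self.blinded_store


def password_reused(candidate: str, other_sites) -> bool:
    """Requester side: True if `candidate` is (similar to) the password the
    user already has at any site in `other_sites`; nothing else is learned."""
    a = secrets.randbelow(P - 2) + 1
    query = pow(to_group(candidate), a, P)
    for site in other_sites:
        double_blinded, their_store = site.answer(query)
        # Equal canonical passwords collide because (h^b)^a == (h^a)^b mod P.
        if any(pow(v, a, P) == double_blinded for v in their_store):
            return True
    return False
```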