INFORMATION SECURITY NEWS
For the Week of 11/21-11/28, 2017
CURRENT NEWS
macOS High Sierra Allows Root Login Without Password
Apple has patched a vulnerability in macOS High Sierra that allowed anyone to log in as root without a password. Simply clicking the login button twice with a blank password was enough to authenticate as root.
https://www.cnet.com/news/apple-flaw-allows-macos-high-sierra-logins-without-passwords/
iPhone Passcodes Bypassed with NAND Mirroring Attack
A Cambridge computer scientist has successfully executed a NAND mirroring attack on an iPhone 5C. The attack uses commodity hardware costing less than a hundred dollars and works by cloning the phone’s flash memory chip, then re-cloning it (restoring the saved copy) each time the phone locks out further attempts. This bypasses the timeouts and limits on passcode attempts. Using this method, a 4-digit PIN can be brute-forced in about 20 hours, and a 6-digit PIN in about 3 months. The attack works against all iPhones up to the iPhone 6+; newer iPhones are more resistant.
https://arstechnica.com/information-technology/2016/09/iphone-5c-nand-mirroring-passcode-attack/
Uber Paid Hackers $100,000 to Keep 2016 Breach Secret
Uber paid hackers a $100,000 ransom to keep secret a 2016 breach affecting 57 million driver and rider accounts. The stolen information included the phone numbers, email addresses, and names of both riders and drivers. The hackers approached Uber and demanded the $100,000 to delete their copy of the data. After paying the ransom, Uber went a step further, tracking down the hackers and making them sign nondisclosure agreements. Uber then tried to disguise the ransom payout as a bug bounty payment. The executives and employees involved have been let go, and the New York attorney general’s office has launched an investigation into Uber’s business practices.
https://www.nytimes.com/2017/11/21/technology/uber-hack.html
Amazon Formally Verifies the Random Number Generator in s2n
In 2015, Amazon introduced s2n, an open source implementation of TLS/SSL. For random numbers, s2n uses a generator called AES_CTR_DRBG. Amazon has completed a proof about the generator’s specification, as well as a formal verification that the s2n code is equivalent to that specification. Both OpenSSL and glibc are going to replace their random number generators with AES_CTR_DRBG, and it is also going to be included in future Linux kernels.
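To show what the AES_CTR_DRBG construction named above actually does, here is an added example (my own code, not s2n's, OpenSSL's or glibc's): a minimal NIST SP 800-90A CTR_DRBG in Go using AES-128 with no derivation function, with the Update and Generate steps and the reseed limit that a formal specification would pin down. The type and function names (CtrDrbg, NewCtrDrbg, Generate) are mine, and it assumes the caller supplies exactly 32 bytes of entropy input, passes no additional input, and never reseeds.

```go
package main
import "crypto/aes"

// CtrDrbg is the SP 800-90A CTR_DRBG working state (AES-128, no derivation function).
type CtrDrbg struct {
	key, v        [16]byte // 16-byte Key and 16-byte counter block V
	reseedCounter uint64
}
// ctrBlocks increments V (big-endian, mod 2^128) and encrypts it under Key
// until n bytes of keystream exist; Update and Generate are both built on it.
func (d *CtrDrbg) ctrBlocks(n int) []byte {
	block, _ := aes.NewCipher(d.key[:]) // a 16-byte key is always accepted
	out := make([]byte, 0, n+16)
	for buf := make([]byte, 16); len(out) < n; out = append(out, buf...) {
		for i := 15; i >= 0; i-- {
			if d.v[i]++; d.v[i] != 0 {
				break
			}
		}
		block.Encrypt(buf, d.v[:])
	}
	return out[:n]
}
// update is CTR_DRBG_Update: 32 bytes of keystream XOR providedData become Key||V.
func (d *CtrDrbg) update(providedData []byte) {
	temp := d.ctrBlocks(32)
	for i := range providedData {
		temp[i] ^= providedData[i]
	}
	copy(d.key[:], temp[:16])
	copy(d.v[:], temp[16:])
}
// NewCtrDrbg is CTR_DRBG_Instantiate (no df): seedlen = 32 entropy bytes fold into zero Key/V.
func NewCtrDrbg(entropy [32]byte) *CtrDrbg {
	d := &CtrDrbg{reseedCounter: 1}
	d.update(entropy[:])
	return d
}
// Generate is CTR_DRBG_Generate: emit n bytes, then update so the Key that made
// them is erased (backtracking resistance); oversize or overdue requests fail.
func (d *CtrDrbg) Generate(n int) ([]byte, bool) {
	if n < 0 || n > 1<<16 || d.reseedCounter > 1<<48 {
		return nil, false // beyond max bytes per request, or reseed is overdue
	}
	out := d.ctrBlocks(n)
	d.update(make([]byte, 32)) // no additional input: all-zero provided data
	d.reseedCounter++
	return out, true
}
```

In any real use the 32 entropy bytes must come from the operating system's entropy source (crypto/rand); a fixed seed only makes runs reproducible for study.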
Also in networking news: the net neutrality debate
At its core, the net neutrality debate is over whether Internet Service Providers (ISPs) can treat data differently depending on its source or use. For example, ISPs might throttle data-heavy services (like video streaming), or throttle traffic from a source that doesn’t pay to be in the “fast lane”. If that sounds far-fetched, think again: in 2014, Netflix paid Comcast to stop throttling its traffic. This is problematic for several reasons. For one, it would present a barrier to startups that lack the resources to pay for “fast lane” access. It could be argued that big companies which have built their own Content Delivery Networks (CDNs) have already paid to prioritize their traffic, and that startups probably couldn’t invest in extensive CDN infrastructure either. It would also allow an ISP to throttle services that compete with services the ISP itself owns. The extra cost to services isn’t negligible, and it would get passed down to the consumer. Critics of net neutrality claim that it passes the costs of big, data-heavy services on to the consumer; in the Netflix case, the argument would be that Netflix uses so much bandwidth that all consumers pay extra to subsidize those who use Netflix. However, it’s not clear that transmitting extra data actually costs that much; if it does, the cost is likely below a penny per gigabyte [1].
In 2015, the FCC classified ISPs as “common carriers”, effectively protecting net neutrality. However, FCC members will vote on December 14 of this year on whether this designation (and net neutrality) stays.
Here is an article that explains the situation pretty well (and is in favor of net neutrality)
[1] https://broadbandnow.com/report/much-data-really-cost-isps/
Here is an article which explains the issue fairly well (ultimately it seems against net neutrality, but it provides a very good overview of the issues).
The Wikipedia page is also a good resource on this issue:
https://en.wikipedia.org/wiki/Net_neutrality_in_the_United_States#Opposition_to_net_neutrality