Weekly Axis Of Easy #21
In this issue:
- All your WIFI are belong to us: Major vulnerability in WPA2 to be released
- Equifax website to address data breach infected with malware
- Mobile phone companies sell your name & location data
- Russia introduces “crypto-ruble”
WPA2, the encryption algorithm in use today on nearly all WIFI access points has been discovered to have a major security flaw which renders them hackable. The upshot is that attackers will be able to read all data traversing the WIFI access point (another reason to use VPN sessions to further encrypt your data before it flows over the air).
Security researchers will release their findings at Computer and Communications Security (CCS) on November 1, 2017. My understanding of this so far is that once the paper drops and the inevitable exploits follow, both the access point and the clients will need vendor patching to be secure. Think “heart bleed” to the exponent “shell shock”.
Also read: https://www.krackattacks.com/
The hits just keep on coming for Equifax. After one of the worst data breaches in history the company received further criticism for winning a “no-bid” contract with the IRS to “secure taxpayer data”. Now it turns out the public information website it set up to help consumers understand the nature of the data breach was itself infected and thus served up malware to those browsing it. The hostile code took form of a fake “Adobe Flash Update” which instead of updating Flash, installed third-party spyware on the subject computer.
Keep up the good work Equifax!
Techrunch reported [Shotwell Labs’ co-founder findings][URL:https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024] that even after the FCC penalized Verizon for injecting markers into their customers’ data that enabled them to be tracked without customer consent, the practice is still thriving across mobile providers and being used to sell name and location data to whoever ponies up for it.
The mobile providers are injecting a new data element similar to Verizon’s Unique Identifier Header (UIDH) which is appended to HTTP requests and allows websites visited to see personally identifiable data, including billing and location info, if they subscribe to the carriers data feed for it. While the article does enumerate some legitimate reasons for websites to gain access to this (employee tracking), it’s still concerning.
Also read: https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024
The Russian Minister of Communications announced last week the creation of a “CryptoRuble” which will be an official state currency and will enjoy full convertibility into Russian rubles. That said, since it will not be mined and the government is maintaining total control over it (the private keys I assume?) it’s a stretch to call this a full-on “crypto-currency” as much a a state controlled :”digital cash”.