Tuesday, August 3, 2021

Security Smorgasbord, vol. 13 no. 4

This Security Smorgasbord now has more snark!

Congress catches up to Borepatch from 2009, holds hearings on Power Grid security:

The lack of adequate security features in critical electrical grid equipment - including high-power transformers - that's made in other nations poses a serious U.S. cybersecurity threat, according to federal officials who testified at a Congressional hearing this week. Supply chain vulnerabilities could result in a grid takedown by nation-state actors and a lengthy recovery period, they said.

Prediction: nothing happens because the $1.2T "Infrastructure" bill is about funding Democratic Party clients, not providing reliable infrastructure.

The top 30 security exploits, per the NSA, UK NCSC, Australian, CSC, and the FBI.  Given the recent news about FBI assets formenting all sorts of plots that didn't exist before, you have to wonder if they're behind some of the Black Hat rings too.

"Swatting" perpetrator sentenced to 5 years in prison after victim dies.  Enjoy your time in jail, jerk.  "Swatting" is when some jerk sends a spoofed 911 call to the victim's local Po-po to get an armed response.  Victims of this sometimes die, either shot by the first responders or in this case from a heart attack.  This spoofing should be getting harder to do now.

D-Link issues fix for home WiFi routers:

D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.

Following successful exploitation, they can let attackers execute arbitrary code on unpatched routers, gain access to sensitive information or crash the routers after triggering a denial of service state.

The DIR-3040 security flaws discovered and reported by Cisco Talos security researcher Dave McDaniel include hardcoded passwords, command injection, and information disclosure bugs.

Hardcoded passwords.  Top Men, right there.  Top.  Men.  This is why we can't have nice things on the Internet.

Cell phone encryption was intentionally weakened:

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper.

The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case.

Ah, the Bad Old Days of export control'ed crypto.  Good thing that that would never happen now, amirite?


Unknown # 4B, Jr. said...

yeah, I'll send a thank you note to the Dems for their continued vigilence.

Speaking of routers....I'm due to replace mine (5+ years old) - any recommendations for a really good, secure wi-fi router?


SiGraybeard said...

Hardcoded passwords? In 2021?

YHGTBSM That's almost grounds to say, "never by a D-LINK product ever again."