Fed2 Star - the newsletter for the space trading game Federation 2

The weekly newsletter for Fed2
by ibgames

EARTHDATE: October 22, 2017


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net, technology and science news
by Alan Lenton

It’s been bad for security for the last couple of weeks, and that seems to be dominating Winding Down this week. We have material on Accenture, KRACK, SSH keys, TPM key generation, and EU crypto back doors. We also cover the top ten cloud security hacks of this year (so far). Other topics include flying autonomous taxis, a possible AI cabbie chatbot, tools for web developers, a video about how to turn a very long lorry in a very tight space, and a quote from Isaac Newton. Once you are through that little lot, there are URLs in the scanner section on a much wider set of topics, including a US$2 million jetpack competition, radioactive pigs, the next lot of security risks, the real meaning of ‘Anglo-Saxon’, big drones, Sputnik 1 – the first satellite launched into space, and, finally, Microsoft’s foray into mobile phones.

Phew! Well – here it is...

Shorts:

You know, if I used it as part of a game or story, I would be denounced for stretching people’s credulity. But it’s true. Yet another big consultancy, this time Accenture, has screwed up its security and exposed important data to the masses. Accenture’s slogan is ‘IMAGINE. INVENT. CHANGE.’ Maybe they should add to the slogan so it reads ‘IMAGINE. INVENT. CHANGE. BLOW IT.’

In case you’re wondering, they left hundreds of gigabytes of data open to the public on the AWS (Amazon Web Services) cloud. The hoard contained everything from internal email to login credentials, stored in plain text, not to mention a set of what looked like cryptographic keys and credentials for accessing internal Accenture systems. And there was an area labelled ‘Secure Store’ holding the master access key for Accenture’s account with the AWS Key Management Service!

And Accenture’s take on all this? In a statement to The Register they said, “There was no risk to any of our clients – no active credentials, PII or other sensitive information was compromised. We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”

I’m sure that’s laid a lot of fears to rest...

http://www.theregister.co.uk/2017/10/10/accenture_amazon_aws_s3/
https://www.accenture.com/gb-en/insight-cybersecurity-digital-trust-2016 [I thought people might appreciate the irony -AL]

Not that the Accenture revelations are the only security topics grabbing the headlines this week. In fact I ended up with quite a stack of URLs about crypto/security problems, and was wondering how to handle them all when I came across a ‘Dark Reading’ summary, which I thought I would share with you.

The headline news was, of course, the wireless network KRACK vulnerability, which had the potential to compromise all networks using the WPA2 encryption method. Fortunately, it’s not that easy to exploit the problem, since a hacker would have to be physically within range of the wireless antenna of the system they want to hack. Not impossible, but not that convenient, and there are probably easier targets to compromise.

Less known is the fact that attackers are currently running a massive scanning operation to find unprotected SSH keys, probing something in the region of 25,000 systems a day looking for insecure crypto keys. SSH (which stands for ‘Secure Shell’) is a secure communications program that lets you open a shell on a remote Linux server, transfer files, and issue commands. Sometimes, people put copies of the crypto keys in insecure places, and that’s what the hackers are scanning for. There’s no technical fix for this problem. Only teaching people to be more careful will resolve it.

And then there is what is known as the ROCA attack. This problem exists because of a flaw in the key generation on motherboards using Infineon Technologies’ Trusted Platform Module (TPM). This isn’t the time or place to explain how public key cryptography works, so you will have to take my word for it that the software is generating keys that are too weak to stand up to serious cryptographic hacking. Google ‘public key cryptography’ if you want to know more about the subject, or get yourself a recent edition of Bruce Schneier’s ‘Applied Cryptography’.

Finally, to top it all, the European Commission is sending out mixed signals about whether they want to legislate ‘backdoors’ into crypto systems or not. Sigh... The way things are going, banks are soon going to have to send all their customers one time code pads so we can safely access our bank accounts over the internet!
https://www.darkreading.com/vulnerabilities---threats/the-week-in-crypto-bad-news-for-ssh-wpa2-rsa-and-privacy-/d/d-id/1330187

Homework:

As a follow-up to the story about Accenture’s security blunder, I thought I’d draw your attention to a roundup of the top ten cloud security blunders so far this year. Apart from Accenture, the naughty list features such well-known companies as Verizon, Dow Jones, and Time Warner Cable. You know what they say – “Just because you’re paranoid, it doesn’t mean they’re not out to hack you!”
https://www.darkreading.com/cloud/10-major-cloud-storage-security-slip-ups-(so-far)-this-year/d/d-id/1330122

Dubai, which always seems to try to be one up when it comes to technology, has been trying out an unmanned (and presumably unwomanned) flying taxi. It seems to have been fairly successful. But you know, in all these stories of unmanned taxis (flying or otherwise) there is a vital thing missing – the cabbie AI chatbot!
https://newatlas.com/volocopter-flying-taxi-dubai/51492/

Based on my experiences with London black cabs, with an AI cabbie you would get a stream of talk along the lines of:

“I can take you there darlin’. Hop in...”
“You know, I was manufactured within the sound of the Bow Bells – that makes me a Cockney AI...”
“I once had the Man From Uncle in the back of this cab you know. Really nice guy...”
“Me transistors are playin’ up summit terrible today...”
“You took the right decision not to take an Oober cab. They got none of that security stuff. They’re always getting ’acked, you know...”
“Off peak I’m doing an internet course on human psychology, using deep learning...”
“Your Alexa just asked me to tell you that you left the oven on...”
“Must get a new processor fan, the bearings are gettin’ noisy...”
“Hope you don’t mind me doin’ a bit o’ Bitcoin mining while we talk...”
“Had that Deep Blue in the back once you know. I beat him at chess...”
...
“I’m sorry Dave, I can’t do that...”

Geek Stuff:

Any web developers out there might like to take a look at HackerNoon’s round up of 67 useful tools, libraries, and resources. I know all developers have their own preferred tools and tend to stick with them, but it’s probably worth a look. You might find something you missed, that fits into your workflow.
https://hackernoon.com/67-useful-tools-libraries-and-resources-for-saving-your-time-as-a-web-developer-7d3fb8667030

Pictures:

Ever fancied yourself driving one of those massive long articulated lorries? Well, if you ever get the chance, here is a video of how to get it round sharp corners in really narrow roads!
https://vimeo.com/236974684

Coda:

This week’s quote is from Isaac Newton. In a letter to Robert Hooke in 1676 he wrote, “If I have seen further it is by standing on the shoulders of giants.”

Scanner:

Boeing slams $2m on the desk, bellows: Now where’s my jetpack?
http://www.theregister.co.uk/2017/09/26/boeing_2m_prize_for_working_jetpack/

Radioactive pigs are wandering Central Europe, 30 years after the Chernobyl nuclear disaster
https://www.theverge.com/2017/2/24/14733094/radioactive-pigs-boars-czech-republic-central-europe-germany-chernobyl

US-CERT study predicts machine learning, and transport systems to become security risks
http://www.theregister.co.uk/2017/10/19/cert_cc_threat_survey/

Not just American or British, the Anglo-Saxon is a mirror to Frenchness: the country’s alter-ego and most feared enemy
https://aeon.co/essays/the-anglo-saxon-is-not-american-or-british-but-a-french-alter-ego

The bigger the drone, the bigger the impact
http://www.theregister.co.uk/2017/09/11/big_drones_and_cargo_culture/

Sputnik remembered: The first race to space
http://www.thespacereview.com/article/3341/1 [Part 1]
http://www.thespacereview.com/article/3344/1 [Part 2]

Microsoft’s foray into phones was a bumbling, half-hearted fiasco, and Nadella always knew it
http://www.theregister.co.uk/2017/10/09/microsofts_mobile_fail/?page=1

Acknowledgements

Thanks to readers Barb and Fi for drawing my attention to material for Winding Down.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Thunderbird spam filter...

Alan Lenton
alan@ibgames.com
22 October 2017

Alan Lenton is an on-line games designer, programmer and sociologist, the order of which depends on what he is currently working on! His web site is at http://www.ibgames.net/alan/index.html.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html.
