via the inimitable Dan Goodin, Security Editor at Ars Technica, comes this troubling blog post detailing the deep flaws in Bluetooth radio communications. Monikered KNOB (Key Negotiation of Bluetooth), the flaw permits interception of data in transit due to forced utilization of weak encryption. Today's MustRead!
"KNOB doesn't require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating systems they run on, making the attack almost impossible to detect without highly specialized equipment." - via Dan Goodin, Security Editor at Ars Technica
Another fix is in the works for one of the more hidden aggravations of internetworking security, the so-called Server Name Indication (SNI) extension debacle. The fix, Encrypted Server Name Indication (eSNI), has been crafted by Cloudflare and evidenced by the service itself, and is an indication of a Company-Doing-The-Right-Thing and encrypting-all-the-things. Additional work is currently underway targeting an IETF Draft RFC. Simply Outstanding Work, Cloudflare.
via Christian Priebe of Imperial College London, Manuel Costa and Kapil Vaswani both from Microsoft Research, comes a tour de force of database security, ostensibly monikered EnclaveDB (published this past May 2018, in the Proceedings of the 39th IEEE Symposium on Security & Privacy, in co-operation with the International Association for Cryptologic Research). The interesting functionality described in the trio's paper - pursuant to a secure database (if there possibly could be such a thing) - is not the security of data in-motion or at-rest, but the addition of encrypted in-memory data. More here...
News from over the weekend - via 9to5Mac writer Michael Potuck, focusing on Telegram: the encrypted messaging iOS app has been permitted to publish the latest update to its bits via the Apple Inc. (Nasdaq: AAPL) iTunes App Store. This, despite the declaration of illegality by Kremlin Apparatchiki. Today's Must Read.
via Samuel H. Moore, writing at the IEEE's Spectrum Magazine, comes word of the 'Unhackable Envelope'. The Fraunhofer team (developers of the Unhackable Envelope) comprised of Vincent Immler - Fraunhofer Institute for Applied and Integrated Security (AISEC), Martin König - Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Johannes Obermaier - Fraunhofer Institute for Applied and Integrated Security (AISEC), Matthias Hiller - Fraunhofer Institute for Applied and Integrated Security (AISEC) and Georg Sigl - Fraunhofer Institute for Applied and Integrated Security (AISEC) & Technical University of Munich (TUM) appeared at the IEEE International Symposium on Hardware Oriented Security and Trust in Washington, D.C. last week. Additionally, the group's paper 'B-TREPID: Batteryless Tamper-Resistant Envelope with a PUF and Integrity Detection' won the 2018 Best Paper Award at the conference (Kudos are certainly in order!).
Ray Ozzie's (the former CTO of Microsoft Corporation (Nasdaq: MSFT) that created Lotus Notes...) patented encryption plan is clearly not indicative of a tenable solution to the encryption problems government agencies, and vendors like (Nasdaq: AAPL), are grappling with like two behemoth Olympic wrestlers on a greased floor. The answer to this rigamarole comes in the form of a particularly interesting post hand-crafted by the inimitable Dan Goodin, at Ars Technica, in which the Good Mr. Goodin tells all. Today's MustRead. 20180506 Update: Read El Reg's Thomas Claburn's take on the Ray Ozzie crypto-solution, such as it is...
You be the judge... Essentially, all are targeted at data-and-objects-at-rest, rather than in-motion (except, perhaps the new cross-region replication feature with KMS).
Regardless, all of the announced new features are welcome (in my currently rather jaded opinion). Now, if we can just overcome human error (not to mention blatant developer and data-owner lack-of-attention-to-detail, read about that here)...
- Default Encryption – You can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted.
- Permission Checks – The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.
- Cross-Region Replication ACL Overwrite – When you replicate objects across AWS accounts, you can now specify that the object gets a new ACL that gives full access to the destination account.
- Cross-Region Replication with KMS – You can now replicate objects that are encrypted with keys that are managed by AWS Key Management Service (KMS).
- Detailed Inventory Report – The S3 Inventory report now includes the encryption status of each object. The report itself can also be encrypted. - via Jeff Barr, writing at the AWS Blog
via Firewall Consultants' Trey Blalock, comes this superb telling of the Paul Le Roux story, written by Evan Ratliff, and published by The Atavist Magazine. Mr. Le Roux also happens to be the man behind TrueCrypt... Hat Tip to Mr. Blalock for this tale of intrigue.
Editors: Katia Bachko, Joel Lovell, Additional reporting: Natalie Lampert, Designer: Thomas Rhiel, Fact checkers: Queen Arsem-O’Malley, Riley Blanton, Research: Aurora Almendral, Daniel Estrin, Copy editor: Sean Cooper, Trailer: Paul Kamuf - credits via The Atavist Magazine
SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided that it must no longer be used. RC4 is a 28 year old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used. - via Adam Langley writing at the Google Online Security blog.