Cyber Security at MITRE



Uncovering security issues in the latest 5G standards


As 5G becomes more ubiquitous across the globe, the security community is given more of a chance to review and understand the potential security concerns associated with implementing the standard. These security concerns fall into two categories: inherited flaws and out-of-specification issues.

Inherited flaws

Bloomberg reports that it will cost hundreds of billions of dollars to upgrade from 4G/LTE to 5G. This is a massive cost for any company or nation to bear, requiring many companies to slowly phase in the next generation of cellular technology over the next decade. Because these partial 5G networks rely heavily on pre-existing 4G/LTE technology, they will also absorb their vulnerabilities.

Financial Regulators Eye Stricter Cybersecurity Incident Reporting Standards


The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Regulators) are considering a new rule that would require banks to notify their primary federal regulator within 36 hours of when they believe certain security incidents have occurred.

The Regulators are also proposing a new rule that would require bank service providers to notify at least two individuals at the affected bank immediately after the service provider experiences a computer security incident that could disrupt, degrade, or impair the provision of services for more than four hours.

The Regulators published a notice of proposed rulemaking (NPR) in the Federal Register on January 12, 2021, which allows for public comments for 90 days (until April 12, 2021).

Banks should consider the potential impact on procedures, operations, and vendor relations. If new rules are implemented, banks may need to update numerous documents, policies, and contracts that touch on these issues.

Renewed interest in the cyber health of the financial sector

The impetus behind the NPR is not the Regulators’ desire to start policing banks’ cybersecurity programs, or a desire to add a new regulatory burden on banks and their service providers. Rather, the Regulators want to make the rules governing notification consistent, and they want to gather more information about the types of cybersecurity incidents that could impact the stability of the financial sector.

Regardless, it has been quite some time since the Regulators have addressed cybersecurity rulemaking, so it is indicative of a renewed interest in the cyber health of the financial sector.

According to the Regulators, receiving this type of information about cybersecurity incidents from banks early and often can help the Regulators gather intelligence about emerging threats to individual banks and the financial system at large.

Banks required to notify primary regulators of “notification incidents” within 36 hours

Although the NPR sets a new, somewhat strict 36-hour reporting timeline for banks experiencing a cybersecurity incident, the Regulators…

The Cybersecurity 202: New voting machine security standards are already drawing controversy


“Adopting VVSG 2.0 is the most important action the EAC has taken in 15 years,” EAC Commissioner Ben Hovland said at the vote yesterday.

But the new standards are already drawing scrutiny from lawmakers and voting security advocates.

They worry the standards leave loopholes allowing voting machine companies to skirt best practices and leave machines vulnerable to interference. The standards were approved as some of the nation’s most prominent voting machine companies are suing Fox News and top lawyers for Trump because of their unfounded fraud claims related to their machines.

In a letter led by Rep. Bill Foster (D-Ill.), more than 20 members of Congress are asking the EAC to reconsider its recommendations. The letter expresses concerns about how the guidelines frame the use of machines with parts that can connect to the Internet.

“This is extremely troubling, as computer security and networking experts have warned that merely disabling networking capability is not enough,” they wrote. “Benign misconfigurations that could enable connectivity are commonplace, and malicious software can be directed to enable connectivity silently and undetectably, allowing hackers access to the voting system software.”

Foster tweeted after the meeting, and House Homeland Security Committee Democrats also expressed disappointment on Twitter.

More than two dozen election security experts and voter advocacy groups also have criticized the language, accusing the agency of pulling a last-minute switch from draft guidelines that went through a public comment process before approval. (The new language did not go through the comment process.)

“The EAC’s decision to make substantive security changes to the VVSG 2.0 draft, outside of the legally mandated process, is not just legally troubling, it is particularly tone-deaf. Transparency, accountability and trust in our election processes and systems are principles the EAC should be advancing, not degrading,” Susan Greenhalgh, senior adviser on election security at Free Speech For People, wrote in a statement.

The group believes there are valid concerns that the EAC amended requirements as a result of nonpublic meetings with voting system vendors.

Election…