UNM4SK3D: Net Neutrality, Starbucks, and ROBOT

December 15, 2017 | Views: 3957


#badnews

Today was a sad day for the Internet and sites like Cybrary. The Federal Communications Commission voted today to deregulate the broadband industry and eliminate net neutrality rules that “prohibit Internet service providers from blocking and throttling Internet traffic.” 

For those of you who have been following the news, there has been much debate surrounding this issue: polls indicated that majorities of both Democratic and Republican voters supported keeping net neutrality, and net neutrality supporters protested outside FCC headquarters before the vote. An in-depth analysis also found that, prior to the vote, two million online comments about net neutrality were submitted using real Americans’ stolen identities. These included more than 100,000 comments per state from New York, Florida, Texas, and California, the most heavily affected states.

The result of the vote means that Internet service providers and mobile carriers will no longer have to adhere to strict net neutrality rules and will be allowed to block or slow down Internet traffic, or offer priority to websites and online services in exchange for payment. Say goodbye to a cheap Netflix membership with quick streaming. It appears many more were for net neutrality than against it, yet the repeal still passed. We’ll keep our thoughts as to why to ourselves.

Ajit Pai, FCC Chairman, was a major proponent of this new ruling, saying “under Title II, investment in high-speed networks has declined by billions of dollars.” However, no statistics have been offered to support this statement, and major broadband providers have told investors that Title II hasn’t harmed their investment. There is also no data to support his claim that “only a few small Internet providers were hurt by the rules.” As a matter of fact, Comcast has already deleted a ‘no paid prioritization’ pledge from its net neutrality webpage, opening the door to charging websites for priority. A number of consumer protections are also lost in this vote, including mandatory notices to customers about hidden fees and about penalties for exceeding data caps.

“I dissent. I dissent from this fiercely spun, legally lightweight, consumer-harming, corporate-enabling Destroying Internet Freedom Order. The FCC is handing the keys to the Internet… over to a handful of multi-billion dollar corporations,” she continued. The repeal plan has drawn a bipartisan outcry “because the large majority of Americans are in favor of keeping strong net neutrality rules in place.” -FCC Commissioner Mignon Clyburn

For the initial coverage on Cybrary about net neutrality, read this edition of ‘UNM4SK3D.’

#cryptocurrency

There’s nothing better than free Wi-Fi to complement your Starbucks latte, right? Maybe not. At least not at the Starbucks in Buenos Aires, Argentina, where it was discovered that the network was secretly using customers’ computing power to mine cryptocurrency.

The issue was first noticed by store patron and Stensul CEO Noah Dinkin, who became suspicious of the wireless connection after he noticed a 10-second delay when connecting. Most unauthorized cryptocurrency mining occurs via malware, but in this case Dinkin found Coinhive’s Monero miner code on Starbucks’ rewards site for Argentina. Monero is similar to Bitcoin but designed for even greater privacy. Coinhive is a JavaScript miner: the code runs in the visitor’s browser and uses that machine’s CPU to generate the cryptocurrency.

“It appears as if the Starbucks store wasn’t intentionally running the cryptocurrency mining software, rather the internet service provider was either compromised or running it intentionally,” said Javvad Malik, security advocate at AlienVault. “It goes to highlight once again the threats that lurk in the supply chain.” While Starbucks confirmed the secret mining, it stated that the Wi-Fi wasn’t controlled by the company and that it isn’t concerned about this being a widespread issue.

Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer’s laptop? Feels a little off-brand.. cc @GMFlickinger -tweet from Noah Dinkin

Keep your cryptocurrency safe! Read ‘Cryptocurrency Security: How to Safely Invest in Digital Currency’ from Heimdal Security.

#vulnerability

A ROBOT from 1998? Yup, this critical vulnerability has resurfaced and is leaving websites open to attackers who could decrypt encrypted data and sign communications using the sites’ own private encryption key.

ROBOT, which stands for ‘Return Of Bleichenbacher’s Oracle Threat,’ is named after Daniel Bleichenbacher, the researcher who originally discovered the attack in 1998. The vulnerability lies in how servers implement the RSA key exchange of the Transport Layer Security protocol used for Web encryption. According to the researchers, “a successful attack could allow an attacker to passively record traffic and later decrypt it or open the door for a man-in-the-middle attack.” The most recent version of this attack was reported through Facebook’s bug bounty program by researchers Hanno Böck, Juraj Somorovsky, and Craig Young.

The attack involves sending specially crafted queries to the server, each of which yields a “yes” or “no” answer (for example, a different error message or response time depending on whether the RSA padding was accepted), in a type of brute-force guessing attack. This technique, an ‘adaptive chosen-ciphertext attack,’ can force the TLS server to reveal the session key, allowing an attacker to decrypt HTTPS traffic sent between the TLS server and the user’s browser. “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet,” said the researchers. From this discovery, it seems a number of vendors failed to properly implement the countermeasures needed to protect against this vulnerability.
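The defect behind the oracle is easiest to see side by side. The following is an added illustration written for this column, not code from the researchers or from any affected vendor: it assumes the RSA decryption has already happened elsewhere and that `block` is the resulting PKCS#1 v1.5 block of a TLS ClientKeyExchange. The first handler answers “yes” or “no” through its distinct error paths; the second applies the RFC 5246 countermeasure (pick a random pre-master secret first, fall back to it on any defect, never signal why). Python cannot guarantee constant-time execution, so the point is the structure, not the timing.

```python
import os
import hmac

PREMASTER_LEN = 48  # TLS RSA pre-master secret: 2 client_version bytes + 46 random bytes


class PaddingError(Exception):
    """Raised by the naive handler on bad PKCS#1 v1.5 padding."""


class VersionError(Exception):
    """Raised by the naive handler on a wrong client_version prefix."""


def unpad_vulnerable(block: bytes, client_version: bytes) -> bytes:
    # Naive ClientKeyExchange handling: every failure takes a different, observable
    # path (error type, timing), which is the yes/no answer a Bleichenbacher oracle needs.
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise PaddingError("bad PKCS#1 v1.5 header")
    sep = block.find(0x00, 2)
    if sep == -1 or sep < 10:  # padding string must be at least 8 non-zero bytes
        raise PaddingError("bad padding string")
    pms = block[sep + 1:]
    if len(pms) != PREMASTER_LEN:
        raise PaddingError("wrong pre-master secret length")
    if pms[:2] != client_version:
        raise VersionError("client_version mismatch")
    return pms


def unpad_hardened(block: bytes, client_version: bytes) -> bytes:
    # RFC 5246 7.4.7.1 countermeasure: choose a random pre-master secret first and fall
    # back to it on *any* defect, with no early return and no error that names the cause.
    # The handshake then fails later at Finished, identically for every malformed input.
    fallback = client_version + os.urandom(PREMASTER_LEN - 2)
    k = len(block)                     # public: equals the RSA modulus length
    if k < PREMASTER_LEN + 11:         # branching on the public length leaks nothing
        return fallback
    sep = k - PREMASTER_LEN - 1        # the lone 0x00 separator must sit exactly here
    bad = int(block[0] != 0x00) | int(block[1] != 0x02) | int(block[sep] != 0x00)
    for b in block[2:sep]:             # scan the whole padding string every time
        bad |= int(b == 0x00)
    pms = block[sep + 1:]
    bad |= int(not hmac.compare_digest(pms[:2], client_version))
    mask = (1 - bad) * 0xFF            # 0xFF keeps pms, 0x00 selects the fallback
    return bytes((p & mask) | (f & (mask ^ 0xFF)) for p, f in zip(pms, fallback))
```

With a well-formed block both handlers return the same 48-byte secret; with a malformed one, the naive handler tells the sender which check failed, while the hardened handler returns an unrelated random secret and gives nothing away.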

We have identified vulnerable implementations from at least seven vendors including F5, Citrix, and Cisco. Some of the most popular webpages on the Internet were affected, including Facebook and Paypal. In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa. -researchers

Want to learn more about man-in-the-middle attacks? Read ‘Man in the Middle Attacks Explained Through ARP Cache Poisoning.’

#factbyte

A new Kaspersky Lab report states that the company’s threat detection technologies identified an average of 360,000 malicious files per day in 2017, an 11.5 percent increase over the previous year, and a five-fold increase since 2011.


Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.
