Good Luck Hacking My Alexa Microwave Now - Popular Mechanics

Good Luck Hacking My Alexa Microwave Now - Popular Mechanics
Home Affairs pushes back against encryption law proposals - ZDNet
ExtraHop Executives to Speak About Enterprise Security, Decryption, and Privacy at RSA Conference 2020 - Business Wire

Posted: 21 Feb 2020 06:30 AM PST

Researchers at Rice University have come up with custom circuits that make internet-of-things (IoT) devices up to 14,000 times more secure.
Hardware makes this all possible. Energy-efficient circuits manage the power in processing chips, leading to tightened security.
The paper describing the findings will be published later this year in 2020 IEEE International Solid-State Circuits Conference.

Without you knowing it, hackers can hang outside your home—all thanks to what's known as a side-channel attack.

These attacks detect some of the invisible radiation coming from your Internet-of-Things (IoT) devices, like your Alexa voice assistant, smart TV, or even your home security system, just by picking up on electromagnetic field radiation. It's a lot easier than resorting to illegal tactics like rubber hose cryptoanalysis, which is basically just torturing victims for a password, and takes way less time than brute force attacks, which look through all possible encryption keys that could have been used.

"Once they've found a hole, there are so many things [hackers] can do," Kaiyuan Yang, an assistant professor of electrical and computer engineering at Rice University, said in a prepared statement. "And they don't need to get into a computer system or a cell phone. For instance, a thermostat connected to the network can become an access point to a home, a company, a hospital or a city."

Thankfully, scientists are coming up with new ways to help you arm yourself against these bad actors. Yang and Yan He of Rice University have developed a hardware solution that focuses on the power management circuitry found in most central processing chips in IoT devices.

Their endeavor builds on a previous breakthrough exactly one year ago, wherein the Rice lab generated paired security keys based on fingerprint-like defects that are inherent in computer chips. Each has its own particular flaws. Only this time, they're trying to prevent side-channel attacks on IoT and mobile devices, not creating security keys.

Here's the kicker: their new method makes IoT devices 14,000 times more secure.

Side Channel Attacks

Per the National Institute of Standards and Technology (NIST), a side-channel attack is enabled through "leakage of information from a physical cryptosystem," which is basically a set of cryptographic algorithms that implement a security service, typically encryption. In other words, information somehow leeches out of the security infrastructure itself.

"Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions," the NIST notes.

In practice, that may look like that van we mentioned earlier, sitting by idly while monitoring the electromagnetic field radiation emitted by a computer screen to view information before it's encrypted. This is also known as a Transient Electromagnetic Pulse Emanation Standard (TEMPEST). In other cases, hackers may spy on the power consumption of your IoT device to steal an encryption key or use an acoustic attack that can record the sound of a user's key strokes to steal their password.

"In power and electromagnetic side-channel attacks, the attackers can figure out a secret key when your device is running without opening up the device," Yang said. "Once they have your key they can decrypt everything, no matter how good your security software is."

These kinds of attacks work because screens, like the ones on your Alexa Show or perhaps that new Roku TV, emit EMF radiation that can be detected from as far away as a few hundred meters. It's even widely speculated that intelligence agencies around the world use these kinds of attacks in investigations where they must spy on criminals or journalists.

Sure, a Faraday cage—an enclosure that blocks all electromagnetic fields—can help, but that makes the entire point of IoT devices for the connected home moot. Enter Yang and He's solution.

Encryption Circuits

Jeff Fitlow/Rice University

The scientists discovered they could use power regulators to obfuscate information that's otherwise leaked through the power consumption of encryption circuits, which bad actors may pick up on in one of those van attacks. IoT devices each have their own onboard computing chip, and Yang and He want to alter the power circuits on them.

"By replacing existing power management circuitry with our unit, we not only provide a much better way to defend against powerful threats, but also provide a much more energy-efficient solution," Yang said. The new circuits should take up no more room on a chip than current power management units.

With each continuing iteration of this design, Yang said he hopes Rice will get closer to working with manufacturers to implement the circuits into their fabrication processes. Especially because, as Yang said, side-channel attacks are becoming ubiquitous, as even YouTube videos can show you how to pull them off.

"This is a real threat, and we're in a fight to make it much more difficult and expensive for attackers to succeed," he said.

Home Affairs pushes back against encryption law proposals - ZDNet

Posted: 20 Feb 2020 09:17 PM PST

The Department of Home Affairs has rejected criticisms of Australia's controversial encryption laws, including the often-cited need for external judicial oversight and the impact of the laws on the tech industry.

The department also rejected claims that the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, generally known as the TOLA Act or AA Act, would be incompatible with the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

Under the laws as currently written, agencies can issue:

Technical Assistance Notices (TANs), which are compulsory notices for a "designated communication provider" (DCP) to use an interception capability they already have;
Technical Assistance Requests (TARs), which are "voluntary" requests, but really, how could you refuse?
Technical Capability Notices (TCNs), which are compulsory notices for a CCP to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and

TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be be approved jointly by the Attorney-General and the Minister for Communications.

Under Labor's proposal, contained in their Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, a TAN, TAR, or TCN would have to be approved by a judge.

The Independent National Security Legislation Monitor (INSLM), Dr James Renwick, went further during public hearings in Canberra this week.

Not only did he propose tougher independent oversight of TOLA actions, he repeatedly expressed his concern that the Attorney and the Minister didn't constitute an independent "double lock" for authorising TCNs.

Such a double lock is required in the UK, where the equivalent to a TCN must be approved by both the Secretary of State for Home Affairs and the independent Investigatory Powers Commissioner's Office (IPCO).

"Leaving aside the personalities and the people who might fill those offices from time to time, nevertheless the Attorney and the Minister for Communications are both members of the same government and the same cabinet," Renwick said on Friday.

"There's at least some administrative law which suggests that in those circumstances, they might both be bound by a cabinet decision."

Hamish Hansford, DHA's Acting Deputy Secretary for Policy, rejected that view.

"Notwithstanding both an Attorney and Minister for Communications are members of a cabinet, they are also independent decision-makers under statute, and they need to exercise those responsibilities independently, if you like," he said.

"[The] Attorney-General and other ministers have access to more intrusive powers, to make decisions about more intrusive powers, and this would be an aberration in the overall framework."

Hansford suggested that a DCP might even request that they be served a TCN.

"We envisage ... that companies may well request a TCN, and may well say, so they can defend to their own internal business processes and own business model, 'We would like a TCN so that you [are] compelling us to provide a new capability that we have the ability to develop'," he said.

"And the government would pay for it, potentially, and through a contract negotiation."

DHA wants specific examples of harm to the tech industry

Tech companies have repeatedly said that the TOLA Act is harming their international business, with one cloud provider claiming an exodus of data from Australia.

"It is difficult to read about or grapple with anecdotal reports of lost business that have appeared in some submissions from industry without having an understanding of the specific facts," Hansford said.

"We'd encourage specific examples to be tabled to your inquiry, or separately to the parliamentary joint committee [the PJCIS] or the department."

Hansford also rejected once more the fears that employees would be dragooned in secret to create backdoors without their boss' knowledge.

"It is not now and it has never been intended that individual employees would be asked or required to provide assistance without informing or consulting their employer," Hansford said.

While an individual employee might receive a Notice or Request, perhaps because they're the organisation's law enforcement liaison officer, the recipient is the corporate entity, not the individual.

"That individual can and should discuss their request or notice with their employer as required to consider and provide the requested assistance," he said.

However an individual who operates as a sole-trader business could still receive a notice.

Watchdog asks AFP to justify TCN's existence

Renwick noted that law enforcement agencies used their new TOLA Act powers just seven times in seven months, and all were voluntary TARs. That has continued to be the case.

TARs and TANs cover the same activities. One is voluntary, one is compulsory. But what about the far more intrusive TCNs? They haven't been used yet.

Hypothetically, Renwick asked the Australian Federal Police (AFP), what if three years go by and no one uses a TCN? Would that indicate that TCN powers weren't needed at all?

As Renwick put it, "What am I to conclude, in other words, from the fact that so far it would appear there haven't been any TCNs?"

"I think at this stage it indicates that industry would prefer to cooperate voluntarily against the known scheme than be compelled by something over which they have less control," said Karl Kent, the AFP's Deputy Commissioner for Capability.

"Simply by those tiers being in existence, I think it reflects the nature of the existing relationship between policing and providers of telecommunications."

DHA has no problem with the CLOUD Act

The CLOUD Act allows US law enforcement agencies to obtain data from foreign companies, provided that it doesn't violate privacy rights in that country.

In a submission to the PJCIS in July 2019, the Law Council said the CLOUD Act requires orders to be subject to judicial review at the issuance of a notice, something that many groups critiquing the TOLA Act have been calling for.

"US law does not allow for the mandating of the decryption of data as is now permitted under Australian law," it said.

"Irrespective of the amendments introduced by the Assistance and Access Act in Australia, the provisions of the CLOUD Act will not allow US service providers to provide technical assistance beyond their existing obligations under [the Communications Assistance for Law Enforcement Act]."

Australia's mandatory telecommunications data retention regime would also cause the CLOUD Act problems, according to the Law Council.

Home Affairs rejects that view.

"We've been in intense discussions with the Department of Justice in the United States," said Hansford.

"They have not identified any issues with the Assistance And Access Act that would prevent Australia from successfully negotiating a bilateral agreement with the United States under the CLOUD Act."

The INSLM's encryption laws inquiry is due to report by June 30. His analysis will feed into the ongoing review by the PJCIS, which is due to report by September 30.

The PJCIS is also due to report somewhat sooner, on the effectiveness of the mandatory telecommunications data retention regime, by April 30.

SEATTLE--(BUSINESS WIRE)--At RSA Conference 2020 taking place February 24-28 in San Francisco, ExtraHop will present two sessions focused on critical cybersecurity issues facing organizations around the globe. ExtraHop co-founder and CTO Jesse Rothstein will be joined by Joshua Northrup of Fiserv for a presentation on the role of decryption in security. Jeff Costlow, CISO, and Matt Cauthorn, VP of Cybersecurity Engineering at ExtraHop will co-present a session on data exfiltration focused on the vendor practice of "phoning home" data. The company is also sponsoring an event at the headquarters of WIRED magazine featuring a panel discussion on security in the age of digital privacy.

RSA Conference 2020 attendees can also visit ExtraHop at Booth N-5564 to meet with company leaders and receive a live demo of Reveal(x).

ExtraHop RSA Conference 2020 Speaking Sessions

Sessions

The Network Is Going Dark: Why Decryption Matters for SecOps

Speakers: Jesse Rothstein, Co-founder and CTO at ExtraHop & Joshua Northrup, Manager of Monitoring and Automation at Fiserv
Time: Wed., Feb. 26, 1:30 PM - 2:20 PM
Location: Moscone West
Session Details: Like it or not, TLS 1.3 is coming and will make network traffic opaque to inspection. This session will cover lessons learned from Fiserv's experience decrypting PFS-encrypted traffic and the various options available, including SSL fingerprinting, proxies and session-key forwarders installed on critical servers. Attendees will be able to formulate a strategy that works for their organization.

'Phoning Home' Impact on Enterprise Data, Security and Privacy

Speakers: Jeff Costlow, CISO at ExtraHop & Matt Cauthorn, VP of Cybersecurity Engineering at ExtraHop
Time: Wed., Feb. 26, 2:50 PM - 3:40 PM
Location: Moscone West
Session Details: Enterprises seldom know all the ways that vendors send data to their own environments. This lack of awareness can have profound implications. This session will cover four real-world examples of vendors phoning home data without the customer's authorization or knowledge, the security and regulatory implications of this activity, and the questions you should ask vendors about their data practices.

WIRED Event

Personal Privacy vs. Enterprise Security — Can We Have Both?

Speakers: Brian Barrett, Digital Director at Wired, Jesse Rothstein, CTO & Co-Founder at ExtraHop, and Mikko Hyppönen, CRO at F-Secure
Time: Wed., Feb. 26, 6:30 PM - 8:30 PM
Location: WIRED Headquarters
Event Description: Modern encryption is stronger than ever, using battle-tested algorithms that are resistant to eavesdropping. But enterprise security managers fear they have lost the ability to detect network intrusions and malicious traffic. How do we find the right balance?

About ExtraHop

ExtraHop delivers cloud-native network detection and response to secure the hybrid enterprise. Our breakthrough approach applies advanced machine learning to all cloud and network traffic to provide complete visibility, real-time threat detection, and intelligent response. With this approach, we give the world's leading enterprises including The Home Depot, Credit Suisse, Liberty Global, and Caesars Entertainment the perspective they need to rise above the noise to detect threats, ensure the availability of critical applications, and secure their investment in cloud. To experience the power of ExtraHop, explore our interactive online demo or connect with us on LinkedIn and Twitter.

Search This Blog

Android Full Encryption