From analysis of the new WiFi WPA2 vulnerability, to targeting the real threats facing the financial markets and a new pentest report courtesy of @HydeNS33k, here's what I’m reading this week:
- A post-mortem on KRACKing: Earlier this month, a new vulnerability in WiFi's WPA2 itself was revealed – the possibility that someone could use a key reinstallation attack to strip security from WiFi communications. The threat is a serious one, but localized. It's important to realize that an intruder looking to use this must get within immediate range of the network she wants to target. Nevertheless, understanding this vulnerability, and how it slipped through WPA2 validation, is an important lesson on security innovation. Matthew Green offers some insightful thoughts on both the threat and what it means.
I'm reading: "Falling through the KRACKs."
- It's all about the tacos: If you've been following these reports, you know that I'm a big fan of @HydeNS33k's pentest reports. They're funny, and a great read, but more than that, they're an invaluable lesson in how security really works, and what we need to do to keep our institutions safe in the physical and digital worlds.
I'm reading: "Gather ‘round ye lads and lasses! Sit ye for a while, and harken to my mournful tale."
- Not with a bang, but with many deadly whimpers: For years, the public debate has been focused on the prospect of malicious hackers "taking down" the NYSE or other stock markets. For all who think this is a scary possibility, much scarier is the prospect of tiny manipulations to trades that leave the market hopelessly corrupted, and investors fighting tooth and nail over the unfair gains and losses. This, and a hundred other subtler and more concerning schemes, are contemplated in DARPA's Financial Markets Vulnerability Project. The project brings together hackers, high speed traders, and strategists to diagnose and prepare for the real threats that our markets face. We should all be grateful they're taking the real threats behind the hype seriously. The project's outputs, when they eventually become public, will be very worth watching.
I'm reading: "Pentagon Turns to High-Speed Traders to Fortify Markets Against Cyberattack."
- The miseducation of North Korea: For many years, North Korea's technical capabilities were something of a joke. But in recent years, they have been anything but. From widespread targeting of financial systems, to massive, concealed threats over The Interview, North Korea has shown just how effective an offensive cyber capability can be for an isolated actor like itself. A recent piece in the New York Times considers how they built this capability, what it means, and how the rest of the world mostly missed their increasing sophistication until it was too late. Pundits often talk about how effective offensive cyber operations can be at leveling the playing field for weaker nation states. This is the leading case-in-point – and one we should all understand, as it could well be repeated as dozens of offensive operations bloom in capitals and countrysides around the world.
I'm reading: "The World Once Laughed at North Korean Cyberpower. No More."