Category Archives: Internet Security

Automotive Cybersecurity Market Size to Grow by USD 1.91 million with 46% of the growth contribution from North America – Exclusive Technavio Reports…

Key Market Segment Highlights:

The automotive cybersecurity market report is segmented by Application (passenger vehicles and commercial vehicles) and Geographic (North America, APAC, Europe, South America, and MEA).

Revenue-generating Segment Insights: The passenger vehicles application segment held the largest automotive cybersecurity market share in 2020, and it will continue to account for the highest revenue throughout the forecast period. The growth of this segment can be attributed to the growing adoption of automated passenger cars and to vendors' focus on extending their product portfolios.

Regional Opportunities: 46% of the market's growth will originate from North America during the forecast period. The US and Canada are the key markets for automotive cybersecurity in North America. Market growth in this region will be faster than in other regions, propelled by the adoption of automated passenger cars.


Vendor Landscape

Top Companies Mentioned with their Offerings

Some more players covered in the report are:

Related Reports:

Internet Security Market by Solution and Geography - Forecast and Analysis 2022-2026

Threat Intelligence Security Market by End-user and Geography - Forecast and Analysis 2022-2026

Industrial Control Systems Security Market by End-user and Geography - Forecast and Analysis 2021-2025

Automotive Cybersecurity Market Scope

Page number: 120
Base year: 2020
Forecast period: 2021-2025
Growth momentum & CAGR: Accelerate at a CAGR of almost 16.58%
Market growth 2021-2025: USD 1.91 million
Market structure: Fragmented
YoY growth (%): 13.34
Regional analysis: North America, APAC, Europe, South America, and MEA
Performing market contribution: North America at 46%
Key consumer countries: US, China, Germany, Canada, UK, and Japan
Competitive landscape: Leading companies, competitive strategies, consumer engagement scope
Companies profiled: Aptiv Plc, Argus Cyber Security Ltd., Arilou Information Security Technologies Ltd., ESCRYPT GmbH, Infineon Technologies AG, Karamba Security Ltd., Lear Corp., RunSafe Security Inc., Samsung Electronics Co. Ltd., and secunet Security Networks AG
Market Dynamics: Parent market analysis, market growth inducers and obstacles, fast-growing and slow-growing segment analysis, COVID-19 impact and future consumer dynamics, market condition analysis for the forecast period
Customization purview: If our report has not included the data that you are looking for, you can reach out to our analysts and get segments customized.

Key Topics Covered:

1 Executive Summary

2 Market Landscape

3 Market Sizing

4 Five Forces Analysis

5 Market Segmentation by Application

6 Customer landscape

7 Geographic Landscape

8 Drivers, Challenges, and Trends

9 Vendor Landscape

10 Vendor Analysis

11 Appendix

About Us: Technavio is a leading global technology research and advisory company. Its research and analysis focuses on emerging market trends and provides actionable insights to help businesses identify market opportunities and develop effective strategies to optimize their market positions. Technavio has over 500 specialized analysts, and its client base consists of enterprises of all sizes, including more than 100 Fortune 500 companies. This growing client base relies on Technavio's comprehensive coverage, extensive research, and actionable market insights to identify opportunities in existing and potential markets and assess their competitive positions within changing market scenarios.

Contact: Technavio Research, Jesse Maida, Media & Marketing Executive. US: +1 844 364 1100. UK: +44 203 893 3200. Website: www.technavio.com/

SOURCE Technavio


EXPLAINED: How to store your crypto safely and avoid hacks – Business Today

In light of the various hacks and liquidations of crypto exchanges and Decentralised Finance (DeFi) platforms, experts advise crypto investors not to keep their funds on any such platform. But what other options do investors have?

Investors have not just one but several options, depending on their requirements. First, though, it helps to understand why storing crypto on those platforms is not safe.

Why should you not store your crypto on an exchange or on any DeFi platform?

It is advisable not to store one's crypto holdings on any third-party platform, whether a centralised exchange or a lending or DeFi platform, because custody of the funds then lies with the platform rather than with the investor. If the platform freezes withdrawals or is hacked, the investor's funds go with it, and these platforms are frequent targets.

In the recent past, firms such as Celsius Network, Three Arrows Capital, Voyager Digital and Vauld faced financial strains that left investors' funds inaccessible. Hence investors are advised to hold their crypto in a wallet they control themselves, of which there are several types.

But what are crypto wallets?

Crypto wallets are pieces of hardware or software that hold the keys controlling your crypto assets (the assets themselves live on the blockchain). Every crypto wallet has an identity consisting of a key pair: a private key and a public key.

What are public and private keys and what do they do?

The private key is a large secret number used to sign transactions. The public key is derived mathematically from it (the reverse derivation is infeasible), and the wallet address is a shorter alphanumeric identifier derived in turn from the public key, typically by hashing it.

What does a crypto wallet address do?

The wallet address tells the network where tokens should be sent. The private key must never be disclosed: anyone who has it can spend the funds. The address (and, where needed, the public key) is given to senders so they can identify the destination.

Crypto wallets can be divided into groups

a) Based on how frequently they are connected to the internet and

b) Based on their technology.

Based on internet connectivity, they are divided into two categories:

1. Hot Wallets

Hot wallets are regularly connected to the internet. They are more user-friendly but less secure, precisely because they are online and therefore reachable by malware and phishing. Hot wallets are usually used for daily transactions; they offer immediate access to funds and are easy to set up.

2. Cold Wallets

Cold wallets are kept offline most of the time, so the private key is never exposed to an internet-connected machine. As a result they are far more secure. Long-term holders (HODLers) benefit most from cold wallets.

Crypto wallets are also split into two broad categories based on the underlying technology with which they are built:

1. Hardware Wallets

2. Software Wallets

Hardware wallets are further subdivided into:

i. USB devices

These devices connect to your computer or laptop through a USB port. The private key stays on the device and transactions are signed there, so the host computer never sees it. They are cold wallets commonly used for long-term storage.

ii. Bluetooth devices

These gadgets communicate with your PC, laptop or mobile phone over Bluetooth. They too are cold wallets commonly used for long-term storage.

iii. Paper Wallets

A paper wallet is a printout of the wallet's private key and address, usually as QR codes. They are rarely used any more. Their main disadvantage is that spending from one normally means importing (sweeping) the whole private key into a software wallet, so partial transfers are impractical and the key is exposed from that point on.

Softwarewallets are further classified as follows:

(a) Desktop Wallets

These are software packages that can be installed on most operating systems and are becoming more popular over time. Anti-virus protection is required, since any computer connected to the internet carries significant security risk. Desktop wallets are nevertheless preferable to holding cryptocurrency on an exchange, given the incessant hacks of exchanges.

(b) Mobile Applications

Mobile wallets are similar to desktop wallets but are designed for phones. They are particularly convenient because they can conduct transactions by scanning QR codes, which suits frequent everyday use. However, they are vulnerable to malware, so device encryption and a screen lock are essential. Two popular mobile wallets are Coinomi and Mycelium.

(c) Browser-based Wallets

These wallets are installed as browser extensions. Because their private keys live inside the browser on an internet-connected machine, they are exposed to phishing pages, malicious extensions and malware on the host. Browser wallets can be non-custodial (you hold the keys) or hosted by a third party; non-custodial is preferred since the funds always remain in the investor's control. Two examples of browser extension wallets are MetaMask and Coinbase Wallet.


Trusting machines to defend against the humans | BCS – BCS

An Advanced Persistent Threat has successfully installed malware on one of the development servers in your network. Maybe one of your engineers clicked on a phishing link? Maybe they got in through a vulnerability in your firewall? Maybe it's an insider who sneaked in a USB stick loaded with the program?

That doesnt matter now. All you can think of is your intellectual property. All of the code you have invested thousands of hours and millions of pounds into is on those servers. You scramble to put together a team to investigate this. Meanwhile the attackers start looking through all that valuable code on the server.

You desperately try to identify the compromised machine and shut it down. You struggle to find it. Should you just pull every plug now? The disruption would cost a fortune, effectively leaving all of your 135 developers unable to work. Meanwhile, the attacker silently disappears back into the internet. They achieved their objective.

There are inherent limitations when it comes to securing a network using a human security team. People are expensive. Salaries are almost certainly the largest chunk of your budget, because you pay more for skilled people who know the current state of the threat landscape and can adapt as it shifts.

They must also sleep, take holidays and sometimes fall ill. 24/7 monitoring is key to ensuring you are protected from attackers who are never off the scene, but achieving this with a human team is prohibitively expensive for many organisations. And there is still a risk of something being overlooked or an undetected insider threat.

In the world of security, defenders are at a distinct disadvantage. In our new world, we face an avalanche of increasingly sophisticated threats. The devices on our corporate networks are increasingly heterogeneous and may not even be entirely managed by us.

In the face of all that, we have to be secure all of the time: from John in Accounting, who needs to avoid clicking on that funny-looking link, to Sara in development, who has to guard against SQL injection vulnerabilities in her code. The threat is persistent and pernicious.

Often, attackers can be inside a system without your knowledge for months. In 2020, a supply chain attack on SolarWinds Orion (dubbed Sunburst) affected at least 200 organisations worldwide. Most notably, attackers had access to systems of the US federal government for eight to nine months.

While the idea that an attack could go unnoticed is horrifying, there are steps that can be taken to mitigate risk. In the world of cybersecurity there is a new concept emerging which aims to support organisations in their fight against existing and emerging threats. Defence through machine learning.

Machine learning (ML) is already revolutionising many industries, and is starting to become more prevalent in the cybersecurity industry. The key question we hope to answer is why?

Why should you use ML-based solutions in your security management? And why should you choose them instead of or alongside more traditional solutions?

As you type, user inputs from a keyboard are transferred over a wired or wireless connection, decoded and mapped to a specific letter, all within milliseconds. Computers are astonishingly fast and can make such decisions far faster than any human could.

Humans find traversing and analysing large data sets laborious, and sometimes impossible. We are great at being creative and solving problems, but computers are way better at maths. This is useful to apply in cybersecurity, because we can hand the tedium of searching our log files or network traffic over to ML.

Then, once an anomaly is detected in the data, we can hand it back to a person who can investigate it further and determine what actions need to be taken. This idea is called anomaly detection, and was originally proposed for application to Intrusion Detection Systems (IDS) in 1986 by Dorothy Denning, an American security researcher.

In more modern applications of ML to cybersecurity, decisions can be made by the computer in order to provide an instant response to anomalies.

For example, if credentials belonging to an employee based in a London office were suddenly used from a residential IP address in Kolkata, something fishy is probably happening. In response to this anomaly, we could automatically terminate the session and block the source before the intruder tries to escalate privileges.

This could, of course, be done by a person looking at graphs and log files, but in a large organisation (or a small one with a large IT inventory) you are going to need a lot of people. The key point is that we are not using the traditional approach of defining and detecting known misuse; we are constantly analysing data to establish what counts as normal and then detecting things that differ significantly from that.
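The London/Kolkata scenario above as working detection logic; this is an added example and not code from the BCS article. It learns each user's "normal" login cities from the successful logins seen so far and raises an alert on a never-seen location, and it adds a second, baseline-independent check, impossible travel, when two logins are farther apart than an airliner could cover in the time between them. The log lines, the IP addresses (taken from documentation ranges) and the tiny IP-to-city table are constructed for the demo; in production the location would come from a GeoIP database and the baseline from weeks of SIEM history.

```python
"""Baseline-and-deviation detection over authentication logs.

Added example, not from the BCS article: implements the article's London /
Kolkata scenario. LOG, GEOIP and the user names are constructed for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: ip -> (city, lat, lon). Replace with a real lookup.
GEOIP = {
    "203.0.113.10": ("London", 51.5074, -0.1278),
    "203.0.113.11": ("London", 51.5074, -0.1278),
    "198.51.100.7": ("Kolkata", 22.5726, 88.3639),
    "192.0.2.44": ("Manchester", 53.4808, -2.2426),
}

# Constructed auth log, one event per line: "<timestamp> <user> <src_ip> <result>"
LOG = """\
2022-07-01T08:02:11Z alice 203.0.113.10 success
2022-07-01T08:05:40Z bob 192.0.2.44 success
2022-07-02T08:10:02Z alice 203.0.113.11 success
2022-07-02T08:12:19Z bob 192.0.2.44 success
2022-07-03T08:00:59Z alice 203.0.113.10 success
2022-07-03T09:31:27Z bob 192.0.2.44 success
2022-07-03T09:45:00Z alice 198.51.100.7 success
"""

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; anything faster is "impossible travel"


def parse(log):
    """Turn the raw text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result,
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    rlat1, rlat2 = radians(lat1), radians(lat2)
    dlat = rlat2 - rlat1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(rlat1) * cos(rlat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Return alerts as (user, iso_timestamp, [reasons]).

    The baseline is learnt online: every earlier successful login counts
    toward that user's set of normal cities, so novelty is judged against
    what has been seen so far rather than against a fixed signature.
    """
    seen = defaultdict(Counter)   # user -> Counter of cities logged in from
    last = {}                     # user -> (timestamp, lat, lon) of previous login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        city, lat, lon = GEOIP.get(ev["ip"], ("unknown", None, None))
        reasons = []
        # 1. Deviation from the learnt baseline: a city this user has never used.
        if seen[ev["user"]] and city not in seen[ev["user"]]:
            reasons.append(f"new location {city}")
        # 2. Impossible travel relative to the user's previous login.
        if ev["user"] in last and lat is not None:
            prev_ts, plat, plon = last[ev["user"]]
            hours = (ev["ts"] - prev_ts).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible travel {dist:.0f} km in {hours:.2f} h")
        if reasons:
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
        seen[ev["user"]][city] += 1
        if lat is not None:
            last[ev["user"]] = (ev["ts"], lat, lon)
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(parse(LOG)):
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

Wiring `detect()` into the automatic response the article describes (terminate the session, block the source) is the one step left out. In practice the baseline also needs an allow-list for corporate VPN egress points and known travel, otherwise the first login from a hotel reads exactly like the Kolkata case.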

This is a really great advantage to applying ML techniques to cybersecurity.

ML is designed to adapt. That's the great thing about it, and why its use is becoming so widespread, from learning about user activity to tailor content (think Netflix and YouTube) to identifying plant species and performing speech recognition.


Escalating emigration and the drought in Iran’s IT industry – Middle East Institute

For many years, Iran's educated elites have been leaving the country in growing numbers. From doctors to scientists and researchers to engineers, they are emigrating, mostly to Western countries, for various reasons, but chief among them are poor economic conditions and a lack of political and social freedoms at home.

While estimates of the actual number of Iranians who have left the country differ, researchers agree that the overall size of this emigration wave has been growing like never before. According to the 2021 Iran Migration Outlook report, produced by the Iran Migration Observatory research institution, the number of Iranian migrants has more than doubled over the past three decades, rising from a total of around 800,000 in 1990 to 1.8 million in 2020.

While the growing number of mostly skilled and young people heading abroad clearly affects the country in multiple ways, Iran's information technology sector is among those hit hardest by the burgeoning outflow of its experts in recent years. Thanks to the relatively fast-paced expansion of telecommunications infrastructure and increased access to the internet (the country has nearly 107 million internet subscriptions, a penetration rate of over 127%), the share of the digital economy in Iran's GDP has grown from just 2.6% to 6.87% over the past decade.

According to official government data released by the Statistical Center of Iran, the value of the national digital economy during the past Iranian calendar year of 1400 (March 21, 2021 to March 20, 2022) was around $45 billion. The authorities aim to raise the digital economy's share to 10% of GDP over the next three years, but in light of the escalating brain drain of Iranian IT experts, many have warned about the growing challenges to achieving this objective.

Drought of IT professionals

According to the above-mentioned Iran Migration Outlook report, 50% of those involved in Iran's startup community, along with 44% of university students and graduates, are planning to emigrate. The report adds that 55% of those active in the startup community believe they will definitely not return after leaving the country. While there is no clear data on the number of IT experts who have left Iran, the growing emigration trend has rattled officials and businesses, including tech startups.

Adel Talebi, the secretary of the Internet Business Association, was quoted by local Iranian media last month as saying that the country faces a shortage of highly skilled individuals due to emigration. This has affected not only the field of cyber security but all areas of information technology, including development, software engineering, and programming. Back in February, Hamid Behnegar, a senior member of the Iran Chamber of Commerce, Industries, Mines and Agriculture, also warned about what he described as a drought of specialized manpower in the IT industry.

Similar sentiment is expressed by members of the Iranian startup community. For example, Ehsan, a Tehran-based entrepreneur who managed a company of around 40 employees until last year, told the author that despite managing to survive the country's poor economic conditions, his firm went bankrupt after several key members of his team decided to leave Iran for better working conditions abroad. "The shortage in human resources in the IT sector is a crisis. Global demand for IT professionals has grown, and Iranian companies are unable to compete with them when it comes to recruitment," Ehsan noted.

But the deteriorating conditions do not stop there. Some professionals, while remaining in their home country, have turned to virtual migration and are now doing remote work for foreign companies and benefiting from much higher wages without having to bear the hardships of emigration.

Why do they leave?

A broad array of reasons motivates highly educated Iranians to leave Iran, including the country's poor economic conditions, a lack of political stability, and the absence of social freedoms. However, for those active in Iran's IT industry, the government's restrictive measures on internet use and its censorship of popular social media platforms, along with the unpredictability of regulation in this area, can be seen as important factors behind the tsunami of IT experts leaving Iran.

Mohammad, 32, is illustrative of the above-described trend. A computer programmer, he initially moved to Istanbul before his second migration to the Netherlands, which has become a popular stop for many Iranian IT professionals. For him, political instability, deteriorating economic conditions, and social obstructions were the main factors that triggered his decision to leave Iran. Morteza, 38, is another Iranian IT professional who left Iran last year and shares Mohammad's views. As he noted in an interview with this author, "I could not bear the harassment of different regulatory institutions and the internet censorship that was directly affecting my work."

Future of Irans IT industry

Experts warn that the loss of human capital in this industry will have widespread consequences due to the expanding role of technology in all businesses and industries. According to entrepreneurs like Ehsan, Iranian startup companies have suffered the most because of the current situation. Many of these firms are being forced to shut down or to postpone launching new services or products because they cannot afford, or even find, the talented experts needed to reach their targets. "Since a large number of top IT professionals have left the country over the past couple of years, the demand for the remaining professionals is very high; and therefore, only the large companies can afford to pay a salary as high as $2,000 or even $3,000 a month, literally pushing the small companies out of the market," he contended.

Yet the consequences of such an exodus do not end there. According to many experts, Iran's growing cyber vulnerabilities in different businesses, industries, and national infrastructure are already costing the country both in economic loss and in growing insecurity. Iran has been targeted by a number of cyber attacks in recent years, many of which the authorities have blamed on the United States and Israel. Cyber attacks against Iran's railway system (July 2021), the country's national fuel distribution system (October 2021), a number of major steel producers (June 2022), and the municipal government website of Tehran (June 2022) are just a few examples.

As Iran tries to assert increasing control over the internet, and amid growing local discontent and stalled international negotiations over reviving the 2015 nuclear agreement, many expect the flight of the country's IT professionals to continue. This worsening drought in highly skilled human capital will only further burden an already struggling industry.

Maysam Bizaer is an analyst and commentator who focuses mostly on Iran's foreign policy, politics, and economy. He is a frequent contributor to a number of international media and U.S.-based think tanks. Follow Maysam on Twitter @m_bizar. The views expressed in this piece are his own.



What is Hermit spyware? – The Indian Express

Hermit is the latest sophisticated spyware in the news, and it is believed to have been used against iPhones and Android devices in Italy and Kazakhstan. The spyware was developed by an Italian vendor called RCS Lab; its deployment was first reported by researchers at Lookout, a San Francisco-based cybersecurity firm. Google's Threat Analysis Group (TAG) then published a detailed blog post last week explaining how it believes Hermit was used to target devices.

Hermit is spyware along the lines of NSO Group's Pegasus. Once installed on a device, it can record audio, make unauthorised calls and carry out many other unauthorised activities. According to Lookout, it can steal stored account emails, contacts, browser bookmarks and searches, calendar events and so on. It can also take pictures with the device and exfiltrate device information such as the list of installed applications, kernel information, model, manufacturer, OS version, security patch level and phone number. It can also download and install additional APKs (Android app packages) on a compromised phone.

The spyware can also upload files from the device, read notifications and capture the screen. Because it can obtain root privileges on Android, Lookout's research showed, it can uninstall apps like Telegram and WhatsApp. According to the researchers, the spyware can silently uninstall and reinstall Telegram, except that the reinstalled version is likely a compromised one; it can also steal data from the old app. For WhatsApp, it can prompt the user to reinstall the app via the Play Store.

So, once Hermit has been deployed to a phone, it can control and track data from all key applications.

Sophisticated spyware such as Hermit and Pegasus costs millions of dollars in licensing fees, and these are not simple operations. It is not like common malware targeting regular users, and in Hermit's case the operations appear to have been complex. According to Google's TAG, all campaigns started with a unique link sent to the victim's phone. When the user clicked it, the page led to the installation of the application, with versions for both Android and iOS.

According to Google, the actors targeting the victims in some cases worked with the target's Internet Service Provider (ISP). Google notes: "We believe the actors worked with the target's ISP to disable the target's mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most applications masquerade as mobile carrier applications."

When ISP involvement was not possible, the lure instead impersonated a messaging app. In Google's screenshot example, the link pretended to be a recovery page for a Facebook account and asked the user to download a version of WhatsApp, Instagram or Facebook; this was for Android devices. These were, of course, trojanised versions of those apps.

According to Lookout, some attacks in Kazakhstan masqueraded as pages for Oppo, Samsung and Vivo, all well-known phone brands. Further, its research shows that RCS Lab also worked with Tykelab Srl, a telecommunications solutions company. Lookout believes this is likely a front company for RCS Lab, and its blog post claims to show several links between the two.

On iOS, Google's research showed that the spyware abused Apple's enterprise certificate programme, under which select enterprises are issued a certificate that lets them distribute their own in-house apps directly to iOS devices, bypassing the App Store. The Hermit apps were signed with such a certificate, which Apple has since revoked.

Google said that a company named 3-1 Mobile SRL held the necessary certificate, as it was enrolled in the Apple Developer Enterprise Program. Google also stressed that it does not believe the apps were ever available on the App Store. Once installed, the apps exploited several flaws, both previously known ones and zero-days, to gain more access and carry out surveillance. According to a report by 9to5Mac, Apple has now revoked the certificates for these apps.

As noted, Hermit is not common spyware. Lookout's analysis suggests that in Kazakhstan an entity of the national government is likely behind the campaign. Google said it has identified and alerted all Android victims in Italy and Kazakhstan, implemented changes in Google Play Protect, and disabled all Firebase projects used for command and control of the campaign.

Lookout also states it has seen Hermit deployed in Syria. In Italy, documents showed it had been misused in an anti-corruption operation. "The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis," notes the blog.

According to the researchers, mobile devices are the perfect target for surveillance. While not all of us will be targeted, users should continue to follow basic precautions. These include keeping phones updated, since updates ship patches for vulnerabilities, including ones already being exploited in the wild. Users should avoid clicking on unknown links, even out of curiosity, and in particular should not install an app offered by a link in an SMS, which is how Hermit was delivered. It is also recommended that users periodically review the apps on their device, paying particular attention to anything that was not installed from the official app store.
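One way to make that periodic app review concrete on Android, as an added example (not from the Indian Express article, Lookout or Google): list third-party packages together with the package that installed them and flag anything the Play Store did not install, which is where a sideloaded carrier or messaging lookalike like Hermit would show up. The input format is what `adb shell pm list packages -3 -i` prints; the SAMPLE_LISTING, including its package names, is constructed for the demo.

```python
"""Flag Android packages that were not installed by the Play Store.

Added example, not from the article or the researchers it cites. Reads the
output of `adb shell pm list packages -3 -i` (third-party packages with the
installing package); SAMPLE_LISTING is constructed and its names are made up.
"""
import re
import subprocess

PLAY_STORE = "com.android.vending"
# Each line looks like: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)")

SAMPLE_LISTING = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.carrier.recovery  installer=null
package:org.telegram.messenger  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""


def parse_listing(listing):
    """Map package name -> installer package ('null' when Android recorded none)."""
    result = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def flag_sideloaded(listing):
    """Return sorted [(package, installer)] for packages the Play Store did not install.

    'null' means no installer was recorded (typical of adb or browser sideloads);
    com.google.android.packageinstaller means a downloaded APK was installed by hand.
    """
    return sorted(
        (pkg, inst) for pkg, inst in parse_listing(listing).items() if inst != PLAY_STORE
    )


def review_connected_device():
    """Run the check against a phone attached over adb (adb must be in PATH)."""
    out = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout
    return flag_sideloaded(out)


if __name__ == "__main__":
    for pkg, inst in flag_sideloaded(SAMPLE_LISTING):
        print(f"REVIEW {pkg}: installed by {inst}")
```

A flagged package is a lead, not a verdict: apps from an OEM store (for example Samsung's Galaxy Store) or a corporate MDM will also appear, so add those installers to an allow-list for the devices you manage. A package whose name imitates a carrier or messaging app and whose installer is `null` is exactly the pattern the Hermit lures produce.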


Google's blog post also strongly condemns the use of such surveillance tools by states, noting that in many instances they are used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.

Meanwhile, RCS Lab has denied any wrongdoing, saying its products and services comply with European rules and help law enforcement investigate crimes, according to a Reuters report.


New Cybersecurity Requirements in Critical Infrastructure: Assessing the Impact of Bill C-26, An Act Respecting Cyber Security (ARCS) – Fasken

On June 14, 2022, the Canadian government tabled Bill C-26, An Act Respecting Cyber Security (ARCS), [1] which introduces significant new cybersecurity requirements for federally regulated industries and new national security requirements for the telecommunications sector. As it is currently drafted, ARCS would create a comprehensive framework for regulating the security of Canadian critical infrastructure and enhancing oversight over telecommunications security:

As noted in the official Backgrounder, ARCS is intended to empower the Canadian government to respond to emerging cyber threats and strengthen baseline cyber security for vital services and systems. In the current cyber risk landscape, operators of critical infrastructure are recognized as being at a heightened risk of cyber-attacks from malicious actors given the potential for severe disruption. [2] For enterprises in the telecommunications, energy, finance, and transport sectors in particular, ARCS is a strong signal that the Canadian government intends to take these risks seriously by increasing its regulatory supervision and intervention going forward.

The Critical Cyber Systems Protection Act (CCSPA), which ARCS would enact, would apply to operators in the telecommunications, energy, finance, and transport sectors. More specifically, under the CCSPA, the Canadian government may designate:

The requirements of CCSPA apply to designated operators that own, control or operate a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information [] that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system (critical cyber system).

Although the current draft of CCSPA lists no designated operators in its Schedule 2, it enumerates six vital systems and services in its Schedule 1, each with a corresponding regulator:

Designated operators must comply with four key requirements under CCSPA:

1. Establish, implement, maintain, and review a cyber security program;
2. Report cyber security incidents;
3. Comply with cyber security directions; and
4. Maintain records of compliance and incidents.

Designated operators must establish, implement, and maintain a cyber security program as it relates to their critical cyber systems. In addition to any requirements prescribed by regulations, these cyber security programs must include reasonable steps to:

1. Identify and manage cyber security risks, including risks associated with their supply chain and their use of third-party products and service providers;
2. Protect their critical cyber systems from being compromised;
3. Detect cyber security incidents that are affecting or potentially may affect their critical cyber systems; and
4. Minimize the impact of cyber security incidents affecting critical cyber systems.

Within 90 days after being designated (or a longer period at the regulators discretion), designated operators must establish their cyber security program, notify the appropriate regulator in writing confirming same, and provide them with a copy. Designated operators must also:

Designated operators must immediately report cyber security incidents affecting their critical cyber systems to the Communications Security Establishment (CSE), [3] followed by notification to the appropriate regulator, who is entitled on request to a copy of the report from both the designated operator and the CSE.

CCSPA defines a cyber security incident as an act, omission, or circumstance that interferes or may interfere with (a) the continuity or security of a vital service or system; or (b) the confidentiality, integrity, or availability of a critical cyber system.

These reporting obligations are in addition to existing obligations. For example:

Designated operators must comply with cyber security directions made by the Canadian government, which may include specific measures and conditions for the purpose of protection of a critical cyber system, as well as a timeline for compliance.

Cyber security directions must be kept confidential by the designated operator, which may not disclose their existence and content, except to the extent required for compliance. However, CCSPA expressly permits extensive information collection and sharing between designated Canadian government officials and entities in relation to cyber security directions.

Designated operators must keep records related to each of their obligations under CCSPA, which differ from recordkeeping requirements in privacy laws. Records must document reported cyber security incidents and steps taken to implement the cyber security program, to mitigate supply chain or third-party risks, and to implement cyber security directions.

In addition, designated operators are required to keep all records in a prescribed manner in Canada, at a prescribed location or otherwise at their place of business. Absent evidence to the contrary, entries in records will serve as proof against the person who made the entry or the designated operator required to keep the record.

Regulators are granted broad enforcement powers to verify compliance or prevent non-compliance with CCSPA. Regulators may enter a place where they have reasonable grounds to believe that a CCSPA-regulated activity is being conducted or that a document, information or thing relevant to that purpose is located there. Regulators may exercise powers such as examining anything at the place, taking or copying any document or data, and using any cyber system (or causing it to be used) to examine information available through the system. Moreover, regulators are entitled to all reasonable assistance from the owner or operator of the place, and anyone found there.

To prevent non-compliance or mitigate the risks thereof, regulators may also audit an operator and issue a compliance order.

CCSPA also balances its broad disclosure requirements with certain protections for confidential information, which is defined as information (1) about vulnerabilities or protection measures of critical cyber systems of a designated operator that is treated confidentially; (2) that could reasonably be expected to have a material financial impact on the operator or prejudice their competitive position; or (3) that could reasonably be expected to interfere with their negotiations.

Accordingly, confidential information may only be disclosed under specific circumstances, including legal requirements, consent of the designated operator, and necessity for the protection of vital services, systems or critical cyber systems. Moreover, confidential information may be shared under agreements or arrangements between certain government entities and regulators.

CCSPA relies on both an administrative monetary penalty regime and statutory offences regime for enforcement of its provisions, similar to the one in the Telecommunications Act. Either regime can involve the personal liability of directors and officers that direct, authorize, assent to, acquiesce in or participate in a violation of the CCSPA, which can result in significant fines or imprisonment.

Eventual regulations may classify violations as minor, serious or very serious and determine the maximum penalty for each type of violation. However, penalties for each violation may not exceed $1,000,000 for individuals and $15,000,000 for other cases.

Designated operators have the right to make representations or exercise a defence of due diligence. Regulators are granted discretion to correct errors in a notice of violation, cancel it or enter into compliance agreements with terms the regulator considers appropriate, including the reduction of the amount of the penalty in part or in whole.

Violation of certain provisions of CCSPA is also a punishable offence. Individuals and corporations are liable to fines at the discretion of the court, and individuals may be sentenced to a term of up to two years on summary conviction or five years on conviction on indictment.

ARCS also establishes special rules for securing the telecommunications sector, recognizing its importance to national security. Part 1 of ARCS would amend the Telecommunications Act to provide the Canadian government and the Minister of Industry with sweeping new regulatory powers to secure the Canadian telecommunications system.

The amendments would also add the promotion of the security of the Canadian telecommunications system to the Canadian telecommunications policy objectives. This would provide the Canadian Radio-television and Telecommunications Commission (or CRTC) with an express statutory basis to consider security ramifications when crafting regulatory policies affecting the industry.

ARCS would amend the Telecommunications Act to enable the Canadian government and the Minister to make orders respecting a TSP's (i) use of products and services of specific vendors and other TSPs in telecommunications networks; and (ii) provision of specific telecommunications services in Canada (each a form of security order).

The distinction between these two types of security order is important: one form relates to inputs (both physical products and services) into telecommunications networks, and the other relates to the type of telecommunications services that a TSP may offer using those networks. Both, however, must be based on the opinion that the order is necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.

Specifically, the Canadian government may make a security order that:

Separately, the Minister of Industry will be given the authority to:

The Minister of Industry will also have the power to order precise measures, such as imposing conditions on a TSP's use of a specific product or service, prohibiting a TSP from entering a service agreement (or requiring the termination of an existing agreement), requiring TSPs to develop a security plan, requiring a TSP to conduct vulnerability assessments and mitigate identified vulnerabilities, or requiring that a TSP implement specified standards in relation to their products and services. The enumerated powers are not exhaustive, meaning the Minister has very broad power to determine the contents of a security order, subject only to general administrative law principles.

Significantly, the Canadian government and the Minister will have the authority to prohibit the disclosure or publicization of any security order, meaning these decision-makers will be able to make either form of security order without other actors in the telecommunications industry, or indeed the public, being aware.

Similar to the CCSPA, ARCS also provides the Minister of Industry with a broad power to compel the production of information, subject to limited exceptions. Specifically, the Minister may require any person to provide any information that the Minister believes on reasonable grounds is relevant for the purpose of making, amending or revoking a security order. Information provided in response may be designated as confidential if it includes trade secrets, commercial, scientific or technical information that is consistently treated as confidential, and information that may result in economic prejudice if disclosed.

The Minister may designate any qualified person as an inspector for the purpose of verifying compliance or preventing non-compliance with a security order.

ARCS extends the existing administrative monetary penalty regime in the Telecommunications Act to ensure compliance with the security order provisions and other new obligations. Specifically, violations of these new obligations expose individuals and corporations to penalties of up to $25,000 and $10,000,000, respectively, for a first violation and to $50,000 and $15,000,000, respectively, for each subsequent violation. These penalties are made even more substantial by the fact that each day that a violation continues constitutes a separate violation.

Although many details will need to be clarified in its regulations, ARCS becoming law would represent a significant development in Canadian cybersecurity law and the telecommunications security landscape.

Operators involved with critical cyber systems in federally regulated industries, particularly those which qualify as a vital system or service, should carefully review the Bill's provisions and evaluate the potential compliance issues based on their existing cybersecurity practices. In particular, operators potentially subject to these requirements should consider preparatory measures, including:

Given the requirements for designated operators to manage third-party risks, service providers and suppliers who do business with them should prepare for closer scrutiny of their cybersecurity standards and consider similar preparatory measures.

TSPs should strategically prepare for federal political decision makers being given new legal and policy tools to shape the Canadian telecommunications industry by denying access to commercial actors who may present a risk to the Canadian telecommunications system.

From a national security perspective, ARCS and the anticipated CCSPA represent the fulfilment of a national critical infrastructure protection initiative that began in 2009 with the first federal-provincial National Strategy for Critical Infrastructure. [4] With the advent of the Internet of Things, cyber threats to Canada's essential security interests can increasingly manifest in real-world consequences. The growing digital interconnectivity of critical infrastructure systems represents a vulnerability that ARCS looks to address by requiring a baseline level of cyber resilience and recoverability.

Fasken offers a suite of services to assist organizations in their cybersecurity journey, including:

Please contact our Privacy and Cybersecurity group, National Security group, or Technology, Media and Telecommunications group for more information.

For more information on the potential implications of the new Bill C-27, Digital Charter Implementation Act, 2022, please see our bulletin on this topic.

[1]Short title for Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, 1st Sess, 44th Parl, 2022, 70-71 (First Reading, June 2022)

[2] See Canadian Centre for Cyber Security, National cyber threat assessment 2020 (2020), online: https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020

[3] Subject to being prescribed in CCSPA or its regulations, engagement with the CSE will potentially be conducted through the Canadian Centre for Cyber Security, which is the arm of the CSE responsible for securing national critical infrastructure.

[4] For the most recent version, see: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx.

Continued here:
New Cybersecurity Requirements in Critical Infrastructure: Assessing the Impact of Bill C-26, An Act Respecting Cyber Security (ARCS) - Fasken

Unknown connections: How safe is public WiFi in Aotearoa? – IT Brief New Zealand

Kiwis often rely on the internet when they are out and about. Whether it's to check a bus timetable or bank balance, grab an Uber, check an email or even stream a movie, using a public WiFi hotspot may often seem like an easy and painless way to not chew up your personal 4G.

But with a seemingly simple process comes plenty of questions. If it's not your own household WiFi, then who has control of your data and is your connection actually safe?

In 2017, security company Norton in partnership with Symantec released a groundbreaking study on public WiFi safety in Aotearoa and around the globe. The results revealed that Kiwis were surprisingly oblivious to the risks involved.

Two-thirds of the 1001 people surveyed thought their personal information was generally safe when they use public WiFi, but 71% actually acted unsafely when their behaviours were examined. 84% admitted to taking risks while on public WiFi.

Risky behaviour was described as all actions that require users to send or receive information. This includes logging into personal email accounts, logging into social media accounts and checking bank or financial information.

Kiwis also struggled to define the difference between secure and unsecure WiFi, with 38% of respondents being unsure of what constitutes unsecure and secure WiFi. 66% of New Zealanders said they felt safe using public WiFi in general.

"There is a deep divide between what people think is safe when it comes to using public WiFi versus the reality," said Symantec executive vice president, consumer business unit Fran Rosch when commenting on the results.

"What someone thinks is private on their personal device can easily be accessed by cybercriminals through unsecure WiFi Networks or even apps with privacy vulnerabilities."

Norton business unit director Mark Gorrie agreed, saying that there's a significant divide between what Kiwis think is safe on public WiFi and what the reality actually is.

"Often what someone thinks is private on their personal device can easily be accessed by cybercriminals through unsecure WiFi Networks or even apps with privacy vulnerabilities," he remarked.

As the years have passed since the survey, COVID-19 has also played a pivotal role in determining public internet usage in Aotearoa. The need to be able to work from anywhere at any time due to the global health situation has only heightened reliance on public WiFi, and with this comes even more chances for security risks if people continue to practice unsafe behaviours.

While human factors undeniably play the most pivotal role in safe public WiFi usage, it also comes down to the network and network providers themselves.

Techday spoke to two key NZ organisations (One public and one private) who provide public WiFi services and asked them questions about public WiFi safety and security. These were the Auckland Council and telco provider Spark NZ.

"Auckland Council provides free public WiFi services at its libraries, service centres, Auckland Botanic Gardens, community centres, community halls and venues for hire, more than 200 sites in total," says Auckland Council Director ICT, Mark Denvir.

With an extensive network like this, data security and privacy are seen to be paramount, and the Council ensures they do not collect or retain sensitive data.

"This service is provided by a third-party supplier, which takes care of all basic security requirements. The Council, and our supplier, does not collect user data or registration information, users are only required to accept terms and conditions," says Denvir.

While security measures are an essential factor, Denvir says that there are also complex sociological and societal elements at play, and personal responsibility should play a key role in public WiFi safety as well.

"The provision of public WiFi is a balance between providing internet services for those who are unable to otherwise access them and applying necessary safety mechanisms, without these becoming barriers to access," he says.

"Public WiFi usage inherently requires personal responsibility, so we encourage users of any public WiFi services to make sure they follow best practice guidelines. Further advice can be sought from the government's Computer Emergency Response Team (CERT)."

Spark NZ is another provider of free public WiFi, with sites around New Zealand located on some of the company's public payphones.

The company says that free WiFi is more readily available in a range of places, from public libraries to malls and restaurants. They also say that because consumers also have access to large or unlimited data packs at increasingly cheaper rates, the use of their WiFi hot spots is on a downwards trajectory.

When commenting on the nature of the WiFi security, a company spokesperson said that they have clear security measures and processes in place.

"Spark's WiFi network is designed in a way that keeps end user traffic and core network functions separate. Access to the equipment is controlled by industry standard methods (TACACS+, LDAP)," they said.

"Both hardware and software firewalls are deployed in the network, and we don't permit inbound traffic to end users' devices. This prevents third parties from conducting network scans to find vulnerable devices."

The company also says that when it comes to data security, they do not require any user access details.

"Unlike some other public WiFi services, we do not require users to enter their email address or other personal information in order to access Spark public WiFi."

They also have a team that monitors network security to prevent further cybersecurity issues.

"Spark's public WiFi network is monitored by Spark's First Response Operations and Network Operations Centre," says the spokesperson.

"These teams provide 24/7 monitoring and assurance of the network. In addition, a virtual team conducts day to day maintenance and upgrades."

Spark agrees that online responsibility plays a key role in preventing cybersecurity issues when using public WiFi and suggests a number of tips to help users bolster safety:

They also recommend devices have all operating systems and security updates installed.

Both organisations reinforced the fact that personal responsibility is vital to WiFi usage security. While the research shows Kiwis are worried, they should have comfort in knowing that there are tools and systems in place to keep us safe, and if they exercise their own personal responsibility when using public WiFi, they can check that bus timetable or watch that TikTok with comfort.

Originally posted here:
Unknown connections: How safe is public WiFi in Aotearoa? - IT Brief New Zealand

The link between cybersecurity, extremist threat and misinformation online in Aotearoa – SecurityBrief New Zealand

Cybersecurity threats come in many different forms. While things like malware, bugs and phishing attacks can cause serious harm in their own right, when coupled with threats and misinformation they can have devastating impacts.

These kinds of threats are formed in various ways and evade cybersecurity and personal cyber safety measures with ease. Long story short, it's often the case that misinformation, threat and extremism link closely to cybersecurity issues and cyber harm.

Hate speech, threat and extremism are issues that have caused significant problems in Aotearoa, and the root of much of it is unfortunately active in an online environment. Threat actors with sinister agendas covertly break down cybersecurity and threat prevention barriers to promote their own unique brand of hate and extremism, using a variety of tools and systems to cause widespread harm.

It is often the case that much of the harm is initiated in dark corners of the internet, blocked by complex coding and security technology. It can also be initiated on social media, with large companies struggling to police and monitor with efficient legal security measures. Threat actors hide behind fake profiles, and even with the strongest regulations and cybersecurity and safety measures, misinformation can break down these walls in an instant.

Threat and misinformation come in a variety of forms. Concerning statistics from InternetNZ show that 58% of New Zealanders, up from 42% last year, are either 'extremely concerned' or 'very concerned' about online conspiracy theories. Kiwis' general level of concern about misinformation has also risen dramatically this year, with 66% of New Zealanders being either extremely or very concerned that information is misleading or wrong. The number of people who said they were extremely or very concerned about hate speech online has also jumped from 58% to 65%.

Research like this highlights that we need solid cyber safety and security measures in place to prevent long-lasting damage.

"InternetNZ wants to see an Internet where everyone in Aotearoa can fully participate online. Scams, cybersecurity risks, and abusive behaviours online are all linked in that they make it harder for people in our community to be safe," says InternetNZ senior policy advisor James Ting-Edwards.

"It is vital that work to address these issues starts by listening to the people most affected by abusive behaviours online, whether these are threats to the security of people's computers and bank accounts, or threats to their personal safety and their ability to go online without facing harassment."

He says there needs to be an extended community effort to prevent threatening behaviour, and laws and technologies can only do so much.

"Governments and online services are well aware of these issues, but the gap we see is a need for more work to include community voices in developing solutions," he says.

"This is not just about laws and technologies, it's about how communities in Aotearoa get a voice in the online environments we participate in."

Dr Ethan R. Plaut from the University of Auckland reinforced that hate speech and threat should be perceived as a matter of our national security, and it is an increasingly prevalent issue worldwide.

"Online hate speech is a matter of national security in multiple different ways," he says.

"This is clearly true in the sense that foreign actors may be involved in the creation and circulation of hateful misinformation, and in the sense that domestic online extremism has been implicated in the radicalisation of people involved in violent attacks, including here in Aotearoa New Zealand.

"These issues also intersect in online attacks against people doing advocacy for Māori, women, racial minorities, and LGBTQ and other vulnerable communities, who are vulnerable to doxxing, threats, and other forms of online attacks."

A prominent example of these types of threats in action can be seen both before and after the devastating Christchurch terror attacks in 2019.

The perpetrator was highly active in a covert online environment, operating to promote hate and infiltrating various social media platforms to spread it. The terrorist also released a manifesto and live-streamed his actions, causing widespread significant harm. CERT NZ reported a variety of issues in the wake of the tragedy, saying that scammers and attackers were using the tragic event as an opportunity to perform targeted online cyber attacks against New Zealanders. Some of these included:

It is clear, then, that cybersecurity and safety intersect with hate speech and threat. So what can be done to help prevent serious issues in the future?

While Netsafe, CERT NZ and other organisations play a key advisory role in helping inform the public of threats and stop the spread of misinformation here in Aotearoa, there is also a collective agreement in place that aims to tackle these issues at the source. The Christchurch Call was formed in Paris on May 15 2019, and acted as a collective agreement from countries around the world aiming to create a safer online environment that stops hate, threat and misinformation in its tracks.

Consisting of over 50 countries and delegations worldwide, the agreement, initiated by France and New Zealand, outlines collective, voluntary commitments from governments and online service providers that aim to address terrorist and violent extremist content online and to prevent the abuse of the internet as occurred in and after the Christchurch attacks.

The agreement highlights five key points that governments should collectively aim to achieve, with topics ranging from using law and regulation, to supporting frameworks for companies in order to combat hate and abuse online.

While some of the points apply directly to broadcast media, when examining ones relating to cyber safety and security the framework advises:

Social media giants such as Meta, Twitter, Google and YouTube are some of the many organisations that have pledged support to the agreement; however it may take years for them to fully implement secure systems and technologies worldwide.

As with many things online, cybersecurity and safety remain distinctly human issues and can often only be adequately solved with a widespread community effort.

As governments worldwide struggle with increasing threat, misinformation and extremism, there is hope that leadership shown through agreements like the Christchurch Call can promote safer online communities for everyone.

Visit link:
The link between cybersecurity, extremist threat and misinformation online in Aotearoa - SecurityBrief New Zealand

CSIRO’s offer to SMEs working in cyber security – CSIRO

14 June 2022 News Release

Small and medium sized enterprises (SMEs) working on new cyber security solutions can join the free, 10-week online Innovate to Grow program, offered by CSIRO, to support their commercial idea with research and development expertise.

Upon completion of the program, participants will be able to access facilitation support, through CSIRO, to connect to research expertise nationally, along with dollar-matched R&D funding.

CSIRO's SME Collaboration Lead Dr George Feast said the COVID-19 pandemic had led to an increased risk of cyber security attacks.

"Just like many other parts of the world, Australia's dependence on the internet saw a big increase during the pandemic, with many services moving online and more people working from home than ever before," Dr Feast said.

According to the Australian Cyber Security Centre, cybercrime reports rose 13 per cent year on year in the 2020-21 financial year.

"To stay ahead of these cyber attacks, new solutions are required, and much of this is driven by SMEs developing new products and services through R&D," Dr Feast said.

"SMEs make up 99.8 per cent of all businesses in Australia. However, R&D can be an expensive undertaking for businesses and risky for those without the right guidance and support."

The program extends beyond cyber security companies into a range of other industries that offer online solutions to their customers - such as agriculture and health - and want to improve the cyber security aspect of their offering.

"Participants will be given help to refine a new idea they want to explore and to better understand their idea's business and scientific viability. They will also be exposed to industry knowledge, hear from innovation and industry experts, and work with an R&D mentor. Companies will also tap into CSIRO's own cyber security expertise through Data61, CSIRO's data and digital specialist arm," Dr Feast said.

"Even though collaboration is key in driving good R&D outcomes, research we released last year found that less than 15 per cent of Australian businesses engage universities or research institutions for their innovation activities; our goal through this program is to up that percentage."

CSIRO's Innovate to Grow: Cyber Security program commences 26 July and is available for 20-25 small and medium enterprises (SMEs). Applications close 11 July: Innovate to Grow: Cyber Security.

Read the original:
CSIRO's offer to SMEs working in cyber security - CSIRO

This Week In Security: Pacman, Hetzbleed, And The Death Of Internet Explorer – Hackaday

There's not one, but two side-channel attacks to talk about this week. Up first is Pacman, a bypass for ARM's Pointer Authentication Code (PAC). PAC is a protection built into certain ARM processors: the compiler inserts instructions that sign a pointer (a return address at function entry, for example) with a keyed cryptographic tag, and authenticate it again before it is used. If the tag doesn't verify, the program simply crashes. The idea is that most exploits manipulate pointers to achieve code execution, and producing a correct PAC requires an explicit instruction. The PAC is stored in the otherwise unused bits of the pointer itself. The AArch64 architecture uses 64-bit values for addressing, but the address space is much smaller than 64 bits, usually 53 bits or less, which leaves 11 bits for the PAC value. Keep in mind that the application doesn't hold the keys and doesn't calculate this value itself. 11 bits may not seem like enough to make this secure, but every failed attempt crashes the program, and every application restart regenerates the keys, so a brute-force search of the 2048 possible tags is not practical.

What Pacman introduces is an oracle: a way to learn whether a guessed PAC is correct without the crash that a wrong guess would normally cause. The oracle works via speculative execution, very similar to Meltdown and Spectre. The key is to authenticate and dereference a protected pointer only speculatively, so that a wrong guess is never architecturally committed, and then to observe the change in microarchitectural state (what was pulled into the cache or TLB) that reveals whether the guess was right. What you may notice is that this requires the attacker to already be running code on the target system in order to use the PAC oracle. Pacman is not a remote code execution flaw, nor is it useful in gaining RCE.

One more important note is that an application has to have PAC support compiled in to benefit from this protection. The platform that has made wide use of PAC is macOS, since it's a feature baked into Apple's M1 processor and the kernel is built with it. The attack chain would likely start with a remote execution bug in an application missing PAC support. Once a foothold is established in unprivileged userspace, Pacman would be used as part of an exploit against the PAC-protected kernel. See the PDF paper for all the details.
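To make the layout concrete, here is a host-side model of the PAC scheme described above. It is an added example, not code from Hackaday, ARM or the Pacman paper: it uses the article's figures (a 53-bit address space, so 11 tag bits and 2048 possible tags), a toy mixing function as a stand-in for the real keyed MAC, a constant key where a real process would get a fresh one from the kernel on every start, and a made-up stack-pointer value as the modifier. `pac_sign`, `pac_auth` and `forge_by_brute_force` are names chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not ARM's or the paper's code). Models a 64-bit pointer
 * whose top 11 bits carry a keyed tag over the 53-bit canonical address and
 * a "modifier" (on a real core often the stack pointer). The MAC is a toy
 * mixer standing in for the CPU's algorithm; the key is a constant because
 * nothing here regenerates it. */

#define VA_BITS   53u
#define PAC_BITS  (64u - VA_BITS)              /* 11 tag bits */
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_SPACE (1ULL << PAC_BITS)           /* 2048 possible tags */

/* Toy keyed hash (assumption: stands in for the real PAC function). */
static uint64_t toy_mac(uint64_t canon_ptr, uint64_t modifier, uint64_t key)
{
    uint64_t h = key ^ 0x9E3779B97F4A7C15ULL;
    uint64_t in[2] = { canon_ptr, modifier };
    for (int i = 0; i < 2; i++) {
        h ^= in[i];
        h *= 0xBF58476D1CE4E5B9ULL;
        h ^= h >> 31;
        h *= 0x94D049BB133111EBULL;
        h ^= h >> 29;
    }
    return h >> (64 - PAC_BITS);               /* keep the 11 bits that fit */
}

/* Model of a sign instruction: drop any old tag, store a fresh one. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t canon = ptr & VA_MASK;
    return canon | (toy_mac(canon, modifier, key) << VA_BITS);
}

/* Model of an authenticate instruction. Returns 0 and the usable pointer on
 * success, -1 where the real CPU would fault and the process would crash. */
int pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key,
             uint64_t *out)
{
    uint64_t canon = signed_ptr & VA_MASK;
    uint64_t tag   = signed_ptr >> VA_BITS;
    if (tag != toy_mac(canon, modifier, key))
        return -1;
    *out = canon;
    return 0;
}

/* Sign then authenticate; 1 if the pointer survives the round trip. */
int pac_roundtrip_ok(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t out = 0;
    return pac_auth(pac_sign(ptr, modifier, key), modifier, key, &out) == 0
           && out == (ptr & VA_MASK);
}

/* What an attacker without an oracle faces: to redirect a protected pointer
 * to `target` they must guess its tag. Returns the number of guesses until
 * one authenticates. In reality every failed guess is a crash and a restart
 * with a new key, so the count is never reached; Pacman's oracle answers
 * "is this tag right?" speculatively, without the crash. */
uint64_t forge_by_brute_force(uint64_t target, uint64_t modifier,
                              uint64_t key, uint64_t *forged)
{
    uint64_t canon = target & VA_MASK, out;
    for (uint64_t tag = 0; tag < PAC_SPACE; tag++) {
        uint64_t candidate = canon | (tag << VA_BITS);
        if (pac_auth(candidate, modifier, key, &out) == 0) {
            if (forged) *forged = candidate;
            return tag + 1;                    /* guesses (crashes) needed */
        }
    }
    return 0;                                  /* unreachable: one tag fits */
}

/* Forge a tag for `target`; 1 if the forged pointer then authenticates. */
int forged_pointer_authenticates(uint64_t target, uint64_t modifier, uint64_t key)
{
    uint64_t forged = 0, out = 0;
    return forge_by_brute_force(target, modifier, key, &forged) >= 1
           && pac_auth(forged, modifier, key, &out) == 0
           && out == (target & VA_MASK);
}

int main(void)
{
    uint64_t key = 0x0123456789ABCDEFULL;      /* assumed per-process key */
    uint64_t sp  = 0x0000FFFF8000ULL;          /* assumed modifier (SP) */
    uint64_t ret = 0x00007FFF12345678ULL;      /* a return address */
    uint64_t s = pac_sign(ret, sp, key);
    printf("signed %016llx  tag %llu  roundtrip %d  guesses to forge: %llu/%llu\n",
           (unsigned long long)s, (unsigned long long)(s >> VA_BITS),
           pac_roundtrip_ok(ret, sp, key),
           (unsigned long long)forge_by_brute_force(0x41414141ULL, sp, key, NULL),
           (unsigned long long)PAC_SPACE);
    return 0;
}
```

The point of `forge_by_brute_force` is the number it returns: at most 2048 guesses, which is nothing for a loop on the host but, on the real CPU, is up to 2048 crashes against a key that changes on every restart. That is the gap the Pacman oracle closes.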

The other side-channel technique is a new take on an old idea. Hertzbleed is based on the observation that it's possible to detect the difference between a CPU running at its base frequency and the same CPU running at a boost frequency, and that the difference between those two states leaks information about what the CPU is doing. There's a pre-release PDF of the paper for the details. The biggest result is that the standard safeguard against timing attacks, constant-time programming, is not always a reliable security measure on its own: code whose instruction sequence is data-independent can still take a data-dependent amount of wall-clock time, because its power draw, and therefore its clock frequency, depends on the data.

It works because the maximum frequency depends on the processor's power limit: the Thermal Design Power (TDP) is the maximum amount of power a CPU is designed to draw and to dissipate as heat. Different instructions draw different amounts of power and generate more or less heat, and more heat means earlier throttling, which shows up in response times. The details are quite fascinating. Did you know that even the same instructions, run with different register values, draw slightly different amounts of power? The researchers picked a single cryptographic algorithm, SIKE (at the time a post-quantum key exchange candidate; it was later broken outright by an unrelated classical attack in 2022), and attempted to extract a server's secret key through timing attacks.

There is a quirk in SIKE, also discovered and disclosed in this research, that makes it possible to short-circuit part of the algorithm so that a series of internal, intermediate steps produce a value of zero. If you know multiple consecutive bits of the static key, it's possible to construct a challenge that hits this quirk. By extension, you can guess the next unknown bit, and the computation will only fall into the quirk if you guessed correctly. SIKE uses constant-time programming, so this odd behavior shouldn't matter. This is where the Hertzbleed observation comes in. The SIKE computation consumes less power when a run contains this cascading-zero behavior; consuming less power means the processor can stay at full boost clocks for longer, which means the key exchange completes slightly more quickly. Enough so that it can be detected even over a network connection. They tested against Cloudflare's CIRCL library and Microsoft's PQCrypto-SIDH, and were able to recover secret keys from both implementations, in 36 and 89 hours respectively.

There is a mitigation against this particular flaw: it's possible to detect a challenge value that could trigger the cascading zeros and reject it before any processing happens. That closes the SIKE quirk, not the underlying channel, so it will be interesting to see whether quirks in other algorithms can be discovered and weaponized with the same technique. Unfortunately, on the processor side, the only real mitigation is to disable boost clocks altogether, which has a significant negative effect on processor performance.
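To make the chain above concrete, here is an added simulation. It is not code from the paper, from CIRCL or from PQCrypto-SIDH, and every constant in it is an assumption chosen so the effect is visible in a few dozen steps: a run with a fixed cycle count, a per-step energy that grows with the Hamming weight of the operand, a clock limiter that drops to base frequency when recent power draw is too high, and an attacker recovering a toy 16-bit key one bit at a time by timing which guess produces the cheaper cascading-zero run. The victim model (one step per key bit, zeros propagating through the steps that follow) is likewise a stand-in for SIKE, and the oracle here is noise-free; against a real server each comparison needs many samples to average out network jitter, which is where the 36 and 89 hours go.

```c
/* hertzbleed_model.c: added simulation of the Hertzbleed chain.  Not code from
 * the paper, CIRCL or PQCrypto-SIDH; every constant below is an assumption. */
#include <stdint.h>
#include <stdio.h>

#define KEY_BITS      16                    /* toy secret, one step per bit             */
#define TAIL_OPS      16                    /* steps after the key loop; a zero         */
                                            /* intermediate propagates through them     */
#define OPS           (KEY_BITS + TAIL_OPS)
#define CYCLES_PER_OP 1000.0                /* constant-time: never depends on data     */
#define BOOST_GHZ     4.0
#define BASE_GHZ      3.0
#define HEAT_DECAY    0.9                   /* assumed: fraction of heat kept per step  */
#define HEAT_LIMIT    18.0                  /* assumed: above this, drop to base clock  */

static int hamming64(uint64_t x) { int n = 0; while (x) { x &= x - 1; n++; } return n; }

/* Assumed power model: a step's energy grows with the Hamming weight of its
   operand, so an all-zero intermediate is the cheapest possible case. */
static double step_energy(uint64_t operand) { return 1.0 + hamming64(operand) / 16.0; }

/* Wall-clock time of a run in ns.  The cycle count is fixed; only the clock the
   limiter grants varies, and the limiter reacts to recent power draw. */
double run_time_ns(const uint64_t *operands, int n) {
    double heat = 0.0, t = 0.0;
    for (int i = 0; i < n; i++) {
        double ghz = heat > HEAT_LIMIT ? BASE_GHZ : BOOST_GHZ;
        t += CYCLES_PER_OP / ghz;                  /* cycles / (cycles per ns) */
        heat = heat * HEAT_DECAY + step_energy(operands[i]);
    }
    return t;
}

/* Same instruction stream, every operand equal to `fill`: the raw effect. */
double constant_operand_run_ns(uint64_t fill) {
    uint64_t ops[OPS];
    for (int i = 0; i < OPS; i++) ops[i] = fill;
    return run_time_ns(ops, OPS);
}

/* Assumed SIKE-like victim: one step per key bit, then TAIL_OPS more steps on
   the running intermediate.  A challenge crafted for a guess of bits 0..k drives
   every intermediate from step k onward to zero if and only if the guess matches
   the secret; otherwise the intermediates stay dense pseudo-random values. */
static void victim_operands(uint32_t secret, uint32_t guess, int k, uint64_t out[OPS]) {
    uint32_t mask = (2u << k) - 1;                                   /* bits 0..k */
    int matched = ((secret ^ guess) & mask) == 0;
    uint64_t state = 0x9e3779b97f4a7c15ULL ^ ((uint64_t)secret << 32);  /* non-zero seed */
    for (int i = 0; i < OPS; i++) {
        state ^= state << 13; state ^= state >> 7; state ^= state << 17;   /* xorshift64 */
        out[i] = (matched && i >= k) ? 0 : state;
    }
}

/* What the attacker can observe: how long the exchange took for a challenge. */
double victim_time_ns(uint32_t secret, uint32_t guess, int k) {
    uint64_t ops[OPS];
    victim_operands(secret, guess, k, ops);
    return run_time_ns(ops, OPS);
}

/* Bit-by-bit recovery: time both values of bit k and keep the faster one. */
uint32_t recover_key(uint32_t secret) {
    uint32_t known = 0;
    for (int k = 0; k < KEY_BITS; k++) {
        double t_zero = victim_time_ns(secret, known, k);
        double t_one  = victim_time_ns(secret, known | (1u << k), k);
        if (t_one < t_zero) known |= 1u << k;   /* the cheaper run hit the cascading zeros */
    }
    return known;
}

int main(void) {
    printf("all-zero operands: %.0f ns, all-ones operands: %.0f ns (same cycle count)\n",
           constant_operand_run_ns(0), constant_operand_run_ns(UINT64_MAX));
    uint32_t secret = 0xBEEF;
    printf("recovered 0x%04x, secret 0x%04x\n", recover_key(secret), secret);
    return 0;
}
```

The point to notice is that `run_time_ns` never looks at the data to decide how many cycles to spend; the leak comes entirely from the limiter, which is exactly why a constant-time audit of the victim would pass it.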

[Frédéric Bassé] has a Google Nest Hub, and he really wanted to run his own Linux distro on it. There's a problem, though: the Nest uses secure boot, and there's no official way to unlock the bootloader. Since when would a dedicated hacker let that stop him? The first step was finding a UART interface, hidden away on some unterminated channels of a ribbon cable. A custom breakout board later, and he had a U-Boot log. Next was to run through the boot-time button combinations and see what U-Boot tried to do with each. One of those combinations boots from a recovery.img on an attached USB drive, which would be ideal, if not for secure boot.

The great thing about U-Boot is that it's open source under the GPL, which means the source code is available for perusal. Find a bug in that source, and you have your secure boot bypass. Open source also allows some fun approaches, like compiling portions of the U-Boot code to run in userspace and exercising them with a fuzzer. That's the approach that found the bug: the USB mass-storage code assumes a 512-byte block size, and a device reporting a block size greater than 512 bytes triggers a buffer overflow. It's a generally safe assumption, as there are hardly any USB storage devices with a larger block size, but the value comes straight from the device's answer to the READ CAPACITY command, so a device the attacker controls can report whatever it likes.

Never fear: a device like the Raspberry Pi Pico can run TinyUSB, which allows emulating a USB mass-storage device with whatever block size you specify. A test confirmed that this approach produced a repeatable crash on the real device. Turning the crash into code execution was fairly straightforward: fill the overflowing data with a sled of no-op instructions leading into a payload, then overwrite the saved return pointer so execution lands in it. Code execution in the can, all that remained was to overwrite U-Boot's command list and execute a custom U-Boot script. A thing of beauty.
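As an added illustration of the trust problem, and not U-Boot's code or Frédéric's exploit, the following models both sides of that exchange: the device answers READ CAPACITY(10) with its own block length (which is what a Pico mass-storage emulator's capacity callback lets you set), and a host driver that copies one device block into a fixed 512-byte sector buffer runs past it as soon as that length is larger. The function and structure names are hypothetical, the canary and slack placed behind the buffer exist only so the overrun stays observable here instead of crashing the process, and the checked variant shows the test that closes the hole.

```c
/* usb_blocksize.c: added model of a host mass-storage driver trusting the block
 * length a device reports.  Not U-Boot's code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512               /* what the host driver assumes every device uses */
#define CANARY      0xA5C3F00Du

/* Device side: READ CAPACITY(10) answers with 8 bytes, big-endian:
   last addressable LBA, then the block length in bytes. */
void encode_read_capacity(uint8_t out[8], uint32_t last_lba, uint32_t block_len) {
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(last_lba  >> (24 - 8 * i));
        out[4 + i] = (uint8_t)(block_len >> (24 - 8 * i));
    }
}

/* Host side: decode the same 8 bytes. */
void decode_read_capacity(const uint8_t in[8], uint32_t *last_lba, uint32_t *block_len) {
    *last_lba = *block_len = 0;
    for (int i = 0; i < 4; i++) {
        *last_lba  = (*last_lba  << 8) | in[i];
        *block_len = (*block_len << 8) | in[4 + i];
    }
}

/* Host buffer as a driver might lay it out: one sector of space.  The canary
   and slack behind it are only here so the overrun in this demo is observable
   rather than a crash; real firmware has whatever happens to follow the buffer. */
typedef struct {
    uint8_t  sector[SECTOR_SIZE];
    uint32_t canary;
    uint8_t  slack[8192];
} host_buffer;

/* BEFORE: trusts the device.  Copies one device block into the sector slot, so
   a reported block length above 512 writes past the end of it. */
int read_block_trusting(uint8_t *sector, const uint8_t *dev_block, uint32_t block_len) {
    memcpy(sector, dev_block, block_len);
    return 0;
}

/* AFTER: reject anything the buffer cannot hold.  Refusing, rather than
   silently clamping, also keeps the driver from parsing a truncated block. */
int read_block_checked(uint8_t *sector, size_t sector_len,
                       const uint8_t *dev_block, uint32_t block_len) {
    if (block_len == 0 || block_len > sector_len) return -1;
    memcpy(sector, dev_block, block_len);
    return 0;
}

/* One scenario end to end: the device advertises block_len, the host reads a
   block.  Returns 1 if the copy completed with the canary intact, 0 if the
   canary was smashed, -1 if the checked driver rejected the device. */
int scenario(uint32_t advertised_block_len, int use_checked_driver) {
    uint8_t wire[8];
    uint32_t last_lba, block_len;
    encode_read_capacity(wire, 2047, advertised_block_len);   /* 2048 blocks */
    decode_read_capacity(wire, &last_lba, &block_len);

    static uint8_t dev_block[8192];                            /* attacker's block content */
    memset(dev_block, 0x41, sizeof dev_block);
    if (block_len > sizeof dev_block) return -1;               /* keep the demo itself in bounds */

    host_buffer hb;
    memset(&hb, 0, sizeof hb);
    hb.canary = CANARY;

    int rc = use_checked_driver
        ? read_block_checked(hb.sector, sizeof hb.sector, dev_block, block_len)
        : read_block_trusting(hb.sector, dev_block, block_len);
    if (rc != 0) return -1;
    return hb.canary == CANARY ? 1 : 0;
}

int main(void) {
    printf("512-byte device, trusting driver:  %d\n", scenario(512, 0));
    printf("4096-byte device, trusting driver: %d\n", scenario(4096, 0));
    printf("4096-byte device, checked driver:  %d\n", scenario(4096, 1));
    return 0;
}
```

In the real exploit the bytes that land past the buffer are not 0x41 but the sled and payload described above, and what they overwrite is not a canary but whatever U-Boot keeps after that buffer, including a return address.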

The lowly ping command. How much can a single pair of packets tell us about a network and a remote host? According to [HD Moore], quite a bit. For example, take the round-trip time of a ping reply and multiply it by 186 miles per millisecond, the speed of light in a vacuum. The reply covered the distance twice, so half that figure is the absolute maximum distance to the host, and because light in fibre travels at roughly two thirds of that speed and routes are rarely straight, a quarter and a half of the naive figure are reasonable lower and upper limits for a distance estimate. The TTL in the reply very likely started at 64, 128, or 255, so rounding the observed value up to the next of those and subtracting gives a really good guess at the number of hops encountered along the way. Oh, and the starting value hints at the OS: 64 is likely a Linux machine, 128 is Windows, and 255 usually indicates a BSD-derived OS.

Receiving a destination host unreachable message is interesting in itself: it tells you about the router that should be able to reach the given IP. Then there's the broadcast address, which sends the request to every host in the subnet. Using something like Wireshark for packet capture is enlightening here. The ping command itself may show only one response, even though multiple devices replied, and each of those replies carries a MAC address whose vendor prefix can be looked up to identify the manufacturer. Another interesting trick is to spoof the source IP address of a ping packet, using the address of a machine you control on the public Internet. Ping every device on the network, and any device with a route out will send its reply via its default gateway, straight to your public host. You might find an Internet connection or VPN that isn't supposed to be there. Who knew you could learn so much from the humble ping.
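The heuristics above turned into code, as an added example rather than [HD Moore]'s own tooling: parse a reply line from Linux/macOS or Windows ping (the sample lines are constructed, not captured traffic), then derive the likely starting TTL, the hop count, the OS family, and the distance bounds. The OS table is the rule of thumb from the text and nothing more, and the distance figures use 186 miles per millisecond, halved for the round trip and quartered for the lower estimate.

```c
/* ping_hints.c: added example applying the ping heuristics to reply lines. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int         initial_ttl;    /* 64, 128 or 255: the value the reply most likely started at */
    int         hops;           /* initial_ttl - observed ttl */
    const char *os_guess;
    double      miles_ceiling;  /* hard upper bound: light in vacuum, one way */
    double      miles_low;      /* a quarter of the naive figure: fibre speed and detours */
} ping_hints;

/* Parse one reply line.  Accepts the Linux/macOS form
   "64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=12.3 ms" and the Windows form
   "Reply from 10.0.0.5: bytes=32 time=3ms TTL=128".  Returns 1 on success;
   timeouts and Windows' "time<1ms" are not usable replies and return 0. */
int parse_ping_reply(const char *line, char *host, size_t hostlen, int *ttl, double *rtt_ms) {
    char h[64];
    if (sscanf(line, "%*d bytes from %63[^:]: icmp_seq=%*d ttl=%d time=%lf", h, ttl, rtt_ms) == 3 ||
        sscanf(line, "Reply from %63[^:]: bytes=%*d time=%lfms TTL=%d", h, rtt_ms, ttl) == 3) {
        if (host && hostlen) snprintf(host, hostlen, "%s", h);
        return 1;
    }
    return 0;
}

/* Round the observed TTL up to the common starting values. */
int guess_initial_ttl(int ttl) { return ttl <= 64 ? 64 : ttl <= 128 ? 128 : 255; }

ping_hints analyze_reply(int ttl, double rtt_ms) {
    ping_hints r;
    double naive = rtt_ms * 186.0;        /* ~186 miles per ms, but covering both directions */
    r.initial_ttl   = guess_initial_ttl(ttl);
    r.hops          = r.initial_ttl - ttl;
    r.os_guess      = r.initial_ttl == 64  ? "Linux or other Unix-like" :
                      r.initial_ttl == 128 ? "Windows" : "BSD-derived";
    r.miles_ceiling = naive / 2.0;        /* the reply travelled there and back */
    r.miles_low     = naive / 4.0;        /* fibre is ~2/3 c and paths are not straight */
    return r;
}

int main(void) {
    /* constructed sample lines, not captured traffic */
    const char *samples[] = {
        "64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=12.3 ms",
        "Reply from 10.0.0.5: bytes=32 time=3ms TTL=128",
        "64 bytes from 192.0.2.9: icmp_seq=1 ttl=250 time=0.8 ms",
        "Request timeout for icmp_seq 2",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char host[64]; int ttl; double rtt;
        if (!parse_ping_reply(samples[i], host, sizeof host, &ttl, &rtt)) {
            printf("skip: %s\n", samples[i]);
            continue;
        }
        ping_hints h = analyze_reply(ttl, rtt);
        printf("%s: ttl %d started at %d, %d hops, %s, %.0f to %.0f miles (ceiling %.0f)\n",
               host, ttl, h.initial_ttl, h.hops, h.os_guess, h.miles_low, h.miles_ceiling / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0 / 2.0 * 2.0, h.miles_ceiling);
    }
    return 0;
}
```

A TTL that does not fit any of the three starting values cleanly (say, 120 hops from a 255 start) is worth a second look; it usually means a middlebox rewrote the TTL or the OS uses an unusual default.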

Internet Explorer is really, truly dead. If you were under the impression, as I was, that Internet Explorer was retired years ago, it may come as a surprise that it was finally done in only this past week. This month's Patch Tuesday was the last day IE was officially supported; from now on it's totally unsupported, and it is slated to eventually be automatically disabled on Windows 10 machines. Also in this month's patch drop was, finally, the fix for Follina, along with a few other important fixes.

There's a new record for HTTPS DDoS attacks, set last week: Cloudflare mitigated an attack peaking at 26 million requests per second. HTTPS floods are a one-two punch, combining raw bandwidth saturation with server resource exhaustion, since an HTTPS request costs the target far more to serve than a plain HTTP one because of the TLS work involved. The attack came from a botnet of VMs and servers, with the largest slice coming from Indonesia.

Running the free tier of Travis CI? Did you know that your build logs are accessible to the whole world via a Travis API call? On top of that, the whole history of runs since 2013 seems to be available. It might be time to go revoke some access keys. Travis makes an attempt to censor access tokens in logs, but quite a few of them make it through the sieve anyway, so any credential that was ever printed by a build should be treated as exposed and rotated.

Ever wonder what the risk matrix looks like for sniffing TPM keys off the bus at boot? It's not pretty. Researchers at Secura looked at six popular encryption and secure-boot applications, and none of them used the TPM's parameter-encryption feature, which would encrypt the keys as they cross the wire between the CPU and the TPM. The ironic conclusion: a discrete TPM chip, whose bus can be probed with a logic analyzer, ends up less secure than a firmware TPM implemented inside the processor, because there is no external bus to sniff.

Here is the original post:
This Week In Security: Pacman, Hetzbleed, And The Death Of Internet Explorer - Hackaday