Security Scene: October 2021 Edition
By Adair Thaxton, Internet2 Cyberinfrastructure Security Engineer
Security Scene is a monthly roundup of cybersecurity news highlights compiled by Internet2 Cyberinfrastructure Security Engineer Adair Thaxton. Adair connects recent headlines to security best practices, within the lens of the research and education community and our broader digital society. Plus, she’s got jokes!
It’s October! You knew that, right? You’re stocked up on candy and definitely not eating it? Me too!
Syniverse, a telecom company that handles billions of text messages for its carrier clients, announced a breach that went on for five years. Syniverse handles backend transactions among several hundred customer companies, sharing billing data and call records among them. It’s not immediately clear whether metadata or SMS messages were exposed, but we can add this to the list of reasons why using SMS for two-factor authentication is a bad idea!
Here’s an interesting conundrum: we can assume our information has been leaked in at least one breach by now, right? What if researchers want to study it? The article proposes six conditions that should be met in order for studying hacked data to be ethically reasonable. It feels like it should be obvious that scientists should not hack or steal data themselves in order to study it, but it also makes an excellent point that if a scientist downloads publicly available hacked data, they may be at risk for illegally possessing stolen property.
Let’s add another aspect to TEMPEST (codename), shall we? A researcher in Israel has a proof-of-concept attack showing how a radio antenna at 250Mhz can be used to sniff traffic on CAT6A. He had to use a very low transmission rate, and noise from other cables could be a massive problem, but it’s still a new proof-of-concept for a type of attack that’s been around a long time.
Finally, oh dear.