Weekend Reads 081018: Security and Privacy in Focus

It started with a lengthy email to the NANOG mailing list on 25 June 2018 — independent security researcher Ronald Guilmette detailed the suspicious routing activities of a company called Bitcanal, which he referred to as a “Hijack Factory”. —Doug Madory @APNIC

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security. @Krebs on Security

A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack). @Krebs on Security

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the world, and senior figures from companies like Facebook, Microsoft, Apple and Cloudflare—it’s easy to imagine a covert machination or two. —Katitza Rodriguez, Danny O’Brien, and Maryant Fernandez @EFF

The Resource Public Key Infrastructure (RPKI) is a modern reimagination of the good ole’ Internet Routing Registry (IRR) system we have come to love and hate. The main advantage of RPKI is that consumers of the data can cryptographically verify whether they were the actual owners of the IP prefix that created a so-called RPKI Route Origin Authorization (ROA). —Job Snijders @APNIC

A new policy paper making the rounds in Congress and tech circles could signal the future of regulating big tech. The white paper, which was first obtained by Axios, was written by the office of Sen. Mark Warner (D., Va.), vice chairman of the Senate Intelligence Committee. Warner is one of the leading Democrats investigating Russian interference in the 2016 election. —Charles Fain Lehman @The Free Beacon

In 2013, revelations made by German paper Der Spiegel showed that the NSA was taking advantage of certain backdoors in Cisco’s routers. Cisco denied accusations that it was working with the NSA to implement these backdoors. In 2014, a new undocumented backdoor was found in Cisco’s routers for small businesses, which could allow attackers to access user credentials and issue arbitrary commands with escalated privileges. —Lucian Armasu @Tom’s Hardware

A team of security researchers has discovered a new Spectre attack that can be launched over the network, unlike all other Spectre variants that require some form of local code execution on the target system. —Mohit Kumar @The Hacker News

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. @Vulnerability Notes