IoT gear is generating easy-to-crack keys because they repeat the key once every 172 times

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won’t be an easy one to solve.

This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.

Comparing the millions of keys on an Azure cloud instance, the team found common factors were used to generate keys at a rate of 1 in 172 (435,000 in total). By comparison, the team also analyzed 100 million certificates collected from the Certificate Transparency logs on desktops, where they found common factors in just five certificates, or a rate of 1 in 20 million.

The team believes that the reason for this poor entropy is down to IoT devices. Because the embedded gear is often based on very low-power hardware, the devices are unable to properly generate random numbers.

The result is keys that could be easier for an attacker to break, leaving the device and all of its users vulnerable.
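The weakness Keyfactor describes is that two independently generated moduli end up sharing one prime factor; the GCD of such a pair is that prime, which factors both keys. The audit below is an added example (not Keyfactor's tooling or code from the article) that a fleet operator can run over their own certificate inventory to flag affected keys. The primes and device names are constructed toy values far smaller than real RSA primes; the batch product-and-divide pass is a simplification of the standard batch-GCD approach.

```python
import math

# Constructed toy primes (real RSA primes are ~1024 bits; these are only for illustration).
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed "certificate inventory": device-A and device-B both reuse P1,
# which is the poor-entropy failure mode described in the text.
SAMPLE_MODULI = {
    "device-A": P1 * P2,
    "device-B": P1 * P3,   # shares P1 with device-A, so both become factorable
    "device-C": P4 * P5,   # independent primes, should pass the audit
}


def _factor_via_peers(name, moduli):
    """Pairwise fallback: find a proper factor of moduli[name] shared with any peer.
    Returns None when the only sharing is an exact duplicate modulus."""
    n = moduli[name]
    for other, m in moduli.items():
        if other == name:
            continue
        g = math.gcd(n, m)
        if 1 < g < n:
            return g
    return None


def shared_factor_audit(moduli):
    """Flag every modulus that shares a prime with another modulus in the set.

    Returns {name: (p, q)} with p < q for factored keys, or {name: None} when the
    key is weak only because an identical modulus appears elsewhere.
    One product-and-divide pass finds gcd(n, product_of_others) for each n;
    when that gcd equals n itself (both primes are shared), fall back to
    pairwise gcds to split it.
    """
    product = 1
    for n in moduli.values():
        product *= n

    weak = {}
    for name, n in moduli.items():
        g = math.gcd(n, product // n)
        if g == 1:
            continue  # no prime in common with any other modulus
        if g == n:
            g = _factor_via_peers(name, moduli)
            if g is None:
                weak[name] = None  # duplicate modulus, not split here
                continue
        p, q = sorted((g, n // g))
        weak[name] = (p, q)
    return weak


def weak_key_rate(moduli):
    """Fraction of moduli flagged by the audit, comparable to the 1-in-172 figure."""
    return len(shared_factor_audit(moduli)) / len(moduli)


if __name__ == "__main__":
    for name, factors in shared_factor_audit(SAMPLE_MODULI).items():
        print(f"{name}: shared-factor key, factors={factors}")
    print(f"weak rate: {weak_key_rate(SAMPLE_MODULI):.3f}")
```

On a real inventory the moduli come from parsing the certificates' public keys; any key the audit flags should be treated as compromised and rotated on a device with a proper entropy source, and the remediation guidance in the quoted conclusion (sufficient entropy at manufacture time) is what prevents the recurrence.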

“The widespread susceptibility of these IoT devices poses a potential risk to the public due to their presence in sensitive settings,” Keyfactor researchers Jonathan Kilgallin and Ross Vasko noted.

“We conclude that device manufacturers must ensure their devices have access to sufficient entropy and adhere to best practices in cryptography to protect consumers.”

Source: Internet of crap (encryption): IoT gear is generating easy-to-crack keys • The Register

Controversial sale of money-grabbing .org domain faces review at ICANN

ICANN is reviewing the pending sale of the .org domain manager from a nonprofit to a private equity firm and says it could try to block the transfer.

The .org domain is managed by the Public Internet Registry (PIR), which is a subsidiary of the Internet Society, a nonprofit. The Internet Society is trying to sell PIR to private equity firm Ethos Capital.

ICANN (Internet Corporation for Assigned Names and Numbers) said last week that it sent requests for information to PIR in order to determine whether the transfer should be allowed. “ICANN will thoroughly evaluate the responses, and then ICANN has 30 additional days to provide or withhold its consent to the request,” the organization said.

ICANN, which is also a nonprofit, previously told the Financial Times that it “does not have authority over the proposed acquisition,” making it seem like the sale was practically a done deal. But even that earlier statement gave ICANN some wiggle room. ICANN “said its job was simply to ‘assure the continued operation of the .org domain’—implying that it could only stop the sale if the stability and security of the domain-name infrastructure were at risk,” the Financial Times wrote on November 28.

In its newer statement last week, ICANN noted that the .org registry agreement between PIR and ICANN requires PIR to “obtain ICANN’s prior approval before any transaction that would result in a change of control of the registry operator.”

ICANN can raise “reasonable” objection

The registry agreement lets ICANN request transaction details “including information about the party acquiring control, its ultimate parent entity, and whether they meet the ICANN-adopted registry operator criteria (as well as financial resources, and operational and technical capabilities),” ICANN noted. ICANN’s 30-day review period begins after PIR provides those details.

Per the registry agreement, ICANN said it will apply “a standard of reasonableness” when determining whether to allow the change in control over the .org domain. As Domain Name Wire noted in a news story, whether ICANN can block the transfer using that standard “might ultimately have to be determined by the courts.”

The agreement between PIR and ICANN designates PIR as the registry operator for the .org top-level domain. It says that “neither party may assign any of its rights and obligations under this Agreement without the prior written approval of the other party, which approval will not be unreasonably withheld.”

Concern about price hikes, transparency

The pending sale comes a few months after ICANN approved a contract change that eliminates price caps on .org domain names. The sale has raised concerns that Ethos Capital could impose large price hikes.

Source: Controversial sale of .org domain manager faces review at ICANN | Ars Technica

Amazon Blocks Sellers From Using FedEx Ground For Prime Shipments – way to have fun using a monopoly!

Amazon.com is blocking its third-party sellers from using FedEx’s ground delivery network for Prime shipments, citing a decline in performance heading into the final stretch of the holiday shopping season. The ban on using FedEx’s Ground and Home services starts this week and will last “until the delivery performance of these ship methods improves,” according to an email Amazon sent Sunday to merchants that was reviewed by The Wall Street Journal. Amazon has stopped using FedEx for its own deliveries in the U.S., but third-party merchants had still been able to use FedEx. Such sellers now account for more than half of the merchandise sold on Amazon’s website, including many items listed as eligible for Prime.

FedEx said the decision impacts a small number of shippers but “limits the options for those small businesses on some of the highest shipping days in history.” The carrier said it still expects to handle a record number of packages this holiday season. “The overall impact to our business is minuscule,” a FedEx spokeswoman said. In its email to merchants, Amazon said sellers can use FedEx’s speedier and more expensive Express service for Prime orders or FedEx Ground for non-Prime shipments.

Source: Amazon Blocks Sellers From Using FedEx Ground For Prime Shipments – Slashdot

How can a marketplace justify controlling its sellers' logistics?