https://spectrum.ieee.org/tech-talk/telecom/security/everything-you-need-to-know-about-wpa3

WPA3 is here and is just started to be implemented in network devices. It’s been nearly 14 years and the update brings some much needed security updates, along with some useful features. WPA3 brings to the table a new authentication system named Simultaneous Authentication of Equals (SAE), this new system is more secure than the Pre-Shared Key (PSK) method and prevents the Key Reinstallation Attacks which worked well over PSK systems. Along with this, SAE also employs forward secrecy, so if someone were to nab the encrypted data it would be rendered useless, as the encryption password is changed every time a connection is made. WAP3 provides a feature named Easy Connect, simply scan a network device’s QR code and your in. Another feature is Enhanced Open, a feature which aims to reduce the number of passive attacks which can plague open networks in coffee shops and other open WiFi areas. It will be some time until WPA3 is accepted and regarded as standard, but if you want to adopt the new update right away then some WPA3 certified devices should be releasing within a few months.

https://www.riskiq.com/blog/labs/magecart-newegg/

Magecart, a hacking group known for skimming credit credits from websites, attacked Newegg after their successful attack on British Airways. Magecart created a website similar in name to Newegg and obtained a certificate by Comodo, a cyber security company, to lend an air of credence to their domain. The group then placed the skimmer on the checkout page on Newegg and was able to skim credit cards from August 14th to September 18th. The base code for the skimmer was comparable to the skimmer the group used to skim credit cards from the British Airways website. Since the skimmer was active for over a month at a popular website for computer parts and other computer accessories the amount of credit cards skimmed is assumed to be very large. If you know of any credit cards that were used at Newegg within the month it is recommended to get in touch with your credit card provider and receive a new card.

https://www.esat.kuleuven.be/cosic/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/

SUMMARY

Some high-end vehicles give you the option to enter the car and start it by just having the key fob on your person. This simple process can be described as the car talking to the key fob, the key fob responding, the car asking for authentication, and the key fob providing the info. The car being tested on is a Tesla Model S, which has the encryption cipher being DST40, a cipher which was reverse engineered in 2005 and is a largely out-of-date cipher. The car’s identifier is public, so challenges can be issued to the key fob, this can be done quickly so a time-memory-trade-off attack is used. “The attacker device consists of a Raspberry Pi 3 Model B+, Proxmark3, Yard Stick One, and a USB battery pack.” (Wouters) The Proof of Concept attack was able to clone the key fob in three seconds, a fairly practical amount of time to steal a car. The article goes on to mention that Tesla did not design the system, but bought it from Pektron. Pektron designs keyless entries for other manufacturers, implying that the same vulnerability may be present in other vehicles. The practical solution is to either disable keyless entry and use the pin to drive feature or to not make the process automatic and implement a button to enable the low frequency communication. One things for sure, some kind of security change should be implemented.

http://overthewire.org/wargames/natas/

The link I provided is to a nice little training ground for some basic server side security. Ultimately, I believe one of the best ways to learn how to protect from attacks is to get good at being able to do them in practice. If one knows how to perform a server side attack then they’ll understand the principles behind defending from them. It’s also an enjoyable way to learn as well.

Natas has you going up the ranks in various “levels”, starting from just giving you the username and password, to finding a way to discover the password on your own from the website you’ve been given. If you have a couple of minutes I recommend checking it out and see how far you can go.