For decades, and to the delight of penetration testers everywhere, card readers that control access to secure facilities usually relied on the Wiegand protocol wiring standard. Unfortunately, the unencrypted protocol’s numerous security flaws allow those with enough know-how to waltz right into a building.
Fortunately, there’s a replacement: Open Supervised Device Protocol (OSDP), an international standard introduced in 2020. OSDP supports AES-128 encryption, monitors wiring, and introduces numerous other features. But how secure it is may vary, according to new research.
At DEF CON 31 in Las Vegas in August, Bishop Fox researchers Dan Petro and David Vargas presented a bevy of flaws in OSDP and its implementations. For example, while the key feature of OSDP is encryption—intended to thwart ESP keys, the wiretap devices attackers use to capture credentials from a Wiegand interface—the standard doesn’t actually require encryption, and some implementations might not enforce it, either.
That means devices advertised as supporting OSDP might not have encryption at all, and could be susceptible to ESP keys. Some may also be vulnerable to downgrade attacks where an attacker could attempt to trick a controller into believing an unencrypted reader has been connected.
“The encryption [in OSDP] was implemented with something called the secure channel extension,” Vargas told IT Brew. “What we do is, when the controller asks the reader about what its capabilities are…we basically intercept that reply, and we modify it to say, ‘Well, we don’t support encryption.’”
Read more here.—TM
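The downgrade Vargas describes is a capability reply rewritten to claim no encryption support; the controller-side defense is to pin what each reader was provisioned for and refuse a plaintext session rather than quietly fall back. The Python below is an added example, not code from Bishop Fox or any OSDP vendor: it assumes a simplified osdp_PDCAP body (3-byte entries of function code, compliance level, item count) and that code 9 with level 1 denotes AES-128 communication security as in the OSDP spec, which the article does not cite; framing, CRC and key handling are omitted and the sample replies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed OSDP capability numbering (from the spec, not from the article).
CAP_COMM_SECURITY = 9   # "Communication Security" capability function code
LEVEL_AES128 = 1        # compliance level meaning AES-128 secure channel supported

# Constructed osdp_PDCAP bodies: capability 3 (card data format) plus capability 9.
HONEST_PDCAP = bytes([0x03, 0x01, 0x01, 0x09, 0x01, 0x01])    # claims AES-128
TAMPERED_PDCAP = bytes([0x03, 0x01, 0x01, 0x09, 0x00, 0x00])  # rewritten: "no encryption"


@dataclass
class ReaderPolicy:
    address: int
    require_secure_channel: bool  # baseline recorded when the reader was provisioned


def parse_pdcap(payload: bytes) -> Dict[int, Tuple[int, int]]:
    """Parse a PDCAP body into {function_code: (compliance_level, item_count)}."""
    if len(payload) % 3:
        raise ValueError("PDCAP body length is not a multiple of 3")
    caps: Dict[int, Tuple[int, int]] = {}
    for i in range(0, len(payload), 3):
        code, level, count = payload[i], payload[i + 1], payload[i + 2]
        caps[code] = (level, count)
    return caps


def decide_session(policy: ReaderPolicy, pdcap: bytes) -> Tuple[str, str]:
    """Return (decision, reason) for a reader's capability reply.

    "secure"    - reader advertises AES-128; proceed with the secure channel.
    "plaintext" - only reachable when the policy never required encryption.
    "reject"    - reply contradicts the provisioned baseline: treat as a
                  possible downgrade, drop the session and raise an alert.
    """
    caps = parse_pdcap(pdcap)
    level, _ = caps.get(CAP_COMM_SECURITY, (0, 0))
    if level >= LEVEL_AES128:
        return "secure", "reader advertises AES-128 secure channel"
    if policy.require_secure_channel:
        return "reject", (f"reader {policy.address} provisioned for secure channel "
                          "but PDCAP claims none: possible downgrade, alerting")
    # Weak configuration: a controller that never pinned the capability
    # accepts the tampered reply and silently talks in the clear.
    return "plaintext", "reader not provisioned for secure channel (weak policy)"


if __name__ == "__main__":
    for name, reply in (("honest", HONEST_PDCAP), ("tampered", TAMPERED_PDCAP)):
        print(name, decide_session(ReaderPolicy(0, True), reply))
```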
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
The road to continuous compliance never ends…juggling spreadsheets, writing policies from scratch, taking endless screenshots. Here’s an idea: Set your systems to cruise and let Drata’s autopilot system drive your compliance and security.
Drata makes achieving continuous SOC 2, ISO 27001, and GDPR compliance simple. You get a single, clear picture of your compliance status with over 85 integrations connecting to your entire tech stack. And Drata automatically collects proof of compliance for you so you’re compliant 80% faster—so no more screenshots. 
With an intuitive dashboard, 24/5 live agent support, and 16+ frameworks, Drata keeps your compliance bases covered. Goodbye siloed tech stacks and manually updated spreadsheets, hello wide open road efficiencies!
Flip the switch to autopilot.
When it rains DDoS attacks, it pours.
Distributed denial of service attacks are plaguing more businesses than ever before, telecom provider Zayo found in a recent report.
The number of DDoS attacks across North America and Western Europe rose 314% YoY in the first half of 2023, according to Zayo, with especially concentrated activity in the manufacturing, media and entertainment, and cloud and SaaS industries. Customers in the healthcare, finance, and government sectors were also prime targets, the study said.
In a news release, Zayo named DDoS attacks “the most common” type of cyberattack, noting that even small attacks can be devastating, taking down systems for hours at a time and resulting in “lost money, time, customers, and reputation.”
Anna Claiborne, a software engineering SVP at Zayo, likened these attacks to a telephone operator who gets overwhelmed with the volume of incoming calls and can only put new callers on hold.
“They don’t actually get to deal with any of those calls. So, it’s the same thing that happens with a web server once it’s under DDoS attack,” Claiborne told IT Brew. “All legitimate users just go unanswered.”
Read more here.—KG
Unemployment in the tech sector increased slightly in August, but overall numbers remain strong in the industry.
That’s according to the latest numbers from CompTIA. The nonprofit trade association’s assessment of the tech labor market over the last month—using Bureau of Labor Statistics numbers—found that 189,000 tech jobs were cut in August.
For people out of work, it wasn’t all bad news. Employers were still seeking to fill 208,000 tech positions, an increase of 12,643 from July’s 204,400.
Nonetheless, unemployment in the sector increased to 2.1% from July’s 1.8%; the latter, as IT Brew reported, was the lowest tech unemployment number since January. The increase mirrored the broader economic news, as national unemployment bumped up slightly to 3.8% overall.
Employers are looking for information security analysts; postings for those positions grew 19% from July to August. According to CompTIA’s analysis, employers are also still looking to hire “software developers, tech support specialists, computer systems analysts, and data scientists.”
The tech sector is healthy and expects to continue to see added investment through the end of the year, according to an August 31 analysis from Wedbush Securities. In the report, analysts cite the increase in overall investment in AI technology as a driver in the industry’s growth.
Keep reading here.—EH
Time to crunch the numbers. Overspending on cloud data transfers? Figure out how much you can save with Akamai’s Cloud Pricing Calculator. Is it time to switch from an on-premise setup or to a new cloud service? Compare your IT and networking expenses and get the most for your money with this cost estimator.
Today’s top IT reads.
Stat: 59%. That’s the percentage of academic AI experts who support creating a federal watchdog (37%) or an international regulator (22%) to police AI, according to an Axios-Generation Lab-Syracuse University poll. (Axios)
Quote: “Ultimately, this boils down to return on investment from an attacker’s perspective.”—Qualys Product Management VP Mehul Revankar on why 15 of the 20 most-exploited software vulnerabilities are in Microsoft code (The Register)
Read: The Pentagon wants a vast fleet of AI drones and autonomous systems, because what could possibly go wrong? (the Wall Street Journal)
Clean up compliance: No more manually updating spreadsheets and taking screenshots to prove compliance. With Drata’s autopilot system, maintaining continuous SOC 2, ISO 27001, and GDPR compliance is simple—and 80% faster. Check it out.*
*A message from our sponsor.
Are you an exec looking to make your next career move or join a board of directors? We’ve partnered with ExecThread, where you can find thousands of confidential job opportunities and board roles that aren’t listed anywhere else. Check out positions like: