Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 3, 2017

Sophisticated, Chilling, Alarming, Nefarious, Vicious … HBO Hack 2017

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:44 pm

Sophisticated, chilling, alarming, nefarious, vicious, are all terms used to describe the recent HBO hack.

For your reading pleasure, try HBO Hack: Insiders Fear Leaked Emails as FBI Joins Investigation by Tatiana Siegel, or HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE) by Janko Roettgers

There’s a shortage of facts available concerning this hack of HBO (Home Box Office) but 1.5 terabytes is being thrown around as a scary number for the data loss.

While everyone else oohs and aahs over 1.5 terabytes of data, you can smile knowing that a new Dell XPS 27 sells pre-configured with a 2 terabyte drive for $1899.99, shipping, taxes, blah, blah extra. That’s a mid to low range desktop.

Hackers may have gotten 1.5 terabytes of data but that’s no indication of its worth. How do you count emails with dozens of people on the cc: line? Or multiple versions of the same video?

I don’t have time to watch the majority of HBO content on my legitimate subscription so I’m not interested in the stolen content, assuming it includes anything worth watching.

Of greater interest is forensic analysis of how the hack was performed, because post-Sony, one expects HBO avoided the obvious faults that led to the Sony hack. If they did, perhaps there is something to be learned here.

Unlike the Podesta “hack,” which consisted of losing his email password in a phishing attack. That’s not really a hack, that’s just dumb

Watch your favorite sites for alleged HBO content.

Alleged HBO content with viruses, malware and ransomeware! Oh, my!

July 28, 2017

Microsoft Fuzzing (Linux Too)

Filed under: Cybersecurity,Fuzzing,Security — Patrick Durusau @ 4:53 pm

Microsoft Security Risk Detection

From the webpage:

What is Microsoft Security Risk Detection?

Security Risk Detection is Microsoft’s unique fuzz testing service for finding security critical bugs in software. Security Risk Detection helps customers quickly adopt practices and technology battle-tested over the last 15 years at Microsoft.

“Million dollar” bugs

Security Risk Detection uses “Whitebox Fuzzing” technology which discovered 1/3rd of the “million dollar” security bugs during Windows 7 development.

Battle tested tech

The same state-of-the-art tools and practices honed at Microsoft for the last decade and instrumental in hardening Windows and Office — with the results to prove it.

Scalable fuzz lab in the cloud

One click scalable, automated, Intelligent Security testing lab in the cloud.

Cross-platform support

Linux Fuzzing is now available. So, whether you’re building or deploying software for Windows or Linux or both, you can utilize our Service.

No bug detection and/or fuzzing technique is 100%.

Here MS says for one product its “Whitebox Fuzzing” was 33% effective against “million dollar” security bugs.

A more meaningful evaluation of “Whitebox Fuzzing” would be to say which of the 806 Windows 7 vulnerabilities listed at CVE Details were detected and which ones were not.

I don’t know your definition of a “million dollar” security bugs so statistics against known bugs would be more meaningful.

Yes?

Surveillance Industry Index – Update – 223 More Sources/Targets

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:31 am

Surveillance Industry Index

When I last mentioned the Surveillance Industry Index in Vendors, Targets, Both? (August 2, 2016), it listed 2350 vendors.

As of today (28 August 2017), that listing has grown to 2573 vendors, and increase of 223.

Enjoy!

July 26, 2017

Fancy Airline Lounges W/O Fancy Airline Ticket

Filed under: Cybersecurity,QR Codes,Security — Patrick Durusau @ 2:26 pm

Andy Greenberg posted a hot travel tip last August (2016) in Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges:

As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he’d never be locked out of an airline lounge again.

The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he’s now used dozens of times to enter airline lounges all over Europe. It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists. And that security flaw, he says, allows him or anyone else capable of generating a simple QR code to both access exclusive airport lounges and buy things at duty free shops that require proof of international travel, all without even buying a ticket.

See Greenberg’s post for details on prior work with boarding passes.

Caveat: This has not been tested outside of Europe.

Airlines could challenge your right to use a lounge, based on your appearance, but an incident or two with legitimate customers being booted, should cure them of that pettiness.

Greenberg posted this in August of 2016 and I haven’t seen any updates.

You?

Happy travels!

July 25, 2017

We’ll Pay You to #HackTor

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 4:02 pm

We’ll Pay You to #HackTor

From the post:

THERE ARE BUGS AMONG US

Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical. Bugs in our code pose one of the biggest threats to our users’ safety; they allow skilled attackers to bypass Tor’s protections and compromise the safety of Tor users.

We’re constantly looking for flaws in our software and been fortunate to have a large community of hackers who help us identify and fix serious issues early on, but we think we can do even more to protect our users. That’s why if you can #HackTor and find bugs in our software, we want reward you.

JOIN OUR FIRST PUBLIC BUG BOUNTY

With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution. In January 2016, we launched a private bug bounty; hackers helped us catch 3 crash/DoS bugs (2 OOB-read bugs + 1 infinite loop bug) and 4 edge-case memory corruption bugs.

Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks. We’ll award up to $4,000 per bug report, depending on the impact and severity of what you find.

HERE’S HOW TO GET STARTED

Sign up for an account at HackerOne. Visit https://hackerone.com/torproject for the complete guidelines, details, terms, and conditions of our bug bounty. Then, start finding and reporting bugs to help keep Tor and Tor Browser safe.

Happy bug hunting!

The pay isn’t great but it’s for a worthy cause.

Any improvement individual security is a net win for individuals everywhere.

July 14, 2017

Next Office of Personnel Management (OPM) Leak, When, Not If

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 4:52 pm

2 Years After Massive Breach, OPM Isn’t Sufficiently Vetting IT Systems by Joseph Marks.

From the post:

More than two years after suffering a massive data beach, the Office of Personnel Management still isn’t sufficiently vetting many of its information systems, an auditor found.

In some cases, OPM is past due to re-authorize IT systems, the inspector general’s audit said. In other cases, OPM did reauthorize those systems but did it in a haphazard and shoddy way during a 2016 “authorization sprint,” the IG said.

“The lack of a valid authorization does not necessarily mean that a system is insecure,” the auditors said. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”

The full audit provides more details but suffice it to say OPM security is as farcical as ever.

Do you think use of https://www.opm.gov/ in hacking examples and scripts, would call greater attention to flaws at the OPM?

Detecting Leaky AWS Buckets

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:22 pm

Experts Warn Too Often AWS S3 Are Misconfigured, Leak Data by Tom Spring.

From the post:

A rash of misconfigured Amazon Web Services storage servers leaking data to the internet have plagued companies recently. Earlier this week, data belonging to anywhere between six million and 14 million Verizon customers were left on an unprotected server belonging to a partner of the telecommunications firm. Last week, wrestling giant World Wide Entertainment accidentally exposed personal data of three million fans. In both cases, it was reported that data was stored on AWS S3 storage buckets.

Reasons why this keeps on happening vary. But, Detectify Labs believes many leaky servers trace back to common errors when it comes to setting up access controls for AWS Simple Storage Service (S3) buckets.

In a report released Thursday, Detectify’s Security Advisor Frans Rosén said network administrators too often gloss over rules for configuring AWS’ Access Control Lists (ACL) and the results are disastrous.

Jump to the report released Thursday for the juicy details.

Any thoughts on the going rate for discovery of leaky AWS buckets?

Could be something, could be nothing.

In any event, you should be checking your own AWS buckets.

Successful Phishing Subject Lines

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:47 pm

Gone Phishing: The Top 10 Attractive Lures by Roy Urrico.

From the post:

The list shows there’s still a lot of room to train employees on how to spot a phishing or spoofed email. Here they are:

  • Security Alert – 21%
  • Revised Vacation and Sick Time Policy – 14%
  • UPS Label Delivery 1ZBE312TNY00015011 – 10%
  • BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10%
  • A Delivery Attempt was made – 10%
  • All Employees: Update your Healthcare Info – 9%
  • Change of Password Required Immediately – 8%
  • Password Check Required Immediately – 7%
  • Unusual sign-in activity – 6%
  • Urgent Action Required – 6%

*Capitalization is as it was in the phishing test subject line

A puff piece for KnowBe4 but a good starting point. KnowBe4 has an online phishing test among others. The phishing test requires registration.

Enjoy!

Targets of Government Cybercrimnal Units

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 12:27 pm

The Unfortunate Many: How Nation States Select Targets

From the post:

Key Takeaways

  • It’s safe to assume that all governments are developing and deploying cyber capabilities at some level. It’s also safe to assume most governments are far from open about the extent of their cyber activity.
  • If you take the time to understand why nation states get involved with cyber activity in the first place, you’ll find their attacks are much more predictable than they seem.
  • Each nation state has its own objectives and motivations for cyber activity. Even amongst big players like China, Russia, and the U.S. there’s a lot of variation.
  • Most nation states develop national five-year plans that inform all their cyber activities. Understanding these plans enables an organization to prioritize preparations for the most likely threats.

There’s a name for those who rely on governments, national or otherwise, to protect their cybersecurity: victims.

Recorded Future gives a quick overview of factors that may drive the objectives of government cybercriminal units.

I use “cybercriminal units” to avoid the false dichotomy between alleged “legitimate” government hacking and that of other governments and individuals.

We’re all adults here and realize government is a particular distribution of reward and stripes, nothing more. It has no vision, no goal beyond self-preservation and certainly, beyond your locally owned officials, no interest in you or yours.

That is to say governments undertaking hacking to further a “particular distribution of reward and stripes” and their choices are no more (or less) legitimate than anyone else’s.

Government choices are certainly no more legitimate than your choices. Although governments claim a monopoly on criminal prosecutions, which accounts for why criminals acting on their behalf are never prosecuted. That monopoly also explains why governments, assuming they have possession of your person, may prosecute you for locally defined “criminal” acts.

Read the Recorded Future post to judge your odds of being a victim of a national government. Then consider which governments should be your victims.

Summer Pocket Change – OrientDB Code Execution

Filed under: Cybersecurity,Security,Software — Patrick Durusau @ 10:32 am

SSD Advisory – OrientDB Code Execution

From the webpage:

Want to get paid for a vulnerability similar to this one?

Contact us at: ssd@beyondsecurity.com

Vulnerability Summary

The following advisory reports a vulnerability in OrientDB which allows users of the product to cause it to execute code.

OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable, high-performance, operational NoSQL database.

Credit

An independent security researcher, Francis Alexander, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

The vendor has released patches to address this vulnerability.

For more information: https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#security.

Some vulnerabilities require deep code analysis, others, well, just asking the right questions.

If you are looking for summer pocket change, check out default users, permissions, etc. on popular software.

July 6, 2017

Kaspersky: Is Source Code Disclosure Meaningful?

Filed under: Cybersecurity,Government,Open Source,Security — Patrick Durusau @ 2:23 pm

Responding to a proposed ban of Kaspersky Labs software, Eugene Kaspersky, chief executive of Kaspersky, is quoted in Russia’s Kaspersky Lab offers up source code for US government scrutiny, as saying:

The chief executive of Russia’s Kaspersky Lab says he’s ready to have his company’s source code examined by U.S. government officials to help dispel long-lingering suspicions about his company’s ties to the Kremlin.

In an interview with The Associated Press at his Moscow headquarters, Eugene Kaspersky said Saturday that he’s also ready to move part of his research work to the U.S. to help counter rumors that he said were first started more than two decades ago out of professional jealousy.

“If the United States needs, we can disclose the source code,” he said, adding that he was ready to testify before U.S. lawmakers as well. “Anything I can do to prove that we don’t behave maliciously I will do it.”

Personally I think Kaspersky is about to be victimized by anti-Russia hysteria, where repetition of rumors, not facts, are the coin of the realm.

Is source code disclosure is meaningful? A question applicable to Kasperky disclosures to U.S. government officials, or Microsoft or Oracle disclosures of source code to foreign governments.

My answer is no, at least if you mean source code disclosure limited to governments or other clients.

Here’s why:

  • Limited competence: For the FBI in particular, source code disclosure is meaningless. Recall the FBI blew away $170 million in the Virtual Case File project with nothing to show and no prospect of a timeline, after four years of effort.
  • Limited resources: Guido Vranken‘s The OpenVPN post-audit bug bonanza demonstrates that after two (2) manual audits, vulnerabilities remain to be found in OpenVPN. Unlike OpenVPN, any source code given to a government will be reviewed at most once and then only by a limited number of individuals. Contrast that with OpenVPN, which has been reviewed for years by a large number of people and yets flaws remain to be discovered.
  • Limited staff: Closely related to my point about limited resources, the people in government who are competent to undertake a software review are already busy with other tasks. Most governments don’t have a corps of idle but competent programmers waiting for source code disclosures to evaluate. Whatever source code review takes place, it will be the minimum required and that only as other priorities allow.

If Kaspersky Labs were to open source but retain copyright on their software, then their source code could be reviewed by:

  • As many competent programmers as are interested
  • On an ongoing basis
  • By people with varying skills and approaches to software auditing

Setting a new standard, that is open source but copyrighted for security software, would be to the advantage of leaders in Gartner’s Magic Quadrant, others, not so much.

It’s entirely possible for someone to compile source code and avoid paying a license fee but seriously, is anyone going to pursue pennies on the ground when there are $100 bills blowing overhead? Auditing, code review, transparency, trust. (I know, the RIAA chases pennies but it’s run by delusional paranoids.)

Three additional reasons for Kaspersky to go open source but copyrighted:

  • Angst among its more poorly managed competitors will soar.
  • Example for government mandated open source but copyright for domestic sales. (Think China, EU, Russia.)
  • Front page news featuring Kaspersky Labs as breaking away from the pack.

Entirely possible for Kaspersky to take advantage of the narrow-minded nationalism now so popular in some circles of the U.S. government. Not to mention changing the landscape of security software to its advantage.

June 30, 2017

Reinventing Wheels with No Wheel Experience

Filed under: Cybersecurity,Programming,Security,Software Engineering — Patrick Durusau @ 9:33 am

Rob Graham, @ErrataRob, captured an essential truth when he tweeted:

Wheel re-invention is inherent every new programming language, every new library, and no doubt, nearly every new program.

How much “wheel experience” every programmer has across the breath of software vulnerabilities?

Hard to imagine meaningful numbers on the “wheel experience” of programmers in general but vulnerability reports make it clear either “wheel experience” is lacking or the lesson didn’t stick. Your call.

Vulnerabilities may occur in any release so standard practice is to check every release, however small. Have your results independently verified by trusted others.

PS: For the details on systemd, see: Sergey Bratus and the systemd thread.

June 29, 2017

Fuzzing To Find Subjects

Filed under: Cybersecurity,Fuzzing,Security,Subject Identity — Patrick Durusau @ 4:51 pm

Guido Vranken‘s post: The OpenVPN post-audit bug bonanza is an important review of bugs discovered in OpenVPN.

Jump to “How I fuzzed OpenVPN” for the details on Vranken fuzzing OpenVPN.

Not for the novice but an inspiration to devote time to the art of fuzzing.

The Open Web Application Security Project (OWASP) defines fuzzing this way:

Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.

OWASP’s fuzzing mentions a number of resources and software, but omits the Basic Fuzzing Framework by CERT. That’s odd don’t you think?

The CERT Basic Fuzzing Framework (BFF), is current through 2016. Allen Householder has a description of version 2.8 at: Announcing CERT Basic Fuzzing Framework Version 2.8. Details on BFF, see: CERT BFF – Basic Fuzzing Framework.

Caution: One resource in the top ten (#9) for “fuzzing software” is: Fuzzing: Brute Force Vulnerability Discovery, by Michael Sutton, Adam Greene, and Pedram Amini. Great historical reference but it was published in 2007, some ten years ago. Look for more recent literature and software.

Fuzzing is obviously an important topic in finding subjects (read vulnerabilities) in software. Whether your intent is to fix those vulnerabilities or use them for your own purposes.

While reading Vranken‘s post, it occurred to me that “fuzzing” is also useful in discovering subjects in unmapped data sets.

Not all nine-digit numbers are Social Security Numbers but if you find a column of such numbers, along with what you think are street addresses and zip codes, it would not be a bad guess. Of course, if it is a 16-digit number, a criminal opportunity may be knocking at your door. (credit card)

While TMDM topic maps emphasized the use of URIs for subject identifiers, we all know that subject identifications outside of topic maps are more complex than string matching and far messier.

How would you create “fuzzy” searches to detect subjects across different data sets? Are there general principles for classes of subjects?

While your results might be presented as a curated topic map, the grist for that map would originate in the messy details of diverse information.

This sounds like an empirical question to me, especially since most search engines offer API access.

Thoughts?

Tor descriptors à la carte: Tor Metrics Library 2

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 1:23 pm

Tor descriptors à la carte: Tor Metrics Library 2.

From the post:

We’re often asked by researchers, users, and journalists for Tor network data. How can you find out how many people use the Tor network daily? How many relays make up the network? How many times has Tor Browser been downloaded in your country? In order to get to these answers from archived data, we have to continuously fetch, parse, and evaluate Tor descriptors. We do this with the Tor Metrics Library.

Today, the Tor Metrics Team is proud to announce major improvements and launch Tor Metrics Library version 2.0.0. These improvements, supported by a Mozilla Open Source Support (MOSS) “Mission Partners” award, enhance our ability to monitor the performance and stability of the Tor network.

Tutorials too! How very cool!

From the tutorials page:

“Tor metrics are the ammunition that lets Tor and other security advocates argue for a more private and secure Internet from a position of data, rather than just dogma or perspective.”
— Bruce Schneier (June 1, 2016

Rocks!

Encourage your family, friends, visitors to all use Tor. Consider an auto-updated display of Tor statistics to drive further use.

Relying on governments, vendors and interested others for security, is by definition, insecurity.

Targeting Data: Law Firms

Filed under: Cybersecurity,Security,Transparency — Patrick Durusau @ 12:58 pm

Law Firm Cyber Security Scorecard

From the webpage:

If you believe your law firm is cyber secure, we recommend that you download this report. We believe you will be quite surprised at the state the law firm industry as it relates to cyber security. This report demonstrates three key findings. First, law firms are woefully insecure. Second, billions of dollars are at-risk from corporate and government clients. Third, there exists little transparency between firms and clients about this issue.

How do we know this? LOGICFORCE surveyed and assessed over 200 law firms, ranging in size from 1 to 450+ total attorneys, located throughout the United States, working in a full complement of practice areas. The insights in this study come from critical data points gathered through authorized collection of anonymized LOGICFORCE system monitoring data, responses to client surveys, our proprietary SYNTHESIS E-IT SECURE™ assessments and published industry information.

Key Findings:

  • Every law firm assessed was targeted for confidential client data in 2016-2017. Approximately 40% did not know they were breached.
  • We see consistent evidence that cyber attacks on law firms are non-discriminatory. Size and revenues don’t seem to matter.
  • Only 23% of firms have cybersecurity insurance policies.
  • 95% of assessments conducted by LOGICFORCE show firms are not compliant with their data governance and cyber security policies.
  • 100% of those firms are not compliant with their client’s policy standards.

LOGICFORCE does not want your law firm to make headlines for the wrong reasons. Download this report now so you can understand your risks and begin to take appropriate action.

The “full report,” which I downloaded, is a sales brochure for LOGICFORCE and not a detailed technical analysis. (12 pages including cover front and back.)

It signals the general cyber vulnerability of law firms, but not so much of what works, what doesn’t, security by practice area, etc.

The Panama Papers provided a start on much needed transparency for governments and the super wealthy. That start was the result of a breach at one (1) law firm.

Martindale.com lists over one million (1,000,000) lawyers and law firms from around the world.

The Panama Papers and following fallout were the result of breaching 1 out of 1,000,000+ lawyers and law firms.

Do you ever wonder what lies hidden in the remaining 1,000,000+ lawyers and law firms?

According to Logicforce, that desire isn’t a difficult one to satisfy.

Fleeing the Country?

Filed under: Law,Security — Patrick Durusau @ 10:16 am

Laws on Extradition of Citizens – Library of Congress Report.

Freedom/resistance fighters need to bookmark this report! A bit dated (2013) but still a serviceable guide to extradition laws in 157 countries.

The extradition map, reduced in scale here, is encouraging:

Always consult legal professionals for updated information and realize that governments make and choose the laws they will enforce. Your local safety in a “no extradition” country depends upon the whims and caprices of government officials.

Just like your cybersecurity, take multiple steps to secure yourself against unwanted government attention, both local and foreign.

June 27, 2017

MS Streamlines Malware Delivery

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 4:38 pm

Microsoft is building a smart antivirus using 400 million PCs by Alfred Ng.

Malware delivery takes a giant leap forward with the MS Fall Creators Update:


If new malware is detected on any computer running Windows 10 in the world, Microsoft said it will be able to develop a signature for it and protect all the other users worldwide. The first victim will be safe as well because the virus will be set off in a virtual sandbox on the cloud, not on the person’s device.

Microsoft sees artificial intelligence as the next solution for security as attacks get more sophisticated.

“If we’re going to stay on top of anything that is changing that fast, you have to automate,” Lefferts said.

About 96 percent of detected cyberattacks are brand new, he noted.

With Microsoft’s current researchers working at their fastest pace, it can take a few hours to develop protections from the first moment they detect malware.

It’s during those few hours when people are really hit by malware. Using cloud data from Microsoft Office to develop malware signatures is crucial, for example, because recent attacks relied on Word vulnerabilities.

Two scenarios immediately come to mind:

  1. The “malware” detection is “false,” the file/operation/URL is benign but now 400 million computers see it as “malware,” or,
  2. Due to MTM attacks, false reports are sent to Windows computers on a particular sub-net.

Global security decision making is a great leap, but the question is in what direction?

PS: Did you notice the claim “96 percent of detected cyberattacks are brand news…?” I ask because that’s inconsistent with the documented long lives of cyber exploits, Website Security Statistics Report 2015 (WhiteHat Security).

Impact of Microsoft Leaks On Programming Practice

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 9:40 am

Mohit Kumar’s great graphic:

leads for his story: Microsoft’s Private Windows 10 Internal Builds and Partial Source Code Leaked Online.

The use of MS source code for discovery of vulnerabilities is obvious.

Less obvious questions:

  • Do programmers follow leaked MS source code?
  • Do programmers following leaked MS source code commit similar vulnerability errors?

Evidence for a public good argument for not spreading leaked MS source code anyone?

June 25, 2017

Improved Tracking of .onion links by Facebook

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 8:51 pm

Improved sharing of .onion links on Facebook by Will Shackleton.

From the post:

Today we are rolling out two new features on Facebook to improve the experience of sharing, discovering and clicking .onion links to Tor hidden services especially for people who are not on Tor.

First, Facebook can now show previews for .onion links. Hidden service owners can use Open Graph tags to customise these previews, much like regular websites do.

Second, people who are not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work. The message enables people to find out more about Tor and – for hidden services which have opted in – helps visit the service’s equivalent regular website. For people who are already using Tor, we send them straight through to the hidden service without showing any message.

Try sharing your favorite .onion link on Facebook and let us know in the comments what you think about our improvements!

This is a very bad plan!

If you are:

not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work.

and, Facebook captures your non-Tor accessing of that link.

Accessing .onion links on Facebook, without using Tor, in the words of Admiral Ackbar, “It’s a trap!”:

Consumer Warning: Stale Passwords For Sale

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:35 pm

Russian hackers are selling British officials’ passwords by Alfred Ng.

The important take away: the passwords are from a 2012 LinkedIn breach.

Unless you like paying for and mining low grade ore, considering passing on this offer.

Claims of stolen government passwords don’t make someone trustworthy. 😉

June 19, 2017

E-Cigarette Can Hack Your Computer (Is Nothing Sacred?)

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 8:29 pm

Kavita Iyer has the details on how an e-cigarette can be used to hack your computer at: Know How E-Cigarette Can Be Used By Hackers To Target Your Computer.

I’m guessing you aren’t so certain that expensive e-cigarette you “found” is harmless after all?

Malware in e-cigarettes seems like a stretch given the number of successful phishing emails every year.

But, a recent non-smoker maybe the security lapse you need.

June 17, 2017

OpSec Reminder

Filed under: Cybersecurity,Government Data,Security — Patrick Durusau @ 9:59 am

Catalin Cimpanu covers a hack of the DoD’s Enhanced Mobile Satellite Services (EMSS) satellite phone network in 2014 in British Hacker Used Home Internet Connection to Hack the DoD in 2014.

The details are amusing but the most important part of Cimpanu’s post is a reminder about OpSec:


In a statement released yesterday, the NCA said it had a solid case against Caffrey because they traced back the attack to his house, and found the stolen data on his computer. Furthermore, officers found an online messaging account linked to the hack on Caffrey’s computer.

Caffrey’s OpSec stumbles:

  1. Connection traced to his computer (No use of Tor or VPN)
  2. Data found on his hard drive (No use of encryption and/or storage elsewhere)
  3. Online account used in hack operated from his computer (Again, no use of Tor or VPN)

I’m sure the hack was a clever one but Caffrey’s OpSec was less so. Decidedly less so.

PS: The National Criminal Agency (NCA) report on Caffrey.

June 13, 2017

Tails 3.0 is out (Don’t be a Bank or the NHS, Upgrade Today)

Filed under: Cybersecurity,Security,Tails — Patrick Durusau @ 4:46 pm

Tails 3.0 is out

From the webpage:

We are especially proud to present you Tails 3.0, the first version of Tails based on Debian 9 (Stretch). It brings a completely new startup and shutdown experience, a lot of polishing to the desktop, security improvements in depth, and major upgrades to a lot of the included software.

Debian 9 (Stretch) will be released on June 17. It is the first time that we are releasing a new version of Tails almost at the same time as the version of Debian it is based upon. This was an important objective for us as it is beneficial to both our users and users of Debian in general and strengthens our relationship with upstream:

  • Our users can benefit from the cool changes in Debian earlier.
  • We can detect and fix issues in the new version of Debian while it is still in development so that our work also benefits Debian earlier.

This release also fixes many security issues and users should upgrade as soon as possible.

Upgrade today, not tomorrow, not next week. Today!

Don’t be like banks and NHS and run out-dated software.

Promote software upgrades by

  • barring civil liability for
  • decriminalizing
  • prohibiting insurance coverage for damages due to

hacking of out-dated software.

Management will develop an interest in software upgrade policies.

Power Outage Data – 15 Years Worth

Filed under: Data,Security,Terrorism — Patrick Durusau @ 2:08 pm

Data: Explore 15 Years Of Power Outages by Jordan Wirfs-Brock.

From the post:

This database details 15 years of power outages across the United States, compiled and standardized from annual data available at from the Department of Energy.

For an explanation of what it means, how it came about, and how we got here, listen to this conversation between Inside Energy Reporter Dan Boyce and Data Journalist Jordan Wirfs-Brock:

You can also view the data as a Google Spreadsheet (where you can download it as a CSV). This version of the database also includes information about the amount of time it took power to be restored, the demand loss in megawatts, the NERC region, (NERC refers to the North American Electricity Reliability Corporation, formed to ensure the reliability of the grid) and a list of standardized tags.

The data set isn’t useful for tactical information, the submissions are too general to replicate the events leading up to an outage.

On the other hand, identifiable outage events, dates, locations, etc., do make recovery of tactical data from grid literature a manageable search problem.

Enjoy!

Electric Grid Threats – Squirrels 952 : CrashOverride 1 (maybe)

Filed under: Cybersecurity,Security,Terrorism — Patrick Durusau @ 9:44 am

If you are monitoring cyberthreats to the electric grid, compare the teaser document, Crash Override: Analysis of the Treat to Electric Grid Operators from Dragos, Inc. to the stats at CyberSquirrel1.com:

I say a “teaser” documents because the modules of greatest interest include: “This module was unavailable to Dragos at the time of publication” statements (4 out of 7) and:


If you are a Dragos, Inc. customer, you will have already received the more concise and technically in-depth intelligence report. It will be accompanied by follow-on reports, and the Dragos team will keep you up-to-date as things evolve.

If you have a copy of Dragos customer data on CrashOverride, be a dear and publish a diff against this public document.

Inquiring minds want to know. 😉

If you are planning to mount/defeat operations against an electric grid, a close study CyberSquirrel1.com cases will be instructive.

Creating and deploying grid damaging malware remains a challenging task.

Training an operative to mimic a squirrel, not so much.

June 7, 2017

Personal Malware Analysis Lab – Summer Project

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 7:30 pm

Set up your own malware analysis lab with VirtualBox, INetSim and Burp by Christophe Tafani-Dereeper.

Whether you are setting this up for yourself and/or a restless child, what a great summer project!

You can play as well so long as you don’t mind losing to nimble minded tweens and teens. 😉

It’s never too early to teach cybersecurity and penetration skills or to practice your own.

With a little imagination as far as prizes, this could be a great family activity.

It’s a long way from playing Yahtzee with your girlfriend, her little brother and her mother, but we have all come a long way since then.

June 6, 2017

Are Printer Dots The Only Risk?

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:29 pm

Seth Schoen gives a good summary of printer dot issues in Printer Tracking Dots Back in the News.

From the post:

Several journalists and experts have recently focused on the fact that a scanned document published by The Intercept contained tiny yellow dots produced by a Xerox DocuColor printer. Those dots allow the document’s origin and date of printing to be ascertained, which could have played a role in the arrest of Reality Leigh Winner, accused of leaking the document. EFF has previously researched this tracking technology at some length; our work on it has helped bring it to public attention, including in a somewhat hilarious video.

Schoen’s post and references are fine as far as they go, but there are other dangers associated with printers.

For example:

  • The material in or omitted from a document can by used to identify the origin of a document.
  • The order of material in a document, a list, paragraph or footnote can be used to identify the origin of a document.
  • Micro-spacing of characters, invisible to the naked eye, may represent identification patterns.
  • Micro-spacing of margins or other white space characteristics may represent identification patterns.
  • Changes to the placement of headers, footers, page numbers, may represent identification patterns.

All of these techniques work with black and white printers as well as color printers.

The less security associated with a document and/or the wider its distribution, the less likely you are to encounter such techniques. Maybe.

Even if your source has an ironclad alibi, sharing a leaked document with a government agency is risky business. (full stop)

Just don’t do it!

June 5, 2017

Google Capture the Flag 2017

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:34 pm

Google Capture the Flag 2017 by Josh Armour.

From the post:

On 00:00:01 UTC of June 17th and 18th, 2017 we’ll be hosting the online qualification round of our second annual Capture The Flag (CTF) competition. In a ‘Capture the Flag’ competition we create security challenges and puzzles in which contestants can earn points for solving them. We will be inviting the top 10 finalist teams to a secret undisclosed location (spoiler alert: it’s Google) to compete onsite for a prize pool of over USD$31,337 and we’ll help subsidize travel to the venue for the finals to four participants for each of the ten finalist teams. In addition to grand prizes given at the finals, we’ll be rewarding some of the best and creative write-ups that we receive during the qualifying round. We want to give you an opportunity to share with the world the clever way you solve challenges.

Sounds cool!

You playing?

June 2, 2017

Unknown Buyers + Unknown Sellers ~= Closed Source Software

Filed under: Cybersecurity,NSA,Security,Uncategorized — Patrick Durusau @ 4:29 pm

TurkuSec Community reports another collaborative effort to buy into the Shadow Brokers malware-of-the-month club:



“What Could Go Wrong?” is a valid question.

On the other hand, you are already spending $billions on insecure software every year.

Most of which is closed-source, meaning it may contain CIA/NSA backdoors.

A few hires in the right places and unbeknownst to the vendor, they would be distributing CIA/NSA malware.

If you credit denials of such activities by the CIA/NSA or any other government spy agency, you should stop using computers. You are a security risk to your employer.

A Shadow Brokers subscription, where 2,500 people risk $100 each for each release, on the other hand, is far safer than commercial software. If the the first release prove bogus, don’t buy a second one.

Contrast that with insecure closed source software for an OS or database that may contain CIA/NSA/etc. backdoors. You don’t get to avoid the second purchase. (You bought the maintenance package too. Am I right?)

I can’t and won’t counsel anyone to risk more than $100, but shared risk is the fundamental principle of insurance. Losses can and will happen. That’s why we distribute the risk.

That link again: https://t.co/wjMn3DjzQp.

PS: Shadow Brokers: Even a list of the names with brief descriptions might help attract people who want to share the risk of subscribing. The “big” corporations are likely too arrogant to think they need the release.

June 1, 2017

Another Patriarchy Triumph – Crowd Funding Shadow Brokers Fails

Filed under: Cybersecurity,Funding,Security — Patrick Durusau @ 2:18 pm

Hackers shelve crowdfunding drive for Shadow Brokers exploits by Bill Brenner.

From the post:

To some, it was a terrible idea akin to paying bad people to do harm. To others, it was a chance to build more powerful defenses against the next WannaCry.

It’s now a moot point.

Forty-eight hours after they started a crowdsourcing effort on Patreon to raise $25,000 a month for a monthly Shadow Brokers subscription service, security researchers Matthew Hickey – perhaps better known as Hacker Fantastic – and x0rz, announced the fund’s cancellation. Thursday morning, the page was empty:

Brenner covers alleged reasons for the cancellation and concludes with poor advice:

Better to not go there.

As I pointed out yesterday, if 2500 people each contributed %100, the goal of raising $25,000 would be met without significant risk to anyone. Cable bills, to say nothing of mobile phone charges, easily exceed $100 for a month.

If a subscription were purchased for one month and either the Shadow Brokers don’t release new malware or what they release was cobbled up from standard malware sites, don’t buy a second one. At $100 each, isn’t that a risk you would take?

Assuming Shadow Brokers are serious about their malware-by-the-month club, a crowd funded subscription, premised on the immediate and public release of each installment, damages existing systems of patriarchy among/at:

  • Blackhat hackers
  • Governments (all levels)
  • Software vendors
  • Spy agencies (worldwide)
  • Whitehat advisors/hackers

Whitehat-only distribution follows that old saw of patriarchy, “we know what is best for you to know, etc.”

Some innocent people will be hurt by future malware releases. That’s a fact. But it’s an odd complaint for governments, spy agencies and their whitehat and vendor allies to raise.

Governments, spy agencies, whitehats and vendors have jointly participated in the slaughter of millions of people and the oppression of millions more.

Now facing some sharing of their cyberpower, they are concerned about potential injuries?

Looking forward to a deeply concealed entity stepping forward to purchase or crowd fund a release on delivery copy of the first Shadow Brokers malware-by-the-month, month 1.

Take a chance on damaging those patriarchies? Sure, that’s worth $100.

You?

« Newer PostsOlder Posts »

Powered by WordPress