Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

January 2, 2019

The Soviet Threat [American View]

Filed under: Cybersecurity,Hacking,News,Reporting — Patrick Durusau @ 2:50 pm
John Klossner at Dark Reading.

Klossner’s cartoon illustrates the nature of American reporting on international cybersecurity. Foes of America, in this case Russians, are depicted as criminals who routinely attack American businesses.

Shrugs. For all I know, the “routinely attack American businesses” claim may be true, for the Russians as well as others. What distorts American reporting is its failure to remind readers that America uses illegal cyber means, illegal activity in general, and brute force to do the same.

America is not a besieged group of innocents crowded into a nunnery surrounded by child molesters and rapists, forced to defend itself with any means that comes to hand.

No, America is more like the largest pimp at a poker game, where wagers are in human flesh and America raises its oil engorged face from time to time to question the morals of other players.

I enjoy IT cartoons but prefer satirical ones telling truths the main stream press can’t stomach.

Constructing Stoplists for Historical Languages [Hackers?]

Filed under: Classics,Cybersecurity,Hacking,Natural Language Processing — Patrick Durusau @ 9:50 am

Constructing Stoplists for Historical Languages by Patrick J. Burns.

Abstract

Stoplists are lists of words that have been filtered from documents prior to text analysis tasks, usually words that are either high frequency or that have low semantic value. This paper describes the development of a generalizable method for building stoplists in the Classical Language Toolkit (CLTK), an open-source Python platform for natural language processing research on historical languages. Stoplists are not readily available for many historical languages, and those that are available often offer little documentation about their sources or method of construction. The development of a generalizable method for building historical-language stoplists offers the following benefits: 1. better support for well-documented, data-driven, and replicable results in the use of CLTK resources; 2. reduction of arbitrary decision-making in building stoplists; 3. increased consistency in how stopwords are extracted from documents across multiple languages; and 4. clearer guidelines and standards for CLTK developers and contributors, a helpful step forward in managing the complexity of a multi-language open-source project.

I post this in part to spread the word about these stoplists for humanists.

At the same time, I’m curious about the use of stoplists by hackers to filter cruft from disassembled files. Disassembled files are “texts” of a sort and it seems to me that many of the tools used by humanists could, emphasis on could, be relevant.

Suggestions/pointers?
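The data-driven approach the abstract describes (keep the tokens that are both frequent and spread across the corpus, rather than a hand-picked list), as an added example that is not code from Burns’s paper or from CLTK. It builds a stoplist from a constructed Latin sample and, following the question about disassembled files, from a constructed x86-64 listing, where the same criterion strips the prologue/epilogue cruft (`push rbp`, `mov rbp, rsp`, `ret`) that appears in nearly every function. The function names, the `min_doc_frac` threshold and the sample texts are assumptions made for this example.

```python
# Added example: data-driven stoplist construction in the spirit of the
# CLTK method Burns describes (frequency plus document spread). This is
# illustrative code, not CLTK's implementation; all corpora are constructed.
import re
from collections import Counter

# Character class keeps assembly labels (.L1), registers and immediates intact.
TOKEN_RE = re.compile(r"[a-z0-9_.%]+")


def tokenize(text):
    """Lower-case the text and split it into tokens matching TOKEN_RE."""
    return TOKEN_RE.findall(text.lower())


def build_stoplist(docs, size, min_doc_frac=0.5):
    """Return up to `size` stopwords chosen by two criteria:
    1. the token occurs in at least `min_doc_frac` of the documents, so a word
       that is frequent only because one document repeats it is not stopped;
    2. among those, rank by total corpus frequency, ties broken alphabetically
       so the result is reproducible (one of the paper's stated goals)."""
    term_freq = Counter()
    doc_freq = Counter()
    for doc in docs:
        tokens = tokenize(doc)
        term_freq.update(tokens)
        doc_freq.update(set(tokens))
    n_docs = len(docs)
    candidates = [t for t in term_freq if doc_freq[t] / n_docs >= min_doc_frac]
    candidates.sort(key=lambda t: (-term_freq[t], t))
    return candidates[:size]


def remove_stopwords(doc, stoplist):
    """Tokens of `doc` with stoplist members removed, order preserved."""
    stops = set(stoplist)
    return [t for t in tokenize(doc) if t not in stops]


# Constructed Latin snippets (not a real corpus); "verbum" and "erat" are
# frequent but confined to one document, so they must not be stopped.
LATIN_DOCS = [
    "et in terra pax et in caelo gloria",
    "in principio erat verbum et verbum erat apud deum",
    "gallia est omnis divisa in partes tres et",
    "arma virumque cano et troiae primus in oris",
]

# Constructed x86-64 listings standing in for disassembler output.
ASM_DOCS = [
    "push rbp\nmov rbp, rsp\nmov eax, 0\npop rbp\nret",
    "push rbp\nmov rbp, rsp\nsub rsp, 16\ncall strlen\nadd rsp, 16\npop rbp\nret",
    "push rbp\nmov rbp, rsp\nxor eax, eax\ncmp edi, 0\nje .L1\ninc eax\n.L1:\npop rbp\nret",
]


if __name__ == "__main__":
    print("latin stoplist:", build_stoplist(LATIN_DOCS, 5))
    asm_stops = build_stoplist(ASM_DOCS, 8)
    print("asm stoplist:", asm_stops)
    print("third listing minus cruft:", remove_stopwords(ASM_DOCS[2], asm_stops))
```

The document-spread threshold is what separates this from a plain frequency cut-off: on the Latin sample only `et` and `in` survive it, while on the listings the per-function boilerplate is stopped and the instructions that actually distinguish the third function (`xor`, `cmp`, `je`, `inc`) remain.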

January 1, 2019

Sherlock – 94 Social Networks

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:37 pm

Sherlock

Sherlock self-describes as: “Find usernames across social networks”

What caught my eye was a tweet saying Sherlock searches across 94 social networks.

Are users likely to use the same password across multiple social media sites? That alone could make Sherlock quite useful.

Do password repeaters use the same password in more secure settings?

December 26, 2018

Hacker Digest – Volume 21 Released!

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:23 pm

Volume 21 of the Hacker Digest Released

From the post:

Volume 21 of The Hacker Digest is now out. If you’re a lifetime digital subscriber, you will have already received this edition. Volume 21 is comprised of issues from 2004, our 20th anniversary and a year where we embraced propaganda, at least on all of our covers. It was a time of soul searching in the hacker community, the year of The Fifth HOPE, and a changing country.

You can click here to buy Volume 21 or become a lifetime digital subscriber here. If you do the latter, you will receive digital copies of everything we have published to date, plus everything that we publish in the future. We have now digitized 31 out of our 34 years.

If you also want paper copies, we have a special offer here. And if you’re an existing paper lifetime subscriber who wants to upgrade to digital at a discounted rate, just click here.

The current list price is $260 for a lifetime digital subscription. A real bargain considering many of the hacks are still viable today.

December 6, 2018

Teaching Cybersecurity Law and Policy (Chesney) [Cui Bono?]

Filed under: Cybersecurity,Law — Patrick Durusau @ 11:43 am

Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer by Robert Chesney.

From the post:

Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use.

With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document. Now, I’m back with version 2.0.

Here’s the document.

At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone—practitioner, lawyer, engineer, student, etc.—who wants to think deeply about the various substrands of this emergent field and how they relate to one another.

Feel free to make use of this any way you wish. Share it with others who might enjoy it (or at least benefit from it), and definitely send me feedback if you are so inclined (rchesney@law.utexas.edu or @bobbychesney on Twitter).

The technical side of the law is deeply fascinating and perhaps even more so in cybersecurity. It’s worth noting that Chesney does a great job laying out normative law as a given.

You are not going to find an analysis of the statutes cited to identify who benefits or is penalized by those statutes. You know the adage about laws that prohibit the rich and the poor equally from sleeping under bridges? The same applies to cybersecurity statutes. They are always presented as fair and accomplished public policies. Nothing could be further from the truth.

That’s not a criticism of Chesney’s syllabus, the technical side of existing laws is a quite lucrative one for anyone who masters its complexities. And it is certainly a worthy subject for study. I mention looking behind laws as it were to promote an awareness that shaping the winners and losers encoded in laws, also merits your attention.

Cybersecurity laws have adversely impacted security researchers, as steps suggested to reduce the odds of your liability for disclosure of a vulnerability show:

  • Don’t ask for money in exchange for keeping vulnerability information quiet. Researchers have been accused of extortion after saying they would reveal the vulnerability unless the company wants to pay a finder’s fee or enter into a contract to fix the problem. See, e.g. GameSpy warns security researcher
  • If you are under a non-disclosure agreement, you may not be allowed to publish. Courts are likely to hold researchers to their promises to maintain confidentiality.
  • You may publish information to the general public, but do not publish directly to people you know intend to break the law.
  • Consider disclosing to the vendor or system administrator first and waiting a reasonable and fair amount of time for a patch before publishing to a wider audience.
  • Consider having a lawyer negotiate an agreement with the company under which you will provide details about the vulnerability—thus helping to make the product better—in exchange for the company’s agreement not to sue you for the way you discovered the problem.
  • Consider the risks and benefits of describing the flaw with proof-of-concept code, and whether that code could describe the problem without unnecessarily empowering an attacker.
  • Consider whether your proof of concept code is written or distributed in a manner that suggests it is “primarily” for the purpose of gaining unauthorized access or unlawful data interception, or marketed for that purpose. Courts look both to the attributes of the tool itself as well as the circumstances surrounding the distribution of that tool to determine whether it would violate such a ban.
  • Consider whether to seek advance permission to publish, even if getting it is unlikely.
  • Consider how to publish your advisory in a forum and manner that advances the state of knowledge in the field.
  • Do not publish in a manner that enables or a forum that encourages copyright infringement, privacy invasions, computer trespass or other offenses.

The oppression of independent security researchers in cybersecurity law is fairly heavy-handed but there are subtleties and nuances that lie deeper in the interests that drove drafting of such legislation.

Fairly obvious but have you noticed there is no liability for faulty software? The existence of EULAs, waivers of liability, are a momentary diversion. It is a rare case when a court finds such agreements enforceable, outside the context of software.

The discovery and publication of vulnerabilities, should vendors not fix them in a timely fashion, would raise serious questions about their “gross negligence” in failing to fix such vulnerabilities. And thence to greater abilities to attack EULAs.

Not only are major software vendors bastards, but they are clever bastards as well.

That’s only one example of an unlimited number once you ask cui bono? (whose good?) for any law.

In a world where governments treat the wholesale slaughter of millions of people of color and condemning of millions to lives of deprivation and want as “business as usual,” you may ask, what obligation is there to obey any cybersecurity or other law?

Your obligation to obey any law is a risk assessment of the likelihood of a sovereign attributing a particular act to you. The better your personal security, the greater the range of behavior choices you have.

December 5, 2018

Open Letter to NRCC Hackers

Filed under: Cybersecurity,Government,Hacking,Politics,Wikileaks — Patrick Durusau @ 11:04 am

We have never met or communicated but I wanted to congratulate you on the hack of top NRCC officials in 2018. Good show!

I’m sure you remember the drip-drip-drip release technique used by Wikileaks with the Clinton emails. I had to check the dates but the first batch was in early October 2016, before the presidential election in November 2016.

The weekly release cycle, with the prior publicity concerning the leak, kept both alternative and mainstream media on the edge of climaxing every week. Even though the emails themselves were mostly office gossip and pettiness found in any office email system.

The most obvious target event for weekly drops of the NRCC emails is the 2020 election but that is subject to change.

Please consider the Wikileaks partial release tactic, which transformed office gossip into front-page news, when you select a target event for releasing the NRCC emails.

Your public service in damaging the NRCC will go unrewarded but not unappreciated. Once again, good show!

December 3, 2018

Remotely Hijacking Zoom Clients

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:45 pm

Remotely Hijacking Zoom Clients by David Wells.

From the post:

I would like to walkthrough a severe logic flaw vulnerability found in Zoom’s Desktop Conferencing Application. This logic flaw (CVE-2018–15715) affects Zoom clients for MacOS, Linux, and Windows and allows an attacker (doesn’t even have to be meeting attendee) to hijack various components of a live meeting such as forcefully enable desktop control permissions and send keystrokes to meeting attendees sharing their screen. Zoom has released an update for MacOS and Windows and users of Zoom should make sure they are running the most up-to-date version.

Great description of a vulnerability, even if Wells reports that Zoom servers now appear to be patched.

Telecommuting Trend Data from GlobalWorkplaceAnalytics.com leaves no doubt that remote work by employees is increasing, meaning so are avenues into corporate computer infrastructures.

To say nothing of moves towards telecommuting by the United States government, led by of all agencies, the IRS. Telecommuting Options in Government Jobs

Vulnerabilities in telecommuting and/or video conferencing software may result in a bountiful harvest of data. But you won’t know if you don’t look for them.

December 2, 2018

Programming Language Foundations in Agda [Hackers Fear Not!]

Filed under: Agda,Computer Science,Cybersecurity,Hacking,Programming,Proof Theory — Patrick Durusau @ 11:47 am

Programming Language Foundations in Agda by Philip Wadler and Wen Kokke.

From the preface:

The most profound connection between logic and computation is a pun. The doctrine of Propositions as Types asserts that a certain kind of formal structure may be read in two ways: either as a proposition in logic or as a type in computing. Further, a related structure may be read as either the proof of the proposition or as a programme of the corresponding type. Further still, simplification of proofs corresponds to evaluation of programs.

Accordingly, the title of this book also has two readings. It may be parsed as “(Programming Language) Foundations in Agda” or “Programming (Language Foundations) in Agda” — the specifications we will write in the proof assistant Agda both describe programming languages and are themselves programmes.

The book is aimed at students in the last year of an undergraduate honours programme or the first year of a master or doctorate degree. It aims to teach the fundamentals of operational semantics of programming languages, with simply-typed lambda calculus as the central example. The textbook is written as a literate script in Agda. The hope is that using a proof assistant will make the development more concrete and accessible to students, and give them rapid feedback to find and correct misapprehensions.

The book is broken into two parts. The first part, Logical Foundations, develops the needed formalisms. The second part, Programming Language Foundations, introduces basic methods of operational semantics.

Hackers should attend closely to Wadler and Kokke’s text to improve their own tools. The advantages of type-dependent programming are recited by Andrew Hynes in Why you should care about dependently typed programming and I won’t repeat them here.

Hynes also reassures hackers (perhaps not his intent) that a wave of type-dependent programming is not on the near horizon saying:

So we’ve got these types that act as self-documenting proofs that functionality works, add clarity, add confidence our code works as well as runs. And, more than that, they make sense. Why didn’t we have these before? The short answer is, they’re a new concept, they’re not in every language, a large amount of people don’t know they exist or that this is even possible. Also, there are those I mentioned earlier, who hear about its use in research and dismiss it as purely for that purpose (let’s not forget that people write papers about languages like C and [Idealized] Algol, too). The fact I felt the need to write this article extolling their virtues should be proof enough of that.

Like object orientation and other ideas before it, it may take a while before this idea seeps down into being taught at universities and seen as standard. Functional programming has only just entered this space. The main stop-gap right now is this knowledge, and it’s the same reason you can’t snap your fingers together and have a bunch of Java devs who have never seen Haskell before writing perfect Haskell day one. Dependently typed programming is still a new concept, but that doesn’t mean you need to wait. Things we take for granted were new once, too.

I’m not arguing in favour of everybody in the world switching to a dependently typed language and doing everything possible dependently typed, that would be silly, and it encourages misuse. I am arguing in favour of, whenever possible (e.g. if you’re already using Haskell or similar) perhaps thinking whether dependent types suit what you’re writing. Chances are, there’s probably something they do suit very well indeed. They’re a truly fantastic tool and I’d argue that they will get better as time goes on due to way architecture will evolve. I think we’ll be seeing a lot more of them in the future. (emphasis in original)

Vulnerabilities have been, are and will continue to be etched into silicon. Vulnerabilities exist in decades of code and in the code written to secure it. Silicon and code that will still be running as type-dependent programming slowly seeps into the mainstream.

Hackers should benefit from and not fear type-dependent programming!

November 22, 2018

(90+) Best Hacking eBooks [Suggest benchmarks for “best?”]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:25 am

Hacking eBooks Free Download 2018 – (90+) Best Hacking eBooks by Mukesh Bhardwaj.

From the post:

Here are a top and a long list of Best Hacking eBooks released in 2018. I pick these PDF best hacking eBooks from top sources with latest hacking articles inside these eBooks. These download links are spam free and ads free. However, you will also get all hacking guides as well. We Give You Best Ads Free Download Links. (emphasis in original)

This listing dates from January 4, 2018, so as of November 22, 2018, it’s due for an update.

The items I have examined look useful but it’s not clear what criteria were used for “best.”

Do you have a suggestion for general or more specific hacking resources to use as benchmarks for best?

Top 20 Hacker Holiday Gifts of 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:55 am

Top 20 Hacker Holiday Gifts of 2018

From the post:

For the uninitiated, it can be difficult to buy that special hacker in your life a perfect holiday gift. That’s why we’ve taken out the guesswork and curated a list of the top 20 most popular items our readers are buying. Whether you’re buying a gift for a friend or have been dying to share this list with someone shopping for you, we’ve got you covered with our 2018 selection of hacker holiday gifts.

For more ideas, make sure to check out our holiday hacker gift guide from last year, as well as Distortion’s excellent post for gear every hacker should try out. As for this year’s recommendations, they’re split up into different price points, so you can jump to each using the following links.

Great list of potential gifts for someone you know is hacking or who you want to encourage to hack.

Imagine the degree of transparency if hacking was taught as widely as keyboarding.

One Hacker One Computer – #OHOC

Enjoy!

November 20, 2018

Do Your Clients Know You’re Running Adobe Flash?

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 5:28 pm

Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS by Tom Spring.

From the post:

Adobe released a patch for a critical flaw on Tuesday that leaves its Flash Player vulnerable to arbitrary code execution by an adversary. Affected are versions of the Flash Player running on Windows, macOS, Linux and Chrome OS.

Unless you need the technical details to prepare an exploit, that’s about all that needs to be said about the latest Adobe Flash fail.

You aren’t running Flash? Yes?

Assuming you are not running Flash, download and save a known to be safe Flash file. Attach it to an email to your current contractor(s).

Call your contractor(s) and ask if they can open the attached Flash file. Should they say yes, start looking for new contractor(s).

What are you going to say when you get a “can you open the Flash attachment” call?

PS: I wonder if any of the techno-mages at the White House are running Flash? Thoughts?

Hackers: White, Black, Grey [, and Customer?] Hat

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:17 pm

Types of Hackers and What They Do: White, Black, and Grey:

Hackers are lumped into three (3) categories:

A black-hat hacker is an individual who attempts to gain unauthorized entry into a system or network to exploit them for malicious reasons. The black-hat hacker does not have any permission or authority to compromise their targets.

White-hat hackers, on the other hand, are deemed to be the good guys, working with organizations to strengthen the security of a system. A white hat has permission to engage the targets and to compromise them within the prescribed rules of engagement.

Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.

I suppose but where is the category Customer-hat?

Customer-hat hackers carry out actions contracted for by a customer.

The customer-hat hacker designation avoids the attempts to pre-define moral or ethical dimensions to the work of hackers, generally summarized under the rubrics of black, white and grey hats.

Picking a recent post at random: Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign, you quickly get the impression that APT29 is a black-hat, i.e., is non-American.

As a contractor or customer, I’m more comfortable wearing a customer-hat. Are you?

PS: I’m aware that the black/grey/white hat designations are attempts to shame people into joining to protect institutions and systems unworthy of respect and/or protection. I decline the invitation.

November 17, 2018

Got 20 Minutes? Black Friday ATM Hunting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:06 am

One definition of Black Friday reads:

The Day After Thanksgiving (Friday) is known as Black Friday. This used to be unofficially or officially the start of holiday shopping season. Almost all stores come out with Doorbuster Sales with the early bird special to attract consumers to their shop. People stand in line hours before the stores are opened, to grab the bargains of the year. In the last few years, we have witnessed a trend towards bringing those Black Friday Sales online before Friday.

Suffice it to say it is an orgy of consumerism and consumption, which originated in the United States but it has spread to other countries.

One constant at shopping locations, Black Friday or no, is the presence of ATMs (Automated Teller Machines). ATM finder services are offered by Visa and Mastercard. A search using “atm location” reveals many others.

I mention all that because I encountered Most ATMs can be hacked in under 20 minutes by Catalin Cimpanu.

From the post:

“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the PT team said. “Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.” (emphasis added)

Cimpanu includes a list of the ATMs tested. Nothing is more innocent than using an ATM on Black Friday and noting its type and model number. Privacy is required for the attacks described but usually for less than 20 minutes.

Armed with a list of ATMs with model numbers and locations, plus the attacks as described in the original report, you may have a reason to celebrate early this holiday season. (BTW, strictly for research purposes, did you know they sell ATMs on eBay?)

November 14, 2018

Systematic vs. Ad Hoc Attacks and Defenses

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:16 pm

A Systematic Evaluation of Transient Execution Attacks and Defenses by Claudio Canella, et al.

Abstract:

Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses.

In this paper, we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM). Our systematization does not only yield a complete picture of the attack surface, but also allows a systematic evaluation of defenses. Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.

If you guessed from the title (or experience) that being systematic wins the prize, you’re right!

Between the failure to patch behavior of users and the “good enough” responses of vendors to vulnerabilities, it’s surprising cybersecurity is in the dictionary at all. Other than as a marketing term like “salvation,” etc.

November 12, 2018

Holiday Avoidance Videos! Black Hat USA 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:25 pm

Just in time for the 2018 holiday season, Black Hat USA 2018 videos have been posted on Youtube! Abstracts/presentation materials.

I count one-hundred and twenty-five (125) videos!

I’m not suggesting you would pwn the TV remote, video game controller or surf the local mall’s wifi if forced to go shopping, but with the Black Hat videos, visions of the same can dance in your head!

Enjoy!

PS: Be sure to give a big shout out to Black Hat and presenters for all videos that stand out to you.

November 11, 2018

Why You Should Study Adobe Patch Releases

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:02 pm

Adobe ColdFusion servers under attack from APT group by Catalin Cimpanu.

A cyber-espionage group appears to have reverse engineered an Adobe security patch and is currently going after unpatched ColdFusion servers.

If you review the Adobe Security Bulletin, I don’t think “reverse engineer” is the term I would use in this case:

Nor would I use “Advanced Persistent Threat (APT)” for this vulnerability.

The Adobe fail here is the equivalent to leaving a liquor store unattended with the door propped open and the lights on. Theft there doesn’t require a criminal mastermind.

Given patch rates, reading patches could be the easiest way to add exploits to your toolkit.

November 9, 2018

RunCode – (Was Codewarz last year) – Starts Nov 10 0900 (EST)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:47 pm

RunCode.

From the webpage:

Complete challenges to attain points. Attain points to impress your friends. Impress your friends to… lol, you don’t have any friends, what are you talking about!

The competition will begin at Nov 10 0900(EST) and run until Nov 12 0900(EST). The top 10 players will be able to pick a prize out of our prize list. In order to receive the prize you must provide the RunCode team your physical mailing address as we will be shipping you the prize. If you’d rather donate your prize instead of giving us your physical mailing address, we will give the prize of your choice or donate the equivalent monetary amount to a charity you choose. If you’re looking for the list of prizes, they can be found on our twitter. Good luck in the competition, and if you have any questions feel free to reach out to us on our slack chat server for support (you’ll get an email invite to our slack after making an account).

If you’d like to practice on some of our previous challenges. Head over to our main website where we have all of our previous challenges available for you to work on (the logins/accounts for the competition site and the main site are separate).

Sign up! Not many hours left!

I’ve got a full weekend of editing on tap already but registering will give me incentive to at least try some of the challenges.

I first read about the RunCode event in: Codewarz, reloaded: programming contest adds pwning, prizes as RunCode by Sean Gallagher.

October 30, 2018

Fake News about Russian Porn Infection

Filed under: Cybersecurity,Hacking,Porn — Patrick Durusau @ 7:49 pm

Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says

From the post:

The agency’s inspector general traced the malicious software to a single unnamed USGS employee, who reportedly used a government-issued computer to visit some 9,000 adult video sites, according to a report published Oct. 17.

Many of the prohibited pages were linked to Russian websites containing malware, which was ultimately downloaded to the employee’s computer and used to infiltrate USGS networks, auditors found. The investigation found the employee saved much of the pornographic material on an unauthorized USB drive and personal Android cellphone, both of which were connected to their computer against agency protocols.

Many people breathed a sigh of relief when it was reported the USGS staff used their computer:

…to visit some 9,000 adult video site, …

They hadn’t visited 9,000 adult video sites, and that’s a lot of sites, assuming you had other job duties.

Sorry to disappoint but the IG report says in fact:

…Many of the 9,000 web pages ****** visited routed through websites that originated in Russia and contained malware.

Ah, “9,000 web pages,” not “…9,000 adult video sites.” That’s quite a difference.

More than a few but a much more plausible number.

Aside from poor fact checking, the real lesson here is to realize porn is a great carrier for malware, if you didn’t know that already.

r2con 2018 – videos [Dodging Political Ads]

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:56 pm

r2con 2018 – videos

Avoid the flood of political ads this final week before the US mid-term elections! May I suggest the videos from r2con 2018?

Unlike with political ads and news coverage, laced with false information, r2con videos won’t make you dumber. May not make you smarter but you will be better informed about r2 topics.

Should you accidentally encounter political news coverage or a political ad, run to your computer and watch an r2con video. You will feel better.

Enjoy!

October 25, 2018

DMCA Exemptions – 10/26/18 or White Hat Advertising Rules

Filed under: Cybersecurity,Hacking,Intellectual Property (IP) — Patrick Durusau @ 7:57 pm

Beau Woods posted a tweet with the URL for: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies.

Cutting to the chase:


(i)Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.

(ii) For purposes of this paragraph (b)(11), “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.
… (page 65)

I have long puzzled over claims of fearing DMCA enforcement by security researchers. The FBI is busy building illegal silencers for the mentally ill. Or engaging in other illegal, if not insane, activities. When would the FBI find the time to pursue security researchers when fantasies about Russian/Chinese/North Korean election “interference” are rippling through Washington?

Although phrased as “fear of prosecution,” the DMCA issue for white hats was one of advertising. Advertising a hack could annoy a vendor. Annoying vendors along with your identity and location seemed like a bad plan. But with a DMCA exemption, white hats are free to spam the Internet with their latest “research.”

Not that I mind white hats advertising but drawing lines based on the economic interests of stakeholders doesn’t always point to greater freedom. Today it worked in favor of security researchers and possibly consumers, but there’s no guarantee that will always be the result.

CVE-2018–8414: A Case Study in Responsible Disclosure

Filed under: Cybersecurity,Hacking,Reverse Engineering — Patrick Durusau @ 3:21 pm

CVE-2018–8414: A Case Study in Responsible Disclosure by Matt Nelson.

From the post:

The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly.

I submit a lot of bugs, through both bounty programs (Bugcrowd/HackerOne) and direct reporting lines (Microsoft). I’m not here to discuss ethics. I’m not here to provide a solution to the great “vulnerability disclosure” debate. I am simply here to share one experience that really stood out to me, and I hope it causes some reflection on the reporting processes for all vendors going forward.

First, I’d like to give a little background on myself and my relationship with vulnerability research.

I’m not an experienced reverse engineer. I’m not a full-time developer. Do I know C/C++ well? No. I’m relatively new to the industry (3 years in). I give up my free time to do research and close my knowledge gaps. I don’t find crazy kernel memory leaks, rather, I find often overlooked user-mode logic bugs (DACL overwrite bugs, anyone?).

Most importantly, I do vulnerability research (VR) as a hobby in order to learn technical concepts I’m interested in that don’t necessarily apply directly to my day job. While limited, my experience in VR comes with the same pains that everyone else has.

I mention this as one data point in the submission of bug reports and as encouragement to engage in bug hunting, even if you aren’t a kernel geek.

If you follow the disclosure “ethics” described in this post, the “us” who benefits includes the CIA, NSA, Saudi Arabia, Israel, and a host of others.

October 24, 2018

Bloomberg’s “China Hack” Conspiracy

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:16 pm

Mathew Ingram writes in Pressure increases on Bloomberg to verify its China hack story:

It was a certified bombshell: Bloomberg News reported on October 4 that the Chinese government had been able to infiltrate both Apple and Amazon’s hardware systems by putting hacked microchips into the third-party motherboards they used in their servers. But as the days following the report have turned into weeks, doubts about the validity of the story have continued to grow, while the amount of independent verification and/or supporting material proving such a hack actually occurred remains at zero.

In a column on Tuesday, Washington Post media critic Erik Wemple argued the chorus of voices in opposition to the allegations in the piece—including strenuous and detailed denials from the companies involved—have put the onus on Bloomberg to come up with additional verification, or else risk casting even more doubt on its scoop. “The relentlessness of the denials and doubts from companies and government officials obligate Bloomberg to add the sort of proof that will make believers of its skeptics,” Wemple wrote. “Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.” Wemple also criticized the news outlet for using a photo of a generic microchip on the cover of Bloomberg BusinessWeek magazine, despite the fact that the news outlet has no photos of the actual chip that was allegedly used in the hacks.
… (emphasis in original)

Ingram has collected links to a number of the posts and refutations of the original Bloomberg claims.

But you don’t need the protests of innocence and/or deep technical analysis to be wary of the Bloomberg story.

On the face of the original report, how many people do you think would “know” about the subversion of the motherboards?

  1. Designers of the subversive chip
  2. Motherboard designers to create a motherboard that uses the subversive chip
  3. Development and testing staff for the chip and the motherboards
  4. Users of capabilities offered by the subversive chips
  5. Handlers of the intelligence produced by the subversive chips
  6. Funders for #1 – #5

Would you concede those in the “know” about the chips would have to number in the thousands?

I ask because research on conspiracies estimates to keep a secret for five years, the maximum number of participants has an upper limit of 2521 agents. On the Viability of Conspiratorial Beliefs, David Robert Grimes, PLOS, Published: January 26, 2016, https://doi.org/10.1371/journal.pone.0147905.

On the face of it, the ‘China Hack’ more closely resembles the NASA Moon-landing conspiracy than technological legerdemain.
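To make the arithmetic behind that 2521 figure concrete, here is Grimes’s leak model implemented as an added example; it is not code from this post or from the paper. The per-agent annual leak probability p = 4.09 × 10^-6 is the estimate Grimes derives from the PRISM disclosure and the 5% exposure threshold is the paper’s cutoff; treat both as assumptions of this example and check them against the paper. Plug in five years and the largest head count that stays under the threshold comes out at 2521.

```python
"""Conspiracy exposure model after Grimes (2016), added as an example.

Not code from the post or from the paper. The model: N agents each leak
independently with annual probability p, so the chance of at least one
leak in a given year is 1 - (1 - p) ** N, and the probability the secret
has been exposed by year t is

    L(t) = 1 - exp(-t * (1 - (1 - p) ** N))

The values of p and the exposure threshold below are assumptions of this
example (taken to match the paper's PRISM-derived estimate and 5% cutoff).
"""
import math

P_LEAK_PER_AGENT_YEAR = 4.09e-6   # assumed per-agent annual leak probability
EXPOSURE_THRESHOLD = 0.05         # assumed tolerable probability of exposure


def exposure_probability(agents: int, years: float,
                         p: float = P_LEAK_PER_AGENT_YEAR) -> float:
    """Probability that at least one leak has exposed the secret by `years`."""
    if agents <= 0:
        return 0.0
    leak_rate_per_year = 1.0 - (1.0 - p) ** agents
    return 1.0 - math.exp(-years * leak_rate_per_year)


def max_agents(years: float, threshold: float = EXPOSURE_THRESHOLD,
               p: float = P_LEAK_PER_AGENT_YEAR) -> int:
    """Largest N whose exposure probability after `years` is <= threshold.

    exposure_probability is monotone in N, so a doubling search for an
    upper bound followed by a binary search finds the boundary exactly.
    """
    lo, hi = 0, 1
    while exposure_probability(hi, years, p) <= threshold:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if exposure_probability(mid, years, p) <= threshold:
            lo = mid
        else:
            hi = mid
    return lo


def years_until_exposure(agents: int, threshold: float = EXPOSURE_THRESHOLD,
                         p: float = P_LEAK_PER_AGENT_YEAR) -> float:
    """Time at which exposure probability reaches `threshold` (L(t) inverted)."""
    leak_rate_per_year = 1.0 - (1.0 - p) ** agents
    return -math.log(1.0 - threshold) / leak_rate_per_year


if __name__ == "__main__":
    for t in (5.0, 10.0, 25.0):
        print(f"{t:4.0f} years: at most {max_agents(t)} agents")
    for n in (100, 2521, 10_000):
        print(f"{n:6d} agents: {years_until_exposure(n):6.1f} years "
              f"before a {EXPOSURE_THRESHOLD:.0%} chance of exposure")
```

With the post’s head count of “thousands” for chip designers, board designers, testers, users and handlers, the five-year window is exactly where the model says the secret should already have leaked.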

Especially given Bloomberg’s explanation for the absence of any motherboard with the “extra” chip:


In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

Failure to detect becomes evidence of the cleverness of these conspirators.

Looks like a conspiracy theory, walks like a conspiracy theory, talks like a conspiracy theory, the absence of evidence proves the conspiracy theory, all suggests Bloomberg’s “China Hack” is a conspiracy theory.

Hacking Rent-A-Spy Vendors (Partial Target List)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:49 pm

Does “hacking” apply to data found in publicly accessible locations? Lorenzo Franceschi-Bicchierai thinks so in Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See.

However you answer that question, the post is an amusing tale of a spyware startup that left 20 gigabytes of data exposed to the public.

And it’s a valuable article, given the targeting data gathered:


Wolf Intelligence is part of the so-called “lawful intercept” industry. This is a relatively unregulated—but legal—part of the surveillance market that provides hacking and spy software to law enforcement and intelligence agencies around the world. Hacking Team, FinFisher, and NSO Group are the more well-known companies in this sector. According to a recent estimate, this market is expected to be worth $3.3 billion in 2022.

These companies generally sell spyware that infects computers and cell phones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications. But in the past, companies like Hacking Team, FinFisher, and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.

As demand for these technologies has grown, many smaller players have entered the market. Some of them have made embarrassing mistakes that have helped cybersecurity researchers expose them.

You can spend $$$ on R&D developing cutting-edge malware or wait for rent-a-spy vendors and the like to leak it. Rent-a-spy vendors hire from the same gene pool that makes phishing the #1 means of cybersecurity breaches. Picking up malware litter has a higher ROI.

Is anyone keeping a list of rent-a-spy vendors? Pointers? Thanks!

October 21, 2018

Why You Should Start Doing CTFs (Women in RE)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:16 pm

Why You Should Start Doing CTFs by Oryan De Paz.

From the post:

Capture The Flag (CTF) is a competition in the Information Security field. The main idea is to simulate different kinds of attack concepts with various challenges such as Reverse Engineering, Networks and Protocols, Programming, Crypto, Web Security, Exploits, etc.

All these challenges have one goal — capture the flag: solve the puzzle and use your skills in order to find a string that you can eventually type-in as your solution. If the solution is correct — you get the challenge points, which depend on the task difficulty. These days you can find CTF competitions in many of the infosec conferences.

De Paz has five (5) good reasons for doing Capture The Flag (CTF) exercises and pointers to additional resources.

De Paz mentions these reverse engineers as guideposts for her journey into CTF (in a Twitter thread on her post):

Great advice and leads to exploring CTF for yourself!

October 12, 2018

EraseIt! Requirements for an iPhone Security App

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:40 pm

Joseph Cox writes in: Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out:


As Apple has improved its security protections against attackers who have physical access to a phone—Touch and Face ID, the Secure Enclave Processor that handles these tools, and robust encryption used by default—law enforcement agencies have come up with varying techniques for getting into devices they seize. In the UK, police officers simulated a mugging to steal a suspect’s phone while he was using it, so it would be unlocked, and the officer repeatedly swiped the screen to make sure the phone did not close itself off again. Police lawyers determined that they would have no legal power to force the suspect to place his finger on the device, so opted for this unusual, albeit novel, approach.

In the US, however, law enforcement agencies have used both technical and legal means to get into devices. Courts have compelled suspects to unlock their device with their face or fingerprint, but the same approach does not necessarily work for demanding a passcode; under the Fifth Amendment, which protects people from incriminating themselves, a passcode may be considered as “testimonial” evidence. A number of warrants have focused on forcing suspects to place their finger onto an iPhone, and, as Forbes noted in its recent report, some warrants now include boilerplate language that would cover unlocking a device with a person’s face as well. Law enforcement agencies across the country have also bought GrayKey, a small and relatively cheap device that has had success in unlocking modern iPhones by churning through different passcode combinations.

Of all the breaches of iPhone security mentioned, GrayKey is the most disturbing. It bypasses the repeated attempt limitation and can crack a six-digit PIN in 22.2 hours (at worst) and 11.1 hours on average. Estimates in this tweet by @matthew_d_green:

While mulling over the implications of GrayKey, I found How to Set iPhone to Erase All Data After 10 Failed Passcode Attempts by Leomar Umpad.

The downside being you may be too excited (one word for it) when the door bursts open and a flash bang grenade goes off to quickly enter the wrong passcode in your iPhone. Or your freedom of movement may be restricted by armed police officers even after calm is restored.

Your iPhone needs an EraseIt! app that:

  1. Responds to verbal commands
  2. User supplied command starts erasure process
  3. Once started, erasure process disables all input, including the power button
  4. Erases all data (among other things I don’t know, how effective is data erasure in iPhones?)
  5. (Refinement) Writes 0 or 1 to all memory locations until battery failure

Relying on passcodes reminds me of Bruce Schneier’s classification of cryptography in Applied Cryptography (2nd ed.):

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

Passcodes are the former.
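The arithmetic behind the 22.2 hour figure, generalized to other passcode shapes, as an added example that is not from this post, from Green’s thread or from GrayKey. It assumes the guess rate implied by the post’s numbers (10^6 six-digit PINs in 22.2 hours, about 12.5 guesses per second) rather than any published rate, and a device whose retry throttling and erase-after-ten-failures setting have both been bypassed; the alphabet sizes are the usual digits, lowercase alphanumeric and printable ASCII.

```python
"""Passcode brute-force time estimates, added as an example.

Not code from the post or from any vendor. The guess rate is derived from
the post's own figure (10**6 six-digit PINs in 22.2 hours) and is an
assumption, as is the premise that lockouts and the erase-after-ten
setting are out of the way.
"""

SECONDS_PER_HOUR = 3600.0
HOURS_PER_YEAR = 24.0 * 365.0

# Assumed guess rate: the post's worst case for six decimal digits.
PIN6_WORST_CASE_HOURS = 22.2
GUESSES_PER_SECOND = 10 ** 6 / (PIN6_WORST_CASE_HOURS * SECONDS_PER_HOUR)

DIGITS = 10          # numeric passcode
ALPHANUMERIC = 36    # lowercase letters plus digits
PRINTABLE = 95       # printable ASCII


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_hours(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Hours to try every passcode of this shape at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_HOUR


def average_hours(alphabet_size: int, length: int,
                  rate: float = GUESSES_PER_SECOND) -> float:
    """Expected hours for a uniformly random passcode: half the keyspace."""
    return worst_case_hours(alphabet_size, length, rate) / 2.0


def min_length_for_hours(alphabet_size: int, target_hours: float,
                         rate: float = GUESSES_PER_SECOND) -> int:
    """Shortest passcode whose worst-case search takes at least `target_hours`."""
    guesses_needed = target_hours * SECONDS_PER_HOUR * rate
    length = 1
    while keyspace(alphabet_size, length) < guesses_needed:
        length += 1
    return length


def crack_time_table(rate: float = GUESSES_PER_SECOND):
    """(alphabet name, length, worst-case hours, worst-case years) rows."""
    rows = []
    for name, size in (("digits", DIGITS), ("alnum", ALPHANUMERIC),
                       ("printable", PRINTABLE)):
        for length in (4, 6, 8, 10):
            hours = worst_case_hours(size, length, rate)
            rows.append((name, length, hours, hours / HOURS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for name, length, hours, years in crack_time_table():
        print(f"{name:>9} x{length:2d}: worst {hours:16.1f} h "
              f"({years:12.2f} y)")
    print("digits for a one-year worst case:",
          min_length_for_hours(DIGITS, HOURS_PER_YEAR))
    print("alphanumerics for a one-year worst case:",
          min_length_for_hours(ALPHANUMERIC, HOURS_PER_YEAR))
```

At that rate a four-digit PIN falls in minutes and a six-digit one in a day; nine digits, or six alphanumerics, is the first shape that pushes the worst case past a year. Those numbers are exactly why the post treats passcodes as “kid sister” security once the attempt limit is gone.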

What other requirements would you have for an EraseIt! app?

PS: Go carefully. Most government forces differ from those of Saudi Arabia (Jamal Khashoggi) only in their preference to kill with plausible deniability.

October 11, 2018

Lost Opportunity for Microsoft Edge Remote Execution Bug

Filed under: Cybersecurity,Hacking,Microsoft — Patrick Durusau @ 8:55 pm

Proof-of-concept code published for Microsoft Edge remote code execution bug by Catalin Cimpanu.

From the post:


The proof-of-concept (PoC) code is for a Microsoft Edge vulnerability —CVE-2018-8495— that Microsoft patched this week, part of its October 2018 Patch Tuesday.

The vulnerability was discovered by Kuwaiti security researcher Abdulrahman Al-Qabandi, who reported his findings to Microsoft via Trend Micro’s Zero-Day Initiative program.

Today, after making sure Microsoft had rolled out a fix, Al-Qabandi published in-depth details about the Edge vulnerability on his blog.

Such PoCs are usually quite complex, but Al-Qabandi’s code is only HTML and JavaScript, meaning it could be hosted on any website.

When was the last time you heard of North Korean, Russian or Chinese security researchers (sounds classier than “hackers”) reporting a zero-day exploit to a vendor?

Same here.

Consider the opportunities presented by an HTML and Javascript zero-day with regard to governments, military installations and/or corporate entities.

All of those lost by the use of a zero-day submission process and issuance of a patch by Microsoft.

Follow your own conscience but remember, none of the aforementioned are on your side. Why should you be on theirs?

“I Can See You!” * 9 million (est.)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:04 pm

Millions at risk from default webcam passwords

From the post:


The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.

Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means that they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means that it opens up a hole in the user’s network. That places the onus on Xiongmai to make the site secure. But it didn’t.

The article goes on to point out how to locate these insecure devices, which are estimated at a population of 9 million around the world.

Suggestions on AI-assisted recognition software to distinguish baby pics from more interesting content?

October 9, 2018

Are You A “Lesser Skilled” Hacker? [Build Your Own Car Did Ya?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods by Jai Vijayan.

From this long prose ad for CrowdStrike:

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-state backed adversaries.

New analysis by security vendor CrowdStrike’s Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike’s OverWatch and security response team. “Sophisticated techniques are becoming a little more commoditized,” she says. “Anything goes. Anyone can be a target.”

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses.

In addition to being gratuitously ugly to hackers who use tools developed by others, Vijayan includes CrowdStrike attributed remarks about Russian hackers, of course.

When you have no evidence to present, throw off on the Russians. At least this season. Not so long ago it was those masterminds of everything digital, the North Koreans. Then the Chinese, or is it now the Chinese?

Check with the ministry of truth, sorry, Department of Homeland Security to see who the current “enemy” and greatest cyberthreat is today. It changes.

You are very unlikely to have written your own compiler, debugger, or other tools you use in cybersecurity. Building on the work of others, even nation-states, carries no shame.

By analogy, you could claim people are “lesser skilled” drivers because they didn’t assemble their own cars. Try that in a bar and watch other patrons start to edge away from you. Keep it up long enough and you will have public accommodations for the night (jail).

Find, use, build upon and share any “…tactics, techniques and procedures (TTPs)…” that you find, nation-state or otherwise.

So will I.

Weapon Systems Cybersecurity:… [Opportunity Knocks!]

Filed under: Cybersecurity,Hacking,Military,Security — Patrick Durusau @ 4:14 pm

Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities

From the webpage:

The cited reason for the “fictitious weapon system” is “classification reasons.”

Maybe, but identifying weaknesses in named weapon systems, encourages use of those security flaws as excuses for flaws in other systems. “Everybody has flaw ….. You can’t penalize me for a market standard flaw.”

Under the section title: Test Teams Easily Took Control (page 22):


Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

For “security” reasons none of the systems were named, guaranteeing the same failing vendors in the same congressional districts will continue to produce failing weapon systems.

Not only does opportunity knock for present US weapon systems, but additional opportunities await in every country where such systems are sold.

Remember, “…one hour to gain initial access … one day to gain full control….” If that’s not opportunity, I don’t know what is.

October 8, 2018

Slacking Hackers? Google API Bug – 13 Internet Years

Filed under: Cybersecurity,Google+,Hacking — Patrick Durusau @ 3:29 pm

Google chose not to go public about bug that exposed Google Plus users’ data by Graham Cluley.

From the post:


No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles potentially being affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having access to the unauthorized Google Plus data – it has not seen any evidence that any profile data was misused.

Estimates of an Internet year vs. a calendar year range from 1 calendar year = 2 Internet years; 1 calendar year = 4.7 Internet years; and, a high of 1 calendar year = 7 Internet years.

To be fair, let’s arbitrarily pick 1 year = 4 Internet years, which means the Google API bug has been around for 13 Internet years.

I’m not a hacker so I certainly wasn’t helping but geez. Not that anyone should have pointed the flaw out to Google by any means. Google’s moves to hide the existence of the bug, speaks volumes about some of us being in ocean going yachts and others in leaking life rafts.

There is no commonality of interests in computer security between the average user and Google. Google offers security as a commodity (think DoD in the cloud) and whether you are secure, well, have you paid Google for your security?

I’m certain that Google will protest, should they bother to notice but can you guess who has a financial interest in your free or nearly so reports of security bugs? (Hint: It’s not me.)

I’ve tried to avoid Google+ since its inception so its death won’t impact me.

I do need to set about learning how to check APIs for security flaws. 😉
