Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

September 28, 2018

LoJax – Coming to a Corporation/Government Near You!

Filed under: Cybersecurity,Government,Hacking,Security — Patrick Durusau @ 8:58 pm

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild by Swati Khandelwal.

From the post:

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

Khandelwal has a great explanation of LoJax with pointers to more detailed information.

At present the result of governmental development, it’s not unreasonable to expect LoJax to become commodity malware in a period of a year or two, perhaps less. Not unlike the first atomic bomb. The first one was true research, the second one and following, were matters of engineering.

Any number of governments and corporations merit being gifted with installations of LoJax.

Watching the anti-woman antics in the US Senate this week, made me think of several likely targets.

September 26, 2018

pandas: powerful Python data analysis toolkit & Data Skepticism

Filed under: Pandas,Python,Skepticism — Patrick Durusau @ 12:52 pm

pandas: powerful Python data analysis toolkit

From the webpage:

pandas is a Python package providing fast, flexible, and expressive data structures designed to make working with “relational” or “labeled” data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world data analysis in Python. Additionally, it has the broader goal of becoming the most powerful and flexible open source data analysis / manipulation tool available in any language. It is already well on its way toward this goal.

pandas is well suited for many different kinds of data:

  • Tabular data with heterogeneously-typed columns, as in an SQL table or Excel spreadsheet
  • Ordered and unordered (not necessarily fixed-frequency) time series data.
  • Arbitrary matrix data (homogeneously typed or heterogeneous) with row and column labels
  • Any other form of observational / statistical data sets. The data actually need not be labeled at all to be placed into a pandas data structure

[if you need more enticement]

Here are just a few of the things that pandas does well:

  • Easy handling of missing data (represented as NaN) in floating point as well as non-floating point data
  • Size mutability: columns can be inserted and deleted from DataFrame and higher dimensional objects
  • Automatic and explicit data alignment: objects can be explicitly aligned to a set of labels, or the user can simply ignore the labels and let Series, DataFrame, etc. automatically align the data for you in computations
  • Powerful, flexible group by functionality to perform split-apply-combine operations on data sets, for both aggregating and transforming data
  • Make it easy to convert ragged, differently-indexed data in other Python and NumPy data structures into DataFrame objects
  • Intelligent label-based slicing, fancy indexing, and subsetting of large data sets
  • Intuitive merging and joining data sets
  • Flexible reshaping and pivoting of data sets
  • Hierarchical labeling of axes (possible to have multiple labels per tick)
  • Robust IO tools for loading data from flat files (CSV and delimited), Excel files, databases, and saving / loading data from the ultrafast HDF5 format
  • Time series-specific functionality: date range generation and frequency conversion, moving window statistics, moving window linear regressions, date shifting and lagging, etc.

I need to spend more time with pandas but have to confess that meta-issues with data interest me more than “alleged” data distributed by governments, corporations and others.

I say “alleged” data because unless you know the means by which it was collected, the criteria for that collection, what was available but excluded from collection, plus a host of other questions about any data set, about all you know is that X claims the “alleged” data means “something.”

The “something” claimed for data varies on who is reporting it and what purpose they have in telling you. I immediately discount explanations that involve my or the public’s benefit. No, rather say the data was released in hopes that I or the public would see it as a benefit. A bit closer to the truth.

All that said, there are any number of interesting ways that processing data shades it as well, so a deep appreciation for pandas will help you spot those tricks as well.

PS: I don’t mean to contend we can ever be bias free, but I do think we can aspire to expose the biases of others.

I first saw this in a tweet by Kirk Borne

September 25, 2018

Abuse Apologist News Bingo

Filed under: Feminism — Patrick Durusau @ 6:21 pm

I saw a delightful “bingo” graphic that is on point for all abusers in the news, from www.shethepeopleusa.com. In reduced form:

I have also uploaded the graphic in its original size.

The Abuse Apologist Bingo game is sadly familiar. But it could also be used to play Abuse Apologist News Bingo. To see who and when news stations report, repeat and amplify these excuses for abusers.

To that end, I drafted the Abuse Apologist News Bingo game, that includes these instructions:

How often do you hear these excuses reported, repeated or amplified in news reports? Too often, but do you have a record, an actual count? If not, try playing abuse apologist bingo while you watch your regular news program.

When you hear one of these apologies for abusers, mark that square. After your program is over, record:

Date:__________ Time: __________ Station: __________

Send to your local news station with or without your name and email.

PS: For safety reasons, a close friend recommends you not use this as a drinking game.

My efforts can certainly be improved upon and if enough stations get enough Abuse Apologist News Bingo cards, who knows, maybe NPR won’t describe reports about Kavanaugh as being from thirty years ago in every broadcast. As though that has any meaning.

PS: Ping me for the source file, my ISP won’t accept word processing documents.

Twitter’s Quest to Police Public Conversation [Note on feminist power analysis]

Filed under: Censorship,Free Speech,Twitter — Patrick Durusau @ 10:05 am

Not satisfied with suppressing the free speech of millions, Twitter is expanding the power of its faceless censors to seek out and silence dehumanizing language.

From their post:


For the last three months, we have been developing a new policy to address dehumanizing language on Twitter. Language that makes someone less than human can have repercussions off the service, including normalizing serious violence. Some of this content falls within our hateful conduct policy (which prohibits the promotion of violence against or direct attacks or threats against other people on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, disability, or serious disease), but there are still Tweets many people consider to be abusive, even when they do not break our rules. Better addressing this gap is part of our work to serve a healthy public conversation.

With this change, we want to expand our hateful conduct policy to include content that dehumanizes others based on their membership in an identifiable group, even when the material does not include a direct target. Many scholars have examined the relationship between dehumanization and violence. For example, Susan Benesch has described dehumanizing language as a hallmark of dangerous speech, because it can make violence seem acceptable, and Herbert Kelman has posited that dehumanization can reduce the strength of restraining forces against violence.

Let’s be clear: I don’t tweet, re-tweet or otherwise amplify any of the conduct that is now or would be in the future, forbidden as “dehumanizing language.”

At the same time, it is every user’s right to determine for themselves what content, harmful and/or dehumanizing, they wish to say or view.

Trivially easy for Twitter to implement filters that users could “follow” in order to avoid either harmful or dehumanizing speech, tuned to their specific choices. The same is true for followable block lists of users known to spew such nonsense.

For reasons unknown to me, Twitter and its fellow travelers want to police the “public conversation.” So that its nameless and faceless censors can shape the public conversation.

Twitter censorship favors the same values I do, but even so, I find it objectionable in all respects.

If you know anyone working at Twitter, challenge them to empower users with followable content filters and block lists.

I have and all I get is silence in response.

PS: If you are interested in feminist power analysis, silence is the response of the privileged when challenged. They don’t even have to acknowledge your argument or produce facts. Just silence. Maybe I should write a post: Twitter and Patterns of Privilege. What do you think?

September 24, 2018

What Would Qualify as a Cyber 9/11?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:17 pm

One of the participants in a discussion reported by Troy Schneider in: Cybersecurity the right way attributes the formation of the Department of Homeland Security (DHS) to “…planes flew into buildings, right?”

I’m not sure reduction of 9/11 down to “…planes flew into buildings…” will be popular, but it did result in a wasted $5+ Trillion to date. If you are looking for funding, a 9/11 equivalent event would be hard to beat.

The question that came to me: What qualifies as a cyber 9/11?

I have a short list of things that didn’t:

  1. Office of Personnel Management (OPM) – “…greatest theft of sensitive personal data in history.” Why the OPM Hack Is Far Worse Than You Imagine Data on all prospective, former and current federal employees since 1985.
  2. National Security Agency hacking tools stolen and leaked on the Internet. Shadow Brokers Group Leaks Stolen National Security Agency Hacking Tools
  3. CIA hacking tools known as Vault 7 leaked by Wikileaks. Wikileaks releases document trove allegedly containing CIA hacking tools
  4. US-South Korea war plans. North Korea ‘hackers steal US-South Korea war plans’

Based on public response of the government and industry, none of those events was a cyber 9/11. (I remember the Clinton email breach, but stealing a gmail password hardly qualifies as a “hack.”)

There is an interactive visualization of data breaches that allows you to filter by organization and method of leak, then viewing the results by calendar year: World’s Biggest Data Breaches (losses > 30,000 records)

By implication, none of those breaches were sufficient to be a cyber 9/11.

I’m really at a loss to say what the cyber equivalent of “…planes flew into buildings…” would look like.

Perhaps the primary reason for the lack of a cyber 9/11 event is the distraction of hackers with more profitable targets. It might be interesting to have a copy of the National Crime Information Center (NCIC) databases, but it would be a niche item. Unless you are into suppressing civil dissent, etc.

On the other hand, the genealogy people might go nuts over it. Would need to test the market before putting a lot of effort into it.

Cyber 9/11 events? Suggestions?

September 23, 2018

Scan4You: Not Sharing Is A Crime?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:48 am

Hacker gets 14 years jail time for operating Scan4You malware scanning service by Waqas.

I’ve been puzzling over what crime was committed here, especially when I read:


The purpose was to assess whether the malicious code was detected or not during routine security checks. Scan4You is also regarded in the infosec industry as a non-distribute-scanner. The difference between VirusTotal and Scan4You is that the latter doesn’t let antivirus engines report back results to vendors and the malware detections are kept discreet while the former does so.

The Scan4You service, according to the court documents, was hosted on Amazon Web Services servers while malware developers used to pay to get full access to its features. Trend Micro also stated that Bondars also made a very common mistake that almost every malware developer has made in the past, which is that he blocked antivirus engines from the reporting of file scans.

If you track down the indictment, Ruslans Bondars and Jurijs Martisevs indictment (h/t Catalin Cimpanu for uploading),

On a quick read, section 11 of the indictment appears to be its most worrisome point:


11. The Defendants intentionally marketed (omission) to computer hackers using the website (omission) and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the (omission) service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users they will do so, (omission) instead informed its users they could upload anonymously, and that data about the uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

The indictment does not contain the advertisements posted by the defendants: “The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII).” so it’s not possible to judge the intent evidenced by those ads.

On the other hand:

  • “a hidden service accessible via The Onion Router (TOR)”
  • anonymous uploads
  • not sharing with the antivirus community

By themselves, surely don’t support the conclusion:


As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

Don’t rely on this post as legal advice but I can easily see a legitimate virus scanning service offering a hidden service with anonymous uploads, for the purpose of staying ahead of its competition in detection of malware. If malware authors are more likely to upload to a service anonymously, doing otherwise makes little business sense.

Moreover, not sharing with the antivirus community rests on the mistaken assumption computer security is a shared concern. That’s demonstrably false by collection and use of zero-day vulnerabilities by the NSA. See: The challenge of offensive hacking: the NSA and zero days

Governments around the world use cyber vulnerabilities and call on you to make unpaid contributions of time and labor to improve “cybersecurity.”

I’ll pass on that request.

Hackers represent the QA staffs software vendors refuse to hire. If governments want more secure software, decriminalize hacking and establish civil liability for software vendors, contractors and users.

Incentivize security as opposed to preaching about it.

September 22, 2018

What’s The Buzz? Tell Me What’s Happening – Meltdown

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:22 pm

Meltdown: Reading Kernel Memory from User Space by Moritz Lipp, et al.

Abstract:

The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security guarantees provided by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.

A lucid presentation that has you cheering for U.S. Department of Defense migration to the cloud plans.

Go ahead, step just a little bit further into light.

September 21, 2018

Senate GMail Attack – eXist-db 5.0.0 RC 4 Release – Coincidence?

Filed under: Cybersecurity,eXist,Government,XML,XML Database,XQuery — Patrick Durusau @ 6:16 pm

First I see Senators’ Gmail accounts targeted by foreign hackers from today that reads in part:

The personal Gmail accounts of an unspecified number of US senators and Senate staff have been targeted by foreign government hackers, a Google spokesperson confirmed to CNN on Thursday.

then I see in my Twitter feed:

[eXist-db] v5.0.0-RC4 – September 21, 2018.

The campaign season has been devoid of any Clinton-like email leaks, which is both disappointing and a little surprising.

It worked so well last time, taking no-news office gossip and, by timed release, making back-biting chatter into widely reported news.

You should grab a copy of eXist-db v.5.0.0-RC4 or the current stable version. Practicing now will keep you in shape for any flood of congressional emails.

eXistDB is NOT in league with any hackers anywhere.

I like feeding the paranoid delusions of the IC with groundless gossip. They will write it down, talk about it, do research, all the while they are not out harming US citizens and/or hopefully citizens of any other countries.

September 20, 2018

Software disenchantment (a must read)

Filed under: Computer Science,Design,Programming,Software,Software Engineering — Patrick Durusau @ 3:34 pm

Software disenchantment by Nikita Prokopov.

From the post:


Windows 95 was 30Mb. Today we have web pages heavier than that! Windows 10 is 4Gb, which is 133 times as big. But is it 133 times as superior? I mean, functionally they are basically the same. Yes, we have Cortana, but I doubt it takes 3970 Mb. But whatever Windows 10 is, is Android really 150% of that?

Google keyboard app routinely eats 150 Mb. Is an app that draws 30 keys on a screen really five times more complex than the whole Windows 95? Google app, which is basically just a package for Google Web Search, is 350 Mb! Google Play Services, which I do not use (I don’t buy books, music or videos there)—300 Mb that just sit there and which I’m unable to delete.

Yep, that and more. Brim full of hurtful remarks but also suggestions for a leaner, faster and more effective future.

Prokopov doesn’t mention malware but “ratio of bugs per line of code” has a great summary of various estimates of bugs to lines of code.

Government programmers and their contractors should write as much bloated code as their funding will support.

Programmers working in the public interest, should read Prokopov deeply and follow his advice.

New Hacking Challenge: CLIP OS (French Cybersecurity OS)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 2:44 pm

French cyber-security agency open-sources CLIP OS, a security hardened OS by Catalin Cimpanu.

From the post:

The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

In a press release, ANSSI described CLIP OS as a “Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information.”

More details are available at The CLIP OS Project, including version 4 (current release, documentation in French), and version 5 (alpha version, documentation in English).

The lack of a build version makes me wonder about the breadth of CLIP OS deployment, within ANSSI or the French government more generally.

Not that you want to rely on security by obscurity, but if CLIP OS is a substantial security advance over comparable systems, why open source it?

The open source motivation could be to boost a French vendor that has a commercial product along similar lines. Perhaps former members of the ANSSI?

In any event, enjoy getting the CLIP OS up and running as preparation to finding its soft spots.

Free CCTV Surveillance Camera Networks

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 12:51 pm

You don’t get to pick the locations but as Tom Spring details in: Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras, not only can you take over up to 800,000 existing CCTV cameras with the bugs discussed, all those cameras will require a manual upgrade.

Hard to imagine a greater deterrent to upgrading than requiring manual upgrading of each and every camera.

From the post:


The first vulnerability (CVE-2018-1149) is the zero-day. Attacker can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI handle. The CGI then doesn’t validate user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.

The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.

Which CCTV surveillance camera networks do you have control of? (Rhetorical question. Don’t answer! Bad OpSec.)

HIDE AND SEEK… (Pegasus Spyware)

Filed under: Government,Pegasus,Privacy — Patrick Durusau @ 12:27 pm

HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert.

From the post:


Key Findings

  • Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator.
  • We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
  • Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
  • Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

(The image of Pegasus infections looks far better and is more informative in the original post.)

The NSO Group responded to the Hide and Seek post here.

Any defense against the NSO Group and/or users of their software is up to you. Governments are clearly not on the side of citizens when it comes to the NSO Group.

Learning by Porting (Oldie but Goodie (2008))

Filed under: Clojure,Functional Programming,Lisp — Patrick Durusau @ 11:52 am

PCL -> Clojure by Stuart Halloway.

From the post:

My current leisure-time project is porting the examples from Peter Seibel's excellent Practical Common Lisp (PCL) to Clojure.

I think Clojure is interesting for three reasons:

  1. Clojure is Lisp, but minus historical baggage.
  2. Clojure gives full access to the JVM and Java libraries.
  3. Clojure groks concurrency and state.

My ground rules are simple:

  • I am not going to port everything, just the code samples that interest me as I re-read Practical Common Lisp.
  • Where Peter introduced Common Lisp features in a planned progression, I plan to use whatever Clojure feature come to mind. So I may jump straight into more "advanced" topics, even in the intro chapters.

Please do not assume that this port is a good introduction to Common Lisp! I am cherry-picking examples that are interesting to me from a Clojure perspective. If you want to learn Common Lisp, read PCL. In fact, you should probably read the relevant chapters in PCL first, no matter what.

Halloway credits Ola Bini with the idea for porting examples but the links to Bini’s post aren’t working at the moment.

You know the adage “the best way to learn something is to teach it.” Take this as a variant on that idea.

Porting examples avoids “nodding” understanding (one of my weaknesses). If the ported example doesn’t work, assuming it did in the original, your understanding of the example and/or porting language has failed.

September 16, 2018

Radare2 – Perils of e – 492 Settings in 32 Namespaces

Filed under: Hacking,Radare2 — Patrick Durusau @ 10:31 am

If you are new to Radare2 (that includes me), you will execute the e command at an r2 prompt, and be overwhelmed by 492 possible settings.

The manual helpfully says that you can use e (namespace). to see all the settings within a namespace.

e cfg.

returns:

cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false

But if you don’t know the namespaces, that’s not very helpful advice.

The namespaces as of 16 September 2018 are:

  1. anal
  2. asm
  3. bin
  4. cfg
  5. cmd
  6. dbg
  7. diff
  8. dir
  9. emu
  10. esil
  11. file
  12. fs
  13. graph
  14. hex
  15. http
  16. hud
  17. io
  18. key
  19. lines
  20. magic
  21. pdb
  22. prj
  23. rap
  24. rop
  25. scr
  26. search
  27. stack
  28. str
  29. tcp
  30. time
  31. zign
  32. zoom

The use of namespaces with e produces more manageable setting listings. Ping me if you find this useful.
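The namespace list above can be derived from the e output itself rather than compiled by hand. The following is an added example, not part of the original post or of radare2: it groups e output by namespace, counts the settings in each, and reports which settings differ between two dumps. The sample input is the e cfg. listing from the post plus three constructed lines, and the r2 -q -c e - invocation in live_e_output is an assumption about the installed radare2.

```python
import shutil
import subprocess

# The 16 cfg.* lines are the listing shown in the post. The last three lines
# are CONSTRUCTED for this example so that more than one namespace appears.
SAMPLE_E_OUTPUT = """\
cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false
asm.arch = x86
asm.bits = 64
scr.color = 1
"""


def parse_settings(e_output):
    """Yield (key, value) pairs from 'key = value' lines; skip anything else."""
    for line in e_output.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key or " " in key:
            continue  # blank lines, banners, warnings
        yield key, value.strip()


def group_by_namespace(e_output):
    """Map namespace -> {setting: value}.

    The namespace is the text before the first dot, so nested keys such as
    cfg.fortunes.clippy stay in the cfg namespace.
    """
    groups = {}
    for key, value in parse_settings(e_output):
        namespace = key.split(".", 1)[0] if "." in key else "(none)"
        groups.setdefault(namespace, {})[key] = value
    return dict(sorted(groups.items()))


def summarize(e_output):
    """Return [(namespace, number_of_settings), ...] sorted by namespace."""
    return [(ns, len(s)) for ns, s in group_by_namespace(e_output).items()]


def diff_settings(before, after):
    """Return {setting: (old, new)} for every setting that differs between two dumps."""
    old, new = dict(parse_settings(before)), dict(parse_settings(after))
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


def live_e_output():
    """Run 'e' in a throwaway r2 session; None if r2 is missing or fails.

    Assumption: 'r2 -q -c e -' runs the command against an in-memory buffer
    and exits, as it does in the radare2 versions the editor has used.
    """
    if shutil.which("r2") is None:
        return None
    proc = subprocess.run(
        ["r2", "-q", "-c", "e", "-"],
        capture_output=True, text=True, timeout=60,
    )
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    text = live_e_output() or SAMPLE_E_OUTPUT
    for ns, count in summarize(text):
        print(f"e {ns}.  ({count} settings)")
```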

September 13, 2018

OpenOversight: A public, searchable database of law enforcement officers

Filed under: Government,Transparency — Patrick Durusau @ 2:41 pm

OpenOversight: A public, searchable database of law enforcement officers

From the about page:

OpenOversight is a Lucy Parsons Labs project that aims to improve law enforcement visibility and transparency using public and crowdsourced data. We maintain databases, digital galleries, and profiles of individual law enforcement officers from departments across the United States that consolidate information including names, birthdates, mentions in news articles, salaries, and photographs.

The remarkable resource was forwarded to me by Camille Fassett.

Similar resources for members of legislatures, fracking companies, etc.?

Vulmon [Ultimate Vulnerability Search Engine (self-description)]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:10 pm

Vulmon

From the about page:

Vulmon is a vulnerability search engine. Vulmon conducts full text search in its database therefore you can search everything related with vulnerabilities. It includes cve id, vulnerability types, vendors, products, exploits, operating systems and anything related with vulnerabilities.

Vulmon aims to be both simple and advanced tool for cyber security researchers. Researchers can search everything with its simple interface and get detailed information about vulnerability and related exploits.

Offers recent vulnerabilities, discussion, trends.

Consult while you are waiting for radare2 to complete its daily re-build (recommended by Megabeets).

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

September 11, 2018

EveryCRSReport.com [Better than Liberal and Conservative News Sources]

Filed under: Fake News,Journalism,News,Reporting — Patrick Durusau @ 8:42 pm

EveryCRSReport.com

From the homepage:

We’re publishing reports by Congress’s think tank, the Congressional Research Service, which provides valuable insight and non-partisan analysis of issues of public debate. These reports are already available to the well-connected — we’re making them available to everyone for free.

From the about page:

Congressional Research Service reports are the best way for anyone to quickly get up to speed on major political issues without having to worry about spin — from the same source Congress uses.

CRS is Congress’ think tank, and its reports are relied upon by academics, businesses, judges, policy advocates, students, librarians, journalists, and policymakers for accurate and timely analysis of important policy issues. The reports are not classified and do not contain individualized advice to any specific member of Congress. (More: What is a CRS report?)

Congressional Research Service reports have a point of view. Any report worth reading has a point of view. CRS reports name and evaluate their sources, give reasons for the views reported, they empower readers to evaluate reports, as opposed to swallowing them whole. (Contrast that with average media reporting.)

For example, Decision to Stop U.S. Funding of UNRWA (for Palestinian Refugees) gives a brief background on this controversial issue, followed by a factual recitation of events up to the date of the report, an evaluation of the possible impact of ending funding for UNRWA, followed by options for Congress.

If you are at all aware of the bitterness that surrounds any discussion of Palestine and/or the Palestinians, the CRS report is a tribute to the even-handedness of the Congressional Research Service.

New reports appear daily so check back often and support this project.

Sploitus – First Search – Check It Out!

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Sploitus

New to me search engine for vulnerabilities and exploits. Archive.org reports its first mirroring of Sploitus as of today, 11 September 2018, so I assume I’m not too far behind in hearing about it.

Nice presentation of “Exploits of the week” on the homepage.

I searched for “xml injection” but the query as sent reads:

https://sploitus.com/?query=%22xml%20injection%22#exploits

Without the links, Sploitus returned (in part):

  • Microsoft Baseline Security Analyzer 2.3 – XML External Entity Injection
  • Microsoft Baseline Security Analyzer 2.3 XML Injection
  • MedDream PACS Server Premium 6.7.1.1 – ’email’ SQL Injection
  • Softneta MedDream PACS Server Premium 6.7.1.1 SQL Injection
  • Apache Roller 5.0.3 XML Injection / File Disclosure
  • Opsview Monitor 5.x Command Execution Vulnerability

Some vulnerabilities were covered by different sources, hence the duplication.

It isn’t clear to me how “xml injection” returns “SQL Injection” but I do like the sort by severity or date or default options.

Certainly a place I will be exploring more.

PS: Not to put too much emphasis on technical hacking. You could just call up tech support and have them reset the password for a known user account. Sometimes the simple solution is the better solution.

Censorship Fail (no surprise) at Facebook

Filed under: Censorship,Facebook,Free Speech — Patrick Durusau @ 6:01 pm

Facebook’s idea of ‘fact-checking’: Censoring ThinkProgress because conservative site told them to by Ian Millhiser

From the post:

Last year, Facebook announced that it would partner with The Weekly Standard, a conservative magazine, to “fact check” news articles that are shared on Facebook. At the time, ThinkProgress expressed alarm at this decision.

The Weekly Standard has a history of placing right-wing ideology before accurate reporting. Among other things, it labeled the Iraq War “A War to Be Proud Of” in 2005, and it ran an article in 2017 labeling climate science “Dadaist Science,” and promoted that article with the phrase “look under the hood on climate change ‘science’ and what you see isn’t pretty.”

The Weekly Standard brought its third-party “fact-checking” power to bear against ThinkProgress on Monday, when the outlet determined a ThinkProgress story about Supreme Court nominee Brett Kavanaugh was “false,” a category defined by Facebook to indicate “the primary claim(s) in this content are factually inaccurate.”

To save you the suspense, the ThinkProgress story was true by any literate reading of its report and the claims by The Weekly Standard are false.

Millhiser details the financial impact of a “false” rating from Facebook, which reverberates through the system and the lack of responsiveness of The Weekly Standard when questioned about its “false” rating.

The Weekly Standard has been empowered by Facebook to become a scourge on free expression. Hold Facebook and The Weekly Standard accountable for their support and acts of censorship.

Middle Earth Map Style

Filed under: Cartography,Mapping,Maps — Patrick Durusau @ 4:23 pm

Middle Earth Map Style by John Nelson.

From the post:

Here are a couple maps made to resemble the epic collaboration of JRR Tolkien and Pauline Baynes. I would consume every little pen stroke as a kid, poring over the insert maps of Middle Earth in my sister’s LOTR set (which mysteriously now live on my shelf)…

If you are interested in trying out making digital Middle Earths, here is an ArcGIS Pro style file with all the doodads you’ll need. If you don’t run that, then here is a zip file with all of the textures and graphics that you can use to symbolize your layers.

The format of my blog would mar examples of Nelson’s maps beyond recognition. Visit them at Nelson’s site and spread word of them and the aids for producing more such maps.

Any bets on where I would locate Mordor on a map of the United States? 😉

September 10, 2018

Make Yourself and Staff, Legitimate Military Targets

Filed under: Censorship,Free Speech — Patrick Durusau @ 8:20 pm

YouTube Shuts Down All Syrian State Channels As Idlib Assault Begins

From the post:

Syrian state YouTube channels have been shut down this morning just as the Syrian Army’s ground offensive has officially begun.

This includes the following now terminated Syrian state and pro-government channels: Syrian Presidency, Syria MoD (Ministry of Defense), SANA, and Sama TV. This follows YouTube reportedly closing Syria’s Ortas News last week.

The post goes on to point out that perhaps this latest censorship by YouTube is just that, more censorship.

However, YouTube and its staff should be aware that coordination, apparent or otherwise, with forces opposed to the Syrian government, makes them legitimate military targets.

Unlikely military targets but if you are allergic to military action and employed by YouTube, you should consider other employment at your earliest opportunity.

September 6, 2018

Using cURL through Tor on Ubuntu 18.04

Filed under: Cybersecurity,Tor — Patrick Durusau @ 3:01 pm

When I found Making Tor Requests with command-line cURL by NanoDano, I thought I had hit gold!

Easy enough:

Except that when I do:

curl --socks5-hostname localhost:9150 https://check.torproject.org

I get:

curl: (7) Failed to connect to localhost port 9150: Connection refused

Quick answers: Yes, the Tor browser is running, the syntax is correct, ….

I spent several minutes trying to identify the source of the problem before doing this:

curl --socks5-hostname 127.0.0.1:9150 https://check.torproject.org

Success!

Yes, I have a local mis-configuration, which I can correct, but you may find situations where correction isn’t possible.

Try substitution of 127.0.0.1 for localhost and vice-versa, before looking for more obscure causes. (That also quickly identifies this particular mis-configuration.)
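A quick way to see the difference on a given machine, as an added example that is not part of the original post: the script lists what `localhost` resolves to and repeats the post's curl request against each loopback address. The function names are hypothetical; port 9150 and the check URL are taken from the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): show what "localhost" resolves
# to and which loopback address the Tor SOCKS port answers on.
# Function names are hypothetical; port 9150 and the URL come from the post.

# Read `getent ahosts NAME` output on stdin; print unique addresses in order.
resolved_addrs() {
    awk 'NF && !seen[$1]++ { print $1 }'
}

# Build the host:port form curl expects; IPv6 literals need brackets.
hostport() {
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# Map the curl exit codes that matter here to a short label.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        7)  echo "connect-failed" ;;   # "Failed to connect", the error in the post
        28) echo "timeout" ;;
        *)  echo "curl-error-$1" ;;
    esac
}

# Probe localhost's resolved addresses plus both standard loopback addresses.
check_socks_port() {
    port="${1:-9150}"
    url="${2:-https://check.torproject.org}"
    resolved=$(getent ahosts localhost 2>/dev/null | resolved_addrs)
    echo "localhost resolves to: ${resolved:-nothing}" | tr '\n' ' '; echo
    for addr in $(printf '%s\n127.0.0.1\n::1\n' "$resolved" | resolved_addrs); do
        hp=$(hostport "$addr" "$port")
        rc=0
        curl -s -o /dev/null --max-time 20 --socks5-hostname "$hp" "$url" || rc=$?
        printf '%-20s %s\n' "$hp" "$(explain_curl_exit "$rc")"
    done
}
```

Call `check_socks_port 9150` with the Tor browser running; an address that `localhost` resolves to but that reports connect-failed is the one to look at in /etc/hosts or the resolver configuration.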

Guidance for Leakers

Filed under: Journalism,Leaks,News,Reporting — Patrick Durusau @ 2:19 pm

Our who, what, why leak explainer by Hamish Boland-Rudder.

From the post:

Whistleblowers, like Deep Throat, Daniel Ellsberg, Karen Silkwood, Mordechai Vanunu, Linda Tripp, Jeffrey Wigand, Edward Snowden, Bradley — now Chelsea — Manning and John Doe, come from all walks of life, and stigma and myth tend to surround them.

The International Consortium of Investigative Journalists has lots of experience with information leaks. In the past five years alone, we’ve sifted through about 30 million leaked documents to produce groundbreaking investigations like the Panama Papers, Paradise Papers, Swiss Leaks and Lux Leaks.

The common denominator? Whistleblowers providing information, secretly, in an attempt to expose hidden wrongs.

Famously, whistleblowers have toppled President Richard Nixon, effectively ended the Vietnam War, exposed an Oval Office tryst, revealed nuclear secrets, uncovered environmental and health catastrophes and focused global attention on offshore tax havens.

ICIJ is often approached by concerned citizens who believe they’ve found an injustice that they’d like us to investigate, but few know the first thing about becoming a whistleblower or how to provide information to journalists.

So we thought a basic guide to leaking might prove useful, one laid out using an old journalistic tool: the five W’s and a H (loosely interpreted!)

I deeply respect the work the International Consortium of Investigative Journalists (ICIJ) has done in the past, is doing in the present and will continue to do in the future. Amazing work that has made a real difference for millions of ordinary people around the world.

On the other hand, I have been, am and will be highly critical of the ICIJ over its hoarding of leaks for limited groups of reporters and editing those leaks in a display of paternalism for readers, who haven’t asked for their help.

All that said, do pass this information from the ICIJ around. You never know where the next leaker may be found.

PS: I would not target anyone in government with the material. Better to send everyone in the EPA the same advice. So no one stands out. Same for other government agencies. You’re a citizen, write to your government.

September 4, 2018

Of hosting files in url minifiers [Passing < 4k operational orders]

Filed under: Compression,Hosting,Intelligence,Web Server — Patrick Durusau @ 4:56 pm

Of hosting files in url minifiers by Paul Masurel.

From the post:

Today I had an epiphany while staring at a very long url. I thought: “Url minifiers are really nice to store all of this data for free”. And then it struck me… One can really store 4KB of arbitrary data with a url minifier system and share it for free.

Now there’s a clever thought!

Apologies for missing this when it first appeared. I can imagine several interesting uses for this insight.

Such as the passing of operational orders via a url minifier system.

Tasking the intelligence community to discover and inspect every shortened url, every day.

I say < 4k operational orders because the more advanced the technique, the greater the technical overhead. The base 4k is trivial.

For example, https://bit.ly/2wHB3zH, which gives a 404, but also the text:

http://www.nowhere.com/Today-is-the-day-we-smite-our-oppressors-at-the-usual-location

All I needed was a public url minifier.

Please share this post with anyone who has a need to pass < 4k operational orders or information.

Be sure to credit Paul Masurel with this discovery. Me, I find interesting use cases and applications of technology.

…Access to Evidence and Encryption [Not One Step Backwards]

Filed under: Encryption,Privacy — Patrick Durusau @ 1:34 pm

Statement of Principles on Access to Evidence and Encryption (United States, the United Kingdom, Canada, Australia and New Zealand)

From the preamble:

The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights. Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

Each of the Five Eyes jurisdictions will consider how best to implement the principles of this statement, including with the voluntary cooperation of industry partners. Any response, be it legislative or otherwise, will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process. We recognize that, in giving effect to these principles, governments may have need to engage with a range of stakeholders, consistent with their domestic environment and legal frameworks.

This joint statement memorializes Five Eyes jurisdictions’ ignorance of computer encryption. Or perhaps basic logic, that material cannot be accessible and yet not accessible (encrypted) at the same time. It’s called a contradiction in terms.

The Five Eyes jurisdictions may as well decide to round Pi off to 3.14. (STOP! That was sarcasm, please don’t meddle with Pi. All sorts of things, missiles, rockets, aircraft, etc., will suddenly go horribly wrong.)

Do not engage with any of the Five Eyes jurisdictions on any proposal to give governments access to encrypted materials.

I mean that quite literally. There are no facts to be produced, no trade-offs to discuss, no supervisory mechanisms to be considered. Cybersecurity experts have already established that data either is or is not encrypted. Any backdoor into an encryption system means it isn’t secure. (full stop)

There aren’t any viable issues open for discussion.

By your non-participation, the Five Eyes jurisdictions will write their regulations more poorly than with your presence.

The poorer the regulations, the more easily breached the resulting encryptions will be.

Penetration Testing / OSCP Biggest Reference Bank

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:38 pm

Penetration Testing / OSCP Biggest Reference Bank by OlivierLaflamme (Boschko)

Forty-three (43) penetration cheatsheets as of today (4 September 2018), all dating from August 1, 2018.

Opportunity to grab cheatsheets and to contribute back to the community with comments and suggestions.

Note the difference between some communities of hackers and white-hat hackers, who practice secrecy and non-sharing. That’s the real advantage in cybersecurity matters.

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

Tor Sites – Is Your Public IP Showing? [Terrorist-in-a-Box]

Filed under: Cybersecurity,Dark Web,Tor — Patrick Durusau @ 9:32 am

Public IP Addresses of Tor Sites Exposed via SSL Certificates by Lawrence Abrams.

From the post:

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.

One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.

The failure of people who intentionally walk on the wild side to properly secure their sites holds out great promise that government and industry sites are even more poorly secured.

If you are running a Tor site or someday hope to run a Tor site, read this post and make sure your public IP isn’t showing.
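One way to run that check on the server itself, as an added example that is not from Abrams's post or the researcher's work: it parses `ss -H -tln` output and reports every TCP listener bound to something other than a loopback address. The function names are hypothetical and the sample socket list is constructed.

```shell
#!/bin/sh
# Added example (not from the quoted post): list TCP listeners that are bound
# to a non-loopback address. Function names are hypothetical.

# Constructed sample of `ss -H -tln` output, for trying the parser offline.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128        127.0.0.1:9050       0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      511        127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      128            [::1]:631           [::]:*
LISTEN 0      128    127.0.0.53%lo:53         0.0.0.0:*
EOF
}

# Read `ss -H -tln` lines on stdin; print "address port" for every listener
# whose local address is not 127.0.0.0/8 or ::1.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # drop the trailing :port
        gsub(/\[|\]/, "", addr)                # drop IPv6 brackets
        sub(/%.*$/, "", addr)                  # drop an interface scope (%lo)
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print addr, port
    }'
}

# Run the check against the live socket table; non-zero exit if any
# listener is bound to a non-loopback address.
audit_listeners() {
    found=$(ss -H -tln | exposed_listeners)
    if [ -z "$found" ]; then
        echo "all TCP listeners are loopback-only"
        return 0
    fi
    echo "listeners bound to non-loopback addresses (address port):"
    echo "$found"
    return 1
}
```

Run `audit_listeners` on the host; for a hidden service, the web server's port should not appear in its output.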

Unless your Tor site is a honeypot for government spy agencies. They lap up false information like there is no tomorrow.

Not something I have time for now but consider mining intelligence reports as a basis for creating a Tor site, complete with information, chats, discussion forums, etc., download (not public) name “Terrorist-in-a-Box.” Unpack, install, configure (correctly) and yet another terrorist site is on the Dark Web. Have an AI running all the participants on the site. A challenging project to make it credible.

The intelligence community (IC) makes much of their ability to filter noise from content, so you can help them test that ability. It’s almost a patriotic duty.

Install OpenCV on Ubuntu – Success!

Filed under: Image Processing,Image Recognition,OpenCV — Patrick Durusau @ 8:51 am

I tried following How to install OpenCV on Ubuntu 18.04, only to crash and burn in several different ways.

Let’s see, two versions of Python (2.7 and 3.6), lack of some of the default packages of Ubuntu, etc. Correcting the version of Python being called was easy enough, but when I ran into the dependency issues, I took the easy way out!

I downloaded Ubuntu 18.04 from OSBoxes.org, installed it on VirtualBox and then followed the instructions in How to install OpenCV on Ubuntu 18.04.

Success!

I didn’t explore the highways and byways of why my Ubuntu 18.04 doesn’t support the installation of OpenCV, but then my goal was the installation and use of OpenCV. That goal stands accomplished.

If at first you don’t succeed, grab a VM!

More on why the more than casual interest in OpenCV in a future post.
