Done With Chrome
Via Matthew Green, PhD's blog entry 'Why I'm done with Chrome', Dr. Green explains why, in fact, he has quit Chrome. Most certainly Today's Must Read.
Via the inimitable Rich Mogull, writing at TidBITS, comes this interesting take on the newly implemented user-facing security usability problems in Apple Inc.'s (Nasdaq: AAPL) desktop variant of Darwin, macOS 10.14 Mojave. Typically, strict reliance on user-level intervention to implement security controls leads to insecure configurations. Today's Must Read (especially considering the new macOS version is due for general release today!).
Quite likely one of the more entertaining Cyberlaw Podcast episodes yet... In this case, the inimitable Bruce Schneier talks with the Cyberlaw Podcast's host, Stewart Baker, on the occasion of Bruce's latest publishing tour de force, 'Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World'. Today's Must Listen and certainly Must Read. Enjoy!
Incroyable! Massachusetts Institute of Technology researchers have developed what could very well be the 'holy grail' of submarine-to-surface communications. Dubbed TARF (translational acoustic-RF communication), the system ostensibly bridges underwater sonar and airborne radar with no intermediate relay: an acoustic signal from below vibrates the water's surface, and a radar above reads the data off those vibrations. Absolutely superb work, and Today's Must Read.
Behold: a well-crafted white paper, targeting security-related white papers, that is apparently a blog post, and most importantly, dripping with the sweet, sweet wine of security sarcasm. Today's Must Read!
In which Jonathan M. Gitlin, writing at Ars Technica, describes sinister actions by electioneers in the State of Georgia... I contend this is further evidence of a fast downward spiral of free and fair elections at the state and local levels, and a slower spiral at the national scale. Today's Must Read.
"We've looked at poor voting security in the state previously. In 2017, a report by a Georgian security researcher revealed a shocking lack of security throughout the state's voting system. Later that year, we discovered that servers that were thought to be key evidence for the same federal lawsuit that has led to this week's news were wiped, then repeatedly degaussed." - via Jonathan M. Gitlin, writing at Ars Technica
Superlative security research is still coming out of IOActive's game-changing environment (this has been going on for years now; how do they do it?).
Case in point: the work of Alejandro Hernandez and his current project targeting the apparent insecurity of some (but not all, mind you) stock trading applications so popular amongst the budding young (and old; don't forget the greybeards) kings and queens of capitalism.
In the case under scrutiny, a highly detailed and, most importantly, thoroughly accurate examination of a large number of commercially available trading applications executing their binary bits on a variety of platforms. Read all about it in Mr. Hernandez's blog post at IOActive, and in the accompanying white paper. You'll be glad you did.
Who amongst our readers (including yours truly) would have thought that the abdication of the Emperor of Japan (slated for mid-Spring 2019) would have anything to do with timekeeping, including calendaring problems, leading the island nation into its own Y2K-like debacle? As a matter of course, the change of era also affects information security processes and systems: any system that stores or compares dates in the Japanese era calendar must know the new era's name and start date before it can represent, sort or compare dates after the transition. That includes, for example, both role-based and discretionary access control systems, identity management, incident logging and investigatory activities, amongst others.
Now, via The Guardian's Alex Hern, comes word of what some might call the coming crisis in Japanese society due to the calendaring issues brought on by the abdication of Emperor Akihito (announced to make way for his son, Crown Prince Naruhito). Japan's official calendar counts years from the date on which a Crown Prince ascends the Chrysanthemum Throne as Emperor, so each accession begins a new era with its own name and its own year 1. This is not some mere dysfunction of the calendar; it resonates in the very soul of the Emperor's subjects, the citizens of Japan, and their traditional method of marking the passing days, months and years. In regards to the Unicode issue raised by the new era (a new square era-name character must be encoded, and it cannot be assigned until the name is announced), please read the post at The Guardian for additional details, as space is at a premium for this post. Certainly Today's Must Read!
"The magnitude of this event on computing systems using the Japanese Calendar may be similar to the Y2K event with the Gregorian Calendar," said Microsoft Corporation's Shawn Steele. "For the Y2K event, there was world-wide recognition of the upcoming change, resulting in governments and software vendors beginning to work on solutions for that problem several years before 1 Jan 2000. Even with that preparation many organisations encountered problems due to the millennial transition." - via Shawn Steele, writing on MSDN
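The date-handling hazard described above, as an added example that is not code from the Guardian or Microsoft posts: a small Python era converter. The era table, the 30 April 2019 last day of Heisei, and the "H30.09.24" stamp format are assumptions made for this example. The successor era's name is deliberately absent, because that is the state every deployed era table was in until the name was announced and shipped, and the point of the code is to show the difference between a converter that notices the gap and one that silently counts on past it.

```python
import re
from datetime import date

# Constructed era table for this example (an assumption, not data from the post):
# (abbreviation, name, first day of the era). Era year 1 is the accession year
# itself, so a year within an era is gregorian_year - start_year + 1.
ERAS = [
    ("M", "Meiji", date(1868, 10, 23)),
    ("T", "Taisho", date(1912, 7, 30)),
    ("S", "Showa", date(1926, 12, 25)),
    ("H", "Heisei", date(1989, 1, 8)),
]
# Assumed last day of Heisei, per the announced 30 April 2019 abdication. The name
# of the following era is intentionally missing from the table above.
HEISEI_END = date(2019, 4, 30)

# Assumed stamp layout: era letter, era year, month, day, e.g. "H30.09.24".
ERA_RE = re.compile(r"^([A-Z])(\d{1,2})\.(\d{1,2})\.(\d{1,2})$")


class UnknownEraError(ValueError):
    """Raised when a date lies outside every era the table knows about."""


def to_era(d):
    """Map a Gregorian date to (era_name, era_year), refusing dates past the table."""
    if d > HEISEI_END:
        raise UnknownEraError(f"{d.isoformat()} is after Heisei; the era table needs updating")
    for _, name, start in reversed(ERAS):
        if d >= start:
            return name, d.year - start.year + 1
    raise UnknownEraError(f"{d.isoformat()} predates the era table")


def naive_to_era(d):
    """The bug pattern: assume the most recent known era never ends.

    A date in 2020 comes back as ('Heisei', 32), which is wrong, and nothing in a
    log record or an access-control timestamp shows that the table is stale.
    """
    for _, name, start in reversed(ERAS):
        if d >= start:
            return name, d.year - start.year + 1
    raise UnknownEraError(f"{d.isoformat()} predates the era table")


def parse_era_date(text):
    """Parse an era-style stamp such as 'H30.09.24' into a Gregorian date.

    The reconstructed date is checked against the era table, so a stamp naming an
    era that had already ended (e.g. 'S64.01.08') is rejected instead of being
    silently accepted, and a stamp past the end of the table raises UnknownEraError.
    """
    m = ERA_RE.match(text)
    if not m:
        raise ValueError(f"not an era-style date: {text!r}")
    abbrev = m.group(1)
    year, month, day = (int(x) for x in m.group(2, 3, 4))
    starts = {abbr: (name, start) for abbr, name, start in ERAS}
    if abbrev not in starts:
        raise UnknownEraError(f"unknown era letter {abbrev!r} in {text!r}")
    name, start = starts[abbrev]
    gregorian = date(start.year + year - 1, month, day)
    actual, _ = to_era(gregorian)  # raises UnknownEraError past the table's end
    if actual != name:
        raise ValueError(f"{text} names {name} but {gregorian.isoformat()} falls in {actual}")
    return gregorian


def normalize_stamp(text):
    """Return an ISO 8601 date string for either an ISO or an era-style stamp.

    This is the normalisation a log pipeline or an access-review tool would run
    before sorting or comparing timestamps that straddle the era boundary.
    """
    try:
        return date.fromisoformat(text).isoformat()
    except ValueError:
        return parse_era_date(text).isoformat()


if __name__ == "__main__":
    # Constructed sample stamps: one before the boundary, one on it, one past it.
    for stamp in ("H30.09.24", "H31.04.30", "H31.05.01"):
        try:
            print(stamp, "->", normalize_stamp(stamp))
        except UnknownEraError as exc:
            print(stamp, "-> REFUSED:", exc)
    print("naive view of 2020-01-01:", naive_to_era(date(2020, 1, 1)))
```

Run against the constructed stamps, the checking converter refuses "H31.05.01" with an explicit error, while `naive_to_era` happily reports 1 January 2020 as Heisei 32. An audit of era-aware systems should therefore look for the second behaviour: code that derives the era from a start date alone, with no end date and no unknown-era path, will keep producing plausible-looking but wrong records after the transition.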
In a well-targeted and well-executed blog post at Forbes, Dave Lewis distills the essence of the protective measures to be implemented when valiantly serving as a defender of the realm, in this case the Information Security Principality. A highly recommended addition for your summertime reading pleasure, and Today's Must Read.
'It was a cool morning as King Arthur and his party galloped through the forest on their way towards the castle. His trusty squire kept the beat with two halves of a coconut in lieu of actual steeds to whisk them on their way. They approached the castle walls where they were met by an impertinent French soldier who hurled insults at them. An amusing analogy for the traditional perimeter IT security defense.' - via Dave Lewis, writing at Forbes.
Lucian Armasu, writing at Tom's Hardware, details actions under contemplation by European Lawmakers. Today's Must Read (maintain some composure when examining the rationale of the EU Parliament...).
Via Ina Fried and David McCabe, writing at Axios, comes the latest revelation of feckless user data management at Facebook Inc. (Nasdaq: FB); this time, the event comes with smarmily justified sharing of Facebook user data (without user consent) with Chinese manufacturers (including the People's Liberation Army-linked Huawei, and others), as explained by Francisco Varela, Facebook, Inc. Vice President, Mobile Partnerships. Varela also (apparently) serves as a spokesman for First Republic Bank. Enjoy Today's Must Read.
“Huawei is the third largest mobile manufacturer globally and its devices are used by people all around the world, including in the United States. Facebook along with many other U.S. tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones. Facebook's integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get-go — and we approved the Facebook experiences these companies built. Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei's servers.” - Francisco Varela, Vice President - Mobile Partnerships, Facebook Inc.
News from over the weekend, via 9to5Mac writer Michael Potuck, focusing on Telegram: the encrypted messaging iOS app has been permitted to publish its latest update via Apple Inc.'s (Nasdaq: AAPL) App Store, despite the Kremlin apparatchiki's declaration that the app is illegal in Russia. Today's Must Read.
Greg Ferenstein's well-crafted post, in which he details the birth and death of privacy: Today's Must Read.
Predictable news, via ZDNet's David Meyer, of the big tech players' (Google, Facebook) fall from privacy grace has appeared, with word that Apple, Amazon and, let's not forget, LinkedIn have been added to the privacy perp walk now de rigueur on the Continent. Certainly Today's Must Read!
Charlie Osborne, writing for ZDNet's Zero Day, regales us with the story of the proverbial bad Beemer, and the discovery by Tencent's Keen Security Lab of deep flaws in BMW's usually highly regarded automobiles. Today's Must Read.
Unintended consequences... Via Alastair Paterson, writing as he often does at SecurityWeek, comes this common-sense post detailing issues with the European Union's General Data Protection Regulation (GDPR) as that regulation interferes with what may seem like age-old internetworking tools, in this case WHOIS, whose public registrant records contain exactly the kind of personal data GDPR restricts. Highly recommended and Today's Must Read!
Via Zack Whittaker's timely reportage for ZDNet's Zero Day comes insight into the tangled web we weave in the ICS/SCADA world. This time: the ramifications of a particularly pesky security flaw in a Schneider Electric product (amongst thousands of other known bugs in hundreds of other software packages which, coupled with poor software management practices in the industrial control systems sector, combine to make a very poor nap at the control boards indeed. Just ask Homer!). Today's Critical Must Read.
"It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems." - via Zack Whittaker, writing for ZDNet's Zero Day
Via Tom Krazit, writing at GeekWire, comes a piece detailing the need for security tooling to compensate for the apparent shortcomings of customers' security comprehension. Really? I chalk this up to 'customer-facing security tooling and enablement' (how's that for corporate doublespeak?). Far be it from me to denigrate customer security understanding... Today's Must Read!
A new research paper at arXiv.org has attracted my attention, from Mordechai Guri, Boris Zadov, Dima Bykhovsky and Yuval Elovici, all from the astonishingly prolific Ben-Gurion University of the Negev, in southern Israel's blooming desert. Interestingly, all work in the Cyber-Security Research Center, a component, if you will, of the Department of Software and Information Systems Engineering.
This is one of those seemingly easy-to-grasp, easy-to-execute attacks (for the right entities, with the appropriate hardware and software exfiltration tools) in which data may be slurped up, with minimal telltale artifacts left behind, simply by sampling the modulated current drawn over the electrical power connection of the targeted device: code running on the machine varies its power consumption to encode the data, and a probe on the power line reads it back.
Importantly, this form of attack would be devastating to the target, which has essentially no built-in intrusion defense watching over the electrical power flowing into the machine's PDU (other than the usual gatekeeping set up around whatever payload is being sought: think directory services, database passwords, API keys, tokens, et cetera). Certainly Today's Must Read.
Via Andy Greenberg, writing at Wired, comes this tremendous piece on device security (or insecurity, to be precise) and that device's predilection for incursion via radio traffic... Definitely Today's Must Read!