NIST Forensics Committees, Public Meetings
News of planned public meetings - slated for February 16 and 17, 2015, in balmy Orlando, Florida - called by the Organization of Scientific Area Committees (OSAC). The Forensic OSAC acts as the coordinator of development of required standards and guidelines for the Forensic Science community. All carefully crafted under the oversight of the National Institute of Standards and Technology (NIST).
Securosis' Toddle
In an outstanding video piece, the Gentlemen of Securosis contemplate the apparent second childhood of Google, Inc. (NasdaqGS: GOOG) and Microsoft Corporation (NasdaqGS: MSFT).
Fingerprint of Power
In which, a new analysis line-of-sight for the detection of attack, whether covert or otherwise. Absolutely fascinating ancillary evidentiary channel, utilizing power consumption differentiation between and betwixt infected and uncompromised systems. Outstanding.
Balls of Gas (Heated)
'For the Patriots to blame a change in temperature for 15% lower-pressures, requires balls to be inflated with 125-degree air.' — Neil deGrasse Tyson (@neiltyson) January 26, 2015
Kim's Big Secret →
An End-to-End Encrypted Secret, that is...
Turn's Undead Cookie
In a posting published by ProPublica, online advertising leviathan TURN is utilizing the dreaded zombie cookie, pioneered by those friendly folks at Verizon Wireless. ProPublica is also reporting that TURN's actions were originally discovered by Stanford University computer scientist and attorney Jonathan Mayer, and then tested by ProPublica staffers.
IoT, Automated Tank Gauge Infrastructure Flaws →
Via Rapid7's HD Moore, comes news of the latest flaw in the Internet of Things realm, this time focusing on the fueling infrastructure worldwide. Specifically, the gauges that meter and permit the dispensing of liquid and gaseous matériel... Evidently, these automated tank gauges (monikered ATGs) not only possess IP connectivity, but they also have tremendously flawed software componentry to boot. What Could Possibly Go Wrong.
IPv6 Mythos
Absolutely spot-on IPv6 security analysis by the Deploy360 section at ISOC, detailing security misconceptions - now full-blown myths - of IPv6 infrastructure. Along with the clarification efforts regarding IPv6, and the ramifications for what security componentry has been baked in to the network protocol, comes the vastly enlarged address space of approximately 3.4×10 to the 38th power addresses, as compared to the measly 4.3 billion addresses of the IPv4 address space.
Leaving the gargantuan IPv6 address space benefits for another discussion, the issue of security flaws resident within the protocol's structure must be managed effectively on such an old addressing specification. After all, the original Internet Engineering Task Force specification [RFC 2460], the “Internet Protocol, Version 6 (IPv6) Specification,” possesses a date of December 1998...
"In order to make IPv6 as simple and interoperable as possible, it uses a minimalist standard packet header. In order to make IPv6 as extensible as possible, it allows “extension headers,” additional chunks of meta-data that can be strung behind the IP header to provide additional features and functionality. IPsec leverages the extension header mechanism to carry necessary authentication and encryption data, for one example. Unfortunately, having extension headers designed into the protocol for extensibility also means having security flaws designed in along with them." - via the ISOC Deploy360 Myth#2 Post
GoDaddy, Compromised Again... →
What, really? Apparently, GoDaddy security has failed to measure up, yet again. Via Swati Khandelwal writing at HackerNews, comes the sorry tale of failed code (in the form of XSRF vulnerabilities), obvious failed quality control, and on top of all of that, no security checks pre-deployment. Astounding.
ComRat, Redux →
News via John E Dunn writing at TechWorld, of the infamous ComRat rootkit, reportedly now the oldest nation-backed bundle of malware-badness, beating Stuxnet by a single year (at least according to BAE Systems...).
Criminalization of Cryptography →
If you read anything about cryptography today, read the work of Stanford University's Center for Internet and Society's Jeffrey Vagle, JD [Mr. Vagle is also a Lecturer in Law and the Executive Director of the Center for Technology, Innovation and Competition (CTIC) at the University of Pennsylvania Law School], in which Mr. Vagle examines the criminalization of cryptography [snippet of his work appears below].
'We've heard this story from governments before, of course, from the "crypto wars" of the early 1990s to recent claims by the FBI that encryption allows networks to "go dark," and prevent legitimate law enforcement efforts. But as the leaked security memo asserts, without strong crypto and secure networks, we're all put at greater risk. It is crucial that we keep this in perspective as the world's legislative bodies rush to do something--anything--in the face of these crises.' - via Jeffrey Vagle writing at the Center for Internet and Society, at Stanford University
The Sleeper Awakens →
Evidence, via George I. Seffers, of indications that the United States Department of Defense has awoken to the realization that with nearly ubiquitous connectivity comes potentially lethal levels of vulnerability, leading to in extremis scenarios.
Side Channeled →
Interesting signals research (yet already a given in modern, rigorous and protective environments): the notion of side channel analysis of extraneous electromagnetic signals has hit the popular computer media soapbox. This time, via a story by PCWorld's Jeremy Kirk, detailing research at Georgia Institute of Technology. Evidently, the work is ostensibly an effort to block signal emanation from the platforms under scrutiny. There is always room for a commercial application of a dampening field, perhaps another Cone of Silence?