Friday, August 07, 2015

Did Ted Rall Lie? Firefox Security Hole Being Actively Exploited - What I am reading 8/7/2015

Boing Boing - The LA Times fired a journalist after cops told them he lied—but did they investigate? -
Ted Rall, a journalist and cartoonist often critical of police misconduct, was fired by the LA Times after the LAPD claimed he lied about a 2001 encounter with an officer. But an audio recording of the event appears to back up Rall's version of events, leaving everyone to wonder why the Times was so eager to cut him loose.
In the past I have found Boing Boing less than honest in these types of stories so I am erring on the side of yes Rall lied and Boing Boing is exaggerating again but it would be interesting to hear the tape.

Dark Reading - Out of Aspen: State of Critical Infrastructure Cybersecurity, 2015 -

The annual Aspen Security Forum takes place this week in Aspen, CO. This two-day line-up of national security panels and 1:1 discussions presents a great forum to gauge the state of critical infrastructure cybersecurity. In cooperation with the Aspen Institute, Intel Security surveyed security professionals in energy production, financial services, transportation, telecommunications, and many government functions to determine what progress has been made, and what areas require greater attention.
Our survey results revealed the good, the bad, and the potentially worse of critical infrastructure protection:
· The good news: no catastrophic loss of life and an improved confidence in critical infrastructure cyber security postures
· The bad news: cyber-attacks are real, increasing, and capable of real, substantive damage to our critical infrastructure
· The potentially ugly: attacks are likely to become fatal and could escalate from the digital to physical realms.

I am somewhat involved in this type of effort at work. It is nowhere near as easy to secure a lot of these devices as people think. The fact that the effort is starting to show some results is good news. Also time to once again link the SANS 20 Critical Security Controls. The bad news is that the effort is failing everywhere that it's mainly a human factors thing (yes, I am looking at you, OPM).

Wired - In GOP Debate, Cyber Security Is The New National Security -
While Paul stood his ground as a diehard opponent of government collection of public records, Christie said his experience as US Attorney of New Jersey in the aftermath of September 11th convinced him of the importance of surveillance. As president, Christie said he would push to provide even more tools to these agencies.
Rand Paul is an idiot, but given the choice between his approach and what Christie and Fiorina appear to be saying (no restrictions whatsoever on collection activities) I would prefer Paul's approach, but I don't think this is a binary problem.

Here is my approach - Collect the metadata.  Hash / Encrypt  it so it is not human readable, but can still be used to build social networking maps for the purpose of identifying informal or hidden networks.  When a person of interest is identified get a warrant and unhash the metadata for that number / email address.  If that person is then revealed to be associated with a potential terror network unhash the data for the rest of the network. 

Valleywag - Here Are the Internal Documents that Prove Uber Is a Money Loser -

Is anyone really surprised?

The Verge - Joint chiefs' network outage linked to 'sophisticated cyberattack' -
For the past two weeks, the unclassified email system serving the Joint Chiefs of Staff has been down — and a report today from NBC News suggests there may be more to the outage than meets the eye. NBC says the downtime is the result of a "sophisticated cyberattack" from Russian attackers, citing US officials. Officials said it's still unclear whether the attack is linked to the government or individuals residing in Russia. The email system is expected to come back online this week.
This is why the classified and unclassified systems are airgapped. Although, as Manning and Snowden proved, those gaps may get jumped, it's a hell of a lot harder to get to the sensitive stuff.

Gizmodo - There's a Firefox Exploit in the Wild—You Should Update Right Now -

Mozilla has published a blog post explaining that a Firefox exploit is running in the wild that can search for and upload files from your computer—but you can install and update to solve the problem right now.
Malicious JavaScript injection. I am not sure if NoScript would offer any sort of protection.

Hitb Security News - Microsoft delivers first cumulative Windows 10 update -

I just checked and my system has downloaded it, and the system is smart enough to schedule the restart when usage patterns indicate I won't be on the computer.

InfoSec Island - The Technical Limitations of Lloyd’s Cyber Report on the Insurance Implications of Cyberattack on the US Grid -
The recent Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US. There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing “malicious” aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.
The author of the article raises some possibly valid points about not enough detail to determine potential scope etc., but I don't think he really justifies his conclusions that this is a high impact, high likelihood event. He may be right (hopefully not) but all he does is make an assertion with no real data to back it up.

Network Computing - Terracotta VPN Piggybacks On Network Of Compromised Windows Servers -
A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.
Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that much of its servers are actually Windows systems in small businesses and other organizations with limited IT staff which have been compromised and commandeered into the network.
So they are stealing their infrastructure and providing a haven for APT hackers. Nice.
