Tuesday, December 15, 2015

Fluffy falls asleep on the job again, your internet connected refrigerator will try and kill you and the 10 most liberal cities in the US - What I am reading 12/15/2015

Dark Reading - Twitter Says Nation-State Hackers Targeted Some Accounts -

In an unprecedented move, Twitter has alerted some users that nation-state sponsored attackers may have attempted to steal their account information -- such as email address, IP address, and phone numbers. None of the small number of Twitter user accounts targeted appear to have been successfully breached, however, according to the alert.

I predict that this will soon be a new status symbol. People will have "I was hacked by Bunfuckistan" badges on their various social media accounts. That's how you will know who is worth following.

The Register - 'Devastating' flaw found in Windows' authentication system -

The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don't exist.

A slightly more in-depth explanation is found here:

“Well, we just encrypt current timestamp with our secret key. That's what a normal process looks like. So, if we have an access to the key – we can repeat this process on behalf of the user and gain legitimate Kerberos tickets and thus access. Essentially skipping the part of Kerberos authentication, where user secret key is created from his password,” he asserts.
...
“The attacker can control every aspect of the forged ticket including the Ticket's user identity, permissions and ticket life time. Attackers typically set Golden Tickets to have an unusually long lifetime, which allows the possessing entity to keep using them for a long period without renewal. In addition to the lifetime, other important attributes of the ticket are typically forged to achieve other nefarious goals, such as assigning very high permissions, impersonating other users and even using non-existing user names,” write Be'ery and Cherny.
It seems to me I have heard about this problem before, but I may be misremembering. I haven't seen a response from Microsoft yet.
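The quoted excerpt gives defenders two things to look for: a TGT whose lifetime is far beyond domain policy, and a ticket issued for a user that does not exist in the directory. The following is an added illustration of that triage logic, not code from either article; the 10-hour policy maximum, the account list and the ticket records are all constructed stand-ins for what a SIEM would pull from AD and the domain controllers' Kerberos logs.

```python
from datetime import datetime, timedelta

# Constructed assumption: the domain's maximum TGT lifetime policy (the Windows default is 10 hours).
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed stand-in for an Active Directory account lookup.
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup"}

# Constructed ticket records, normalised the way a SIEM might present Kerberos TGT events.
SAMPLE_TICKETS = [
    {"user": "alice", "start": "2015-12-15T08:00:00", "end": "2015-12-15T18:00:00"},
    # A ticket valid for roughly ten years: the "unusually long lifetime" from the excerpt.
    {"user": "bob",   "start": "2015-12-15T09:00:00", "end": "2025-12-13T09:00:00"},
    # A ticket for a principal that is not in the directory at all.
    {"user": "ghost", "start": "2015-12-15T09:30:00", "end": "2015-12-15T19:30:00"},
]


def ticket_findings(ticket, known_accounts=KNOWN_ACCOUNTS, max_lifetime=MAX_TGT_LIFETIME):
    """Return the reasons a ticket looks forged; an empty list means nothing unusual."""
    start = datetime.fromisoformat(ticket["start"])
    end = datetime.fromisoformat(ticket["end"])
    findings = []

    # A forged ticket's validity window is set by the attacker, not the KDC, so it can
    # exceed anything the domain policy would ever issue.
    lifetime = end - start
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")

    # The KDC only issues tickets for real principals; a name with no account is a forgery.
    if ticket["user"] not in known_accounts:
        findings.append(f"user {ticket['user']!r} does not exist in the directory")

    return findings


def triage(tickets=SAMPLE_TICKETS):
    """Map user name to findings for every ticket that raised at least one."""
    flagged = {}
    for ticket in tickets:
        findings = ticket_findings(ticket)
        if findings:
            flagged[ticket["user"]] = findings
    return flagged


if __name__ == "__main__":
    for user, reasons in triage().items():
        print(user, "->", "; ".join(reasons))
```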

Gizmodo - Applying for a US Visa? Expect DHS to Look at Your Facebook Posts -

This new push dovetails with amplified fears about extremist immigrants. The day that she and her husband killed 14 people in San Bernardino, Ca., Tashfeen Malik “pledged allegiance” to ISIS on Facebook. Today, the Wall Street Journal reports that DHS is working on a new strategy for scouring social media posts in the wake of that attack.

Let's not forget the multi-year history of pro-jihad comments she had made before immigration. This wasn't just one post made the morning she went off to kill 14 people.

Hacker News - Hacker-Friendly Search Engine That Lists Every Internet-Connected Device -

NY Times - The Experts Were Wrong About the Best Places for Better and Cheaper Health Care -

All of the attention stemmed from academic work showing that Grand Junction spent far less money on Medicare treatments – with no apparent detriment to people’s health. The lesson seemed obvious: If the rest of the country became more like Grand Junction, this nation’s notoriously high medical costs would fall.

But a new study casts doubt on that simple message.

The research looked not only at Medicare but also at a huge, new database drawn from private-insurance plans – the sorts used by most Americans for health care. And it shows that places that spend less on Medicare do not necessarily spend less on health care over all. Grand Junction, as it happens, is one of the most expensive health care markets in the country for the privately insured – despite its unusually low spending on Medicare.

Imagine that.

Washington Post - The 10 most liberal and conservative cities in the U.S. — as judged by campaign donors -