The US cybersecurity strategy won’t address today’s threats with regulation alone
https://cyberscoop.com/national-cybersecurity-strategy-regulation/
The Ethics of Network and Security Monitoring
https://www.darkreading.com/risk/the-ethics-of-network-and-security-monitoring
Cyberattackers Continue Assault Against Fortinet Devices
https://www.darkreading.com/vulnerabilities-threats/cyberattackers-continue-assault-against-fortinet-devices
Here's how Chinese cyber spies exploited a critical Fortinet bug
https://www.theregister.com/2023/03/17/chinese_cyberspies_fortinet_bug/
Inside Elon Musk’s cost-cutting drive at TwitterInside Elon Musk’s cost-cutting drive at Twitter
https://arstechnica.com/tech-policy/2023/03/inside-elon-musks-cost-cutting-drive-at-twitter/
PLATO: How an educational computer system from the ’60s shaped the future
https://arstechnica.com/gadgets/2023/03/plato-how-an-educational-computer-system-from-the-60s-shaped-the-future/
Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years
https://arstechnica.com/information-technology/2023/03/federal-agency-hacked-by-2-groups-thanks-to-flaw-that-went-unpatched-for-4-years/
US court rules Uber and Lyft workers are contractors
https://www.bbc.com/news/business-64947695?at_medium=RSS&at_campaign=KARANGA
The Only Three Classes That Mattered From My College Degree
https://www.developing.dev/p/the-only-three-classes-that-mattered
How deep is the rot in America’s banking industry?
https://finance.yahoo.com/news/deep-rot-america-banking-industry-104028781.html
Companies Say They Need Noncompete Clauses. Here’s How We Know That’s Not True.
https://slate.com/business/2023/03/noncompete-clauses-washington-research-ban-ftc.html
Meta Proposes Revamped Approach to Online Kill Chain Frameworks
https://www.darkreading.com/application-security/meta-proposes-revamped-kill-chain-framework-online-threats
‘Black Skills’ Is Killnet’s Attempt to Form a ‘Private Military Hacking Company’
https://flashpoint.io/blog/killnet-killmilk-private-military-hacking-company/
Kali Linux 2023.1 released – and so is Kali Purple!
https://www.helpnetsecurity.com/2023/03/13/kali-linux-2023-1-purple/
Utility Busted Using Fake Consumer Group To Scuttle Eugene, Oregon’s Environmental Reforms
https://www.techdirt.com/2023/03/13/utility-busted-using-fake-consumer-group-to-scuttle-eugene-oregons-environmental-reforms/
Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms
https://www.securityweek.com/counting-ics-vulnerabilities-examining-variations-in-numbers-reported-by-security-firms/
A Brief History of Time is ‘wrong’, Stephen Hawking told collaborator
https://www.theguardian.com/science/2023/mar/19/stephen-hawking-told-me-ive-changed-my-mind-my-book-is-wrong
The labor shortage is pushing American colleges into crisis, with the plunge in enrollment the worst ever recorded
https://fortune.com/2023/03/09/american-skipping-college-huge-numbers-pandemic-turned-them-off-education/
Stop worrying about Nation-States and Zero-Days; let's fix things that have been known for years!
https://www.youtube.com/watch?v=ik8pdd7VkmY
Sunday, March 19, 2023
What I am reading 3/19/2023
Sunday, March 12, 2023
What I'm Reading 3/12/2023 - I should probably make an interest to be more interesting edition
Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges
https://www.darkreading.com/risk/key-proposals-in-biden-cybersecurity-strategy-face-congressional-challenges
Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw
https://news.hitb.org/content/stealthy-uefi-malware-bypassing-secure-boot-enabled-unpatchable-windows-flaw
Open letter demands OWASP overhaul, warns of mass project exodus
https://www.csoonline.com/article/3689811/open-letter-demands-owasp-overhaul-warns-of-mass-project-exodus.html#tk.rss_all
Municipal CISOs grapple with challenges as cyber threats soar
https://www.csoonline.com/article/3688958/municipal-cisos-grapple-with-challenges-as-cyber-threats-soar.html#tk.rss_all
PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716)
https://www.helpnetsecurity.com/2023/03/06/cve-2023-21716-poc/
Adaptable ‘Swiss Army Knife’ Malware a Growing Threat
https://securityboulevard.com/2023/03/adaptable-swiss-army-knife-malware-a-growing-threat/
Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs
https://www.securityweek.com/critical-vulnerabilities-allow-hackers-to-take-full-control-of-wago-plcs/
Threat actors are using advanced malware to backdoor business-grade routers
https://arstechnica.com/information-technology/2023/03/threat-actors-are-using-advanced-malware-to-backdoor-business-grade-routers/
5 Critical Components of Effective ICS/OT Security
https://www.darkreading.com/ics-ot/5-critical-components-of-effective-ics-ot-security-
Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems
https://www.darkreading.com/ics-ot/ransomware-s-favorite-target-critical-infrastructure-and-its-industrial-control-systems
Google over-hired talent to do ‘fake work’ and stop them working for rivals, claims former PayPal boss, Keith Rabois
https://www.yahoo.com/lifestyle/google-over-hired-talent-fake-114331193.html
What Weimar Germany Teaches Us about Universal Basic Income
https://fee.org/articles/what-weimar-germany-teaches-us-about-universal-basic-income/
3 Mistakes I Made as an Engineer, but Had To Become a Manager To See
https://www.developing.dev/p/3-mistakes-i-made-as-an-engineer
Want an unfair advantage in your tech career? Consume content meant for other roles
https://matthewgrohman.substack.com/p/want-an-unfair-advantage-in-your
North Korean hackers used polished LinkedIn profiles to target security researchers
https://cyberscoop.com/north-korea-hackers-linkedin-phishing/
Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour
https://www.darkreading.com/cloud/palo-alto-networks-global-state-of-cloud-native-security-survey-reveals-90-of-organizations-cannot-detect-contain-and-resolve-cyberthreats-within-an-hour
Building Great OT Incident Response Tabletop Exercises
https://www.youtube.com/watch?v=XobogsaxcUY
Neil deGrasse Tyson - We Stopped Dreaming (Episode 1)
https://www.youtube.com/watch?v=CbIZU8cQWXc
In addition to this stuff I am finishing up Chapter 3 of Security Engineering by Ross Anderson https://www.amazon.com/s?k=security+engineering+3rd+edition&crid=2P1CTN6GXKHAV and working on NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final as I prepare for my CISSP-ISSMP.
Sunday, March 05, 2023
Revisiting a couple old posts -
Back in November 2005 I posted these two posts:
Top 20 Geek Novels
Blatantly stolen from the Technology Blog. I do a little better on this list:
1. The HitchHiker's Guide to the Galaxy -- Douglas Adams 85% (102)
2. Nineteen Eighty-Four -- George Orwell 79% (92)
3. Brave New World -- Aldous Huxley 69% (77)
4. Do Androids Dream of Electric Sheep? -- Philip Dick 64% (67)
5. Neuromancer -- William Gibson 59% (66)
6. Dune -- Frank Herbert 53% (54)
7. I, Robot -- Isaac Asimov 52% (54)
8. Foundation -- Isaac Asimov 47% (47)
9. The Colour of Magic -- Terry Pratchett 46% (46)
10. Microserfs -- Douglas Coupland 43% (44)
11. Snow Crash -- Neal Stephenson 37% (37)
12. Watchmen -- Alan Moore & Dave Gibbons 38% (37)
13. Cryptonomicon -- Neal Stephenson 36% (36)
14. Consider Phlebas -- Iain M Banks 34% (35)
15. Stranger in a Strange Land -- Robert Heinlein 33% (33)
16. The Man in the High Castle -- Philip K Dick 34% (32)
17. American Gods -- Neil Gaiman 31% (29)
18. The Diamond Age -- Neal Stephenson 27% (27)
19. The Illuminatus! Trilogy -- Robert Shea & Robert Anton Wilson 23% (21)
20. Trouble with Lichen - John Wyndham 21% (19)
Bold = Read
Italics = Started
Bold Italics = Read since original post
Books every college freshman should read
1. The Bell Jar - Sylvia Plath
2. The Metamorphosis, In the Penal Colony and Other Stories - Franz Kafka
3. Mythology: Timeless Tales of Gods and Heroes - Edith Hamilton - Read
4. Siddartha - Herman Hess
5. The Unbearable Lightness of Being - Milan Kundera
6. The Hobbit or There and Back Again - JRR Tolkien - Read
7. Lolita - Vladimir Nabokov
8. Slaughterhouse Five - Kurt Vonnegut - Started, I hated it
9. Frankenstein or the Modern Prometheus - Read (4th Grade I might read it again)
10. The Catcher in the Rye - JD Salinger - I have started this book about 5 times I always make it to page 2.
11. Atlas Shrugged - Ayn Rand
12. Animal Farm - George Orwell -Read
13. 1984 - George Orwell -Read
I read 12 and 13 in 6th grade. Those books really helped convince me communism was evil.
14. Great Expectations - Charles Dickens
15. The Awakening and selected stories - Kate Chopin
16. Jane Eyre - Charlotte Bronte
17. Fahrenheit 451 - Ray Bradbury - Read somewhere around 7th or 8th Grade I dont remember it well but I do remember it being hard to get thru.
18. A Connecticut Yankee in King Arthur's Court - Mark Twain - Read - Boring
19. A Clockwork Orange - Anthony Burgess
20. Absalom, Absalom - William Faulkner
21. Dubliners - James Joyce
22. The Brother Karamazov - Fydor Dostevsky
23. The Great Gatsby - F. Scott Fitzgerald
24. A Streetcar Named Desire - Tenessee Williams
25. To the Lighthouse - Virginia Woolf
No point to this update really, other than to show I can actually read I guess.
What I'm Reading 3/5/2023 - Power Grid Attacks Edition
Why the US Power Grid is Under Attack
https://www.youtube.com/watch?v=U3NEfl5rtWo
Attacking the grid
https://theweek.com/crime-and-punishment/1021282/attacking-the-grid
Physical attacks on power grid rose by 71% last year, compared to 2021
https://www.cbsnews.com/news/physical-attacks-on-power-grid-rose-by-71-last-year-compared-to-2021/
The Energy Department’s Puesh Kumar on grid hacking, Ukraine and Pipedream malware
https://cyberscoop.com/puesh-kumar-energy-cybersecurity/
S.O.S for the U.S. Electric Grid
https://www.wsj.com/articles/s-o-s-for-the-u-s-electric-grid-pjm-interconnection-blackout-supply-renewables-subsidy-report-fossil-fuel-4cbdd56e
Biden administration wants to hold companies liable for bad cybersecurity
https://arstechnica.com/information-technology/2023/03/biden-administration-wants-to-hold-companies-liable-for-bad-cybersecurity/
--National Cybersecurity Strategy March 2023
https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Industry Experts Analyze US National Cybersecurity Strategy
https://www.securityweek.com/feedback-friday-industry-reactions-to-us-national-cybersecurity-strategy/
How to Do a Dopamine Reset
https://www.artofmanliness.com/character/habits/how-to-do-a-dopamine-reset/
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
https://www.cisa.gov/news-events/alerts/2023/02/28/cisa-red-team-shares-key-findings-improve-monitoring-and-hardening-networks
Well-funded security systems fail to prevent cyberattacks in US and Europe: Report
https://www.csoonline.com/article/3688918/well-funded-security-systems-fail-to-prevent-cyberattacks-in-us-and-europe-report.html#tk.rss_all
Hacked home computer of engineer led to second LastPass data breach
https://www.csoonline.com/article/3688922/hacked-home-computer-of-engineer-led-to-second-lastpass-data-breach.html#tk.rss_all
CISA director urges tech sector to stop shipping unsafe products
https://cyberscoop.com/jen-easterly-secure-by-design/
When Low-Tech Hacks Cause High-Impact Breaches
https://krebsonsecurity.com/2023/02/when-low-tech-hacks-cause-high-impact-breaches/
It’s all Gone Critical (Infrastructure)
https://www.forcepoint.com/blog/x-labs/all-gone-critical-infrastructure
US Electric Cooperative Association Launches Commercial OT Security Solution
https://www.securityweek.com/us-electric-cooperative-association-launches-commercial-ot-security-solution/?mc_cid=885aee189f&mc_eid=UNIQID
Netflix fights attempt to make streaming firms pay for ISP network upgrades
https://arstechnica.com/tech-policy/2023/03/netflix-fights-attempt-to-make-streaming-firms-pay-for-isp-network-upgrades/
Unpatched old vulnerabilities continue to be exploited: Report
https://www.csoonline.com/article/3689808/unpatched-old-vulnerabilities-continue-to-be-exploited-report.html#tk.rss_all
It's official: BlackLotus malware can bypass Secure Boot on Windows machines
https://www.theregister.com/2023/03/01/blacklotus_malware_eset/
30 Days Of Python
https://github.com/Asabeneh/30-Days-Of-Python/blob/master/readme.md
I quitted Infosec and I couldn't be happier.
http://paulsec.github.io/posts/i-quitted-infosec/
Sunday, February 26, 2023
What I am Reading 2/26/23 - Back from Miami Beach edition
It was a busy couple weeks traveling to Miami Beach, attending S4x23, and then coming home and dropping back into the grind, but I haven't forgotten about you guys. Without further ado a couple weeks worth of reading:
The maze is in the mouse: What ails Google and how it can turn things around.
https://medium.com/@pravse/the-maze-is-in-the-mouse-980c57cfd61a
Sensitive US military emails spill online
https://techcrunch.com/2023/02/21/sensitive-united-states-military-emails-spill-online/
Place your bets
https://www.antipope.org/charlie/blog-static/2023/02/place-your-bets.html
Dragos Report Identifies Two New Threat Groups
https://www.itsecurityguru.org/2023/02/15/dragos-report-identifies-new-threat-groups/?utm_source=rss&utm_medium=rss&utm_campaign=dragos-report-identifies-new-threat-groups
Traditional PAM solutions aren’t working, Keeper Security study finds
https://www.itsecurityguru.org/2023/02/15/traditional-pam-solutions-arent-working-keeper-security-study-finds/?utm_source=rss&utm_medium=rss&utm_campaign=traditional-pam-solutions-arent-working-keeper-security-study-finds
Cyberwar Lessons from the War in Ukraine
https://www.schneier.com/blog/archives/2023/02/cyberwar-lessons-from-the-war-in-ukraine.html
The return of Flat Earth, the grandfather of conspiracy theories
https://arstechnica.com/science/2023/02/the-return-of-flat-earth-the-grandfather-of-conspiracy-theories/
US says Google routinely destroyed evidence and lied about use of auto-delete
https://arstechnica.com/tech-policy/2023/02/us-says-google-routinely-destroyed-evidence-and-lied-about-use-of-auto-delete/
Ukraine suffered more data-wiping malware than anywhere, ever
https://arstechnica.com/information-technology/2023/02/ukraine-suffered-more-data-wiping-malware-than-anywhere-ever/
Seattle becomes first US city to ban caste discrimination
https://www.bbc.com/news/world-us-canada-64727735?at_medium=RSS&at_campaign=KARANGA
US Supreme Court wary of removing tech firms' legal shield in Google case
https://www.bbc.com/news/world-us-canada-64727712?at_medium=RSS&at_campaign=KARANGA
Technical debt? Don't spend more than one-quarter of your time dealing with it
https://www.zdnet.com/article/technical-debt-dont-spend-more-than-one-quarter-of-your-time-dealing-with-it/
Lab Leak Most Likely Origin of Covid-19 Pandemic, Energy Department Now Says
https://www.wsj.com/articles/covid-origin-china-lab-leak-807b7b0a
James Bond books edited to remove racist references
https://www.telegraph.co.uk/news/2023/02/25/james-bond-books-edited-remove-racist-references/
Beej's Guide to C Programming
https://beej.us/guide/bgc/html/split/index.html
The Capitalist Road to Serfdom
https://jacobin.com/2023/02/capitalist-road-to-serfdom-surveillance-wage-labor
High-skilled visa holders at risk of deportation amid tech layoffs
https://www.washingtonpost.com/us-policy/2023/02/24/temporary-visa-h1b-tech-layoffs/
U.S. corn-based ethanol worse for the climate than gasoline, study finds
https://www.reuters.com/business/environment/us-corn-based-ethanol-worse-climate-than-gasoline-study-finds-2022-02-14/
Even Neal Stephenson doesn't seem keen on crypto anymore
https://www.gamedeveloper.com/culture/even-neal-stephenson-doesn-t-seem-keen-on-crypto-anymore
There is a worrying amount of fraud in medical research
https://www.economist.com/science-and-technology/2023/02/22/there-is-a-worrying-amount-of-fraud-in-medical-research
Stanford Faculty Say Anonymous Student Bias Reports Threaten Free Speech
https://www.wsj.com/articles/stanford-faculty-moves-to-stop-students-from-reporting-bias-anonymously-cbac78ed
Companies Can’t Ask You to Shut up to Receive Severance, NLRB Rules
https://www.vice.com/en/article/dy7a7x/companies-cant-ask-you-to-shut-up-to-receive-severance-nlrb-rules
How India’s caste system manifests in Seattle-area workplaces and beyond
https://www.seattletimes.com/seattle-news/how-indias-caste-system-manifests-in-seattle-area-workplaces-and-beyond/
The age of Agile must end
https://uxdesign.cc/the-age-of-agile-must-end-bc89c0f084b7
5th person confirmed to be cured of HIV
https://abcnews.go.com/Health/5th-person-confirmed-cured-hiv/story?id=97323361
The Silicon Valley Loop How the dot-com crash created Palo Alto’s clueless investor class.
https://nymag.com/intelligencer/2023/02/the-silicon-valley-loop-malcolm-harriss-palo-alto.html
Speech is violence? Not if we want a liberal, intellectual society
https://bigthink.com/thinking/is-speech-violence/
Big Tech’s massive layoffs will come back to haunt it
https://www.businessinsider.com/tech-jobs-recession-layoffs-gen-z-students-class-of-2023-2023-2
OT Network Security Myths Busted in a Pair of Hacks
https://www.darkreading.com/ics-ot/ot-network-security-myths-busted-in-a-pair-of-hacks
Attacks on industrial infrastructure on the rise, defenses struggle to keep up
https://www.csoonline.com/article/3687814/attacks-on-industrial-infrastructure-on-the-rise-defenses-struggle-to-keep-up.html#tk.rss_all
PLC vulnerabilities can enable deep lateral movement inside OT networks
https://www.csoonline.com/article/3687991/plc-vulnerabilities-can-enable-deep-lateral-movement-inside-ot-networks.html#tk.rss_all
The Energy Department’s Puesh Kumar on grid hacking, Ukraine and Pipedream malware
https://cyberscoop.com/puesh-kumar-energy-cybersecurity/
Is OWASP at Risk of Irrelevance?
https://www.darkreading.com/edge-articles/is-owasp-at-risk-of-irrelevance
Bill Fehrman - CEO Berkshire Hathaway Energy talking at S4x23
https://youtube.com/watch?v=ihvrqlxk5tA&feature=shares
Saturday, February 25, 2023
Page Ranking the Cybersecurity Literature
As all of you, the imaginary voices in my head, know I maintain a pretty extensive meta-list of cybersecurity reading, a list of lists compiling recommendations from different companies, government / military organizations, academic institutions, and individuals. (30+ sources and close to 900 readings at this point). I have tried to group the sources in categories and every time a reading appears I increment a score column. This is supposed to help gauge relative importance based on community perception. The readings are listed alphabetically.
Since I started this project I have always just kind of thought of it as a handy list for myself and some of my friends, although I have blasted it out on twitter and various other forums ad nauseam, but today I realized two things:
a) other than me no one uses or cares about this list
b) In doing this I have re-invented a very clumsy way of doing page ranking, like Google's very dimwitted cousin that the family keeps locked in the basement and who they occasionally throw some food and porn and hope no one will ever learn of their shame.
c) Although I am doing this in the most moronic and labor intensive way possible there are actually possibilities here.
d) That was three things not two, obviously I am a moron who can't count.
e) Dammit, that was four!
f) Aargh!!!!
OK, had to break out of that hell...
Anyway, I have mentioned before that it would be interesting to build a list of the articles that SANS uses in their various courses. At the time I was mainly thinking of it as just an additional resource to help study for their exams, but now I am seeing a couple of other possibilities mainly in helping industry newcomers and students identify subjects that cut across various specialties. It might also help build cohesion and help reinforce learning by being able to identify subjects that are found to be important by the various course authors.
(Also now that I think about it, this could serve as the basis of a talk at a convention. DIBS!!!)
I've probably wasted enough of your time by now and I need to think about how to proceed:
I guess I could start a go-fund me for $17,500,000,000.00 so I could take all the available SANS classes and then I could manually pull the article information from the footnotes on each page, a variation, I could brush up on my python skills and try to do that automatically using digital copies. Obviously that's not gonna happen - the last time I asked for help on line all I got was one random Fuck You.
The other, more realistic scenario is that people may have already compiled some of this information. If you have and you wouldn't mind sharing let me know in the comments or on twitter.
Sunday, February 05, 2023
What I am Reading 2/5/2023 - including free course in cyber-physical system security
Richard Bartle, Top Virtual World Expert, Tries Explaining Core Problems With NFT & Blockchain at a Crypto Conference. It Does Not Go Well.
https://nwn.blogs.com/nwn/2023/02/richard-bartle-crypto-circle-blockchain-nft-virtual-worlds.html
We are ‘greening’ ourselves to extinction
https://www.aljazeera.com/opinions/2023/1/29/greening-ourselves-to-extinction
Microsoft warning: Protect this critical piece of your tech infrastructure
https://www.zdnet.com/article/microsoft-warning-protect-this-critical-piece-of-your-tech-infrastructure/#ftag=RSSbaffb68
Why you might not be done with your January Microsoft security patches
https://www.csoonline.com/article/3686692/why-you-might-not-be-done-with-your-january-microsoft-security-patches.html#tk.rss_all
Vulnerabilities could let hackers remotely shut down EV chargers, steal electricity
https://cyberscoop.com/hack-electric-vehicle-chargers/
Firmware Flaws Could Spell 'Lights Out' for Servers
https://www.darkreading.com/vulnerabilities-threats/firmware-flaws-could-spell-lights-out-for-servers
CISA to Open Supply Chain Risk Management Office
https://www.darkreading.com/application-security/cisa-to-open-supply-chain-risk-management-office
After 16 years at Google, Justin Moore was fired with an automated email
https://medium.com/developer-purpose/after-16-years-at-google-justin-moore-was-fired-with-an-automated-email-f715ab307871
St. John’s Reading List: A Great Books Curriculum
https://www.sjc.edu/academic-programs/undergraduate/great-books-reading-list
Stop Passing the Buck on Cybersecurity
https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity
article by Jen Easterly the Head of CISA
Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter
https://www.darkreading.com/remote-workforce/patch-critical-bug-qnap-nas-devices-ripe-slaughter
Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076)
https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/
3 ways to stop cybersecurity concerns from hindering utility infrastructure modernization efforts
https://www.helpnetsecurity.com/2023/01/31/cybersecurity-concerns-utility-infrastructure-modernization-efforts/
Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears
https://www.theregister.com/2023/02/05/supply_chain_security_efforts/
Video - How Would a Nuclear EMP Affect the Power Grid?
https://www.youtube.com/watch?v=FksEGpBLfis
Free Course - Cyber-Physical System Security
https://www.udacity.com/course/cyber-physical-systems-security--ud279
- - Syallabus - Cyber-Physical System Security
https://sites.google.com/site/samanzonouz4n6/resume/oms-intro-cps-security?pli=1
Sunday, January 29, 2023
What I am Reading 1/29/2023
NERC-CIP Stuff - Alexa, can you tell me when my grid is hacked?
https://www.amperesec.com/blog/alexa-can-you-tell-me-when-my-gird-is-hacked
Within the next 2-3 years, if you are a NERC Registered Entity with high impact or medium impact with ERC BES cyber systems, you will need to baseline your network traffic for all applicable cyber assets inside the ESP and look for anomalies beyond the traditional anti-malware and port-restriction controls already in place as part of the existing CIP standards. Examples of anomalies could be, among other things, accounts used in ways they shouldn’t be or new unexpected devices on the network or sending legitimate commands to control systems in ways that could stop or degrade the system. Further, you will need to record/log the traffic information and protect that information from misuse.
RIP Perimeter Security: Critical Infrastructure Breaches Demand New Approach
https://securityboulevard.com/2023/01/rip-perimeter-security-critical-infrastructure-breaches-demand-new-approach/
Race to zero: Can California’s power grid handle a 15-fold increase in electric cars?
https://calmatters.org/environment/2023/01/california-electric-cars-grid/
EVs Are Essential Grid-Scale Storage
https://spectrum.ieee.org/electric-vehicle-grid-storage
Russia’s Sandworm hackers blamed in fresh Ukraine malware attack
https://cyberscoop.com/sandworm-wiper-ukraine-russia-military-intel/
National Security Agency | Cybersecurity Information Sheet | IPv6 Security Guidance
https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI_IPV6_SECURITY_GUIDANCE.PDF
Trained developers get rid of more vulnerabilities than code scanning tools
https://www.helpnetsecurity.com/2023/01/23/trained-developers-code-scanning-tools/
Microsoft will stop selling Windows 10 on January 31, but workarounds remain
https://arstechnica.com/gadgets/2023/01/microsoft-will-stop-selling-windows-10-on-january-31st-but-workarounds-remain/
NIST working on ‘potential significant updates’ to cybersecurity framework
https://fedscoop.com/nist-working-on-potential-significant-updates-to-cybersecurity-framework/
The Concept Paper - NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework
https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf
New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
https://www.securityweek.com/new-open-source-ot-security-tool-helps-address-impact-of-upcoming-microsoft-patch/
Why are so many tech companies laying people off right now?
https://www.theverge.com/2023/1/26/23571659/tech-layoffs-facebook-google-amazon
Kevin Mitnick Hacked California Law in 1983
https://www.schneier.com/blog/archives/2023/01/kevin-mitnick-hacked-california-law-in-1983.html
Google Is Screwed, Even If It Wins Its Antitrust Case
https://gizmodo.com/google-bing-microsoft-chatgpt-ai-antitrust-doj-screwed-1850029781
Two Supreme Court Cases That Could Break the Internet
https://www.newyorker.com/news/q-and-a/two-supreme-court-cases-that-could-break-the-internet
Hackers abuse legitimate remote monitoring and management tools in attacks
https://www.csoonline.com/article/3686610/hackers-abuse-legitimate-remote-monitoring-and-management-tools-in-attacks.html#tk.rss_all