What I'm Reading 3/29/2021

 Security Affairs -  US Gov Executive Order would oblige to disclose security breach impacting gov users -

The executive order is expected to be released the next week and will also require federal agencies to enhance their security posture through the implementation of measures such as multi-factor authentication and data encryption. The order seems to be part of the response of the US government to the recently disclosed SolarWinds supply chain attack.

 Security Affairs - 62,000 Microsoft Exchange Servers potentially left unpatched, weeks after software bugs were first uncovered - 

On March 2, Microsoft detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributed the campaign to the China-linked threat actor group Hafnium. However, vulnerabilities are being exploited by threat actors beyond Hafnium.

Al Jazeera - Stranded ship in Suez Canal re-floated -

The giant container ship that blocked the Suez Canal for almost a week was fully floated on Monday and traffic in the waterway would resume, the canal authority said in a statement.

 CSO - States enact safe harbor laws against cyberattacks, but demand adoption of cybersecurity frameworks -

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s [NIST] Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

 

 

What I am reading 3/26/2021

 Schneier on Security - Hacking Weapons Systems -

Basically, there is no reason to believe that software in weapons systems is any more vulnerability free than any other software

Naked Security - Alan Turing’s £50 banknote officially unveiled

IT Security Guru - Two vulnerabilities found in Intel Processors -

Receiving access to the two vulnerabilities opens up a special mode, which is normally only available to Intel engineers. They affect processors used in netbooks, tablets, and cash registers, although potentially may be present in all current Intel processors. Experts have stated that the instructions ”allow you to bypass all the existing protection mechanisms of the x86 architecture in modern processors”. This poses a huge potential threat to Intel and their devices.

 Al Jazeera - Dislodging Suez Canal ship said to need at least a week -

The task of re-floating the 200,000-ton ship, still firmly wedged across the vital maritime trading route, will require about a week of work and potentially longer, said people familiar with the matter, who requested anonymity to discuss private details. Rescue efforts had initially been expected to last only a couple of days.

Al Jazeera - Philippines, Vietnam press China over South China Sea activities -

Philippine President Rodrigo Duterte has expressed “concern” to China’s ambassador about Chinese vessels massing in the disputed South China Sea, his spokesman said, as Vietnam urged Beijing to respect its maritime sovereignty.

International concern has grown in recent days over what the Philippines has described as a “swarming and threatening presence” of more than 200 vessels that it believes are part of China’s maritime militia.

Fox News - Facebook whistleblower pens tell-all book after work to expose anti-conservative bias leaves her unemployable -

But after a few weeks on the job in Texas, she said she noticed that some profiles and pages were secretly marked in a way that would reduce the reach of their live videos.

She said in the following weeks she saw a pattern, and she only noticed such flags on pages belonging to conservatives, not to any liberals. And that they were hidden from the account holders.

I have no idea how true any of what she says is, I just posted this because it reminded me of  Chaos Monkeys - Revised Edition: Obscene Fortune and Random Failure in Silicon Valley  which was a pretty good book.

What I Am Reading 3/25/2021

 IT Security Guru - Engineer punished for reporting data leak -

Security engineer Rob Dyke recently reported a data leak to the Apperta Foundation, which is a non-profit, supported by NHS England and NHS Digital. The organisation thanked him for responsible reporting, however later ‘thanked him’ with legal correspondence and police intervention. 

Al Jazeera - Big Tech chiefs face fresh grilling over misinformation -

As malicious conspiracy theories continue to spread, lawmakers are pounding the social media companies over their market dominance, harvesting of user data and practices that some believe actually encourage the spread of engaging but potentially harmful misinformation. Some Republicans have also alleged, without proof, that censorship and political bias against conservatives are another reason to rein in the enormous firms.

The Register - Whatever 'normal' is, global CEOs don't expect to see it return before 2022 and are ploughing funds into security - 

KPMG's latest survey of global CEOs shows widespread belief that the remote-working trend will linger into 2022 as the world gets to grip with COVID-19.

Almost half (45 per cent) of bosses surveyed by the accountancy biz said they don't expect a return to "normal" by next year. A further third (31 per cent) were more upbeat, expecting normality to be restored by the end of this year.

 

What I am Reading 3/23/3021

IT Security Guru -  IT Admin sentenced after mass-deleting company accounts -

The client was not satisfied with Kher’s work, who was fired once this feedback reached the head office. Two months after returning to India, Kher took revenge on his former company, by infiltrating the firm’s servers and deleting over 80% of the employee accounts. Out of 1,500 Microsoft accounts, 1,200 were wiped.

AP -  Casting a wide intrusion net: Dozens burned with single hack -

Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used. 

The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.

The two-stage mega-hack in December and January of a popular file-transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear may be getting out of hand: intrusions by top-flight criminal and state-backed hackers into software supply chains and third-party services. 

IT Security Guru - Royal Dutch Shell are the latest victim of the Accellion breach -

Royal Dutch Shell has revealed that they have been affected by the Accellion FTA file transfer appliance hack. Last week Shell posted a company statement which said, “Shell has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files.”

Al Jazeera - Bitcoin’s dirty secret: ‘This thing is taking a lot of energy’ - 

The energy used by the network of computers that power the digital coin is comparable to that of many developed countries and rivals the emissions from major fossil-fuel users and producers such as American Airlines Group Inc. and ConocoPhillips, according to a report by Bank of America Corp. The level of emissions, which have risen alongside a spike in Bitcoin’s price, have grown by more than 40 million tons in the past two years. And when the digital asset is trading around $50,000 — which it’s done for much of this year — it uses about 0.4% of global energy consumption.

TechCrunch - Biden will nominate Big Tech critic and antitrust star Lina Khan to the FTC -

The White House confirmed its intentions to nominate Lina Khan to the FTC Monday, sending a clear signal that his administration will break from the Silicon Valley-friendly precedents of the Obama era. Politico first reported Biden’s planned nomination of Khan, which will be subject to Senate confirmation, earlier this month.

Lina Khan is a star of the antitrust movement, insofar as a topic like regulating big business can produce one. Khan is best known for a paper she published as a law student in 2017 called “Amazon’s Antitrust Paradox.” The paper argues that thinking about what qualifies as monopolistic behavior hasn’t kept pace with how modern businesses operate, particularly within the tech sector.

Data Breach Today - Swiss Firm Says It Accessed SolarWinds Attackers' Servers -

Swiss cybersecurity firm Prodaft says it has accessed several servers used by an advanced persistent threat group tied to the SolarWinds supply chain attack. These attackers continue to target large corporations and public institutions worldwide, with a focus on the U.S. and the European Union, the researchers say.

Prodaft says the APT group, which it calls the SilverFish group, "has designed an unprecedented malware detection sandbox formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on actual live victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks." 

Wall Street Journal - Hospitals Hide Pricing Data From Search Results -

Hospitals that have published their previously confidential prices to comply with a new federal rule have also blocked that information from web searches with special coding embedded on their websites, according to a Wall Street Journal examination.

The information must be disclosed under a federal rule aimed at making the $1 trillion sector more consumer friendly. But hundreds of hospitals embedded code in their websites that prevented Alphabet Inc.’s GOOG +1.41% Google and other search engines from displaying pages with the price lists, according to the Journal examination of more than 3,100 sites.

What I'm Reading 3/22/2021 -

 Back Again - I keep leaving this format because of time constraints, but if I don't do it I fall behind on the news and on professional reading.

ZDNet - API security becomes a ‘top’ priority for enterprise players - 

According to the report, 91% of IT professionals say API security should be considered a priority in the next two years, especially as over 70% of enterprise firms are estimated to use over 50 APIs. 

The main aspects of API security respondents consider priority is access control, cited by 63% of those surveyed; regular testing (53%), and anomaly detection and prevention (43%). In total, eight out of 10 IT admins want more control over their organization's APIs.

 CNN - What's keeping America's top economists up at night -

 Inflation concerns have been in the spotlight thanks to anxiety on Wall Street. Investors, fearful that a rush to eat out at restaurants and hop on planes later this year could trigger a spike in prices, have sold US government bonds in recent weeks. Inflation, not coronavirus, is now the top risk cited by portfolio managers recently polled by Bank of America.

 The big worry is that a burst of inflation could force the Fed to raise interest rates or taper bond purchases sooner than expected in order to cool off the economy. Almost half of NABE respondents think the central bank could roll back some stimulus measures by the end of 2022, while 40% don't think that will happen until at least 2023.

 Data Breach Today - Microsoft Exchange Flaw: Attacks Surge After Code Published -

A new report by security firm F-Secure says that since proof-of-concept code for exploiting the ProxyLogon flaw was first released on March 13, it has been increasingly exploited globally by criminal gangs, state-backed threat actors and script kiddies.

Malicious activity tied to such attacks includes the "Downloader.Gen" Trojan web shell, F-Secure says, noting that detections of the tool surged following the release of the proof-of-concept exploit. F-Secure says it saw increases especially in Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands and Taiwan.

Cyberscoop -  US racing to address Microsoft vulnerabilities, especially for small businesses -

Overall, the number of vulnerable systems systems fell 45% last week, the National Security Council (NSC) spokesperson said in a statement, and there are now fewer than 10,000 vulnerable systems in the U.S., compared to the more than 120,000 entities that were vulnerable when the software bugs were first uncovered.

The key to that apparent decrease is the fact that entities are taking advantage of a new tool Microsoft released to the public last week in an attempt to protect protect smaller organizations against hackers seeking to exploit the Exchange Server flaws, according to the NSC spokesperson. Microsoft developed the tool, the Exchange On-Premises Mitigation tool — which works in an automated way, scanning for compromises and remediating issues — in coordination with Anne Neuberger, the deputy national security adviser for cyber and emerging technology, the NSC spokesperson said.

Reuters - U.S. Supreme Court rebuffs Facebook appeal in user tracking lawsuit -

The U.S. Supreme Court on Monday turned away Facebook Inc’s bid to pare back a $15 billion class action lawsuit accusing the company of illegally tracking the activities of internet users even when they are logged out of the social media platform.

Axios -  Inside the Democrats' strategy to bombard Big Tech - 

In an interview with Axios on Sunday, Rep. David Cicilline (D-R.I.) said he didn't want to give the major technology companies and their armies of lobbyists the easy target of a massive antitrust bill.

Instead, in his role running the House Judiciary Committee's antitrust panel, he plans to craft a series of smaller bills — perhaps 10 or more — that will be ready in May.

2021 Goals

Most of my goals for the coming year revolve around work, because lets face it I am already a gem of a human being requiring little to no attention in that area (and yes I hear all the moaning and gagging coming from you people - Shut up!).

1. Read one cybersecurity book, and one general networking / IT book per month.
2. Complete 2 CTFs
3. Submit a non-ICS related proposal for a talk
4. Get my Palo Alto PNCSE

I was going to put down a bunch of stuff about being a better mentor / leader but on my current team I have no one to mentor and have no leadership responsibilities.  If that changes I'll revisit that set of goals.

What I'm Reading 9/22/2020 - Just Because You Can Do Something Doesn't Mean You Should: Civvl Aims to Be the Uber of Foreclosures, Capitalizing on Pandemic Caused Misfortune

 Motherboard - Gig Economy Company Launches Uber, But for Evicting People -

Civvl aims to marry the gig economy with the devastation of a pandemic, complete with signature gig startup language like "be your own boss," and "flexible hours," and "looking for self-motivated individuals with positive attitudes:" "FASTEST GROWING MONEY MAKING GIG DUE TO COVID-19," its website says. "Literally thousands of process servers are needed in the coming months due courts being backed up in judgements that needs to be served to defendants."

Landlords, absolutely have a right to evict tenants who fail to pay are to meet other obligations, but the marketing of this service (as presented by Motherboard) is just plain evil.  Especially given the many moratoriums on evictions, specifically issued in response to Covid-9.

ZDNet - Commentary: How India's ancient caste system is ruining lives in Silicon Valley -

The lawsuit alleges that the upper-caste Iyer recognised John Doe and instantly began ridiculing him in front of all the other higher-caste Indian employees at Cisco, saying that John Doe was a Dalit and only got into the engineering school because of affirmative action, which India implemented in 1980 under the then-Prime Minister VP Singh.

When John Doe indicated to Cisco's human resources team that he wanted to file a complaint, he was allegedly told by the department that "caste discrimination was not unlawful". Soon after, John Doe found himself demoted from his lead role on two projects. The lawsuit says that for two years, Iyer waged a sustained onslaught against John Doe's career. He isolated him, didn't give him any bonuses, and thwarted any chances for promotion.

Reuters -  Boeing gearing up for 787 move to South Carolina: sources -

Barring a last-minute U-turn, Boeing is “all but certain” to move the rest of 787 production away from its traditional base to South Carolina, two people briefed on its thinking said.

It could be announced by late October when Boeing reports earnings, they said. Pressure for a decision is imminent as suppliers need to know what parts to make for jets in 2022. The decision is “weeks not months” away, one of them said.

From what I have heard, both quality and production time suffer at the South Carolina plant.  Seems like a bad move, but I'm sure the MBAs will find a way to justify it.  What this really is is a fuck you to the unions and Seattle area politicians.

 ZDNet - Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI -

According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Moscow officials aren't looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure.

Instead, the government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.

 The Register - 'I don’t want to see another computer for the rest of my life'... Brit Dark Overlord cyber-extortionist thrown in an American clink for five years -

The front man for the notorious Dark Overlord hacker gang, which threatened to leak stolen confidential information unless paid off, has been sentenced to five years behind bars in America.

Nathan Wyatt, 39, formerly of London, England, was sent down on Monday by a judge in a federal district court in eastern Missouri. He was also told to pay $1,467,048 in restitution to his victims. The Brit had pleaded guilty to conspiracy to commit computer fraud and aggravated identity theft.

BBC - Dark web drugs raid leads to 179 arrests -

Police forces around the world have seized more than $6.5m (£5m) in cash and virtual currencies, as well as drugs and guns in a co-ordinated raid on dark web marketplaces.

Some 179 people were arrested across Europe and the US, and 500kg (1,102lb) of drugs and 64 guns confiscated.

It ends the "golden age" of these underground marketplaces, Europol said.

"The hidden internet is no longer hidden", said Edvardas Sileris, head of Europol's cyber-crime centre.

 The Register - She was praised by the CEO and promoted. After her brother and mom died, she returned from compassionate leave. IBM laid her off -

"Upon her return, IBM stripped Kinney of her newly appointed high-level responsibilities without explanation," the complaint says. "Two months later, Kinney was informed she was going to be included in a Resource Action – IBM code for its rolling layoffs – because her skills were 'too technical.' Her managers refused to elaborate beyond this cited reason."