Sunday, March 19, 2023

What I am reading 3/19/2023

The US cybersecurity strategy won’t address today’s threats with regulation alone

The Ethics of Network and Security Monitoring

Cyberattackers Continue Assault Against Fortinet Devices

Here's how Chinese cyber spies exploited a critical Fortinet bug

Inside Elon Musk’s cost-cutting drive at Twitter

PLATO: How an educational computer system from the ’60s shaped the future

Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years

US court rules Uber and Lyft workers are contractors

The Only Three Classes That Mattered From My College Degree

How deep is the rot in America’s banking industry?

Companies Say They Need Noncompete Clauses. Here’s How We Know That’s Not True.

Meta Proposes Revamped Approach to Online Kill Chain Frameworks

‘Black Skills’ Is Killnet’s Attempt to Form a ‘Private Military Hacking Company’

Kali Linux 2023.1 released – and so is Kali Purple!

Utility Busted Using Fake Consumer Group To Scuttle Eugene, Oregon’s Environmental Reforms

Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms

A Brief History of Time is ‘wrong’, Stephen Hawking told collaborator

The labor shortage is pushing American colleges into crisis, with the plunge in enrollment the worst ever recorded

Stop worrying about Nation-States and Zero-Days; let's fix things that have been known for years!

Sunday, March 12, 2023

What I'm Reading 3/12/2023 - I should probably make an interest to be more interesting edition

Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges

Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

Open letter demands OWASP overhaul, warns of mass project exodus

Municipal CISOs grapple with challenges as cyber threats soar

PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716)

Adaptable ‘Swiss Army Knife’ Malware a Growing Threat

Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs

Threat actors are using advanced malware to backdoor business-grade routers

5 Critical Components of Effective ICS/OT Security

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

Google over-hired talent to do ‘fake work’ and stop them working for rivals, claims former PayPal boss, Keith Rabois

What Weimar Germany Teaches Us about Universal Basic Income

3 Mistakes I Made as an Engineer, but Had To Become a Manager To See

Want an unfair advantage in your tech career? Consume content meant for other roles

North Korean hackers used polished LinkedIn profiles to target security researchers

Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour

Building Great OT Incident Response Tabletop Exercises

Neil deGrasse Tyson - We Stopped Dreaming (Episode 1)

In addition to this stuff I am finishing up Chapter 3 of Security Engineering by Ross Anderson and working on NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy as I prepare for my CISSP-ISSMP.

Sunday, March 05, 2023

Revisiting a couple old posts -

Back in November 2005 I posted these two posts:

Top 20 Geek Novels

Blatantly stolen from the Technology Blog. I do a little better on this list:

1. The HitchHiker's Guide to the Galaxy -- Douglas Adams 85% (102)
2. Nineteen Eighty-Four -- George Orwell 79% (92)
3. Brave New World -- Aldous Huxley 69% (77)
4. Do Androids Dream of Electric Sheep? -- Philip K Dick 64% (67)
5. Neuromancer -- William Gibson 59% (66)
6. Dune -- Frank Herbert 53% (54)
7. I, Robot -- Isaac Asimov 52% (54)
8. Foundation -- Isaac Asimov 47% (47)
9. The Colour of Magic -- Terry Pratchett 46% (46)
10. Microserfs -- Douglas Coupland 43% (44)
11. Snow Crash -- Neal Stephenson 37% (37)
12. Watchmen -- Alan Moore & Dave Gibbons 38% (37)
13. Cryptonomicon -- Neal Stephenson 36% (36)
14. Consider Phlebas -- Iain M Banks 34% (35)
15. Stranger in a Strange Land -- Robert Heinlein 33% (33)
16. The Man in the High Castle -- Philip K Dick 34% (32)
17. American Gods -- Neil Gaiman 31% (29)
18. The Diamond Age -- Neal Stephenson 27% (27)
19. The Illuminatus! Trilogy -- Robert Shea & Robert Anton Wilson 23% (21)
20. Trouble with Lichen -- John Wyndham 21% (19)

Bold = Read
Italics = Started
Bold Italics = Read since original post

Books every college freshman should read

I am shamelessly stealing this list from . I don't know how many people will agree with it, but see what you think. Do you agree with the author?

1. The Bell Jar - Sylvia Plath
2. The Metamorphosis, In the Penal Colony and Other Stories - Franz Kafka
3. Mythology: Timeless Tales of Gods and Heroes - Edith Hamilton - Read
4. Siddhartha - Hermann Hesse
5. The Unbearable Lightness of Being - Milan Kundera
6. The Hobbit or There and Back Again - JRR Tolkien - Read
7. Lolita - Vladimir Nabokov
8. Slaughterhouse Five - Kurt Vonnegut - Started, I hated it
9. Frankenstein or the Modern Prometheus - Read (4th grade; I might read it again)
10. The Catcher in the Rye - JD Salinger - I have started this book about 5 times; I always make it to page 2.
11. Atlas Shrugged - Ayn Rand
12. Animal Farm - George Orwell - Read
13. 1984 - George Orwell - Read
I read 12 and 13 in 6th grade. Those books really helped convince me communism was evil.
14. Great Expectations - Charles Dickens
15. The Awakening and Selected Stories - Kate Chopin
16. Jane Eyre - Charlotte Brontë
17. Fahrenheit 451 - Ray Bradbury - Read somewhere around 7th or 8th grade. I don't remember it well, but I do remember it being hard to get through.
18. A Connecticut Yankee in King Arthur's Court - Mark Twain - Read - Boring
19. A Clockwork Orange - Anthony Burgess
20. Absalom, Absalom! - William Faulkner
21. Dubliners - James Joyce
22. The Brothers Karamazov - Fyodor Dostoevsky
23. The Great Gatsby - F. Scott Fitzgerald
24. A Streetcar Named Desire - Tennessee Williams
25. To the Lighthouse - Virginia Woolf

No point to this update really, other than to show I can actually read, I guess.

What I'm Reading 3/5/2023 - Power Grid Attacks Edition

Why the US Power Grid is Under Attack

Attacking the grid

Physical attacks on power grid rose by 71% last year, compared to 2021

The Energy Department’s Puesh Kumar on grid hacking, Ukraine and Pipedream malware

S.O.S for the U.S. Electric Grid

Biden administration wants to hold companies liable for bad cybersecurity

-- National Cybersecurity Strategy, March 2023

Industry Experts Analyze US National Cybersecurity Strategy

How to Do a Dopamine Reset

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

Well-funded security systems fail to prevent cyberattacks in US and Europe: Report

Hacked home computer of engineer led to second LastPass data breach

CISA director urges tech sector to stop shipping unsafe products

When Low-Tech Hacks Cause High-Impact Breaches

It’s all Gone Critical (Infrastructure)

US Electric Cooperative Association Launches Commercial OT Security Solution

Netflix fights attempt to make streaming firms pay for ISP network upgrades

Unpatched old vulnerabilities continue to be exploited: Report

It's official: BlackLotus malware can bypass Secure Boot on Windows machines

30 Days Of Python

I quitted Infosec and I couldn't be happier.

Sunday, February 26, 2023

What I am Reading 2/26/23 - Back from Miami Beach edition

It was a busy couple of weeks traveling to Miami Beach, attending S4x23, and then coming home and dropping back into the grind, but I haven't forgotten about you guys. Without further ado, a couple of weeks' worth of reading:

The maze is in the mouse: What ails Google and how it can turn things around.

Sensitive US military emails spill online

Place your bets

Dragos Report Identifies Two New Threat Groups

Traditional PAM solutions aren’t working, Keeper Security study finds

Cyberwar Lessons from the War in Ukraine

The return of Flat Earth, the grandfather of conspiracy theories

US says Google routinely destroyed evidence and lied about use of auto-delete

Ukraine suffered more data-wiping malware than anywhere, ever

Seattle becomes first US city to ban caste discrimination

US Supreme Court wary of removing tech firms' legal shield in Google case

Technical debt? Don't spend more than one-quarter of your time dealing with it

Lab Leak Most Likely Origin of Covid-19 Pandemic, Energy Department Now Says

James Bond books edited to remove racist references

Beej's Guide to C Programming

The Capitalist Road to Serfdom

High-skilled visa holders at risk of deportation amid tech layoffs

U.S. corn-based ethanol worse for the climate than gasoline, study finds

Even Neal Stephenson doesn't seem keen on crypto anymore

There is a worrying amount of fraud in medical research

Stanford Faculty Say Anonymous Student Bias Reports Threaten Free Speech

Companies Can’t Ask You to Shut up to Receive Severance, NLRB Rules

How India’s caste system manifests in Seattle-area workplaces and beyond

The age of Agile must end

5th person confirmed to be cured of HIV

The Silicon Valley Loop: How the dot-com crash created Palo Alto’s clueless investor class.

Speech is violence? Not if we want a liberal, intellectual society

Big Tech’s massive layoffs will come back to haunt it

OT Network Security Myths Busted in a Pair of Hacks

Attacks on industrial infrastructure on the rise, defenses struggle to keep up

PLC vulnerabilities can enable deep lateral movement inside OT networks

The Energy Department’s Puesh Kumar on grid hacking, Ukraine and Pipedream malware

Is OWASP at Risk of Irrelevance?

Bill Fehrman - CEO Berkshire Hathaway Energy talking at S4x23

Saturday, February 25, 2023

Page Ranking the Cybersecurity Literature

As all of you, the imaginary voices in my head, know, I maintain a pretty extensive meta-list of cybersecurity reading: a list of lists compiling recommendations from different companies, government/military organizations, academic institutions, and individuals (30+ sources and close to 900 readings at this point). I have tried to group the sources into categories, and every time a reading appears I increment a score column. This is supposed to help gauge relative importance based on community perception. The readings are listed alphabetically.

Since I started this project I have always just kind of thought of it as a handy list for myself and some of my friends, although I have blasted it out on Twitter and various other forums ad nauseam, but today I realized two things:

a) other than me no one uses or cares about this list

b) In doing this I have re-invented a very clumsy way of doing page ranking, like Google's very dimwitted cousin that the family keeps locked in the basement, who they occasionally throw some food and porn and hope no one will ever learn of their shame.

c) Although I am doing this in the most moronic and labor-intensive way possible, there are actually possibilities here.

d) That was three things, not two. Obviously I am a moron who can't count.

e) Dammit, that was four!

f) Aargh!!!!

OK, had to break out of that hell...

Anyway, I have mentioned before that it would be interesting to build a list of the articles that SANS uses in their various courses. At the time I was mainly thinking of it as just an additional resource to help study for their exams, but now I am seeing a couple of other possibilities, mainly in helping industry newcomers and students identify subjects that cut across various specialties. It might also help build cohesion and reinforce learning by making it possible to identify subjects that the various course authors have found to be important.

(Also, now that I think about it, this could serve as the basis of a talk at a convention. DIBS!!!)

I've probably wasted enough of your time by now and I need to think about how to proceed:

I guess I could start a GoFundMe for $17,500,000,000.00 so I could take all the available SANS classes and then manually pull the article information from the footnotes on each page; as a variation, I could brush up on my Python skills and try to do that automatically using digital copies. Obviously that's not gonna happen - the last time I asked for help online all I got was one random Fuck You.

The other, more realistic scenario is that people may have already compiled some of this information. If you have and you wouldn't mind sharing, let me know in the comments or on Twitter.

Sunday, February 05, 2023

What I am Reading 2/5/2023 - including free course in cyber-physical system security

Richard Bartle, Top Virtual World Expert, Tries Explaining Core Problems With NFT & Blockchain at a Crypto Conference. It Does Not Go Well.

We are ‘greening’ ourselves to extinction

Microsoft warning: Protect this critical piece of your tech infrastructure

Why you might not be done with your January Microsoft security patches

Vulnerabilities could let hackers remotely shut down EV chargers, steal electricity

Firmware Flaws Could Spell 'Lights Out' for Servers

CISA to Open Supply Chain Risk Management Office

After 16 years at Google, Justin Moore was fired with an automated email

St. John’s Reading List: A Great Books Curriculum

Stop Passing the Buck on Cybersecurity

Article by Jen Easterly, the head of CISA

Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter

Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076)

3 ways to stop cybersecurity concerns from hindering utility infrastructure modernization efforts

Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears

Video - How Would a Nuclear EMP Affect the Power Grid?

Free Course - Cyber-Physical System Security

-- Syllabus - Cyber-Physical System Security

Sunday, January 29, 2023

What I am Reading 1/29/2023

NERC-CIP Stuff - Alexa, can you tell me when my grid is hacked?

Within the next 2-3 years, if you are a NERC Registered Entity with high-impact BES cyber systems, or medium-impact BES cyber systems with ERC, you will need to baseline your network traffic for all applicable cyber assets inside the ESP and look for anomalies beyond the traditional anti-malware and port-restriction controls already in place as part of the existing CIP standards. Examples of anomalies could be, among other things, accounts used in ways they shouldn't be, new unexpected devices on the network, or legitimate commands sent to control systems in ways that could stop or degrade the system. Further, you will need to record/log the traffic information and protect that information from misuse.
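To make the "baseline, then look for anomalies" idea concrete, here is an added example (not from the linked article or from any NERC standard) that learns a baseline from a known-good window of flow records and flags the three kinds of anomaly the paragraph names: unknown devices, accounts used from hosts they have not been seen on, and new command flows to control systems. All records, IPs, account names and the `op` field are constructed for this illustration; a real deployment would read them from a flow collector or protocol-aware sensor.

```python
"""Baseline-and-anomaly check over constructed ESP flow records.

Added illustration: learn which hosts, account-to-host pairs and
(src, dst, port, op) flows are normal from a known-good window, then flag
later records that break the baseline. All sample data is constructed.
"""

# Constructed baseline window: records observed during a known-good period.
BASELINE = [
    {"src": "10.10.1.5", "dst": "10.10.1.20", "port": 502, "op": "read", "user": "opsvc"},
    {"src": "10.10.1.5", "dst": "10.10.1.21", "port": 502, "op": "read", "user": "opsvc"},
    {"src": "10.10.1.7", "dst": "10.10.1.20", "port": 20000, "op": "read", "user": "hmi1"},
    {"src": "10.10.1.9", "dst": "10.10.1.5", "port": 22, "op": "ssh", "user": "admin"},
]

# Constructed records from a later window: two normal, two anomalous.
NEW = [
    {"src": "10.10.1.5", "dst": "10.10.1.20", "port": 502, "op": "read", "user": "opsvc"},
    # never-seen device talking to a PLC with a known service account
    {"src": "10.10.1.42", "dst": "10.10.1.20", "port": 502, "op": "read", "user": "opsvc"},
    # known admin host, known account, but a write to a PLC it never touched
    {"src": "10.10.1.9", "dst": "10.10.1.20", "port": 502, "op": "write", "user": "admin"},
    {"src": "10.10.1.7", "dst": "10.10.1.20", "port": 20000, "op": "read", "user": "hmi1"},
]


def build_baseline(records):
    """Learn the sets that define 'normal' from a known-good window."""
    hosts, flows, account_hosts = set(), set(), set()
    for r in records:
        hosts.update((r["src"], r["dst"]))
        flows.add((r["src"], r["dst"], r["port"], r["op"]))
        account_hosts.add((r["user"], r["src"]))
    return {"hosts": hosts, "flows": flows, "account_hosts": account_hosts}


def classify(record, baseline):
    """Return the anomaly labels for one record; an empty list means normal."""
    labels = []
    for host in (record["src"], record["dst"]):
        if host not in baseline["hosts"]:
            labels.append(f"new_device:{host}")
    if (record["user"], record["src"]) not in baseline["account_hosts"]:
        labels.append(f"account_from_new_host:{record['user']}@{record['src']}")
    flow = (record["src"], record["dst"], record["port"], record["op"])
    if flow not in baseline["flows"]:
        labels.append(
            f"new_flow:{record['src']}->{record['dst']}:{record['port']}/{record['op']}"
        )
    return labels


def find_anomalies(records, baseline):
    """Map the index of each anomalous record to its labels; normal records are omitted."""
    return {i: labels for i, r in enumerate(records) if (labels := classify(r, baseline))}


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for idx, labels in find_anomalies(NEW, base).items():
        print(f"record {idx}: {', '.join(labels)}")
```

The point of keying the flow on `op` as well as port is that a write to a PLC from a host that normally only reads (or only does SSH to a jump box) is exactly the "legitimate command used in a way it shouldn't be" case; a port-only baseline would miss it. The baseline window and the records it flags are also the traffic information the paragraph says must be logged and protected.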

RIP Perimeter Security: Critical Infrastructure Breaches Demand New Approach

Race to zero: Can California’s power grid handle a 15-fold increase in electric cars?

EVs Are Essential Grid-Scale Storage

Russia’s Sandworm hackers blamed in fresh Ukraine malware attack

National Security Agency | Cybersecurity Information Sheet | IPv6 Security Guidance

Trained developers get rid of more vulnerabilities than code scanning tools

Microsoft will stop selling Windows 10 on January 31, but workarounds remain

NIST working on ‘potential significant updates’ to cybersecurity framework

The Concept Paper - NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework

New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch

Why are so many tech companies laying people off right now?

Kevin Mitnick Hacked California Law in 1983

Google Is Screwed, Even If It Wins Its Antitrust Case

Two Supreme Court Cases That Could Break the Internet

Hackers abuse legitimate remote monitoring and management tools in attacks