Books -
Network Forensics Tracking Hackers Through Cyberspace
Wired for War: The Robotics Revolution and Conflict in the 21st Century
Wired for War: The Robotics Revolution and Conflict in the 21st Century
Clay Cooper and his band were once the best of the best, the most feared and renowned crew of mercenaries this side of the Heartwyld.Podcast -
Their glory days long past, the mercs have grown apart and grown old, fat, drunk, or a combination of the three. Then an ex-bandmate turns up at Clay's door with a plea for help--the kind of mission that only the very brave or the very stupid would sign up for.
Darknet Diaries - Ep. 57: MS08-067
Blogs / News -
Security Week - Analyzing Cyberspace Solarium Commission's Blueprint for a Cybersecure Nation -
The Cyberspace Solarium Commission (CSC) is a modern iteration of Eisenhower's original 1953 Project Solarium. Project Solarium was tasked with developing a national strategy to contain and counter the nuclear threat from the USSR. CSC has a similar task to contain and counter the threat from cyberspace -- one that is far more complex than a single threat from a single source, but no less existential.
...
Disappointingly, the report starts with a post-apocalyptic cyber fiction. This will frighten the children (the consumers) and dismay the adults (security professionals). It comes over as pure FUD -- something not lost on Chris Morales, head of security analytics at threat hunting firm Vectra. "It describes a worst-case scenario, which to me does fall into fear, uncertainty and doubt (FUD)," he told SecurityWeek. The danger in starting a report in this manner is it colors the rest of the content.
"Overall," continued Morales, "I don't see anything new and earth shattering in the recommendations. I can't shake this feeling of another defense strategy built on attack first and have more weapons. Considering the Solarium was the start of the cold war, and this is a copy of that in principles, that would be what could be an unfortunate outcome in policy."Related - Fifth Domain - A new label to better protect critical infrastructure -
The Cyberspace Solarium Commission’s final report, released March 11 by a group of experts from in and out of government, recommended Congress implement the concept of “systemically important critical infrastructure," a designation for entities that operate systems that, if disrupted, “could have cascading, destabilizing effects on U.S. national security, economic security, and public health and safety.”
According to the report, the government “can and should bring to bear its unique authorities, resources, and intelligence capabilities to support these entities in their defense.”
For operators of critical infrastructure, this is a departure from the past procedures.
Al Jazeera - US Navy hospital ship to head to New York for coronavirus fight -
New York will get a 1,000-room hospital ship that will dock in the city's harbour to fight coronavirus, state Governor Andrew Cuomo said Wednesday.
Cuomo said US President Donald Trump would dispatch the USNS Comfort to America's financial capital immediately.HackRead - Blizzard hit by massive DDoS attack; EA Sports facing lagging issue
CNN - 5.7 magnitude earthquake in Utah knocks out power to thousands and diverts flights -
A 5.7 magnitude earthquake shook Utah's Salt Lake City area Wednesday morning, cutting power to tens of thousands and suspending work at the state's public health lab amid the coronavirus pandemic, officials said.
...
The quake was centered about 10 miles west of Salt Lake City and near the city of Magna, starting at 7:09 a.m. MT, the US Geological Survey said.Dark Reading - 500,000 Documents Exposed in Open S3 Bucket Incident -
An unprotected AWS S3 bucket exposed some 425 GB of data, representing approximately 500,000 documents related to MCA Wizard, an iOS and Android app developed by Advantage Capital Funding and Argus Capital Funding. According to vpnMentor researcher Noam Rotem, who led the team of researchers who found the open database, the app appears to be a tool for a Merchant Cash Advance (MCA), which provides relatively small, high-interest business loans typically made to small companies.Related - Bank Info Security - Unsecured Database Exposes Financial Records: Report -
In the report, Noam Rotem, a self-described security researcher and hacktivist, notes that the unsecured database, which lacked passwords and encryption, contained financial data that appears to have come from Advantage Capital Funding and Argus Capital Funding - it's not clear what connection, if any, the data had to the MCA Wizard app.
The exposed data included credit reports; bank statements; contracts; legal paperwork; driver's licenses; purchase orders and receipts; tax returns; transaction reports for credit cards and merchant bank accounts; scanned copies of bank checks; access information for bank accounts; corporate shares outlines; and Social Security information, according to the report.Related - Threatpost - Cloud Misconfig Mistakes Show Need For DevSecOps -
LO: Great. Well, I know that Unit 42 recently has released a report about cloud security. And you know, the cloud security landscape is really interesting, lots to discuss there. Can you tell me a little bit about the key takeaways of this research that you guys released?
RO: Yeah. So last month, we released our second Cloud Threat Report. In the first report, which was last summer, one of the things we were looking at was, how many breaches were occurring in the public cloud due to misconfiguration, people just making bad choices. And what we found was about 60 percent of the breaches could be attributed back to the fact that people are just making mistakes in how they configure their environment. So in this latest report, what we did was we started looking at how people were deploying that cloud infrastructure, how are they setting up databases and file systems, and were they making secure choices? And a couple of the takeaways that we found were, in one case, about 43% of the databases that people are using in the public cloud, they’re not encrypting the actual data inside the databases. When they set them up, they’re leaving that data unencrypted, which exposes them to potential risks. People might be thinking, no one’s gonna get access to the database, I don’t have to worry about it. But we’ve seen time and time again, that doesn’t turn out to be the case. And the second case, what we found was, people are not enabling logging on access to the storage that they have in the cloud. So if you can think of like Amazon s3 buckets, when someone goes and puts a file inside of that, you can turn on logging so that you can see, did someone access it and someone download it or not? And it’s sort of like building a hotel, but not having any kind of access control on whether or not people are going in and out of rooms. If you’re not monitoring that, and you do have a breach, there’s no way to say, has anyone actually seen those files? Has anyone downloaded them? Did they modify them? So just making sort of those poor configuration choices, leaves people exposed, and in some cases, it might leave them exposed to potential regulatory problems, but really, we just want to keep the data safe and making better choices up front will do that.Security Boulevard - My Top Five Cyber Security Books -
Over the last two years, I’ve read 25+ cyber security books to invest in understanding as many parts of our field (including the history of the industry) as I can. I’ve learned a ton and have been quite entertained in the process. Many have asked for a list of my favorite books in the space. With the world on lockdown from Covid-19 I figured now was a good time to share my shortlist.If you are interested I maintain a cybersecurity reading list , which is broken down by the source of the recommendation. These include industry, conferences, government military and personal It also has a movies tab if you are looking for something to watch.
Cyber Scoop - Venture funding in security startups is falling. Don't blame the coronavirus. -
Investors don’t have an unlimited appetite for cybersecurity firms after all.
Venture capital investment in security startups in the first two months of this year is down from years past. The downward trend started gaining steam in 2019 and continued into the beginning of 2020, even before the COVID-19 pandemic sent the economy into a freefall.Dark Reading - New Study Calls Common Risk Figure into Question -
Many risk models use a commonly quoted number -- $150 per record -- to estimate the cost of an incident. A new study from the Cyentia Institute says misusing that number means that estimates are almost never accurate.NBC - Mark Cuban says bailed out companies should never be allowed to buy back their stocks ever again -
Billionaire entrepreneur Mark Cuban told CNBC on Wednesday that companies that get federal assistance in response to the coronavirus crisis should be prevented from buying back stock ever again.
“No buybacks. Not now. Not a year from now. Not 20 years from now. Not ever,” Cuban said on “Squawk Box.” “Because effectively you’re spending taxpayer money to buyback stock and to me that’s just the wrong way to do that.”Reuters - Google critics see its Firebase tools as another squeeze play -
The previously unreported concerns about Firebase, a set of software that Google makes available to apps, have become part of the broad investigations launched last summer by state attorneys general and the United States Department of Justice into whether Google has unlawfully stifled competition in online advertising and other businesses, two people with knowledge of the probes said this month.The Register - Forget James Bond's super-gadgets, this chap spied for China using SD card dead drops. Now he's behind bars -
A federal district judge this week sentenced Xuehua Edward Peng, 56, of Hayward, California, after he admitted handing over the trade secrets to Beijing. Peng earlier confessed that SD cards loaded with information stolen from an unspecified US company were left for him to collect at hotels by a contact only known as Ed. Peng would also hide tens of thousands of dollars in hotel rooms for Ed to collect as payment. Lawyers said Peng spent years trafficking confidential info.#infosec #news #cybersecurity #books
No comments:
Post a Comment