Thursday, June 04, 2020

6/4/2020 - Software Audits, Hacked Nuclear Missile Systems, the French Destroying Civilization, and the Chinese Jumping Airgaps

BBC - Porn star Nacho Vidal held in Spain after man dies in toad-venom ritual  -

There's really nothing to say here; I don't know who Nacho Vidal is , I don't know what a toad-venom ritual is and by popular consent as an American I don't know here Spain is.  I just thought the headline was hilarious.

The US is protected by what’s known as a nuclear triad: a three-pronged attack force that consists of land-launched nuclear missiles, nuclear missiles on submarines, and aircraft equipped with nuclear bombs and missiles.

One of the triad’s legs – the land-based LGM-30 Minuteman intercontinental ballistic missile (ICBM) – has been kicked by hackers who’ve inflicted Maze ransomware on the computer network of a Northrup Grumman contractor.

An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

Unsecured test environment - 74000 records

Postmodernism presents a threat not only to liberal democracy but to modernity itself. That may sound like a bold or even hyperbolic claim, but the reality is that the cluster of ideas and values at the root of postmodernism have broken the bounds of academia and gained great cultural power in western society. The irrational and identitarian “symptoms” of postmodernism are easily recognizable and much criticized, but the ethos underlying them is not well understood. This is partly because postmodernists rarely explain themselves clearly and partly because of the inherent contradictions and inconsistencies of a way of thought which denies a stable reality or reliable knowledge to exist. However, there are consistent ideas at the root of postmodernism and understanding them is essential if we intend to counter them. They underlie the problems we see today in Social Justice Activism, undermine the credibility of the Left and threaten to return us to an irrational and tribal “pre-modern” culture.
A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday.

The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos.

"One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data," Kaspersky said. "This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose." 

You know how it is: the economy is in meltdown; half the company is working from home and the other half is furloughed. What is there to look forward to? Software audits, that's what.

Yes, audits are among the advice global accountancy and consultancy PWC has delivered to a software industry beleaguered by the economic impacts of COVID-19.

California's attorney general Xavier Becerra revealed the details [PDF] for how his office will define and enforce the landmark law, which is supposed to give residents of America's Golden State the right to demand what data companies hold on them, the right to request that this information is not sold, and the right to demand that it be deleted.

But despite the California Consumer Privacy Act (CCPA) passing two years ago, the rules still have huge gaps in how they will be applied; holes that will undoubtedly be exploited to avoid the intent of the law after the attorney general starts to enforce it on July 1.

Most significant is a failure to state that the vast databases companies like Google and Facebook are subject to the CCPA; an omission that tech giants are certain to view in their favor. Both companies have long argued that since they don’t directly sell personal information to advertisers, but only access to carefully segmented people on their platforms, that most privacy laws don’t apply to them.

The networking giant on June 3 published its semiannual bundled publication of security advisories for IOS and IOS XE software. The advisories describe 25 vulnerabilities that have been rated critical or high severity. In addition, the company has published tens of other advisories for high- and medium-severity issues affecting IOS and other software.

A dozen vulnerabilities appear to impact the company’s industrial products. One of the security bugs rated critical is CVE-2020-3205, which allows an unauthenticated attacker with network access to execute arbitrary shell commands on the virtual device server of affected devices.
The last thing cybersecurity executives and practitioners need are even more tools that are difficult to operate. Here's what they look for when assessing new tools.
 


No comments: