Archive for the ‘Security’ Category

Crimes Against Humanity

2019/06/17

(FTB stderr) – Marcus Ranum:

Just a reminder: messing with another country’s civilian power grid is a crime against humanity.

Not that that’s going to slow the US government down, in the slightest. After all, the US has been warning for years about the danger of Chinese and Russian cyberspies in its power grid, and making dire threats of consequential “real world” military action against any nation so foolish as to contemplate such a thing. …

stderr 2019/06/16 crimes-against-humanity

AMI network attack vectors

Tom Phillips and Uki Goñi: Millions across South America hit by massive power cut

Advertisements

Computer Security is a Pit of Despair

2019/01/11

(FTB stderr) – Marcus Ranum:

In case you didn’t know, or had mistakenly believed some vendors’ claims that things are getting better: computer security is still approximately as bad as it was when I got into the field in 1989. …

stderr 2019/01/10 despair

Windows Bug

Password Strength

2018/10/23

(xkcd) – Randall Munroe:

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess. …

xkcd 936

Randall Munroe: xkcd 936: Password Strength

Downsides of a Primarily Offensive Strategy

2018/10/16

(FTB stderr) – Marcus Ranum:

Offensive strategies are good if (and only if) you have an identifiable, small, number of foes that you can dominate.

As soon as you’ve got to worry about getting mobbed from several directions, you need to start worrying about how to cover your vulnerable parts while you attack each foe in sequence and defeat them in detail. Anyone who expects conflict that is more than a first strike followed by a one-shot victory, needs to defend themselves against attack. Unless you’re the US, that is. …

stderr 2018/10/16 offensive

GAO-19-128

Hacking and Propaganda

2018/10/08

(FTB stderr) – Marcus Ranum:

Your computer is a free-fire zone. It has been since the mid 1990s, when the NSA was told “no” on the Clipper chip and decided to come up with its own Plan B, C, D, and E. Then, the CIA came up with theirs. Etc. There are probably so many backdoors in our systems that it’s a miracle it works at all.

With backdoors in the BIOS, backdoors on the CPU, and wireless cellular-spectrum backdoors, there are probably backdoors in the GPUs and the physical network controllers, as well. Maybe the backdoors in the GPU come from the GRU and maybe the backdoors in the hard drives come from NSA, but who cares? The upshot is that all of our systems are so heinously compromised that they can only be considered marginally reliable. It is, literally, not your computer: it’s theirs. …

stderr 2018/10/06 hacking-and-propaganda

i big brother bug

The Elephant In The Connected Room

2018/09/03

(FTB stderr) – Marcus Ranum:

Here’s a more sophisticated attack scenario: a certain company provides air conditioning and power system maintenance and repair services in an area where there are a lot of data centers. The attacker reasons (correctly) that the HVAC company may have access to systems within a certain data center, so they launch an attack against the supplier, hoping to identify a backdoor into the actual target. Speaking of targets, that’s how Target(tm) got compromised. How did the HVAC company get compromised? Someone there appears to have opened a spreadsheet that looked like it came from Target.

These sort of attacks are possible anywhere where one business sits across another’s supply chain, or their data chain, staffing, or services provided. In other words, it’s an extremely “target rich” environment. The worst thing is: there is no way to do business, have customers, exchange data, or perform transactions without trusting someone. So it’s probably an insoluble problem. …

stderr 2018/09/01 elephant

Trojan elephant

Sunder, a New Way to Share Secrets

2018/05/19

(FPF) – Conor Schaefer:

The moment a news organization is given access to highly sensitive materials—such as the Panama Papers, the NSA disclosures or the Drone Papers—the journalist and their source may be targeted by state and non-state actors, with the goal of preventing disclosures. How can whistleblowers and news organizations prepare for the worst?

The Freedom of the Press Foundation is requesting public comments and testing of a new open source tool that may help with this and similar use cases: Sunder, a desktop application for dividing access to secret information between multiple participants. …

freedom.press sunder

Sunder: Create Secret Shares

Unlocking Encrypted Phones

2018/04/29

(ZDNet) – Zack Whittaker:

It’s 2018, and we’re still talking about cryptographic backdoors. It’s the bad idea that just won’t die.

But don’t worry: Ray Ozzie, a former Microsoft executive thinks he can beat a dead horse with a not-so-new idea that took about a day for everyone else to rip apart. …

zdnet ripped-apart

Henri Vidal: Caïn (Facepalm)

Bitcoin Snafus

2018/03/29

(FTB stderr) – Marcus Ranum:

There are so many things about bitcoin that are wrong.

Because there is no central brokerage, there’s no input validation process that prevents someone from just injecting their own garbage. From a security design perspective that is a “newb mistake” of the first water.

What a stupid design. The stupidity is an unavoidable consequence of not having a central authority: nobody exists to say “this transaction is a bunch of encrypted garbage that doesn’t look like one of our things.” …

What happens to bitcoin if someone finds a flaw in SHA-256? Go on, think that one through. All the people who have bitcoin appear not to have.

You’d think that someone who was creating the next big currency would think about operational details like that. You’d think that someone who was creating the next big currency would think about security models. Nah. Bitcoin are worth a lot of money, though, so who cares?! …

stderr 2018/03/28 bitcoin

Bitcoin bugs

Secure Your Android Phone

2018/03/05

(ZDNet) – Steven J. Vaughan-Nichols:

Malware makers, phishers, they really are all out to get you. Here’s how to stop them in their tracks. …

zdnet secure android-phone

Android locked