

Apple only

Apple today detailed two initiatives to help protect users who may be personally targeted by some of the most sophisticated digital threats, such as those from private companies developing state-sponsored mercenary spyware. Lockdown Mode, coming this fall with iOS 16, iPadOS 16, and macOS Ventura, is an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.

apple.com/newsroom/2022/07/app


Ubiquitous Surveillance by ICE

Georgetown’s Center on Privacy and Technology has published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE).

americandragnet.org/

Taking the Elf Off the Shelf: Why the U.S. Should Consider a Civilian Cyber Defense.

A serious problem that the U.S. government should approach with urgency. “Estimates show that 28 percent of data breaches occur in small businesses, with 55 percent of ransomware attacks hitting businesses with fewer than 100 employees. 37% suffered a financial loss, 25% filed for bankruptcy, and 10% went out of business.”

By Maggie Smith, Mark Grzegorzewski, Barnett Koven

lawfareblog.com/taking-elf-she


NIST Announces First Four Quantum-Resistant Cryptographic Algorithms.

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.

Bruce Schneier

schneier.com/blog/archives/202


Last Call at the “Star Wars Bar”: Harmonizing Incident and Breach Reporting Requirements

It’s an apt analogy. In the United States, there are currently at least two dozen individual federal cyber reporting and breach requirements. They are generally sector- or industry-specific, and are promulgated separately by more than a dozen agencies and departments under various legal authorities.

By Mary Brooks, Sofia Lesmes

lawfareblog.com/last-call-star


PACMAN Attack on M1 Processor

Works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered.

What’s more, since there are only so many possible values for the PAC, the researchers found that it’s possible to try them all to find the right one.

mjtsai.com/blog/2022/07/05/pac
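A small model of what the post is describing, added here as an illustration (this is not code from the PACMAN paper, MIT, or mjtsai). Two points the summary glosses over: a PAC authenticates individual pointers (return addresses, function pointers), not "the app" as a whole, and on real hardware a wrong guess poisons the pointer so the next dereference crashes the victim, which is why PACMAN's contribution is a speculative-execution side channel that reports whether a guess is valid without ever faulting. The model below assumes a 48-bit address space leaving a 16-bit PAC (the exact width depends on the VA configuration), uses HMAC-SHA256 as a stand-in for the QARMA cipher the hardware uses, and represents the side channel as a plain boolean oracle so the brute force can be run offline.

```python
import hashlib
import hmac
import os

# Model parameters (assumptions for this illustration, not taken from the paper):
# a 48-bit virtual address leaves the top 16 bits of a 64-bit pointer for the PAC.
PTR_BITS = 48
PAC_BITS = 16
PTR_MASK = (1 << PTR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed tag over (pointer, modifier), truncated to PAC_BITS.

    Real ARMv8.3 hardware uses the QARMA block cipher; HMAC-SHA256 is a
    stand-in with the one property that matters here: without the key, the
    only way to find the tag is to guess it.
    """
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def sign(key: bytes, ptr: int, modifier: int) -> int:
    """PACxx: embed the PAC in the otherwise unused upper bits of the pointer."""
    if ptr & ~PTR_MASK:
        raise ValueError("pointer must fit in PTR_BITS")
    return ptr | (compute_pac(key, ptr, modifier) << PTR_BITS)


def pac_valid(key: bytes, signed: int, modifier: int) -> bool:
    ptr = signed & PTR_MASK
    return ((signed >> PTR_BITS) & PAC_MASK) == compute_pac(key, ptr, modifier)


def authenticate(key: bytes, signed: int, modifier: int) -> int:
    """AUTxx: strip the PAC if it verifies. Otherwise the pointer is poisoned
    and any later dereference faults, modelled here as an exception."""
    if not pac_valid(key, signed, modifier):
        raise ValueError("PAC check failed")
    return signed & PTR_MASK


def brute_force(oracle, ptr: int, modifier: int):
    """Enumerate every PAC value for `ptr`.

    `oracle(candidate)` returns True when the candidate authenticates. On real
    hardware a wrong guess would crash the victim, so the oracle has to be a
    silent side channel; PACMAN builds one from speculative execution and the
    cache/TLB state it leaves behind. Returns (forged pointer, guesses used).
    """
    for guess in range(1 << PAC_BITS):
        candidate = (ptr & PTR_MASK) | (guess << PTR_BITS)
        if oracle(candidate):
            return candidate, guess + 1
    return None, 1 << PAC_BITS


if __name__ == "__main__":
    key = os.urandom(32)          # secret PAC key; never visible to the attacker
    target = 0x7FFFABCD1230       # constructed address the attacker wants to forge
    ctx = 0                       # modifier (e.g. the stack pointer for return addresses)
    genuine = sign(key, target, ctx)
    forged, tries = brute_force(lambda c: pac_valid(key, c, ctx), target, ctx)
    assert forged == genuine
    print(f"recovered PAC 0x{forged >> PTR_BITS:04x} after {tries} of "
          f"{1 << PAC_BITS} possible guesses; dereference -> 0x{authenticate(key, forged, ctx):x}")
```

The search space is the whole story: with 16 PAC bits an attacker needs at most 65,536 oracle queries, on average half that, which is why the defence depends on every failed guess being fatal. Any mechanism that turns a failure into a silent yes/no answer, as PACMAN's microarchitectural oracle does, reduces PAC to a short secret that can be enumerated.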

First.

xkcd.com/2030/

Then.

Andrew Appel has a long analysis of the Swiss online voting system. It’s a really good analysis of both the system and the official analyses.

freedom-to-tinker.com/2022/06/



(This is a long, in-depth look at what legal cyber security really means.)

A Cyber Persistence Way to Norms

"The U.S. Department of Defense’s defend forward cyber strategy as operationalized by U.S. Cyber Command’s (CYBERCOM) doctrine of persistent engagement embodies the notion of achieving security through responsible, persistent exploitation-based operations, campaigns, and activities."

By Michael P. Fischerkeller

lawfareblog.com/cyber-persiste

Italian Exploit Developer Follows Hacking Team’s Lead, Sells Powerful Spyware To Human Rights Violators

Italian malware developer Hacking Team began making headlines in 2014. Infections uncovered by researchers at Toronto’s Citizen Lab and Russia’s Kaspersky Lab were traced back to servers located in the United States, Canada, UK, and Ecuador. The US servers topped the list. The second place finisher, however, was Kazakhstan.

techdirt.com/2022/06/30/italia

ZuoRAT Malware Is Targeting Routers

A new Trojan that is able to infect at least eighty different targets.

The discovery of custom-built malware written for the MIPS architecture and compiled for home-office routers is significant. Its ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected is the hallmark of a highly sophisticated threat actor.

wired.com/story/zuorat-trojan-

Abortion surveillance only incidentally involves period-trackers.

Indeed, the whole tech sector, from bottom-feeding ad-tech also-rans to multi-trillion-dollar global giants, spies on you all the time, in every way, and both their security policies and their law-enforcement cooperation policies are exceptionally weak.

By Cory Doctorow

pluralistic.net/2022/06/29/no-

On the Subversion of NIST by the NSA

Nadiya Kostyuk and Susan Landau wrote an interesting paper: “The Consequences of Corrupting a Cryptographic Standardization Process“:

But in 2013, Edward Snowden disclosed that the National Security Agency had subverted the integrity of a NIST cryptographic standard. Yet, a decade later, no credible alternative to NIST has emerged. NIST remains the only viable candidate for effectively developing internationally trusted cryptography standards.

harvardnsj.org/wp-content/uplo


(Nope, not good news, at all)

Stingray Manufacturer L3Harris Seeking To Acquire NSO Group

Even if it may somewhat whitewash NSO’s reputation, this merger shouldn’t be welcomed by anyone. It adds the abuses of cell tower simulator technology to the abuses of powerful cell phone-compromising exploits. When a single product can force phones to connect with it in order to deploy malware, the abuses observed to date are going to look pretty mild.

techdirt.com/2022/06/23/stingr

Bolt-On vs Baked-In Cybersecurity

One of the most prominent issues in cybersecurity is that of “baking in” security into product development from the beginning, rather than “bolting on” security as an afterthought.

By Herb Lin

lawfareblog.com/bolt-vs-baked-

The EU’s Proposal on CSAM Is a Dangerous Misfire

The EU proposal would undo 20 years of progress in securing communications, while employing a set of technologies unlikely to achieve its stated goals. Even worse, the solutions it proposes for handling CSAM would create national security risks by weakening the best tool available for securing communications, end-to-end encryption, and defining a mission without the technology to accomplish it.

By Susan Landau

lawfareblog.com/eus-proposal-c

Daycare Apps Are Dangerously Insecure

Preschools and daycares aren’t forced to use a specific application. But they are effectively trusting a third party to act ethically and securely with a school’s worth of children’s data. Regulations like COPPA (Children’s Online Privacy Protection Act) likely don’t apply to these applications.

By Alexis Hancock

eff.org/deeplinks/2022/06/dayc


A review of James E. Baker, “The Centaur’s Dilemma: National Security Law for the Coming AI Revolution”

Preparing National Security Officials for the Challenges of AI
By Steve Bunnell

lawfareblog.com/preparing-nati

Book

bookshop.org/books/the-centaur

Hertzbleed: A New Side-Channel Attack.

The team discovered that dynamic voltage and frequency scaling (DVFS)—a power and thermal management feature added to every modern CPU—allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries.

arstechnica.com/information-te

Leaked Audio From 80 Internal TikTok Meetings Shows That US User Data Has Been Repeatedly Accessed From China

“I feel like with these tools, there’s some backdoor to access user data in almost all of them,” said an external auditor hired to help TikTok close off Chinese access to sensitive information, like Americans’ birthdays and phone numbers.

By Emily Baker-White

buzzfeednews.com/article/emily
