🚨 Scam Alert 🚨
There’s a scam app claiming to be Midjourney, and it’s charting in the App Store.
Midjourney Scam App
Cybersecurity Regulation: It’s Not ‘Performance-Based’ If Outcomes Can’t Be Measured
"This is one of the conundrums at the heart of all cybersecurity: Perfection is not possible, but risk is not easily quantifiable. ... But unless regulators are prepared to quantify how far short of perfection entities may fall in complying with a cybersecurity requirement, there is nothing to measure."
By Jim Dempsey
October Is Cybersecurity Awareness Month.
For the past nineteen years, October has been Cybersecurity Awareness Month here in the US, an event that has always been part advice and part ridicule. I tend to fall on the apathy end of the spectrum; I don’t think I’ve ever mentioned it before. But the memes can be funny.
Here’s a decent rundown of some of the chatter.
~ Bruce Schneier
New Folks
Some of my favorite Hashtags
#CoSoBooks
#CoSoMusic
#CoSoScience
#CoSoSec
#CoSoEnvironment
#CoSoPhilosophy
Just type them into the search box (just above the text entry box), and a new column will appear on the right; you can then "pin" that column and make it permanent.
This is a wild story.
Security Vulnerabilities in Covert CIA Websites
Back in 2018, we learned that a covert system of websites that the CIA used for communications was compromised by—at least—China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re now learning that the CIA is still “using an irresponsibly secured system for asset communication.”
And
https://www.reuters.com/investigates/special-report/usa-spies-iran/
And
Prompt Injection/Extraction Attacks against AI Systems
This is an interesting attack I had not previously considered.
The variants are interesting, and I think we’re just starting to understand their implications.
https://simonwillison.net/2022/Sep/16/prompt-injection-solutions/
And
https://mobile.twitter.com/mkualquiera/status/1570840288188592129
Deepfake audio has a tell – researchers use fluid dynamics to spot artificial imposter voices.
"This realization demonstrates that deepfake audio, even when convincing to human listeners, is far from indistinguishable from human-generated speech. By estimating the anatomy responsible for creating the observed speech, it’s possible to identify whether the audio was generated by a person or a computer."
By Logan Blue, Patrick Traynor
Ya know, when that lack of internal security gets noticed by the NYT... you have really "screwed the pooch".
It looks like a pretty basic phishing attack. And because Uber has lousy internal security, lots of people have access to everything. So once a hacker gains a foothold, they have access to everything.
This is the same thing that Mudge accuses Twitter of: too many employees have broad access within the company’s network.
Simon Willison on GPT-3 prompt injection attacks
The raid on the Remoteli bot was hilarious, demonstrating its potential for exploits.
Even More
Mac OS only
Interpreting XProCheck’s results and problems.
With the release of XProCheck 1.1 and its new feature to perform XProtect Remediator malware scans on demand, I’m getting more experienced at interpreting their results. Here are my current suggestions.
https://eclecticlight.co/2022/09/16/interpreting-xprochecks-results-and-problems/
Note this is how you handle bad reporting
Krebs on Security
Final Thoughts on Ubiquiti
Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.
(I believe they have pulled all the original reporting off their site)
https://krebsonsecurity.com/2022/08/final-thoughts-on-ubiquiti/
Tesla Hackers Have Found Another Unauthorized Access Vulnerability
It borrows tricks from typical radio-frequency relay attacks, but the implementation is exclusive to the most modern cars.
By Steve DaSilva
https://jalopnik.com/teslas-hackers-have-found-another-unauthorized-access-v-1849535920
And
More
Mac OS only
XProCheck 1.1 can now run XProtect Remediator scans on demand.
https://eclecticlight.co/2022/09/15/xprocheck-1-1-can-now-run-xprotect-remediator-scans-on-demand/
The Search for Dirt on the Twitter Whistle-Blower.
Many of Peiter (Mudge) Zatko’s former colleagues have received offers of payment for information about him.
By Ronan Farrow
https://www.newyorker.com/news/news-desk/the-search-for-dirt-on-the-twitter-whistle-blower
(a week old, but new to me)
New Linux malware combines unusual stealth with a full suite of capabilities.
Dubbed Shikitega by the AT&T Alien Labs researchers who discovered it, the malware is delivered through a multistage infection chain using polymorphic encoding. It also abuses legitimate cloud services to host command-and-control servers. These things make detection extremely difficult.
Dan Goodin
And
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
From Bruce Schneier
Responsible Disclosure for Cryptocurrency Security
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.
https://www.lawfareblog.com/rethinking-responsible-disclosure-cryptocurrency-security
(He doesn’t have any good ideas to fix this. I don’t either. Just add it to the pile of blockchain’s many problems.)
https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html
Web Pages Can Overwrite Your Clipboard
Jeff Johnson:
Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104. A public demonstration of the brokenness has been posted on Web Platform News. If you simply visit the demonstration page in Google Chrome or a Chromium browser, then your system clipboard will be overwritten with the text below.
Mac OS only
This is a follow up on XProtect Remediator.
Here is a nice little utility that examines Mac OS logs and tells you all the times XProtect Remediator has run, and what, if anything, it found.
XProCheck: a new utility to inspect anti-malware scans
https://eclecticlight.co/2022/09/05/xprocheck-a-new-utility-to-inspect-anti-malware-scans/
Mac OS only
I first reported on the arrival of XProtect Remediator. Now the flames are dying down, it’s time to consider some of the more important questions all that clamour and discussion has raised.
What is considerably more concerning, though, is how the user gets to know of what XProtect Remediator is up to. Let’s say one of its scans did detect malware such as XCSSET (DubRobber), and tried to remediate it. How would you know?
https://eclecticlight.co/2022/09/04/last-week-on-my-mac-breaking-the-silence/
The NSA has published criteria for evaluating levels of assurance required for DoD microelectronics.
DoD Microelectronics: Levels of Assurance Definitions and Applications.
Author(s)
National Security Agency
Cybersecurity Directorate
Joint Federated Assurance Center
Older Retired White Guy. Buddhist.
"Non nobis solum"
Likes trees better than people. Books better than trees.
"We Be The Humans"