Weekend Reads 012222


When you’re out and about, and especially when you’re traveling, you might find yourself feeling quite a bit of anxiety when logging into public Wi-Fi.


There are a lot of resources out there on Twitter, Reddit, and YouTube about this epic vulnerability. I wanted to create this post to summarize the main things I learned, ways to test it as pentester, and the mitigation controls that help prevent the exploitation of this vulnerability.


A Romanian vulnerability researcher has discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison the CDN caches and result in denial-of-service (DoS) attacks on the applications.


As we look ahead into 2022, the datacenter compute landscape is considerably richer than it was a decade ago.


In a perfectly regulated industry, both the industry and the public should be miffed at regulators for not fully supporting their issues.


One could argue that the last few years have highlighted some of the most pressing semiconductor industry issues but there are challenges on the horizon well beyond current supply chain and silicon manufacturing bottlenecks.


In light of recent incidents that impacted both information technology (IT) and operational technology (OT) environments, organizations are increasingly evaluating the risks associated with growing IT/OT convergence.


In this post, I want to go into more detail on how we use Suzieq to validate key aspects of the network, as well as Batfish, which we use for evaluating the validation process.


On the surface, ISO 27701 and GDPR are entirely different. The GDPR is a mandatory regulation for companies handling European data, and ISO 27701 is an extension of an optional certification, ISO 27001. Despite their differences, they contemplate many of the same considerations.


The Graviton family of Arm server chips designed by the Annapurna Labs division of Amazon Web Services is arguably the highest volume Arm server chips the datacenter market today, and they have precisely one – and only one – customer. Well, direct customer.


If you look at the past, patch management was not a cybersecurity issue; rather, it was an IT issue. And it wasn’t until the emergence of Code Red in 2001 when Microsoft started issuing patches to plug security vulnerabilities in its software.


Verizon and AT&T said on Monday that they have voluntarily agreed to further delay the rollout of their next-generation 5G wireless technology at the request of U.S. Transportation Secretary Pete Buttigieg.


During our 2021 Financial Institution Cyber Drill, 204 security professionals in 38 teams were given the task to act as ‘Incident Handlers’ and identify, investigate and provide recommendations to resolve these issues from the artifacts provided by BGD e-GOV CIRT.


Cybersecurity researchers have detailed a high severity flaw in KCodes NetUSB component that’s integrated into millions of end-user router devices from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others.


Leichtman Research Group recently conducted a nationwide poll of 2,000 households asking about broadband usage.


Proving that whenever you buy something new, a better thing immediately comes out, the PCI-Sig Group announced the release of PCIe 6.0 on Tuesday, which will double the raw data rates of the PCIe 5.0 technology that only just debuted in Intel’s 12th-gen ‘Alder Lake’ Core processors.


Physicists from Lancaster University say that we might be close to combining them into a single piece of hardware, which they call UltraRAM.


Not every manufacturing node comes out perfectly and not every one comes out on time, but in the past decade and a half, Taiwan Semiconductor Manufacturing Co, the world’s largest and most technologically advanced etcher of chips in the world, has done far better than any of its few remaining peers to push the chip manufacturing envelope while also maintaining consistent and profitable production of older nodes.


The attacker starts with a legitimate URL for a sensitive profile page but appends an invalid path component disguised as a static file — a style sheet.


The first half of the year saw massive ransomware attacks that affected parts of critical infrastructure all around the world, as well as a vulnerability in IT management software. This vulnerability targeted the public sector, credit unions, schools, and other essential services.


But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies.


Satellite broadband made the news again recently when the Chinese government said it had to adjust the orbits of the Chinese space station to avoid collisions with Starlink satellites. China claims it had to make adjustments in July and October of last year.


HTTPS was proposed to address this issue and has greatly improved security, protecting web traffic from eavesdropping and tampering. However, HTTPS doesn’t solve the problem of trust.


Despite the many benefits that public Wi-Fi has to offer, there are also some downsides that could be a reason to either avoid it altogether or take precautions to be safe when using it.

Weekend Reads 121721


Unfortunately, when engineers are entrusted with the task of delivering smooth video streaming to our users, we face numerous challenges from ‘last-mile’ wireless connections.


Exploit code has been released for a serious code-execution vulnerability in Log4j, an open source logging utility that’s used in countless apps, including those used by large enterprise organizations, several websites reported last Thursday.


The Tuesday outage at an Amazon Web Services data center affected services from several collaboration software vendors, highlighting how reliant companies have become on cloud providers for a variety of workplace tools.


Amazon.com Inc.’s ubiquitous cloud-computing network, the spine for a lot of digital communications and transactions across the U.S., went dark for several hours on Tuesday.


This is the hoarder’s mentality. “I can’t use this right now, but maybe I will some other time.”


More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities


So much for a quiet holiday season: CVE-2021-44228 (aka Log4Shell) may well be the most impactful vulnerability we’ve seen in years.


Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk of stealthy attacks.


In late 2021, the term Web3 began to increasingly appear in mainstream media outlets. This does not refer, however, to a sudden increase in interest in the Semantic Web as defined by Tim Berners-Lee, but rather to something entirely different.


It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.


At 10:30 p.m. PST on Oct. 6, Twitch released the following statement on its corporate blog: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”


The HDMI Licensing Administrator, the group that defines and licenses HDMI standards, has some confusing requirements around the HDMI 2.1 standard.


Intel issued a press release, unveiling various advancements in the fields of packaging, transistor, and quantum physics. The company has stated that these new findings were made in pursuit of Moore’s Law.

Controversial Reads 121021


In a highly anticipated decision, a judge of the United States International Trade Commission ruled in August that Google infringed five patents owned by speaker maker Sonos. The case charged Google with copying Sonos’ patented technology in its Google Home smart speakers.


If you’ve followed the news over the last few years, you’re probably convinced that we’re living in a golden age of conspiracy theories and disinformation.


Americans, and not just Americans, are well aware of how deep the dysfunction of the ruling factions runs. Many older ones remember the abuses of the Intelligence Community and the warnings against the Military-Industrial Complex; they have lived long enough to see the political resistance to the Community and the Complex shift, under pressure of deliberate policies, from the Left to the Right.


The rumors spread like wildfire: Muslims were secretly lacing a Sri Lankan village’s food with sterilization drugs. Soon, a video circulated that appeared to show a Muslim shopkeeper admitting to drugging his customers — he had misunderstood the question that was angrily put to him.


Antitrust has not had its moment since the 1911 breakup of Standard Oil. But this past year, policymakers and government leaders around the globe have been taking a hard look at the technology markets.


For well over a decade, I have been arguing that governments should create IT accident investigation boards for the exact same reasons they have done so for ships, railroads, planes, and in many cases, automobiles.


Yet risks remain, and once the genie is out of the bottle, they are often difficult to manage and contain—they range from unintended consequences and side effects to threats to privacy and loss or misdirection of control.


How can we change the field of computing so that ethics is as central a concern as growth, efficiency, and innovation? There is no one intervention to change an entire field: instead, broad change will take a combination of guidelines, governance, and advocacy.


Jerome Pesenti, Facebook’s VP of Artificial Intelligence, explains the changes to the face recognition system that have accompanied the very recent brand name change from Facebook to Meta…


The dominant regime of the electric age—“democracy” mediated and managed by corporate journalists, academics, experts—is being slowly eaten by a new cybernetic order, mediated by algorithm and increasingly not managed at all.


The metaverse is, as they say, happening. Mark Zuckerberg announced last month that Facebook’s parent company, now called Meta, will take the lead in building out an immersive, interactive, and ubiquitous network of virtual environments that he envisions as the next phase of the Internet.


When Google introduced Manifest V3 in 2019, web extension developers were alarmed at the amount of functionality that would be taken away for features they provide users. Especially features like blocking trackers and providing secure connections.


In preventing people like me from accessing Twitter despite plainly qualifying under their own terms of service — and in failing to provide the kind of communication Dorsey testified under oath occurs in situations like mine — Twitter is arguably engaging in fraud, telling the public one thing while engaging in the opposite.


Privacy law is manifested in practice as a litany of “Agree” buttons to consent to data collection and a series of long, convoluted statements of data collection practices that are supposed to give users enough notice about what companies do with our data to enable us to make informed decisions.


It’s been 24 hours since Jack’s resignation, and while I’m not really interested in the evolving loser drama surrounding the new CEO’s decade-old tweets, it is worth noting that Twitter has already updated its content policy in a manner that effectively makes citizen journalism impossible.


In one of the more unusual cybersecurity policing stories of the past year, the FBI announced in June that it had created its own company, called ANOM, to sell devices with a pre-installed encrypted messaging app to criminals.


In its response to Stossel’s defamation claim, Facebook responds on Page 2, Line 8 in the court document (download it below) that Facebook cannot be sued for defamation (which is making a false and harmful assertion) because its ‘fact checks’ are mere statements of opinion rather than factual assertions.


While GDPR has provided essential data protections for Europeans, it has also imposed substantial compliance costs on American companies seeking to do business in the bloc and forced many companies to cease their European operations.

Weekend Reads 121021


It is refreshing to find instances in the IT sector where competing groups with their own agendas work together for the common good and the improvement of systems everywhere. So it is with the absorption of the Gen-Z Consortium by the CXL Consortium.


What is open core? Is a project open core, or is a business open core? That’s debatable. Like open source, some view it as a development model, others view it as a business model.


From the recent writeup of the DNS work at the IETF its clear that there is a large amount of attention being focused on the DNS. It’s not just an IETF conversation, or a DNS OARC conversation, but a conversation that involves a considerable amount of research activity as well.


It seems like Antarctica’s McMurdo Station could be getting high-speed internet—a modern day luxury feature that could connect its remote laboratories (and seasonal tourist hub) to the rest of the world. The station is located on an island just off the northwestern part of the continent and is the largest US research hub on Antarctica.


“Your phone’s front camera is always securely looking for your face, even if you don’t touch it or raise to wake it.”


Organizations must improve their cybersecurity protocols to detect fraudulent identities and make sure they’re safeguarding their consumers’ personal information.


Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network.


Kubernetes Security is constantly evolving – keeping pace with enhanced functionality, usability and flexibility while also balancing the security needs of a wide and diverse set of use-cases.


Let’s say you’re tasked with selecting a strong authentication solution for your organisation. Where do you begin? This article is the first of a series that will explore authentication and authorisation technologies in the context of recent exploits and developing trends.


At the University of California, Riverside, we found the current design and implementation of modern OSes can lead to side-channel-based DNS cache poisoning attacks, namely SAD DNS (Side-channel AttackeD DNS).


If you’re looking for a rugged case for your phone or tablet, you’ve probably seen the terms MIL-SPEC or MIL-STD. But what do they mean? It’s a simple standard, but its appearance on product packaging is a complex topic.


Web 1.0 was from 1991 to 2004 when web users were consumers of content, and the web was a series of static websites. Web 2.0 emerged in 2004 as user-created content overtook static content. The big winners in this era have been the huge social media platforms that became some of the biggest companies on the planet.


Do-it-yourself is a great way to learn coding, but it’s a risky way to tackle complex application problems that have scant room for error, such as authentication and encryption.


Manifest V3, Google Chrome’s soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as “a step in the direction of privacy, security, and performance.”


At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.

Weekend Reads 120321


SpaceX had filed a new application with the Federal Communications Commission for a smaller dish, which just received approval yesterday.


Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads.


IBM unveiled a 127-qubit quantum computing chip called Eagle this week, showing off a new asset in the race to build the most powerful quantum computer.


Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home-working drove a surge in ransomware attacks that left them smarting from hefty payouts.


U.S. banking regulators on Thursday finalized a rule that directs banks to report any major cybersecurity incidents to the government within 36 hours of discovery.


After squandering its lead because of a half decade of problems modernizing its manufacturing, that’s where Intel has been headed.


General Motors (GM.N) aims to tackle the global semiconductor shortage with new designs built in North America, President Mark Reuss said on Thursday.


As telehealth and digital platforms cement their role in the post-pandemic future, it’s imperative for the digital health ecosystem to find ways of enhancing support networks, marking the transition from telehealth to tele-wellbeing.


There is currently no specific time frame during which banks must report to federal regulators that a security incident had occurred. A new notification rules changes that to 36 hours.


One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family.


DDR5 has barely hit the shelves, but Samsung has confirmed it’s already working on the next generation of RAM.


Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks.


Alternatively, the unencrypted variants of these protocols can be upgraded to encrypted connections via a mechanism called STARTTLS.


Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control.


In the field of artificial intelligence (AI) research, this article posits that it is tooling which has played a disproportionately large role in deciding which ideas succeed and which fail.


Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.


A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.


No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered as targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users’ credentials and carrying out further follow-on attacks.


To answer this, we at Waseda University have conducted a large-scale survey into the adoption of various DNS security mechanisms — DNSSEC, DNS Cookies, CAA, SPF, DMARC, MTA-STS, DANE, and TLSRPT — and in doing so identified what effects adoption rates.

Weekend Reads 111921


Kaspersky today publishes its Distributed Denial of Service (DDoS) Q3 2021 report, which found when compared to Q3 2020, the total number of DDoS attacks increased by nearly 24%, while the total number of smart attacks (advanced DDoS attacks that are often targeted) increased by 31% when compared to the same period last year.


IP fragmentation is a process that breaks large packets into smaller packets to allow them to more easily traverse a network. The process is common in the DNS, which is predominantly UDP based.


If you’ve been perusing cryptocurrency forums or video-game news recently—or spying everything from New York Times job listings to zany Twitter threads claiming that the traditional job interview is about to be replaced by blockchain-based “quests, adventures and courses to prove your worth”—you might have run into the term “Web3.”


When Facebook announced last month that it was rebranding as Meta, CEO Mark Zuckerberg enthusiastically described the metaverse his company would soon build, promising it would be a world “as detailed and convincing as this one” where “you’re going to be able to do almost anything you can imagine.”


In a previous blog, we shared how Paragon™ Pathfinder plays an important role in closed-loop automation by tuning the paths of RSVP or Segment-Routed Traffic Engineered LSPs according to changing conditions that it observes in the live network.


HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks.


Smishing messages usually include a link to a site that spoofs a popular bank and tries to siphon personal information. But increasingly, phishers are turning to a hybrid form of smishing — blasting out linkless text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text.


A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal.


The aviation industry told the White House on Tuesday it will take “significant time” to ensure it is safe for major U.S. wireless companies to use C-Band spectrum for 5G communications.


If you are responsible for a web server, you already use Transport Layer Security (TLS, the ‘S’ in ‘HTTPS’) to protect your users from man-in-the-middle attackers that could otherwise passively sniff website cookies or actively inject malicious JavaScript.


ECDSA is a digital signature algorithm that is based on Elliptical Curve Cryptography (ECC). This form of cryptography is based on the algebraic structure of elliptic curves over finite fields.


As many as 13 security vulnerabilities have been discovered in the Nucleus TCP/IP stack, a software library now maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, denial-of-service (DoS), and information leak.


A few months ago, Proofpoint, a leading vendor of data loss prevention software, filed a lawsuit against a former employee for stealing confidential sales-enablement data prior to leaving for Abnormal Security, a market rival.


On November 15, 1971, Intel publicly debuted the first commercial single-chip microprocessor, the Intel 4004, with an advertisement in Electronic News.

Weekend Reads 111221


We’ve had too many face-palm-worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket” or finding a supposedly “test” server exposed that had production data in it.


Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns.


2021 has already been a banner year for cybercriminals — the record-largest ransomware payment of $40 million was made by an insurance company this year. And the attacks won’t stop.


In the 2021 Domain Security Report, we analyzed the trend of domain security adoption with respect to the type of domain registrar used, and found that 57% of Global 2000 organizations use consumer-grade registrars with limited protection against domain and DNS hijacking, distributed denial of service (DDoS), man-in-the-middle attacks (MitM), or DNS cache poisoning.


When it comes to cybersecurity, risks are omnipresent. Whether it is a bank dealing with financial transactions or medical providers handling the personal data of patients, cybersecurity threats are unavoidable. The only way to efficiently combat these threats is to understand them.


‘Functional, free and secure by default’, OpenBSD remains a crucial yet largely unacknowledged player in the open-source field.


A new multistage phishing campaign spoofs Amazon’s order notification page and includes a phony customer service voice number where the attackers request the victim’s credit card details to correct the errant “order.”


Traditional security gives value to where the user is coming from. It uses a lot of trust because the user’s location or IP address (perimeter model) is used to define the user to the system. In a zero-trust model, we assume zero units of trust before we grant you access to anything and verify a lot of other information before granting access.


Up to the second half of the 19th century —with the exception of the industrial power Great Britain—the protection of inventions was inadequate and strongly disputed.


Two senators have introduced bipartisan legislation that would make it harder for online tech giants to make acquisitions that “harm competition and eliminate consumer choice,” according to the office of Sen. Amy Klobuchar (D-Minn.), one of the bill’s co-sponsors.


A team of tech companies including Google, Salesforce, Slack, and Okta recently released the Minimum Viable Secure Product (MVSP) checklist, a vendor-neutral security baseline listing minimum acceptable security requirements for B2B software and business process outsourcing suppliers.


Are you looking to get a VPN subscription soon? Before you get a multi-year subscription, make sure the VPN you choose has these six crucial features.


Death, taxes, and spam. It’s constant, ever-present, and you likely have a few hundred of them sitting in your Spam folder as you read this.


For those who follow the issue of blocking illegal content from the Internet, there is an interesting development in relation to this issue here in Germany, and I will tell you a little about it.


Neal Stephenson’s foundational cyberpunk novel Snow Crash brought to the public the concept of a metaverse, a virtual reality in which people interact using avatars in a manufactured ecosystem, eschewing the limitations of human existence.