Weekend Reads 041522

Quantum computing startups are all the rage, but it’s unclear if they’ll be able to produce anything of use in the near future.

A few years ago, Ken Crum started getting uncomfortable with how much of his life seemed to be online. The long-time computer programmer was particularly concerned by what companies appeared to know about him.

In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software.

The classic line “I have a bad feeling about this” is repeated in every Star Wars movie. It’s become a meme for that uneasy feeling that as bad as things are now, they are about to get much worse. That’s an accurate portrayal of how many of us feel about cybersecurity.

Wouldn’t it be funny if Google ends up being the stalwart supporter of the X86 architecture among the hyperscalers and cloud builders?

In 2019, the US Government Accountability Office (GAO) released a report highlighting the ten most critical legacy systems that needed modernisation.

The gold standard for retailers and financial organizations when it comes to protecting sensitive cardholder data, PCI DSS v4.0 shifts the standard’s focus to outcome-based requirements.

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

Artificial intelligence is an oxymoron. Despite all the incredible things computers can do, they are still not intelligent in any meaningful sense of the word.

The same qualities that make QR codes so valuable make them a legitimate threat to enterprise (and personal) cybersecurity.

A new report, which surveyed 1200 IT security professionals in 17 countries around the world, has shone a light on a dramatic rise in the number of organisations willing to pay ransoms to extortionists.

We’ve noticed a lot of samples of Android malware in the tor-hydra family have surfaced, masquerading as banking apps to lure unsuspecting customers into installing them. In this post, we will take an example of one such sample and analyze it using open-source tools available to anyone.

When there aren’t enough developers to go around, what can a company like Apple do to try and fix the problem? Two things, really – invest in global education in coding skills, and make its existing environments easier to use.

Here’s my interview with Brian Kernighan, co-author (with Dennis Ritchie) of The C Programming Language book, to discuss the C programming language and its 50-year history.

Weekend Reads 040822

These guidelines are not about finding a perfectly secure solution but about practical, immediate possible actions with respect to email, instant messaging, voice and video chats, and other important security measures to consider.

The governance of an IXP can deeply affect its development. The difficulty of stating a clear management policy for an IXP is the main challenge that limits the growth, sustainability and success of IXPs. In the past years, there have not been enough initiatives that support creating such policies for IXP management.

European telecommunication service providers are being pushed to pick up the pace regarding 5G adoption. However, the next-gen technology requires immense data capacity and transmission speeds, thus setting up the new infrastructure is no easy task for telcos.

With businesses around the globe—especially in the United States, Canada, and Western Europe—bracing for potential cyber-attacks orchestrated by Russia or its hackers, a leading cyber security firm is warning most software upgrades are not adequately addressing the most vulnerable component of the “modern cyber-attack surface.”

Now, a new lawsuit is giving consumers an unprecedented peek into this opaque world, and illuminating just how easily a data broker can lose control of the user information it collects.

Sure, a standard membrane keyboard will get the job done, but the long-lasting keys and trademark tactile responsiveness of mechanical keyboards offer a premium experience that many people swear by. If you’ve ever remarked with dismay about a keyboard’s “mushiness,” a mechanical keyboard might be just the thing you need.

But none of these digital payment options are really like cash. Unlike paper money, they require both an internet connection and a bank account to use. Above all, they lack what has long made cash the preferred medium of civil libertarians, dissidents, and criminals alike: privacy. The only kind of money that leaves no paper trail is paper.

Verizon and AT&T’s recent 5G rollout could put them in a better position to compete with T-Mobile, which has had similar tech rolled out for years, according to data from Opensignal.

One tool in particular is the NIST Cybersecurity Framework, which is a free resource developed and provided by the U.S. government. Let’s dive in.

Back in 2018, NotSoSecure published an Out of Band Exploitation (OOB) CheatSheet. In that document, they cover methods by which you can exfiltrate data. One of these uses files written to disk and multiple DNS queries to send large chunks of data.

In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Data exfiltration is a technique used by malicious actors to carry out an unauthorized data transfer from a computer resource. Data exfiltration can be done remotely or locally and can be difficult to detect from normal network traffic.

Remember when only a couple of variations of processors were available for servers in any given generation of server CPUs? There might have been dozens of vendors, but they didn’t give a lot of choice. Today, we have a handful of server CPU designers and only a few foundries to do the etching, but the variety of compute engines is staggering.

While the global economy faced the challenges caused by the pandemic and society embraced new trends, the domain industry continued to expand thanks to the ongoing push toward digitalization.

The connected, embedded sensors and devices that make up the Internet of Things (IoT) contain software that provides these systems with their “intelligence.” All software contains millions of lines of code, and these inevitably contain some mistakes.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

DNS over QUIC (DoQ) is currently being standardized within the DNS PRIVate Exchange IETF working group. The design goal is to provide DNS privacy with minimum latency, for which DoQ uses QUIC as the underlying transport protocol.

An independent security researcher has shared what’s a detailed timeline of events that transpired as the notorious LAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January 2022.

Vodafone is among the private sector’s latest victims to the damaging reputational impact of cybercrime — and it won’t be the last.

Whether it’s PCI-DSS, SSDLC, or GDPR, the criteria that security standards expect businesses to uphold are neither realistic nor feasible.

So the shortage isn’t just affecting the availability of current gadgets. The lack of chips is already fueling changes in the design of future products, delaying the next generations of devices, and forcing engineers to come up with all manner of Plan Bs, according to a new survey from Avnet.

Weekend Reads 040122

An FBI intelligence memo from March 18 obtained by CBS has revealed that currently 140 or more Russian-based IP addresses are conducting “abnormal scanning activity” of companies in the U.S. energy sector.

In this second part, I lay out a set of recommendations for ways to help ensure that these entanglements of industry and academia don’t grant companies undue influence over the conditions of knowledge creation and exchange.

AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.

NVIDIA today unveiled powerful new hardware to serve as the key building blocks for its vision to transform data centers into “AI factories,” unleashing new frontiers in technical computing.

More recently, there’s been a growing trend across government and regulatory bodies in the United States towards shorter timeframes for reporting of cybersecurity incidents. Here’s a brief rundown of the recent activity.

The technique for adding 3D vertical L3 cache to the processor complex is very interesting, and gives us a preview into how chip real estate might be better utilized in the near future in all kinds of chips.

One of the main challenges of OT security is the problem of compatibility. OT components often differ significantly from each other in terms of age and sophistication as well as software and communication protocols.

But rather than a few large security-focused companies driving consolidation, the acquisition activity suggests that the big winners will be large cloud companies that better integrate cybersecurity into their services and offer new products and services based on their expertise.

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

However, there is a fundamental question of when it is appropriate to act at the DNS level and the evaluation of whether the alleged abuse meets a sufficient threshold for action at the DNS level.

In March 2022, NSA & CISA have issued a new version of the Kubernetes Hardening Guide – version 1.1.

Victims of ransomware attacks face the excruciating choice of either paying off their attackers or risking considerable disruption in attempting to restore encrypted data on their own or — as is often the case — with the help of an incident response firm.

As major businesses feel a growing sense of urgency to dramatically cut carbon emissions, opinions are starting to shift in favor of nuclear power, which is not classed as clean, but is a near-zero carbon energy source.

Our realization was that since there are far fewer bad guys than systems we want to defend, stopping the bad guys, rather than defending each system, provides a scalable solution.

Binding arbitration seems like a sensible path to choose between two companies doing business. I’ve assisted in several binding arbitration complaints between carriers, and it’s faster, more efficient, and less costly for companies than wading into the court system.

Weekend Reads 032522

A Chinese national was recently caught entering China with 160 Intel processors strapped to his body, an act that customs officials say amounts to smuggling.

In 2022, Facebook has 2.91 billion active users, making it the most-used social media platform. But to me, it will always pale in comparison to early MySpace.

As a CSIRT consultant, I cannot overemphasize the importance of effectively managing the first hour in a critical incident.

A few weeks ago, $3.6 billion in bitcoin was seized from a Manhattan couple who were arrested and charged with money laundering in connection with a 2016 hack on the Hong Kong cryptocurrency exchange Bitfinex. It was the largest financial seizure in the Justice Department’s history.

In a low-light Culver City control room, Lily Shaw is getting her pilot mood on.

This is not the first war in the digital age. But the role played by digital technologies and tech companies in the conflict is in many ways unprecedented.

Economic Denial of Sustainability (EDoS) is a cybersecurity threat targeting cloud environments. EDoS attacks exploit the elasticity of clouds, particularly auto-scaling capabilities, to inflate the billing of a cloud user until the account reaches bankruptcy or large-scale service withdrawal.

I believe there is a significant lesson learned in how we approach our supply chain in the data center market moving forward, and that is increased visibility for all parties involved.

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

For example, we are still living in a golden AI summer with ever-increasing publications, the AI job market is still global, and there’s still a disconcerting gap between corporate recognition of AI risks and attempts to mitigate said risks.

It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple.

When thinking about computer security, you probably consider your PC and phone first and foremost. But there’s a lot of hardware between you and the nebulous malefactors of the internet, and it’s important to make sure all of it is secure.

Whenever demand exceeds supply, inflation is inevitable. And it is not at all surprising to find that in certain sectors of the networking space, the cost of bandwidth is flattening out instead of decreasing and in some cases is on the rise.

Cyber-insurance policies typically have “war exclusion” or “hostile act exclusion” language built into them. This language essentially says that insurers cannot defend against acts of war.

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

Controversial Reads 031922

If you work in advertising or marketing, you’re probably aware of Apple’s privacy efforts over the last year. Apple now requires apps to ask customers if they want to ‘opt-in’ to allow behavioral data tracking.

Among gamers and parents and even within the medical community, there’s disagreement about whether gaming addiction is real.

When discussing our relationship with technology, for whatever reason—whether it’s due to aimless maximum engagement algorithms, the ruthless economic incentive structure of the global market, or just our own sheer inability to think critically in the face of incessant propaganda—we’re led to believe that there are only two possible paths from here: 1. Integration with Technology or 2. Luddism.

I was struck by how easily he assumes that large doses of data, math, and computing power make computers smarter than humans. He is hardly alone, but he is badly mistaken.

When Shiri Melumad was working on her doctorate in 2012, she found herself reaching for her smartphone during moments of stress, before a tough exam, for example. She didn’t always use it, she just held it. It was comforting.

There is an estimated $12 billion market of companies that buy and sell location data collected from your cellphone. And the trade is entirely legal in the U.S.

In contrast, what is the conservative solution when approaching a problem of corporate excess? Unfortunately, that is the problem conservatives now confront with Big Tech, the enormous corporations that control what Americans can do and see online with almost no government oversight.

One side argued that Millegan’s personal beliefs had nothing to do with his role at ENS, and besides, cancel culture is a web2 thing, not a web3 thing. The other side took the “Well why should we support and work with an asshole” stance.

We do know the roughly 40-foot-long piece was part of a rocket that went up five years ago to carry the National Oceanic and Atmospheric Administration’s Deep Space Climate Observatory more than 600,000 miles into space.

All three cases were eventually dropped, but in Parks’ case, that took almost a year, including 10 days in jail. The cases shared some commonalities.

As the debate about how to rein in Big Tech and its anti-competitive practices continues, news publishers and telecommunications providers are increasingly calling for large pay-outs from major platforms. However, these proposals risk restricting users into ever-smaller walled gardens and cementing the dominance of a few big players.

Research about the influence of computing technologies, such as artificial intelligence (AI), on society relies heavily upon the financial support of the very companies that produce those technologies.

Sanctions that affect Internet traffic have been under-discussed for a long time. As a result, it’s as yet unclear to what extent sanctions might affect Content Delivery Networks (CDNs) and traffic destined for or coming from Russia.

With the troubling news of the recent invasion of Ukraine by Russia, the specter of a cyberattack by a nation-state on the US looms as a threat yet again. However, this time may be different, especially if the US and its allies respond with any kinetic, real-world attacks or resources.

Weekend Reads 031722

We should instead be choosing authentication processes that appropriately match site risks; using a password should be the last thing you want to rely on.

Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission (SEC) on Wednesday takes effect.

Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm, and stage speculative execution attacks such as Spectre to leak sensitive information from host memory.

The directive was accompanied by a catalog of known exploited vulnerabilities maintained by CISA that includes mandatory remediation deadlines. Essentially, it means “fix these fast or else” for applicable agencies and organizations.

Just being aware of surveillance has chilling effects in how we exercise speech, which is often under attack by all sorts of actors from criminals to our own governments.

Threat actors have been observed abusing a high-impact reflection/amplification method to stage sustained distributed denial-of-service (DDoS) attacks for up to 14 hours with a record-breaking amplification ratio of 4,294,967,296 to 1.

Since its birth, Yara has become a common ground to exchange threat signatures between cybersecurity researchers. It is quintessential for identifying known or related malware, as well as hunting for malware artifacts.

Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.

Companies in Europe and beyond are vying for control of the crown jewels of the connected car era: your vehicle’s data.

We joked around, the board voted yes, and we emailed the file to an in-house legal team. A little more than a year later, our application for carbon footprint tracker was published.

Weekend Reads 031122

The big ISPs all lobbied hard against the net neutrality rules, but the CEO of every big ISP was on the record at least once saying that the net neutrality rules were not a big deal and that they could live with net neutrality. So why did the big carriers lobby so hard about what the FCC was doing?

VESA, which makes the DisplayPort spec, today announced a certification program aimed at helping consumers understand if a DisplayPort 2.0 cable, monitor, or video source can support the max refresh rates and resolutions the spec claims.

Over the past week, the Akamai researchers said, they have detected multiple DDoSes that used middleboxes precisely the way the academic researchers predicted. The attacks peaked at 11Gbps and 1.5 million packets per second.

The metaverse, as Microsoft Corp. and Facebook parent Meta Platforms Inc. would have us call it, raises a remarkable prospect: For the first time, all of the technology giants are going to compete over the same turf.

A group of academics from the North Carolina State University and Dokuz Eylul University have demonstrated what they say is the “first side-channel attack” on homomorphic encryption that could be exploited to leak data as the encryption process is underway.

In a little-noticed report, the US Patent and Trademark Office (USPTO) concluded that after a multifaceted analysis, it is clear that “no single firm is ‘winning’ the 5G technology race.”

For several years, many within ICANN circles have raised concerns about the escalating nature of domain name system (DNS) abuse.

A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue.

A broad range of industry stalwarts, like Intel, AMD, Arm, TSMC, and Samsung, among others, introduced the new Universal Chiplet Interconnect Express (UCIe) consortium today with the goal of standardizing die-to-die interconnects between chiplets with an open-source design, thus reducing costs and fostering a broader ecosystem of validated chiplets.

The launch of AMD’s upcoming Ryzen 7 5800X3D processors is close, but a new leak tells us that it might be just a couple of weeks away.

AT&T recently announced multi-gigabit broadband plans on its fiber connections. The company has priced 2-Gbps broadband at $110 per month and 5-Gbps broadband at $180.

There is another kind of spyware that is more prevalent and much more likely to affect the average person: the consumer-grade spyware apps that are controlled by everyday people.

Organizations leaked more than 6 million passwords, API keys, and other sensitive data — collectively known as development “secrets” — in 2021, doubling the number from the previous year, according to a new GitGuardian report published today.

FPGAs can be customized to accelerate key workloads and enable design engineers to adapt to emerging standards or changing requirements. They contain an array of programmable logic blocks, as well as a hierarchy of reconfigurable interconnects that allow blocks to be wired together to process specific functions.

Bootstrapping a DNSSEC delegation therefore requires that the parent has authenticated knowledge of these parameters. However, no standard for authenticated sharing of these parameters has emerged so far. This lack of protocol is a major obstacle for the widespread adoption of DNSSEC.