Recent Comments



May 5, 2016 4:21 PM

Nick P on Credential Stealing as an Attack Vector:

@ Jeroen

Wait a sec. I knew he conned his way into VMS systems. But he actually obtained its source code, too? And published that code... where? ;)

May 5, 2016 4:03 PM

ianf on Friday Squid Blogging: My Little Cephalopod:


@ Dirk Praet wrote on April 28, 2016 7:20 PM

[…] “most of the Paris-Brussels attackers fit the typical profile of good-for-nothing douchebag losers aspiring to be Hollywood gangstas but who would have failed life - and even petty crime - in any society. The only difference being that in the countries their fathers came from they would have been incarcerated a long time ago instead of being allowed to develop impressive rap sheets before eventually being recruited by Da'esh.

Read this analysis of (probable but neither proven nor unequivocal) existence of an undetected wide bandwidth ISIS.eu back channel to Syria for relay of—NO JOKE—one Khalid's Dreams of Jihad. I can't make heads or tails out of it, but apparently @thegrugq could.

Source: http://boredjihadi.tumblr.com/post/142889314077/three-dreams-of-a-brussels-bomber

May 5, 2016 3:58 PM

albert on Credential Stealing as an Attack Vector:

@Clive,

"...better paid work outside of the academic environment..."

The Devil you say!

College administrators are vastly overpaid. Six figures (seven for CEOs) in big schools, and just like their Corporate Counterparts, they are adopting the CCs' greed as well.

. .. . .. --- ....

May 5, 2016 3:45 PM

ianf on Friday Squid Blogging: My Little Cephalopod:


[I'm clearing up the backlog, some of it way past its sell-by-date, so it's mostly FYI & Having Me Say]

@ Clive Robinson said:

[…] “Due to the security policy put in place in the 1980's by Margaret Thatcher, the actual truth about the bomba/bombe differences did not come out [until post-1989, nor was it helped] by historians who had no actual contact with either the Polish or British cryptanalysis of the Enigma.

Given the grave sins of Thatcher, I don't think we need to burden her slate with instituting a harsher security policy than that blanket atmosphere of secrecy over Britain's hidden wartime doings that's been in force since the war ("Loose lips sink ships" etc.). And if she expanded upon that, then she in all probability mostly codified what up to then were consensual old-boys' club agreements. The Cold War, unmasking of Klaus Fuchs, the "missile gap," Soviet expansionism and other such events all played their "motivational" rôle.

It is not my intention to "outbid" your experience of ill effects of the Official Secrets Act etc., but I suspect that for each D-noticed news item about Bletchley Park, there was a veritable black hole (or, better yet: blanket ignorance of its mere existence, ergo absence of) in regard to prewar Polish work on the Enigma. I first heard of it from an expat star programmer who actually studied it for his mid-70s math dissertation, but then I thought little of it. Forward ~20 years, and I'm writing a piece on mystery airplane crashes, one of them the 1943 RAF Liberator lost on take off from Gibraltar. For that I interview a couple of white-haired ex-Polish WWII army gents in Sussex. That's when the Enigma, and other uncredited Polish contributions to the war effort, makes A BIG SPLASH in their narrative alongside umpteen crash conspiracy theories that they espouse. Nobody ever asked for their opinion on any of these matters, so now I'm the designated slush pile-keeper of the flame. I try to get some confirmation, not less from @sciencemuseum that had an exhibit on wartime comms technology, but draw mostly nil about it (the embassy's cultural attaché sends me to their military attaché who interrogates me for the "behind" reasons of my interest… then I discovered that the position was "vacant"). Took me another decade to find out the extent of it… but that's another story.

Where topic “releasing poor quality code as [company or management] policy” is concerned, there are NO BIGGER CRIMINALS than Bill Gates and Paul Allen, who turned shoddy software into the norm of the budding microcomputer industry. All the way from acquiring on the sly the QDOS (=Quick and Dirty OS from another Seattle company, Q and D standing for "untested outside the range of narrowly defined, known command parameters"), rebranding it and delivering to the client as the MSDOS 1.0 for its IBM PC. And it's been downhill from there.

    Every time I see BG on TV promoting his New! Benevolent Philanthropist's Strategies, I SHOUT "you are whitewashing your crimes with the cash, sweat, and stress of the myriads of Microsoft's victims.” The money should be refunded and he should be put away for life.

More on that your conversation about releasing poor quality code as a policy found among the comments to the referenced piece Have Software Developers Given Up?:

http://www.hanselman.com/blog/EverythingsBrokenAndNobodysUpset.aspx

May 5, 2016 3:15 PM

ianf on Credential Stealing as an Attack Vector:


You're quite right, Clive, I mixed things up. It was a serial interface, a DB9 plug the way I remember it, which I somehow confused with the (more common in printers) Centronics interface. I learned that direct PS input technique at a MacWorld conference in SF 1987?, though it may have been access to a built-in test/demo routine, rather than to the rendering engine.

May 5, 2016 3:01 PM

Curious on I'm Writing a Book on Security:

@ianf

I already indicated how "idiocy" as a word would be interpreted as derogatory, or rather, as an insult I should have written instead, so I don't understand your point here.

Besides, I am sure that "idiot" and "idiocy" do NOT have an unequivocal meaning in an English milieu public setting. Pretty sure "idiot" and "idiocy" are an old form of psychiatric diagnosis, probably related to having so called low IQ.

May 5, 2016 2:52 PM

ianf on Friday Squid Blogging: Global Squid Shortage:


Here's a competition in the spirit of Alan Turing's Imitation Game that goes beyond mere Turing Test, and poses a question "what if algorithms went beyond their jobs as mediators of human culture and started to create culture themselves?"

    More specifically, what if a piece of code/ custom algorithms were able to make a dance music mix (out of a given set of tracks and sound modifying techniques); write a sonnet; or a short story (either seeded with a word or a short phrase), and end them being judged as statistically indistinguishable from such created by a human?

What if this https://goo.gl/QBgPtj was a reality?

We'll find that out on/after the 18th of May when the submissions will be evaluated and judged.

More at: http://bregman.dartmouth.edu/turingtests/node/1

and

https://theconversation.com/looking-for-art-in-artificial-intelligence-56335

May 5, 2016 2:38 PM

Jeroen on Credential Stealing as an Attack Vector:

Currently reading Ghost in the Wires. Can highly recommend the book, but I did not read The Art Of books so I cannot compare.

From what I gathered, Mitnick received the Powerbook G4 from Woz 3 years after he got out of jail (2003 and 2000 respectively) when "his ban from electronic devices" ended.

And yeah, it's rather relevant in discussions like these. He never caused financial harm, but he was good at phreaking and especially social engineering. He used phreaking and social engineering to obtain the source code of SunOS, NetWare, VMS, and firmware for cellphones so he could modify them. He also used those techniques to stay ahead of the Feds.

May 5, 2016 1:50 PM

Who? on Own a Pair of Clipper Chips:

Is the clipper chip weak yet? Perhaps no one at the NSA remembers right now how its backdoor works!

May 5, 2016 12:50 PM

Brandon on Julian Sanchez on the Feinstein-Burr Bill:

It's such a badly written bill that I wonder if it's just there to anchor us to an extreme, so we're relieved when the actual bill comes along.

That's what happened, with SOPA, right? I seem to recall a bill was very quietly passed about a week after SOPA was defeated, which did basically the exact same thing everybody had been protesting about.

May 5, 2016 12:46 PM

Brad on Own a Pair of Clipper Chips:

I guess everyone knows Marcus Ranum is using a buggy version of the Lastpass extension given the weird lastpass javascript appended to the auction description.

May 5, 2016 10:49 AM

Clive Robinson on Credential Stealing as an Attack Vector:

@ ianf,

I used to astound onlookers at trade fairs by hooking up a VT100 terminal to an LW's parallel port, interactively type in a string of Postscript instructions to its onboard interpreter...

You may be getting a bit confused here or not saying things correctly.

Postscript is a "Forth like" stack based language, early Postscript printers had bidirectional serial interfaces such that error messages could be sent back to the print control program. The problem with parallel interfaces is that data wise they are one way. So later printers had both a parallel interface for speed and a bidirectional serial interface for error messages and the like.

The VT100 range of terminals were serial in nature and some (DEC) had a local printer port as well. From what I remember of the DEC printer ports they were serial as well, and you had to fit a loopback interface onto the bidirectional serial line interface to be able to type reliably to the printer interface.

It is something like a third of a century since I messed around with Postscript (certainly it was before it became Level 1 when Level 2 came out in the early 90's) what I was trying to do was upgrade a "Cambridge Ring" box I had designed to talk to the IEEE instrument interface so that it could dump vector graph plots to the postscript printer without having to clog the network up. A few people showed interest but not enough so it died when I went to find better paid work outside of the academic environment.

May 5, 2016 10:42 AM

z on Own a Pair of Clipper Chips:

The ironic thing is that as bad as the Clipper chip was, it was probably better than our current default of no voice encryption at all. Sure the gov could eavesdrop on the Clipper chip, but now they don't even have to demand an escrow key.

Sigh.

May 5, 2016 10:36 AM

Renato Golin on Own a Pair of Clipper Chips:

+Paul, if the device has a back-door, then he also has the decryption wrong. :)

May 5, 2016 9:48 AM

Nick P on Friday Squid Blogging: Global Squid Shortage:

@ Wael

"Why don't you help my memory with a link to this atrocious subject matter? "

Oh yeah, so you can merge the shittiest discussions on the blog into one huge, cross-linked pile. I think not.

"I don't usually enjoy the long-form fluff pieces like this, but you hooked me stink-line-and-sinker with the refined skill that's usually reserved for semi-professional fishing boats! ;-)"

Well, that's where those reading skills I mention come in handy of skimming, going to conclusion first, and so on. In this case, conclusion is quite rewarding. Makes me want to do some statistically-significant replications with control groups. Might find a cure for my own stomach problems. Everyone's getting a blood test for HIV and shit first, though. ;)

"The best tidbit of information I gleaned from this article is the assumed fact that the Argonne National Laboratory will sequence genome samples for anyone at a price under $60USD!!"

Blew my mind, too.

@ Clive Robinson

"Whilst not totally faux/pseudo science. I personally think it is like some of the more recent bio-metrics that get over hyped in the reliability / unvariability side."

Three biometrics that you won't see me use are sticking my tongue into anything (already exists), my shit (might be in motion), or sticking my dick in something. These are just asking for the worst, denial-of-service attacks you can imagine. Plus the worst someone else can imagine. Plus, I'm sure I can make a formal proof of non-recoverability for some of them.

May 5, 2016 9:40 AM

Nick P on Credential Stealing as an Attack Vector:

@ tyr

Oh yeah, that must have irritated the hell out of the Feds. Didn't know about Woz giving him a welcome back present. That's pretty cool. Aside from his book, only thing I saw on him was a show he did with TechTV's Leo Laporte right after release. He seemed like a fun guy to be around. I think he was on probation from computers for some time but directed others to do hacking for security consultations. Haha.

May 5, 2016 7:05 AM

Paul Renault on Own a Pair of Clipper Chips:

"Marcus Ranum is selling a pair on eBay. He has the decryption wrong, though."

Uh, I think that it's the Clipper chip which has the decryption wrong. What Marcus has, I'm guessing, is the description wrong. ;->

May 5, 2016 7:03 AM

Clive Robinson on I'm Writing a Book on Security:

@ ianf, Curious,

Playing lexicon redefinition games seldom pays off.

It can also bring you a world of hurt.

There was news a few days ago of a judge deciding that someone describing themselves as a "hacker" was obviously a criminal, thus signed off on a warrant...

With that level of "idiocy" in the judiciary no wonder democracy is going to hell in a handcart, as fast as though it was pushed off a cliff edge (with the same expected outcome).

May 5, 2016 7:03 AM

ianf on Credential Stealing as an Attack Vector:


@ tyr's fave moment when Woz gave Mitnick a shiny new Apple top product as a getting out of jail present.

One of us misremembers things, could be me. As I recall—it's been a while, and, anyway, I might have conflated things—part of KM's conditions for release from prison was him keeping away from computers for some additional years. So what was it that Woz could have given him… a LaserWriter?

Nah, couldn't have been that either, as for a time around then-Mitnick fame, it was the most powerful and memory-laden Apple product. In fact, I used to astound onlookers at trade fairs by hooking up a VT100 terminal to an LW's parallel port, interactively type in a string of Postscript instructions to its onboard interpreter concluded by the 'showpage' command, and have it spit out a page with e.g. black square followed by an onlooker's first name █… Cheap Thrills City.

May 5, 2016 6:58 AM

Dirk Praet on Documenting the Chilling Effects of NSA Surveillance:

@ Rolf Weber

I just gave some examples that responsible politicians and courts actually distinguish between "mass collection" and "mass surveillance".

Err, no. Privacy Shield is probably the best example of desperate politicians and lobbyists trying to introduce artificial distinctions to strike a political agreement on the core of an issue that most probably will not even pass the smelling test in court. It's on par with banning reincarnation and outlawing global warming.

You realize that the topic here is the alleged "chilly effects" caused by the 702 programs?

Unlike you, most other people here are actually looking at the bigger picture.

All with the help and consent of local authorities, and all (with the exception of the "playground" Bahamas) are/were in crisis areas.

Ah! Consent of local authorities does not make mass surveillance mass surveillance. Interesting point.

Germany's G10-Kommission is comparable to FISC. But the G10-Kommission is not even a court

Exactly my point. I was asking for something that actually pretends to be a court. Like the FISC does. Not an entity that inception-wise looks more like a parliamentary equivalent of Obama's executive Disposition Matrix Committee. As to their decision ratio, it's kinda hard to assume anything since - contrary to the FISC - there are no data available whatsoever.

First you said that the USG argued *post-Snowden* solely with terrorism, and now you come with *pre-Snowden* law amendments.

Please try to read my comments correctly. I said that much, if not most, of the legislation the NSA programs are based on was sold to parliament(s) as counter-terrorism. Post-Snowden, when media and general public started to ask questions about these programs they were blissfully unaware of, they were told the same.

What you claim is that said laws and programs were never just about terrorism. Which is actually what we've been saying all along, despite all the "terrorism" spin and lies by government and IC officials. So who is actually waking up to the smell of napalm here?

I'm largely offline the next couple of days, so don't expect any timely responses

Feel free to take a couple of years to think things through.

May 5, 2016 6:50 AM

Democratic Front for the Reunification of the Fatherland on Credential Stealing as an Attack Vector:

This is equally true on a macro societal scale. The secret police don't just steal passwords and certs from your boxes. They also steal the credentials for legitimate government authority: your elections.

http://www.madcowprod.com/2016/04/28/the-rigged-democratic-primary-in-new-york/

http://www.madcowprod.com/2016/04/28/election-company-in-ny-primary-has-arm-long-rap-sheet/

Just look at the crooked mobbed-up cesspool that is your electoral process. The system is shot through with technical and procedural overrides installed by organized crime, beltway bandits, NOCs - all the traditional CIA cutouts. Your democracy is fake.

May 5, 2016 6:32 AM

ianf on I'm Writing a Book on Security:


@ Curious,

whatever may be your private definition of idiocy, better get used to the fact that, in English milieu public settings, it unequivocally means extreme, overt and/or intentional stupidity on the part of its "practitioner(s)." Playing lexicon redefinition games seldom pays off.

May 5, 2016 4:21 AM

Curious on I'm Writing a Book on Security:

For anyone interested in language, I highly recommend watching all of Prof. Paul Fry's lecture videos on youtube (US Yale University iirc), about "introduction to theory of literature". The two first parts (the introduction) and the last part alone should be interesting to anyone that doesn't have the time to watch it all.

The perhaps most interesting aspect of these videos imo, is the very idea of making use of critical thinking, in basically recognizing that knowledge is not easily communicated.

Ofc, I should perhaps flag myself as being an agnostic (a person who does not believe or is unsure of something), so true knowledge as such is not something I believe in.

https://www.youtube.com/watch?v=4YY4CTSQ8nY&list=PLD00D35CBC75941BD

May 5, 2016 4:02 AM

Curious on I'm Writing a Book on Security:

To add to what I wrote:

When I use words like "idiocy" or "idiot", I never use them as a negative derogative term. To me, idiocy only means something 'idiosyncratic'. Idiosyncratic, in turn, I have always interpreted as being 'by power of oneself'.

So I hope people here don't get weirded out by me using such words. It isn't really meant by me to be thought of as demeaning or anything.

May 5, 2016 3:59 AM

Curious on I'm Writing a Book on Security:

@Jon K

As I see it, "trust" is something utterly vague and nonsensical if not having been specified, as in someone stating verbally for example "I trust that tomorrow if there aren't any clouds in the sky, I will see the sun shining at daytime". And then, after a second, he might add "Assuming of course, that I am free to be out in the open and at some place that doesn't have an obstacle obstructing my view to see the sky where the sun might be." And then, adding, "And also, that I am wide awake, and at my full senses, with my eyes not being obstructed from seeing the sky and the sun."

And so, trying to express any kind of personal opinion, belief or statement that would be required to be interpreted as something personal, as if something subjective, that is not easy, if the language sense is based on generalizations, or pure idiocy (something idiosyncratic, like making a point about making a point about some topic).

Afaik, it is only meaningful to talk about "trust", if 'trust' as such is something very specific, and more importantly, not being something metaphorical, as for example, when talking about the trust about a group of people you perhaps have not even seen or spoken to, or heard from. So imo, any kind of idea based on implied trust (the vague stuff), only makes sense if portrayed that way, but then again, that kind of "trust" isn't 'trust' as such, but only in name as a single word.

May 5, 2016 3:55 AM

David on Credential Stealing as an Attack Vector:

Reading the comments it's clear that the debate between 'sexy infiltration' and 'non-sexy infiltration' is as prevalent as ever. Seems to me that as long as the human remains the weakest link in the chain (and that's not going to change any time soon) obtaining credentials through social engineering will be the easiest way to get into any system. It has the advantage that you know the credentials are valid, you can target credentials that get you into the parts of the system you want, and by definition, no detection system looking for unauthorised access is going to be triggered by a valid user. Plus of course, all the encryption in the world is no defence if the 'person' accessing the data is allowed to read it.
Of course you have to patch and detect, but until we go back to basics and educate and support the users we've lost at least half of the battle.
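David's point above is that an authorisation check cannot tell a stolen password from its owner, so detection has to look at how a valid account is being used rather than whether the credentials were valid. The following is an added example, not code from the original thread or from any commenter: a small baseline-deviation detector run over a constructed sample of successful logins. It learns each user's usual source IPs, devices and login hours from a warm-up period, then flags later logins that use a new IP or device, fall outside the user's usual hours, or imply impossible travel between two successive logins. All log lines, thresholds and field layouts are assumptions made for this example.

```python
"""
Baseline-deviation detection over successful logins (added example, not
code from the thread). Every line of SAMPLE_LOG is constructed; the field
layout (timestamp user ip device lat lon) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner counts as impossible travel
HOUR_TOLERANCE = 2           # hours either side of a known login hour are normal
BASELINE_END = datetime(2016, 5, 5)   # logins before this only train the baseline

# Constructed sample: only logins where the password was *accepted*.
# Day one builds baselines; on day two alice's account is used from a new
# device in San Francisco 26 minutes after a London login, and bob logs in
# at 03:12 although he is only ever seen around 09:00 and 17:00.
SAMPLE_LOG = """\
2016-05-04T08:02:11Z alice 203.0.113.10 dev-a1 51.50 -0.12
2016-05-04T09:15:45Z bob 198.51.100.7 dev-b1 40.71 -74.01
2016-05-04T12:40:03Z alice 203.0.113.10 dev-a1 51.50 -0.12
2016-05-04T17:50:09Z bob 198.51.100.7 dev-b1 40.71 -74.01
2016-05-05T03:12:20Z bob 198.51.100.7 dev-b1 40.71 -74.01
2016-05-05T08:05:30Z alice 203.0.113.10 dev-a1 51.50 -0.12
2016-05-05T08:31:02Z alice 192.0.2.55 dev-x9 37.77 -122.42
"""


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, dev, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "dev": dev,
            "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, baseline_end):
    """Return (user, timestamp, reasons) for logins that deviate from baseline.

    Profiles are learned from every baseline-period login and from later
    logins that raised no alert; flagged logins do not update the profile,
    so a foothold gained with stolen credentials does not become "normal".
    """
    profiles = defaultdict(lambda: {"ips": set(), "devs": set(), "hours": set(), "last": None})
    alerts = []
    for e in events:
        p = profiles[e["user"]]
        reasons = []
        if e["ts"] >= baseline_end:
            if e["ip"] not in p["ips"]:
                reasons.append("new_ip")
            if e["dev"] not in p["devs"]:
                reasons.append("new_device")
            if p["hours"] and not any(abs(e["ts"].hour - h) <= HOUR_TOLERANCE for h in p["hours"]):
                reasons.append("off_hours")
            if p["last"] is not None:
                hours = (e["ts"] - p["last"]["ts"]).total_seconds() / 3600.0
                km = haversine_km(p["last"]["lat"], p["last"]["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    reasons.append("impossible_travel")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
        else:
            p["ips"].add(e["ip"])
            p["devs"].add(e["dev"])
            p["hours"].add(e["ts"].hour)
            p["last"] = e
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for user, when, why in run_demo():
        print(f"{when} {user}: {', '.join(why)}")
```

Every login in the sample passed the password check, which is exactly why a plain "unauthorised access" rule sees nothing; the signal is in the deviation from the account's own history. Real deployments replace the constructed lat/lon with GeoIP lookups and tune the thresholds per population, but the structure is the same.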

May 5, 2016 3:51 AM

tyr on Friday Squid Blogging: Global Squid Shortage:


That gives new meaning to two factor biometric authentications. With a comp record of your diet for the appropriate preceding period, all you have to do is present a stool sample to authenticate the youness of your stool biometric. While gaining access to your authentication port becomes a lot more difficult in practice for those who aren't cleared by you.

May 5, 2016 3:40 AM

tyr on Credential Stealing as an Attack Vector:


@Nick P.

My favourite Mitnick moment was when Woz gave him a shiny new Apple top product as a getting out of jail present. It was like seeing Billy the Kid grinning after receiving a Tommy Gun for his birthday.

I imagined the Feds cringing since they never caught him, he was turned in by an associate. He's a pretty good hacker with a great social engineering skillset.

May 5, 2016 3:21 AM

Drone on Credential Stealing as an Attack Vector:

So... The NSA's Chief Hacker publicly says that the easiest way in is credential theft. Considering the source, you now know the exact opposite is true.

May 5, 2016 2:25 AM

Wael on Friday Squid Blogging: Global Squid Shortage:

@somebody_else,

but you hooked me stink-line-and-sinker...

Good! Better than swallowing it hook, line, and stinker ;)

Argonne National Laboratory will sequence genome samples for anyone at a price under $60USD!!

Save your money! It'll be free public information before you know it. Patience my friend, patience. Or you can visit Kuwait, they'll do it for free! Kuwait, by the way, had the best chocolate cake (gâteau, actually) that I ever had in my life. Nothing in the US, Europe, or Asia came close.

May 5, 2016 1:50 AM

Wael on $7 Million Social Media Privacy Mistake:

Hard to explain a picture with "bong and smoke", and that's doubly true if your name sounds like "tonsil", because that means you definitely inhaled it! People who judged him know how to explain it when they're caught - pure hypocrisy. He should have stuck with the spiked chocolates! Oh well, poor OPSEC workmanship is dreadfully costly!

Life is like a box of chocolates... Some make you more hungry, and some make you fat. (With warm regards to Forrest Gump's mother)

May 5, 2016 1:49 AM

somebody_else on Friday Squid Blogging: Global Squid Shortage:

@Wael

Why don't you help my memory with a link to this atrocious subject matter?
It may be because @Nick P chose... poorly (with regards to the attribution of you).
Or perhaps that was deliberate -- In which case, hey Nick! I haven't forgotten about you.

I don't usually enjoy the long-form fluff pieces like this, but you hooked me stink-line-and-sinker with the refined skill that's usually reserved for semi-professional fishing boats! ;-)

I did spot a number of holes in the editing, experimental procedures, reporting, and qualified medical advice, although this was particularly interesting to me:

As a result, he was putting himself at risk for hepatitis, rotavirus, and a whole slew of other pathogens and parasites.
...
"Less than 3 percent of all of the donors that we screen end up qualifying as donors."
Now, I'm really wondering who these supposed 'pathogen-free' 3-percenters are...

A decade or two follow-up would be pretty interesting, I think. Will Zayner trade in his (punk?) Wu-Tang Clan T-shirt for a Jim Morrison or Justin Bieber one? What is 'Michael' like?? Is it possible to scientifically disentangle the 'placebo-effect' when the 'best-practice' guidelines probably involve seeking cohabitational or familial donors???

The best tidbit of information I gleaned from this article is the assumed fact that the Argonne National Laboratory will sequence genome samples for anyone at a price under $60USD!!

May 5, 2016 1:37 AM

SoWhatDidYouExpect on $7 Million Social Media Privacy Mistake:

He wasn't under contract yet so there can be no contractual requirement that he be on Twitter. Further, from the alleged video, there is no proof that he was behind the mask. The notion that these targets ...ah, potential draft picks... must use social media, could be a contrived convenience (of someone) to create this type of issue for some purpose (gee, maybe changing the draft pick order or even producing a situation that brings down the price).

This will all change when people stop buying tickets to those games or taxpayers reject financing stadiums for the already super-rich.

May 5, 2016 1:23 AM

Drone on $7 Million Social Media Privacy Mistake:

Punished for smoking weed by a professional sports organization that is riddled with illegal and harmful performance enhancing drugs. That's rich...

May 5, 2016 1:17 AM

Wael on Friday Squid Blogging: Global Squid Shortage:

@Clive Robinson, @Nick P,

bio-metrics that get over hyped in the reliability / unvariability side.

Biometrics are currently about convenience. When coupled with an appropriate network of security controls, they provide an adequate and acceptable security posture for several use cases that would otherwise present unnecessary "user friction". I anticipate that Biometrics will play more prominent roles in the not too distant future. As for ID by flora... Perhaps it has a use case in forensics, same applies to other forms of "invasive" Biometric techniques...

May 5, 2016 12:39 AM

Wael on Documenting the Chilling Effects of NSA Surveillance:

@Rolf Weber,

I'm largely offline the next couple of days, so don't expect any timely responses

Ten-four, coded message understood! I hear they® conduct meetings in an air-gapped environment. So how's the BND bootcamp going? Tell me, tell me!

May 5, 2016 12:33 AM

Clive Robinson on Friday Squid Blogging: Global Squid Shortage:

@ Nick P,

Yet, there's been a trend to try to use them for health purposes.

On the health side I think there is little doubt that they "can" work, the problem is knowing what is safe and what is not (see history of blood transfusions as to the problems). Doctors are risk averse for various reasons, and Big Pharma has no interest in investigating anything they can not patent (it's one of the reasons we are in the anti-biotic trap).

But the "ID by flora" is something I have been keeping my eye on. Whilst not totally faux/pseudo science. I personally think it is like some of the more recent bio-metrics that get over hyped in the reliability / unvariability side.

As I've mentioned before I've a life long interest in beating supposedly "gold standard" evidence / identification systems because I've found that they are mostly bogus as are much of the forensic measures beloved of the likes of the FBI... And I really don't like the idea of people being subject to incarceration simply because it's a convenient step on somebody else's career or share options.

May 5, 2016 12:21 AM

Wael on Friday Squid Blogging: Global Squid Shortage:

@Nick P,

I recall you two were talking fecal transplants one night.

It's not wise to talk sh*t about me and @Clive Robinson in one sentence ;) Why don't you help my memory with a link to this atrocious subject matter?

May 5, 2016 12:16 AM

Wael on Julian Sanchez on the Feinstein-Burr Bill:

@ianf,

No need to respond with a 7kb parable.

Phorgive me for jumping in, but I need to comfort you a little. I wouldn't worry too much about it. A 7kb parable is significantly more formidable than the 57 character one that challenged the living daylights out of your wits ;)

Besides, I like reading Clive's notes! If you remember, these are the inverse of Cliff's notes! Say! You got these book series in ummmmm ... Italy?

May 5, 2016 12:07 AM

Josh B on $7 Million Social Media Privacy Mistake:

Was expecting hookers and a rape boat, but got... pot smoking? If that's all it was, then his potential #1 pick was wildly optimistic and hardly affected. The NFL has covered up for much larger than that.

May 5, 2016 12:03 AM

Wael on Friday Squid Blogging: Replicating Reflecting Squid Tissue:

@Nick P,

You need to finish it because the Good ...

Got a chance to read some more of it. Make it easy for me and tell me what you liked about it. It's a good story, I like the methodical thinking, but I don't see anything we don't know now.

May 4, 2016 11:48 PM

Nick P on Friday Squid Blogging: Global Squid Shortage:

@ Wael, Clive

I recall you two were talking fecal transplants one night. I stayed out of that one. Yet, there's been a trend to try to use them for health purposes. On Slashdot, one person doing self-experimentation was an interesting case study.

May 4, 2016 8:41 PM

Nick P on Credential Stealing as an Attack Vector:

re Mitnick

He conned people out of credentials repeatedly to gain access to systems. That's the significance. The Art of Deception was a fun read, too, with nice examples for real-world attacks on the weakest link.

May 4, 2016 7:50 PM

ianf on Friday Squid Blogging: Global Squid Shortage:


> From the UhOh Dept.

See the top two-liner on this cover: http://goo.gl/ASAEEK

… then reflect on the mad trend to promote even yet unfinished product – not at all unlike premature releases of still—if ever somewhat fully—debugged software.

As for the book itself, judging by its description in The Guardian's Bookshop, "the way we die now" seems to be an ambitious long essay with little, if any, analogous semblance to Jessica Mitford's famous 1953 exposé of the thoroughly commercialized "American Way of Death".

    […] “Seamus O'Mahoney's thoughtful, moving and unforgettable book on the western way of death. Dying has never been more public, with celebrities writing detailed memoirs of their illness, but in private we have done our best to banish all thought of dying and made a good death increasingly difficult to achieve.

May 4, 2016 7:44 PM

ego on Credential Stealing as an Attack Vector:

Millions of email accounts compromised in massive data breach that includes Google and Yahoo
http://www.telegraph.co.uk/news/2016/05/04/millions-of-email-accounts-compromised--in-massive-data-breach-t/

Millions of users of the Google, Yahoo, and Microsoft email platforms have also had their data stored in one of the largest databases of stolen credentials ever discovered, Mr Holden told Reuters.

Hold Security, his firm, found the trove of stolen data after a teenage Russian hacker boasted in an online forum that he had access to millions of stolen credentials.

May 4, 2016 7:29 PM

Thoth on Friday Squid Blogging: Global Squid Shortage:

@ianf
Do note that not all countries are capable of manufacturing and being self sufficient in their own capabilities.

If your nation uses equipment from another nation or if you produce your equipment using the building blocks from another nation, it is already compromised.

I think the long-time discussion about security designs like Castle and Prisons makes it rather clear that these topics are applicable on a national cybercom security level.

We all know a ton of FPGAs and chips out there with only a handful of manufacturers like Xilinx, Intel and a few others mostly from USA. Whether these black box chips contain backdoors is unknown, but researchers have found backdoors in security chips. If you are going to build your own military comms or electronics equipment, it would be ideal if you have your own national foundries and build your own chips and stuff, but the fact is investing in your own foundries is very expensive and a huge effort that not all nations are capable of.

The world's foundries are very limited (e.g. IBM foundries, Infineon, NXP, Samsung, Foxconn...). Similarly, military comms and electronics firms using building blocks from other bigger players are susceptible to backdoors. Just a note that Thales have a Nordic division there and they develop interesting high security commsec equipment but alas they are still part of the French corporation called Thales (and thus susceptible to French policies).

May 4, 2016 7:14 PM

Nick P on Credential Stealing as an Attack Vector:

@ GreenSquirrel

You're vastly oversimplifying it. Remember what DSD said for Australia as it applies everywhere: whitelisting and fast patching countered 75% of so-called APT's. The whitelisting is especially helpful in stopping employees from being conned into running malicious executables. That's 75% of all hacks that were going on had nothing to do with 0-days. Matter of fact, quality can be so bad that one could in theory use a 3,207 day attack on LDAP if the submitter was correct. ;) Add misconfiguration, esp. default credentials, to that along with stuff running in the network that's not documented. Especially add web attacks as many high-profile attacks start with hitting insecure web apps connected to sensitive stuff. And then there's 0-days.

So, I think the TAO head was right in saying the importance of 0-days is overstated. I mean, we should also make the distinction of *where* the 0-days are. In web, specific types of problems are so common we often think of them differently from 0-days even though they technically are. Whereas, a 0-day in Linux is harder to both find and use. A 0-day in the Windows kernel is increasingly rare given all the QA they did due to the other thousand 0-days. So, we should differentiate but still many other attacks exist.

May 4, 2016 7:03 PM

albert on Credential Stealing as an Attack Vector:

@z,

Indeed. Every company/organization acts like theirs is the only web page you'll ever use. Certainly, one would expect some security for online purchases, and draconian security for banking, but I have to sign up to see things for free, or participate in discussions and forums. Particularly irksome are product support sites/pages. All are guilty, including FOSS companies.

On my list of things that need to go: Flash, Java, and websites with a plethora of scripts. My bank uses nothing, nada, zip, it's a professional looking site that's fast and easy to navigate.

. .. . .. --- ....

May 4, 2016 7:03 PM

ianf on Friday Squid Blogging: Global Squid Shortage:


Engrossing panel discussion on "Muckraking journalists in cooperation for the Panama documents" [46 minutes, in English]. Posted on UR, the educational (C-SPAN-like) site of the Swedish Public Television SVT.

http://urplay.se/program/195325-ur-samtiden-grav-2016-gravande-samarbete-i-panamadokumenten

UR Samtiden - "Dig(?) 2016"
Download [46:12] http://pod.ur.se/media/195000-195999/195325-15.mp4

Available online until 15 October 2016

    370 journalists from 78 countries worked together for over eight months to review the 11 million of [what subsequently became known as] "Panama documents." In a world where money, companies and individuals operate globally, also investigative reporters must act like this. Here some of those journalists [talk about] how that work was done. Participants: Mar Cabra (ICIJ), Helena Bengtsson (The Guardian), Joachim Dyfvermark and John Kristjansson (SVT) Moderator: Fredrik Laurin.

Recorded April 9, 2016 at the Swedish Exhibition Centre, Gothenburg. Organizer: Association of investigative journalists. [imperfectly modified non-idiomatic mechanical translation; the three Swedes apparently also previously worked with the Snowden/ Greenwald data trove.]

RELATED from the SVT main site:

Read all NSA related articles in English

    All articles published by Uppdrag granskning relating to the Snowden documents will be published in English under this headline [documents dealing with hitherto unknown cooperation between the NSA and their Swedish counterpart(?) FRA and/or security services deemed of interest to Swedish public].

Last updated: 11 December 2015

http://www.svt.se/ug/read-all-articles-in-english

May 4, 2016 6:41 PM

albert on $7 Million Social Media Privacy Mistake:

@Clive,
"...In some professions the use of twitter is made a requirment by advertisers and the like, who expect you to bring followers into their sphere of influence...."

It's a conundrum. People are incredibly stupid regarding all things Internet. From CEOs to backwoods goobers. It's gonna stay that way as long as folks continue to believe everything they read. The future belongs to the Judas goats, as it always has.

Folks have suffered a lot worse than Tunsil, so no crocodile tears for him.

This is nothing more than a tempest in a teapot; a $7M teapot, but a teapot nonetheless.

OTOH, teams could save a whole of money on draft picks if they ______ _______ ______ _____ ________.

. .. . .. --- ....

May 4, 2016 6:18 PM

ianf on Friday Squid Blogging: Global Squid Shortage:


@ Thoth

re: Aren't we heading to WW3 already?
        […]

We have to consider not all countries have "TRUE" Cyber Commands.…

[Googletranslatingly] speaking of which: Sweden gets new military cyber command. (apt sarcastic comment THE WORLD TREMBLES deemed inappropriate in the circumstances).

    I presume that means that there now will be a Swedish CyberCommand Recruiting Booth at DefCon and similar Black/ GreyHat conferences, complete with cured-reindeer-meatballs-on-toothpick appetizers and imported sparkling Ramlosa mineral water, the latter said to cure mumps and gout, all-free to qualified callers!

May 4, 2016 5:31 PM

AdBlocker Override on $7 Million Social Media Privacy Mistake:

Laremy Tunsil Loses More Than $7 Million In Salary During 2016 NFL Draft Plummet

Laremy Tunsil will forever be remembered for teaching a generation a valuable lesson on the pitfalls of social media.

After a video of Tunsil was posted on his verified Twitter account, which appeared to show the Ole Miss offensive tackle wearing a gas mask and smoking a substance through a bong, Tunsil’s draft stock plummeted. At one point considered a likely No. 1 overall pick, Tunsil fell all the way to No. 13 and the Miami Dolphins.

While it is unlikely that Tunsil would have been taken during the first two picks, he was the Baltimore Ravens' top target at No. 5. Two offensive tackles were selected before Tunsil (Ronnie Stanley at No. 6 by the Ravens and No. 8 Jack Conklin picked by the Tennessee Titans). Had Tunsil been chosen in place of Stanley, his maximum projected salary would have been approximately $20.4 million, compared to the $12.4 million he will receive from the Dolphins – a drop of more than $7 million! That includes a drop in guaranteed signing bonus from $13.1 million at No. 6 to $7.2 million at No. 13.

Tunsil’s agent Jimmy Sexton of CAA earlier stated that ”It is B.S. Somebody hacked into his account.” On the other side, Dolphins general manager Chris Grier, talking after the team had chosen Tunsil, said: “We’re very comfortable with all the information we have on the situation. We had heard rumors and we had done our [research].”

Regardless of whether the individual in the video was indeed Tunsil smoking marijuana, and regardless of who posted it, the mere appearance of impropriety has cost Laremy Tunsil millions.

Jason Belzer, Esq. is Founder of GAME, Inc. and a Professor of Organizational Behavior and Sports Law at Rutgers University. Follow him on Twitter @JasonBelzer.

May 4, 2016 5:29 PM

ianf on Julian Sanchez on the Feinstein-Burr Bill:


@ Clive […] “If the EU has any sense…”

Could you settle for plenty of nonsense instead?

Just asking. No need to respond with a 7kb parable.

May 4, 2016 4:53 PM

Nate on Credential Stealing as an Attack Vector:

The potential for silent, bulk credential stealing is what worries me most about compute clouds.

It seems to me that it would be pretty trivial for a large cloud compute company hosting millions of Windows or Linux images to quietly add some traps to the hypervisor to dump known contents of RAM that contain system login credentials and certificates, and quietly save this information on the backplane of the cloud infrastructure to a database for later use.

This information would be relatively low-volume and easy to copy and store.

It would also be of EXTREMELY high value for the sorts of agencies whose mission is to 'get root login access to every system in the world'.

This information, being stored in RAM, bypasses every kind of encryption. It's not 'data in transit' or 'data at rest'. It's 'data in the VM RAM' and we currently have no viable encryption model for this.

And the extraction of this information would be utterly silent and invisible to both the VM user, and to most employees of the cloud company itself, since they usually implement very strict internal security protocols that don't allow employees to view or audit the hypervisor code. It could be automated and done routinely in bulk, 'just in case we ever need a back door'.

The major cloud compute firms do in fact have working relationships with the intelligence agencies. Amazon, for instance, runs classified clouds for the CIA. I'd be surprised if IBM and Microsoft don't also have defense customers for their clouds.

ISIS is probably using cheap throwaway cloud servers for some of their activity, so there must surely be some kind of internal corporate mechanism at all of these companies for 'this server is doing suspected terrorist/illegal activity, gain access to it - and the credentials of its users - by any means necessary'. There would in fact be huge governmental pressure to provide such means of access from all the agencies from FBI on up to CSA/NSA.

We also know that although hypervisors are often open source projects (to which the NSA among others contribute, so know the systems intimately), the cloud companies don't use stock hypervisors, but modify them in unknown ways. They don't release their hypervisor source code for audit, in fact they keep it as a secret crown jewel of their enterprise. They often require security clearances for hypervisor engineers.

So there's motive, method, opportunity, premade test cases, a vast payoff if successful, governmental incentive to do this and in fact pressure at the National Security Letter level to keep such a mechanism hidden, and a very low chance of being observed doing it. The only way we'd ever find out would be if a hypervisor engineer leaked exactly what their _running_ hypervisor code did.

The logical response from a cloud company would be to implement such a backdoor mechanism and do it in such a way that it was silent, and could either be switched on and off for individual servers, or just done in bulk.

If done in bulk, there would also be management elements of these companies who realise that they are occasionally competing directly with their customers, and it would be _very_ commercially useful if they could sometimes read what a potential competitor was doing. That would of course be violating at least the spirit of their customer contract (but perhaps not even its letter - some cloud contracts state that the company can read your data if it might cause economic loss for them... )

I'm wondering when the shoe will drop and people will notice that we've built the ultimate panopticon here. Cloud hypervisor sees everything, including your passwords and private keys in cleartext. Therefore, your passwords and keys on all your cloud nodes are _gone_. Burned. That's it. Game over.

But for some reason nobody sees this as a problem?

May 4, 2016 4:52 PM

Clive Robinson on $7 Million Social Media Privacy Mistake:

@ SoWhatDidYouExpect,

And, he didn't have to be on or use twitter.

In some professions the use of twitter is made a requirement by advertisers and the like, who expect you to bring followers into their sphere of influence...

Thus not having a twitter account can not just affect your bank balance, but your career prospects as well.

But there is another side as some people have found, if they don't grab their own name etc on Twitter then somebody else will, and depending who it is that can have disastrous consequences that the laws of fraud, harassment, stalking etc just don't address...

So much as I do not like saying it, not having social media accounts is increasingly not an option for some these days...

As for the video etc, I have not seen it nor even heard of this person before. The drug mentioned is not called "dope" without good reason and it's very easy to test for use months afterwards. It is also an internationally banned substance for athletes and is routinely tested for. So as he has gained employment, it suggests that he is "clean" of actually smoking the drug.

Finally I will note that some people do not use what many here would consider adequate authentication security, and have in the past paid the price for that. Not that some social media sites --like linkedin-- have used adequate security in the past on how their users' passwords are stored or kept from unauthorised access...

May 4, 2016 3:54 PM

Jesse Thompson on Credential Stealing as an Attack Vector:

I have to side with Green Squirrel on this one.

It's easy to say that use of stolen credentials and stolen login channels is the primary way to safely hack something (and in turn to clarify that detecting these specific shenanigans is the low point in most people's security profiles which needs to be raised) but IT IS NOT kosher to claim that this should be THE PRIMARY security concern.

Why? Because nobody can use a stolen credential or abuse a login channel without first employing some kind of vulnerability to initially get their hands on the credential!

So, somebody uses my password to log into an asset somewhere. Question: where did they get my password? Somebody hijacks my login channel. Question: how did they gain access to my login channel in order to hijack it?

It's fine if you want to claim that credentials are secrets and secrets simply can't be kept forever anyway, or that the attack surface is so large and the credential such a small and valuable target to use for escalation that how they get it begins to lose relevance (be it software exploit or social engineering or spearphishing or brute forcing the weakest link, etc), but I am saying that this is a fight you literally cannot give up without ultimately rendering the credential obsolete from the get go.

If it really doesn't matter how the credential gets stolen, then that immediately means that the credential cannot be made secure, which in turn means that the login system becomes utterly inappropriate. You want to try to strengthen it with an added factor? I'm sorry, but the first factor stopped mattering.

For example: want to use a smartphone for 2 factor? Smartphones are much easier to hack than any moderately carefully used PC. I've got this problem with Steam right now: they expect me to use their mobile app for 2 factor login, use my mobile app to confirm every time I take a piss to prevent somehow getting my valuable TF2 hats stolen: but all of the *first* factor issues can be initiated from the phone as well. So? All somebody has to do is hack my phone and they can pilfer all of my shit, and that's easier to hack than my PC. So what am I squinting and poking at this tiny 6" touchscreen for again?!

Want to use a dedicated hardware fob for 2 factor? Great: you get to trust that neither the NSA nor your firmware designer nor your Chinese hardware manufacturer backstabbed the RNG in a way that tomorrow's thieves figure out how to exploit, and you get to trust that your X509 chain to receive firmware updates never gets janked.

Not to mention carrying around a janitor's keychain of fobs to get anything done, and good luck getting dedicated keyfobs to access resources secured by any company worth less than a $Billion.

What I'm getting at is that perhaps a better way to approach this, especially for the public or for employees at a mid-sized or above company, would be: today, Lastpass.. tomorrow, hopefully some open-source alternative that offers the same services as Lastpass via completely open sourced software but you get to either run the vault server or else your client software just abuses dropbox or something to get that job securely done.

And if your main concern is preferring time-sensitive or use-sensitive credentials (like the second factor in yubi-key or Google Auth) over the replayable nature of passwords, then Lastpass or its successor could conceivably handle that right on your PC instead of requiring a second, cumbersome device to get that job done, too.

Both passwords and one-time-use credentials can be automatically input via browser extension so that not even keyboard or clipboard monitoring malware could eavesdrop, from a vault which is stored encrypted on disk and only decrypted in RAM so that disk-stealing malware are at a disadvantage.. not that I'd recommend trying to use any of your credentials on a compromised machine, but again just so that a single, thin layer of undetected compromise still isn't enough to easily penetrate your single-pc auth scheme.

To address "z"'s concern about poor server-side hashing, this method also encourages non-reused passwords (so that a compromise of one account with un-hashed passwords doesn't leak to other accounts you hold at other places of business) with high entropy (so that even accounts with unsalted, unstretched, MD5 or worse hashing still have to be brute forced for ages upon ages to be cracked, which even then only gains them access to the one account). So, it's nice not to fret too much how secure "every password database you ever interact with" is.

May 4, 2016 3:46 PM

SoWhatDidYouExpect on $7 Million Social Media Privacy Mistake:

Some guy claims (or has it claimed for him) that he lost millions in potential salary due to a "mistake" that he (someone) made.

And here, we talk about the fact that the URL is blocked.

It's not our millions.

And, he didn't have to be on or use twitter. Loose lips sink ships (old war axiom, the intent still holds).

May 4, 2016 3:31 PM

Bytopia on Friday Squid Blogging: Global Squid Shortage:

A number of vulnerabilities have been found in ImageMagick:

http://www.openwall.com/lists/oss-security/2016/05/03/18
http://openwall.com/lists/oss-security/2016/05/03/13

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP's imagick, Ruby's rmagick and paperclip, and nodejs's imagemagick.

May 4, 2016 1:56 PM

Clive Robinson on Julian Sanchez on the Feinstein-Burr Bill:

@ ,

So unless everything belongs to the US now, I don't see how this will prevent the use of open-source software, hardware etc.

It will happen due to "inventory cost".

If you think back, only the US said mobile phones had to have GPS --trackers-- in them for "safety reasons".

Even if you are not in the US trying to buy a smart phone without a US GPS tracker hardware in it is not an easy task.

The reason is the cost of manufacturing two different phones, one with and one without the US GPS tracker hardware, and the "inventory costs" arising is way more expensive than making just one phone. So everybody gets the US GPS tracker hardware.

The same logic, unless the EU produces counter legislation, will apply to all "Fast Moving Consumer Equipment" (FMCE) coming out of the Far East. That is the way of the world and the TTIP negotiations show considerable "bad will" on behalf of the US in areas where they can manipulate the trade process to get such "backdoored" products forced into every national market that has signed one of Obama's Trade Treaties; they are without doubt a poisoned chalice.

If the EU has any sense they will shout "Non Non Non" or "Nein Nein Nein" not what that walkover Cameron had said "Yes Yes Oh Yes" (same as he does any time pork gets mentioned).

May 4, 2016 1:55 PM

z on Credential Stealing as an Attack Vector:

The worst part is that most of the time login credentials aren't even necessary. The "Create an account" culture has got to stop. Forcing people to create accounts just to buy $9 worth of stuff one time is just begging for an exploit that steals those credentials. People have to create so many accounts these days that they A.) inevitably pick crappy passwords since they have to enter them constantly, and B.) use the same ones everywhere. Thus, even if the account contents themselves don't give an attacker anything interesting, the password itself is worth the effort to steal.

This might be kinda sorta okay if passwords were stored properly, but we still can't get that right even after 20 years of people banging the table in opposition to unsalted MD5 as a password hashing scheme. We still can't secure databases either. We're forcing people to create accounts, encouraging them to pick the worst password they can think of, encouraging them to use it everywhere, and then botching the storage of it. What could go wrong?

The most hilarious thing about it is that customers hate creating accounts. They really really hate them. Making people create an account is famously a $300 million mistake: https://www.fastcompany.com/1147825/300-million-continue-button
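z's point about unsalted MD5 password storage, and Jesse Thompson's point above that unique, high-entropy passwords are the user's defence against exactly that kind of server-side botching, can be put side by side in code. This is an added example, not anything from the comments; the wordlist, user names and passwords are constructed for the illustration, and the function names are the author's own. It contrasts an unsalted fast hash (identical passwords produce identical, table-lookup-crackable digests) with per-user salted, stretched PBKDF2 from the standard library, and shows why a 16-character random password from a manager is out of reach of a wordlist even when the server side is weak.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed stand-in for a leaked-password dictionary (real ones hold millions).
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]

PBKDF2_ITERATIONS = 100_000  # work factor: raise it as hardware gets faster


def md5_unsalted(password: str) -> str:
    """The weak scheme z describes: no salt, no stretching, one fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_attack_md5(digest: str, wordlist) -> Optional[str]:
    """Recover a password from an unsalted MD5 digest by table lookup.
    Because there is no salt, one precomputed table covers every user at once."""
    table = {md5_unsalted(w): w for w in wordlist}
    return table.get(digest)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, stretched hash in a self-describing 'algo$iters$salt$dk' record."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def generate_password(length: int = 16) -> str:
    """What a password manager hands out: uniform random over a 64-symbol alphabet."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing-resistance of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Two users who reused the same weak password (constructed sample data).
    users = {"alice": "password123", "bob": "password123"}
    weak_db = {u: md5_unsalted(p) for u, p in users.items()}
    print("unsalted MD5 identical for both users:", weak_db["alice"] == weak_db["bob"])
    print("cracked alice via wordlist:", dictionary_attack_md5(weak_db["alice"], WORDLIST))

    strong_db = {u: pbkdf2_hash(p) for u, p in users.items()}
    print("PBKDF2 records differ despite same password:",
          strong_db["alice"] != strong_db["bob"])
    print("verify bob:", pbkdf2_verify("password123", strong_db["bob"]))

    managed = generate_password()
    print("manager password survives even the MD5 table:",
          dictionary_attack_md5(md5_unsalted(managed), WORDLIST) is None,
          f"({password_entropy_bits(16, 64):.0f} bits)")
```

The record format stores the iteration count alongside the salt, so the work factor can be raised later and old records re-hashed at next login; a verifier that hard-codes the count cannot do that.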

May 4, 2016 1:52 PM

Miguel on Credential Stealing as an Attack Vector:

@George Humphrey

I agree there is likely deception in the statement.


This article comes across more like an attempt to move the spotlight away from


I doubt they have compromised major foreign governmental networks simply from phishing.

The likely motive here, and he wouldn't feel so much like he is lying. Because most people listening to him, what he stated would apply. Even if he knows in the most valuable cases, the game is entirely changed.

May 4, 2016 1:48 PM

Jacob on Friday Squid Blogging: Global Squid Shortage:

Just in - the best tweet so far this year:

----------------------------
Jeffrey Goldberg (@JeffreyGoldberg)
May 4, 2016

Tomorrow, Obama national security team will begin debating plan to arm moderate Republican rebels.
-------------------------------------------------

May 4, 2016 1:10 PM

Green Squirrel on Credential Stealing as an Attack Vector:

I am a bit meh about this.

Yes, credential stealing is the easy way in but it is rarely the only part of an attack. As mentioned above the fantastic write up of the Hacking Team breach showed that the 0day was used to get access so mimikatz could do its magic.

With lots of breaches, having a set of credentials can assist the attacker but they need to both be able to get the credentials (malware? phishing?) and then once in, the merciless pivoting has to take place.

When it comes to big ticket breaches, there is often an 0day somewhere in the attack path/kill chain (or whatever phrase du jour you like). As others have mentioned - Stuxnet was a big bathtub of 0days, Target (once the attack was underway) needed 0days and so on.

Added to which, companies are absolutely rubbish at patching. I visited a client site last week where Bruce's new employers manage services and they have pushed the client to a contract saying patches will be applied within 180 days of release with a 95% SLA target. This means most 0days are 0days for months and months and months and months............

May 4, 2016 12:07 PM

r on Julian Sanchez on the Feinstein-Burr Bill:

So, it's a placeholder for a real bill?

Since the daft fellow who drafted this was using billable hours financed by taxpayer dollars, can we petition for redress?

May 4, 2016 11:20 AM

paul on Julian Sanchez on the Feinstein-Burr Bill:

any person who provides a product or method to facilitate a communication or to process or store data.

So all code on Github must be modified with a backdoor. Whee.

This actually bears a certain resemblance to early versions of what became CALEA, where in theory anyone who had a LAN -- or possibly anyone who ran an externally attached disk drive would have been required to provide government access to their data streams (and somehow in a way that would have prevented anyone from knowing when the data streams were being tapped, or which streams).

May 4, 2016 11:08 AM

paul on Credential Stealing as an Attack Vector:

Does it matter for this discussion which credentials are actively stolen (e.g. intercepting a connection or getting someone to enter the credential in the wrong place or installing a keylogger or finding a password file) versus those that are discovered by brute force? Some of the attack surfaces may be different, but they're all a problem.

Also, what does this say about finer-grained access controls? Could some privilege-escalation steps be slowed down by keeping better track of what people (especially outside vendors or lusers of some kind) are doing?

May 4, 2016 10:45 AM

Miguel on Credential Stealing as an Attack Vector:


Email the most porous border. Social media channels gaining traction.

There are practically blind attacks, which can be pretty loud and compromise the malware and email.

And there are extremely studied attacks where they have a specific target of value in mind, maybe a handful, and have performed the research necessary to know how to get their trust. Where social media can be the mined field. :-)


There are other commonalities to these attacks, however. One is if they do use custom malware/"zero day malware"/"previously unseen malware". There are a wide number of systems today designed to detect that with very high detection rates.

A number of these are systems that are good at that, and good at detecting non-malware usage intrusions.

There are very strong micro/segmentation systems at play, today, as well.


So, I do believe heuristic like systems are at play for these attacks. The same sort of systems that tend to be good at protecting against zero day.


But, zero day guard should not be down. It does depend on the target. Zero day can do a lot of things you can never do with phishing and social engineering alone.

We should not forget some of those catastrophes from the past three decades.


Watering hole/drive by zero day really diminishes the overhead for research on targets. If properly handled, extremely low risk for discovery. And they can get anyone they want if they have it in a major system.

Instead of clicking on "yes, run this despite that it could compromise my entire company's network", they just receive an email, sms, phone call that never even rings.

They walk by the wrong place with bluetooth or wifi turned on.

They have joined the wrong online social group.


Software vendors have to improve their products against zero day in their products. Very many companies, of course, have at the least their own written web applications. Nobody wants to end up like what happened with Chipotle. Headline news. Your flagship application was used to hack millions of systems in a devastating...


Some critical networks require zero day for thorough penetration.


May 4, 2016 10:44 AM

Frankenstein-Barf Bill on Julian Sanchez on the Feinstein-Burr Bill:

This is interesting regarding the intended backdooring:

device manufacturers, software manufacturers, electronic communication services, remote communication services, providers of wire or electronic communication services, providers of remote communication services, or any person who provides a product or method to facilitate a communication or to process or store data.

That's all well and good, but not every device manufacturer, software company, electronic communication service or general provider is American?

So unless everything belongs to the US now, I don't see how this will prevent the use of open-source software, hardware etc. that is not back-doored from the point of creation from being used by poor sods living in the Police States of America?

For instance, let's say that Open Whisper Systems (Signal) decided to move their base of operations to an overseas jurisdiction prior to the passage of this fascist bill and didn't operate a single server for messages and calls in the United Stasi? Seems that wizened hag Frankenstein bill would be dead in its tracks. Further, other O/S groups could simply develop systems piggybacking off the code outside the US?

Still, a very depressing trajectory the hyper-power is on.

All we need is for that buffoon Trump to win the next election (dead raccoon on his head and all) and the country is gone (for all of his self-started bullshit, he’s basically Jaden Smith with a comb over). ;-)

May 4, 2016 10:29 AM

AverageSecGuy on Credential Stealing as an Attack Vector:

It's so embarrassing that most admins and even security guys still don't know how credentials are stored in a Microsoft environment, don't know SSO consequences, are not aware of mimikatz and still focus on their job security and buying security products from the compliance check-list :-(

May 4, 2016 10:12 AM

Rick Taggard on Friday Squid Blogging: My Little Cephalopod:

@Figureitout

They were in their unannounced test phase a couple years ago, then it comes out in news my area was one of the test zones. The night that really did me in, I couldn't believe what I was seeing.

And, so "flightaware". Google it. I built my own box before they offered instructables on how to do so. It is incredibly easy, and there are a lot of tools you can use with it.

Simplest version is get a USB dongle, an RTL-SDR, and connect to Android, then download the apps focused on aircraft traffic.

So, you can always carry it around with you and see whomever is above your head.

The advantage of feeding into the flightaware network is simply that you can have free high memberships, which includes the capability to go over the archives. Who was that who flew over me on Monday, July 1st, a few years ago? You can look it up.

You do not have to feed into their network, if you are paranoid this might hurt your privacy, somehow. There are other apps on either platform, and you can turn off that functionality on the flightaware mobile app.

How does this help really find the covert surveillance drones and planes and copters? I mentioned "this was how they found those fbi surveillance planes", believing you probably recall the articles.

But,


https://www.google.com/webhp?q=fbi%20surveillance%20plane%20flightaware

Or use those search terms in whatever your favorite search engine is.


Drone, copter, plane. They all have to use this plain text protocol to continuously give their identification and positioning.

Does not mean the bad ones will say "FBI Surveillance Van #2" on them.

But, they really suck at coming up with realistic identification information, as the article explains, and you might imagine.

I do not think this is because they are stupid, though there are plenty of places and things with horrible names.

But, really, what else can they do? Buy a major airliner?

And remaining would still be the incredibly suspicious flight patterns they are usually forced to adhere to.

Otherwise, read the articles, at a very wide variety of sources, surely you can find one there you can trust. Probably Bruce posted about it, when it happened.
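The "plain-text protocol" in the post above is Mode S / ADS-B, the 1090 MHz extended-squitter broadcast that an RTL-SDR plus software such as dump1090 (which the FlightAware feeder builds on) decodes. The following is an added example, mine rather than code from the post or from FlightAware, that parses one 112-bit frame: it checks the 24-bit parity, pulls out the downlink format, the ICAO transponder address and the type code, and decodes the eight-character callsign of an identification message. The sample frame is the widely published test vector for an identification message (a KLM flight), not a captured surveillance aircraft; the frame layout and CRC polynomial are those of the Mode S specification.

```python
# Added example (not code from the thread): a minimal decoder for the
# Mode S extended squitter (ADS-B) frames the post describes. The sample
# frame is a published test vector for an aircraft identification message,
# not a capture of any surveillance aircraft.

GENERATOR = 0xFFF409  # low 24 bits of the Mode S CRC-24 polynomial 0x1FFF409

# 6-bit character set of the aircraft identification message (type codes 1-4).
CHARSET = ("#" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "#" * 5 + "_"
           + "#" * 15 + "0123456789" + "#" * 6)

SAMPLE = "8D4840D6202CC371C32CE0576098"  # test vector: DF17, TC4, callsign


def crc_remainder(msg_hex: str) -> int:
    """Clock every bit of msg_hex through the 24-bit Mode S CRC register.

    A frame carrying its own parity in the last 24 bits yields 0; a frame
    whose last 24 bits are zero yields the parity that belongs there.
    """
    bits = int(msg_hex, 16)
    reg = 0
    for i in range(len(msg_hex) * 4 - 1, -1, -1):
        top = (reg >> 23) & 1
        reg = ((reg << 1) | ((bits >> i) & 1)) & 0xFFFFFF
        if top:
            reg ^= GENERATOR
    return reg


def parity(data_hex: str) -> int:
    """Parity for an 88-bit payload; it is a CRC, so anyone can compute it."""
    if len(data_hex) != 22:
        raise ValueError("expected 88 bits (22 hex digits) of payload")
    return crc_remainder(data_hex + "000000")


def decode(msg_hex: str) -> dict:
    """Parse DF, ICAO address, type code and (for TC 1-4) the callsign."""
    msg_hex = msg_hex.strip().upper()
    if len(msg_hex) != 28:
        raise ValueError("expected a 112-bit (28 hex digit) extended squitter")
    bits = int(msg_hex, 16)
    df = bits >> 107                      # bits 1-5: downlink format
    icao = (bits >> 80) & 0xFFFFFF        # bits 9-32: 24-bit transponder address
    me = (bits >> 24) & ((1 << 56) - 1)   # bits 33-88: 56-bit message field
    tc = me >> 51                         # first 5 bits of ME: type code
    out = {
        "df": df,
        "icao": f"{icao:06X}",
        "tc": tc,
        "crc_ok": crc_remainder(msg_hex) == 0,
        "callsign": None,
    }
    if df == 17 and 1 <= tc <= 4:
        # Eight 6-bit characters follow the 3-bit emitter category.
        out["callsign"] = "".join(
            CHARSET[(me >> (42 - 6 * k)) & 0x3F] for k in range(8)
        )
    return out


def flip_bit(msg_hex: str, bit: int) -> str:
    """Return the frame with one bit (0 = first transmitted) inverted."""
    n = len(msg_hex) * 4
    return f"{int(msg_hex, 16) ^ (1 << (n - 1 - bit)):0{len(msg_hex)}X}"


if __name__ == "__main__":
    print(decode(SAMPLE))
    print(f"parity of payload: {parity(SAMPLE[:22]):06X}")
    print("corrupted frame passes CRC:", decode(flip_bit(SAMPLE, 40))["crc_ok"])
```

The check worth noticing is what `crc_ok` does and does not tell you: the 24-bit field is a CRC, so it catches the bit errors `flip_bit` simulates, but it is computable by anyone from the payload alone and proves nothing about who transmitted the frame. The ICAO address and callsign are likewise just fields the transponder fills in, which is why the post's point stands: an operator can choose a more or less convincing identity, but cannot stop the frame from being received and logged. A usable receiver also needs the airborne-position (CPR) decoding that this example leaves out.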


May 4, 2016 10:11 AM

Unkown on Credential Stealing as an Attack Vector:

Nobody has wondered what SAI messages over SS7 can be used for? Or Diameter AIR, for that matter. Then the over-the-air interception implications suddenly hold not only for 2G.

May 4, 2016 10:09 AM

George Humphrey on Credential Stealing as an Attack Vector:

Stuxnet leveraged multiple zero days, and hundreds of millions of botnet zombies currently exfiltrating data all over the globe attest to the efficacy of flawed software.

This article comes across more like an attempt to move the spotlight away from companies and their secret collusion with spies (thank you Ed Snowden). It's not a bug, it's a [spy] feature. Did the Snowden documents not make this obvious?

And anyone who caters to the "good guy" narrative of the tech industry billionaires will be celebrated and showered with speaking engagements, awards, and news coverage.

May 4, 2016 10:06 AM

Nick P on Credential Stealing as an Attack Vector:

@ Bruce Schneier

I'll add that this attack vector was a known issue going back to the Orange and Red Books. The Orange Book required a trusted path for entering credentials that was immune to interception by apps or spoofing. They also required private data like credentials or encryption keys to be specifically labeled as such, with the OS checking any access against a subject's security level or something.

The CMWs with watered-down assurance that were produced for more industry adoption still had these features. Over time, even these were dropped due to no demand outside a few sectors. Argus PitBull and Trusted Extensions for Solaris 10 still serve such customers. One in Korea too.

Old, old requirement people ignored to their peril.

May 4, 2016 10:04 AM

GrowingUpInTech on Credential Stealing as an Attack Vector:

Let's be honest, computer nerds like me might have strong passwords, but I don't think society does, and when we do, what about password reuse?

We still have passwords like abc123 and asdfghj

May 4, 2016 9:42 AM

Clive Robinson on Credential Stealing as an Attack Vector:

With regards,

As Joyce said, stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day.

Or the "seed" of an RNG used in a token such as the RSA fob, or the master key of a key generator (used in some smart cards), or knowing how to break a weakly implemented crypto / authentication system that a user (subscriber) has no knowledge of or ability to change (DES badly implemented in SIMs and payment cards). Or how about creating PKI certs because various CAs, to save cost, did not protect the process, so it could be easily hacked...

The attack surface is so large that even trying to manipulate humans via social engineering is too risky.

As always unless you are very knowledgeable and do it all yourself you are open to others foibles and thus their failings become yours...

And often the root of all this is money, or more correctly short-sighted cost cutting by those who really do not care about security but about next quarter's profits...

May 4, 2016 9:36 AM

Satan's Advocate on Friday Squid Blogging: Global Squid Shortage:

@Lotta BS on Friday Squid Blogging: Global Squid Shortage:

[^^ Cute. And revealing.]


Satans Advocate wrote: Human beings are incredibly complex, and predicting the next big thing from distantly analyzing human beings data is just not going to happen.


@Lotta BS wrote: The only logical explanation for deploying this is a controlled environment, what research scientists do, by managing input and observing output variables, which must be well-defined. As in the chicken'n'eggs dilemma, predicting the next thing is a rather pointless circular analogy, so it's more useful as a shaping or training exercise.


Hah.


Researchers: So, if we get enough data consistently coming in, and have the capacity to archive as much of it as possible, we are quite sure we can come up with numerous very impressive, low false positive systems. Which systems, over time, will provide highly accurate results under found "good contexts". We believe we can find many very meaningful "good contexts" at a predictably progressive rate, so there will be good results over the next 3, 5, 10 years, and further on.

Management: Huh, what? Plain english.

Researchers: It might help us stop the next 911.

Management: What? Great?! Why didn't you say so! We are going to go to bat for you on this!

Just, first?

What is the dumbed down version the general public and politicians will understand?

Researchers:

Media: The government thinks if they are able to get all the data of the world, they can stop the next 911. Makes sense.

Public: Yes, yes! Trust everyone!

Other Public/Some Media: WTF! That is impossible. They are lying! I don't want to give them *my* data. [Godwin's Law automagically fires.]

May 4, 2016 9:18 AM

Bruce on Credential Stealing as an Attack Vector:

"And the hacktivist that broke into the cyber-arms manufacturer Hacking Team and published pretty much every proprietary document from that company used stolen credentials."

From the English version of Phineas Fisher's document:

"A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. [...] I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device."

May 4, 2016 7:46 AM

Clive Robinson on Documenting the Chilling Effects of NSA Surveillance:

@ Dirk Praet,

As we can see from the above,

    I don't want to discuss the Privacy Shield here with you.

You have the --fantasist?-- Rolf on the run against his own --conspiratorial?-- world view...

Even though he denies it,

    This is surely true I will never become a good conspiracy theorist.

He is still more than happy to say of others,

    I know that this is your religious belief. But no belief is 100%, not even religious.

But fails to see the irony of such a comment...

Interestingly though, not only does he appear to be on the run, he also appears to be hoping that you will not continue to press him in his retreat,

    I'm largely offline the next couple of days, so don't expect any timely responses.

Thus the question arises about what he is hoping the time will get him...

Ho hum, I guess it gives us the time to get in more popcorn for the next round whenever he pops up again (which might be ill advised for him to do).

But as I know from previous encounters, he --like many a fanatic-- ignores sensible advice and plows on with almost religious zeal, denying then ignoring anything contra to his world view. Ever digging an ever deeper hole for himself, despite the very real future dangers such behaviour puts him in... I guess it's his (LSD) shilling, let him expend it foolishly, and count the loss in the future.

May 4, 2016 7:32 AM

Jim on Julian Sanchez on the Feinstein-Burr Bill:

When toilets are outlawed, only outlaws will have toilets. What next, matches and lighters, because you'd be able to burn the sought-after documents? How about magnifying glasses or two sticks you can rub together, for those who have the skills to start a fire that way? This is getting absolutely ludicrous.

How about this - we'll give you (the government) unfettered access to everything of ours when you give us (the public) unfettered access to all of your stuff. That means no more classified information, secret White House meetings, and all bills in Congress are to be vetted by the public completely and openly for 30 days or more before being put to a vote. Ha! Like that will ever happen!

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.