Page 179
Motherboard is reporting that this week’s Twitter hack involved a bribed insider. Twitter has denied it.
I have been taking press calls all day about this. And while I know everyone wants to speculate about the details of the hack, we just don’t know—and probably won’t for a couple of weeks.
EDITED TO ADD (8/10): It was social engineering and not bribery.
The NSA’s Cybersecurity Directorate—that’s the part that’s supposed to work on defense—has released two documents (a full and an abridged version) on securing virtual private networks. Some of it is basic, but it contains good information.
Maintaining a secure VPN tunnel can be complex and requires regular maintenance. To maintain a secure VPN, network administrators should perform the following tasks on a regular basis:
- Reduce the VPN gateway attack surface
- Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates (i.e. patches) for VPN gateways and clients
A four-rotor Enigma machine—with rotors—is up for auction.
A personal account of someone who was paid to buy products on Amazon and leave fake reviews.
Fake reviews are one of the problems that everyone knows about, and no one knows what to do about—so we all try to pretend doesn’t exist.
China is prohibiting squid fishing in two areas—both in international waters—for two seasons, to give squid time to recover and reproduce.
This is the first time China has voluntarily imposed a closed season on the high seas. Some experts regard it as an important step forward in China’s management of distant-water fishing (DWF), and crucial for protecting the squid fishing industry. But others say the impact will be limited and that stronger oversight of fishing vessels is needed, or even a new fisheries management body specifically for squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
It’s the EFF’s 30th birthday, and the organization is having a celebratory livestream today from 3:00 to 10:00 pm PDT.
There are a lot of interesting discussions and things. I am having a fireside chat at 4:10 pm PDT to talk about the Crypto Wars and more.
Stop by. And thank you for supporting EFF.
EDITED TO ADD: This event is over, but you can watch a recorded version on YouTube.
A criminal group called Cosmic Lynx seems to be based in Russia:
Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles.
[…]
For example, rather than use free accounts, Cosmic Lynx will register strategic domain names for each BEC campaign to create more convincing email accounts. And the group knows how to shield these domains so they’re harder to trace to the true owner. Cosmic Lynx also has a strong understanding of the email authentication protocol DMARC and does reconnaissance to assess its targets’ specific system DMARC policies to most effectively circumvent them.
Cosmic Lynx also drafts unusually clean and credible-looking messages to deceive targets. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve “external legal counsel” to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, typically impersonating a real lawyer from a well-regarded law firm in the United Kingdom. The fake lawyer will email the same executive that the “CEO” wrote to, often in a new email thread, and share logistics about completing the transaction. Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean.
Interesting research on home security cameras with cloud storage. Basically, attackers can learn very basic information about what’s going on in front of the camera, and infer when there is someone home.
News article.
Slashdot thread.
It is amazing that this sort of thing can still happen:
…the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Telnet? Default passwords? In 2020?
We have a long way to go to secure the IoT.
EDITED TO ADD (7/14): Apologies, but I previously blogged this story in January.
The BSA—also known as the Software Alliance, formerly the Business Software Alliance (which explains the acronym)—is an industry lobbying group. They just published “Policy Principles for Building a Secure and Trustworthy Internet of Things.”
They call for:
As with pretty much everything else, you can assume that if an industry lobbying group is in favor of it, then it doesn’t go far enough.
And if you need more security and privacy principles for the IoT, here’s a list of over twenty.
Sidebar photo of Bruce Schneier by Joe MacInnis.