News, of the latest crop of secondary school cyber-defense teams advancing into the finals of the CyberPatriot National Finals Competition. CyberPatriot has additional information for those of you that wish to attend the live National Finals Competition on March 13th through and inclusive of March 15th, 2015 in National Harbor, Maryland. Congratulations to All!
News, of planned public meetings - slated for February 16 and 17, 2015, in balmy Orlando, Florida - called by the Organization of Scientific Area Committees (OSAC). The Forensic OSAC acts as the coordinator of development of required standards and guidelines for the Forensic Science community. All, carefully crafted under the oversight of the National Institute of Standards and Technology (NIST),
In which, a new analysis line-of-sight for the detection of attack, whether covert or otherwise. Absolutely fascinating ancillary evidentiary channel, utilizing power consumption differentiation between and betwixt infected and uncompromised systems. Outstanding.
In a posting published by ProPublica, online advertising leviathan TURN is utilizing the dreaded zombie cookie, pioneered by those friendly folks at Verizon Wireless. ProPublica is also reporting that TURN's actions were originally discovered by Stanford University computer scientist and attorney Jonathan Mayer, and then tested by ProPublica staffers.
via Rapid7's HD Moore, comes news of the latest flaw in the Internet of Things realm, this time, focusing on the fueling infrastructure worldwide. Specifically, the gauges that meter and permit the dispensing of liquid and gaseous matériel... Evidently, these automated tank gauges (monikered ATGs) not only possess IP connectivity, but they also have tremendously flawed software componentry to boot. What Could Possibly Go Wrong.
Absolutely spot-on IPv6 security analysis by the Deploy360 section at ISOC, detailing security misconceptions - now full-blown myths - of IPv6 infrastructure. Along with the clarification efforts regarding IPv6 and the ramifications for what security componentry has been baked-in to the network protocol, comes the highly enhanced and approximate 3.4×10 to the 38th power addresses as compared to the measly 4.3 billion capability IPv4 address space.
Leaving the gargantuan IPv6 address space benefits for another discussion, the issue of security flaws resident within the protocols' structure must be managed effectively on such an old addressing specification. After all, the original Internet Engineering Task Force [RFC 2460], the “Internet Protocol, Version 6 (IPv6) Specification” possesses a date of December 1998...
"In order to make IPv6 as simple and interoperable as possible, it uses a minimalist standard packet header. In order to make IPv6 as extensible as possible, it allows “extension headers,” additional chunks of meta-data that can be strung behind the IP header to provide additional features and functionality. IPsec leverages the extension header mechanism to carry necessary authentication and encryption data, for one example. Unfortunately, having extension headers designed into the protocol for extensibility also means having security flaws designed in along with them." - via the ISOC Deploy360 Myth#2 Post
What, really? Apparently, GoDaddy security has failed to measure up, yet again. via Swati Khandelwal writing at HackerNews, comes the sorry tale of failed code (in the form of XSRF vulnerabilities), obvious failed quality control, and on top of all of that, no security checks pre-deployment. Astounding.
If you read anything today about cryptography today, read the work of Stanford University's Center for Internet and Society's Jeffrey Vagle, JD [Mr. Vagle is also a Lecturer in Law and the Executive Director of the Center for Technology, Innovation and Competition [CTIC] at the University of Pennsylvania Law School]; in which, Mr. Vagle examines the criminalization of cryptography [snippet of his work appears below].
'We've heard this story from governments before, of course, from the "crypto wars" of the early 1990s to recent claims by the FBI that encryption allows networks to "go dark," and prevent legitimate law enforcement efforts. But as the leaked security memo asserts, without strong crypto and secure networks, we're all put at greater risk. It is crucial that we keep this in perspective as the world's legislative bodies rush to do something--anything--in the face of these crises.' - via Jeffrey Vagle writing at the Center for Internet and Society, at Stanford University