Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Service As A Crime →

February 08, 2018 by Marc Handelman in Idiotic Ideas, Physical Security, Blatant Stupidity, Satire, Sarcasm

Seattle's all abuzz with a new and exciting Amazon service (no... it's not the new Amazon Spheres), dubbed AmazonCaaS [aka Amazon Crime as a Service]; via MG comes this terrific Medium blog post. Today's MustRead!


Intel Warns Beijing of Spectre/Meltdown, Forgets to Call Washington... →

January 30, 2018 by Marc Handelman in Blatant Stupidity, Hardware Flaws, Hardware Security, Information Security

The stupidity just won't stop from the executives at Intel; indeed... H/T


Quantum? Hardly. →

December 19, 2017 by Marc Handelman in Blatant Stupidity

Mozilla Foundation: Bad marketing decisions at the highest levels of the Foundation should be a wakeup call for a house cleaning at the non-profit organization, not to mention a reset of expectations regarding user privacy (regardless of the Foundation's platitudes talking up privacy). This is coupled with tremendously flawed architectural decisions targeting application, functionality, browser and network security behaviors, adding up to anti-patterns rampant throughout the product. Just shameful, and then, there's this...

Updated: Here's Chris Hoffman's take on the de-evolution of Mozilla, for good measure... in which the ongoing, infamous browser data sharing between Mozilla Foundation and Cliqz in Germany is covered.


Want A Malicious App? →

November 17, 2017 by Marc Handelman in Android, Information Security, Blatant Stupidity

Drive-by the Google Play Store...


Coinhive Effluvia →

October 26, 2017 by Marc Handelman in Blockchain, Blatant Stupidity

Like a compromised sewage conduit, Coinhive's morally questionable Monero-mining scripted architecture (as evidenced by the successful DNS attack on the organization's site) is now poisoning the body politic with (both) the inherent evil of their product and their apparent collective security stupidity. Witness the group's latest DNS breach explanatory blog post. Astounding... Where is Dr. Evil when we need him?


IRS 'Suspends' EQUIFAX Identity Verification Contract →

October 14, 2017 by Marc Handelman in Information Security, Blatant Stupidity, Identity Management, US IRS, US Treasury

The keyword under scrutiny - Ladies and Gentlemen - is 'Suspends'.


All Your Base Are Belong To Uber →

October 09, 2017 by Marc Handelman in Demise of Privacy, Information Security, Blatant Stupidity

The Big Secret, Dammit, Now Everybody Knows...


The Most Ridiculous Information Security Decision I've Heard This Year

October 02, 2017 by Marc Handelman in Blatant Stupidity

The single most egregiously flawed information security decision (Equifax comes to mind...) by a large company in 2017? Read Chris Davies' superlative piece, on SlashGear, detailing the recent Google decision to segment security provisioning. Read it and weep, my friends, for it is by far The Show that Never Ends.

"Google is readying special security tools for its high-profile users, reports claim, going beyond mere two-factor authentication. The development comes as investigations into the political impact of alleged Russian hacking during the US election in 2016 continue, alongside other high-profile attacks on data. However, according to insiders, Google plans to target its new system at a specific subset of users. Those, people familiar with Alphabet-owned Google’s plans tell Bloomberg Technology, are being described as “corporate executives, politicians and others with heightened security concerns.” It will build on the company’s existing USB Security Key support. Rolled out in 2014, the USB-based system demanded a physical dongle be plugged into a computer in addition to a password or secure code before access to a Google account was granted." via Chris Davies writing at SlashGear


EquiHax: Lifelock Enters Equifax Debacle, Reselling Equifax Services...

September 27, 2017 by Marc Handelman in Blatant Stupidity, Consumer Abuse, EQUIHAX

Via Michael Hiltzik, writing at the Los Angeles Times: Lifelock (you remember Lifelock, don't you...) now offers to protect you from the Equifax breach — by selling you services provided by Equifax...


Equifax Sending Victims of Data Theft to Phishing Site →

September 21, 2017 by Marc Handelman in Blatant Stupidity, Deep Incompetence

Evidence, reported by Dani Deahl and Ashley Carman, writing at The Verge, of Equifax customer service representatives sending victims of the company's data loss to phishing sites. Apparently, extraordinary incompetence is nominal functionality at the company.


Monday's Feet of Clay →

September 18, 2017 by Marc Handelman in Racism in Tech, Corporate Evil, Blatant Stupidity

Via Mike Murphy, writing at Quartz, comes the truth regarding inherent tech industry racism (evidenced by Facebook, Google, Bing and others): Monday's Feet of Clay report. Read it and weep.


Mozilla Foundation To Begin Collecting User Browsing Data

September 06, 2017 by Marc Handelman in Web Security, Privacy, Network Security, Information Security, Blatant Stupidity, Demise of Privacy

Via gHacks author Martin Brinkmann comes the astonishing tale of deeply flawed user data management at Mozilla Foundation. Along with the Foundation's Firefox browser Resource and Web Extension data leakage woes, now comes a highly user-antagonistic decision to commence collecting user browsing data on an opt-out basis. Truly this week's evidence that Blatant Stupidity still exists in the browser world.

"Mozilla's Georg Fritzsche published information on the plan to collect additional data yesterday on the Mozilla Governance group. In it, he describes the issue that Mozilla engineers face currently. While Firefox may collect the data when users opt-in, Mozilla believes that the data is biased and that only data collecting with opt-out would provide unbiased data that the engineers can work with. Questions that this data may help answer include "which top sites are users visiting", "which sites using Flash does a user encounter", and "which sites does a user see heavy Jank on" according to Fritzsche." excerpt via Martin Brinkmann writing at gHacks


Sverige + IBM = Cloud Data Leaks

August 25, 2017 by Marc Handelman in Blatant Stupidity, Government, Information Security

News - via Rick Falkvinge, writing at Privacy News Online Blog (a blog run by Virtual Private Network company Private Internet Access), who regales us with the sorry tale of the Kingdom of Sweden's government-data-gone-wild; in this case, the wild is the IBM Cloud infrastructure.

Take heed, my friends in the 'digital transformation' world, and do not weep for the Swedish Government and IBM (by the way - as of this writing, while the issues still exist, there is a way out for future efforts, and possibly for the noted debacle):

For without the crucial components of attention to detail and truly effective security automation - coupled with meticulous security architecture and the all-important expert execution by competent security professionals - you might as well be hosting your data in the open for all to see - just like the Swedes. Simply astounding. H/T

"At present, these databases are known to have been exposed, by moving them to “The Cloud” as if it were just a random buzzword: The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields); Names, photos, and home addresses of fighter pilots in the Air Force; Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified; Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams; Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons; Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;" via Rick Falkvinge, writing at Privacy News Online Blog


Low Skill Attack, The Siemens Method →

August 09, 2017 by Marc Handelman in Blatant Stupidity, Information Security, Medical Device Security, Low Skill Attacks, No Skill Attacks

Apparently, systemic - and therefore fundamental - security incompetence 'reigns supreme' at Siemens... Witness the reported 'low skill' (aka 'no skill') attacks targeting the company's Computed Tomography (CT) and Positron Emission Tomography (PET) medical scanners. Shameful.


Laugh It Up, Sport

Flush The Cruft

July 05, 2017 by Marc Handelman in Blatant Stupidity, Cruft, Code Review, Code, Information Security

Along with the latest downsizing, maybe, just maybe, they will clean the security cruft in their Cloud bits as well...


Cartoon by Rudy Lacovara at Angry .Net Developer

Code Failure, Again →

June 29, 2017 by Marc Handelman in Incompetence, Code, Code Review, Blatant Stupidity, Application Security, Information Security

Meanwhile, in incompetent application security testing news, comes this astonishing example of blatant coding stupidity: Microsoft Corporation's (NasdaqGS: MSFT) crack team of questionable-capability developers (have these people heard of fuzzers?) unleashed a deeply flawed Windows Defender product on millions of customers.

As luck would have it (if you believe in that sort of thing), the product was just patched, months after the faulty codebase was wrapped up all pretty-like. The flaw was discovered by security researcher Tavis Ormandy of Google Project Zero fame; his report (and closure of same) on 2017/06/23 is today's proof that - at the very least - there are Security Researchers Doing The Right Thing.


Deep Root Analytics Twitter Account...

GOP Contractor Exposes 198 Million US Voter Records

June 20, 2017 by Marc Handelman in Blatant Stupidity, Data Leakage

Decisions. Deeply Rooted (apparently) in Incompetence

News, via El Reg staff reporter Shaun Nichols, detailing the deep security ignorance on the part of Republican Party contractor research firm Deep Root Analytics. Storing nearly 200 million voter registration records in unencrypted form, in a publicly accessible S3 bucket, certainly sets the bar to a new low in custodial security oversight, don't you think? Harsh, you may ask? Read the El Reg post for the full details... H/T


Greyhound →

June 13, 2017 by Marc Handelman in Blatant Stupidity

No password changes for you!


Stockpiled →

May 31, 2017 by Marc Handelman in Blatant Stupidity, Infosec Competence, Infosec Policy, All is Information

Via the eponymous Iain Thomson, whilst plying his trade at El Reg, comes this astonishing tale of the profoundly stupefying incompetence at Microsoft Corporation (NasdaqGS: MSFT) regarding the Redmond, Washington software leviathan's askew morality... This time, focused on the company's complaints targeting the National Security Agency's stockpiling of exploitation bits, while also dancing the stockpile two-step itself... Simply astounding.

"Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor" - via Iain Thomson writing at El Reg


All Intel Corporation Platforms At Risk, Remote Exploit Baked In →

May 01, 2017 by Marc Handelman in All is Information, Blatant Stupidity, Hardware Flaws, Hardware Security, Information Security

Charlie Demerjian, writing at SemiAccurate, tells the tale of probably the single most egregious flaw in Intel Corporation (Nasdaq: INTC) products discovered to date. Reportedly, all Intel Corporation products from 2008 to the present (Nehalem to Kaby Lake) possess the remotely and locally exploitable flaw. Hat Tip. Update: Now Fixed.
