via the inimitable Rich Mogull, writing at TidBits, comes this interesting take on newly implemented user-land security operability problems in Apple Inc.'s. (Nasdaq: AAPL) desktop operating variant of Darwin (aka macOS X (10.14 Mojave). Typically, strict utilization of user-land intervention implementing security controls leads to insecure configurations. Today's Must Read (especially considering the mew macOS version is due for general release today!).
Quite likely one of the more entertaining CyberLaw Blog Podcast yet... In this case, the inimitable Bruce Schneier talks with Cyberlaw Blog podcast's eponymous Stewart Baker on the occasion of Bruce's latest publishing tour de force: 'Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World'. Today's Must Listen and certainly Must Read. Enjoy!
Incroyable! Massachusetts Institute of Technology researchers have developed what could very well be the 'holy grail' of submarine-to-surface communications. Monikered TARF, the system ostensibly converts SONAR to RADAR with no mid-processing steps required. Absolutely superb work, and today's Must Read.
Behold: A well crafted white paper, targeting security related white papers, that is apparently a blog post, and most importantly, dripping with the sweet, sweet wine of security sarcasm. Today's Must Read!
In which, Jonathan M. Gitlin, writing at Ars Technica, describes actions sinister, by electioneers in the State of Georgia... I contend this is further evidence of both a fast spiral of free and fair elections at the Stae and below levels, yet a slower spiral on the national scale. Today's Must Read.
"We've looked at poor voting security in the state previously. In 2017, a report by a Georgian security researcher revealed a shocking lack of security throughout the state's voting system. Later that year, we discovered that servers that were thought to be key evidence for the same federal lawsuit that has led to this week's news were wiped, then repeatedly degaussed." - via Jonathan M. Gitlin emendate scribere at Ars Technica
Superlative security research is still coming out of the IOActive game-changing environment (this has been going on for years now - how do they do it...).
Case in Point: The work of Alejandro Hernandez and his current project targeting the apparent insecurity of some (but not all, mind you) stock trading applications so popular amongst the budding young (and old - don't forget the greybeards) kings and queens of capitalism.
In the case under scrutiny, a highly detailed - most importantly: thoroughly accurate - examination of a large number of commercially available applications executing their binary bits on a variety of platforms. Read all about it on Mr. Hernandez's blog post at Iocactive, and white paper. You'll be glad you did.
Whom amongst our readers (including your's truly) would have thought that the Abdication of the Emperor of Japan (slated for mid-Spring, 2019) would have anything to do with time keeping issues - inclusive of calendaring problems, leading the island nation into it's own Y2K-like debacle? As a matter of course, the change in Epoch's also affects information security related processes and systems, including for example both role based access control and discreationary access control systems, identity management, incident logging and investigatory activities amongst others.
Now, via The Gaurdian's Alex Hern, comes word of what some might say as the coming crisis in Nipponese society due to the calendaring issues brought on by the Abdication of Emporer Akihito (the announced abdication to make way for Emperor Akihito’s son, Crown Prince Naruhito). For a country that bases it's time and date keeping functions on the Epoch which begins on the date a Crown Prince ascends the Chrysanthemum Throne as Emperor of Japan. This is not some mere disfunction of the calendar - it resonates in the very soul of the Emperor's subjects - the citizens of Japan, and their traditional method of marking the passing days, months and yeears. In regards to the Unicode debacle with the new Epoch, please read the post at The Guardian for additional details, as space is at a premium for this post. Certainly Today's MustRead!
“The magnitude of this event on computing systems using the Japanese Calendar may be similar to the Y2K event with the Gregorian Calendar,” said Microsoft Corporation Shawn Steele. “For the Y2K event, there was world-wide recognition of the upcoming change, resulting in governments and software vendors beginning to work on solutions for that problem several years before 1 Jan 2000. Even with that preparation many organisations encountered problems due to the millennial transition. - via Microsoft Corporation and MSDN's
In a well targeted and executed blog post by Dave Lewis, writing over at Forbes, Dave distills the essence of protective measures to be implement when valiantly serving as a defender of the Realm - in this case, the Information Security Principality. A highly recommended addition for your Summertime Reading Pleasure, and Today's Must Read.
'It was a cool morning as King Arthur and his party galloped through the forest on their way towards the castle. His trusty squire kept the beat with a two halves of a coconut in lieu of actual steeds to whisk them on their way. They approached the castle walls where they were met by an impertinent French soldier who hurled insults at them. An amusing analogy for the traditional perimeter IT security defense.' - via Dave Lewis, writing at Forbes.
via Ina Fried and David McCabe, writing at Axios, comes the latest revelation of feckless user data management at Facebook Inc. (Nasdaq: FB); this time, the event comes with smarmily justified sharing of Facebook Inc. user data (without user consent) to Chinese manufacturers' (including People's Republic of China's Peoples Liberation Army controlled Huawei and others) by Francisco Varela, Facebook, Inc. Vice President - Mobile Partnerships Varsela, also (apparently) is a shill ( here) for First Republic Bank. Enjoy today's Must Read and this! H/T
“Huawei is the third largest mobile manufacturer globally and its devices are used by people all around the world, including in the United States. Facebook along with many other U.S. tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones. Facebook's integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get go — and we approved the Facebook experiences these companies built. Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei's servers.”' - Francisco Varela, Vice President - Mobile Partnerships, Facebook Inc.
News from over the weekend - via 9to5Mac writer Michael Potuck, focusing on Telegram; of which, the encrypted messaging iOS app has been permitted to publish the latest update to their bits - via Apple Inc. (Nasdaq: AAPL) iTunes App Store. This, despite the declaration of illegality by Kremlin Apparatchiki. Today's Must Read.
Unintended Consequences... via Alastair Paterson, writing as he often does at SecurityWeek, comes this commom sense post detailing issues with the European Union's General Data Protection Regulations (GDPR) as that regulation interfere's with what-may-seem-like-age-old-internetworking-tools - in this case Whois. Highly recommended and Today's MustRead!
via Zack Whittaker timely reportage for ZDNet's Zero Day group, his work provides insight to the tangled-web-we-weave in the ICS/SCADA world. This time - the ramifications of a particularly-pesky security flaw in a Schneider product (amongst thousands of other known bugs in hundreds of other software packages coupled with poor software management practices in the industrial control systems sector combine to make a very poor nap at the control boards, indeed. Just ask Homer! Today's Critical Must Read Choice.
"It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. " - via Zack Whittaker writing for ZDNet's Zero Day
via Tom Krazit, writing at GeekWire, details the need for security tooling assistance targeting the apparent shortcomings of customer security comprehension. Really? I chalk this up to customer facing security tooling, and enablement (Hows' that for Corporate DoubleSpeak?). Far be it for me to denigrate customer security understanding... Today's MustRead!