Bureau Releases Additional Evidence of DPRK Complicity
Ah, news outlets are reporting the release of evidence by the United States Department of Justice's Federal Bureau of Investigation; in this case detailing DPRK complicity in the now infamous Sony hack...
Hard, Network Security Is...
Today's MustRead: Well-crafted thought piece via LightCyber's Uriel Maimon on the multitude of failures in the network protection racket, and why - evidently - security and network professionals are unable to protect their at-risk network infrastructures.
Defectum Securitas →
Via VentureBeat's Evan Schuman comes the sorry tale of enterprise security failures, and importantly, the continued failures of both security implementation and deployment in the recent high-profile retail security snafus of last year [e.g., Target's gargantuan credit and debit card breach]. Astonishing...
Physical Access Not Required →
Physikalisch Zugriff Nicht Erforderlich
More interesting security slap and tickle at the Chaos Computer Club confab in Germany... This time, apparently the lack of physical access was not an impediment in the second well-publicized defeat of Apple Inc.'s [NasdaqGS: AAPL] TouchID. Jan Krissler, holding forth at the conference, has detailed the steps taken to overcome the vaunted security of TouchID via a presentation entitled 'Gefahren von Kameras für (biometrische) Authentifizierungsverfahren [31c3]'.
'Krissler said he used commercially available software called VeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.' - via Emil Protalinski writing at VentureBeat
Digital Weaponry, Vectored
Once again, Kim Zetter's superlative prose details the astounding story of Stuxnet; this time, in a new book titled 'Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon' [published by Crown Publishing Group, a division of Random House]. Apparently, like many other 'infections' the vector [in this case] is the order-of-the-day... This month's MustRead.
Vitae Tacitum, Litaniae ex Signum →
Fascinating piece on the notion of passwords, written by Ian Urbina at the New York Times Magazine; with an exceedingly tight focus on the true meaning of the so-called password object...
Exactly →
In a tour de force screed, published at InfosecIsland, Steve Martino details exactly what is required for data classification to succeed, and the impact of that classification effort on an organization's information security posture. (Mr. Martino is Cisco Systems, Inc.'s (NasdaqGS: CSCO) CISO and VP of Information Security.)
Department of State, The Breach →
Astonishing proof, in the form of breaking news, of questionable competence within the network security realm, at the United States Department of State... The successful thwarting of State's Maginot Line was revealed in news published by the New York Times. Remarkable...
Concept, Proof of
Bad news for Network Attached Storage users, as a newly devised POC now exists. Should you be concerned? Probably.
Spotlight Privacy Fail
In a privacy reversal, Apple Inc.'s (NasdaqGS: AAPL) Spotlight search utility now mingles your search queries with millions of others, and forwards those sweet, sweet nuggets of data to Microsoft Corporation's (NasdaqGS: MSFT) Bing search engine.
While, on the surface, this data collection does not appear to violate any of http://www.apple.com/privacy, it is quite simply a terrible decision, and certainly muddies the waters for Mac OS X users worldwide. Simply astonishing...
Apple's statement, culled from the Spotlight application on Yosemite, otherwise known as Apple Mac OS X 10.10:
About Spotlight Suggestions & Privacy
When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft's Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services.
If you do not want your Spotlight search queries and Spotlight Suggestions usage data sent to Apple, you can turn off Spotlight Suggestions. Simply deselect the checkboxes for both Spotlight Suggestions and Bing Web Searches in the Search Results tab in the Spotlight preference pane found within System Preferences on your Mac. If you turn off Spotlight Suggestions and Bing Web Searches, Spotlight will search the contents of only your Mac.
You can turn off Location Services for Spotlight Suggestions in the Privacy pane of System Preferences on your Mac by clicking on “Details” next to System Services and then deselecting “Spotlight Suggestions”. If you turn off Location Services on your Mac, your precise location will not be sent to Apple. To deliver relevant search suggestions, Apple may use the IP address of your Internet connection to approximate your location by matching it to a geographic region.
Information collected by Apple will be treated in accordance with Apple’s Privacy Policy, which can be found at www.apple.com/privacy.
Malvert-ized →
News [via Lucian Constantin writing at PCWorld] of the latest compromised advertising networks... In this case, Right Media (now Yahoo Ad Exchange), The Rubicon Project, and OpenX - all three broadcasting their nasty bits, now infecting unknown numbers of clients... Hence the necessity of proactive ad-blocking with browser extensions such as AdBlock.
NSA's CSfC Recognizes Knox →
News, via John Ribeiro, writing for PCWorld, of the acceptance of Samsung Electronics Co. Ltd.'s (SSNLF) KNOX device product line within the National Security Agency's Commercial Solutions for Classified program.
Fleishman's Cloud →
Glenn Fleishman, writing at MacWorld, regales us with a sort of iCloud Omnibus; in which, the Good Mr. Fleishman tells of Cupertino's take on the security of the remote storage behemoth's infrastructure (also known as Apple Inc.'s (NasdaqGS: AAPL) iCloud).
Inside DHS Security Investigations Forensics Laboratories →
Astonished to find this well-written investigative piece by Vince Lattanzio, writing for NBC 10, in Bala Cynwyd, Pennsylvania [covering Philadelphia and the NBC affiliate in the City of Brotherly Love]. In an effort to detail the Department of Homeland Security's Forensics Investigation Laboratory, many of the tricks of the trade - so to speak - are illustrated for all, including an EMF blocker container to examine miscreant-owned mobile devices without the possibility of remote data destruction.
Bletchley Park, The History →
Readers who have examined this weblog during the thirteen years plus of its publication know of my Interest in Matters Turing and Bletchley; Alan Turing & Bletchley Park, that is... With those Foci in mind, here is a fascinating serial scrutinizing the history of Bletchley Park, the nearly seventy-year-old locale of the United Kingdom of Great Britain and Northern Ireland's Government Code and Cypher School (GC&CS) (now known as GCHQ). Today's MustRead.
Input Validation, du Jour →
Not to be outdone by the well-reported Bourne Again Shell vulnerability of two weeks past, now, via Robert Lemos, writing at ArsTechnica, comes this sordid tale of poor punctuation coupled with input validation issues. In which the vulnerability at hand opens up a logical path within the Microsoft Corporation (NasdaqGS: MSFT) Windows in-built shell, where all the badness is vectored...
iWorm
Evidently, seventeen thousand Apple Inc. (NasdaqGS: AAPL) Mac OS X machines (worldwide) have been corralled into a nefarious botnet. Discovered by a relative unknown in the burgeoning Russian anti-virus industry (nope, it wasn't Kaspersky) this bot is probably the prettiest ever, eh Comrade? One bit of good news, Apple has released a new malware definitions update as of 11:00 AM yesterday.
Zdziarski's 8 →
iOS 8, that is... Apparently, Apple Inc.'s (NasdaqGS: AAPL) soon-to-be-released iOS 8 shows evidence of significant attack surface minimization (e.g., File Relay, also known as com.apple.mobile.file_relay - the service that permits data egress via WiFi - is now protected from, at least, easy attacks). Jonathan Zdziarski's white paper informs us of the necessity to curtail iOS paths of data exfiltration, and such. Today's Must Read.
"File Relay (com.apple.mobile.file_relay) was the service responsible to causing the biggest potential privacy threat, by dumping large amounts of personal data from the device and bypassing the user’s backup encryption password. The file relay service is now guarded. While the service still exists, all attempts to extract data from it will fail with a permission denied error" -via the Jonathan Zdziarski Blog