Incroyable! Massachusetts Institute of Technology researchers have developed what could very well be the 'holy grail' of submarine-to-surface communications. Monikered TARF, the system ostensibly converts SONAR to RADAR with no mid-processing steps required. Absolutely superb work, and today's Must Read.
Behold: A well crafted white paper, targeting security related white papers, that is apparently a blog post, and most importantly, dripping with the sweet, sweet wine of security sarcasm. Today's Must Read!
In which, Jonathan M. Gitlin, writing at Ars Technica, describes actions sinister, by electioneers in the State of Georgia... I contend this is further evidence of both a fast spiral of free and fair elections at the Stae and below levels, yet a slower spiral on the national scale. Today's Must Read.
"We've looked at poor voting security in the state previously. In 2017, a report by a Georgian security researcher revealed a shocking lack of security throughout the state's voting system. Later that year, we discovered that servers that were thought to be key evidence for the same federal lawsuit that has led to this week's news were wiped, then repeatedly degaussed." - via Jonathan M. Gitlin emendate scribere at Ars Technica
Superlative security research is still coming out of the IOActive game-changing environment (this has been going on for years now - how do they do it...).
Case in Point: The work of Alejandro Hernandez and his current project targeting the apparent insecurity of some (but not all, mind you) stock trading applications so popular amongst the budding young (and old - don't forget the greybeards) kings and queens of capitalism.
In the case under scrutiny, a highly detailed - most importantly: thoroughly accurate - examination of a large number of commercially available applications executing their binary bits on a variety of platforms. Read all about it on Mr. Hernandez's blog post at Iocactive, and white paper. You'll be glad you did.
Whom amongst our readers (including your's truly) would have thought that the Abdication of the Emperor of Japan (slated for mid-Spring, 2019) would have anything to do with time keeping issues - inclusive of calendaring problems, leading the island nation into it's own Y2K-like debacle? As a matter of course, the change in Epoch's also affects information security related processes and systems, including for example both role based access control and discreationary access control systems, identity management, incident logging and investigatory activities amongst others.
Now, via The Gaurdian's Alex Hern, comes word of what some might say as the coming crisis in Nipponese society due to the calendaring issues brought on by the Abdication of Emporer Akihito (the announced abdication to make way for Emperor Akihito’s son, Crown Prince Naruhito). For a country that bases it's time and date keeping functions on the Epoch which begins on the date a Crown Prince ascends the Chrysanthemum Throne as Emperor of Japan. This is not some mere disfunction of the calendar - it resonates in the very soul of the Emperor's subjects - the citizens of Japan, and their traditional method of marking the passing days, months and yeears. In regards to the Unicode debacle with the new Epoch, please read the post at The Guardian for additional details, as space is at a premium for this post. Certainly Today's MustRead!
“The magnitude of this event on computing systems using the Japanese Calendar may be similar to the Y2K event with the Gregorian Calendar,” said Microsoft Corporation Shawn Steele. “For the Y2K event, there was world-wide recognition of the upcoming change, resulting in governments and software vendors beginning to work on solutions for that problem several years before 1 Jan 2000. Even with that preparation many organisations encountered problems due to the millennial transition. - via Microsoft Corporation and MSDN's
In a well targeted and executed blog post by Dave Lewis, writing over at Forbes, Dave distills the essence of protective measures to be implement when valiantly serving as a defender of the Realm - in this case, the Information Security Principality. A highly recommended addition for your Summertime Reading Pleasure, and Today's Must Read.
'It was a cool morning as King Arthur and his party galloped through the forest on their way towards the castle. His trusty squire kept the beat with a two halves of a coconut in lieu of actual steeds to whisk them on their way. They approached the castle walls where they were met by an impertinent French soldier who hurled insults at them. An amusing analogy for the traditional perimeter IT security defense.' - via Dave Lewis, writing at Forbes.
via Ina Fried and David McCabe, writing at Axios, comes the latest revelation of feckless user data management at Facebook Inc. (Nasdaq: FB); this time, the event comes with smarmily justified sharing of Facebook Inc. user data (without user consent) to Chinese manufacturers' (including People's Republic of China's Peoples Liberation Army controlled Huawei and others) by Francisco Varela, Facebook, Inc. Vice President - Mobile Partnerships Varsela, also (apparently) is a shill ( here) for First Republic Bank. Enjoy today's Must Read and this! H/T
“Huawei is the third largest mobile manufacturer globally and its devices are used by people all around the world, including in the United States. Facebook along with many other U.S. tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones. Facebook's integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get go — and we approved the Facebook experiences these companies built. Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei's servers.”' - Francisco Varela, Vice President - Mobile Partnerships, Facebook Inc.
News from over the weekend - via 9to5Mac writer Michael Potuck, focusing on Telegram; of which, the encrypted messaging iOS app has been permitted to publish the latest update to their bits - via Apple Inc. (Nasdaq: AAPL) iTunes App Store. This, despite the declaration of illegality by Kremlin Apparatchiki. Today's Must Read.
Unintended Consequences... via Alastair Paterson, writing as he often does at SecurityWeek, comes this commom sense post detailing issues with the European Union's General Data Protection Regulations (GDPR) as that regulation interfere's with what-may-seem-like-age-old-internetworking-tools - in this case Whois. Highly recommended and Today's MustRead!
via Zack Whittaker timely reportage for ZDNet's Zero Day group, his work provides insight to the tangled-web-we-weave in the ICS/SCADA world. This time - the ramifications of a particularly-pesky security flaw in a Schneider product (amongst thousands of other known bugs in hundreds of other software packages coupled with poor software management practices in the industrial control systems sector combine to make a very poor nap at the control boards, indeed. Just ask Homer! Today's Critical Must Read Choice.
"It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. " - via Zack Whittaker writing for ZDNet's Zero Day
via Tom Krazit, writing at GeekWire, details the need for security tooling assistance targeting the apparent shortcomings of customer security comprehension. Really? I chalk this up to customer facing security tooling, and enablement (Hows' that for Corporate DoubleSpeak?). Far be it for me to denigrate customer security understanding... Today's MustRead!
A new research paper has attracted my attention at arXiv.org; and from Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici, all from the astonishingly prolific Ben-Gurion University of the Negev, in southern Israel's blooming desert - the Negev. Interestingly, all working in the Cyber-Security Research Center a component - if you will - of the Department of Software and Information Systems Engineering.
This is one of those seemingly easy to grasp, easy to execute (for the right entities, and with the apropos hardware and software exfiltration tools) in which, data may be slurped-up, with minimal invasive telltale artifacts left behind, simply from sampling the modulated goodness of the electrical power connection to the targeted device.
Importantly, this form of attack would be devestating to the target, of which, has essentially no in-built incusion defense watching over the electrical power flow into the machies PDU (other than the usual gatekeeping set up around and amongst whatever payload is being sought (think diretory services, database passwords, API security, tokens, et cetera). Certainly, today's Must Read.
Jérôme Segura writing at the Malwarebytes' blog, has an outstanding piece up on the site. In which, the details point to an interesting state of affairs with malicious cryptominer's use of cloud services and blacklisting. Inclusive of disposable cloud services (specifically) and the rising problematic effects that utility produces. Today's MustRead!
via the Institute of Electrical and Electronics Engineers Spectrum Magazine, and reporter Stephen Cass, comes a tale of the future, but firmly rooted in the present: The United States Army's new manga, published to educate both enlisted and officers alike in the dangers elicited by cyberwarfare. Entitled Dark Hammer - and written by Brian David Johnson Director of the Threatcasting Laboratory at Arizona State University - in partsnership with the Army Cyber Institute at West Point. The tome is ten pages of go-get-em-cyber-cyber-cyber.... Today's MustRead!