Dave Lewis, well-known information security professional, founder of the security site Liquidmatrix Security Digest, co-host of the Liquidmatrix podcast and a contributing writer at Duo's Decipher blog, tells a fascinating story of a lash-up of his lunch, an autonomous automobile and the Law of Unintended Consequences. Rather than spill the beans here, travel, if you will, via our beloved Interwebs to the Decipher blog and luxuriate in the tale told by Mr. Lewis! Certainly today's Security Must Read!
Behold, Ladies and Gentlemen, an erudite paper detailing the notion of the eTerrorist, written by Professor Christina Schori Liang, has made its way into my sometimes overloaded field of cogitatory vision. Well wrought, indeed! Professor Liang leads the Terrorism and Organized Crime Cluster at the Geneva Centre for Security Policy and is a Visiting Professor at the Paris School of International Affairs.
Whether you are in the public sector or the private sector, or simply interested in what very well may be the next evil surfactant in the sea of evil flotsam, jetsam, lagan, and derelict floating upon the Interwebs, pay attention and read Professor Liang's short but enlightening work.
Kelby Ludwig, writing at Duo Labs, has just posted a fascinating blog entry detailing Duo's recent discovery of a class of SAML vulnerabilities potentially affecting a range of implementations and deployments. In this case, the attacker needs no knowledge of the victim's password at all; an authenticated account of the attacker's own is enough to be authenticated as a different user. H/T
"This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password." - via Duo Labs' Kelby Ludwig
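The page quotes only Duo's summary. The mechanism Duo reported (an XML comment placed inside the assertion's NameID, which splits the value into two text nodes so that a service provider reading just the first text node sees a truncated identity, while the canonicalised, signed bytes are unchanged) is illustrated by the following added example. It is not code from Duo, from this site, or from any SAML library; the assertion fragment is constructed and unsigned, and the "naive" and "strict" extractors are illustrative patterns, not any named product's code.

```python
"""Added example (not Duo's code nor this site's): how an XML comment
inside <saml:NameID> changes the subject a naive SAML service provider
extracts while leaving the canonical, signed form intact.
The <saml:Subject> fragment is constructed and carries no signature."""
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def assertion_fragment(name_id: str) -> str:
    """Build a minimal, constructed <saml:Subject>. `name_id` is inserted
    verbatim so a caller can place an XML comment inside it."""
    return (
        f'<saml:Subject xmlns:saml="{SAML_NS}">'
        f"<saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject>"
    )


def _name_id_element(xml_text: str):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def naive_name_id(xml_text: str) -> str:
    """Vulnerable pattern: trust the first child node's text.
    A comment splits the content into two text nodes, so only the
    part before the comment is returned."""
    return _name_id_element(xml_text).firstChild.data


def name_id_is_plain_text(xml_text: str) -> bool:
    """True only when every child of NameID is character data
    (no comments, no nested elements)."""
    elem = _name_id_element(xml_text)
    return all(
        child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)
        for child in elem.childNodes
    )


def strict_name_id(xml_text: str) -> str:
    """Hardened pattern: refuse any structure inside NameID, then join
    all text nodes so the value equals what the canonical form carries."""
    if not name_id_is_plain_text(xml_text):
        raise ValueError("NameID contains non-text nodes (comment/element)")
    return "".join(c.data for c in _name_id_element(xml_text).childNodes)


def signed_view(xml_text: str) -> str:
    """What an XML-DSig verifier hashes: the canonical form. Canonical
    XML without comments drops the comment and leaves the text joined,
    so a signature over the honest assertion also covers the forged one."""
    return ET.canonicalize(xml_data=xml_text)


if __name__ == "__main__":
    # Attacker legitimately owns user@example.com.evil.com and inserts a
    # comment so a naive SP reads the victim identity user@example.com.
    honest = assertion_fragment("user@example.com.evil.com")
    forged = assertion_fragment("user@example.com<!---->.evil.com")
    print("canonical forms identical:", signed_view(honest) == signed_view(forged))
    print("naive SP sees:", naive_name_id(forged))
    print("strict SP accepts forged?", name_id_is_plain_text(forged))
```

The check a practitioner wants is the last one: after signature verification, extract the identity from the same canonical bytes that were verified, or reject any NameID whose children are not pure character data. Reading `firstChild` (or an equivalent "first text node" accessor in another language) is the pattern to hunt for in your own SP code.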
Martyn Williams, writing at 38North, reports on the new North Korean Computer Center, ostensibly an open library of software created (or, mostly, modified) in the Democratic People's Republic of Korea. We strongly suggest caution when opening any files (e.g., PDFs, DOCs, binaries, et cetera) or running any software from the library, especially in light of this weighty caveat:
"In publishing the PDF files, the team running the site had to strip out tracking code that had been inserted into the files by the Red Star OS. The software adds a hard-drive serial number to files when they are opened, potentially allowing the government the ability to determine all the computers on which a file has been viewed." - via Martyn Williams, writing at 38North
NIST's Computer Security Division and Information Technology Laboratory (ITL), along with the NIST Cloud Computing Program, have announced that they are hosting the 8th Cloud Computing Forum and Workshop. Registration information, etc., can be viewed here. Included with the announcement is the Call for Abstracts, with deadlines noted below:
- Abstract Submission Deadline: May 15, 2015
- Abstracts Review Deadline: June 1, 2015
- Presentation Submission Deadline: July 1, 2015
Once again, Kim Zetter's superlative prose details the astounding story of Stuxnet; this time in a new book titled 'Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon' [published by Crown Publishing Group, a division of Random House]. Apparently, as with many other 'infections', the vector [in this case] is the order of the day... This month's MustRead.
Evidently, seventeen thousand Apple Inc. (NasdaqGS: AAPL) Mac OS X machines (worldwide) have been corralled into a nefarious botnet. Discovered by a relative unknown in the burgeoning Russian anti-virus industry (nope, it wasn't Kaspersky), this bot is probably the prettiest ever, eh Comrade? One bit of good news: Apple released a new malware definitions update as of 11:00 AM yesterday.
Perhaps a good idea for the Nigerians. Nevertheless, it is doubtful the Nigerian spammers will be hampered by the newly implemented national ID system... The interesting news, announced of course via a press release, is the assistance bestowed on the Federal Republic of Nigeria by MasterCard Incorporated (NYSE: MA).
Via the erudite Dan Goodin at Ars Technica comes the latest entry in the litany of misadventures at ne'er-do-well personal privacy company LifeLock. Consisting, if you will, of the latest foul-up at the embattled firm, Mr. Goodin's screed has succeeded in the task assigned:
An excoriation of the ham-handedness in situ at LifeLock, describing in luxurious and excruciating detail the sorrowful tale of blatant incompetence rampant at the company. Simply astonishing.