Via Cory Doctorow comes this fascinating story of academics exercising superlative research and detection skills in the effort to understand - in excruciatingly intense detail - the true nature of cookie policies, in this case third-party cookie policies.
Entitled Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies (PDF), the paper (and of course, the researchers' documentation covering the trove of discovered exploits) is at your disposal to assist you in understanding, and perhaps discovering, other flaws in the browsers under scrutiny.
The creators/academics at the root of this outstanding, comprehensive work - Gertjan Franken, Tom Van Goethem and Wouter Joosen, all researchers at the Catholic University in Leuven, Belgium - were awarded the Distinguished Paper prize at this summer's USENIX Security conference. Also covered in Academics Discover New Bypasses for Browser Tracking Protections and Ad Blockers by Catalin Cimpanu at Bleeping Computer. Both are today's Must Read!
Superlative security research is still coming out of the IOActive game-changing environment (this has been going on for years now - how do they do it...).
Case in Point: The work of Alejandro Hernandez and his current project targeting the apparent insecurity of some (but not all, mind you) stock trading applications so popular amongst the budding young (and old - don't forget the greybeards) kings and queens of capitalism.
In the case under scrutiny, we are treated to a highly detailed - most importantly, thoroughly accurate - examination of a large number of commercially available applications executing their binary bits on a variety of platforms. Read all about it in Mr. Hernandez's blog post at IOActive, and in the accompanying white paper. You'll be glad you did.
Via Rob Knake, writing at the Council on Foreign Relations' online outlet Foreign Affairs, in the Snapshot section, comes this astute examination of the so-called cyberwarfare space's soft underbelly - power generation. Fear, Uncertainty and Doubt aside: successful attacks on electrical power generation, and on the equally crucial power distribution capabilities, would relegate vast swaths of the population to feudal vassals of regional political power (not to mention the demoralization of those populations). Today's Must Read.
"The digital infrastructure that serves this country is literally under attack," Director of National Intelligence Dan Coats warned starkly last week. Most commentators took his declaration that "the warning lights are blinking red" as a reference to state-sponsored Russian hackers interfering in the upcoming midterm elections, as they did in the 2016 presidential election. But to focus on election interference may be to fight the last war, fixating on past attacks while missing the most acute vulnerabilities now. There's reason to think that the real cyberthreat from Russia today is an attack on critical infrastructure in the United States - including one on the power grid that would turn off the lights for millions of Americans." - via Rob Knake, writing at Foreign Affairs
Sean Gallagher exposes a US politician - Georgia Governor Nathan Deal, who, evidently, has done the unthinkable! How odd, during these days of oddity cubed. Read Sean's superlative post at Ars Technica, where, of course, you may view the Infinity Gauntlet which was delivered (prior to the event under scrutiny).
A new research paper has attracted my attention at arXiv.org; and from Mordechai Guri, Boris Zadov, Dima Bykhovsky, Yuval Elovici, all from the astonishingly prolific Ben-Gurion University of the Negev, in southern Israel's blooming desert - the Negev. Interestingly, all working in the Cyber-Security Research Center a component - if you will - of the Department of Software and Information Systems Engineering.
This is one of those seemingly easy-to-grasp, easy-to-execute attacks (for the right entities, and with the appropriate hardware and software exfiltration tools) in which data may be slurped up, with minimal invasive telltale artifacts left behind, simply by sampling the modulated goodness of the electrical power connection to the targeted device.
Importantly, this form of attack would be devastating to the target, which has essentially no built-in intrusion defense watching over the electrical power flow into the machine's PDU (other than the usual gatekeeping set up around and amongst whatever payload is being sought - think directory services, database passwords, API security, tokens, et cetera). Certainly today's Must Read.
What does Savoir-Faire the French-Canadian Mouse have to do with hardware that 'cannot be tampered with'? Quite a bit, as a matter of fact. What follows is a tale of extreme arrogance exhibited by a hardware manufacturer, and the nearly overwhelming Savoir-Faire displayed by a fifteen year old child in possession of a blisteringly precise and keen intellect. Enjoy.
Dan Goodin, writing (as is his wont) at Ars Technica, regales us with his illustrious prose that tells the tale of hardware hubris, this time in the guise of a cryptocurrency wallet device and the CEO of the company that created the dingus; add in a feisty 15-year-old security researcher who will not give up and you'll get today's (I don't mind saying) Must Read!
'On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300-bytes long...' - via Dan Goodin, writing at Ars Technica
(Savoir-Faire is a Francophone noun phrase describing adaptability and adroitness (the notion of rightness); essentially, having the innate knowledge of how to behave, situationally - as paraphrased from Wikipedia. Savoir-Faire is also the name of a brilliant (and insightful) mouse from the Klondike Kat cartoons of Tennessee Tuxedo fame.) There, I have reminded you of two things you probably already knew. You are now equipped to carry on - quite smartly indeed - with your day.
The National Security Agency's 6th Annual Scientific Cybersecurity Paper Competition has been announced, along with the following Distinguished Experts and other Pertinent Particulars of the Competition (e.g., the submittal criteria, et cetera). Interested? Read on... A superlative conclave of security luminaries will examine the nominations and provide their specific submittal preferences to the National Security Agency's Research Directorate.
- PROF. L. JEAN CAMP, Indiana University
- DR. ROBERT CUNNINGHAM, Lincoln Laboratory
- DR. WHITFIELD DIFFIE, Cybersecurity Advisor
- DR. DAN GEER, In-Q-Tel
- DR. JOHN MCLEAN, Naval Research Laboratory
- PROF. STEFAN SAVAGE, University of California, San Diego
- MR. PHIL VENABLES, Goldman Sachs
- PROF. DAVID WAGNER, University of California, Berkeley
- DR. JEANNETTE WING, Columbia University
Here are the all-important dates:
- Submission Period Begins: December 15, 2017
- Submission Period for Entries Ends: March 30, 2018 11:59 PM, EST.
- Evaluation Process for Entries Begins: April 2, 2018
- Winners Notified: By September 14, 2018
- Winners Announced: Fall 2018
Russ McRee's well-wrought piece, published on his highly respected HolisticInfosec site within his toolsmith column (both on his site and formerly in the ISSA Magazine), provides a tour-de-force primer on utilizing the R development environment. R, in this case, is bent to Russ's will to accurately depict (of course) network data - in this case generated by (in Russ's words) "network traffic packet capture specific to malware called Win32/Sirefef or ZeroAccess that uses stealth to hide its presence on victim systems". Today's Must Read.
A well-crafted and insightful piece, written by Jai Vijayan, detailing developer security foibles - in this case discovered by researchers at the LOEWE Center for Advanced Security Research Darmstadt (CASED) - of which an astounding number (56,000,000) of unsecured data records resident in cloud systems (in this case Parse and AWS) has emerged. Phenomenal.