Two days ago @to3k stated that "Introducing the .zip and .mov domains is a disaster from a cybersecurity standpoint...", and he was right - here is a good example of how such domains can be abused by attackers:
The Platformer's recent article about Twitter claims that Twitter's encrypted DMs are not end-to-end encrypted:
"These messages are not encrypted end to end, making them vulnerable to so-called man-in-the-middle attacks."
This is wrong. Twitter's encrypted DMs truly are end-to-end encrypted. That is, no one other than the sender and recipient can decrypt the messages. However, Twitter does not provide a mechanism for users to verify the public key of other contacts. And this makes the design vulnerable to man-in-the-middle attacks.
Users negotiate a shared key to start an encrypted conversation using their public keys. After the negotiation phase, both the sender and recipient agree on a shared key to encrypt/decrypt messages in the conversation. Thus, every user has to trust that Twitter delivers the correct public key of the DM counterpart. Otherwise, an attacker can intercept the communication between one user and Twitter and act on behalf of the victim to negotiate the shared key with the DM counterpart. In the end, the attacker obtains the shared key and can decrypt [also alter and re-encrypt] the messages in the encrypted DM.
This major flaw does not disqualify the communication from being end-to-end encrypted. Twitter can easily overcome this flaw by letting users view the fingerprint of their own public keys.
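The key exchange and the missing verification step described in this post, modelled in code. This is an added example, not code from the post and not Twitter's implementation: it assumes X25519 for the key agreement and a SHA-256 hash of the raw public key as the fingerprint; the key directory, the participant names and the simple hash-based KDF are constructed for the demo. When the directory hands out an honest key, both sides derive one shared key and their fingerprints match what each party could show out of band. When the directory substitutes the interceptor's key, the fingerprints no longer match, and the interceptor holds a separate shared key with each side, which is exactly the position that lets it decrypt, alter and re-encrypt traffic.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// party is one DM participant holding a long-term X25519 key pair.
type party struct {
	name string
	priv *ecdh.PrivateKey
}

func newParty(name string) *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{name: name, priv: priv}
}

// fingerprint is the SHA-256 of the raw public key: the value a user would
// compare out of band (in person, on a call) before trusting a delivered key.
func fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return hex.EncodeToString(sum[:])
}

// sharedKey derives the conversation key from our private key and the peer
// public key as delivered by the directory. The SHA-256 step is a stand-in KDF
// for the demo, not a real protocol's key schedule.
func (p *party) sharedKey(peerPub *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(peerPub)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(secret)
	return k[:]
}

// directory models the key server (constructed for the demo). If mitm is set,
// it answers every lookup with the interceptor's key instead of the real one.
type directory struct {
	keys map[string]*ecdh.PublicKey
	mitm *party
}

func (d *directory) publish(p *party) { d.keys[p.name] = p.priv.PublicKey() }

func (d *directory) lookup(name string) *ecdh.PublicKey {
	if d.mitm != nil {
		return d.mitm.priv.PublicKey()
	}
	return d.keys[name]
}

// result records what each side can observe after the negotiation.
type result struct {
	endToEndKey bool // Alice and Bob hold the same key (no one in between)
	fpVerified  bool // delivered keys match the out-of-band fingerprints
	mitmReads   bool // interceptor shares a key with each side and can relay
}

func negotiate(alice, bob *party, dir *directory) result {
	bobPubSeen := dir.lookup(bob.name)     // what Alice is told is Bob's key
	alicePubSeen := dir.lookup(alice.name) // what Bob is told is Alice's key
	kA := alice.sharedKey(bobPubSeen)
	kB := bob.sharedKey(alicePubSeen)

	// The check the post says is missing: compare delivered keys against the
	// fingerprints the real owners would display.
	fpOK := fingerprint(bobPubSeen) == fingerprint(bob.priv.PublicKey()) &&
		fingerprint(alicePubSeen) == fingerprint(alice.priv.PublicKey())

	r := result{endToEndKey: bytes.Equal(kA, kB), fpVerified: fpOK}
	if dir.mitm != nil {
		// Each side actually agreed a key with the interceptor, so it can
		// decrypt from one side and re-encrypt towards the other.
		mA := dir.mitm.sharedKey(alice.priv.PublicKey())
		mB := dir.mitm.sharedKey(bob.priv.PublicKey())
		r.mitmReads = bytes.Equal(mA, kA) && bytes.Equal(mB, kB)
	}
	return r
}

// runScenario sets up Alice, Bob and the directory, optionally with an
// interceptor substituting keys, and runs one negotiation.
func runScenario(withMITM bool) result {
	alice, bob := newParty("alice"), newParty("bob")
	dir := &directory{keys: map[string]*ecdh.PublicKey{}}
	dir.publish(alice)
	dir.publish(bob)
	if withMITM {
		dir.mitm = newParty("interceptor")
	}
	return negotiate(alice, bob, dir)
}

func main() {
	for _, m := range []bool{false, true} {
		r := runScenario(m)
		fmt.Printf("substituted_key=%v end_to_end_key=%v fingerprints_verified=%v interceptor_reads=%v\n",
			m, r.endToEndKey, r.fpVerified, r.mitmReads)
	}
}
```

The point the code makes is the post's point: nothing in the cryptography fails, the interceptor simply becomes the "end" on each side. The only signal available to the users is the fingerprint mismatch, which is why exposing fingerprints (and ideally alerting on key changes) is the fix rather than a change to the encryption itself.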
A security vulnerability in the Wemo Smart Plug Mini V2 could allow hackers to take control of the device, but Belkin has said it will not be fixed because the device is at the end of its life.
Beyond knowing technology and cybersecurity, CISOs also need to excel at situational awareness, business alignment, and persuasion: https://zeltser.com/cisos-and-collaboration/
I'm very happy to share with you all my latest research #blogpost along with my awesome teammate Reuven Yakar. Reuven and I found a critical vulnerability in the popular Wemo smart electrical socket by Belkin. This research had all the fun stuff - software AND hardware hacking and reverse engineering - and I'm super excited to finally be able to share it. Note that Belkin WILL NOT be releasing a patch for this vulnerability: https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/
@arstechnica yes, password-protected zip files are just an illusion of privacy.
In fact, these researchers were not using them for privacy, but as a way of sending malware samples to each other without being stopped by the malware scanners.
What I don't understand is why so many banks and financial institutions are so fond of them. They keep sending sensitive information via email on password-protected zip files where the password is your ID or your birthday... 🙄
Proper end-to-end encryption has been around for decades. 🤷♂️
@AAKL Of course, something allowed the #ransomware into your system to begin with, and you also need to plug that hole or you're likely to just end up having to go through the ordeal again after restoring that #backup. To say nothing of the risk of having your data exposed.
Sometimes the simplest things, like promptly installing updates as they become available, can be all that's needed. In other words, basic #security hygiene.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #19/2023 is out! It includes, but not only:
‣ New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing #Phishing Pages
‣ #Netgear Routers' Flaws Expose Users to #Malware, Remote Attacks, and Surveillance
‣ 🇮🇹 🏎️ #WordPress Plugin Vulnerability Exposed #Ferrari Website to Hackers
‣ 🇯🇵 🚗 #Toyota Japan exposed data on millions of vehicles for a decade
‣ 📨 #Microsoft patches bypass for recently fixed Outlook zero-click bug
‣ 🇺🇸 🇺🇦 IRS gives #Ukraine tools to expose Russian oligarchs hiding riches in #crypto exchanges
‣ 🇨🇭 Multinational tech firm #ABB hit by Black Basta #ransomware attack
‣ 🐥 #Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
‣ 🇺🇸 Cybersecurity firm #Dragos discloses cybersecurity incident, extortion attempt
‣ 🇰🇵 North Korean hackers breached major hospital in Seoul to steal data
‣ 🇺🇸 #Google Now Lets US Users Search #DarkWeb for Their Gmail ID
‣ 🇺🇸 #IBM Delivers Roadmap for Transition to Quantum-safe #Cryptography
‣ 🇪🇸 Spanish police dismantle phishing operation linked to crime ring
‣ 🇺🇸 Microsoft #PatchTuesday: 40 Vulnerabilities, 2 Zero-Days
‣ 🇺🇸 🇷🇺 Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by #Russia's Federal Security Service
‣ 🇺🇸 Feds seize 13 more DDoS-for-hire platforms in ongoing international crackdown
‣ #MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
‣ 🇮🇷 Microsoft: Iranian hacking groups join #Papercut attack spree
📚 This week's recommended reading is: "The Pentester BluePrint: Starting a Career as an Ethical Hacker" by @phillipwylie and @crowgirl
The Register should actually read the draft of the #CyberResilienceAct, which clearly makes that distinction in item 10 of the preamble:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.[^1]
The fact that you see companies such as Microsoft (through GitHub) speaking against CRA is quite telling: because if FOSS volunteers aren’t legally responsible for software #security under CRA, then who will be? Well, of course the Microsofts, Amazons and RedHats of the world, who take free software and sell products based on it as well as support contracts for #FOSS packages. This is precisely why they started this “grassroots” disinformation campaign, just like Google did with “ACTA2”, having even Python Software Foundation confused to repeat the nonsense:
The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users.[^2]
After reading the three The Register articles[^1][^2] on the #CyberResilienceAct I have the impression that the British press is again doing exactly what it did on #Brexit - taking EU ideas their sponsors don't like and intentionally distorting them to create an utterly absurd picture of "Brussels idiots", while perfectly realising they're lying. Just read this:
But the EU commissioners don’t have a clue about how open source software works. Or, frankly, what it is. They think that open source is the same as proprietary software with a single company behind it that’s responsible for the work and then monetizes it. Nope.[^1]
Note this is not written by some Daily Mail intern who doesn’t distinguish “directive” from “regulation”, this is written by an IT journalist who clearly has read the CRA draft. He perfectly understands what he’s writing about, he knows how the software market works. And then he writes this:
The CRA’s underlying assumption is that you can just add security to software, like adding a new color option to your car’s paint job. We wish! Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard. The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is in Europe (it’s in Belgium). They can’t afford to secure their software to meet EU specifications.[^1]
I have spent quite a large part of my professional life in software #security and I do #FOSS, so let me correct this misleading paragraph:
The "notional open source developer in Nebraska" may not have resources for user support and security, but doesn't have to, because the CRA clearly excludes him from the regulation (preamble, item 10).
Because large companies still want to use the Nebraska library, and because large companies like to have “software support contracts”, they do pay for the latter to “software support companies” whose names we all know.
The majority of the "software support company" job is to repackage the original FOSS library and cash the "support contract" payment. This is exactly how we ended up with the OpenSSL library being placed literally everywhere for decades until someone decided to have a look and found tons of vulnerabilities.
Could these vulnerabilities have been found earlier? Of course: the software (SAST, DAST, IAST etc) to do it is widely available. There’s just one problem: it’s bloody expensive.
Of course, the Nebraska dev won't spend the 10^5 USD annual cost of a decent SAST scanner just for peace of mind. On the other hand, if someone sends a merge request with a fix, he or she will likely happily merge it.
But hey, maybe there’s someone in the food chain who is already casually cashing a lot of money for repackaging the Nebraska free software that could possibly spend a fraction of it for that kind of maintenance? 🤔
Make up your own mind about who might be the most impacted by the CRA here…