"It's better to have a media strategy than a security strategy." Greg Ferro on Home Depot's paltry $19.5M settlement for their 2014 breach involving 40M credit cards.
"The hard bit of crypto isn't #crypto design. It's fighting the awful OpenSSL APIs which actively encourage serious crypto and memory bugs." @pwnallthethings
"You do background checks on your employees. Why not for the software you run?" Chris Wysopal
"In the eyes of most people, security’s job is to dream up hypothetical scenarios and then dictate rules based on them." James Wickett
"New malware variant so good at hiding itself, it thwarts own infection checks. ends up local dosing." Satoshi Nakamoto
"In the 44 days since we introduced [the red lock icon in gmail], the amount of inbound mail sent over an encrypted connection increased by 25%." Google Security Blog
NPM left-pad debacle
Techniques for combatting ransomware
As noted by FireEye and others, there has been a huge increase in ransomware recently, specifically Locky. To combat it, a few researchers have proposed solutions. In the post Proactively Reacting to Ransomware, the researcher proposes creating file canaries that can be monitored to see if something tries to encrypt them. A similar technique was proposed a few weeks ago with PoC driver code in the project ofercas/ransomware_begone.
Another post titled Abusing bugs in the Locky ransomware to create a vaccine showed direct attacks against Locky, for example, Locky will not attack Russian systems, so "It is therefore possible to set the system language to Russian to prevent from being infected but the system is likely to be hardly usable for many people :)". Other solutions include setting an ACL on the Locky registry key and some more technical tricks. I personally am hesitant to consider using these as real solutions to combatting ransomware, but it's good to see people considering new options.
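The file-canary approach from the Proactively Reacting to Ransomware post, as an added example that is my own code and not the researcher's or the ransomware_begone driver: it plants canary files, records their hashes, and reports any canary that is rewritten in place or disappears. The canary names and content are made up, and the demo rewrites and deletes a canary itself to stand in for an encryptor.

```python
import hashlib
import os
import tempfile

# Constructed canary payload; the monitor only cares that it never changes.
CANARY_CONTENT = b"CANARY - do not modify\n" * 16
# Hypothetical names that sort early and look like user documents, so a
# sweeping encryptor is likely to touch them before real data.
CANARY_NAMES = ("000_canary.txt", "~$canary.docx")


def create_canaries(directory, names=CANARY_NAMES):
    """Plant canary files and return a baseline mapping path -> sha256."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(CANARY_CONTENT)
        baseline[path] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return (path, reason) alerts: 'missing' for deletion or rename,
    'modified' for an in-place rewrite of the canary's content."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            alerts.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        if actual != expected:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Run the monitor in a scratch directory: clean, then rewritten, then deleted."""
    with tempfile.TemporaryDirectory() as d:
        baseline = create_canaries(d)
        clean = check_canaries(baseline)      # expect []
        first = os.path.join(d, CANARY_NAMES[0])
        with open(first, "wb") as f:
            f.write(b"garbage standing in for ciphertext")
        modified = check_canaries(baseline)   # one 'modified' alert
        os.remove(first)
        missing = check_canaries(baseline)    # one 'missing' alert
    return clean, modified, missing
```

In practice check_canaries would run on a timer or be triggered by a file-system watcher, and a 'modified' or 'missing' alert would feed an isolation response rather than just a log line.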
- U.S. indicts Iranians for hacking dozens of banks, New York dam: Like we saw in May 2014, when the US indicted 5 Chinese military hackers, the US has now indicted 7 Iranian hackers. From the Reuters article "U.S. officials largely completed the investigation more than a year ago, according to two sources familiar with the matter, but held off releasing the indictment so as to not jeopardize the landmark 2015 nuclear deal with Iran or a January prisoner swap." However, as was the case with the Chinese indictment, in which nothing actually happened beyond the indictment, I do not expect anything will happen with these hackers either.
- FBI getting help to unlock terrorist's iPhone without Apple: Apple and the FBI have been caught up in a legal battle to unlock the iPhone of the San Bernardino shooter. The FBI has supposedly started working with a company called 'Cellebrite' to help unlock the phone without needing Apple to codesign special code.
Conference materials and publications
- Apple Updates: Apple put out new versions of iOS and OSX this week, finally fixing the SSH "No Roaming" vuln (CVE-2016-0777), which has been known since January.
- Using OS X FSEvents to Discover Deleted Malicious Artifacts: Post from Crowdstrike on using the OSX capability called FSEvents to record file system activity.
- On the Impending Crypto Monoculture: Peter Gutmann discusses how all crypto mechanisms are moving toward schemes devised by Dan Bernstein (DJB), with the conclusion being that it's not so much that everything is moving toward his schemes, but rather that we're moving away from all the alternatives.
- Ukraine emerges as bogus BGP source: This article points out a couple of interesting BGP rerouting attacks, including one performed by a spammer, another against APRICOT, a technical conference that focuses on topics like routing security, and more. Although BGP routing attacks have been known about for a long time (and unfortunately little can be done to stop them), they were previously viewed as likely to be only in the domain of nation states; however, these incidents clearly show they can be accomplished with far fewer resources.