Google wants to disable Ad Blocking in Chrome, because it’s a business risk for them

This is interesting. Back to Firefox? Or will Google turn around? They have already got a lot of shitstorms back, in advance, since this is not fully decided yet. But it shows a lot about the “Don’t be evil” attitude. Even Google is a business-oriented enterprise and thus wants to make money. What a surprise. I wonder what the security people say and think. A large share of successful attacks today make use of ads and ad-lookalikes…

Chrome to limit full ad blocking extensions to enterprise users – 9to5Google

The lead developer of uBlock Origin, Raymond Hill, has commented on the situation, both to The Register and on uBlock Origin’s GitHub, pointing out that allowing ad blockers goes completely against Google’s business model.

‘Google’s primary business is incompatible with unimpeded content blocking. Now that the Google Chrome product has achieved high market share, the content blocking concerns as stated in its 10-K filing are being tackled.’

Google themselves have even admitted as such in a recent SEC Form 10-K filing by Alphabet, uncovered by Hill, in which ad blocking extensions are labeled as a “risk factor” to Google’s revenues.

‘New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.’

The article also links to the interesting SEC risk-assessment filing (the Form 10-K) Google has to submit. A nice read.


Free GDPR Templates on Github … get involved!

Reality update: GitHub – good-lly/gdpr-documents: 🇪🇺 Your Right to be Informed and Erased. The General Data Protection Regulation (EU) 2016/679 (“GDPR”) documents for personal use. … :

After one of the Equifax data breaches, and one year after the feared GDPR came into force, a team of lawyers decided to explore the state of data protection at European banks and credit scoring entities. At first, we did research on available GDPR requests but found next to nothing. The vast majority of information is advising companies on how to fend off personal data inquiries. This saddened us, as financial institutions gather massive amounts of detailed information about us. We expected that more people would want to exercise their right to know. To shift this imbalance a little, we created our own request templates. Currently only the “Data Access” request is available, but stay tuned – the Erase template is coming soon.

Quantum Terrorism…

How quantum terrorists could bring down the future internet – MIT Technology Review … :

These guys have worked out how quantum terrorists could bring the quantum internet to its knees almost instantly and without revealing their identity. More worrying still is that there is no obvious way to counter this new kind of attack.

(…)

“The first computer virus is widely thought to have been a program called Creeper that infected Apple II computers in the early 1980s. It was written by a 15-year-old high school student in 1981 as a prank. Since then, an entire class of malicious software and activities has emerged that can destroy data or eavesdrop on communication.”

Break up Facebook – as long as it is possible …!

#Toldyouso: Facebook co-founder Chris Hughes calls for the company to be broken up … :

“Facebook isn’t afraid of a few more rules. It’s afraid of an antitrust case and of the kind of accountability that real government oversight would bring.” Hughes called the FTC’s decision to let Facebook acquire Instagram and WhatsApp in the first place the regulator’s “biggest mistake” and said the three entities should be broken into separate companies before Facebook weaves them together.

How to do Website Redesign… NOT: Hertz and Accenture….

Accenture sued over website redesign so bad it Hertz: Car hire biz demands $32m+ for ‘defective’ cyber-revamp • The Register … :

On top of that, despite having specifically requested that the consultants provide a style guide in an interactive and updateable format – rather than a PDF – Accenture kept providing the guide in PDF format only, Hertz complained. When Hertz confronted the consultants about the PDF problem, guess what the response was? Yep, it wanted “hundreds of thousands of dollars in additional fees” to cover the cost.

TajMahal: No overlaps or code in common with other malware… weird… (German)

Reality update: After five years under the radar: spy malware “TajMahal” surfaces | heise online … :

According to Shulmin, it is also exceptional that the program code shows no commonalities at all, let alone overlapping code fragments, with any previously analysed advanced persistent threats (APT). That makes drawing conclusions about the developers or the people behind them practically impossible.

Deutschlandfunk: Markus Feilner on the Radio (twice, in German)

Very nice: one of the major German public radio stations asked me to be their expert on the hacking of the Bundestag. Once again, a radio interview. 🙂

Hacker attacks on the Bundestag – the vulnerability of politics

“In 2015, a hack of the Bundestag caused great alarm. At the beginning of this year, a data attack on politicians alerted the security authorities. The network is now supposed to meet current security standards, but weaknesses remain.”

(Deutschlandfunk Kultur, Zeitfragen | report of 25.03.2019, Hackerangriffe auf den Bundestag, Die Verwundbarkeit der Politik)

And here:

Election manipulation – the security gaps of democracy

“In mid-May 2015 the IT department of the German Bundestag noticed: something is wrong here. What exactly? That is still not entirely clear to this day, explains Markus Feilner. “The details have not been fully clarified and probably never will be.” IT journalist Feilner has tried to reconstruct the 2015 hack. What is certain is that the Bundestag’s network administration, based on the system of a US corporation, was at least misconfigured. More staff had the highest system privileges in the network than was necessary or good. Among other things, the attackers were able to penetrate the networks via this weakness.

“Basic security aspects were not observed”

Accordingly, Feilner’s conclusion still reads today: “The Bundestag hack was particularly frightening because, during our research, we had to realise that basic security aspects were not observed or considered.”

(…)

“The situation is practically unchanged compared to the last federal election. Which, in my view, is actually a scandal. That means software is still being used that really should not be used and that is vulnerable.”

(DLF, Computer und Kommunikation | 30.03.2019, Wahlmanipulation, Sicherheitslücken der Demokratie)

The Mobile Developers Guide to the Galaxy

Another one from my research… awesome work: The Mobile Developers Guide to the Galaxy (now powered by Open-Xchange)

“More than twenty writers from the mobile community share their know-how in dealing with topics such as accessibility in mobile apps, UX design, mobile analytics, prototyping, cross-platform development, native development, mobile web and app marketing.”

I love Wikipedia – Great Article on Messengers with lots of details

While I am writing an article on COI (Chat over IMAP), Open-Xchange’s latest hot new stuff, I found a wonderful Wikipedia page: the (German) Wikipedia has a great article about messenger services like WhatsApp, Threema, Signal and the like. Although the article, called “list of mobile instant messenger services”, seems to be available only in German, its content is great. Here’s the huge table of functions that might explain why I like to stick with Snowden’s recommendation, Signal:

Messengers and their Functions

By now I am pretty sure COI will shake up this chat world; the concept of using standard mail, mail servers and the like as a basis looks very promising against the silos run by American data corporations.

Benjamin Delpy on Kekeo, successor to mimikatz (video)

BlueHat IL 2019 – Benjamin Delpy (@gentilkiwi) – You (dis)liked mimikatz? Wait for kekeo – YouTube

From the comments:

“If you enjoyed playing with Kerberos, ASN1, security providers…, then you’ll love adopting this furry, sweet animal. From its birth with MS14-068 to cleartext passwords without local administrator rights, you’ll know everything about this animal. This talk will embed CredSSP and TSSP with cleartext credential, explore a little bit about PKINITMustiness and the RSA-on-the-fly for Kerberos with PKI!”