Thanks to Snowden: “Security, Safety and fair market: Access by Openness and Control of the supply chain.” By KIT

KIT (Karlsruhe Institute of Technology, Institut für Technikfolgenabschätzung und Systemanalyse) has published a great study that I haven’t read completely, but though it’s worth sharing: KIT – ITAS – Research – Project overview – Quattro S: Security, Safety, Sovereignty, Social Product … Especially regarding:

This project will provide solutions for multiple problems. The first one is the security of information technology. The range of issues addressed includes zero-day exploits (e.g., WannaCry ransomware), denial of service attacks (e.g., Mirai), hardware attacks (e.g. based on the Meltdown and Spectre CPU flaws) up to novel types of hardware Trojans. The possibilities for these attacks originate from weaknesses in the long IT supply chains and threaten the confidentiality, integrity and availability of systems. The second problem is that these attacks can also threaten the safety of products, e.g., in energy infrastructures or in the automotive industry. The third problem consists of a loss of value added because of a migration of production and competences towards competing economies (e.g. US and China). Sovereignty would mean to have full control of the characteristics of information technology, to be sure that no hidden features are implemented, that no business secrets can be stolen, and to benefit economically from such control.

Two-Factor-Crap: Mobile TANs are security theater

 It’s been already six years that I wrote the Linux-Magazin article about hacking Android for banking data “Googles Smartphone-Linux ist ein einfaches Opfer für Angreifer“, and even a little more since me and Gunnar Porada met at Cortal Consors Bank. He was presenting, I was invited as a journalist.

And the weird thing was: Cortal Consors, a big bank that in the past had specialized on trading stocks and stuff, had invited Gunnar to show us why SMS-TAN (Mobile TAN) and similar smartphone-based “Two-Factor-Auth” mechanisms are merely security theater, like every trick that includes the smartphone. Nevertheless, they said, they’d still recommend to use it, since “it is not actively being hacked”. Well, that has changed for sure in the last years. 🙁

Albeit this article is merely available in German, it’s a good read – have Google translate it. The following quote says basically that it’s less effort to hack both Windows PC and Android device (since they will be in the same Wifi sometime) than it takes to find out two devices belong together. I just realized that again, I had written about some topic that didn’t have a name then: CDT (Cross Device Tracking).

If you feel fine with Security by Obscurity, then SMS-TAN or Photo-TAN or Face recognition might be enough for you. It’s not for me. 

„Technisch ist das gar nicht so aufregend, die Angriffsmöglichkeiten sind bekannt. Das Schwierigste für den Angreifer ist eher herauszufinden, welches Handy zu einem infizierten PC gehört“, erklärt der Ex-Hacker, der gerade 100 000 Euro vom Konto eines Konzerns zu einer gemeinnützigen Organisation transferiert hat, mit gefälschten Accounts und Webseiten, auf die er den Demo-Rechner vorher per DNS-Spoofing umgeleitet hat – natürlich nur als Demo fürs Publikum.

Live hacking – a demonstration for military and politicians

… recently, at the german military’s reservist’s club VdRBw :
Veranstalter: Kreisgruppe Oberpfalz-Süd

Thema: Sicheres Surfen durchs Internet

Wie ich meinen PC besser schützen kann

Bedrohung und Abwehrstrategien für den heimischen Rechner mit Live-Demonstration typischer AngriffeIm Rahmen der Freiwilligen Reservistenarbeit führt die Kreisgruppe Oberpfalz-Süd in Zusammenarbeit mit der Friedrich-Ebert-Stiftung und dem Markt Donaustauf eine Sicherheitspolitische Veranstaltung in Donaustauf als Verbandsveranstaltung in UTE durch.
Anzug: Dienstanzug gem ZDv 37/10 oder gedecktes Zivil

Sir! Yes, Sir!

Facebook: The AI-powered dystopia. Time to realize!

Zeynep Tufekci: We’re building a dystopia just to make people click on ads | TED Talk

“We’re building an artificial intelligence-powered dystopia, one click at a time, says techno-sociologist Zeynep Tufekci. In an eye-opening talk, she details how the same algorithms companies like Facebook, Google and Amazon use to get you to click on ads are also used to organize your access to political and social information. And the machines aren’t even the real threat. What we need to understand is how the powerful might use AI to control us — and what we can do in response.”

Does your server mine Minero? Well… it might have been hacked…

Reality update: Cryptocurrency mining malware uses five-year old vulnerability to mine Monero on Linux servers | ZDNet … but hey, it is only PHP/Cacti:

The cryptojacking campaign exploits CVE-2013-2618, an old vulnerability in Cacti’s Network Weathermap plug-in, an open source tool which is used by network administrators to visualise network activity.

I’m still waiting for the first Linux Virus to hit the streets. Send it to me, please, if you have one. No, not the manual ones. They are boring.

Kaspersky won’t play with the US anymore…

Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence operation – CyberScoop
Hehehe: Kaspersky recently exposed US Intelligence Malware

“The U.S. government and Russian cybersecurity giant Kaspersky Lab are currently in the throes of a nasty legal fight that comes on top of a long-running feud over how the company has conducted itself with regard to U.S. intelligence-gathering operations.
A recent Kaspersky discovery may keep the feud alive for years to come.
CyberScoop has learned that Kaspersky research recently exposed an active, U.S.-led counterterrorism cyber-espionage operation. According to current and former U.S. intelligence officials, the operation was used to target ISIS and al-Qaeda members.”

(Thanks to Fefe)

Hundreds of millions of years missing – the great unconformity

Interesting article, news in the media, too: The Great Unconformity … :

It is fitting that the Grand Canyon should contain some of the best exposures of The Great Unconformity — the gap in the rock record between Cambrian times (~550 m.y. ago) and the pre-Cambrian (anything earlier). An unconformity is a surface in the rock record, in the stratigraphic column, representing a time from which no rocks are preserved. It could represent a time when no rocks were formed, or a time when rocks were formed but then eroded away.

How Facebook is killing democracy – all the facts so far has a nice overview of the Facebook/Cambridge story so far. This story is full of links to the first-hand sources: How Facebook is killing democracy … :

A Cambridge Analytica executive explained: “There are two fundamental human drivers … hopes and fears … and many of those are unspoken and even unconscious. You didn’t know that was a fear until you saw something that evoked that reaction from you. Our job is … to understand those really deep-seated underlying fears, concerns. It’s no good fighting an election campaign on the facts because actually it’s all about emotion.”

Apple: Siri talks too much and reveals secret content (German/Spanish)

Reality update: Sicherheitsproblem: Siri verrät Inhalte gesperrter Benachrichtigungen – … :

Solange Apple den Fehler nicht korrigiert hat, lässt sich das Problem nur beheben, indem Sperrbildschirmbenachrichtigungen für sensible Anwendungen deaktiviert werden.(…) Das Problem ist auch in der aktuellen Betaversion von iOS 11.3 vorhanden.

(Only mitigation is to deactivate messages on the lock screen, also iOS 11.3 Beta is affected.) 

If you understand Spanish, here’s the link to MacMagazine that discovered the flaw

Open Source. Security Theater. Leadership. Journalism.