Posts by A random security guy

385 publicly visible posts • joined 20 Apr 2019


Heart surgery device maker's security bypassed, data encrypted and stolen

A random security guy

$90m+/quarter revenue is ripe for ransomware

It is sheer negligence to not have a DRP. Maybe they had one but never tested it? Maybe it was just a show DRP?

Worker surveillance must comply with credit reporting rules

A random security guy

Background checks are extremely invasive

I never ran background checks on employees or future employees. But I did run checks on questionable people who were pretending to be executives in a company. The amount of material available online for free and much more from paid services is shocking. You can find CC payment issues, traffic violations, who lived with them at the same address, their internet presence, etc. You can track people's car license plates as people drive around and have their data slurped up by cameras everywhere. If you have access to Palantir, you can become even more invasive.

Now imagine my employer having access to that data.

Intel hits back at China's accusations it bakes in NSA backdoors

A random security guy

Intel does need to create backdoors for the NSA

Intel products have had security issues going back decades. Why does it need to create new ones? And I am being really serious; they have ignored warnings for a long time.

TSMC blows whistle on potential sanctions-busting shenanigans from Huawei

A random security guy

Sanctions are not binary tools; they are there to slow down activities. They are also a political tool. The US sanctioning China means that China is a pariah nation. Being sanctioned also slows down trade. The long-term impact is that countries would rather deal with a non-sanctioned country than one which is.

Ransomware gang Trinity joins pile of scumbags targeting healthcare

A random security guy

Re: Ban paying ransom.

Criminal negligence would be the better way to attack the problem: make CEOs liable for neglecting cybersecurity. If forensics reveals big gaps in cybersecurity implementation, the CEOs of the hacked company, the compliance company, and any vendor who lied about their service/product security would be made liable. Cyberinsurance companies would breathe a sigh of relief.

That way, passing SOC2 compliance would not be a rubber stamp.

Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing

A random security guy

Re: Why?

To most HW manufacturers, software is an afterthought. They probably got the lowest common denominator of UX designer, software implementor, and QA for the interface.

Texas sues GM for selling driver data to analytics, insurance companies

A random security guy

Bankruptcy is complicated, especially if exec compensation is pegged to or is partly in stock.

Execs are least likely to try to save a company if their own stock goes to zero b

Russian man who sold logins to nearly 3,000 accounts gets 40 months in jail

A random security guy

Re: he's probably Georgian or South Caucasus something or the other

Amazing analysis. Do you have any data to support your logic? For example, do you have proof that there are criminal genes that passed on?

Or it is an infection?

Do explain.

Microsoft patches scary wormable hijack-my-box-via-IPv6 security bug and others

A random security guy

Most (probably 90%) can be caught using code analyzers. The rest is proper reviews and testing.

What you are seeing is probably the result of those efforts. Security fixes take time to implement and test.

One can implement processes that reduce defect counts.

Multiple flaws in Microsoft macOS apps unpatched despite potential risks

A random security guy

Re: "Only if it can be exploited" is a Very weak argument

Agree. And 2 people gave me a thumbs down. It is actually a good indication of why we have security bugs. The cavalier attitude to bad programming practices is the primary reason for security issues.

A random security guy

Microsoft is claiming that there is no reason to protect its products because others need to do their job. It was the same argument used by people who used perimeter defense as sufficient to protect infrastructure. That is the worst possible defense argument; depending on others... The whole principle of zero trust is based on every component doing its best to guard against someone attacking it.

A random security guy

Re: Is it ethical...

Yes, it is ethical. Most White Hat Hackers give a 30-day warning, sometimes more. The hackers mostly know about the vulnerabilities. There may be several reasons you don't see any exploits:

1. There are other exploits that are available

2. The hacking industry is working on creating an exploit.

3. They have already weaponized the exploit but are holding it back.

4. It is out there, but it hasn't hit you

5. You haven't noticed that you have been hacked

6. You are not worth it.

A random security guy

Re: 'plugins from third parties'

I used to write Office add-ins on Windows, which were among the most painful pieces of software I had to write. MS Office allows you to write software that can use Office APIs to create buttons, act on emails, etc. These are called Office add-ins/plugins. You can, for example, write a small program that reads an email from your boss, calls ChatGPT, creates a response, and sends it out. It seems that you can't do it on the Mac.

A random security guy

"Only if it can be exploited" is a Very weak argument

Oftentimes, I would get pushback from a developer or a manager saying: I'll fix this buffer overflow or some other security bug only if you can show it can be exploited.

The basics of security revolve around building secure components. Writing exploits is a thankless job unless you are in the employ of a nation-state hacking organization or a hacker group. It can take hundreds of thousands of dollars to weaponize a vulnerability. Sometimes you can buy toolchains for known types of vulnerabilities.

Hacker groups can afford to do it because they can get the ROI by hacking and ransoming systems for millions of dollars. It is profitable for them.

Pointing out vulnerabilities is the right thing to do.

Microsoft not fixing their bugs is just business as usual.

China-linked cyber-spies infect Russian govt, IT sector

A random security guy

Agreed. I am always curious to know why people think BRICS would amount to anything.

China absolutely wants BRICS to be a vehicle to create a currency dominated by the Yuan.

India doesn’t want to have anything to do with the Yuan.

India’s primary sources of income are from the West.

India is quite happy with the dollar. They would want the Rupee to be a bit more popular, though.

Change Healthcare finally spills the tea on what medical data was stolen by cyber-crew

A random security guy

There is no penalty

Data de-identification should be hard. These guys are not even trying.

Google takes shots at Microsoft for shoddy security record with enterprise apps

A random security guy

Google, Android has 99% of mobile malware

Pretty much the entire Android app ecosystem lends itself to malware.

Something about people who live in glass houses comes to mind.

CISA boss: Secure code is the 'only way to make ransomware a shocking anomaly'

A random security guy

Re: Fix the Level 8 Problem

Well, there are a large number of men falling for scam texts with beautiful images.

Most calls originate out of NK and the poor girls are kept captive and beaten.

I found women to be more careful about privacy than men.

Maybe you used a bad female hire as an example and not a generalization. If so, my apologies.

A random security guy

If they even let me run a static code analyzer

Except for 2 companies I worked with, every other company has resisted even letting a static code analyzer be run on their code.

A famous modem company specifically stated and made it clear that under no circumstances could we run binary code analysis.

At one company I walked out of a lucrative contract because the security team reported to the engineering director for application software and they refused to run analyzers of any kind. Not even nmap.

It was specifically called out in the contract that security companies were not allowed to do certain things; all vulnerabilities had to be approved by engineering.

A Chinese crypto farm next to a nuclear missile base? Not on my watch, says Biden

A random security guy

Re: Umm...

Early warning: Adding to what you said, listening to patterns of ground noise, radio traffic, personnel movement, etc. can help you determine what is anomalous and then get an early warning even before the silo doors open.

The liquid-fueled rockets need to be prepped, and any hint of a first strike will give an extra minute or so for the Chinese govt leaders and military leaders to prepare.

Apple releases OpenELM, a slightly more accurate LLM

A random security guy

Re: Siri

The most underrated comment.

Fidelity customers' financial info feared stolen in suspected ransomware attack

A random security guy

Blames Infosys, hah!!!

You outsourced to an offshore company without tough security guardrails, i.e. based on the commercial costs, which did not include cybersecurity requirements.

You get what you pay for.

China's national security minister rates fake news among most pressing cyber threats

A random security guy

Re: Coming from the top

I am curious why you say the governments in the west are no better.

Now Foxconn hopes to lure TSMC, Japan’s TMH into India chip fab pact – report

A random security guy

Re: Expansion

All of it is available; you are just using stereotypes. I have visited Cisco in Bangalore, and its offices are the same as the ones here in Milpitas/Sunnyvale. There were no issues with power, sanitation, water, food, etc. There are many other companies operating out of India.

The main issues revolve around the bureaucracy, and for the life of me, I can't get a deal done in India if the government is involved in any manner. So India funding even 100% will not work because the bureaucracy will mess it up. Things will take years.

I still remember the Indian govt. trying to buy the M777 ... they finally bought it, I believe, 13 years later. So, even though I fully applaud the Indian govt. push for putting together an attractive deal to get TSMC in, that is also the problem.

Police use of PayPal records under fire after raid on 'Cop City' protest fund trio

A random security guy

Re: Justification?

Still need a warrant.

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

A random security guy

I expect the infiltration to spread to more than the payroll system they initially attacked. There is something else that happens when the number of victims is very large: the hackers have a hard time extracting information of value from all of them. I remember working with a company last year which had been potentially breached but we found that the hackers had merely probed but not gone further because there were far juicier targets to exploit.

So you may be safe(r). Depends on your specific situation ...

Update now: Google emits emergency fix for zero-day Chrome vulnerability

A random security guy

Re: Goodbye Chrome

Or learn Linux ...

Linux kernel logic allowed Spectre attack on 'major cloud provider'

A random security guy

Re: Did any such attack take place? Ever?

This is the usual pushback I get from developers who don't want to implement security: prove this bad practice (process separation, address isolation, unsalted hash, buffer overrun, double frees, integer overflow, etc.) can be hacked easily and show me the hack. Security is built in layers with the principle of zero trust applied liberally. Each and every component must do its security properly.

The goal is not to have obvious flaws which can be exploited.

AWS itself probably protects its own secrets in a completely separate CPU+memory (simplifying it a bit here), but many companies run their VMs (EC2s/K8s pods, lambdas) with all kinds of secrets and PII.

One can imagine a nation-state just deploying 1000's of EC2s and K8s pods scraping data for years, mining the data, and then giving it to their state-sponsored hackers.

Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging

A random security guy

200K for a law firm is peanuts

Having worked with law firms, a fine of $200K is not a fine.

Sick of smudges on your car's enormo touchscreen? GM patents potential cure

A random security guy

Re: Patents

Not all companies use patents for blocking. And then there are patent trolls. Patent portfolios are revenue generators too. Having seen some of the patents get licensed by my former employers, I have come to respect that as a business angle.

Patents are also an independent way for others to understand what you have done instead of relying on your resume. No method is foolproof, however.

China's spy balloon barrage earns six of its companies a spot on US entity list

A random security guy

Weather balloons over 40 countries

China must really care about our sunny days vs. rainy days. Especially in the 40 countries we know of that have had these Chinese weather apps.

Swatting suspects charged with subverting Ring doorbell cams and calling cops

A random security guy

Questions about security and privacy model

Two of my neighbors have Ring cameras. They have videos of a guy who breaks into our mailboxes. The police can't do anything.

I have a few simple questions:

1. Is the username/password combo the only authentication required?

2. What is the data retention policy when the video is shared with the police?

3. Is there a right to be able to get a copy of the data?

4. Are the police or private companies mining the data?

Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree

A random security guy

Re: Connected to ... what?

It is not a bug; it’s a feature.

A random security guy

Exchange nightmare

Having programmed modules for Exchange and Outlook, I'm still surprised that the thing actually works.

My IT admin in a previous company told me that a rule of thumb is 1 IT Engineer per Exchange server. I may be off, but I doubt by too much.

GSuite seems to work for most use cases.

What's Microsoft been up to? A quick tour of Windows 11 22H2's security features

A random security guy

So do we need windows too?

I have a zero-trust approach to Windows. I have no trust in it so it stays outside my house.

Samsung sued for gobbling up too much personal info that miscreants then stole

A random security guy

Any bets what Samsung will say?

A. We are sorry we violated the trust and will hire expert auditors to guide us.

B. Our security is exemplary and we have done no wrong. We will offer the impacted customers free credit monitoring for 6 months.

Convicted felon busted for 3D printing gun parts

A random security guy

Re: I'm pro-gun

Thanks for answering the question about the practical accuracy which was bothering me.

Machine guns take into account many items like recoil, change in balance due to the movement of cartridges, gas discharge, etc.

Question: could an automated pistol be used on a crowd of people? Sadly, I am less worried about militaries or regular criminals using it and more about mass shooters.

Twitter savaged by former security boss Mudge in whistleblower complaint

A random security guy

Re: Troubling info about the Indian government . . .

And a Twitter employee in the pay of the Saudi Government. I wonder how many Saudis were subject to bone saws.

A random security guy

Re: The timing raises questions

For all of us who have been in his position, you try to work with the system you have. And we probably have had CEOs who ignored even the basics. In this case, the CEO went one step further and fired the messenger. I doubt he had time to go to the SEC. They would not even let him give an honest report to the board and went around him. The report is pretty damning. And every claim in that report probably has many pieces of supporting evidence.

A random security guy

Re: CNN comes up with this?

That is all you got out of it? Using MSM, CNN, etc.? Mudge made a whistleblower complaint. That is the news. Twitter is in trouble because they shot the messenger. You are shooting the messenger too.

A random security guy

Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

Try writing a whistleblower complaint with evidence to back it up without showing it, ensuring that you don't give out proprietary information, only make claims that are obvious.

This is a solid 6 months of work.

A random security guy

I realized that this was an intense piece of work for many reasons:

1. Mudge needed to keep proprietary information out.

2. Mudge needed to have attorneys go through every one of his claims and ensure that they were backed up by evidence he had or could ask for.

3. This kind of filtering and wording takes time

4. One single false claim will cause him to lose credibility

5. He has stuck to claims which are easy to prove

6. He has used the complaint to go after a CEO who was a fool (bright technically but not in security, privacy, people skills, law, etc.)

The best thing for Twitter is to fire the CEO. Immediately.

Microsoft finds critical hole in operating system that for once isn't Windows

A random security guy

Surprised that strcpy still exists in any code base

Yes, I do know that strcpy CAN be used safely if all the input parameters are validated, but why tempt fate? Any static code analyzer should have flagged it. I read the MSFT report, and it wasn't clear how strcpy crept in. It should have been caught eons ago. I have known of hackers introducing specific bugs like this.

Zoom patches make-me-root security flaw, patches patch

A random security guy

Basic security principles were vehemently ignored

From The Verge:

https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle

Patrick Wardle states:

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

Microsoft trumps Google for 2021-22 bug bounty payouts

A random security guy

Just $13.7m?

Pretty low compared to the number of viruses floating around. Each virus is exploiting something in MS Windows.

National data privacy law for the US clears first hurdle

A random security guy

Re: The most nothing as possible!

A well armed militia in a battle of brains that are remotely located? Well, go ahead and shoot your monitor.

Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones

A random security guy

Re: Tee-Mo?

Maybe they do?

How to get Linux onto a non-approved laptop

A random security guy

Linux did not need dell’s certification

If I remember correctly, dell’s so called certification came decades after people had been running Linux on their hardware.

Huawei under investigation for having tech installed near US missile silos

A random security guy

Re: The US still trying to justify its anti-Huawei stance

So they can ask the US giver to give money to remove them.

Hive ransomware gang rapidly evolves with complex encryption, Rust code

A random security guy

Re: Making analysis more challenging

Automated AV scanners that rely on pure pattern matching will not be able to get anywhere if they don't decrypt the payload. That means the AV scanner first has to determine what kind of malware something is, decrypt the payload, then the strings in the payload, and then, finally, perform a pattern match. They might skip a level of encryption somewhere.

Should not be too hard, but the AV scanners may be limited if the decryption and compression software is (slightly) proprietary, forcing you to run the malware for analysis.
