* Posts by A random security guy

359 publicly visible posts • joined 20 Apr 2019

Update now: Google emits emergency fix for zero-day Chrome vulnerability

A random security guy

Re: Goodbye Chrome

Or learn Linux ...

Linux kernel logic allowed Spectre attack on 'major cloud provider'

A random security guy

Re: Did any such attack take place? Ever?

This is the usual pushback I get from developers who don't want to implement security: prove this bad practice (process separation, address isolation, unsalted hash, buffer overrun, double frees, integer overflow, etc.) can be hacked easily and show me the hack. Security is built in layers with the principle of zero trust applied liberally. Each and every component must do its security properly.

The goal is not to have obvious flaws which can be exploited.

AWS itself probably protects its own secrets in a completely separate CPU+memory (simplifying it a bit here) but many companies run their VMs (EC2s, K8s pods, lambdas) with all kinds of secrets and PII.

One can imagine a nation-state just deploying 1000's of EC2s and K8s pods scraping data for years, mining the data, and then giving it to their state-sponsored hackers.

Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging

A random security guy

200K for a law firm is peanuts

Having worked with law firms, a fine of $200K is not a fine.

Sick of smudges on your car's enormo touchscreen? GM patents potential cure

A random security guy

Re: Patents

Not all companies use patents for blocking. And then there are patent trolls. Patent portfolios are revenue generators too. Having seen some patents get licensed by my former employers, I have come to respect that as a business angle.

Patents are also an independent way for others to understand what you have done instead of relying on your resume. No method is foolproof, however.

China's spy balloon barrage earns six of its companies a spot on US entity list

A random security guy

Weather balloons over 40 countries

China must really care about our sunny days vs. rainy days. Especially in the 40 countries we know of that have had these Chinese weather apps.

Swatting suspects charged with subverting Ring doorbell cams and calling cops

A random security guy

Questions about security and privacy model

Two of my neighbors have Ring cameras. They have videos of a guy who breaks into our mailboxes. The police can't do anything.

I have a few simple questions:

1. Is the username/password combo the only authentication required?

2. What is the data retention policy when the video is shared with the police?

3. Is there a right to be able to get a copy of the data?

4. Are the police or private companies mining the data?

Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree

A random security guy

Re: Connected to ... what?

It is not a bug; it’s a feature.

A random security guy

Exchange nightmare

Having programmed modules for Exchange and Outlook, I’m still surprised that the thing actually works.

My IT admin in a previous company told me that a rule of thumb is 1 IT Engineer per Exchange server. I may be off, but I doubt by too much.

GSuite seems to work for most use cases.

What's Microsoft been up to? A quick tour of Windows 11 22H2's security features

A random security guy

So do we need windows too?

I have a zero-trust approach to Windows. I have no trust in it so it stays outside my house.

Samsung sued for gobbling up too much personal info that miscreants then stole

A random security guy

Any bets what Samsung will say?

A. We are sorry we violated the trust and will hire expert auditors to guide us.

B. Our security is exemplary and we have done no wrong. We will offer the impacted customers free credit monitoring for 6 months.

Convicted felon busted for 3D printing gun parts

A random security guy

Re: I'm pro-gun

Thanks for answering the question about the practical accuracy which was bothering me.

Machine guns take into account many items like recoil, change in balance due to the movement of cartridges, gas discharge, etc.

Question: could an automated pistol be used on a crowd of people? Sadly, I am less worried about militaries or regular criminals using it and more about mass shooters.

Twitter savaged by former security boss Mudge in whistleblower complaint

A random security guy

Re: Troubling info about the Indian government . . .

And a Twitter employee in the pay of the Saudi Government. I wonder how many Saudis were subject to bone saws.

A random security guy

Re: The timing raises questions

For all of us who have been in his position, you try to work with the system you have. And we probably have had CEOs who ignored even the basics. In this case, the CEO went one step further and fired the messenger. I doubt he had time to go to the SEC. They would not even let him give an honest report to the board and went around him. The report is pretty damning. And every claim in that report probably has many pieces of supporting evidence.

A random security guy

Re: CNN comes up with this?

That is all you got out of it? Using MSM, CNN, etc.? Mudge made a whistleblower complaint. That is the news. Twitter is in trouble because they shot the messenger. You are shooting the messenger too.

A random security guy

Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

Try writing a whistleblower complaint with evidence to back it up without showing it, ensuring that you don't give out proprietary information, only make claims that are obvious.

This is solid 6 months of work.

A random security guy

I realized that this was an intense piece of work for many reasons:

1. Mudge needed to keep proprietary information out.

2. Mudge needed to have attorneys go through every one of his claims and ensure that they were backed up by evidence he had or could ask for

3. This kind of filtering and wording takes time

4. One single false claim will cause him to lose credibility

5. He has stuck to claims which are easy to prove

6. He has used the complaint to go after a CEO who was a fool (bright technically but not in security, privacy, people skills, law, etc.)

The best thing for Twitter is to fire the CEO. Immediately.

Microsoft finds critical hole in operating system that for once isn't Windows

A random security guy

Surprised that strcpy still exists in any code base

Yes, I do know that strcpy CAN be used safely if all the input parameters are validated, but why tempt fate? Any static code analyzer should have flagged it. I read the MSFT report, and it wasn't clear how strcpy crept in. It should have been caught eons ago. I have known of hackers introducing specific bugs like this.

Zoom patches make-me-root security flaw, patches patch

A random security guy

Basic security principles were vehemently ignored

From the Verge, Patrick Wardle states:

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

Microsoft trumps Google for 2021-22 bug bounty payouts

A random security guy

Just $13.7m?

Pretty low compared to the number of viruses floating around. Each virus is exploiting something in MS Windows.

National data privacy law for the US clears first hurdle

A random security guy

Re: The most nothing as possible!

A well armed militia in a battle of brains that are remotely located? Well, go ahead and shoot your monitor.

Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones

A random security guy

Re: Tee-Mo?

Maybe they do?

How to get Linux onto a non-approved laptop

A random security guy

Linux did not need Dell’s certification

If I remember correctly, Dell’s so-called certification came decades after people had been running Linux on their hardware.

Huawei under investigation for having tech installed near US missile silos

A random security guy

Re: The US still trying to justify its anti-Huawei stance

So they can ask the us giver to give money to remove them.

Hive ransomware gang rapidly evolves with complex encryption, Rust code

A random security guy

Re: Making analysis more challenging

Automated AV scanners that rely on pure pattern matching will not be able to get anywhere if they don't decrypt the payload. That means the AV scanner first has to determine what kind of malware something is, decrypt the payload, then the strings in the payload, and then, finally, perform a pattern match. They might skip a level of encryption somewhere.

Should not be too hard, but the AV scanners may be limited if the decryption and compression software is (slightly) proprietary, forcing you to run the malware for analysis.

Calls for bans on Chinese CCTV makers Hikvision, Dahua expand

A random security guy

All Chinese CCTV systems connect back to China

Have been tearing apart systems for years. Haven't seen a single system that doesn't connect back to the motherland. Plus the vulnerabilities are fairly simple to exploit. All that is needed is a registry in China for state hackers to use as a jumping-off point to download surveillance software.

Elasticsearch server with no password or encryption leaks a million records

A random security guy

Re: Burn the fuckers.

That is like stating that Johnson was responsible for the party in 10 Downing Street. Geez. He just lived there.

A random security guy

5 Eyes

The 5 Eyes of security: Australia, Canada, New Zealand, the United Kingdom, and the United States.

The 5 Eyes of Cyber Security: no password, no TLS, no firewall, no monitoring, no remediation.

Microsoft warns partners to revoke unused authorizations that drive your software

A random security guy

Re: Those Shortsighted Savings Will Cost You Dearly

Partnerships are a reality. Collaborations are a reality. Two companies may need to work together on projects, account payments, approvals, etc. Many times a company will create separate groups: employees who deal with IBM and, separately, employees who deal with MSFT. It is normal for these employees to collaborate with their customers and vendors on a very close basis.

The best examples are employees of audit companies, which by the very nature of their tasks, can't be the audited company's employees.

Cryptocurrency laundromat Blender shredded by US Treasury in sanctions first

A random security guy

The US has actually embraced cryptocurrency. There is an Executive Order doing just that.

A random security guy

Re: Mixer services

A public blockchain does not lend itself to any form of privacy. You may be able to muddy the waters a bit but you are left with a finite list of suspects. It is only when the numbers get to 2**128 that you have a semblance of privacy.

Cloudflare stomps huge DDoS attack on crypto platform

A random security guy

Wannabe pretentious pillocks.

Smart contract developers not really focused on security. Who knew?

A random security guy

Smart contracts are not required to be secure

After looking at the Decentralized finance apps for over a year, I have come to the conclusion that the code is about as buggy as any other application code.

Moreover, being decentralized is a boon to hackers.

Security practices don’t exist.

Reporting issues comes back with: prove that a bug can be exploited. The better approach is to ensure each block is secure and consistent.

The thing is that making this much money gets into the programmer's head and they think they are Supermen.

Now Mandiant says 2021 was a record year for exploited zero-day security bugs

A random security guy

Re: Maths?

Not every exploit can be definitely attributable to a specific country.

Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

A random security guy

Re: The Key is...

With MSFT: Everyone's key is under their doormats and they are all the same.

Hackers remotely start, unlock Honda Civics with $300 tech

A random security guy

Re: Very quick way to fix this.

I work with insurance companies (not for) on security issues and, to tell the truth, they are not the bad guys. They are the people who are behind lots of the features like proximity sensors, lane assist/drift sensors, etc. They have number-crunchers who find patterns and force car companies to change their ways.

For example, their lawyers must already be talking to Honda, telling them that they will not absorb the cost of any theft. And Honda may quietly cover the cost.

Biden says Russia exploring revenge cyberattacks

A random security guy

Putin may have outsmarted himself

I do see state-sponsored attacks by Russia being attempted.

I also think Biden is giving a heads-up to the industry folks.

OTOH, what we don't know are the tools that NSA will use to block the attacks. In the industry, the going mantra is: state-sponsored cyber-attacks require the NSA to step in.

Putin never realized that democracies look splintered and slow but on the whole are much more powerful than dictatorships. He just handed the West the keys to Russia. They are going to grind him down and destroy the Russian army and the economy once and for all.

Android's Messages, Dialer apps quietly sent text, call info to Google

A random security guy

GDPR 3% fine

I wonder if they will pay the standard rate or just a few dollars. Just a rhetorical question.

Samsung shipped '100 million' phones with flawed encryption

A random security guy

Re: Why leave implementation to the vendors ?

Most processor vendors do provide the tools. Android also comes with the tools. Time and again I have seen engineers neuter the systems as it is too hard to wrap their heads around the system. I see fixed keys all the time.

The additional problem is that Samsung is also the processor vendor.

A random security guy

Typical Samsung

This is the most basic of most encryption and they messed it up. AES-GCM is especially brittle to this attack IIRC. I guess the word "counter" did not register.

China's APT10 cyber-spies 'targeted Taiwanese financial firms'

A random security guy

Re: Clarification wrt Taiwan

This territorial fight is so useless given that the wealth of nations and people is tied to bits in the ether. Earlier you conquered because you wanted land, slaves to till the soil, and gold to fight more battles. Now, you don't need any of the 3.

Or am I being naive? That we humans are destined to kill each other ...

Top chipmakers ignore India's semiconductor factory subsidies

A random security guy

I wonder if their corrupt politicians can hide their money now

Given that there are all these anti-corruption laws that companies like ours have to comply with, I am surprised at the amount of corruption that the politicians engage in. They live in palaces, have private planes, etc.

I wonder where they are hiding their money ... probably somewhere around here as prime silicon valley property or other instruments.

Maybe the VPN interception will be a good thing? Maybe make the IP addresses public?

Spot the irony: India's Reserve Bank says outsourcing and offshoring are risky

A random security guy

Re: Indians too expensive ?

Indian teams are very expensive to run. I pay around 80% of what I would pay for a similar engineer here in the US. The good ones know their value. The bad ones? Don't hire them.

Ransomware crew dumps stolen Optionis files online

A random security guy

Re: I bet it all comes down to services!

Ah, that is how I should run my security services company. We charge top dollars but do everything we can to keep our customers safe.

Intel chases after Bitcoin miners with dedicated chip

A random security guy

Re: "Intel will start selling a chip to mine bitcoin"

Blockchain is the thing that will survive. It is just a good ledger system.

It should be a way to move money, not speculate.

A random security guy

Re: If it's that good

Merchants made more money selling spades to gold miners than actually mining for gold.

I am talking about the California gold rush.

Canadian Netwalker ransomware crook pleads guilty to million-dollar crimes

A random security guy

People still think BTCs are anonymous.

I'd rather be paid in gold.

Use Zoom on a Mac? You might want to check your microphone usage

A random security guy

Most of their Engineering still is

The last report said 90% of engineering was in China. The other 10% could be support engineers.

Privacy is not a concern in China.

So all those businesses talking to each other over Zoom?

Guess what. Just the meta information of who is talking to whom at what frequency and time is good enough.

Ukraine shrugs off mass govt website defacement as world turns to stare at Russia

A random security guy

Salami tactics

The Russians are using salami tactics. First take a small part, something you will not start a war over. Then take another. Then another. Soon you have one tiny slice left. And that too is nothing to fight over.

Signal CEO Moxie Marlinspike resigns, leaves WhatsApp co-founder to run things until a successor is named

A random security guy

Re: Moxie Marlinspike.

Matthew Rosenfeld

WebSpec, a formal framework for browser security analysis, reveals new cookie attack

A random security guy

Re: Time For a Systemic Reconsideration

> Why run a script in the terminal…

Snappy, responsive, and easily modifiable user interface.

Also means more hackable, badly designed, ill-configured, badly implemented, etc.