The Bruce Schneier Cryptogram March 2019

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is. In this issue:

  1. Cataloging IoT Vulnerabilities
  2. I Am Not Associated with Swift Recovery Ltd.
  3. Estonia’s Volunteer Cyber Militia
  4. Details on Recent DNS Hijacking
  5. Reverse Location Search Warrants
  6. Gen. Nakasone on US Cyber Command
  7. On the Security of Password Managers
  8. Attacking Soldiers on Social Media
  9. “Insider Threat” Detection Software
  10. Can Everybody Read the US Terrorist Watch List?
  11. Data Leakage from Encrypted Databases
  12. The Latest in Creepy Spyware
  13. Cybersecurity for the Public Interest
  14. Digital Signatures in PDFs Are Broken
  15. Letterlocking
  16. Detecting Shoplifting Behavior
  17. Cybersecurity Insurance Not Paying for NotPetya Losses
  18. Videos and Links from the Public-Interest Technology Track at the RSA Conference
  19. Russia Is Testing Online Voting
  20. On Surveillance in the Workplace
  21. Judging Facebook’s Privacy Shift
  22. DARPA Is Developing an Open-Source Voting System
  23. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.

The Bruce Schneier Cryptogram Oct 2018

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is.

In this issue:

  1. NSA Attacks Against Virtual Private Networks
  2. Public Shaming of Companies for Bad Security
  3. Pegasus Spyware Used in 45 Countries
  4. Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer
  5. AES Resulted in a $250-Billion Economic Benefit
  6. New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
  7. New Variants of Cold-Boot Attack
  8. Evidence for the Security of PKCS #1 Digital Signatures
  9. Counting People through a Wall with Wi-Fi
  10. Yet Another IoT Cybersecurity Document
  11. Major Tech Companies Finally Endorse Federal Privacy Regulation
  12. More on the Five Eyes Statement on Encryption and Backdoors
  13. Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
  14. Sophisticated Voice Phishing Scams
  15. Terahertz Millimeter-Wave Scanners
  16. The Effects of GDPR’s 72-Hour Notification Rule
  17. Helen Nissenbaum on Data Privacy and Consent
  18. Chinese Supply Chain Hardware Attack
  19. Conspiracy Theories around the “Presidential Alert”
  20. Detecting Credit Card Skimmers
  21. Defeating the “Deal or No Deal” Arcade Game
  22. The US National Cyber Strategy
  23. Access Now Is Looking for a Chief Security Officer
  24. Security Vulnerabilities in US Weapons Systems
  25. Another Bloomberg Story about Supply-Chain Hardware Attacks from China
  26. Security in a World of Physically Capable Computers
  27. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.

 

The Bruce Schneier Cryptogram Sept 2018

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is.

In this issue:

  1. New Book Announcement: Click Here to Kill Everybody
  2. Speculation Attack Against Intel’s SGX
  3. New Ways to Track Internet Browsing
  4. James Mickens on the Current State of Computer Security
  5. “Two Stage” BMW Theft Attempt
  6. Good Primer on Two-Factor Authentication Security
  7. John Mueller and Mark Stewart on the Risks of Terrorism
  8. Future Cyberwar
  9. NotPetya
  10. CIA Network Exposed through Insecure Communications System
  11. Cheating in Bird Racing
  12. Eavesdropping on Computer Screens through the Webcam Mic
  13. Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords
  14. Five-Eyes Intelligence Services Choose Surveillance Over Security
  15. Reddit AMA
  16. Using Hacked IoT Devices to Disrupt the Power Grid
  17. Security Vulnerability in Smart Electric Outlets
  18. Security Risks of Government Hacking
  19. Quantum Computing and Cryptography
  20. Click Here to Kill Everybody Reviews and Press Mentions
  21. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.

 

AssuranceData Meltdown/Spectre Security Alert

Spectre and Meltdown Overview and Mitigation Details

Overview: As of January 3rd, 2018, multiple vendors started publicly releasing patches for CRITICAL security flaws related to modern CPU architecture vulnerabilities “Spectre” and “Meltdown”.

  • Spectre: Exploits speculative (predictive) execution to allow a user process to see kernel memory
  • Meltdown: Exploits a kernel process flaw that runs rogue data (out-of-order execution) when a process is faulted from a user process

Updates:

  • Windows has updates [MANUALLY DEPLOYED] in some cases.
  • The patches can conflict with certain antivirus products and cause a blue screen.
      o To get the patches, a registry key must be set
      o Some AV vendors are setting the registry key automatically
  • Other hardware firmware updates are often required

Mitigations:

  1. Update Firmware on all devices when related patches are released
  2. Update all Operating systems when related patches are released
  3. Provide layered security protections, behavioral analytics, and data transmission monitoring and control
  4. Spectre/Meltdown system health checks
  5. Spectre/Meltdown exploit detection tools
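
One way to script the system health check in item 4 on Linux hosts, as an added example that is not part of the original alert. It assumes a kernel that carries the Spectre/Meltdown patches and therefore reports its status under the sysfs directory below; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify the kernel's own Spectre/Meltdown status report.
# Patched Linux kernels expose one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# cpu_vuln_report [DIR] -> one tab-separated "name state detail" line per issue.
# A missing file means the kernel has no reporting interface (likely
# unpatched), so it is reported as UNKNOWN rather than treated as a pass.
cpu_vuln_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(head -n 1 "$dir/$name")
            printf '%s\t%s\t%s\n' "$name" "$(classify_status "$text")" "$text"
        else
            printf '%s\tUNKNOWN\t(no kernel report)\n' "$name"
        fi
    done
}

# cpu_vuln_needs_action [DIR] -> exit status 0 if any issue is not mitigated.
cpu_vuln_needs_action() {
    cpu_vuln_report "$1" |
        awk -F'\t' '$2 == "VULNERABLE" || $2 == "UNKNOWN" { f = 1 } END { exit !f }'
}

# Demo on constructed sample data (not output from a real host).
demo=$(mktemp -d)
echo 'Mitigation: PTI' > "$demo/meltdown"
echo 'Vulnerable' > "$demo/spectre_v2"
cpu_vuln_report "$demo"
rm -rf "$demo"
```

Calling `cpu_vuln_report` with no argument reads the live sysfs directory, and `cpu_vuln_needs_action` can gate a fleet-wide patch compliance job.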