taestell

Security and Privacy

From a few of my sources on the "other side", I'm not convinced of the effectiveness of these OS's

 

What are you implying? That if I go into my iOS settings and deny an app the ability to use my microphone, the app is figuring out some way to get around that restriction? If so, that would be a huge security vulnerability, and given how much people like to s**t on Apple any time they make a mistake, it would be front page news. I follow a lot of people in the information security field and have never heard anyone make an accusation like this.

 

No. I'm implying that such a feature can be rendered useless if someone else has access to and thereby control over your phone.

 

Phones are being hacked more rapidly than computers right now. And once the harmful malware is there, that hacker owns that phone.


Are you saying that major tech companies like Facebook or Amazon are creating malware?  Or that someone else is creating malware, which is then exploited by FB or Amazon?


Someone else having physical access to the device is a whole different matter. To my prior point, this is why Apple is starting to add an additional layer of security where the computer will not even boot unless the operating system has been cryptographically signed by Apple. This feature has only debuted in the new iMac Pro that just came out in December, but will roll out to their other machines as new hardware comes out (since it requires a second chipset on the machine). This means that even if someone has physical access to your machine and has installed a hacked version of the OS that bugs your mic, the security chipset won't even allow the machine to boot.



 

What about that new $350 speaker that Apple is selling?  It has a mic on it. 

 



 

I know a guy who (says he) can hack most phones from sufficient distance that you wouldn't think twice about him.  He would need to be relatively close though, like across the street.  If his methods are no good anymore, that's wonderful.  But I doubt security systems will ever get too far ahead of hackers.  Security will never quite win the war because the hacker army is thousands of times bigger than theirs.  And because nefarious intent seems to breed a certain amount of creativity.


So, quick brag...

 

My mom founded her own security company - Preferred Security. Since I was 13 I watched her work another job while starting this company from scratch.

 

Last night, a church in Wadsworth was robbed, and police found two young men hiding on top of a warehouse nearby. Police then used the cameras that my mom's company installed on the warehouse to review the prior night's activities. The police then realized that there was a third man in the church with them.

 

Upon discovering the man's identity, the police obtained a search warrant and entered his home. Inside, they found the wallet of a 98 year old woman who was murdered and shoved in her own closet.

 

Could not be more proud to see my mom's company having such a positive impact on Northeast Ohio.


 


"Nearly every problem that we have in the USA -- unaffordable health care, prison overpopulation, hyper militarization, climate change, racism, gun violence, poverty, poor education, urban sprawl and others -- cannot be positively addressed because bribery and conflicts of interest are legal under campaign finance laws which protect the uber-wealthy and the narrow self-interests who grossly benefit from our afflictions."

 


Brian Krebs, one of the most respected journalists covering cybersecurity issues, writes about how the extended government shutdown is hurting this country's cybersecurity:

 

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

 

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

 

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

 

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”


AG Barr to Facebook: We need 'lawful access' to users' digital messages to fight crime

Facebook acknowledges the needs of law enforcement but wants to protect its users from unwanted snooping.

https://www.nbcnews.com/tech/tech-news/ag-barr-facebook-we-need-lawful-access-users-digital-messages-n1062281



 


In other news, just being a friend... 

 

For those of you that work at mid to large market companies that have mailrooms, be careful. 

 

I'm currently working on matters wherein packages with a fake return address were sent to companies with MKT caps over $100 million... These packages would be addressed to a person who does not exist at that company. 

 

Amidst the confusion, the package would sit there for hours and sometimes days, unattended. Meanwhile, inside the package is a device that scans every endpoint within 50 feet in order to gain access to the network. 

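A detection angle on the mailroom device described above, as an added example that is not from the post: a dropped device that starts sweeping nearby hosts shows up in flow logs as a source address nobody has in the asset inventory touching many distinct host:port targets in a short window. The log format, the inventory and the sample flows are all constructed for the demo.

```javascript
// Added example, not from the post: flag a device that appears on the network
// and sweeps nearby hosts. Flow-record layout, inventory and sample data are
// assumptions constructed for the demo.

// Asset inventory (constructed): MACs we expect to see on the mailroom segment.
const KNOWN_MACS = new Set([
  '00:1a:2b:3c:4d:01', // mailroom workstation
  '00:1a:2b:3c:4d:02', // label printer
]);

// Constructed flow log: "epochSeconds srcMac srcIp dstIp dstPort"
const SAMPLE_FLOWS = `
1580000000 00:1a:2b:3c:4d:01 10.20.5.10  10.20.5.1  53
1580000001 00:1a:2b:3c:4d:02 10.20.5.11  10.20.5.10 9100
1580000005 de:ad:be:ef:00:01 10.20.5.250 10.20.5.1  22
1580000006 de:ad:be:ef:00:01 10.20.5.250 10.20.5.1  445
1580000007 de:ad:be:ef:00:01 10.20.5.250 10.20.5.10 22
1580000008 de:ad:be:ef:00:01 10.20.5.250 10.20.5.10 445
1580000009 de:ad:be:ef:00:01 10.20.5.250 10.20.5.11 22
1580000010 de:ad:be:ef:00:01 10.20.5.250 10.20.5.11 445
1580000011 de:ad:be:ef:00:01 10.20.5.250 10.20.5.12 445
1580000012 de:ad:be:ef:00:01 10.20.5.250 10.20.5.13 445
1580000040 00:1a:2b:3c:4d:01 10.20.5.10  10.20.5.1  53
`;

function parseFlows(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, srcMac, srcIp, dstIp, dstPort] = line.trim().split(/\s+/);
    return { ts: Number(ts), srcMac: srcMac.toLowerCase(), srcIp, dstIp, dstPort: Number(dstPort) };
  });
}

// Sliding-window sweep detector: a source is reported when, within `windowSec`
// seconds, it contacts at least `minTargets` distinct dstIp:dstPort pairs.
// Each alert also says whether the source MAC is absent from the inventory.
function findSweeps(flows, { windowSec = 60, minTargets = 5 } = {}) {
  const bySrc = new Map();
  for (const f of flows) {
    if (!bySrc.has(f.srcMac)) bySrc.set(f.srcMac, []);
    bySrc.get(f.srcMac).push(f);
  }
  const alerts = [];
  for (const [mac, list] of bySrc) {
    list.sort((a, b) => a.ts - b.ts);
    const inWindow = new Map(); // target -> number of flows inside the window
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      const added = `${list[end].dstIp}:${list[end].dstPort}`;
      inWindow.set(added, (inWindow.get(added) || 0) + 1);
      // Slide the window start forward until it spans at most windowSec.
      while (list[end].ts - list[start].ts > windowSec) {
        const dropped = `${list[start].dstIp}:${list[start].dstPort}`;
        const n = inWindow.get(dropped) - 1;
        if (n === 0) inWindow.delete(dropped); else inWindow.set(dropped, n);
        start++;
      }
      if (inWindow.size >= minTargets) {
        alerts.push({
          srcMac: mac,
          srcIp: list[end].srcIp,
          unknownDevice: !KNOWN_MACS.has(mac),
          targets: inWindow.size,
          at: list[end].ts,
        });
        break; // one alert per source is enough for triage
      }
    }
  }
  return alerts;
}

function demo() {
  return findSweeps(parseFlows(SAMPLE_FLOWS));
}
console.log(demo());
```

Run against the sample, the only alert is for `de:ad:be:ef:00:01`, an address not in the inventory, at the moment it reaches five distinct targets. The inventory check matters more than the sweep threshold: a known scanner (a vulnerability-management box) will trip the same count and should be allow-listed rather than tuned away.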
12 minutes ago, YABO713 said:

In other news, just being a friend... 

 

For those of you that work at mid to large market companies that have mailrooms, be careful. 

 

I'm currently working on matters wherein packages with a fake return address were sent to companies with MKT caps over $100 million... These packages would be addressed to a person who does not exist at that company. 

 

Amidst the confusion, the package would sit there for hours and sometimes days, unattended. Meanwhile, inside the package is a device that scans every endpoint within 50 feet in order to gain access to the network. 

 

That's CRAZY!!!



 


Took a trip to a client on the coast this week, on the trip I learned some of the most terrifying information of my career thus far. 

 

Here's a 30,000 foot view... 

 

Foreign actors (primarily Russian) attacks on controls to our power grids - specifically those in cold weather climates in population centers, like our three C's - have more than tripled on a yearly basis since 2012. That means the number is set to triple again next year. For reference, a power grid domain controller will face over 35,000 attacks an hour. 

 

What's more - the cold weather cities are targeted because they're particularly vulnerable to power outages in the winter, potentially leading to human casualties by freezing. These rolling blackouts by Russian operatives have already been tested in Ukraine (Kiev has suffered days long blackouts in its winter months on a few occasions since 2014) and also in Estonia. 

 

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget for helping protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us." 

 

This isn't a mere political issue, this is the type of thing that can cost lives if not properly resourced.

5 minutes ago, freefourur said:

^ but it might hurt Trump's fee fees if Russia are the bad guys. 

 

FWIW - read Sandworm. Best book on the current landscape of the Russian cyber threat and it's accessible to people with all comprehension levels of cybersecurity

4 minutes ago, YABO713 said:

 

FWIW - read Sandworm. Best book on the current landscape of the Russian cyber threat and it's accessible to people with all comprehension levels of cybersecurity

 

I will check it out. It seems that our Congress is unconcerned with this stuff for some reason. 

18 minutes ago, YABO713 said:

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget for helping protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us." 

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

40 minutes ago, Gramarye said:

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

 

Perhaps I didn't state it well enough - sorry about that! 

 

Additional funding would be a de facto reaction against Russia, because they're responsible for over 85% of the attempted attacks against our critical infrastructure. Chinese hacks are more targeted at wealth transfers, i.e. IP theft. 

 

So while this certainly isn't uniform, the DOHS and DOD moneys that would be allocated to critical infrastructure would, by and large, be a reaction against Russia. 

 

Again, being in the profession I am, it's impossible for me to see Russia as an ally or even cooperative partner. China isn't an ally, and is a threat to our ability to innovate and our wealth as a nation. Russia isn't an ally and wants to be a direct threat to American lives. 

29 minutes ago, YABO713 said:

 

Perhaps I didn't state it well enough - sorry about that! 

 

Additional funding would be a de facto reaction against Russia, because they're responsible for over 85% of the attempted attacks against our critical infrastructure. Chinese hacks are more targeted at wealth transfers, i.e. IP theft. 

 

So while this certainly isn't uniform, the DOHS and DOD moneys that would be allocated to critical infrastructure would, by and large, be a reaction against Russia. 

 

Again, being in the profession I am, it's impossible for me to see Russia as an ally or even cooperative partner. China isn't an ally, and is a threat to our ability to innovate and our wealth as a nation. Russia isn't an ally and wants to be a direct threat to American lives. 

Thank you for that explanation.  Always enjoy your comments. And I appreciate that you keep it simple enough for me to understand. 

2 hours ago, Gramarye said:

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

 

Donald Trump is definitely not a Russian asset who is intentionally trying to lower American defenses to Russian aggression yet again.


Yabo, going back to our mobile security discussion from a while back, there are a few companies beginning to roll out Linux smartphones:

 

https://www.omgubuntu.co.uk/2019/11/pinephone-specs-price-release-date

 

https://www.omgubuntu.co.uk/2019/11/librem-5-birch-shipping

 

They offer several security enhancements, including physical kill switches for things like cameras/mikes.  Also, they are open source, which I like as it allows for open debate about the code, and thus makes hidden trackers highly unlikely to escape detection.  The build quality and software is still a bit rough, and the app selection is small.  But I expect it to get better.

 

Any thoughts on these?  Supposedly, they plan on making them able to run Android apps, which could bring some of the Android issues over, but I would think that the damage an app can do is a little bit more limited in a system that is overall more dedicated to privacy (and assuming a user diligent enough to watch their settings)

2 hours ago, YABO713 said:

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget for helping protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us."

 

What is the budget, what has it been annually in the past, and what is proposed? I assumed most of the onus of meeting NERC CIP requirements falls on the utility, and thus rate payers. I know that since the 2003 blackout, utilities have been hardening their reliability systems significantly to prevent any sort of widespread, cascading failure - be it accidental as 2003 was or a deliberate attack.

 

All I could find in a 2 minute search of DHS's budget was funding for protection of government infrastructure, not utilities. Maybe I'm looking in the wrong place?

1 hour ago, Ram23 said:

 

What is the budget, what has it been annually in the past, and what is proposed? I assumed most of the onus of meeting NERC CIP requirements falls on the utility, and thus rate payers. I know that since the 2003 blackout, utilities have been hardening their reliability systems significantly to prevent any sort of widespread, cascading failure - be it accidental as 2003 was or a deliberate attack.

 

All I could find in a 2 minute search of DHS's budget was funding for protection of government infrastructure, not utilities. Maybe I'm looking in the wrong place?


So I’m by no means an expert on the budgetary side of it, so feel free to correct me if I’m wrong...

 

 But in my understanding, especially with DOD resources, the spending to supplement Cybersecurity for digital infrastructure isn’t subject to traditional budget review. The reason for that is because some of our “defensive” programs will actually have offensive capabilities wherein IP addresses and audit logs are forwarded on to Fort Meade for potential retaliatory actions. Since 2007/08, when our cyber command was established as a work around to NSA rules against offensive weaponry, this kind of budget maneuvering has been used to keep private our spending and, thereby, the level of concern that most Americans should have over our cybersecurity.

 

Having said that... a portion of control grid defense subsidies come from other sources, as you noted, and those SHOULD be available for public review, so far as I know. However, DOD is the heavy hitter when it comes to our critical infrastructure 

1 hour ago, X said:

Yabo, going back to our mobile security discussion from a while back, there are a few companies beginning to roll out Linux smartphones:

 

https://www.omgubuntu.co.uk/2019/11/pinephone-specs-price-release-date

 

https://www.omgubuntu.co.uk/2019/11/librem-5-birch-shipping

 

They offer several security enhancements, including physical kill switches for things like cameras/mikes.  Also, they are open source, which I like as it allows for open debate about the code, and thus makes hidden trackers highly unlikely to escape detection.  The build quality and software is still a bit rough, and the app selection is small.  But I expect it to get better.

 

Any thoughts on these?  Supposedly, they plan on making them able to run Android apps, which could bring some of the Android issues over, but I would think that the damage an app can do is a little bit more limited in a system that is overall more dedicated to privacy (and assuming a user diligent enough to watch their settings)


Let me read these over after work. Sounds pretty cool!


Again, can't say too much. But the threat from Russian state-sponsored groups is increasingly difficult to ignore. It's confirmed that the 2017 "NotPetya" attack was, in fact, caused by GRU actors. 

 

FWIW - I'm starting to get quotes to make our home solar sufficient or, at the very minimum, getting a generator backup. 


If it's going to benefit Russia, then expect Trump to fire whoever tries to investigate and prosecute it....

 

 



 


FWIW... My cases paid out over $8 million (personal record) in ransomware this week, all but one traced to IP addresses in Russia


The country is currently under a MASSIVE DDoS attack. Tmobile, Sprint, Verizon, Instagram, and Twitter all experiencing over 100x normal traffic

 

Some nation state is trying to send us a message - no rogue actor has the resources to accomplish something like this. 

6 minutes ago, YABO713 said:

The country is currently under a MASSIVE DDoS attack. Tmobile, Sprint, Verizon, Instagram, and Twitter all experiencing over 100x normal traffic

 

Some nation state is trying to send us a message - no rogue actor has the resources to accomplish something like this. 

Is this why Tmobile service was completely down earlier today?

1 hour ago, richNcincy said:

2020 is turning out to be quite the year. 

 

We're only half way too...


"You don't just walk into a bar and mix it up by calling a girl fat" - buildingcincinnati speaking about new forumers


Massive foreign cyber attack on Australia. Was it China? 

 

Cyber attacks on our sovereignty

https://www.theaustralian.com.au/commentary/editorials/cyber-attacks-on-our-sovereignty/news-story/ff2d21c3299f61ae22b0d63d77e315ab



 


Senate Republicans Propose Law to Outlaw End-to-End Encryption

 

Many popular messaging apps/protocols like WhatsApp, Signal, and iMessage are already designed to be end-to-end encrypted. That means that when Person A writes a message to Person B, the message is encrypted on Person A's phone so that it can only be decrypted on Person B's phone. There is no way that anyone else who intercepts the message in between the two parties will be able to decrypt it (short of using a supercomputer to brute-force "crack" the message, at tremendous time and expense).

 

What Senate Republicans are proposing here is to make this type of encryption illegal. These apps would have to be made intentionally weaker so that the maker of the app would also have the ability to decrypt the messages. The government could then force those companies to decrypt private communications on-demand. And, most likely, the "keys" would get into the hands of hackers, and the concept of encryption really just evaporates altogether.

 

I have a hard time believing that such a law would survive a basic test on First Amendment grounds. Any citizen's right to "free speech" should cover not just the actual content of the message, but their right to encrypt the message and transmit it securely to its intended recipient.

