Friday, December 30, 2022

Ask your lawyer if being lazy is right for you

from here and here

Well, this is an interesting development. Albanian IT staff get charged with negligence after a (supposedly) preventable cyberattack that they failed to prevent. Now, if it was really management's fault that things weren't kept up to date then I hope that comes out at trial and that the people who were really responsible are held accountable. This kind of legal action, combined with the uncertain future of cyber-insurance might just force businesses and organizations to finally start ponying up the funds to do security right. Or the decision-makers will find some other way to avoid accountability for not paying what should be the cost of doing business.

Never underestimate your adversaries

found on I Heart Cats

You don't expect this behaviour from a cat, usually it's the other way around, however I have known a cat that terrorized the neighborhood dogs such that their owners would pick them up and carry them past the cat owner's house when walking their dogs, so I know sometimes it happens.

Thursday, December 29, 2022

Don't try this at home

from here and here (image source)

One school of thought says that we should make things safe so that people can do what comes naturally to them with no ill effect. 

I maintain that it's just not feasible to child-proof everything and at least some of the time it's better (or even necessary) to teach people to use good judgement and be cautious instead. Sometimes the correct answer is "don't do the thing" not "we'll make the thing safe".

Attribution is hard


Watch on YouTube

This may be staged, but it still demonstrates the point that attackers will take advantage of any opportunity to pretend someone else is responsible for the attack.

Wednesday, December 28, 2022

A victim of some security marketing joker

from here and here

Years ago the catchphrase Antivirus Is Dead gained some popularity in security circles, despite my best efforts to fight it. Apparently it ultimately lead to the rebranding of the technology, so in a way the phrase became true, but only in the sense that the terminology isn't used anymore. What's more, the upstarts who started the whole thing failed to take market dominance away from the incumbents (as anyone could have predicted), so I figured why not rub their noses in it with this subtle modification to their own catch phrase. "Antivirus" Is Dead. Two little quotation marks can drastically change the meaning.

Assault with a silent but deadly weapon

found on Dump A Day

Now I'm not saying you shouldn't be punished for launching a gas attack like some malodorous squid squirting out ink, but just that if you do toot, maybe don't make it look intentional

Tuesday, December 27, 2022

Did it for the lulz

from here and here

Generally speaking, when criminals don't want to get caught they try their best to not get noticed. These guys took a completely different path and got a completely predictable (and arguably well deserved, considering the swatting involved) outcome.

You Clicked That Link Didn't You backpack

Product Page

No matter where you go, you will probably find someone who can answer "Yes" to that question

Monday, December 26, 2022

Wishful thinking

from here and here

The sellers are telling Twitter to buy their data back before someone else does. A ransom by any other name would smell as dirty, but I can't help but think these cybercrime chuckleheads are barking up the wrong tree. Twitter might not even be around long enough for the European Union to find them guilty of a GDPR violation over this. 

Do you know who I am?

found on Know Your Meme

Modern Windows systems will tell you this even when you're logged in as the administrator account. It's not enough to just be logged in as an administrator, you have to "run as administrator" too, because system designers would rather build systems that second guess the user than to teach the user how to follow the principle of least privilege.

Friday, December 23, 2022

The last straw for LastPass

from here and here

How does a password management company make such a grave error as not protecting URLs? Knowing you have an account on a questionable website is sensitive in and of itself, without giving away the username or password, and by sensitive I mean it can get folks killed in some places.

This metadata will also be useful for phishing attacks, so if you're a LastPass user, you might see an increase in phishing emails. However, since the breach itself was months ago, the increase might have already happened.

Password managers are still good, of course, but maybe not this particular one, and maybe not online ones. Online password managers are incredibly valuable targets, while each of us individually is  generally not. An offline password manager would require someone getting through your own defenses to compromise you instead of compromising millions of users at once. 

Anything for pancakes

found on eBaum's World

We give out our passwords for candy bars so why not give up our privacy for pancakes, right?

I don't know about you, but that doesn't really sound like a fair trade to me. Maybe it's just because I already know how to make my own pancakes.

Thursday, December 22, 2022

Encrypting an encryption key

from here and here (image source)

Whether you lock or encrypt a key, you'll need a key to unlock or decrypt it, so how do you protect that secondary key? You either get into an infinite loop of keys and locks/encryption or you accept that a less secure key unlocks the thing you're ultimately trying to protect.

In the case above, however, you could just break the glass, which is exactly the kind of backdoor authorities would love to see in encryption, but which would make us all less secure, just as this key is less secure because of the glass.

How to unlock a car with tape


Watch on YouTube

I've never tried this exact method, however I do recall being able to widen an existing opening with my bare hands so it seems plausible. That was a long time ago, though, and apparently this may be a little more damaging with modern motorized windows. Your mileage may vary.

Wednesday, December 21, 2022

Beware of shoulder surfing from orbit

from here and here (image source)

Size definitely matters for passwords, but not like that. You're looking for more characters, not bigger keys.

Hang them up for all to see?

found on Izismile

I'm not against comparing passwords to underwear, but then you should be more careful about what underwear imagery you use. Don't promote the comparison while demonstrating where the comparison falls flat.

Tuesday, December 20, 2022

Maybe later

from here and here

I think the people who make updates need to put more thought into the user experience of applying updates. Otherwise the updates are just going to get delayed over and over again.

Someone Figured Out My Password, Now I Have To Rename My Dog pin

Product Page

Show off a little information security flare at your next hacker conference, or just wear it anywhere and make people think twice about using such awful passwords.

Monday, December 19, 2022

Turning a $44B social media site into FakeAV

from here and here

Fraudulently reporting sites as malware seems like the kind of scam that should be obviously illegal. I'm not sure how the consequences of his actions haven't caught up to him yet.

There's no perfect privacy

found on Reddit

You can keep things private from the people you live with or maybe even the sites that you visit, but not the company that makes your browser. Just something to think about while you use a browser made by an advertising company

Friday, December 16, 2022

The Philosophy of Zuck

from here and here (image source)

When your a rich tech entrepreneur like Mark Zuckerberg, a creepy surveillance-enabled portrait where the eyes literally follow you seems very on brand.

Human porcupine

found on Acid Cow

As an anti-hugging defense it's fine, but it would be better if it could defend you against a real threat like a mugger.

I am somewhat curious how police would handle it, though. Gonna be hard for a bunch of cops to hold Spikey McSpikerson (Machine Gun Kelly, apparently) down.

Thursday, December 15, 2022

Jumping on the bandwagon

from here and here

There's a lot of attention being paid to artificial intelligence apps like Stable Diffusion or ChatGPT which seem to have (simulated) understanding of natural language, and for good reason because that's actually a really impressive feat. What cybersecurity technology does is not nearly as impressive - not because it's not technical enough but simply because classifying samples isn't the kind of activity that implies the system has any kind of understanding of those sample.

But that's not going to stop marketing people from hyping up their company's technology. Really, there's very little that can stop marketing people.

Gift Card Scam


Watch on YouTube

This gift card scam warning video got a lot of attention recently, presumably because the upcoming holiday season means that more people are out buying gift cards right now.

It even has a 2nd part

Watch on YouTube

And the person appeared on the news to spread the warning even further 
Watch on YouTube

Wednesday, December 14, 2022

Never underestimate your adversary

from here and here (image source)

I don't know, maybe if the gate was on the other side of the door the dog might not have been able to tear the door apart. Another possiblity might be one of those metal kick plates for the far side of the door, since the dog probably started tearing at the bottom and the metal should help prevent that. The key point, though, is to be aware of what kind of attack your defenses are likely to face, evaluate them on whether they are up to the task, and add additional layers to address weaknesses.

Delete My Browser History bracelet

Product Page

Now you too can wear the items that appear in memes. I've said before that private browsing/incognito mode renders deleting browser history unnecessary, but maybe with this thing on your wrist you'll actually remember to use the privacy preserving features of your devices and won't actually need your history deleted. Too bad it doesn't just say "Use Private Browsing". Alternatively, if you're trying to remind yourself, you could just write it directly on your hand.

Tuesday, December 13, 2022

Should have called it "Homework"

from here and here

A 14 year old would do a better job at hiding their porn stash than FTX did at hiding their covert criminal communications. The complete failure of imagination is mind boggling. No wonder they got caught.

In case of emergency, preserve privacy

found on Izismile

When people finally figure out they can just use the private browsing feature of their browser instead of worrying about deleting their browser history all the time, things like this will become unnecessary. But until then...

Monday, December 12, 2022

Are you focused on the right things?

from here and here

One of the problems that can occur in security (among other things) is that the human fascination with novelty can get the best of those in charge of security. Attention can get turned towards threats that are shiny and new (and relatively esoteric) before the fundamentals have been properly addressed, and security suffers as a result. Keep your eyes on the prize and don't get distracted by the woman in the red dress, Neo.

Always listening

found on Memedroid

Just because you "muted" the microphone doesn't mean it's not still listening. It's ALWAYS listening. At best, muting the microphone just stops it from responding to your commands.

Friday, December 9, 2022

Microsoft's IE, they put that shit in everything

from here and here

Thanks to Microsoft's misguided efforts to make their inferior browser an integral part of the Windows platform, the IE rendering engine was stuck into all sorts of things - and now, even though the browser has long since been deprecated, governmental hackers are still using IE exploits to break into systems because IE is embedded into MS Office products. Thanks for nothing, Microsoft.

Maybe try putting that foil around your phone instead

found on Izismile

Maybe it's just me, but I think turning your head into a big antenna would be less productive than putting your phone in a signal-blocking container, if you're worried about your phone spying on you. Even the container may be limited in it's effectiveness, but I feel confident it would still be more effective than Hershey's Head Shielding.

Thursday, December 8, 2022

Merry Encryptmas

from here and here

Christmas came early for iPhone users who care about security and privacy. They're getting a bunch more end-to-end encryption, and the government can suck it.

Enjoy it while it lasts, of course. Tech companies usually give you less of those things, not more.

Packin' the K


Watch on YouTube

This cringy parody music video anti-malware ad from Kaspersky Labs is enough to make me wonder if maybe John McAfee wasn't the only security luminary on drugs.

Wednesday, December 7, 2022

Half-assed ransomware

from here and here

If you've ever paid to get your data back and it worked, count yourself lucky. Not every ransomware is that well made, which means some people get ransomware that can't give their files back even after they pay.

Nobody here but us branches

found on eBaum's World


Camouflage is a countermeasure that works both for defense and attack. Predators can't find you and prey don't see you until it's too late and they've walked right into your ambush.

Tuesday, December 6, 2022

We could use happy endings like that more often

from here and here

Gotta love malware that doesn't validate its own inputs. Especially when it goes out of it's way to be non-persistent, so that when it crashes it's effectively gone and the previously infected machines are now clean until someone comes along to reinfect them.

Your Smart Toaster Is In My Botnet case

Product Page

Smart devices are notorious for being susceptible to this sort of thing, so why not remind people of it where ever you happen to take your laptop?

Monday, December 5, 2022

The gift that keeps on taking

from here and here

Log4j is still out there after an entire year. It's hardly the first time a vulnerability has been left unpatched within the online world, but an easy to exploit vulnerability with the highest severity possible still being unpatched after a year? That's not a good precedent to set.

Don't leave unfinished business behind

found on Dump A Day

You don't have to worry about your browser history if you just use incognito mode instead. That way the browser history doesn't get saved in the first place.

Friday, December 2, 2022

It's more "secure"

from here and here

There are some scenarios where I can see fingerprint biometrics providing a lot of additional security, but phones and laptops aren't among them. It's like a combination lock with the combination written on it. They do provide convenience, and maybe that's what we should be caring about, but we shouldn't try to pretend it's for security

Forage on the enemy

found on Acid Cow

The criminals thought if they had a car faster than the police cars then they would be able to get away, but now that car is a cop car and Texas criminals will be even less likely to get away now that their own strategy is being used against them.

Thursday, December 1, 2022

Who's driving this thing?

from here and here

The Parkerian Hexad includes Control for a good reason. Police-controlled murderbots aren't going to seem like such a great idea when the police lose control of them, and of course there will be ways for adversaries to take over control of the robots. 

Steve Mould : I Hacked Into My Own Car


Watch on YouTube

I think one of the really interesting things about this video is that it shows someone taking a basic principle like the replay attack and figuring out how to make it work in the real world. It didn't work at first, and he went through a number of attempts and refinements before it finally did. This is an essential skill because you can't always just follow someone else's instructions, especially when you're dealing with something new and there are no instructions to follow yet.