Saturday Security Brief

Topics: Attack Surface Management, Active iMessage exploit targetting journalists, Academic research on unique EM attack vectors for air-gapped systems.

Any feedback or thoughts on the experience of receiving and discussing news through this brief or in general are welcome. I'm curious about this form of staying informed so I want to experiment. (Thanks again for the suggestion to post the topics as comments.)

Attack Surface Management

This concept is about ensuring that your network is equipped to handle the many issues that arise from accommodating various "Servers, IoT devices, old VPSs, forgotten environments, misconfigured services and unknown exposed assets" with an enterprise environment. Some of the wisdom here can be applied better think about protecting our personal networks as well. Outdated phones, computers, wifi extenders, and more can be a foothold for outside attackers to retain persistant access. Consider taking steps to migigate and avoid potential harm from untamed devices.

Consider putting certain devices on the guest network if your router supports doing so and has extra rules for devices on that network so they can't cause damage to your other devices directly.

"A report from 2016 predicted that 30% of all data breaches by 2020 will be the result of shadow IT resources: systems, devices, software, apps and services that aren’t approved, and in use without the organization’s security team’s knowledge. But shadow IT isn’t the only area where security and IT teams face issues with tracking and visibility."

Attack Surface Management: You Can’t Secure What You Can’t See ~ Security Trails

Multiple Journalists Hacked with ‘Zero-Click’ iMessage Exploit

Mobile spyware is continuing to evolve and tend towards professional solutions. Recently this technology has been abused to conduct espionage on journalists of major networks. Where once these exploits typically required some mistaken click from the user, new developments are allowing their activities without any trace or requiring interaction from the target.

"NSO Group’s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses."

"In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked."

"The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates."

"More recently, NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces."

The Great iPwn Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit ~ Citizen Lab

Security researchers exfiltrate data from air-gapped systems by measuring the vibrations made by PC fans.

Besides this potential exploit the article mentions past research done by Guri and his team which is worth checking out, like:

• LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED

• AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data

• MAGNETO & ODINI - steal data from Faraday cage-protected systems

• PowerHammer - steal data from air-gapped systems using power lines

• BRIGHTNESS - steal data from air-gapped systems using screen brightness variations

"Academics from an Israeli university have proven the feasibility of using fans installed inside a computer to create controlled vibrations that can be used to steal data from air-gapped systems."

Academics steal data from air-gapped systems using PC fan vibrations ~ Zdnet

Good Practices

"Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident."

Turn on MFA Before Crooks Do It For You ~ Krebs on Security

Flash is gonna die for good in a few days (dec 31st) so I felt this is a good time to ask this question. (Although obviously, there have been large efforts to preserve these when the developers did not. And even then, HTML5 means browser games will continue to exist, even though mobile games have mostly replaced browser games anyway.)

Mine personally were (taking away some of the more well-known ones):

Gravitee 2

Basically a game of celestial golfball. Had a level editor, which was quite fun.

Bonk.io (although this one has a sequel that's not in flash)

Pretty popular for a flash game made in 2016. Basically a game where balls need to "bonk" eachother out of the playing field.

Effing meteors (Definitely one of the games that I probably remember being better than it is.)

Basically a game where you clump up small meteors into bigger meteors to destroy stuff.

Ribbit

A game where a rabbit and frog are fused together and need to bounce like a pogo to the end.

Frost bite

A mountain climbing platforming game.

Sushi cat

A game where you need to eat sushis quickly. Also has cutscenes.

Flash cat

An aesthetic racing game? Not entirely sure.

Chisel

A game where you drill through the planet enough times to move to the next level (man, I had some weird gameplay preferences.)

Dillo hills

A game where you need to time your descents to pick up speed in the hills and fly.

Dino run

An 8 bit game where you as a dinosaur need to outrun extinction.

Raccoon racing

A power-up racing game I remember playing quite a bit. Definitely designed for children, even if that's not very surprising.

As part of a weekly series, these topics are a place for users to casually discuss the things they did — or didn't do — during their week. Did you accomplish any goals? Suffer a failure? Do nothing at all? Tell us about it!

Friday Security Brief

This release is trial for a weekly security brief compiled from trusted sources that encourage a general awareness of cyber security issues. I'm still not sure about how to do this so any thoughts or feedback will be appreciated.

Brexit deal mandates a limit to security standards

"In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:"

Brexit Deal Mandates Old Insecure Crypto Algorithms ~ Schneier on Security

FBI Warns of Hijacked Security Devices being exploited for Swatting

"Stolen email passwords are being used to hijack smart home security systems to “swat” unsuspecting users, the Federal Bureau of Investigation warned this week. The announcement comes after concerned device manufacturers alerted law enforcement about the issue."

FBI Warn Hackers are Using Hijacked Home Security Devices for Swatting ~ Threatpost

A look back at some email attacks of 2020

"In 2020, our spam folders bulged with malware-laced emails, phishing lures linking to ransomware schemes, impersonation attacks, spoofed brand and fake domain missives, and dubious requests from legit-sounding companies. So, what defined 2020 in spam?"

Inbox Attacks: The Miserable Year (2020) That Was ~ Threatpost

SolarWinds hackers accessed Microsoft source code

"The hackers behind the SolarWinds supply chain attack managed to escalate access inside Microsoft's internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories, the company said on Thursday."

SolarWinds hackers accessed Microsoft source code ~ Zdnet

CISA updates SolarWinds guidance

"The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack.

In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year."

CISA updates SolarWinds guidance, tells US govt agencies to update right away

I do, and my personal go-to is the SOG Key Knife. Small, fits perfectly on my keychain, usable for most daily tasks, and not made in China, despite being inexpensive. I also tend to keep an old folding Buck my dad gave me in my bag for heavier duties.

Edit: added a photo of the SOG.

Second edit: Don’t get a knife for self-defense, they require significant training to properly use without getting hurt, and put you closer to your assailant. Learn situational awareness first and foremost, then if you still would like, pick up some pepper spray or a firearm.

What have you been listening to this week? You don't need to do a 6000 word review if you don't want to, but please write something! If you've just picked up some music, please update on that as well, we'd love to see your hauls :)

Feel free to give recs or discuss anything about each others' listening habits.

You can make a chart if you use last.fm:

http://www.tapmusic.net/lastfm/

Remember that linking directly to your image will update with your future listening, make sure to reupload to somewhere like imgur if you'd like it to remain what you have at the time of posting.

What have you been watching and reading this week? You don't need to give us a whole essay if you don't want to, but please write something! Feel free to talk about something you saw that was cool, something that was bad, ask for recommendations, or anything else you can think of.

If you want to, feel free to find the thing you're talking about and link to its pages on Anilist, MAL, or any other database you use!

Do we have any statistics on how many users have been banned and why they’ve been banned? What information should be or remain public? Some forum sites let you see the banned users post and comment history from prior to their ban; is there any value in that?

Unrelated; how many Tildes-ers are we up to now?

Thats all the languages I know. Please expand! I wish you all a happy new years and that next year is gonna be (even) better ;-)

I'm really greatful to be part of this community, one of the brigtest spots of friendlyness and respect in the wide internet :-) thank you all!

Someone posted this on the privacy subreddit. I also ended up finding this and this after doing a bit of searching. As someone who isn’t in the CS/IT spheres (chemical engineering is my background), Firefox has been my go-to browser for awhile, although I’m being made aware of the flaws of Firefox (most of which go over my head) and behavior of Mozilla. What can be done to fix this, especially considering that Firefox is the only FOSS browser with a significant user base?

Today's problem description: https://adventofcode.com/2020/day/19

Join the Tildes private leaderboard! You can do that on this page, by entering join code 730956-de85ce0c.

Please post your solutions in your own top-level comment. Here's a template you can copy-paste into your comment to format it nicely, with the code collapsed by default inside an expandable section with syntax highlighting (you can replace python with any of the "short names" listed in this page of supported languages):

<details>
<summary>Part 1</summary>

```python
Your code here.
```

</details>