Marshall Sutherland

Thu, 10 Oct 2024 13:01:47 -0400

dwatney@hub.farthinghalearms.com

So, about that argument that government back doors are safe and secure...

#^Chinese hackers breached US court wiretap systems, WSJ reports

Chinese hackers accessed the networks of U.S. broadband providers and obtained information from systems the federal government uses for court-authorized wiretapping, the Wall Street Journal reported on Saturday.

Verizon Communications, AT&T, and Lumen Technologies are among the telecoms companies whose networks were breached by the recently discovered intrusion, the newspaper said, citing people familiar with the matter.

The hackers might have held access for months to network infrastructure used by the companies to cooperate with court-authorized U.S. requests for communications data, the Journal said. It said the hackers had also accessed other tranches of internet traffic.

#surveillance #security

surveillance security

Sat, 21 Sep 2024 21:57:39 -0400

Marshall Sutherland

dwatney@hub.farthinghalearms.com

#^I Hacked My Friend's Phone to Show How Easy It Is

Can you trust your phone?

#video #security #privacy

video security privacy

Mon, 09 Sep 2024 12:51:36 -0400

Marshall Sutherland

dwatney@hub.farthinghalearms.com

#^Australia Threatens to Force Companies to Break Encryption - Schneier on Security

Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without comprising the integrity of encryption.

Certainly, these governmental dingleberries aren't sofa king ignorant that they actually still believe their constant refrain of this BS after all these years?

#crypto #security

crypto security

Thu, 07 Mar 2024 20:04:14 -0500

Marshall Sutherland

dwatney@hub.farthinghalearms.com

A few weeks back, I'm in a meeting with a vendor and they are trying to calm any security concerns by saying they use "banking-grade security."

This week, I'm trying to move a banking vendor from our old sftp server with software that went end-of-life last year to our new sftp server. It turns out that their server and our new server have no key exchange protocols in common. "client offered: [ssh-rsa ssh-dss]"

How 'bout that "banking-grade security."

It makes me wonder... Are there still Windows XP-based ATMs out there?

#security #work

security work

Fri, 08 Mar 2024 09:53:20 -0500 last edited: Fri, 08 Mar 2024 09:59:13 -0500

Scott M. Stolz

scott@biztechtonics.net

I used to work for a bank in their data center, and I can tell you that they used technology as long as they possibly could. Mind you, this was decades ago, but we had some interesting setups.

We had dumb terminals (green screens) controlling tape silos with robotic arms that grabbed tape cassettes. We had Windows 3.11 systems that had the Terminal app in full screen mode, to emulate a dumb terminal. To put that further in context, Windows 95, Windows 98, and Windows NT were the latest systems. We transferred data from one system to another using reels of tape. We were still using a mainframe when most of the world had already switched to Linux servers. All of these technologies, except the multi-million dollar tape silos, were outdated technology.

Basically, if it was still functional, we still used it.

Tue, 05 Mar 2024 18:52:27 -0500

Marshall Sutherland

dwatney@hub.farthinghalearms.com

These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway.

The devices are also sold by Walmart, Sears, and other retailers—and big platforms have faced few consequences for shipping flawed products

On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.

If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.

Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.

What does Consumer Reports suggest if you have one of these flawed systems?

If you own one of these doorbells, Consumer Reports recommends that you disconnect it from your home WiFi and remove it from your door.

#security #privacy

security privacy

show all 5 comments

Wed, 06 Mar 2024 14:41:15 -0500

Jason Cook

jason@hub.inktada.com

Haakon, much of your assumption is based off of the person being home at the time of exploitation.

It's easy to make sure you are out of view of the camera at the time.

Wed, 06 Mar 2024 15:09:08 -0500

Haakon Meland Eriksen (Parlementum)

parlehaakon@hub.volse.no

I know, but the risk of someone doing all this with the doorbell rather something much more effective is really small.

Wed, 06 Mar 2024 15:15:51 -0500

Haakon Meland Eriksen (Parlementum)

parlehaakon@hub.volse.no

If you are not at home, is not the point of the doorbell's service connection to send an alert to the app of the owner?

Any way, I think I got annoyed at the article for being really long and scary, while not taking into account the low number or occurances given the volume of doorbells sold.

Thu, 18 Jan 2024 12:55:54 -0500 last edited: Thu, 18 Jan 2024 12:55:50 -0500

Marshall Sutherland

dwatney@hub.farthinghalearms.com

Now I want to know what kind of phones these are!

Police must return phones after 175 million passcode guesses, judge says

How many times should forensic investigators be allowed to guess the password of a locked cellphone belonging to a suspected pedophile?

That was the question that confronted an Ottawa judge recently when he was asked to rule on an application by the Ottawa Police Service to retain three cellphones from the suspect for two more years.

The police seized the phones in October 2022 with a warrant obtained based on information about a Google account user uploading images of child pornography. The contents of the three phones were all protected by complex, alpha-numeric passcodes.

Ontario Superior Court Justice Ian Carter heard that police investigators tried about 175 million passcodes in an effort to break into the phones during the past year.

#privacy #security

privacy security

Wed, 08 Nov 2023 19:57:02 -0500

Marshall Sutherland

dwatney@hub.farthinghalearms.com

Article 45 Will Roll Back Web Security by 12 Years

The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government. Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government’s control could be used to intercept HTTPS communication throughout the EU and beyond.

#security #surveillance #privacy

security privacy surveillance

Thu, 09 Nov 2023 08:57:44 -0500

Jason Cook

jason@hub.inktada.com

Sounds super safe<--sarcasm. What could possibly go wrong with a government's ability to decode & access everything? I seem to remember the world switched to https once they found about some government collecting all data...

In addition, government agencies have been proven to be super secure<--sarcasm. What could possibly go wrong from a data leak standpoint compromising PII, PHI, bank, credit cards, passwords, etc.?

Thu, 09 Nov 2023 12:35:22 -0500

Marshall Sutherland

dwatney@hub.farthinghalearms.com

How dare you question the government's intentions or competency, comrade! The government is filled with only those of unimpeachable character and competence!

:rofl

Fri, 29 Sep 2023 20:39:44 -0400

Marshall Sutherland

dwatney@hub.farthinghalearms.com

Millions of Exim mail servers exposed to zero-day RCE attacks

A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.

Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.

While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.

#security

security

Mon, 28 Aug 2023 12:50:45 -0400

Marshall Sutherland

dwatney@hub.farthinghalearms.com

The Cheap Radio Hack That Disrupted Poland’s Railway System

The sabotage of more than 20 trains in Poland by apparent supporters of Russia was carried out with a simple “radio-stop” command anyone could broadcast with $30 in equipment.

#security

security

Tue, 18 Jul 2023 13:04:55 -0400

Marshall Sutherland

dwatney@hub.farthinghalearms.com

At work, we apparently have some FedGov contracts on the line and need to find a way to implement this policy. Will it mean requiring company-issued phones (something we don't currently have) to access company resources on the go because we can't prevent people from using TikTok on their personal phones? We shall see.

TikTok Ban Issued for Federal Government Contractors

A new Federal Acquisition Regulation clause prohibits contractors from “having or using” TikTok on any devices used to conduct official business.

The new FAR clause, published on June 2, builds on February White House instructions to federal agencies to eliminate TikTok from official networks and requires federal contractors to amend their policies to comply with the interim rule by July 3.

Dismas Locaria, a government contracts attorney at Venable LLP, said June 23 that the new FAR clause applies to any and all devices used by federal contractors to conduct official business, regardless of whether they are owned by the government, the contractor or the contractor’s employees, meaning it can extend to include personal devices.

“It doesn't matter whether that device is owned by a contractor or by the employee of a contractor, so it absolutely would cover personal devices,” Locaria said. “This [ban] is a type of thing that could cause people to go back to having multiple devices specifically for work. You can have a more secure device that you use for government contracts, and you only have work-approved apps. And you can also have a personal device where you can have your personal apps.”

#security #regulation #work

security regulation work