Tuesday, November 10, 2020

Any experienced hacker looks at all the simple/obvious failures as a matter of course. I suspect Russia, China, North Korea and Iran knew about this almost as soon as it went into use. It’s the kind of job you assign to your trainee hackers.

https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/#ftag=RSSbaffb68

Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug

The US Department of Defense has fixed a severe vulnerability impacting its internal network that would have allowed threat actors to hijack DOD accounts just by modifying a few parameters in web requests sent to DOD servers.

The issue received a severity rating of "Critical (9 ~ 10)" because the bug required minimal technical skills to exploit and hijack any DOD account of the attacker's choosing.

While some details about the bug were disclosed earlier today, the full report won't be made available, to protect the security of the DOD network.

According to this summary report, the bug was categorized as an Insecure Direct Object References (IDOR) vulnerability, a bug where security checks are missing from an application, allowing hackers to modify a few parameters without any additional identity checks.

In the DOD's case, the bug would have allowed an attacker to take a legitimate web request sent to a DOD website, modify the user ID and username parameters, and the DOD site would have allowed the attacker to change any user's DOD account password — which would have allowed hackers to hijack accounts and later breach the DOD's network.
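The IDOR pattern described above, as an added illustration that is not the DOD system's code nor anything from the ZDNet report: a password-change handler that trusts the request's user ID and username, beside a hardened version that binds the target account to the authenticated session. The session table, usernames and ids are constructed sample data.

```python
import copy

# Constructed sample state (not real accounts): session token -> logged-in username,
# and the user table the password-change endpoint updates.
SESSIONS = {"sess-alice": "alice"}
USERS = {
    "alice": {"id": 1001, "password": "alice-old"},
    "bob":   {"id": 1002, "password": "bob-old"},
}

class Forbidden(Exception):
    """Raised when the request is rejected; maps to an HTTP 403 in a real app."""

def change_password_vulnerable(users, session_token, params):
    """IDOR pattern: the caller is authenticated, but the account to modify is
    taken from client-controlled request parameters with no ownership check."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    target = params["username"]                 # trusted straight from the request
    users[target]["password"] = params["new_password"]
    return target

def change_password_fixed(users, session_token, params):
    """Hardened: the subject is whoever owns the session. Client-supplied
    user_id/username are only cross-checked, never used for the lookup, so a
    mismatch is rejected (and is a useful signal to log and alert on)."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not logged in")
    if params.get("username") != caller or params.get("user_id") != users[caller]["id"]:
        raise Forbidden("request identifiers do not match the session principal")
    users[caller]["password"] = params["new_password"]
    return caller

def demo():
    """Alice's session sends a request carrying Bob's identifiers. Returns
    (vulnerable outcome, fixed outcome, Bob's password after the fixed call)."""
    cross_account_request = {"user_id": 1002, "username": "bob", "new_password": "new-pass"}
    store = copy.deepcopy(USERS)
    vuln = change_password_vulnerable(store, "sess-alice", cross_account_request)  # "bob"
    store = copy.deepcopy(USERS)
    try:
        change_password_fixed(store, "sess-alice", cross_account_request)
        fixed = "allowed"
    except Forbidden:
        fixed = "rejected"
    return vuln, fixed, store["bob"]["password"]
```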





I told you these guys are good…

https://www.theregister.com/2020/11/09/gchq_hacks_russia_vaccine_disinfo/

Somebody's Russian to meddle with UK coronavirus vaccine efforts, but GCHQ won't take it lying down

British eavesdropping agency GCHQ is actively hacking Russian attempts to undermine coronavirus vaccine efforts, according to The Times.

Tactics deployed against the Russia-backed actors are said to include "encrypting" the operators' data, mildly suggestive of ransomware – albeit without the ransom.





Comes with a major loophole…

https://www.technologyreview.com/2020/11/09/1011837/europe-is-adopting-stricter-rules-on-surveillance-tech/

Europe is adopting stricter rules on surveillance tech

The goal is to make sales of technologies like spyware and facial recognition more transparent in Europe first, and then worldwide.

The European Union has agreed to stricter rules on the sale and export of cyber-surveillance technologies like facial recognition and spyware. After years of negotiations, the new regulation will be announced today in Brussels. Details of the plan were reported in Politico last month.

The regulation requires companies to get a government license to sell technology with military applications; calls for more due diligence on such sales to assess the possible human rights risks; and requires governments to publicly share details of the licenses they grant. These sales are typically cloaked in secrecy, meaning that multibillion-dollar technology is bought and sold with little public scrutiny.

The main thing the new regulation achieves, according to its backers, is more transparency. Governments must either disclose the destination, items, value, and licensing decisions for cyber-surveillance exports or make public the decision not to disclose those details.





Why I don’t like teaching online, volume 2. Are all online students criminals?

https://www.vice.com/en/article/88anxg/students-have-to-jump-through-absurd-hoops-to-use-exam-monitoring-software

Students Have To Jump Through Absurd Hoops To Use Exam Monitoring Software

Using hand mirrors and making 3D room scans are among the bizarre instructions students must follow while using software like ProctorU and Respondus.





Many views always beat one view.

https://www.huntonprivacyblog.com/2020/11/09/webinar-on-the-california-privacy-rights-act/

Webinar on the California Privacy Rights Act

On November 19, 2020, Hunton Andrews Kurth will host a webinar examining the recently approved California Privacy Rights Act (“CPRA”) and how it revises the California Consumer Privacy Act of 2018 (“CCPA”).





The consulting world changes…

https://www.databreaches.net/cyber-consulting-firms-get-tied-up-in-post-breach-lawsuits/

Cyber Consulting Firms Get Tied Up in Post-Breach Lawsuits

Jake Holland and Andrea Vittorio report:

Cybersecurity consultants could be on the hook for data breaches at companies they contract with after two recent court rulings in consumer class actions.
Accenture Plc’s U.S. unit in October failed to escape claims made against the consultant in a consumer lawsuit over a hack of Marriott International Inc.’s hotel reservations database. The decision came after Capital One Financial Corp. was forced to turn over cybersecurity firm Mandiant’s report on a cloud hack in another case.
The cases raise questions about whether a consultant’s work should be considered fair game for class action lawyers gathering evidence on a cyber incident to try to hold the consulting firms responsible for fallout from breaches.

Read more on Bloomberg Law.





A problem common to all industries with record keeping regulations. Can you imagine asking any head of state for a copy of a phone conversation transcript? “Why yes, the President promised to sell us Hawaii for $24.”

https://www.bespacific.com/biden-may-have-trouble-unearthing-trumps-national-security-secrets/

Biden may have trouble unearthing Trump’s national security secrets

Politico: “From tearing up documents and hiding transcripts of calls with foreign leaders to using encrypted messaging apps and personal email accounts for government business, the Trump White House’s skirting of records preservation rules could limit the incoming Biden administration’s visibility into highly sensitive foreign policy and national security secrets… The Presidential Records Act, which requires a sitting president to preserve and ultimately make public all records relating to the performance of their official duties, was passed 42 years ago in response to President Richard Nixon’s attempts to hide the White House tapes that led to his downfall. The law makes presidential records available to the public via the Freedom of Information Act beginning five years after the end of an administration. But it has no real enforcement mechanism and relies on the president’s good faith compliance, said Kel McClanahan, the executive director of the law firm National Security Counselors.

“Out of respect for the institution and the separation of powers, when Congress passed the PRA, they gave the White House the right to decide what constitutes a presidential record,” McClanahan said. “They never envisioned a president who would come in and just start shredding stuff.”…





There were no headlines like this for the Apple II. Perhaps there should have been.

https://www.cnet.com/news/apple-new-macs-could-change-computers-as-we-know-them-one-more-thing-event-new-chips/

Apple's new Macs could change computers as we know them

Apple's expected to announce the first computers powered using chips that are more like an iPhone than a typical PC. That alone is exciting to the techies, but it's also a sign of what's possible to come, whether you buy a Mac or not. The iPhone maker's said it's going to change the brains of its computers over the next couple years. Starting with the computers it's expected to announce Tuesday, Apple's going to throw its weight behind its own self-made chips.

By combining all its devices under the same chips and common code, Apple will be able to offer an experience that truly spans its desktops, laptops, phones and watches. Apple's already said app developers will be able to create one app and send it to all devices, with adjustments for keyboard and mouse vs finger touch and gestures.

What's likely to change more than anything is on the outside of the laptop and desktop. Apple's iPhones and iPads don't have fans to keep their chips cool. Analysts are betting that if Apple can pull off that same trick with its computers, the fans that take up space and force the laptop to be thicker might disappear.



(Related)

https://www.makeuseof.com/samsung-passes-apple-number-one-smartphone-brand-us/

Samsung Passes Apple as Number One Smartphone Brand in the US

According to market researcher Strategy Analytics (h/t the Korea Herald), Samsung has slid its way into the number one spot for most smartphones sold in the US for the third quarter of 2020.

During the July-September period, Samsung accounted for 33.7 percent in the US smartphone market. That's an impressive 6.7 percent increase over the same period in 2019.

While Apple may not be number one anymore, the company still moved plenty of smartphones, accounting for 30.2 percent of the market.





Free learning for shut-ins.

https://www.techrepublic.com/article/free-ibm-developer-conference-on-ai-and-data-science-includes-300-in-credits-for-coursera-class/

Free IBM developer conference on AI and data science includes Coursera certification

Developers and business leaders can learn about the latest trends in artificial intelligence (AI) at IBM's free Data & AI digital conference on Nov. 10 starting at 2 pm GMT. The sessions will focus on operations, ethics, and cloud computing. IBM is running the conference again on Nov. 24 for India and the Asia Pacific region.

People who register for the conference get $300 in credits to spend on any services in the IBM Cloud Catalog. Attendees who complete the course in Track 3 earn an AI and Data Essentials badge. Participants also can get select Coursera specializations and certifications for free, including:

Most of the sessions will be pre-recorded and available as soon as the conference opens.


