As someone who has spent essentially their entire professional career trying to avoid accruing industry certs, I do so love a good gripe about the CISSP.
The whole “certification” system in IT in general and INFOSEC in particular is so laughably corrupt and, worse, has so little relation to actual job skill that the whole damn thing really just needs to be burnt to the ground.
Denise has a pretty good write-up of the LiveJournal password breach over at Dreamwidth.
Specifically:
We’ve seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we’ve learned from our users who we’ve spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn’t use it for several years, but we can’t say for certain. Because of that uncertainty, it’s best if you treat any password you’ve ever used on LiveJournal in the past as compromised, since we can’t tell for certain when the alleged breach happened.
(It’s worth noting Firefox, for example, leans towards the 2017 date. Regardless, assume compromise.)
Also, LiveJournal’s official response—specifically the claim the data are “falsified”—is… interesting. More specifically specifically, what they seem to be claiming is that someone has taken account details from other breaches and attributed them to LiveJournal. Given that I know I, personally, use a LiveJournal-specific email address and I still got a breach noticed from Have I Been Pwned? this is, to put it bluntly, full of shit.
Anyway, tl;dr:
Tl;dr the NSA put out a formal warning late last year about the widespread use of TLS inspection.
You know how everyone tells you the “little padlock” means your “browsing is safe”? Yeah, nah.
Interesting look at how Google’s “auto-delete” feature is essentially useless for protecting user privacy.
(Spoiler alert: it’s got to do with the value of user data over time. Basically, by the time Google allows you to auto-delete data from its services, it’s already extracted most of the value from those data.)
Turns out the passwords of oldskool nerds were pretty shitty…
As someone who’s spent the entirety of their working life in white collar work which is both paradoxically quite “free” but also heavily surveilled, this report was… eye-opening.
Have you ever been in that situation where you kii-ii-ii-inda know your password, but not exactly? Like, you know it’s probably the name of a Naruto character but you can’t remember exactly which one, and that it’s got some 1337-speak in it but you can’t remember exactly where?
Well. There’s now an app (script) for that.
Of course the actual real-world use of this script will be password hacking based on recon about a target’s life. So if you know someone has three kids and a wife—or that they love Naruto—and you know their names and birthdays and anniversaries, you plug those values into this and… bam. Quicker than rainbow tables.
(And this is why you never base your passwords on things like your pets, hobbies, and/or family members, kids!)
Before the Internet revolution, military-grade electronics were different from consumer-grade. Military contracts drove innovation in many areas, and those sectors got the cool new stuff first. That started to change in the 1980s, when consumer electronics started to become the place where innovation happened. The military responded by creating a category of military hardware called COTS: commercial off-the-shelf technology. More consumer products became approved for military applications. Today, pretty much everything that doesn’t have to be hardened for battle is COTS and is the exact same product purchased by consumers. And a lot of battle-hardened technologies are the same computer hardware and software products as the commercial items, but in sturdier packaging.
Through the mid-1990s, there was a difference between military-grade encryption and consumer-grade encryption. Laws regulated encryption as a munition and limited what could legally be exported only to key lengths that were easily breakable. That changed with the rise of Internet commerce, because the needs of commercial applications more closely mirrored the needs of the military. Today, the predominant encryption algorithm for commercial applications — Advanced Encryption Standard (AES) — is approved by the National Security Agency (NSA) to secure information up to the level of Top Secret. The Department of Defense’s classified analogs of the Internet — Secret Internet Protocol Router Network (SIPRNet), Joint Worldwide Intelligence Communications System (JWICS) and probably others whose names aren’t yet public — use the same Internet protocols, software, and hardware that the rest of the world does, albeit with additional physical controls. And the NSA routinely assists in securing business and consumer systems, including helping Google defend itself from Chinese hackers in 2010.
Bruce Schneier on encryption.
Some of you may recall that one of my Minor Fic Bugbears is any mention of “military grade encryption” because, well. This.
Also see: Any time any politician starts talking about adding in things like key escrow of backdoors into “consumer-grade” encryption (which is what Schneier’s full article is about). In the most generous interpretation, they want to take everyone back to Cold War-era export restrictions on encryption technology. Which… ye-ee-eah. Probably not gonna happen, hey.
Breakdown of the opsec failures that lead to the closing of the Silk Road…
As an aside, I keep reading the “in the Tor Hidden Service” part of this article headline as “in the Tom Hiddleston” which… uh…
Robert Graham from Errata Security gives a basic walk-through of just how easy it (potentially) is to “hack” people’s accounts.
“Hack” is in scare quotes here because there’s no actual hacking going on; Graham is just cross-referencing data sets, specifically looking for a target’s email address in the Have I Been Pwned database. HIBP doesn’t display hacked passwords/hashes directly, but it does provide details of which datasets an email is found it. Anyone with access to the original dataset—and they’re not that difficult to obtain, for someone motivated to look—basically then has a user’s password1 and can potentially use it to breach someone’s other accounts.
The point of this, incidentally, is to point out how trivial this stuff is, and to stress the importance of tactics such as enabling multi-factor authentication and not reusing passwords2 across websites. Nothing is foolproof, but the low-hanging-fruit here is very low hanging, so… y’know. Go do something about that, maybe?
