the grugq's newsletter

May 20, 2022

Huge news. The Feds won’t use the CFAA to go after security researchers, pinky promise!

Zack Whittaker @zackwhittaker
Wow. DOJ has announced a significant policy shift in how it will bring computer hacking charges under CFAA in the future. "The policy for the first time directs that good-faith security research should not be charged." justice.gov/opa/pr/departm…
3:29 PM ∙ May 19, 2022

Very important caveat.

Blake E. Reid @blakereid
@thegrugq NB: this doesn't extend to civil liability, which is a major practical problem for many researchers.
6:16 PM ∙ May 19, 2022

The EFF is all over it.

Chris Wysopal @WeldPond
…it stops far short of requiring that a defendant defeat a technological restriction in order to exceed authorized access.
eff.org: DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers. The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The...
2:59 AM ∙ May 20, 2022


https://arxiv.org/abs/2205.07759

There are so many problems with this paper I’m not sure where to start. I guess I’ll start with the conclusion: they are correct. Many APTs use public vulnerabilities rather than 0day.

A short summary of some problems with the paper. Their goal when writing this paper was to answer the question “does timely patch protect an enterprise against APT threats? If so, how timely?” Keep this in mind, they’re thinking about enterprises and patching.

So an early problem is that they assume APTs are an ontological unit. They are not. The term “APT” is a broad generalisation used to collectively refer to many different kinds of actor.

Another issue is that they assume the reports from as far back as 2008 are reliable, which I am not sure is a safe assumption.

The paper uses APT clusters which are known to be flawed. For example, the Winnti group was more of an umbrella term for different people using the same tools from a particular vendor. Much like one could talk about the “REvil group” to collectively refer to everyone using that ransomware brand, the reality is that affiliates each have different threat profiles. What they use post-exploitation says nothing about how they gain access.

These are more epistemological failures.

Understanding campaigns is complicated. Firstly, for a nation state the purpose of breaking into a computer is to do something after breaking in. Gaining access is just step 0. A chore that needs to be done before moving on to the scut work of cyber espionage.

They need to gain access, but they don’t have many concerns about *how* they gain access. Of course, cheaper is better, and faster is better, but those are just guidelines. There are many conditions which could change the calculus here, such as expediency, security, time pressure, resource constraints, procurement pipeline issues, and so on.

For the majority of cases though, they can use whatever works and just get on with the job. Not every operation is about disrupting an adversary before a deadline.

Catalin Cimpanu @campuscodi
A recent academic paper studied data from 86 APTs and 350 campaigns carried out from 2008 to 2020 and found that APTs rarely rely on zero-days and typically use public known vulnerabilities for their attacks
arxiv.org/abs/2205.07759
Image
5:21 PM ∙ May 19, 2022


Ukrainian Memes Forces @uamemesforces
Image
8:30 PM ∙ May 19, 2022


The EU is intent on fucking up a critical thing for a theoretically noble reason in a very dumb way.

Matthew Green @matthew_d_green
Very clear explanation of how the EU’s anti-grooming law will affect end-to-end encrypted messaging.
educatedguesswork.org: End-to-End Encryption and the EU’s new proposed CSAM Regulation
8:56 PM ∙ May 19, 2022


Update your incident response handling to include better messaging to attackers.

Florian Roth ⚡️ @cyb3rops
🍆 bleepingcomputer.com/news/security/…
Image
8:50 PM ∙ May 18, 2022


Twitter is on the case for Ukraine disinformation.

PsyWar.Org 🇺🇦🌻 @psywarorg
Twitter steps up Ukraine misinformation fight
bbc.co.uk: Twitter steps up Ukraine misinformation fight. The social media platform says it will put false claims from official accounts behind warning notices.
8:55 PM ∙ May 19, 2022


If Halvar has seen further it is because he is a giant. Possibly standing on his own shoulders.

Halvar Flake @halvarflake
Some thoughts on startups, Figmaization, and AI: 1) I strongly believe that every heavyweight desktop application that still exists will be replaced by a SaaS-y in-browser collaborative version. Docs, Figma were the start, and the few things that remain (CAD? EDA?) will be next.
12:56 PM ∙ May 19, 2022

-

Window Snyder @window
Attention aged exploit writers: If you were a ninja in the late 90s-early 00s, turn your attention to embedded devices, bootloaders and firmware. All your old skills are new again.
10:30 PM ∙ May 18, 2022


Here’s a short PDF book on The Trust, an incredibly effective counterintelligence operation run by the Cheka (the earliest incarnation of the KGB).

https://jmw.typepad.com/files/simpkins---the-trust-security-intelligence-foundation.pdf

Here’s another document on the same topic, because it is really an awesome op.

https://www.centerforintelligencestudies.org/the-trust.html

-

Reviews from the front lines on what matters in equipment.

Rob Lee @RALee85
Some gear reviews from RAZVEDOS. He says that VSS and AS Val rifles haven't proven themselves during the war. Both require a lot of cleaning and maintenance. He also said they lack enough penetration, but Russia lacks enough suppressors for AKs. vk.com/public21006822…
Image
Image
Image
10:58 AM ∙ May 20, 2022

-

ESET finding more Russian malware.

ESET research @ESETresearch
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware @_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6
Image
6:08 AM ∙ May 20, 2022

-

Supply chain attacks. Trust is the root of all compromise…

Daniel Cuthbert @dcuthbert
We've heard a lot about supply chain risks but rarely do we see actual solid attacks. @SentinelOne has investigated one targeting the Rust dev community and it's pretty interesting, to me at least
sentinelone.com: CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware. Software developers using GitLab CI are being targeted with malware through a typosquatting attack, putting downstream users at risk.
10:52 AM ∙ May 20, 2022
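
The attack above got in through a typosquatted crate name. As an added example (not code from the newsletter, from SentinelOne, or from the CrateDepression write-up), here is the kind of pre-build check a practitioner can run over a Cargo manifest: every dependency name is compared against a list of crates you expect to see, and anything that is a near-miss (one edit away, or differing only in a dropped or swapped `-`/`_` separator) without being an exact match is flagged. The "known crate" list, the manifest, and the look-alike names in it are constructed sample data, not names taken from the real incident.

```python
"""Heuristic typosquat check for a Rust dependency list.

Added example, not from the newsletter or the SentinelOne report. Compares
every crate name in a manifest against a list of expected crate names and
flags near-misses: edit distance 1, or the same letters with the '-'/'_'
separator swapped or dropped. Sample data below is constructed.
"""
import re


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and strip '-' and '_' so that 'num_bigint', 'num-bigint'
    and 'numbigint' all collapse to the same key (a common squatting trick)."""
    return re.sub(r"[-_]", "", name.lower())


def typosquat_candidates(deps, known, max_distance=1):
    """Return (dependency, lookalike, reason) for every dependency that is
    suspiciously close to a known crate without being that crate."""
    known_set = set(known)
    findings = []
    for dep in deps:
        if dep in known_set:
            continue
        for target in known:
            if normalize(dep) == normalize(target):
                findings.append((dep, target, "separator variant"))
                break
            if edit_distance(dep, target) <= max_distance:
                findings.append((dep, target, f"edit distance <= {max_distance}"))
                break
    return findings


def parse_cargo_toml_deps(text: str):
    """Minimal [dependencies] reader: one 'name = ...' entry per line, no
    nested tables. Enough for this example; a real tool should use a TOML parser."""
    sections = {"[dependencies]", "[dev-dependencies]", "[build-dependencies]"}
    deps, in_deps = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_deps = line in sections
            continue
        if in_deps and "=" in line and not line.startswith("#"):
            deps.append(line.split("=", 1)[0].strip().strip('"'))
    return deps


# Constructed sample data (hypothetical manifest; look-alike names are invented).
KNOWN_CRATES = ["serde", "tokio", "reqwest", "rand", "num_bigint"]
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1"
tokio = { version = "1", features = ["full"] }
numbigint = "0.4"
reqwst = "0.11"
rand = "0.8"
"""

if __name__ == "__main__":
    deps = parse_cargo_toml_deps(SAMPLE_CARGO_TOML)
    for dep, lookalike, why in typosquat_candidates(deps, KNOWN_CRATES):
        print(f"{dep!r} looks like {lookalike!r} ({why})")
```

This is a heuristic, not a verdict: a flagged name still has to be checked against the registry, and an exact match proves nothing if the upstream crate itself is compromised. It belongs alongside, not instead of, pinned versions and a lockfile review in CI.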

-

The future is kinda crazy. Costa Rica is at war with Conti.

https://www.bbc.co.uk/news/technology-61323402

-

Russian offensive cyber supply chain.

PJ⌨🖱🏋🏻‍♂️🥃🗺🌎🌻🇺🇦 @PJ47596176
👀👀🇷🇺 companies InformInvestGroup and software company ODT (Zer0day) LLC created Fronton for FSB. Fronton is a system developed for coordinated inauthentic behavior on a massive scale - not just DDoS. nisos.com/blog/fronton-b…
nisos.com: Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior. May 2022 Investigative Report Release: Nisos analysts determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale. Read more.
9:18 AM ∙ May 20, 2022

-

Strongmen regimes and military blunders.

https://warontherocks.com/2022/05/when-strongmen-invade-they-bring-their-pathologies-with-them/