November 6, 2023
Releasing the slides for our @ekoparty presentation “smashing the TLB for fun and profit” https://t.co/xApbcm4OQ9
— Daniel (@ergot86) November 4, 2023
1993: Bugtraq was created by Scott Chasin as a full disclosure vulnerability reporting mailing list at the dawn of the World Wide Web. Bugtraq had an enormous influence on how orgs responded to vuln disclosure and paved the way for a shift which led to bug bounty programs. pic.twitter.com/0a1sZkftWf
— Today In Infosec (@todayininfosec) November 5, 2023
There are two HTTP servers: One always tells the truth and one always lies https://t.co/CQtTclzIaT
— GonzoHacker (@GonzoHacker) November 6, 2023
Just found this HTTP response.

Status Code:
200 - OK

Body:
{
  "status": "success",
  "response": {
    "status": "error"
  }
}

— Davide Bellone (@BelloneDavide) November 5, 2023
Passive SSH Key Compromise via Lattices
https://eprint.iacr.org/2023/1711.pdf
Comment: https://news.ycombinator.com/item?id=38161792
To give an easier explanation: this is an attack against faulty RSA implementations. There is a common optimization in RSA signature implementations that splits up an expensive mathematical operation into two smaller operations. If one of these throws out a bad result, then you can break the key.

Why does this happen? Multiple reasons. Implementations of big-number math can and do contain bugs. (I used to hunt for those via fuzzing, which turned up an amazing number of them.) Hardware failures. Other bugs that corrupt numbers in memory.

The basic attack is well known. Florian Weimer has demonstrated this against TLS in the wild: https://www.redhat.com/en/blog/factoring-rsa-keys-tls-perfec... The new thing this paper adds is applying this attack to SSH.

There is a countermeasure against this attack, and this is to verify the signature before revealing it. It works. As the paper says, OpenSSH uses OpenSSL's RSA implementation, and it has been doing that since forever (2001).

So in summary: applying a well-known attack against RSA to its use in SSH. It only works if you have an RSA implementation that outputs results of flawed computations. Countermeasures exist, and RSA implementations should use them.
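The attack the comment describes, as an added example (not code from the paper, OpenSSH or OpenSSL): a toy RSA-CRT signer whose "two smaller operations" are the mod-p and mod-q exponentiations, a single bit flip injected into the mod-q half to stand in for a bignum bug, hardware fault or memory corruption, the gcd that recovers both private factors from that one bad signature, and the verify-before-release countermeasure. The key size, seed, message and fault are all constructed here; the lattice technique the paper's title refers to is not shown, only the basic gcd attack the comment talks about.

```python
"""RSA-CRT fault attack and the verify-before-release countermeasure.

Added example, not code from the paper, OpenSSH or OpenSSL.  Key generation,
the injected fault and the message are all constructed for the demo.
"""
import hashlib
import math
import random
from dataclasses import dataclass


@dataclass
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int    # d mod (p-1)
    dq: int    # d mod (q-1)
    qinv: int  # q^-1 mod p


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin with a seeded RNG; adequate for a demo-sized key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(c, rng):
            return c


def gen_key(bits: int = 512, seed: int = 0) -> RsaKey:
    """Deterministic toy key (seeded); 512 bits is far too small for real use."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return RsaKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def crt_sign(key: RsaKey, m: int, fault: bool = False) -> int:
    """RSA-CRT: two half-size exponentiations recombined with Garner's formula.

    fault=True flips one bit of the mod-q half, modelling a buggy bignum
    routine, a hardware error or corrupted memory.  The result is then
    still correct mod p but wrong mod q.
    """
    sp = pow(m, key.dp, key.p)
    sq = pow(m, key.dq, key.q)
    if fault:
        sq ^= 1
    h = (key.qinv * (sp - sq)) % key.p
    return sq + key.q * h


def recover_factors(n: int, e: int, m: int, sig: int):
    """Attacker side: needs only the public key, the signed value and one bad
    signature.  sig^e - m is divisible by p (the correct half) and, with
    overwhelming probability, not by q, so the gcd yields a factor of n.
    Returns None when the signature is actually valid."""
    g = math.gcd((pow(sig, e, n) - m) % n, n)
    if 1 < g < n:
        return g, n // g
    return None


def sign_checked(key: RsaKey, m: int, fault: bool = False) -> int:
    """Countermeasure: verify before revealing.  On mismatch, recompute the
    signature without CRT instead of releasing the faulty value."""
    s = crt_sign(key, m, fault)
    if pow(s, key.e, key.n) != m:
        s = pow(m, key.d, key.n)
    return s


def hash_to_int(data: bytes, n: int) -> int:
    # Constructed stand-in for proper signature padding: a SHA-256 digest below n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


if __name__ == "__main__":
    key = gen_key(512, seed=7)
    m = hash_to_int(b"ssh-userauth challenge (constructed)", key.n)
    bad = crt_sign(key, m, fault=True)
    print("faulty signature verifies:", pow(bad, key.e, key.n) == m)
    print("factors recovered:", recover_factors(key.n, key.e, m, bad) is not None)
    print("checked signer leaks nothing:", recover_factors(key.n, key.e, m, sign_checked(key, m, fault=True)) is None)
```

The attacker never needs the fault to be reproducible: one corrupted signature observed passively, together with the public key and the value that was signed, is enough. That is why the check in `sign_checked` has to happen before the value leaves the signer.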
Such as it is, it’s not bad. It’s not great, but given that it’s for a general audience it does include some relevant details. A couple of Russian operations are mentioned.
My colleague Neveen (lurking on here somewhere) has just published a new piece on intelligence R&P and the US response to the Rwandan genocide https://t.co/qm2RVIAVM5
— Steven B. Wagner (@StevenWagner85) November 6, 2023
"why did everyone sh*t on CTI teams?"
— Grace (@euphoricfall) November 5, 2023
Spicy takes, real underlying issues https://t.co/0SdKfl6EX1
This is why hiring is really tough in the commercial CTI space. Most folks who talk the talk are in the business of converting commercial intel, not producing their own
— Jeremy K (@thinkpoison) November 6, 2023
"the overnight shift consisted of security and an unaccompanied technician who had only been on the job for a week" - rough first week...
— visi stark ( @invisig0th.bsky.social ) (@invisig0th) November 6, 2023
A cool post-mortem on the recent Cloudflare outage: https://t.co/KX0SmYT0PO
I strongly, strongly recommend that if you're interested in cybersecurity concerns, especially at organizational and policy levels but even just re. technical security weaknesses, you read the SEC's complaint against SolarWinds and its now-CISO Brown. https://t.co/lR37JP4PZx
— Brian in Pittsburgh (@arekfurt) November 5, 2023
- The Security Statement was materially misleading because it touted the Company's supposedly strong cybersecurity practices. For example, that statement asserted that SolarWinds created its software products in a “secure development lifecycle [that] follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments.” And the Security Statement claimed that SolarWinds' “password policy covers all applicable information systems, applications, and databases [and we] enforce the use of complex passwords.” It also stated that SolarWinds had “[a]ccess controls to sensitive data in our databases, systems, and environments [that are] set on a need-to-know / least privilege necessary basis.” All those statements were materially false and misleading.
- The misleading Security Statement concealed from the public the Company's known poor cybersecurity practices throughout the Relevant Period. These poor cybersecurity practices included SolarWinds' (a) failure to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, (b) failure to enforce the use of strong passwords on all systems, and (c) failure to remedy access control problems that persisted for years
This is an incredibly low bar. An SDL, a password policy, and basic access controls. Of course, I’d venture to bet that many companies fail to meet these standards consistently across all systems… but still, it’s damning how trivial these issues are.
I wonder if this means that all those managers and executives that “accept the risk” for security issues will have to reveal those issues in their public statements. I’m also curious whether revealing the security vulnerabilities in a company will improve that company’s resilience against cyber attack. Seems like a paradoxical problem: if you don’t declare your vulnerabilities you’re committing securities fraud, and if you do declare them you’re posting an attack plan for malicious actors.
Maybe the safest option is: just don’t get caught
Attendees of Bored Ape conference said they “couldn’t see anymore,” woke up with searing eye pain, vision loss. Looks like they were burned with UV light from the stage https://t.co/JXQwDX7mW9 pic.twitter.com/NQP2ofv3Qc
— Joseph Cox (@josephfcox) November 6, 2023
New: authorities have arrested Hakan Ayik, a top tier drug trafficker turned “encryption king.” He was the guy who told cartels what encrypted phone to use. I spoke to multiple associates of his: they thought he was “untouchable.” https://t.co/2yTXuh8X3Z pic.twitter.com/bGIVabL91X
— Joseph Cox (@josephfcox) November 6, 2023
Criminals trusted what Ayik said about which phone to use. Recently that was Anom, a phone in the underworld with a ton of interesting features. Only later did the FBI reveal it was secretly running Anom; Ayik inadvertently made it popular across the world https://t.co/2yTXuh8X3Z pic.twitter.com/2YAYBnkK3W
— Joseph Cox (@josephfcox) November 6, 2023