It’s been one of the busiest weeks in InfoSec as thousands descended upon Las Vegas to attend BSidesLV, Blackhat, and Defcon.
But that doesn’t stop the world of InfoSec or lessen the impact of the latest security developments on day-to-day business, so let's take a look at what's been happening.
Brute Forcing AWS S3
This little Ruby script, which brute-forces AWS S3 bucket names using different permutations, caught my eye.
However, is such a tool really needed when there are so many misconfigured AWS storage buckets out there leaking data publicly? It’s like shooting fish in a barrel. It’s not Amazon’s fault that people assume “it's secure because it's Amazon”: AWS publishes a well-documented shared responsibility model.
CSO online has a good video discussing cloud security responsibility.
- Experts warn too often AWS S3 buckets are misconfigured, leak data
- Yet another misconfigured Amazon S3 bucket exposes Dow Jones Customer Data
Densely Connected Convolutional Networks
I won’t even pretend to say I fully understand this research paper, but it looks interesting.
Recent work has shown that convolutional networks can be substantially deeper, more accurate, and efficient to train if they contain shorter connections between layers close to the input and those close to the output. In this paper, we embrace this observation and introduce the Dense Convolutional Network (DenseNet), which connects each layer to every other layer in a feed-forward fashion. Whereas traditional convolutional networks with L layers have L connections—one between each layer and its subsequent layer—our network has L(L+1)/2 direct connections. For each layer, the feature-maps of all preceding layers are used as inputs, and its own feature-maps are used as inputs into all subsequent layers. DenseNets have several compelling advantages: they alleviate the vanishing-gradient problem, strengthen feature propagation, encourage feature reuse, and substantially reduce the number of parameters. We evaluate our proposed architecture on four highly competitive object recognition benchmark tasks (CIFAR-10, CIFAR-100, SVHN, and ImageNet). DenseNets obtain significant improvements over the state-of-the-art on most of them, whilst requiring less computation to achieve high performance.
Be a Fake Cop to Get Real Weapons
Apparently there’s a surplus of military weapons that the Pentagon is trying to offload to local law enforcement. But weapons are dangerous things, so you’d hope there would be plenty of checks and balances in place to prevent them falling into the wrong hands.
Unfortunately, this is actually not the case. The Government Accountability Office (GAO) created a fake law enforcement agency, a fake website, and a bogus address that traced back to an empty lot and applied for military-grade equipment from the DoD.
And they were able to obtain $1.2 million in weapons in a week!
Shocking, right? However, it’s worth bearing in mind that these kinds of attacks don’t only work for acquiring military-grade weapons. Many companies are targeted by similar attacks and coerced into shipping products and goods to someone claiming to be a business partner or customer. It underlines the value of securing your supply chain and of having a way to authenticate the identity of a buyer or supplier before completing a transaction.
- How Fake Cops Got $1.2 Million in Real Weapons
- Pentagon tried to give $1.2 million in guns and bombs to a fake police department
AI, Automation, and the Economy
It is uncertain how long it will take for driverless trucks and cars to take over the roads. For now, any so-called autonomous vehicle will require a driver, albeit one who can be mostly passive. However, the potential loss of millions of jobs due to automation technology is Exhibit A in a report issued by the outgoing U.S. administration in late December. Written by President Obama’s top economic and science advisors, “Artificial Intelligence, Automation, and the Economy” is a clear-eyed look at how fast-developing AI and automation technologies are affecting jobs, and it offers a litany of suggestions for how to deal with the upheaval.
- AI, automation, and the economy
- The Relentless Pace of Automation
- Manufacturing jobs aren’t coming back
- Who will own the robots?
Wisconsin-based Three Square Market is offering microchip implants to its employees. The chips would allow employees to clock-in with their arm rather than carrying a swipe card or ID badge.
Chief Executive Todd Westby said that the chip would not track employees and did not have GPS positioning. I'm sure this must be a relief to privacy advocates (sarcasm).
- Technology company microchips staff so they can clock in without IDs
- US tech company offers to turn employees into cyborgs with microchip implants
- Would you let your boss microchip you?
- Wisconsin company Three Square Market to microchip employees
Hacker Admits to Mirai Attack Against Deutsche Telekom
A hacker who goes by the name “BestBuy” admitted to a German court on Friday that he was behind an attack last year that knocked close to 1 million customers of German ISP Deutsche Telekom offline.
The suspect is a 29-year-old British man who is only identified as “Daniel K.” He was arrested Feb. 22 by the British National Crime Agency at the request of Germany’s Federal Criminal Police Office. Daniel K. pleaded guilty to masterminding the attacks that used Mirai malware to hijack routers, surveillance cameras and baby monitors and carry out denial-of-service attacks.
- Hacker admits to Mirai attack
- Mirai Botmaster behind Deutsche Telekom router hijack pleads guilty
- Briton pleads guilty to Mirai attacks in German court
Murder, Data Privacy, and the Internet of Things
I stumbled across this blog post from January by David Horrigan, who is an attorney and e-discovery expert. I used to work with him in my previous job at 451 Research and always found his legal perspectives, and how they apply to information security, fascinating.
When James Bates, Owen McDonald, and Victor Collins began an evening of football, drinking, and hot tubbing on November 21, 2015, they probably had no idea they were on the verge of making new law in the expanding specialty of data discovery.
However, by the following morning, Collins was dead and Bates was in the crosshairs of a police investigation. The Bates home being somewhat typical in the era of the Internet of Things, it included a device known as an electronic home assistant. Thus, a fundamental legal question soon arose: is it lawful for police to seize and examine data from an Amazon Echo?
Reported a Bug? We’ll Arrest You
In today's day and age, where many companies are open to bug bounties and responsible disclosure, you’d imagine that nearly all companies would welcome reports of vulnerabilities in their software.
That wasn’t quite the case when an 18-year-old discovered and reported a flaw in the Budapest transport authority’s website that allowed manipulation of ticket prices: his reward was detectives turning up at his doorstep to arrest him.
- Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested
- Don’t shoot the messenger: Teenager arrested for showing security flaw in Hungarian transport system
- A teenager told the Budapest Transport Authority its website had a security flaw, so the agency had him arrested
Hackers’ Own Tools Are Full of Vulnerabilities
Great piece by Joseph Cox on how flaws in hackers’ own tools give a victim the potential to strike back against their attacker.
It goes to show that one of the fundamental problems still to solve is how to create software with few or no vulnerabilities. No one seems able to get that part right, not even hardened criminals.
Religion and Passwords
Religion and passwords are two topics I try to avoid. They end up generating circular arguments, no one agrees, and everyone goes home vowing to avoid the ‘ignorant’ people at the next family get-together.
But Troy Hunt found a way to eloquently describe the dilemmas and challenges of passwords and how authentication needs to adapt to the modern day. It's a worthwhile read.