Cybersecurity And Much More Newsletter — Week 11 (2022)
Greetings, friends.
Welcome to my weekly newsletter, if you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course interesting stuff about cybersecurity.
Enjoy!
What’s Happening
🚨 Strengthening Cybersecurity of SATCOM Network Providers and Customers
CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity.
📰 Leaked Ransomware Docs Show Conti Helping Putin From the Shadows
FOR YEARS, RUSSIA’S cybercrime groups have acted with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks as long as they didn’t target Russian companies. Despite direct pressure on Vladimir Putin to tackle ransomware groups, they’re still intimately tied to Russia’s interests. A recent leak from one of the most notorious such groups provides a glimpse into the nature of those ties — and just how tenuous they may be.
A cache of 60,000 leaked chat messages and files from the notorious Conti ransomware group provides glimpses of how the criminal gang is well connected within Russia. The documents, reviewed by WIRED and first published online at the end of February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a daily basis and its crypto ambitions. They likely further reveal how Conti members have connections to the Federal Security Service (FSB) and an acute awareness of the operations of Russia’s government-backed military hackers.
🚔 Becker bill would restore public access to police radio communications
Police departments throughout California would be required to make their radio communications accessible to the press and the public under new legislation proposed by state Sen. Josh Becker.
Senate Bill 1000, also known as the “Public Right to Police Radio Communications Act,” responds to a recent trend among California’s law-enforcement agencies to encrypt their radio communications since early 2021, a move that prevents journalists, citizens watchdogs, and other residents from monitoring police activities.
👾 Microsoft releases open-source tool for checking MikroTik Routers compromise
Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections.
“This analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. We published this tool to help customers ensure these IoT devices are not susceptible to these attacks.” reads the post published by Microsoft.
Recently Check Point researchers reported that the infamous TrickBot malware was employed in attacks against customers of 60 financial and technology companies with new anti-analysis features. The news wave of attacks aimed at cryptocurrency firms, most of them located in the U.S.
🎉 Announcing the Test-of-Time Award winners for 2022
The IACR Test-of-Time Award is given annually for each one of the three IACR General Conferences (Eurocrypt, Crypto, and Asiacrypt). An award will be given at a conference for a paper that has had a lasting impact on the field and was published 15 years prior. These were the awards for 2022:
From Asiacrypt 2007:
Faster Addition and Doubling on Elliptic Curves
For introducing efficient elliptic curve addition formulae in the context of Edwards forms of elliptic curves.
From Crypto 2007:
Deterministic and Efficiently Searchable Encryption
For placing searchable encryption on a rigorous footing, leading to a huge interest in this field in applications.
From Eurocrypt 2007:
An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries
For providing the first implementable protocol for actively secure variants of Yao’s protocol, and thus paving the way to more practical constructions.
🔐 Git Secret Scanning Tools🛠 for DevSecOps
In 2020 only, over 2 Million corporate secrets were leaked on public Git repositories. For sure prevention is the key, but it’s not easy either because it involves humans and most of the security problems are caused by human errors, yes we are the weakest link in cybersecurity. Secure SDLC and Developer Security Education are the cornerstones to mitigate most of the risk, but these scanning tools are also helpful when integrated with to your security programs.
- GitLeaks
- SpectralOps
- Git-Secrets
- Whispers
- GitHub Secret Scanning
- Gittyleaks
- Scan (Shift Left Scan)
- Git-all-secrets
- Detect-secrets
💉 Why Vaccine Cards Are So Easily Forged 😱
Proof of COVID-19 vaccination is recorded on a paper card. It is easy to print a blank form, fill it out, and add a photo. When you fly internationally, you have to show a negative COVID-19 test result. That, too, would be easy to fake. After all, there’s no standard format for test results; airlines accept anything that looks official.
🕵🏼 CIS Completes SOC 2 Type II Audit Using CIS Best Practices
System and Organization Controls (SOC) 2 is a reporting framework that sets benchmarks for managing customer and user data. It was created by the American Institute of Certified Public Accountants (AICPA) and is based on the institute’s five Trust Services Criteria — privacy, confidentiality, security, availability, and processing integrity. SOC 2 Type II compliance assures existing and potential customers that your organization has instituted the proper security, privacy, and compliance controls in place to manage its data.
My Favorites
🚀 NASA’S mega-rocket, the space launch system, rolls out to its launchpad
On Thursday, NASA’s new giant rocket, the Space Launch System, emerged out into the Florida air, embarking on a torturously slow 11-hour journey to its primary launchpad at Kennedy Space Center. It was a big moment for NASA, having spent more than a decade on the development of this rocket, with the goal of using the vehicle to send cargo and people into deep space.
🏎 Porsche says 80 percent of its cars will be electric by 2030
The company has said that it wants 80 percent of its sales to be “all-electric” by 2030, with an additional plan to be carbon-neutral at the same time. Part of that push will be led by a new version of the mid-engine 718, which will be released “exclusively in an all-electric form” at some point around 2025. Of course, it won’t be until we get an entirely electric 911 and Cayenne that we’ll see the real extent of Porsche’s commitment. But hopefully, the baby steps so far will translate into much faster action the closer we get to the end of this decade.
📝 Note — 🔐 Security — Zero Trust, What is the most simple way to understand this approach?
Most of the traditional networks are secured from external threats, but widely exposed to internal users. But with the increasing number of incidents and data breaches caused y internal actors (Insiders), Insider Threats became a reality, and the most effective way to protect the company’s crown jewels from it is to treat every device/user as a potential threat actor.
Zero Trust is an approach that will first assume that the network is compromised, then ask the users/devices to prove that they are trustworthy. In addition to this, it allows more granular control and respect of the least privilege principle.
According to the National Institute of Standards & Technology (NIST), these are the core principles of the zero-trust approach:
- User authentication is dynamic and strictly enforced before access is allowed.
- Systems’ secure configuration state should be aligned with the industry standards and maintained as such.
- Access to assets is determined by policy and behavior attributes.
- Access to assets is granted on a per-connection basis till the subjects are fully trusted.
- All data sources and computing resources are considered resources.
📝 Note — 📡 Telco/IoT Security — What is the difference between 1G, 2G, 3G, 4G, and 5G?
1G was☎️ the first generation of wireless cellular technologies starting in the 1980s, this analog technology was offering voice calls only and a maximum speed of 2.4 kbps.
Then in 1991📱 came the first upgrade, taking the world of wireless communications from analog to digital communications. 2G introduces SMS and MMS in addition to voice calls with a maximum speed of 50 kbps with GPRS (General Packet Radio Service).
You’ve probably heard of 2.5G and 2.75G, they were not proper standards like 2G and 3G but definitely took us from the voice to the data communication world.
It’s 1998, and Mobile video calling became a reality, I remember🤪 people in the early 2000s calling video calls, 3G calls, and cellphones 🤳🏼 with front cameras were seen as 3G cellphones by default. This was possible due to the higher speed that 3G offered, and similar to 2G, 2.5G, and 2,75G, they were upgrades of 3G like 3.5G and 3.75G. The maximum speed of 3G was 2 Mbps when in place, and 384 Kbps when moving (If your speed is less than 120 km/h).
4G sounds more familiar to most of us, since its release in 2008, it opened the door to a huge variety of services, especially streaming. With a speed of 100 Mbps to 1Gbps, we became addicted to those small rectangular pieces of glass 🧟♂️
Finally, 5G (the current standard) came to connect the world, from smart cities, to telemedicine, the speed, bandwidth, and latency issues became old stories to tell your grandkids. 20 Gbps everywhere, on your smartphone! Sounds like Sci-fi compared to 30 years ago.
However, with big powers comes big responsibilities. Now it is up to us (InfoSec Professionals) to make the internet a safer place with the billions of connected objects (insecure objects) floating freely in cyberspace.
📚 🤔 Books I’m Currently Reading
Title: Google Leaks
Author: Zack Vorhies
Overview: The madness of Google’s attempt to mold our reality into a version dictated by their corporate values has never been portrayed better than in this chilling account by Google whistleblower, Zach Vorhies. As a senior engineer at Zach watched in horror from the inside as the 2016 election of Donald Trump drove Google into a frenzy of censorship and political manipulation. The American ideal of an honest, hard-fought battle of ideas — when the contest is over, shaking hands and working together to solve problems — was replaced by a different, darker ethic alien to this country’s history as wave after of censorship destroyed free speech and entire market sectors.
📚 🤩 Books I Recommend Reading
Title: The 5 Love Languages
Author: Gary Chapman
Overview:
Falling in love is easy. Staying in love — that’s the challenge. How can you keep your relationship fresh and growing amid the demands, conflicts, and just plain boredom of everyday life?
In the #1 New York Times international bestseller The 5 Love Languages, you’ll discover the secret that has transformed millions of relationships worldwide. Whether your relationship is flourishing or failing, Dr. Gary Chapman’s proven approach to showing and receiving love will help you experience deeper and richer levels of intimacy with your partner — starting today.
The 5 Love Languages is as practical as it is insightful. Updated to reflect the complexities of relationships today, this new edition reveals intrinsic truths and applies relevant, actionable wisdom in ways that work.
Includes the Couple’s Personal Profile assessment so you can discover your love language and that of your loved one.
🎙 Podcast — Ep.112 Dirty Coms of the Darknet diaries Podcast we talk with a guy named “Drew” who gives us a rare peek into what some of the young hackers are up to today. From listening to Drew, we can see that times are changing for the motive behind the hacking. In the ’90s and ’00s, it was done for fun and curiosity. In the ’10s Anonymous showed us what Hacktivism is. And now, in the ’20s, the young hackers seem to be profit-driven.
🎥 Videos — Kobe Bryant’s Last Great Interview
Not Only the greatest player of all time, the highest scorer but also a bright mind. A lot of us miss Kobe playing, but losing him was a really sad thing to happen to all Basketball players around the world. I grew up watching Kobe playing, I tried his moves for hours and it helped me to get better. But when I grew up, he also became an inspiration to me in life not just on the court.
Quote of the Week
When you are curious, the world becomes your library to help c create your craft. — Kobe Bryant
