Red Team Journal, Read It Now
Mark Mateski, of Red Team Journal and the Department of Engineering Management and Systems Engineering at The George Washington University, continues to publish a superior blog focusing, of course, on Red Teaming, Planning and Devil's Advocacy. Read it today.
Sunday Security Maxim →
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- Richard Clarke, White House Cybersecurity Advisor
Excerpt From: “Security Sound Bites: Important Ideas About Security From Smart-Ass, Dumb-Ass, and Kick-Ass Quotations.” Roger Johnston.
Saturday Security Maxim →
“On two occasions I have been asked by members of Parliament, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”
Excerpt From: “Security Sound Bites: Important Ideas About Security From Smart-Ass, Dumb-Ass, and Kick-Ass Quotations.” Roger Johnston.
Mastermind, The Paul Le Roux Saga
Via Firewall Consultants' Trey Blalock comes this superb telling of the Paul Le Roux story, written by Evan Ratliff and published by The Atavist Magazine. Mr. Le Roux also happens to be the man behind TrueCrypt... Hat Tip to Mr. Blalock for this tale of intrigue.
Editors: Katia Bachko, Joel Lovell, Additional reporting: Natalie Lampert, Designer: Thomas Rhiel, Fact checkers: Queen Arsem-O’Malley, Riley Blanton, Research: Aurora Almendral, Daniel Estrin, Copy editor: Sean Cooper, Trailer: Paul Kamuf - credits via The Atavist Magazine
Project West Ford →
DROWN Attack, The Litany →
And now, Ladies and Gentlemen, DROWN has arrived on the scene, with significant consequences... Read about it at DarkNet, or at the researchers' DrownAttack site (also available is the paper relevant to this attack, written by researchers Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar and Yuval Shavitt).
95 Percentile →
Reported by Security Week comes the revelation that 95% of all HTTPS servers do not deploy HTTP Strict Transport Security (aka HSTS).
As Netcraft’s Paul Mutton explained in a recent blog post, these vulnerabilities can be exploited in phishing, pharming and man-in-the-middle (MiTM) attacks when a user unintentionally attempts to access a secure site via HTTP, meaning that the attacker does not have to spoof a valid TLS certificate to be successful. These attacks are easier to carry out compared to those targeting TLS, such as the DROWN attack. - via SecurityWeek
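The point Netcraft makes is that without a Strict-Transport-Security header the browser follows a plain http:// request as typed, so the attacker never has to defeat TLS at all. The following is an added example (not Netcraft's or SecurityWeek's code) that parses an HSTS header per RFC 6797 and reports how far a given deployment closes that gap; the hostnames and response headers are constructed samples, and the one-year threshold is the minimum the browser preload list requires.

```python
"""Evaluate a server's HTTP Strict Transport Security (HSTS) response header.

Added example, not from the original post. It parses the
Strict-Transport-Security header per RFC 6797 and reports why a given
deployment would (or would not) stop the plain-HTTP downgrade described
above. The sample responses at the bottom are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the preload list requires max-age >= this


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when a browser would ignore it
    (no max-age, non-numeric max-age, or a repeated directive; RFC 6797 6.1)."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # quoted-string values are permitted
        if name in seen:                     # duplicate directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:                      # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


FINDINGS = {
    "missing": "no Strict-Transport-Security header; a typed http:// URL goes out in the clear on every visit",
    "malformed": "header present but invalid (no usable max-age); browsers ignore it",
    "max-age-zero": "max-age=0 tells browsers to forget the policy; HTTPS is not enforced",
    "short-max-age": "max-age below one year; protection lapses after a short absence",
    "no-include-subdomains": "subdomains not covered; an http:// request to a subdomain can still be intercepted",
    "not-preloaded": "no preload directive; the very first visit is still unprotected",
}


def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for a response header map (header names matched
    case-insensitively). An empty list means the header enforces HTTPS fully."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age-zero")
    elif policy.max_age < ONE_YEAR:
        findings.append("short-max-age")
    if not policy.include_subdomains:
        findings.append("no-include-subdomains")
    if not policy.preload:
        findings.append("not-preloaded")
    return findings


# Constructed sample responses; these are not real hosts.
SAMPLES = {
    "no-hsts.example": {"Content-Type": "text/html"},
    "weak.example":    {"Strict-Transport-Security": "max-age=300"},
    "broken.example":  {"Strict-Transport-Security": "includeSubDomains; preload"},
    "strong.example":  {"strict-transport-security":
                        "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        codes = assess_hsts(hdrs)
        print(f"{host}: {'OK' if not codes else str(len(codes)) + ' finding(s)'}")
        for code in codes:
            print("  -", FINDINGS[code])
```

Feeding real responses in is a matter of passing the header map from your HTTP client of choice; the assessment is deliberately kept separate from the fetch so it can run over saved scan output. Note that even a perfect header only protects a browser that has already seen it (or has the host preloaded), which is why the "not-preloaded" finding is reported rather than treated as optional.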
USENIX Announces ENIGMA 2017 →
USENIX’s Enigma Conference is slated for January 30th through February 1st, 2017 at the Oakland, CA Marriott City Center. David Brumley and Parisa Tabriz also reprise their roles as Program Co-Chairs. Most certainly a Must Attend Conference in 2017.
NIST, Attackers Honing In On Teleworkers? →
The National Institute of Science and Technologies (NIST) has released two draft publications — Special Publication 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (Draft), and Special Publication 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security (Draft). Enjoy!