[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Posts

  • Bucketman
    Yeah, I will also say some of this is coming from self-identified current and former employees online, could be total BS, but seems to fit with what little we do know

  • Inquisitor77
    No MFA...

  • Mugsley
    Apparently people also can't get out of some parking lots because of the hack.

  • Carpy
    Yikes. That bit about the malicious actors stealing employee information to perform identity theft is particularly scary.

    Once again, Information Security is every company's last priority - Until it suddenly becomes their first.

    It's one of the trademarks of this particular actor and also just a general area where a lot of firms have weak processes. Directing more resources towards securing digital phishing rather than call-based attacks, combined with help desk metrics that prioritize quickly closing tickets with positive conclusions, leaves you rather vulnerable in this area.

  • Mr_Rose
    Using “metrics” as a primary motivator is usually a bad sign. They’re helpful to have when you need to investigate an anomaly but otherwise don’t promote good behaviour or service. They should try actually looking after and managing their teams.

  • SiliconStew
    Mr_Rose wrote: »
    Using “metrics” as a primary motivator is usually a bad sign. They’re helpful to have when you need to investigate an anomaly but otherwise don’t promote good behaviour or service. They should try actually looking after and managing their teams.

    “When a measure becomes a target, it ceases to be a good measure”

    Just remember that half the people you meet are below average intelligence.
  • Echo
    "What is the name of your dog?" is an excellent illustration of why security questions are just complete crap in this day and age.

  • schuss
    Mr_Rose wrote: »
    Using “metrics” as a primary motivator is usually a bad sign. They’re helpful to have when you need to investigate an anomaly but otherwise don’t promote good behaviour or service. They should try actually looking after and managing their teams.

    I mean, metrics are the only way to understand behavior at scale. That said, they should be tied to actions and practices as it's just meant as a shorthand proxy for other things.

  • Donnicton
    Carpy wrote: »
    Yikes. That bit about the malicious actors stealing employee information to perform identity theft is particularly scary.

    Once again, Information Security is every company's last priority - Until it suddenly becomes their first.

    Still one of my favorite strips


    Also, make sure you're updating your browsers.... or literally anything that uses libwebp. There's a "heap buffer overflow" security vulnerability with webp files that can be used to run malicious code.


    https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
    A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release of updates to address the issue.

    ⚠️ Important: Let me make it perfectly clear that this vulnerability doesn't just affect web browsers, it affects any software that uses the libwebp library. This includes Electron-based applications, for example - Signal. Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVEs, and 100% of media reported this issue as "Chrome only", when it's not.

    👉 Who uses libwebp? There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: Affinity (the design software), Gimp, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), ffmpeg, and many, many Android applications as well as cross-platform apps built with Flutter.
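
    The practical problem the quoted article raises is that libwebp is bundled inside many applications, so the OS package version alone does not tell you whether you are patched. The following is an added example (not code from the article, the thread, or any of the projects named) that triages a constructed application inventory against the first fixed libwebp release. The inventory entries and application names are hypothetical, and the fixed version is an assumption that must be confirmed against the vendor advisory for CVE-2023-4863.

```python
"""Triage an application inventory against a patched libwebp release.

Added example for this thread, not code from any project or article linked
here. The inventory below is constructed; in practice it would come from
package metadata, an SBOM, or inspecting the libwebp each application bundles
(Electron apps ship their own copy, so the OS package version is not enough).
"""
from __future__ import annotations

import re

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...] | None:
    """Extract a dotted version from strings like '1.3.2' or 'libwebp-1.2.4-r1'.

    Returns a 3-tuple padded with zeros so '1.3' compares equal to '1.3.0',
    or None when no version can be found (e.g. the string 'unknown').
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(shipped: str, fixed: str) -> bool:
    """True when the shipped libwebp predates the fixed release."""
    shipped_v, fixed_v = parse_version(shipped), parse_version(fixed)
    if shipped_v is None or fixed_v is None:
        raise ValueError("version could not be parsed")
    return shipped_v < fixed_v


def triage(inventory: dict[str, str], fixed: str) -> dict[str, list]:
    """Sort applications into vulnerable / patched / unknown buckets.

    'unknown' is reported explicitly rather than dropped: an application whose
    libwebp version cannot be determined still needs a manual check.
    """
    result: dict[str, list] = {"vulnerable": [], "patched": [], "unknown": []}
    for app, shipped in sorted(inventory.items()):
        if parse_version(shipped) is None:
            result["unknown"].append(app)
        elif is_vulnerable(shipped, fixed):
            result["vulnerable"].append((app, shipped))
        else:
            result["patched"].append((app, shipped))
    return result


# Constructed sample inventory: hypothetical application names and versions.
INVENTORY = {
    "desktop-chat-app": "libwebp 1.2.4",
    "image-viewer": "1.3.2",
    "design-suite": "1.1.0",
    "notes-app": "unknown",
}

# Assumption: the first fixed libwebp release. Confirm this value against the
# vendor advisory for CVE-2023-4863 rather than trusting this example.
FIXED_VERSION = "1.3.2"

if __name__ == "__main__":
    report = triage(INVENTORY, FIXED_VERSION)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

    The point of the separate "unknown" bucket is that a scanner which silently skips applications it cannot version-detect produces a clean-looking report that hides exactly the bundled copies (Electron apps, Flutter apps) the article warns about.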

  • TetraNitroCubane
    Fucking Webp!!!

  • BahamutZERO
    does anything that can parse webp images inherently use that library?

  • LD50
    BahamutZERO wrote: »
    does anything that can parse webp images inherently use that library?

    Probably.

  • BahamutZERO
    hope discord patches that quickly then

  • Echo
    edited September 2023
    TetraNitroCubane wrote: »
    Fucking Webp!!!

    *drag image from browser to desktop*

    image.webp

    robert-downey-jr-shocked.gif

  • Frem
    Stuff like this is why it'd be so much nicer if Electron worked like Tauri and just used the system webview widget instead of bundling an entire browser. Now I gotta get not one high priority update for the OS, but probably a dozen individual app updates. If the developers are on top of things. It's very inefficient.

  • Orca
    Frem wrote: »
    Stuff like this is why it'd be so much nicer if Electron worked like Tauri and just used the system webview widget instead of bundling an entire browser. Now I gotta get not one high priority update for the OS, but probably a dozen individual app updates. If the developers are on top of things. It's very inefficient.

    Maybe Electron was a mistake

  • Syngyne
    Orca wrote: »
    Frem wrote: »
    Stuff like this is why it'd be so much nicer if Electron worked like Tauri and just used the system webview widget instead of bundling an entire browser. Now I gotta get not one high priority update for the OS, but probably a dozen individual app updates. If the developers are on top of things. It's very inefficient.

    Maybe Electron was a mistake

    reject electron, return to quark soup

  • Echo
    Nice breakdown of the webp thingie.

    https://blog.isosceles.com/the-webp-0day/

  • DisruptedCapitalist
    So is this one of those situations like the xkcd comic where the entire infrastructure of the Internet is dependent on the same tiny library that some dude in Nebraska last updated in 2010?

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • TetraNitroCubane
    Here's a data security question for folks:

    How can you best handle off-site backups in a manner that's secure? I know a lot of people use Backblaze or a similar service, but the cloud is famously nothing more than someone else's computer. There's a risk of compromise there, and beyond that, you need to run software that effectively siphons off files from your computer silently - Something I imagine can be hijacked pretty easily if an enterprising malefactor wants to put in the effort.

    Is there any other option other than doing a manual backup and physically transporting it somewhere else?

  • DisruptedCapitalist
    I think part of the reason why cloud storage would be popular in this situation is not because it's secure or not but because it passes off liability to a third party.

  • Echo
    In the case of Backblaze, I think they never have your encryption keys -- it's encrypted locally, so if you ever lose your key, you can't restore it.

  • tsmvengy
    Echo wrote: »
    In the case of Backblaze, I think they never have your encryption keys -- it's encrypted locally, so if you ever lose your key, you can't restore it.

    It looks like maybe that step is extra/optional. They encrypt the data, but you can also set a personal passphrase to add to the encryption that only you would have.

    https://www.backblaze.com/cloud-backup/features/backup-encryption

  • TetraNitroCubane
    That makes me feel better about the storage of data on the server side, if it's encrypted locally.

    Isn't there some significant risk inherent to the software necessary, though? I imagine it'd be easy to hijack, or use as a backdoor.

  • SiliconStew
    TetraNitroCubane wrote: »
    That makes me feel better about the storage of data on the server side, if it's encrypted locally.

    Isn't there some significant risk inherent to the software necessary, though? I imagine it'd be easy to hijack, or use as a backdoor.

    Are you concerned about vendor supply chain compromise or just local compromise? If your local machine is compromised to the point they could compromise your backup app, they could already do anything they want with your data without bothering with that extra step of compromising the app.

  • TetraNitroCubane
    SiliconStew wrote: »
    TetraNitroCubane wrote: »
    That makes me feel better about the storage of data on the server side, if it's encrypted locally.

    Isn't there some significant risk inherent to the software necessary, though? I imagine it'd be easy to hijack, or use as a backdoor.

    Are you concerned about vendor supply chain compromise or just local compromise? If your local machine is compromised to the point they could compromise your backup app, they could already do anything they want with your data without bothering with that extra step of compromising the app.

    My concern is largely that there would be some manner of supply chain of command with the vendor, because that has become shockingly common these days.

    The secondary concern is that a piece of software like this effectively widens the exposed attack surface of a local machine. Not so much "it was already compromised" so much as it is "an exploit in this software - which is constantly listening and constantly sending data - was leveraged to compromise the local machine". Security software doesn't much like these kinds of applications, and I presume it's for this reason.

  • Phoenix-D
    If you want offsite backup but not the cloud, there's always the option of an encrypted external hard drive in a storage locker.

  • TetraNitroCubane
    Phoenix-D wrote: »
    If you want offsite backup but not the cloud, there's always the option of an encrypted external hard drive in a storage locker.

    I suppose that IS the most secure option to take, all things considered. It requires diligence and upkeep, but it's by far the least risky way to do things.

  • Carpy
    DisruptedCapitalist wrote: »
    So is this one of those situations like the xkcd comic where the entire infrastructure of the Internet is dependent on the same tiny library that some dude in Nebraska last updated in 2010?

    Sorta? Pretty sure it's a Google maintained library and API but the library is present everywhere

  • BahamutZERO
    Yeah the webp standard and libraries belong to google, so point fingers thataway

  • Inquisitor77
    Echo wrote: »
    Nice breakdown of the webp thingie.

    https://blog.isosceles.com/the-webp-0day/

    That Lastpass shade, though...

  • SiliconStew
    TetraNitroCubane wrote: »
    Phoenix-D wrote: »
    If you want offsite backup but not the cloud, there's always the option of an encrypted external hard drive in a storage locker.

    I suppose that IS the most secure option to take, all things considered. It requires diligence and upkeep, but it's by far the least risky way to do things.

    I would not find that the least operationally risky. Everything is about acceptable risk. The risk there since it's a fully manual task is that it simply doesn't get done, gets forgotten about, or isn't done on a regular or frequent enough basis. The overall risk to your data and frequency of you needing to do a restore and not having a viable backup is going to be far greater than the low, but admittedly never zero, chance of a supply chain compromise of your backup vendor.

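
    The operational risk described above (a manual backup that quietly stops happening, or exists but cannot be restored) is something you can check for rather than hope about. What follows is an added example, not code from Backblaze or any backup product in this thread: it records a manifest of digests when a backup is taken, flags the backup as stale once it is older than the data loss you are willing to accept, and verifies a restore against the manifest. The files, dates and manifest are constructed so it runs offline; against a real drive you would hash the actual files.

```python
"""Check that an off-site backup is both fresh and restorable.

Added example for the discussion above; not code from any backup product.
It works on an in-memory manifest so it runs offline: real use would hash
the files on the external drive and the copies restored from it.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Record when the backup was taken and a digest for every file in it."""
    return {
        "taken_at": taken_at.isoformat(),
        "files": {name: sha256_hex(data) for name, data in files.items()},
    }


def is_stale(manifest: dict, now: datetime, max_age: timedelta) -> bool:
    """True when the last backup is older than the data loss you can accept."""
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return now - taken_at > max_age


def verify_restore(manifest: dict, restored: dict[str, bytes]) -> list[str]:
    """Return files that are missing from the restore or whose digest differs.

    A backup that exists but cannot be restored intact is not a backup, so
    this is the check that actually proves the copy is viable.
    """
    problems = []
    for name, expected in manifest["files"].items():
        data = restored.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif sha256_hex(data) != expected:
            problems.append(f"corrupt: {name}")
    return problems


def audit(manifest: dict, restored: dict[str, bytes], now: datetime,
          max_age: timedelta) -> dict:
    """Combine both checks into one result a reminder script could act on."""
    return {
        "stale": is_stale(manifest, now, max_age),
        "problems": verify_restore(manifest, restored),
    }


# Constructed sample data: three small "files" and a backup taken 20 days ago.
SOURCE_FILES = {
    "docs/notes.txt": b"meeting notes",
    "photos/cat.jpg": b"\xff\xd8\xff" + b"\x00" * 16,
    "keys/recovery.txt": b"recovery codes",
}
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)
MANIFEST = build_manifest(SOURCE_FILES, NOW - timedelta(days=20))

# A constructed restore in which one file came back damaged and one is missing.
RESTORED = {
    "docs/notes.txt": b"meeting notes",
    "photos/cat.jpg": b"\xff\xd8\xff" + b"\x00" * 15,
}

if __name__ == "__main__":
    print(audit(MANIFEST, RESTORED, NOW, max_age=timedelta(days=7)))
```

    Running the audit on a schedule (and treating "stale" as loudly as "corrupt") turns the forgotten-drive failure mode into an alert instead of a discovery made on the day you need the restore.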
  • Shadowfire
    Echo wrote: »
    Nice breakdown of the webp thingie.

    https://blog.isosceles.com/the-webp-0day/

    That Lastpass shade, though...

    Evergreen thread title.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Phyphor
    Fairly easily exploitable buffer overflow in glibc
    https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

    This crashes:
    "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
    

  • TetraNitroCubane
    Apparently there have been quite a few Python packages that have been recently reported to steal data and send it to malicious parties.
    A malicious campaign that researchers observed growing more complex over the past half year has been planting on open-source platforms hundreds of info-stealing packages that counted about 75,000 downloads.

    The campaign has been monitored since early April by analysts at Checkmarx's Supply Chain Security team, who discovered 272 packages with code for stealing sensitive data from targeted systems.

    The attack has evolved significantly since it was first identified, with the package authors implementing increasingly more sophisticated obfuscation layers and detection evading techniques.
    Once it launches, it targets the following information on the infected systems:
    • Antivirus tools running on the device.
    • Tasks list, Wi-Fi passwords, and system information.
    • Credentials, browsing history, cookies, and payment information stored on web browsers.
    • Data in cryptocurrency wallet apps like Atomic and Exodus.
    • Discord badges, phone numbers, email addresses, and nitro status.
    • Minecraft and Roblox user data.

    Additionally, the malware can take screenshots and steal individual files from the compromised system such as the Desktop, Pictures, Documents, Music, Videos, and Downloads directories.

    A reminder that just because something is open source, that doesn't mean it's safe.

    A list of the malicious packages can be found here

  • Orca
    And a reminder that even if you avoided one of these packages, you'll need to make sure it's not transitively included in one of the packages you did include.
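
    Checking only the packages you list yourself misses exactly the case above. The following is an added example (not code from Checkmarx, pip, or anything else in the thread) that walks a resolved dependency graph and reports every chain through which a blocklisted package is pulled in, alongside the naive direct-only check for contrast. The graph and the blocklist use hypothetical package names; in practice the graph comes from your lockfile and the names from the published report.

```python
"""Find every path by which a blocklisted package reaches your project.

Added example for the point above; not code from Checkmarx or any package
manager. The dependency graph and the blocklist are constructed with
hypothetical names: feed it the resolved tree from your own lockfile and the
package names from the published report.
"""
from __future__ import annotations


def find_paths(graph: dict[str, list[str]], root: str,
               blocklist: set[str]) -> dict[str, list[list[str]]]:
    """Map each blocklisted package to all dependency chains leading to it.

    Depth-first walk from the root; the path itself doubles as the cycle
    guard so mutually dependent packages cannot loop the search forever.
    """
    hits: dict[str, list[list[str]]] = {name: [] for name in blocklist}

    def walk(node: str, path: list[str]) -> None:
        if node in blocklist:
            hits[node].append(path)
        for dep in graph.get(node, []):
            if dep in path:  # already on this chain: a cycle, skip it
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return {name: paths for name, paths in hits.items() if paths}


def direct_only_check(graph: dict[str, list[str]], root: str,
                      blocklist: set[str]) -> set[str]:
    """The naive check: looks only at what the project lists itself."""
    return set(graph.get(root, [])) & blocklist


# Constructed resolved dependency graph with hypothetical package names.
GRAPH = {
    "my-app": ["http-lite", "cool-utils"],
    "http-lite": ["url-helper", "sysinfo-grab"],
    "url-helper": [],
    "cool-utils": ["color-print", "sysinfo-grab"],
    "color-print": ["cool-utils"],  # cycle: color-print -> cool-utils -> ...
    "sysinfo-grab": ["url-helper"],
}

# Hypothetical blocklist standing in for the names from the real report.
BLOCKLIST = {"sysinfo-grab", "wallet-dump"}

if __name__ == "__main__":
    print("direct only:", direct_only_check(GRAPH, "my-app", BLOCKLIST))
    for name, paths in find_paths(GRAPH, "my-app", BLOCKLIST).items():
        for path in paths:
            print(f"{name} reached via: {' -> '.join(path)}")
```

    Returning every chain, not just the first, matters for remediation: removing one intermediate package is not enough when a second one pulls the same bad dependency in.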

  • Echo
    huff puff I heard supply chain attack and came as fast as I could

  • Carpy
    This CVE has been out for a couple of days but CISA just published an advisory on a pre-auth privesc 0-day in Confluence, with evidence of ongoing exploitation and open source PoCs floating around. Just in case anyone manages Confluence and missed it.

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a

  • Mugsley
    Are we still happy with MSE / Windows Security for day-to-day firewall at home? It's been a while since I checked in on whether that has changed.

  • furlion
    I was browsing Reddit and someone asked about password security and a bunch of people mentioned using spaces in their passwords for increased security. When questioned on it they replied that only older, out of date systems would be unable to tolerate a space. Is that true? I have probably 30 or 40 passwords saved in my password manager and I don't think a single one of them allowed spaces. Am I just somehow missing that part of the Internet or were those people full of shit? Like I understand, loosely, why spaces were not allowed before, and obviously tech has come a long way since the early 2000s, but I didn't think that was one thing that had changed.

    Gamertag: KL Retribution
    PSN:Furlion
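
    Whether a site accepts a space is a policy choice on its side, but the mechanics are simple: a password hash operates on bytes, and a space is just another byte. What follows is an added example, not code from any site or password manager mentioned here, showing the two things a service has to get right for spaces to be harmless: never trim or collapse whitespace before hashing, and hash the raw bytes with a proper password hash (PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count is an assumption). The deliberately buggy trimming verifier is included only to show why a trailing or leading space sometimes "does not work".

```python
"""Hash and verify passwords without mangling whitespace.

Added example for the question above; not code from any site mentioned. It
shows the two things a service has to get right for spaces to be harmless:
never trim or collapse whitespace before hashing, and use a proper password
hash over the raw bytes.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MAX_BYTES = 1024          # cap so an absurdly long input cannot tie up the hasher
ITERATIONS = 600_000      # assumption: a common PBKDF2-HMAC-SHA256 work factor


def _to_bytes(password: str) -> bytes:
    # NFKC makes the same visible text hash to the same bytes across
    # platforms; it does NOT remove spaces, so they stay part of the secret.
    raw = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(raw) > MAX_BYTES:
        raise ValueError("password too long")
    return raw


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); store both, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def verify_password_trimming(password: str, salt: bytes, digest: bytes) -> bool:
    """The common mistake: stripping whitespace 'to be helpful' before hashing.

    Included only to show its effect: with this bug 'hunter2 ' and 'hunter2'
    are the same password, and a secret with a leading or trailing space is
    silently shortened. The matching mistake on registration is what makes a
    user think a space "was not allowed".
    """
    return hmac.compare_digest(hash_password(password.strip(), salt)[1], digest)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))   # True
    print(verify_password("correcthorsebatterystaple", salt, digest))     # False
```

    Internal spaces never cause trouble in this pipeline; the only whitespace a site can plausibly lose is at the ends of the string, and only if it strips input before hashing.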