Lawrence’s List 071516

Lawrence Hoffman //

Hey, I’m back! Vacation was great. I spent part of last week on an island, so I was unable to scratch the keep-up-with-the-media itch. Now that I’m back, I put aside a little time to try to catch up and gather together a list of stuff I saw this week.

The printer watering hole attack. If you have Twitter and follow any security folks at all, you’ve probably heard of this attack. Essentially, people want to be able to access printers without needing to contact a systems administrator. For this reason, there is an exception to policy that allows printer-specific drivers to be installed as SYSTEM without any warnings. This is hacker paydirt. Read about it here: http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack

MIT had a great writeup on Riffle this week, along with the research paper describing the protocol. We’ve seen several times that Tor has some weaknesses (as does every system, that’s important to remember), and MIT has a possible alternative. The approach is centered around a concept of shuffling the traffic in a way that’s mathematically provable to the receiving client. Without breaking into pure mathematics, let’s put it like this: as long as one server in the “mixnet” remains uncompromised, the users remain anonymous. http://news.mit.edu/2016/stay-anonymous-online-0711

AWS security is something I’ve been looking after for a while now, as I have some future work planned in the “cloud” (I managed to type that without cursing), and to that end there’s this neat series of articles about persistence in a hacked AWS account.

https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594#.pfrt7rbc4

https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39#.ns0wk01r4

https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9#.5ws8kwr8o

BSides Philly Call for Papers. So… this isn’t so much news; the CFPs for BSides happen all the time, because there are a lot of BSides conferences. Why am I mentioning it here? Because I’ve now been to a few BSides conferences and can give my stamp of approval. I really like the way that a BSides conference works. They happen all over, so you can catch one close to you, and the talks at the BSides I’ve been to have been outstanding. I also think it’s a great place to start if you’re interested in giving a talk about something you’ve been researching; there’s a much better chance you’ll get in with a BSides than with many of the other conferences. http://www.bsidesphilly.org/cfp

Linus is in the news for cursing again. I’m a programmer, I get it: things like the format of comments and the way we name our variables are something most of us hold very strong opinions about. To offer another perspective to those who believe that Linus is just being abusive here, think of it like this: when someone writes code for the Linux kernel, it has to be reviewed, sometimes by dozens of people. It will also have to be maintained, sometimes for decades. It may also have to one day be abstracted, extended, replicated, or generalized. When writing code, we know that the compiler doesn’t care what the comments look like; we write those for the dozens of people who are stuck reading that code. Linus spends lots of time reading others’ code. For those of you who must read the rant: http://lkml.iu.edu/hypermail/linux/kernel/1607.1/00627.html