News - New England Safety Partners, LLC

When Security Locks You Out of Everything

June 28, 2022 Cyber Security Ed Gardner 0

Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything:

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.
I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

It’s a one-in-a-million story, and one that’s hard to take into account in system design.

This is where we reach the limits of the “Code Is Law” movement…

CISA Adds Eight Known Exploited Vulnerabilities to Catalog  

June 27, 2022 Ed Gardner 0

Original release date: June 27, 2022CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actor…

2022 Workshop on Economics and Information Security (WEIS)

June 27, 2022 Cyber Security Ed Gardner 0

I did not attend WEIS this year, but Ross Anderson was there and liveblogged all the talks.

Friday Squid Blogging: Squid Cubes

June 24, 2022 Cyber Security Ed Gardner 0

Researchers thaw squid frozen into a cube and often make interesting discoveries. (Okay, this is a weird story.)
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guid…

Citrix Releases Security Updates for Hypervisor

June 24, 2022 Ed Gardner 0

Original release date: June 24, 2022Citrix has released security updates to address vulnerabilities that could affect Hypervisor. An attacker could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and a…

Citrix Releases Security Updates for Hypervisor

June 24, 2022 Ed Gardner 0

CISA encourages users and a…

On the Dangers of Cryptocurrencies and the Uselessness of Blockchain

June 24, 2022 Cyber Security Ed Gardner 0

Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response, Matthew Green has written—not really a rebuttal—but a “a general response to some of the more common spurious objections…people make to public blockchain systems.” In it, he makes several broad points:

Yes, current proof-of-work blockchains like bitcoin are terrible for the environment. But there are other modes like proof-of-stake that are not.
…

Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

June 23, 2022 Ed Gardner 0

Original release date: June 23, 2022 CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persisten…

CISA Releases Cloud Security Technical Reference Architecture

June 23, 2022 Ed Gardner 0

Original release date: June 23, 2022CISA has released its Cloud Security (CS) Technical Reference Architecture (TRA) to guide federal civilian departments and agencies in securely migrating to the cloud. Co-authored by CISA, the United States Digital S…

On the Subversion of NIST by the NSA

June 23, 2022 Cyber Security Ed Gardner 0

Nadiya Kostyuk and Susan Landau wrote an interesting paper: “Dueling Over DUAL_EC_DRBG: The Consequences of Corrupting a Cryptographic Standardization Process“:

Abstract: In recent decades, the U.S. National Institute of Standards and Technology (NIST), which develops cryptographic standards for non-national security agencies of the U.S. government, has emerged as the de facto international source for cryptographic standards. But in 2013, Edward Snowden disclosed that the National Security Agency had subverted the integrity of a NIST cryptographic standardthe Dual_EC_DRBGenabling easy decryption of supposedly secured communications. This discovery reinforced the desire of some public and private entities to develop their own cryptographic standards instead of relying on a U.S. government process. Yet, a decade later, no credible alternative to NIST has emerged. NIST remains the only viable candidate for effectively developing internationally trusted cryptography standards…

« 1 … 53 54 55 56 57 … 233 »