Very interesting and thoughtful blog post by Bruce Schneier. In the age of COVID-19 nobody cares anymore about privacy. It is indeed a sad truth that governments worldwide are taking more and more intrusive measures to enforce containment, like the ones taken in South Korea. The key point to be understood here is that these measures should be enforced only in limited and "necessary and proportionate" cases instead of doing mass tracking of the whole population.
Here is an interesting presentation from Rémi Chipaux, a former colleague from itrust consulting.
He talks about his research on setting up honeypots to collect malware samples. The idea is quite simple: buy a Raspberry Pi (it costs around 20-30 euros), install a honeypot tool like Cowrie on it, then wait for malware spreading in the wild to hit it. As he explains, it is pretty amazing to see that it takes only a few minutes before a piece of malware is uploaded to your host. Here is his talk:

This is a really interesting talk from Prof. James Whittaker on the future of testing. He talks about how testing is changing and how it will look in the future, and he was really right in this prediction made in 2008. As predicted, crowd testing companies (like utest.com) are becoming very successful nowadays. "The best way to predict the future is to invent it." Whittaker is definitely among those inventing the future of testing.
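As an added example for the Cowrie honeypot setup described in the Rémi Chipaux post above (this is not code from the talk or from the original post), here is a small Python triage script: it reads Cowrie's JSON-lines log and reports, per session, how many seconds passed between the attacker's connection and the first file dropped on the host, together with the hashes and download URLs of the dropped files, which is exactly the "minutes until the first malware arrives" observation the talk makes. The log lines are constructed, and the field names (eventid, session, src_ip, timestamp, shasum, url) are an assumption based on Cowrie's JSON output format rather than something taken from the page.

```python
import json
from datetime import datetime, timezone

# Constructed sample of Cowrie JSON-lines output. The field names follow
# the eventid/src_ip/session/timestamp/shasum/url layout Cowrie uses for
# its JSON log (assumption); all values below are made up for this example.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2020-04-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1b2c3d4","username":"root","password":"123456","timestamp":"2020-04-01T10:00:04.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"a1b2c3d4","url":"http://198.51.100.9/bot.sh","shasum":"deadbeef00","timestamp":"2020-04-01T10:02:30.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.22","session":"e5f6a7b8","timestamp":"2020-04-01T11:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.22","session":"e5f6a7b8","username":"admin","password":"admin","timestamp":"2020-04-01T11:00:02.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.22","session":"e5f6a7b8","timestamp":"2020-04-01T11:00:03.000000Z"}
"""

def parse_ts(ts):
    # Cowrie timestamps are UTC with microseconds and a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage(log_text):
    """For every session that dropped a file, return the source IP, the
    seconds from connect to the first drop, and the hashes/URLs seen."""
    connects, drops = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        if ev["eventid"] == "cowrie.session.connect":
            connects[sid] = (ev["src_ip"], parse_ts(ev["timestamp"]))
        elif ev["eventid"] == "cowrie.session.file_download":
            drops.setdefault(sid, []).append(
                (parse_ts(ev["timestamp"]), ev.get("shasum"), ev.get("url")))
    report = {}
    for sid, items in drops.items():
        items.sort(key=lambda item: item[0])
        # If the connect event was rotated away, fall back to the first drop time.
        src, t0 = connects.get(sid, (None, items[0][0]))
        report[sid] = {
            "src_ip": src,
            "seconds_to_first_drop": (items[0][0] - t0).total_seconds(),
            "hashes": sorted({h for _, h, _ in items if h}),
            "urls": sorted({u for _, _, u in items if u}),
        }
    return report

if __name__ == "__main__":
    for sid, r in triage(SAMPLE_LOG).items():
        print(sid, r)
```

The hashes it collects are what you would submit to a sample database before handling the file itself; sessions that only guessed passwords (the second one above) are left out of the report.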
This is an interesting talk given by a renowned researcher in software testing, Prof. Jeff Offutt. It was given in 2010. However, it is still very insightful and really nice to watch:
He is really a brilliant researcher. He demonstrates in this talk, in a very nice way, how useful and practical academic research can and should be.

The US surveillance program PRISM is something that has been known for years, what the French call a secret de polichinelle (an open secret). You will find on the internet more information, comments and blog posts on this, like here, here or here.
My view on this subject is that with the popularity of social networks and cloud services, all the private information that a few years ago was almost impossible to get is now freely available on social network websites or in cloud providers' data centers. Take for instance location-based services (for users of Twitter, Facebook, Android, iOS, Windows Phone): they are really a gold mine for secret services, a dream come true. They are able to know the location of millions of people around the world. As smartphones and social networks get more adopted by the world population (there are already one billion smartphone users, and this stat is from last year!), secret services will be able to monitor all these people on a daily basis. A program like PRISM is in my opinion already outdated, because there is much more to get easily from all the data available thanks to social networks and smartphones. The big issue is no longer how to get this data but how to sort it, how to find and locate the most relevant pieces among this huge amount of data. Finally, we have to admit that privacy is almost dead and it is getting difficult to protect your privacy.

It made the news almost all around the world: Apple Maps is really badly tested and contains a lot of inaccurate maps/pictures. Many websites are making jokes and having fun showing lists of Apple Maps mistakes/bugs.
It is obvious this software was not tested properly. It is really surprising because it seems that the basic concepts/methods of software testing were not followed. The basic testing approach would be to have some end-user testers perform system testing: at least trying and running the application with famous and well-known locations. Apple Maps, I think, will remain for a long time the perfect example of what you should not do when testing an application.

I came across this website. It cites some real examples of funny, hilarious paper reviews. This is always done during the scientific conference peer-review process: other researchers in the same research field are invited to review and evaluate the quality of papers submitted to conferences, and they choose to accept or reject the publication of the paper.
On this website, there is a list of funny comments on submitted papers; read and judge by yourself:
A new malware is spreading right now. It is an important threat since this malware is very similar to the famous Stuxnet malware (an interesting talk about analysing Stuxnet). It installs a keylogger that records all the keystrokes and the system configuration, then encrypts all this data and stores it in an image.
To detect and remove this threat, you can use this tool.

The security company VUPEN claims that they were able to successfully perform an attack on Google Chrome. According to them, versions v11.0.696.68 and v12.0.742.30 are affected. Their attack bypasses the sandbox security mechanisms, and works on Windows 7 64-bit, which has the data execution prevention (DEP) and address space layout randomisation (ASLR) security features.
VUPEN does not give any details on the exploit. They did not even share it with Google, which is very unusual and surprising. They say that they are sharing the exploit with their government customers. It is not clear whether they meant that they are sharing the exploit or the vulnerability and the way to protect against it. This means that there is out there a 0-day vulnerability that allows hacking into your system just by visiting a malicious website.

The Anonymous group succeeded in attacking several targets, among them Visa, PayPal and MasterCard (they did this to support WikiLeaks).
These attacks used DDoS, which is quite simple; however, they were also able to attack HBGary, an important security company. This time it was a more sophisticated attack: they found an SQL injection vulnerability in the HBGary website and used it, then managed to get most of the company's emails and make them public (via torrent), and with social engineering they got access to the famous rootkit.com server. The lesson to learn from this attack: it is amazing to see that a security company like HBGary can become the victim of this kind of attack (it shows how difficult it is to protect against targeted attacks from skilled hackers). The second lesson is how important it is to secure the company's emails; the information inside them can be very harmful if leaked.
Author: Dr. Tejeddine Mouelhi
Archives: April 2020