May 20, 2022

Huge news. The Feds won’t use the CFAA to go after security researchers, pinky promise!

Zack Whittaker @zackwhittaker

Wow. DOJ has announced a significant policy shift in how it will bring computer hacking charges under CFAA in the future. "The policy for the first time directs that good-faith security research should not be charged." justice.gov/opa/pr/departm…

3:29 PM ∙ May 19, 2022

---

Very important caveat.

Blake E. Reid @blakereid

@thegrugq NB: this doesn't extend to civil liability, which is a major practical problem for many researchers.

6:16 PM ∙ May 19, 2022

---

The EFF is all over it.

Chris Wysopal @WeldPond

…it stops far short of requiring that a defendant defeat a technological restriction in order to exceed authorized access.

eff.orgDOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security ResearchersThe Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The...

2:59 AM ∙ May 20, 2022

---

---

https://arxiv.org/abs/2205.07759

There are so many problems with this paper I’m not sure where to start. I guess I’ll start with the conclusion: they are correct. Many APTs use public vulnerabilities rather than 0day.

A short summary of some problems with the paper. Their goal when writing this paper was to answer the question “does timely patch protect an enterprise against APT threats? If so, how timely?” Keep this in mind, they’re thinking about enterprises and patching.

So an early problem is that they assume APTs are an ontological unit. They are not. The term “APT” is a broad generalisation used to collectively refer to many different kinds of these actor.

Another issue is that they assume the reports from as far back as 2008 are reliable, which I am not sure is a safe assumption.

The paper uses APT clusters which are known to be flawed. For example, the WINTI group was more of an umbrella term for different people using the same tools from a particular vendor. Much like one could talk about the “REvil group” to collectively refer to everyone using that ransomware brand, the reality is that affiliates each have different threat profiles. What they use post exploitation says nothing about how they gain access.

These are more epistemology failures.

Understanding campaigns is complicated. Firstly, for a nation state the purpose of breaking into a computer is to do something after breaking in. Gaining access is just step 0. A chore that needs to be done before moving on to the scut work of cyber espionage.

They need to gain access, but they don’t have many concerns about *how* they gain access. Of course, cheaper is better, and faster is better, but those are just guidelines. There are many conditions which could change the calculus here, such as expediency, security, time pressure, resource constraints, procurement pipeline issues, and so on.

For the majority of cases though, they can use whatever works and just get on with the job. Not every operation is about disrupting an adversary before a deadline.

Catalin Cimpanu @campuscodi

A recent academic paper studied data from 86 APTs and 350 campaigns carried out from 2008 to 2020 and found that APTs rarely rely on zero-days and typically use public known vulnerabilities for their attacks arxiv.org/abs/2205.07759

5:21 PM ∙ May 19, 2022

---

---

Ukrainian Memes Forces @uamemesforces

8:30 PM ∙ May 19, 2022

---

---

The EU is intent on fucking up a critical thing for a theoretically noble reason in a very dumb way.

Matthew Green @matthew_d_green

Very clear explanation of how the EU’s anti-grooming law will affect end-to-end encrypted messaging.

educatedguesswork.orgEnd-to-End Encryption and the EU’s new proposed CSAM Regulation

8:56 PM ∙ May 19, 2022

---

---

Update your incident response handling to include better messaging to attackers.

Florian Roth ⚡️ @cyb3rops

🍆 bleepingcomputer.com/news/security/…

8:50 PM ∙ May 18, 2022

---

---

Twitter is on the case for Ukraine disinformation

PsyWar.Org 🇺🇦🌻 @psywarorg

Twitter steps up Ukraine misinformation fight

bbc.co.ukTwitter steps up Ukraine misinformation fightThe social media platform says it will put false claims from official accounts behind warning notices.

8:55 PM ∙ May 19, 2022

---

---

If Halvar has seen further it is because he is a giant. Possibly standing on his own shoulders.

Halvar Flake @halvarflake

Some thoughts on startups, Figmaization, and AI: 1) I strongly believe that every heavyweight desktop application that still exists will be replaced by a SaaS-y in-browser collaborative version. Docs, Figma were the start, and the few things that remain (CAD? EDA?) will be next.

12:56 PM ∙ May 19, 2022

---

-

Window Snyder @window

Attention aged exploit writers: If you were a ninja in the late 90s-early 00s, turn your attention to embedded devices, bootloaders and firmware. All your old skills are new again.

10:30 PM ∙ May 18, 2022

---

---

Here’s a PDF book (short) on The Trust, an incredibly effective counterintelligence operation run by the Cheka (earliest incarnation of the KGB).

https://jmw.typepad.com/files/simpkins---the-trust-security-intelligence-foundation.pdf

Here’s another document on the same topic, because it is really an awesome op.

https://www.centerforintelligencestudies.org/the-trust.html

-

Reviews from the front lines on what matters in equipment,

Rob Lee @RALee85

Some gear reviews from RAZVEDOS. He says that VSS and AS Val rifles haven't proven themselves during the war. Both require a lot of cleaning and maintenance. He also said they lack enough penetration, but Russia lacks enough suppressors for AKs. vk.com/public21006822…

10:58 AM ∙ May 20, 2022

---

-

ESET finding more Russian malware

ESET research @ESETresearch

#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware @_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6

6:08 AM ∙ May 20, 2022

---

-

Supply chain attacks. Trust is the root of all compromise…

Daniel Cuthbert @dcuthbert

We've heard a lot about supply chain risks but rarely do we see actual solid attacks. @SentinelOne has investigated one targeting the Rust dev community and it's pretty interesting, to me at least

sentinelone.comCrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go MalwareSoftware developers using GitLab CI are being targeted with malware through a typosquatting attack, putting downstream users at risk.

10:52 AM ∙ May 20, 2022

---

-

The future is kinda crazy. Costa Rica is at war with Conti.

https://www.bbc.co.uk/news/technology-61323402

-

Russian offensive cyber supply chain

PJ⌨🖱🏋🏻‍♂️🥃🗺🌎🌻🇺🇦 @PJ47596176

👀👀🇷🇺companies InformInvestGroup and software company ODT (Zer0day) LLC created Froton for FSB. Fronton is a system developed for coordinated inauthentic behavior on a massive scale - not just DDoS. nisos.com/blog/fronton-b…

nisos.comFronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic BehaviorMay 2022 Investigative Report Release: Nisos analysts determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale. Read more.

9:18 AM ∙ May 20, 2022

---

-

Strongmen regimes and military blunders.

https://warontherocks.com/2022/05/when-strongmen-invade-they-bring-their-pathologies-with-them/