- used unsupported, unpatched software as critical infra
- used multiple IT vendors with varying levels of access
- lacked sufficient in-house staff to coordinate a proper security policy
- lacked resources (or leadership, probably) to appropriately fund an infrastructure refresh program
- launched remote access during COVID WITHOUT MFA
And although we cannot say for sure that the Terminal Server was the point of access, it's a good dang bet. Rhysida works smarter, not harder.
As usual, the reality of defense is not sexy malware research. It's not breathlessly shouting about patching 0-days. It's the quotidian work of getting the basics right, not taking shortcuts, and making security—across the CIA triad—a budget priority.
In cultural and educational institutions, it is very common to think of IT systems as an afterthought, or ancillary to the primary mission. These institutions maintain this mentality at their own considerable risk. This extends to the governments and organizations who fund these institutions.
You get that they're doing this because they know they'll be the corpocrats at the top of the food chain in the hellscape they're making, right? They know exactly what kind of future they're bringing about.
So someone dumped a ton of internal Chinese gov't docs, and I'm working on translations here. From what I can tell, the company An Xun International has been dropping spyware in its products? More to come.
@GossiTheDog Aw dang, thanks for sharing this. But the archive.is link doesn't actually let you read the story. It's obscured even in that form by other text.
There's a twinge of sadness every time I see a cool image that I know was model-generated. Part of the appreciation of art is for the talent, craft, and imagination of the artist. Model-generated art not only robs the artist of the opportunity, it robs us of the opportunity to appreciate those aspects.
When the Director of CSIS calls for kinetic responses to cyberattacks, we should all sit up and take note. We should also all be very concerned. The proposed rules of engagement in this article include:

> The United States can and will use all elements of state power to effectively defend the homeland against any threat, in any domain. The Department of Defense stated a version of this policy in the context of integrated deterrence, but it is worth a high-level official saying it again. The official should point out that U.S. policy refuses to target civilian critical infrastructure, so a proportional response to a cyberattack on our critical infrastructure would be serious and likely include economic or military measures.

The article directly calls out the challenges of attribution and understanding of intent, but defaults to a retaliatory stance for reasons that are, in my opinion, deeply hypothetical—especially the hand-wavy claim that "AI" is going to make these threats more dangerous. There is absolutely no evidence for that claim.
The cyberwar might be here, but every day the intelligence community and military make de-escalatory choices about how to respond to these attacks. I contend we're better off for them doing so.
Good morning! Have a fairly gnarly RCE in #Jenkins:

> Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
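The practical first step after an advisory like this is triage: which controllers in the fleet fall inside the version range the advisory names? The following is an added example, not code from Jenkins or from the author of the post. It uses only the two bounds quoted above (weekly 2.441 and earlier, LTS 2.426.2 and earlier) and assumes, as a labelled heuristic, that Jenkins LTS version strings carry three numeric components (2.426.2) while weekly releases carry two (2.441). The inventory it scans is constructed inline for the demonstration.

```python
from typing import Dict, List, Tuple

# Upper bounds of the affected ranges, exactly as quoted from the advisory.
MAX_AFFECTED_WEEKLY: Tuple[int, ...] = (2, 441)
MAX_AFFECTED_LTS: Tuple[int, ...] = (2, 426, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2) so tuples compare numerically.

    Plain string comparison would rank '2.9' above '2.441', which is why
    we convert each dotted component to an int first.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad Jenkins version string: {version!r}")
    return parts


def is_lts(version: str) -> bool:
    """Assumption (heuristic): three components = LTS, two = weekly."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if the version lies inside the range the advisory names."""
    v = parse_version(version)
    if len(v) == 3:
        return v <= MAX_AFFECTED_LTS
    if len(v) == 2:
        return v <= MAX_AFFECTED_WEEKLY
    raise ValueError(f"unrecognised Jenkins version shape: {version!r}")


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose controller version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported Jenkins version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-weekly-01": "2.441",    # last affected weekly
    "ci-weekly-02": "2.442",    # outside the stated range
    "ci-lts-01": "2.426.2",     # last affected LTS
    "ci-lts-02": "2.426.3",     # outside the stated range
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is inside the affected range")
```

Feed `triage` the output of whatever asset inventory you trust (CMDB export, `/api/json` scrape of each controller, a hand-maintained list) and treat the hits as the patch or mitigation queue. The heuristic in `is_lts` is the weak point: if your inventory records versions in a different shape, adjust that function rather than the comparison logic.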
I predict that the next decade will see a profound weakening of intellectual property law as it is discovered just how much money there is in subverting it in the name of "technological progress," with regard to generative models.
Probably the most important habit of mind you can develop is aversion to simple explanations. Almost nothing is simple, even if it seems that way as an outsider.
But you must work against your brain in this, because your brain wants an easy-to-tell story. Your own sense-making mechanisms are working against your understanding of a complex reality, in favor of one that is easy to recount.
Mozilla is two different entities. The Mozilla Corporation and the Mozilla Foundation. The second one? That's the social good one you really want focused on important things.
The Mozilla Foundation, like all non-profits, publishes their Form 990 annually to disclose compensation. Here it is.
You'll see that the top earner there, Mitchell Baker, who is very handsomely rewarded, is actually paid by the Mozilla Corporation, not the Foundation. Put another way, the non-profit is not blowing its funding on a CEO.
And the corp, by the way, is a wholly-owned subsidiary of the Foundation. It exists to generate additional revenue for the Foundation. That's a good thing too, because donations alone won't cover operating expenses.
The annual report of the Foundation shows a pretty healthy financial situation, and increased investment in public good projects year-over-year.
I don't like everything they do either (e.g. that risible website generator), but I don't actually think they are suffering from a lack of focus. They're suffering from a mature market.
Displaced Philly boy. Threat hunter. Streamer. Educator. Dad. #infosec, #programming #rust :rust:, #python :python: #haskell :haskell:, and #javascript :javascript:. #opensource advocate. Cofounder of @thetaggartinstitute@infosec.exchange. Made https://wtfbins.wtf. Co-creator of https://github.com/mttaggart/OffensiveNotion. Not your bro. All opinions my own. #fedi22 #searchable