Aaron Grattafiori

664 Followers
268 Following
192 Posts

AI Red Teaming and Safety/Responsibility.

Ex-Offensive Security/Red Team Lead in big tech. Ex-Principal Consultant @ NCC Group / iSEC Partners / Security Innovation.

Use the Defcon Wifi (new blog)

Many security professionals, especially on social media, have an unfortunate tendency towards what we might call performative security. It’s where people broadcast their security measures to show how aware they are, and they suggest others follow their lead. It’s the inverse of security theater where ineffective security is imposed on us by organizations. It’s often ineffective, inconvenient, or both.

And today’s bad advice is “Don't use the defcon wifi.”

The #Defcon and #Blackhat networks are some of the most monitored networks anywhere. No one's going to blow an 0-day by using it on either network. This assumes everything's up to date and fully patched, and that you join the official networks, which are listed on signage around the venues. It also assumes that all your apps are using TLS everywhere. In contrast, there is a never-ending parade of warnings about malware in telecom infrastructure. There are routinely reports of extra base stations around Las Vegas. (I’ve heard numbers on the order of an extra 50, of which I’d guess many are simply just-in-time capacity from authorized suppliers.) The lack of authentication of base stations is apparently a ...feature... that’s never going to be fixed.

Now, there’s another way to interpret this, which is to put your devices in airplane mode or a Faraday cage, and that’s not awful advice. Disconnect. Be present. Enjoy the events. Talk to the people around you. If you want to disconnect, a well-constructed Faraday cage is safer than airplane mode, which lets Bluetooth and wifi work.

When I was at Microsoft, some of my co-workers made a big deal of how they locked down their laptop, or bought a burner for Defcon. Me? I asked why our products weren’t safe enough to use in that environment, given that they’re certainly used in more dangerous places.

https://shostack.org/blog/use-the-defcon-wifi/

Shostack + Friends Blog > Use the Defcon Wifi

Why it’s ok to use the Defcon wifi

MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis

Unpack the remote code execution vulnerability impacting the Microsoft Message Queueing service — CVE-2023-21554, a.k.a. QueueJumper.

Security Intelligence

Just to loop this thread into this thread - I took a look at the attack path used in the M365 customer data breach.

A key part of the attack chain was documented by Microsoft at BlackHat in 2019.

https://cyberplace.social/@GossiTheDog/110736594147931759

Kevin Beaumont (@GossiTheDog@cyberplace.social)

Been looking at Microsoft 365 email breach some more - it looks like Microsoft were aware of issues in the same token validation space in Exchange Online 4 years ago. MS did a talk at BlackHat about it, after somebody external pointed out an invalid token allowed any email box to be accessed via consumer Outlook.com. They fixed that issue - but still allowed any valid MS token to access any email, so the threat actor stole one of the MSA certs. Talk: https://www.youtube.com/watch?v=KN6e1mqcB9s

Cyberplace

While I applaud the move from Microsoft to finally expose more logging to users, it’s kind of silly that it takes years before having some logs accessible while such logs were easily accessible on on-premises software…

I remember some discussions in incident response where we could not get logs because “Microsoft knows better than you how to analyse those logs”.

Maybe it’s time to finally get access to logs from all those SaaS and cloud vendors who usually deny you access as a customer to your own logs. Even if some customers lack the capabilities to analyse their own logs, having the logs helps to spot specific attacks or respond better to incidents.

I bet it will again take time to have logging capabilities in default entry-level cloud services.

#logging #dfir #incidentresponse

https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/

How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.

Microsoft Security Blog

Sources: ~700K TikTok accounts in Turkey were hacked before Turkey's election in May via a flaw TikTok knew in 2022; TikTok admits "unusual activity" in April (Emily Baker-White/Forbes)

https://www.forbes.com/sites/emilybaker-white/2023/07/18/turkey-tiktok-hack-presidential-election/
http://www.techmeme.com/230718/p30#a230718p30

As Many As 700,000 Turkish TikTok Accounts Were Hacked Before The Country’s Presidential Election

A UK security agency warned TikTok about the exploited vulnerability more than a year earlier, but the company chose not to fix it.

Forbes

Microsoft quietly snuck out a blog yesterday to say that Office 365 got compromised by China and used to steal emails. Thread follows. https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

A lot of the anti-Threads posts here sound like a guy who almost convinced everyone at the party to play his overly complex German board game. But while he was setting up, someone turned on Mario Kart in the other room, and he’s pretty salty about it.

Over the last several months, our team at the Stanford Internet Observatory has been exploring the phenomenon of self-generated child sexual abuse material (SG-CSAM), the commercial sale of CSAM created by or with the assistance of teenagers themselves.

We explored a network of hundreds of sellers and tens of thousands of buyers. The most important platform for this trade is Instagram, as well as Twitter, Dropbox, Telegram and gift card trading sites.

Our blog post: https://cyber.fsi.stanford.edu/news/addressing-distribution-illicit-sexual-content-minors-online

Addressing the distribution of illicit sexual content by minors online

I spent a year digging into the SolarWinds hack - talking with SolarWinds/Mandiant/Microsoft and others -- to bring you this detailed story of how the hackers pulled off the boldest, most sophisticated supply-chain hack in history ... and how they got caught. https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

APT41 feeling left out this time