Bob Young

@fifonetworks@infosec.exchange

Sole proprietor, FIFO Networks
Cybersecurity - Networks - Wireless – Telecom - VoIP
Most of my money comes from contract work for public utilities around the country, but I also provide remote tech support to small business and SOHO clients, mainly (but not exclusively) in the USA.

I do a fair amount of custom work for people when a loved one dies: unlocking computers, data recovery, and account recovery (Advice: keep paying their cell phone bill until you've got all their data back).

Also, personal cybersecurity for journalists, TV reporters, politicians down to the City Council level, and political candidates. TV stations: contact me for contract pricing for your entire news team.

Use https://fifonetworks.com/contact-us/ for questions or to schedule service. It's just me. You'll be communicating directly with me.

Licensed and Insured.

LinkedIn: https://www.linkedin.com/in/fifonetworks/
Software Developer's Code of Ethics: https://fifonetworks.com/software-developers-code-of-ethics/

‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach | IT Pro https://share.google/r3Ys913UW0FTdrfz9

From the article:
“This data also included these networks’ administrator credentials and network diagrams — which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the DoD warned.

One more time: “This data also included these networks’ administrator credentials...”

Any advice, from any so-called authoritative source (including NIST), recommending that you no longer need to enforce a password change policy, is absolute folly.

Change your passwords.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity


Integrated circuits, chips, and silicon... Yesterday I was on site at a client’s headquarters, and the owner asked me a question that took me completely by surprise. He asked, “How are ICs and chips related? What does one have to do with the other? And where does silicon fit in?”

As a college professor, through painful experience, I developed a concept I call the Common Body of Knowledge. The Common Body of Knowledge includes those things my students will already know when they attend class. I don’t have to teach these things. For example, when explaining this to my students, I’ll ask, “What is the name of the ocean on the east coast of the USA?” My students just sit there, and I have to encourage them by saying, “It’s not a trick question. The answer is as easy as you think it is. I’m trying to teach you a concept, and this illustration will help.” Finally, one or two brave souls will say, “The Atlantic.”

“Yes! That’s it! You see, that’s in the Common Body of Knowledge. Now, here’s the problem I run into as your instructor: sometimes, I’ve known something for so long that I just assume it’s in the Common Body of Knowledge. But it actually isn’t. Someone had to teach me this ‘thing,’ somewhere in my distant past. I’ve known it so long I don’t even remember learning it. Now, during class, I may casually mention something like everyone knows it, and I’ll just go on to the next thing. I’m counting on you to stop me. Raise your hand. Ask the question. Because if you don’t know what I just said, there’s a very good chance that some other people in the class don’t know, either.”

I look around the class, and make eye contact with as many students as possible. “I want you to be the brave one. Ask the question. That’s how I will learn that something I said is NOT in the Common Body of Knowledge, and I need to back up and add it to the class session.”

Now, back to the opening of this post. My client was hearing things in the news, and asked me to explain chips, ICs, and silicon. I had no idea this wasn’t in the Common Body of Knowledge, but it’s not. People have to learn it.

Here now, for you, is a brief explanation.

SILICON
Silicon is a special element with remarkable chemical properties. It doesn’t conduct electricity easily, like gold or copper. But it’s also not an insulator, like rubber or pure water. Silicon is a semiconductor. We can make it conduct electricity, or stop conducting electricity, by mixing silicon with other chemicals and applying various voltages to it. This is the heart of all electronic parts now. Conducting or not conducting. On or off. One and zero.

CHIP
Through a complex manufacturing process, we combine a bunch of these little on/off junctions on a very tiny piece of silicon. This piece of silicon is a flat “chip” of a silicon rock.

INTEGRATED CIRCUIT
Infinitesimal gold wires are attached to various points on the chip to apply voltages. The tiny gold wires then connect to larger metal pins that can be attached in various ways to a circuit board. The assembly of the chip, the gold wires, and the pins is enclosed in a plastic or ceramic housing. This package is rugged enough to be shipped and sold as an integrated circuit, or IC.

SLANG USAGE
The terms “chips” and “ICs” are used so interchangeably that you can now forget everything I said about a distinction between the two. The little piece of silicon is an integrated circuit. The entire package is a chip. There is no problem with using either term in common conversation.

SUPPLY CHAIN THREAT
Question: who controls the design and manufacture of the chips? It’s possible for a malicious manufacturer to put extra circuitry in the package to do whatever they want it to do. This is why the manufacture of silicon integrated circuits is so important. You should buy chips from “friendly” manufacturers you can trust.

I hope this helps you understand what you’re reading in the financial news about the sourcing and manufacturing of electronics parts.

#IntegratedCircuit #ASIC #Silicon #SupplyChain #IC #ChipManufacturing

Was Trump's daughter an Epstein Girl?

(Q) How do cybercriminals beat SMS, authenticator apps, and passkeys?

(A) Website spoofing.

The site looks exactly like an online payment portal that you use all the time. Or at least, it’s so close to perfect that you don’t notice the difference.

Spoofed Website: “Enter the code from your authenticator app.”

User: Enters the code.

Spoofed Website: [Ignores the code as a useless random number input]: “Perfect! You may now pay your bill.”

OR...

Spoofed Website: “Perfect! Our database is undergoing maintenance right now, so we can’t display your account balance, but you can still make a payment. How much would you like to pay?”

OR...

Spoofed Website: “Perfect! Continue shopping. Add stuff to your cart. You can pay us when you’re done.”

THE LESSON
The authentication process can be spoofed. All authentication inputs are ignored. This means it’s up to you to make sure you’re really on the correct website. This is why you shouldn’t click on links in emails or text messages. You receive the notice that it’s time to pay your bill. Great. Now use the company’s app, or use your browser’s bookmark, to visit the site to make your payment.

To state the problem another way: authentication methods typically prove who you are. They don’t prove who you’re connecting to. There are exceptions, but in general, for the average user, this is a good statement. (“But Bob, the padlock in the browser’s address bar – the website certificate... you know, that stuff!”)

News flash: cybercriminals use spoofed sites with https and certificates. In other words, that padlock can be your assurance that you really are connected to the cybercriminal’s playground.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity
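An added example, not part of the original post: a minimal Python check in the spirit of "use your bookmark, not the link", which classifies a link by comparing its hostname with a list of bookmarked hosts. The host names and the `classify_link` helper are hypothetical, and the lookalike rules are simple heuristics; note that `https` alone never earns the "bookmarked" verdict.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the user's own bookmarks (hypothetical hosts).
BOOKMARKED_HOSTS = {"pay.example-utility.com", "www.example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=BOOKMARKED_HOSTS) -> str:
    """Return 'bookmarked', 'lookalike', 'not-https' or 'unknown' for a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "not-https"
    # Text before '@' is userinfo, not the site; the real host comes after it.
    if parts.username is not None:
        return "lookalike"
    if host in trusted:
        return "bookmarked"
    # Punycode labels can render as characters that imitate a known name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for good in trusted:
        # Near-miss spelling, or the trusted name used as a subdomain prefix.
        if edit_distance(host, good) <= 2 or host.startswith(good + "."):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in (
        "https://pay.example-utility.com/login",
        "https://pay.examp1e-utility.com/login",
        "https://pay.example-utility.com.billing-portal.example/login",
        "https://unrelated.example/",
    ):
        print(f"{classify_link(link):<11} {link}")
```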

@jerry
Thank you for your excellent moderation of this instance. If you flag a follow request for review, I’m rejecting it, because you do good work.

Sunday afternoon fun... I have an old 3 Terabyte Network Attached Storage (NAS) drive that doesn’t work anymore, so I dissected it today. The housing is on the left. The only things inside the housing are the Hard Disk Drive (HDD, center) and the circuit board on the right. The drive plugs directly into the circuit board, no cables. The circuit board contains the disk controller, the Ethernet connection, and the USB connection.
Everything else in the picture is just my messy workbench. It’s actually pretty clean right now.

Later, I’ll plug the HDD into a drive adapter and connect it to a computer. If the problem was in the drive controller, the drive itself may still be good. I’ll find out, but not today.

For the one or two people who are following my Adobe saga: my trial software period is complete. Today I purchased the license for PDF-XChange Editor and uninstalled all Adobe products. Notice the difference in disk space (size).

Adobe Acrobat and Reader together use about 4.2GB of space, while PDF-XChange Editor does everything I need and is one fourth the size!

The obvious question is, “What is Adobe doing with the other 3GB of code in their product?”

Twice in my life I've clicked on the wrong name when sending a text message. Both times, the incorrect recipient was a client. Not good. Not good.

What you need to know about messaging apps in case of a natural disaster, like the flash floods in Texas:

1) Carrier-based messaging apps generally don’t include location information directly in the message’s metadata. Include your location in your message text.
2) Internet-based messaging apps like WhatsApp may include location information in a couple of different ways: either in the metadata, or via a specific “share my location” option.
3) Both carrier-based and Internet-based apps have advantages and disadvantages in an emergency. For example, in some situations you may have a signal from the carrier’s network, but no useable Internet signal. In other situations you may have Internet access via Wi-Fi even if the carrier’s network is offline.
4) Messaging apps (either type) may work when signal quality is too weak to support voice calling. Even if you can’t get a call through, try to communicate with your messaging apps.
5) Maybe you have location sharing disabled on your phone right now. In an emergency or natural disaster, go into your phone settings and turn on all location sharing permissions.
6) When you establish communications with the 911 center or first responders, consider sending a picture with details about your location and surroundings. Help them be prepared.
7) Some 911 centers support text messaging, but it may not always be available in every location. Check the websites of your local emergency agencies to learn about your communications options, and add them to your phone’s contacts.
8) Some communities use emergency information systems like Everbridge. This is one-way communications, from the emergency management agency to you, but it’s a good idea to find out what’s available in your area and sign up now, before there’s an emergency.

#CallMeIfYouNeedMe #FIFONetworks

So Windows 24H2 apparently can't be installed on a computer with a 64GB SSD. I'm currently running Windows 11 Pro, 23H2, but there's insufficient space for the 24H2 upgrade. Online searching reveals lots of people with the same problem. This is bad, because I have 12 of these suckers that I ship to the locations where I'm doing training. Can't switch to Linux because the training must be in a Windows environment.
I'm not interested in your guesses. I've worked on this for days. If you have a solution that you ACTUALLY USED and it ACTUALLY WORKED, then I'd love to hear about it. But please don't waste my time with, "Have you tried....?"
Yes. Yes, I have.