Verizon Will Fix Broadband Networks, Landlines To Resolve Investigation

Joel Hruska reports via ExtremeTech: Verizon has reached an agreement with the Communications Workers of America and the New York State Public Service Commission to begin repairing infrastructure and restoring service across New York State. The agreement requires Verizon to extend broadband service to tens of thousands of New York State households and to begin repairing facilities it has previously neglected. As in Pennsylvania, Verizon has been neglecting its fixed wired infrastructure in its bid to first sabotage copper service, then force customers to adopt alternative solutions. It’s also been mired in an ongoing lawsuit with the state of New York over its breach of a 2008 contract requiring it to provide fiber service within New York City.

This new agreement appears to settle these issues, provided it’s followed. Under its terms, Verizon will extend fiber to 10,000 to 12,000 households not currently served by it in Long Island and Verizon’s “Upstate Reporting Region” (these are Verizon-specific regions, not geographical areas, so “Long Island” may mean more than just the island). It will begin immediately replacing copper lines in certain specific NYC buildings with high failure rates and transitioning them to fiber optic cable, repairing operations within 50 upstate wireless centers with high failure rates, allow plant technicians to report plant failures and maintenance needs more accurately, and begin inspecting and replacing the batteries that provide critical connectivity in the event of a power outage when said batteries are deployed for specific customers (hospitals, police stations, and other emergency facilities). It will also begin removing so-called “double poles.” A double pole is when an old telephone pole is stapled (metaphorically speaking) to a newer one. Some examples of a double pole from PA are shown below; Verizon has been hauled into court to force it to do its job in more than one state.

Daily Dose of Violent Video Games Causes ‘No Significant Changes’ In Behavior, Study Finds

An anonymous reader quotes a report from Ars Technica: A new, longer-term study of video game play from the Max Planck Institute for Human Development and Germany’s University Clinic Hamburg-Eppendorf recently published in Molecular Psychiatry found that adults showed “no significant changes” on a wide variety of behavioral measures after two straight months of daily violent game play

Patriots Rumors: Adrian Clayborn Plans Free-Agency Visit with New England

Entering his eighth season in the league, veteran defensive end Adrian Clayborn may finally play in a division other than the NFC South.

What It Was Like To Pretend To Be An Astronaut On The Day Stephen Hawking Died

As the faux space helmet was lowered gently onto my head on Wednesday, I thought about the day’s early morning hours, when the world learned that Stephen Hawking had passed away.

Rockwell Jawhorse RK9003 $101.80 online at Walmart and Amazon

Walmart has the Rockwell Jawhorse RK9003 on sale for $101.80. This is about $38 cheaper than the regular price.

Spotify will launch its IPO in April – CNET

Will Spotify’s IPO be a hit? We should find out in just a few weeks.

Walmart Jewelry Partner Exposes Personal Data Of 1.3M Customers

A misconfigured Amazon Simple Storage Service (S3) bucket, managed by a Walmart jewelry partner, left personal details and contact information of 1.3 million customers exposed to the public internet.

TROOPERS 18 Wrap-Up Day #2

Hello Readers, here is my wrap-up of the second day. Usually, the second day is harder in the morning due to the social events but, at TROOPERS, they organize the hacker run, which started at 06:45 for the most motivated of us. Today, the topic of the 3rd track switched from SAP to Active Directory. But I remained in tracks #1 and #2 to follow a mix of offensive vs defensive presentations. By the way, to have a good idea of the TROOPERS’ atmosphere, here is their introduction video for 2018:

As usual, the second day also started with a keynote, which was assigned to Rossella Mattioli, working at ENISA. She’s doing a lot of promotion for this European agency across multiple security conferences but it’s special with TROOPERS because their motto is the same: “Make the world (the Internet) a safer place”. ENISA’s role is to remove the gap between industries, the security community and the EU Member States. Rossella reviewed the projects and initiatives promoted by ENISA like the development of papers for all types of industries (power, automation, public transports, etc). To demonstrate the fact that today, security must be addressed at a global scale, she gave the following example: Think about your journey to come to TROOPERS and list all the actions that you performed with online systems. The list is quite long! Another role of ENISA is to make CSIRTs work better together. Did you know that there are 272 different CSIRTs in the European Union? And they don’t always communicate in an efficient way. That’s why ENISA is working on common taxonomies to help them. Their website has plenty of useful documents that are available for free, just have a look!

After a short coffee break and interesting chats with peers, I moved to the defensive track to follow Matt Graeber who presented “Subverting trust in Windows”. Matt warned that the talk was a “hands-on” edition of his complete research that is available online. Today’s presentation focused more on live demos.

First, what is “trust” in the context of software?
  • Is the software from a reputable vendor?
  • What is the intent of the software?
  • Can it be abused in any way?
  • What is the protection status of signing keys?
  • Is the certificate issuer reputable?
  • Is the OS validating signer origin and code integrity properly?

Trust maturity level can be matched with enforcement level:

But what is the intent of code signing? To attest the origin and integrity of software. It is NOT an attestation of trust or intent! But, it can be used to enforce the mechanism for previously established trust. Some bad assumptions reported by Matt:
  • Signed == trusted
  • Non-robust signature verification
  • No warning/enforcement of known bad certs

One of the challenges is to detect malicious files and, across millions of events generated daily, how to take advantage of signed code? A signature can be valid but the path suspicious (C:\Windows\Tasks\notepad.exe). A bad approach is to just ignore the file because it is signed… Matt demonstrated why! The first attack was based on Subject Interface Package hijacks (attacking the validation infrastructure). He manually added a signature to a non-signed PE file. Brilliant! The second attack scenario was to perform a certificate cloning and Root CA installation. Here again, very nice but it’s more touchy to achieve because the victim has to install the Root CA on his computer. The conclusion to the talk was that even signed binaries can’t be trusted… All the details of the attacks are available here:

Then, I switched back to the offensive track to listen to Salvador Mendoza and Leigh-Anne Galloway who presented “NFC payments: The art of relay and replay attacks”. They started with a recap of the NFC technology. Payments via NFC are not new: The first implementation was in 1996 in Korea (public transports). In 2015, ApplePay was launched. And today, 40% of non-cash operations are performed over NFC! Such attacks are also interesting because the attacker can easily gain some money, banks are accepting the risk to lose a percentage of transactions, some limits on the amount are higher in other countries and finally, there is no additional card holder identification. They explained two types of attacks: the replay and relay. Both are based on RFC readers coupled with Raspberry devices. They tried to perform live demos but it failed (it’s always touchy to play live with NFC). Hopefully, they had pre-recorded videos. Demos are interesting but, in my opinion, there was a lack of details for people who don’t play with NFC every day, just like me!

After lunch, Matt Domko and Jordan Salyer started the last half-day with an interesting topic: “Blue team sprint: Let’s fix these 3 things on Monday”. Matt presented a nice tool last year, called Bropy. The idea was to automatically detect unusual traffic on your networks. This year, he came back with more stuff. The idea of the talk was: “What to do with a limited amount of resources but in a very effective way?”. Why? Many companies don’t have the time, the staff and/or the budget to deploy commercial solutions. The first idea was to answer the following question: “What the hell is on my network?”. This is based on a new version of his tool, rewritten in Python3 and now supporting IPv6 (based on last year’s comments). The next question was: “Why are all my client systems mining bitcoin?”. Jordan explained how to deploy AppLocker from Microsoft to implement a white-list of applications that can be executed on a client computer. Many examples were provided, many commands based on PowerShell. I recommend you have a look at the slides when they are available online. Finally, the 3rd question to be addressed was the management of logs based on an ELK stack… classic stuff! Here, Matt gave a very nice tip when you’re deploying a log management solution. Always split the storage of logs and the tools used to process them. This way, if you deploy a new tool in the future, you won’t have to reconfigure all your clients (ex: if you decide to move from ELK to Splunk because you got some budget).

If Matt is using Bro (see above), the next speaker is too. Joe Slowik presented “Mind the gap, Bro: using network monitoring to overcome lack of host visibility in ICS environments”. What does it mean? Monitoring of hosts and networks is mandatory but sometimes, it’s not easy to get a complete view of all the hosts present on a network. Environments can be completely different: a Microsoft Windows-based network does not have the behaviour of an ICS network.
The idea is to implement Bro to collect data passing across the wire. Bro is very powerful to extract files from (clear-text) protocols. As Joe said: “If you can see it, Bro can read it”. Next to Bro, Joe deployed a set of YARA rules to analyze the files carved by Bro. This is quite powerful. Then, he presented some examples of malware impacting ICS networks and how to detect them with his solution (Trisis, Dymalloy and CrashOverride). The conclusion of the presentation was that reducing the response time can limit an infection.

The last time slot for me was in the offensive track where Raphaël Vinot, from CIRCL.lu, presented “Ads networks are following you, follow them back”. Raphaël presented a tool he developed to better understand how many (to not say all) websites integrate components from multiple 3rd party providers. If the goal is often completely legit (and to gain some revenue), it has already been discovered that ads networks were compromised to distribute malicious content. Based on this, we can consider that any website is potentially dangerous. The situation today as described by Raphaël:
  • Some website homepages are very big (close to 10MB for some of them!)
  • The content is extremely dynamic
  • Dozens of 3rd party components are loaded
  • There was a lack of tools to analyze such websites.

The result is “Lookyloo”, which downloads the provided homepage and all its objects and presents them in a tree. This kind of analysis is very important during the daily tasks of a CERT. The tool completely emulates the browser and stores data (HTML core, cookies, etc) in an HTML Archive (.har) that is processed to be displayed in a nice way. The tool is available online but a live demo is available here: lookyloo.circl.lu. This is a very nice tool that must certainly be in your incident handling toolbox!
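
The kind of .har processing described above, as an added example that is not Lookyloo's own code: it attaches each request in a capture to the redirect or Referer that led to it, then reports the host chains through which third-party content was pulled in. The sample capture, its placeholder hosts, the function names and the simple parent heuristic are all assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def _e(url, referer=None, redirect=""):
    """Build one HAR entry holding only the fields this example reads."""
    headers = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": headers}, "response": {"redirectURL": redirect}}

# Constructed sample capture; every host is a placeholder.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _e("https://news.example/"),
    _e("https://news.example/app.js", "https://news.example/"),
    _e("https://ads.example/frame.html", "https://news.example/"),
    _e("https://ads.example/bid", "https://ads.example/frame.html", "https://trk.example/px"),
    _e("https://trk.example/px", "https://ads.example/frame.html"),
]}})

def build_tree(har_text):
    """Return (root_url, {parent_url: [child_url, ...]}) for a HAR document."""
    entries = json.loads(har_text)["log"]["entries"]
    root = entries[0]["request"]["url"]
    seen, children, redirected_from = {root}, {}, {}
    for e in entries:
        url = e["request"]["url"]
        if e["response"].get("redirectURL") not in (None, "", url):
            redirected_from[e["response"]["redirectURL"]] = url
        if url in seen:  # the root, or a repeat request that would create a cycle
            continue
        referer = next((h["value"] for h in e["request"]["headers"]
                        if h["name"].lower() == "referer"), None)
        # Most precise parent first: redirect source, then Referer, then root.
        parent = redirected_from.get(url) or (referer if referer in seen else root)
        children.setdefault(parent, []).append(url)
        seen.add(url)
    return root, children

def third_party_chains(har_text):
    """Return sorted host chains (page host first) that reach a third party."""
    root, children = build_tree(har_text)
    root_host = urlsplit(root).hostname
    chains, stack = set(), [(root, (root_host,))]
    while stack:
        url, chain = stack.pop()
        for child in children.get(url, []):
            host = urlsplit(child).hostname
            new_chain = chain if host == chain[-1] else chain + (host,)
            if host != root_host:
                chains.add(new_chain)
            stack.append((child, new_chain))
    return sorted(chains)
```

Real captures often carry only the origin in the Referer header, so requests that cannot be matched to an earlier URL fall back to the root here.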

Mux is hiring engineers to build the world’s best video infrastructure

Mux is building the future of online video infrastructure.

OAIC received 31 notifications in the first three weeks of data breach scheme (ZDNet)

The Office of the Australian Information Commissioner (OAIC) has told ZDNet there have been 31 notifications provided to the office led by Timothy Pilgrim since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.

We’re Putin our foot down! DHS, FBI blame Russia for ongoing infrastructure hacks (The Register)

The US Department of Homeland Security and the Federal Bureau of Investigation on Thursday issued an alert warning of ongoing cyber-attacks against the West’s energy utilities and other critical infrastructure by individuals acting on behalf of the Russian government.

Beside The Points For Thursday, March 15, 2018

Things That Caught My Eye

This season’s University of Connecticut women’s basketball team was the very best of an already outstanding legacy of UConn teams. Of the five UConn teams since 2014 — all of whom were ranked #1 in adjusted offensive efficiency, adjusted defensive efficiency and adjusted net efficiency — this one stands out with the highest in every rating of all five teams. [FiveThirtyEight]

This City Just Passed the First Bitcoin Mining Ban in the US

On Thursday evening, the city council in Plattsburgh, New York unanimously voted to impose an 18-month moratorium on Bitcoin mining in the city.

The GDPR vs Australian Data Privacy Regulations

Data privacy and security have moved to the forefront of boardroom visibility in 2018. Constant focus on how we manage personally identifiable information (PII) and personal health information (PHI) is moving in a new direction. Not only are we concerned about what we’re storing and processing, but we now need to understand the “where, why, and how.” Data subjects are going to have a lot more control over their data very soon and companies need to understand where data lives and be able to manipulate it and comply with regulatory bodies.

US Power Company Fined $2.7M for Failing to Comply with Energy Industry Cyber Standards

A US-based power company has agreed to pay a $2.7 million penalty after inadvertently exposing sensitive data online and violating energy industry cybersecurity standards.

The Six Types of Cyberattacks

My textbook talks about attacks on computers and computer networks using specific categories. A successful attack goes through many phases. These categories focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Here are the categories I use right now:

Hackers continue to exploit hijacked MailChimp accounts in cybercrime campaigns

MailChimp, a service that millions of people around the world use to send out email newsletters, is being abused by hackers to spam out malware.

US Sounds Alarms Over Chinese Tech, IP Thefts (/r/Espionage)

a subreddit dedicated to hacking and hacking culture.