Spotted via HackerNews, Slashdot, /r/netsec, O’Reilly Security Newsletter, Twitter; via security bloggers including Krebs on Security, Troy Hunt; from classmates; and elsewhere.
Events and Conferences
RSA Conference videos are online.
Law and Politics
How to run a rogue government Twitter account; sounds like fun, and it is a good primer on operational security.
Cybercrime Stories
From classmates.
That time the FBI operated a botnet.
“Friday Afternoon Fraud” and trying to raise lawyers’ awareness of cybersecurity.
Cybercriminals are hacking the email accounts of Irish solicitors in an attempt to steal tens of thousands of euro from unsuspecting home buyers, the Sunday Independent has learned.
Dubbed ‘Friday Afternoon Fraud’, the conveyancing scam has been known to take several forms, but generally occurs when the hackers intercept emails between home buyers or sellers, and their solicitors.
I had to look up conveyancing; in a real estate closing this is the transaction-clearing stage that often involves an escrow account.
In “Hackers behind bank attack campaign use Russian as decoy”, there seems to be a “false flag operation”. There’s some nice in-depth analysis in the source link. This drives home a point about cyber attacks: attribution is hard. More on this from Wired and Tenable.
Cryptography
The Security Impact of HTTPS Interception is available again.
[W]e assess the prevalence and impact of HTTPS interception by applying our heuristics to nearly eight billion connection handshakes. [W]e find differing rates of interception: 4.0% of Firefox update connections, 6.2% of e-commerce connections, and 10.9% of U.S. Cloudflare connections were intercepted. While these rates vary by vantage point, all are more than an order of magnitude higher than previous estimates.
There’s supposed to be a GitHub repo appearing soon.
SHA-1 collisions were announced by Google and CWI Amsterdam. We know enough crypto to talk about why this is a big deal. The “branded” attack is SHAttered. Ars Technica has more.
Application Security
Google’s Project Zero went full disclosure on Microsoft. This is unrelated to the other vulnerability that may have been actively exploited and was supposed to be fixed in the delayed February patches.
We haven’t covered CSRF yet, but new browser controls are starting to make an appearance that may ensure that CSRF is dead.
Other
Netflix announced a new security tool that, in part, involves users in the security process.
Dropbox also announced a security tool which similarly involves employees in triaging security events (should we talk about the possibility of insider threat here though?)