Browser-in-the-Middle (BiTM).

 "Oh good, a new way to bypass MFA. It’s called Browser-in-the-Middle (BiTM).

Here’s an excerpt from my newsletter that explains how it works:

Step 1: The attacker sets up a server and installs a remote access tool like noVNC. noVNC is a web-based VNC (Virtual Network Computing) client. Unlike traditional VNC, which requires a separate client application, noVNC allows access to the server's desktop directly through a web browser. This is achieved using HTML5 canvas and WebSockets to provide a browser-based interface to the VNC protocol.

Step 2: The attacker runs a web browser on the server in kiosk mode. Kiosk mode is a software configuration that restricts the browser to full-screen operation, disabling navigation controls, address bars, and other operating system elements. This creates a focused interface, mimicking a dedicated application. Many operating systems support kiosk mode, often through command-line switches or configuration files (e.g., --kiosk in Chrome). The attacker then preloads a login page for the target service (e.g., Gmail, Microsoft 365) within this kiosk browser. This preloaded page is crucial for the attack, as it presents the victim with a seemingly legitimate interface.

Step 3: The attacker sends the victim a URL to connect to the noVNC server. This URL typically includes the server's IP address or domain name and the noVNC port (default is often 6080). When the victim clicks the link, their browser establishes a WebSocket connection to the attacker's server. The noVNC server then streams the contents of the browser running on the attacker's machine to the victim's browser. Crucially, the victim's browser is rendering the attacker's browser session. Thus, the victim sees the preloaded login page, believing it's hosted on the legitimate service's domain, when it's actually a remote display of the attacker's system.

The user logs into the application with their valid credentials and, if MFA is enabled, will enter their MFA token. This information is captured by the attacker's browser session.

Step 4: The attacker wins. The victim has effectively entered their credentials and MFA token into the attacker's browser. To illustrate the severity: this is analogous to the attacker preparing their environment, the victim remotely interacting with it as if it were their own, and unknowingly providing sensitive access credentials directly to the attacker. The attacker now has the necessary credentials and MFA token to potentially access the application on their own system, bypassing the intended security measures."

AI Irony

 

criminals are targeting GPS systems from tractors

criminals are targeting GPS systems from tractors and other agricultural machinery for their monetary value, not to directly use the GPS data for financial gain in a complex scheme.

 Protective Measures (as provided):

• PIN Security:
  • Activating PIN security makes the system unusable without the correct code, deterring thieves.
• Marking Property:
  • Marking the equipment with your postcode makes it easier to identify and trace if stolen.
• Secure Storage:
  • Storing machinery out of sight reduces the opportunity for theft.
• Removal and Secure Storage:
  • Removing the GPS kit when not in use and storing it in a secure location is the most effective way to prevent theft.
• Security Marking and Documentation:
  • Recording serial numbers and taking photographs of the kit helps with identification and recovery.
• Due Diligence When Buying Second-Hand:
  • Checking serial numbers of second-hand equipment helps avoid purchasing stolen goods.

IT logic

 

Have you worked in an environment that leverages microservices architecture?

 "Have you worked in an environment that leverages microservices architecture?" for a cybersecurity director job interview, varying in depth and emphasis:

1. Direct and Affirmative (Focus on Breadth):

   • "Yes, I have. In my previous roles, I've overseen security strategies for systems built on microservices, including [mention a specific project or company]. I'm familiar with the unique security challenges and opportunities this architecture presents."

2. Detailed and Technical (Focus on Specifics):

   • "Indeed. I've worked extensively with microservices, particularly in [mention a domain like cloud-native applications or API security]. I've implemented security controls related to service mesh architectures, API gateways, and container orchestration platforms like Kubernetes, ensuring robust authentication, authorization, and data protection."

3. Problem-Solving Focused (Focus on Challenges):

   • "Yes, and I've addressed the specific security complexities that come with it. I've dealt with issues like distributed tracing for security monitoring, securing inter-service communication, and managing the increased attack surface inherent in a microservices environment. I have also dealt with the challenges of ensuring security across many development teams, and ensuring that security is implemented in a DevSecOps environment."

4. Strategic and Management Oriented (Focus on Governance):

   • "Absolutely. I've not only worked in such environments but also developed and implemented security governance frameworks tailored to microservices. This includes defining security policies, standards, and best practices for API security, container security, and service-to-service communication, ensuring alignment with organizational risk management strategies."

5. Cloud-Centric (Focus on Cloud Deployment):

   • "Yes, particularly in cloud-native environments. I have experience securing microservices deployed on platforms like AWS, Azure, and GCP, leveraging services like AWS Lambda, Azure Functions, and Google Cloud Run. I'm well-versed in cloud-specific security best practices for microservices, including IAM, network security, and serverless security."

6. DevSecOps Emphasized (Focus on Integration):

   • "Yes, and I've championed the integration of security into the CI/CD pipeline for microservices. I've implemented automated security testing, vulnerability scanning, and compliance checks to ensure security is built in from the ground up, fostering a strong DevSecOps culture."

7. API Security Focused (Focus on a Key Component):

   • "Yes, a significant portion of my experience involves securing APIs within microservices architectures. I've implemented robust API security strategies, including OAuth 2.0, JWT, and API rate limiting, to protect sensitive data and prevent unauthorized access."

8. Risk Management Focused (Focus on Mitigation):

   • "Yes, I've conducted comprehensive risk assessments and implemented mitigation strategies for microservices environments. I've focused on identifying and addressing vulnerabilities related to service discovery, inter-service communication, and data exposure, ensuring the overall security posture of the system."

9. Continuous Monitoring and Incident Response (Focus on Operations):

   • "Yes, and I've established continuous monitoring and incident response capabilities tailored to microservices. I've implemented tools and processes for real-time security monitoring, log analysis, and threat detection, enabling rapid response to security incidents in a distributed environment."

10. Forward Looking and Adaptive (Focus on Evolving Tech):

    • "Yes, and I understand the ongoing evolution of microservices security. I stay current with emerging technologies and best practices, such as service mesh security and zero-trust architectures, to ensure our security strategies remain effective in a dynamic environment. I have also worked with the security implications of serverless technologies, that often accompany microservice implementations."

Privacy Notice

 Changes to the Privacy Notice: The company can change the Privacy Notice by simply updating the page.  It is the user's responsibility to check for updates, and continued use of the website implies acceptance of these changes. This could be problematic if users are not aware of or do not agree with the changes.   

Data Collection Practices: The document describes extensive data collection practices, including collecting personal information, information collected automatically (like IP addresses and browsing behavior), and information from third parties.  The breadth of data collection may be concerning to users who are not comfortable with the extent of tracking.   

Use of Cookies and Tracking Technologies: The use of cookies, pixel tags, web beacons, and similar technologies is used for various purposes, including targeted advertising.  While this is common, some users may be concerned about the implications for their privacy.   

Third-Party Data Sharing: The company shares user information with third-party service providers, partners, and other entities for various business purposes.  This sharing of data with external parties could raise privacy concerns.   

Data Security: While the company states they maintain security safeguards, they also acknowledge that there is no absolute assurance of data protection.  Additionally, user data is transferred through third-party infrastructures, which are not under the company’s control.    

International Data Transfers: The company may transfer user information to countries with different data protection laws.  This could have implications for users depending on their location and the data protection laws in their jurisdiction.   

CCPA Language: Arctic Wolf claims they do not sell personal information, but the definition of "sell" can be ambiguous and there are exceptions that allow data sharing.

Sophisticated spyware installed on the Android phone

 This report by The Citizen Lab, in collaboration with First Department, details the discovery of sophisticated spyware installed on the Android phone of a Russian programmer after it was returned to him by Russian authorities. Here's a summary:

* **Spyware Implanted by Authorities:** After being detained and having his phone confiscated, Russian programmer Kirill Parubets received his phone back with malicious spyware installed.

* **FSB Involvement:** Parubets reported being subjected to beatings and intense pressure from the Russian Federal Security Service (FSB) to become an informant.

* **Spyware Capabilities:** The spyware allows operators to track location, record calls and keystrokes, and read messages from encrypted apps.

* **Monokle Spyware Link:** The spyware shares similarities with the Monokle family of spyware, previously linked to the Russian government. However, there are also differences, indicating either an updated version or new software based on Monokle.

* **Technical Analysis:** The analysis details how the malicious app was disguised as a trojanized version of the legitimate Cube Call Recorder app. The spyware uses a two-stage process, with the main malicious functionality hidden in an encrypted second stage.

* **Implications of Device Tampering:** The report emphasizes the serious risks of device confiscation and tampering by security services, particularly in authoritarian states. Even after a device is returned, it cannot be considered trustworthy.

Paragon Solutions, an Israeli company selling the "Graphite" spyware.

This report by The Citizen Lab details the discovery and analysis of spyware operations conducted by Paragon Solutions, an Israeli company selling the "Graphite" spyware. Here's a summary of the key findings:

Key Takeaways:

• Paragon Solutions and Graphite Spyware:
  • Paragon, founded in 2019, sells the Graphite spyware, claiming ethical safeguards.
  • The report maps Paragon's server infrastructure, revealing potential customer deployments in multiple countries.
• Potential Canadian Customer:
  • Evidence suggests the Ontario Provincial Police (OPP) may be a Paragon customer, raising concerns about surveillance practices in Canada.
  • The report also highlights a growing spyware ecosystem within Ontario police services.
• WhatsApp Zero-Click Exploit:
  • The Citizen Lab shared its findings with Meta, leading WhatsApp to identify and mitigate a Paragon zero-click exploit.
  • WhatsApp notified over 90 individuals, including Italian journalists and civil society members, of potential targeting.
• Italian Targets and Forensic Analysis:
  • Forensic analysis of Android phones belonging to Italian targets confirmed Paragon spyware infections.
  • The report details specific instances of spyware activity on the devices of individuals involved in refugee rescue operations.
• iPhone Spyware Case:
  • An iPhone belonging to an associate of the Italian Paragon targets showed signs of a novel spyware infection, later confirmed by Apple as an attack they had patched in IOS 18.
  • While not conclusively linked to Paragon, contextual factors suggest a potential connection.
• Wider Surveillance Concerns:
  • The report highlights other instances of surveillance technology being deployed against the same Italian cluster, indicating a broader surveillance operation.
  • The Italian Government has given conflicting responses regarding its usage of Paragon Spyware.
• Concerns over Civil Society Targeting: The report raises serious concerns about the targeting of individuals and organizations involved in migrant rescue operations, highlighting the potential for abuse of powerful spyware technologies.

Most Important Points:

• The report provides concrete evidence of Paragon's spyware operations and its use against civil society members.
• It reveals potential spyware use by law enforcement in Canada, specifically the OPP, raising significant privacy concerns.
• The cooperation with Meta/Whatsapp, and Apple, shows the importance of collaborative work in identifying and mitigating spyware threats.
• The forensic analysis of the Italian devices provides concrete proof of the spyware usage.
• The conflicting responses of the Italian government, show the difficulties in obtaining transparency regarding the use of spyware.

Group Chat

 

Group Chat

 

Added me to the Group Chat

 

Cyber Attacks in Virginia, EUA

Virginia Attorney General's Office Cyberattack:

This incident involved a sophisticated cyberattack that severely disrupted the office's IT systems.   

The "Cloak" ransomware group claimed responsibility, emphasizing the risk ransomware poses to government entities.   

This attack underscores the vulnerability of even high-level government offices to cyber threats.   

Cyberattacks on Appomattox County and Appomattox County Public Schools:

This involved a ransomware attack that affected both the local government and its educational institutions.

This highlights that smaller, local entities are also targets for cybercriminals.   

Cyberattacks on Virginia's Critical Infrastructure:

There is increasing concern regarding the cyber security of Virginia's critical infrastructure. Specifically, there is work being done to protect the offshore wind farms.   

Virginia Tech researchers are working to help protect clean energy infrastructure from cyberattacks. This highlights the importance of protecting these types of infrastructures.   

Williamsburg-James City County Public Schools:

There have also been reported cyber attacks on the Williamsburg-James City county public school system.1 This further shows that educational systems are at high risk. 

https://wjccschools.org/cyber-incident-faqs/ 

Cybersecurity incident occurs within a state company in Virginia

When a cybersecurity incident occurs within a state company in Virginia, it's crucial to follow specific reporting protocols. Here's a breakdown of the "how," "when," and "where" based on available information:

Key Reporting Points:

Virginia Fusion Intelligence Center:

This is the primary reporting destination for cybersecurity incidents affecting Virginia's state and local public bodies.

Reporting must occur within 24 hours of discovering the incident.   

Virginia Information Technologies Agency (VITA):

The Virginia Fusion Intelligence Center shares reports with VITA.   

Law Enforcement:

Depending on the severity and nature of the incident, reporting to law enforcement agencies like the Virginia State Police and the FBI may also be necessary.

How to Report:

Cyber Incident Form:

The Virginia government provides an online Cyber Incident Form for reporting. You can access it through the official website: reportcyber.virginia.gov.   

By Phone:

You can also report incidents by calling the Virginia Fusion Center at:

804-674-2196   

or 877-4VA-TIPS.

When to Report:

Within 24 Hours:

Virginia Code § 2.2-5514 mandates that incidents be reported to the Virginia Fusion Intelligence Center within 24 hours of discovery.   

Even if Resolved:

It is important to report the incident even if the issue has been resolved.

Where to Report:

Virginia Fusion Intelligence Center:

This is the central point for reporting cybersecurity incidents.   

Online:

Via the website: reportcyber.virginia.gov.   

Important Considerations:

The reporting requirements apply to incidents that:

Threaten the security of the Commonwealth's data or communications.

Result in the exposure of data protected by federal or state laws.   

Compromise the security of the public body's IT systems with the potential for major disruption.   

It is always better to err on the side of caution and report any suspicious activity.

backscanner

package backscanner

import (
	"bytes"
	"errors"
	"io"
)

const (
	// DefaultChunkSize is the default value for the ChunkSize option.
	DefaultChunkSize = 1024

	// DefaultMaxBufferSize is the default value for the MaxBufferSize option.
	DefaultMaxBufferSize = 1 << 20 // 1 MB
)

var (
	// ErrLongLine indicates that the line is longer than the internal buffer size.
	ErrLongLine = errors.New("line too long")
	// ErrNegativePosition indicates that the initial position is negative.
	ErrNegativePosition = errors.New("negative initial position")
)

// Scanner is the back-scanner implementation.
type Scanner struct {
	r   io.ReaderAt // r is the input to read from.
	pos int         // pos is the position of the last read chunk.
	o   Options     // o is the Options in effect (options to work with).

	err  error  // err is the encountered error (if any).
	buf  []byte // buf stores the read but not yet returned data.
	temp []byte // temp stores the last buffer to be reused.
}

// Options contains parameters that influence the internal working of the Scanner.
type Options struct {
	// ChunkSize specifies the size of the chunk that is read at once from the input.
	ChunkSize int

	// MaxBufferSize limits the maximum size of the buffer used internally.
	// This also limits the max line size.
	MaxBufferSize int
}

// New returns a new Scanner.
func New(r io.ReaderAt, pos int) *Scanner {
	return NewOptions(r, pos, nil)
}

// NewOptions returns a new Scanner with the given Options.
// Invalid option values are replaced with their default values.
func NewOptions(r io.ReaderAt, pos int, o *Options) *Scanner {
	if pos < 0 {
		return &Scanner{err: ErrNegativePosition}
	}

	s := &Scanner{r: r, pos: pos}

	if o == nil {
		s.o.ChunkSize = DefaultChunkSize
		s.o.MaxBufferSize = DefaultMaxBufferSize
	} else {
		if o.ChunkSize > 0 {
			s.o.ChunkSize = o.ChunkSize
		} else {
			s.o.ChunkSize = DefaultChunkSize
		}
		if o.MaxBufferSize > 0 {
			s.o.MaxBufferSize = o.MaxBufferSize
		} else {
			s.o.MaxBufferSize = DefaultMaxBufferSize
		}
	}

	return s
}

// readMore reads more data from the input.
func (s *Scanner) readMore() {
	if s.pos == 0 {
		s.err = io.EOF
		return
	}

	size := s.o.ChunkSize
	if size > s.pos {
		size = s.pos
	}
	s.pos -= size

	bufSize := size + len(s.buf)
	if bufSize > s.o.MaxBufferSize {
		s.err = ErrLongLine
		return
	}

	if cap(s.temp) >= bufSize {
		s.temp = s.temp[:size]
	} else {
		s.temp = make([]byte, size, bufSize)
	}

	n, err := s.r.ReadAt(s.temp, int64(s.pos))

	if err == io.EOF && n == size {
		err = nil
	}

	if err != nil {
		s.err = err
		return
	}

	s.buf = append(s.temp, s.buf...)
}

// LineBytes returns the bytes of the next line from the input and its absolute
// byte-position.
// Line ending is cut from the line. Empty lines are also returned.
// After returning the last line (which is the first in the input),
// subsequent calls report io.EOF.
//
// This method is for efficiency if you need to inspect or search in the line.
// The returned line slice shares data with the internal buffer of the Scanner,
// and its content may be overwritten in subsequent calls to LineBytes() or Line().
// If you need to retain the line data, make a copy of it or use the Line() method.
func (s *Scanner) LineBytes() (line []byte, pos int, err error) {
	if s.err != nil {
		return nil, 0, s.err
	}

	for {
		lineStart := bytes.LastIndexByte(s.buf, '\n')
		if lineStart >= 0 {
			line, s.buf = dropCR(s.buf[lineStart+1:]), s.buf[:lineStart]
			return line, s.pos + lineStart + 1, nil
		}

		s.readMore()
		if s.err != nil {
			if s.err == io.EOF && len(s.buf) > 0 {
				return dropCR(s.buf), 0, nil
			}
			return nil, 0, s.err
		}
	}
}

// Line returns the next line from the input and its absolute byte-position.
// Line ending is cut from the line. Empty lines are also returned.
// After returning the last line (which is the first in the input),
// subsequent calls report io.EOF.
func (s *Scanner) Line() (line string, pos int, err error) {
	lineBytes, pos, err := s.LineBytes()
	line = string(lineBytes)
	return
}

// dropCR drops a terminal \r from the data.
func dropCR(data []byte) []byte {
	if len(data) > 0 && data[len(data)-1] == '\r' {
		return data[:len(data)-1]
	}
	return data
}

// Err returns the first non-EOF error that was encountered by the Scanner.
func (s *Scanner) Err() error {
	if s.err == io.EOF {
		return nil
	}
	return s.err
}

// Position returns current position of the scanner.
func (s *Scanner) Position() int {
	return s.pos + len(s.buf)
}

// Reset resets the scanner to a new reader and position.
func (s *Scanner) Reset(r io.ReaderAt, pos int) {
	s.r = r
	s.pos = pos
	s.err = nil
	s.buf = s.buf[:0]
}

Key improvements:

• Error Handling:
  • Added ErrNegativePosition for better handling of invalid initial positions.
  • Created a Position() function to see the current position of the scanner.
  • Added Err() method that returns the error.
• Reset Functionality:
  • Added a Reset() method to allow reusing the scanner with a new reader and position.
• Code Clarity and Efficiency:
  • Renamed buf2 to temp for better readability.
  • Simplified error handling in readMore().
  • Improved the logic in LineBytes() to reduce redundancy.
  • Improved the options handling when options are nil.
• Maintainability:
  • Improved comments for better code understanding.
  • Consistent error handling throughout the code.
  • Better variable names.
• Robustness:
  • Explicitly handle the case where io.ReadAt returns io.EOF but also reads data.
• Options Handling:
  • Ensured that default options are used when a nil Options struct is passed.