Sunday, July 27, 2025

megabite

Lumo - Proton

Cellebrite, copying cellphones

yeah, we use Defender

Absolutely horrible.

How many times did I hear: "yeah, we use Defender". Brother, which one?

Did you mean:
🛡️ Defender for Endpoint
🛡️ Defender for Office 365
🛡️ Defender for Identity
🛡️ Defender for Cloud Apps
🛡️ Defender for Cloud (completely different from Cloud Apps, obviously)
🛡️ Defender for IoT
🛡️ Defender Threat Intelligence
🛡️ Defender XDR

Or any of the flavors of Defender for Cloud, like:
🛡️ Defender for Servers
🛡️ Defender for Databases (with further subcategories)
🛡️ Defender for Containers
🛡️ Defender for App Service
🛡️ Defender for Storage
🛡️ Defender for API Management
🛡️ Defender for DNS
🛡️ Defender for KeyVault
🛡️ Defender for Resource Manager
🛡️ Defender for AI services
🛡️ Defender CSPM

But wait, there's more:
🛡️ Defender SmartScreen
🛡️ Defender AV
🛡️ Defender for Business (don’t worry, that one’s a license)
🛡️ Probably a bunch of other Defenders I'm forgetting about

Now imagine explaining that to clients. You can just see them drift away after the 4th Defender mention.

Would be good to have a tiny helper app to remind you which Defender does what. Call it Defender for Naming Convention or something.

accurate inventory the assets

Tuesday, July 15, 2025

Love Language -

Gandhi as Super Villain

Palo Alto Networks Applications and Threats Content Release Notes for Version 8999

Details of this Update (Version 8999)

This update focuses heavily on App-ID expansions and refinements, along with new vulnerability and anti-spyware signatures. Key aspects include:

1. App-ID Enhancements (Final Reminders for August 19, 2025 Activation):

  • Soti MobiControl: Expanding coverage for additional connections to Soti XSight server, currently identified as ssl.

  • MS-RDP: Expanding coverage for RDP traffic from Microsoft Defender's Network Name Resolution, currently identified as ssl.

  • Cortex-XDR: Activating enhanced coverage for global-content-profiles-policy.storage.googleapis.com traffic, currently identified as traps-management-service. (TSIDs for this were introduced in version 8990).

  • GitHub-Base: Expanding coverage for github.dev traffic, currently identified as web-browsing and ssl.

  • SaaS App-ID Risk Scores: Intention to update risk scores for many SaaS App-IDs, specifically those currently at '5'.

  • SaaS Characteristic Update: Intention to update the 'SaaS' characteristic from 'no' to 'yes' for many App-IDs.

  • New SaaS Characteristic "Uses GenAI to Generate Code": Introduction of a new characteristic to identify applications that use Generative AI for code creation. This will first be for Content App-IDs (scheduled for July 15, 2025), with corresponding Cloud App-IDs getting it on August 19, 2025.

  • New ICS, IoT, and OT App-IDs: Introduction of TSIDs for several new industrial control system, IoT, and operational technology App-IDs (e.g., advantech-adam-ascii, capsule-mdip-axon, emerson-movicon, etc.), with activation planned for August 19, 2025.

  • New App-IDs: General intent to release new App-IDs, with encouragement to use TSIDs, "New App-ID" application filters, or "Web App Tag" application filters for adoption.

  • Foundation-Fieldbus: Activation of this new ICS, IoT, and OT App-ID (TSIDs for this were released in version 8990).

  • New IP Geolocation Region: Introduction of "XK" for Kosovo.

2. Signature Updates:

  • New Vulnerability Signatures (11): Includes critical and high-severity vulnerabilities like:

    • TOTOLINK A3700R SetLanguageCfg Stack Overflow (CVE-2024-22660) - Critical

    • Sudo Heap Overflow (CVE-2021-3156) - High

    • Curl NSS CERTINFO Denial-of-Service (CVE-2022-27781) - High

    • Glibc getaddrinfo Buffer Overflow (CVE-2015-7547) - High

    • Apache Kafka Arbitrary File Read (CVE-2025-27817) - High

    • Google Chrome Type Confusion (CVE-2025-6554) - High

    • Mozilla Multiple Products Out-Of-Bounds Write (CVE-2025-4918) - High

    • NI FlexLogger usiReg URI File Parsing Directory Traversal (CVE-2025-2449) - High

  • Modified Anti-Spyware Signatures (1): Improved detection logic for "Grandoreiro Command and Control Traffic Detection" (critical, 86302) to address a possible false positive issue.

  • Modified Vulnerability Signatures - Detection Logic (4): Improved detection logic for vulnerabilities including:

    • Ivanti Endpoint Manager Mobile Remote Code Execution (CVE-2025-4427, CVE-2025-4428) - High (new exploit coverage)

    • Windows Command No-banner Shell Access (medium, possible false positive fix)

    • Microsoft Browser Information Disclosure (CVE-2016-3298) - Medium (new exploit coverage)

    • Pandora FMS chromiumpath and phantomjsbin Command Injection (CVE-2024-12971) - Medium (possible false positive fix)

Issues (Potential)

Based on the content of the update, here are some potential issues for administrators:

  • Policy Impact from App-ID Changes:

    • "SaaS Characteristic" Changes: If you use Application Filters with the "SaaS" characteristic, updating this content will change how some applications are classified. This requires review before the update or a later content version to prevent unexpected policy enforcement or blocking.

    • New App-IDs: The introduction of many new App-IDs, especially for ICS, IoT, and OT, means traffic previously identified as generic (e.g., ssl, web-browsing, unknown) might now be specifically identified. If your security policies rely on broader classifications for this traffic, you might need to adjust rules to permit or block the newly identified applications.

    • Traffic Reclassification: The specific reclassification of ssl traffic to soti-mobicontrol, ms-rdp, and github-base could cause issues if your policies were explicitly allowing or denying ssl for these services without considering the underlying application.

  • UI Issues with ACE and GenAI Characteristic: Customers with ACE (Application Command Explorer) are highly recommended to install the July 15, 2025 content version (which introduces the GenAI characteristic for Content App-IDs) before the August 19, 2025 update to prevent a UI issue. This indicates a potential dependency or incompatibility if not followed.

  • False Positives/Negatives (Temporary): While improvements are aimed at reducing false positives (e.g., Grandoreiro, Windows Command Shell Access, Pandora FMS), any change in signature logic always carries a small risk of temporary false positives or, less commonly, false negatives until the update settles in the environment.

  • Performance Impact: A large number of new and modified signatures, especially for App-IDs, can sometimes have a minor, temporary performance impact during initial deployment or if the firewall is heavily loaded. This is generally mitigated by modern Palo Alto Networks devices.

  • Compatibility: While the "Minimum PAN-OS Version" is listed for vulnerability signatures (e.g., 8.1.0, 11.1), it's crucial to ensure your PAN-OS version is compatible with this content update. Older PAN-OS versions might not fully support all new App-IDs or signature capabilities.

Prognosis

The overall prognosis for this content update is positive for security posture improvement, but it requires proactive management and review by administrators.

  • Enhanced Visibility and Control: The expanded App-ID coverage, particularly for Soti, RDP, Cortex XDR, GitHub, and numerous ICS/IoT/OT protocols, will provide much finer-grained visibility into network traffic. This allows for more precise security policies, moving away from generic ssl or web-browsing rules.

  • Improved Threat Detection: The significant number of new and modified vulnerability and anti-spyware signatures directly enhances the firewall's ability to detect and prevent known exploits and command-and-control activity. The fixes for false positives are also beneficial for reducing alert fatigue.

  • Better SaaS Management: The risk score updates and the new "SaaS" characteristic will aid organizations in better understanding and managing their SaaS application usage from a security perspective. The "Uses GenAI to Generate Code" characteristic is forward-looking and will be increasingly valuable for governing AI-powered development tools.

  • Planning is Key: Due to the "Final Reminder" nature, Palo Alto Networks is giving a clear signal that these changes are coming. This provides administrators with time to:

    • Review existing policies: Specifically, check application filters that use the "SaaS" characteristic.

    • Prepare for new App-IDs: Consider how newly identified applications (especially ICS/IoT/OT) will interact with your current security policies.

    • Prioritize updates: Given the critical and high-severity vulnerability fixes, deploying this update in a timely manner is important.

    • Adhere to the ACE recommendation: Ensure the July 15, 2025 content update is installed for ACE users before August 19, 2025.
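The policy-review step above (and the "Policy Impact from App-ID Changes" issue) is mechanical enough to script. The following Python is an added example written for this post, not Palo Alto Networks code: it walks the security rulebase of a PAN-OS XML configuration export and reports every enabled rule that names one of the generic App-IDs (ssl, web-browsing, traps-management-service) without also naming the successor App-ID the release notes announce. The sample configuration is constructed for the example; its element layout (devices/entry/vsys/entry/rulebase/security/rules) follows the PAN-OS running-config export, and the reclassification map is taken from the notes above.

```python
"""Find PAN-OS security rules that an App-ID reclassification will affect.

Added example, not Palo Alto Networks code.  When a content update moves
traffic from a generic App-ID (ssl, web-browsing) to a specific one
(soti-mobicontrol, ms-rdp, github-base), that traffic stops matching rules
which name only the generic App-ID.  SAMPLE_CONFIG is constructed for this
example and mirrors the PAN-OS running-config export layout.
"""
import xml.etree.ElementTree as ET

# Successor App-ID -> generic App-IDs that carry the traffic today
# (from the content release 8999 notes).
RECLASSIFICATIONS = {
    "soti-mobicontrol": ["ssl"],
    "ms-rdp": ["ssl"],
    "github-base": ["web-browsing", "ssl"],
    "cortex-xdr": ["traps-management-service"],
}

SAMPLE_CONFIG = """\
<config version="11.1.0">
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="allow-web-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
   </entry>
   <entry name="allow-cortex-agents">
    <application><member>traps-management-service</member><member>cortex-xdr</member></application>
    <action>allow</action>
   </entry>
   <entry name="deny-legacy-ssl-to-ot">
    <application><member>ssl</member></application>
    <action>deny</action>
   </entry>
   <entry name="allow-any-app">
    <application><member>any</member></application>
    <action>allow</action>
   </entry>
   <entry name="retired-ssl-rule">
    <application><member>ssl</member></application>
    <action>allow</action>
    <disabled>yes</disabled>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>
"""

RULES_XPATH = ".//rulebase/security/rules/entry"


def find_affected_rules(config_xml: str, reclassifications=RECLASSIFICATIONS):
    """Return one finding per enabled rule that names a generic App-ID
    without also naming the successor App-ID that will take its traffic."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind(RULES_XPATH):
        if rule.findtext("disabled") == "yes":
            continue
        apps = {m.text for m in rule.findall("application/member")}
        if "any" in apps:
            continue  # matches every App-ID, so reclassification cannot break it
        successors = sorted(
            new for new, generics in reclassifications.items()
            if any(g in apps for g in generics) and new not in apps
        )
        if not successors:
            continue
        action = rule.findtext("action")
        # An allow rule silently stops matching the traffic; a deny rule
        # silently stops blocking it and it falls through to later rules.
        risk = ("reclassified traffic no longer allowed here" if action == "allow"
                else "reclassified traffic no longer blocked here")
        findings.append({
            "rule": rule.get("name"),
            "action": action,
            "apps_named": sorted(apps),
            "successors": successors,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    for f in find_affected_rules(SAMPLE_CONFIG):
        print(f"{f['rule']:<24} {f['action']:<6} add/review: "
              f"{', '.join(f['successors'])}  ({f['risk']})")
```

Run it against your own export (Device > Setup > Operations > Export named configuration snapshot) instead of SAMPLE_CONFIG. Rules built on application filters or groups are not expanded here; those still need a manual look, which is exactly the "SaaS characteristic" review the notes call for.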

In summary, Content Update 8999 is a substantial update that significantly enhances Palo Alto Networks' ability to identify applications and detect threats. The "Final Reminder" indicates a strong push towards these changes being live soon, necessitating careful planning and policy review to ensure a smooth transition and maximize security benefits.

Wednesday, July 9, 2025

Security Attacks to the Name Management Protocol in Vehicular Networks

https://www.ndss-symposium.org/wp-content/uploads/vehiclesec2024-4-paper.pdf

The article "Security Attacks to the Name Management Protocol in Vehicular Networks" identifies 19 new vulnerabilities in the Name Management Protocol (NMP) of SAE J1939 networks, which are broadly adopted in Medium and Heavy Duty (MHD) vehicle communications. This protocol is crucial for associating and managing source addresses with the primary functions of controller applications in trucks, a vital part of the transportation system where disruptions can have major social impacts.

The paper details various logical attacks exploiting these vulnerabilities, validated through formal methods and demonstrations on real trucks and bench setups. These attacks can lead to:

* Stealthily denying vehicle start-up.
* Restraining critical vehicular device participation, including "dead beef attacks" that cause reflash failure.
* Stealthy address exhaustion, preventing address-capable controller applications from network engagement.
* Poisoning the controller application's source address-function association table, which can disable features like radar and Anti-Brake System (ABS), and trigger dashboard warnings for retarder braking torque.
* Denial of Service (DoS) on claim messages, prohibiting devices from participating in the network.
* Impersonating a working set master to alter controller application source addresses, leading to "Bot-Net" attacks.
* Executing "birthday attacks" (brute-force collision attacks) to command an invalid or existing name, causing undesired vehicle behavior.

The research highlights that the SAE J1939 protocol was designed without security as a primary consideration, and current authentication defenses are lacking or not widely adopted. The paper also discusses how these vulnerabilities can be exploited via direct access to the CAN bus through public OBD ports or remotely via wireless interfaces.

The authors used Linear Temporal Logic (LTL)-based formal model checking to systematically analyze and validate these attacks, creating formal models of different NMP forms. The findings have been responsibly disclosed to the standardization body, and the models and research artifacts are open-sourced. Mitigation strategies include implementing inter-CA authentication mechanisms, key agreement schemes, and replacing inadequate checksums with more robust authentication codes like MAC, CMAC, or HMAC.
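Until authenticated claims are deployed, the practical defensive move is to watch the address-claim traffic itself. The Python below is an added example, not code from the paper or its artifacts: a passive monitor that rebuilds the source-address to NAME association table from a CAN log and flags the on-bus symptoms of the attacks listed above (an address taken over by a lower NAME, a claimant forced to yield, "Cannot Claim Address" announcements, and more claimed addresses than the vehicle should have). It relies on the SAE J1939-81 address-claim rules: PGN 60928 (0xEE00), an 8-byte NAME sent least-significant byte first, source address 0xFE for "cannot claim", and the lower NAME winning a contested address. Input lines use candump's "(timestamp) interface ID#DATA" layout; the sample log is constructed for this example.

```python
"""Passive monitor for SAE J1939 address-claim traffic (NMP, PGN 60928).

Added example, not code from the paper or its artifacts.  It rebuilds the
source-address -> NAME association table from a CAN log and flags the
events the attacks above would produce on the bus.  Input lines use
candump's "(timestamp) interface ID#DATA" layout; SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass

ADDRESS_CLAIM_PGN = 0x00EE00   # J1939-81 Address Claimed / Cannot Claim Address
NULL_ADDRESS = 0xFE            # source address used when a CA could not claim one

CANDUMP_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample: two CAs claim 0x80 and 0x81, then 0x80 is contested.
SAMPLE_LOG = [
    "(0.000100) can0 18EEFF80#1122334455667788",  # CA "A" claims SA 0x80
    "(0.000200) can0 18EEFF81#A1A2A3A4A5A6A7A8",  # CA "B" claims SA 0x81
    "(0.000300) can0 18EEFF80#1122334455667788",  # A re-announces, same NAME: no event
    "(1.500000) can0 18EEFF80#0011223344556677",  # lower NAME contests 0x80 and wins
    "(1.600000) can0 18EEFF80#FFEEDDCCBBAA9988",  # higher NAME contests 0x80, must yield
    "(1.700000) can0 18EEFFFE#1122334455667788",  # A gives up: Cannot Claim Address
    "(2.000000) can0 0CF00400#FFFFFFFFFFFFFFFF",  # EEC1 from SA 0x00, not a claim
]


@dataclass(frozen=True)
class Claim:
    ts: float
    sa: int     # source address: low byte of the 29-bit identifier
    name: int   # 64-bit J1939 NAME


def decode_pgn(can_id: int) -> int:
    """Extract the PGN from a 29-bit J1939 identifier.

    PF < 0xF0 is PDU1: PS carries the destination address and the PGN's low
    byte is zero.  PF >= 0xF0 is PDU2: PS is part of the PGN.  The data page
    bit selects the upper PGN range.
    """
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    pgn = (dp << 16) | (pf << 8)
    return pgn | ps if pf >= 0xF0 else pgn


def parse_claim(line: str):
    """Return a Claim for an address-claim frame, or None for any other line."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        return None
    can_id = int(m["id"], 16)
    data = bytes.fromhex(m["data"])
    if decode_pgn(can_id) != ADDRESS_CLAIM_PGN or len(data) != 8:
        return None
    # The NAME is transmitted least-significant byte first.
    return Claim(float(m["ts"]), can_id & 0xFF, int.from_bytes(data, "little"))


def monitor(lines, max_claimed=120):
    """Replay the log; return (table, events) where table maps SA -> NAME."""
    table, events, exhausted = {}, [], False
    for line in lines:
        claim = parse_claim(line)
        if claim is None:
            continue
        if claim.sa == NULL_ADDRESS:
            events.append(("cannot-claim", claim.ts, claim.name))
            continue
        current = table.get(claim.sa)
        if current is None:
            table[claim.sa] = claim.name
        elif claim.name < current:
            # J1939-81 awards a contested address to the lower NAME, so the
            # association table changes underneath the previous holder.
            events.append(("address-takeover", claim.ts, claim.sa, current, claim.name))
            table[claim.sa] = claim.name
        elif claim.name > current:
            events.append(("contention-lost", claim.ts, claim.sa, claim.name))
        if len(table) > max_claimed and not exhausted:
            exhausted = True   # report address exhaustion once, not per claim
            events.append(("address-exhaustion", claim.ts, len(table)))
    return table, events


if __name__ == "__main__":
    final_table, seen = monitor(SAMPLE_LOG)
    for sa, name in sorted(final_table.items()):
        print(f"SA 0x{sa:02X} -> NAME 0x{name:016X}")
    for event in seen:
        print(event)
```

Feed it `candump -l` output from the diagnostic port of a known-good vehicle first to learn the normal claim pattern; a takeover of an address that has held the same NAME since power-on, or any cannot-claim from a CA that previously succeeded, is worth an alert. The threshold for address exhaustion should be set from the vehicle's actual CA count rather than the 120 default used here.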

From TCP/IP to Today - Vint Cerf in Conversation

This video is an interview with Vint Cerf, one of the "fathers of the internet," conducted by Chris Greer at Sharkfest 2025 [00:00].

The interview covers several key topics:

  • The Genesis of the Internet [01:04]: Vint Cerf explains that the internet's development stemmed from the ARPANET project, initiated by the Defense Department's Advanced Research Projects Agency (ARPA) to avoid technological surprises after Sputnik [01:16]. ARPA funded research at universities and, unable to buy supercomputers for all, decided to build a network for sharing resources using packet switching [02:05].

  • Evolution of Protocols [02:31]: Bob Kahn, from ARPA, worked on mobile packet radio and satellite networks. In 1973, he approached Vint Cerf at Stanford with the problem of connecting these disparate networks [03:10]. This led to the development of TCP (Transmission Control Protocol) [03:34], which was later split into TCP/IP in 1976 to accommodate real-time applications like speech and video [03:53]. The internet officially became operational in 1983 [04:21].

  • Early Applications and Growth [05:01]: Cerf discusses early applications like electronic mail (invented in 1971) [05:26], distribution lists (early social networking) [05:33], remote access, and file transfers [05:53]. The World Wide Web, announced by Tim Berners-Lee in 1991, and graphical user interfaces like Mosaic (1993) [06:01] ignited the internet's growth, leading to the dot-com boom [06:42].

  • Artificial Intelligence (AI) [07:11]: Cerf touches upon the history of AI, from heuristic programming and expert systems to multi-layer neural networks and the current dramatic results with large language models and machine learning [07:40]. He provides examples of AI's practical applications, such as cooling data centers [09:10] and protein folding [09:43].

  • Future of the Internet [10:33]: Looking ahead, Cerf discusses the use of cis-lunar space and low Earth orbiting satellites for communication [11:20], and significant investments in optical fiber networks [11:28]. He highlights the need for new protocols like Delay and Disruption Tolerant Networking (DTN) and the Bundle Protocol for deep space communication due to long delays and disruptions [11:53]. He mentions the ongoing project to build a solar system internet with collaboration from multiple space agencies [13:33].

  • Wireshark's Relevance [15:04]: Cerf praises Wireshark as a "fabulous tool" for exposing what's happening on the network, aiding in debugging, improving performance, and understanding protocol interactions [15:27]. He emphasizes its continued relevance for anyone serious about networking or cybersecurity [17:07].

  • Reflections and Advice [18:01]: When asked what he would tell his younger self, Cerf humorously states he would advise for 128 bits of address space instead of 32 bits [18:16]. He also mentions the importance of paying more attention to cryptography and security, acknowledging the limitations of early crypto and the later development of public key cryptography [18:58]. He also touches on the current threat of quantum computing to existing codes and the development of new quantum-resistant algorithms [20:13].

  • Personal Anecdote [21:00]: Cerf shares a relatable story about troubleshooting a printer issue that turned out to be due to his laptop still being connected to a mobile hotspot network instead of his home network [21:11].

  • Acknowledgements [22:23]: Cerf concludes by acknowledging the millions of people who have contributed to making the internet what it is today and who work to keep it running and secure [22:34].

You can watch the video at: http://www.youtube.com/watch?v=FKlqd_qr-nk

The Nexus of Policy and Technology: An Expert Report on Allegations of Political Bias in Gmail's Spam Filtering

  Executive Summary: The Nexus of Policy and Technology The Federal Trade Commission (FTC) has initiated a new wave of regulatory scrutiny a...