CRYPTO-GRAM, September 15, 202 Part 2

    From Sean Rima@21:1/229.1 to All on Tuesday, October 01, 2024 21:52:06
    Unit 42 monitors ransomware and extortion leak sites closely to keep
    tabs on threat activity. We reviewed compromise announcements from 53
    dedicated leak sites in the first half of 2024 and found 1,762 new
    posts. This averages to approximately 294 posts a month and almost 68
    posts a week. Of the 53 ransomware groups whose leak sites we
    monitored, six of the groups accounted for more than half of the
    compromises observed.

    In February, we reported a 49% increase year-over-year in alleged
    victims posted on ransomware leak sites. So far, in 2024, comparing the
    first half of 2023 to the first half of 2024, we see an even further
    increase of 4.3%. The higher level of activity observed in 2023 was no
    fluke.

    Activity from groups like Ambitious Scorpius (distributors of
    BlackCat) and Flighty Scorpius (distributors of LockBit) has largely
    fallen off due to law enforcement operations. However, other threat
    groups we track such as Spoiled Scorpius (distributors of RansomHub)
    and Slippery Scorpius (distributors of DragonForce) have joined the
    fray to fill the void.

    ** *** ***** ******* *********** *************
    Hacking Wireless Bicycle Shifters

    [2024.08.20] This is yet another insecure Internet-of-things story, this
    one about wireless gear shifters for bicycles. These gear shifters are
    used in big-money professional bicycle races like the Tour de France,
    which provides an incentive to actually implement this attack.

    Research paper. Another news story.

    Slashdot thread.

    ** *** ***** ******* *********** *************
    Story of an Undercover CIA Officer who Penetrated Al Qaeda

    [2024.08.21] Rolling Stone has a long investigative story
    (non-paywalled version here) about a CIA officer who spent years
    posing as an Islamic radical.

    Unrelated, but also in the “real life spies” file: a fake Sudanese
    diving resort run by Mossad.

    ** *** ***** ******* *********** *************
    Surveillance Watch

    [2024.08.22] This is a fantastic project mapping the global
    surveillance industry.

    ** *** ***** ******* *********** *************
    Take a Selfie Using a NY Surveillance Camera

    [2024.08.23] This site will let you take a selfie with a New York City
    traffic surveillance camera.

    EDITED TO ADD: BoingBoing post.

    ** *** ***** ******* *********** *************
    US Federal Court Rules Against Geofence Warrants

    [2024.08.26] This is a big deal. A US Appeals Court ruled that
    geofence warrants -- these are general warrants demanding information
    about all people within a geographical boundary -- are
    unconstitutional.

    The decision seems obvious to me, but you can’t take anything for granted.

    ** *** ***** ******* *********** *************
    The Present and Future of TV Surveillance

    [2024.08.27] Ars Technica has a good article on what’s happening in
    the world of television surveillance. More than even I realized.

    ** *** ***** ******* *********** *************
    Matthew Green on Telegram’s Encryption

    [2024.08.28] Matthew Green wrote a really good blog post on what
    Telegram’s encryption is and is not.

    EDITED TO ADD (8/28): Another good explainer from Kaspersky.

    ** *** ***** ******* *********** *************
    Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published

    [2024.08.29] The “long lost lecture” by Adm. Grace Hopper has been
    published by the NSA. (Note that there are two parts.)

    It’s a wonderful talk: funny, engaging, wise, prescient. Remember that
    talk was given in 1982, less than a year before the ARPANET switched to
    TCP/IP and the internet went operational. She was a remarkable person.

    Listening to it, and thinking about the audience of NSA engineers, I
    wonder how much of what she’s talking about as the future of computing
    -- miniaturization, parallelization -- was being done in the present
    and in secret.

    ** *** ***** ******* *********** *************
    SQL Injection Attack on Airport Security

    [2024.09.02] Interesting vulnerability:

    ...a special lane at airport security called Known Crewmember (KCM).
    KCM is a TSA program that allows pilots and flight attendants to
    bypass security screening, even when flying on domestic personal
    trips.

    The KCM process is fairly simple: the employee uses the dedicated lane
    and presents their KCM barcode or provides the TSA agent their employee
    number and airline. Various forms of ID need to be presented while the
    TSA agent’s laptop verifies the employment status with the airline. If
    successful, the employee can access the sterile area without any
    screening at all.

    A similar system also exists for cockpit access, called the Cockpit
    Access Security System (CASS). Most aircraft have at least one jumpseat
    inside the cockpit sitting behind the flying pilots. When pilots need
    to commute or travel, it is not always possible for them to occupy a
    revenue seat, so a jumpseat can be used instead. CASS allows the gate
    agent of a flight to verify that the jumpseater is an authorized
    pilot. The gate agent can then inform the crew of the flight that the
    jumpseater was authenticated by CASS.

    [attack details omitted]
    ---
    * Origin: High Portable Tosser at my node (21:1/229.1)
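The excerpt quoted in the last item describes an employment-status lookup
that a laptop performs against airline data, and the Crypto-Gram headline
names the defect class as SQL injection; the attack details themselves are
omitted above. As an added illustration of that defect class, not code from
the newsletter, from the article it quotes, or from any real TSA or airline
system, the Python below shows a hypothetical employee lookup written with
string concatenation beside the same lookup using parameter binding and
input validation. The table layout, employee numbers, airline name and
function names are all constructed assumptions for this example.

```python
import sqlite3

# Constructed sample data for a hypothetical airline employment-status lookup.
# The table layout, employee numbers and airline name are assumptions made for
# this example; they are not the real KCM or CASS systems.
SAMPLE_EMPLOYEES = [
    ("100234", "Example Air", "active"),
    ("100789", "Example Air", "terminated"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_no TEXT, airline TEXT, status TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_EMPLOYEES)
    return conn


def lookup_unsafe(conn, emp_no, airline):
    """Vulnerable pattern: caller-supplied values are pasted into the SQL text.

    The database engine cannot tell data from query syntax, so an input that
    carries a quote or an OR clause changes which rows the query selects.
    """
    sql = (
        "SELECT emp_no, airline, status FROM employees "
        f"WHERE emp_no = '{emp_no}' AND airline = '{airline}' "
        "AND status = 'active'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, emp_no, airline):
    """Hardened pattern: check the shape of the input, then bind it as a
    parameter so the driver always treats it as a value, never as SQL."""
    # Employee numbers in this hypothetical schema are short digit strings;
    # anything else is rejected before the database is consulted.
    if not (emp_no.isdigit() and 1 <= len(emp_no) <= 12):
        return []
    sql = (
        "SELECT emp_no, airline, status FROM employees "
        "WHERE emp_no = ? AND airline = ? AND status = 'active'"
    )
    return conn.execute(sql, (emp_no, airline)).fetchall()


def is_authorized(rows):
    """Decide only on an exact match: one row, and that row marked active."""
    return len(rows) == 1 and rows[0][2] == "active"


def compare(emp_no, airline):
    """Run both lookups against the constructed data and return the two
    authorization decisions as (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        unsafe = is_authorized(lookup_unsafe(conn, emp_no, airline))
        safe = is_authorized(lookup_safe(conn, emp_no, airline))
    finally:
        conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A genuine active employee is accepted by both versions.
    print(compare("100234", "Example Air"))
    # An airline value carrying SQL syntax changes the meaning of the
    # concatenated query; the parameterized query treats the same value as a
    # literal string and finds nothing.
    print(compare("000000", "Example Air' OR '1'='1"))
```

Two points from the example carry over to any such check. First, the
parameterized query alone closes the injection path; the digit check on the
employee number is defense in depth and also gives a natural place to log
and alert on malformed input. Second, the decision function insists on
exactly one matching row: a lookup that returns "at least one row" would
still pass when a query has been widened to match everyone.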