Security Leftovers and Windows TCO
-
Applications
-
Tor ☛ New Release: Tor Browser 13.0.13
Tor Browser 13.0.13 is now available from the Tor Browser download page and also from our distribution directory.
This is an unscheduled emergency release with important security updates to Firefox for Desktop platforms. Android is unaffected.
-
-
Confidentiality
-
Light Blue Touchpaper ☛ Owl, a new augmented password-authenticated key exchange protocol
On 5 March 2024, I gave a presentation on Owl at Financial Cryptography and Data Security 2024 (FC’24) in Curacao. The purpose of this blog is to invite public scrutiny of Owl. See the Owl paper and the FC slides for further details. An open-source Java program that shows how Owl works in an elliptic curve setting is freely available. We hope security researchers and developers will find Owl useful, especially in password-based client-server settings where a PKI is unavailable (hence TLS doesn’t apply). Same as J-PAKE, Owl is not patented and is free to use.
-
-
Windows TCO
-
Federal News Network ☛ DoD’s approach to fix its computers is function over form
A year after a scathing report from the Defense Business Board found general unhappiness with the user experience with technology across the Defense Department, the chief information officer’s office is taking a simple approach to fix the computers.
A big part of this effort came earlier this year when DoD’s CIO created a customer experience office, led by Savanrith Kong, who now serves as the senior advisor for the user experience (UX) portfolio management office (PfMO).
Leslie Beavers, the principal deputy CIO for DoD, said the overarching philosophy behind this improved CX approach is putting the user and their mission first.
-
Security Week ☛ Ransomware Group Takes Credit for Attack on Boat Dealer MarineMax
The Rhysida ransomware group has taken credit for the recent cyberattack on boat dealer MarineMax and is offering to sell data allegedly stolen from the company for a significant amount of money.
MarineMax is one of the world’s largest retailers of recreational boats and yachts. The company has over 125 locations worldwide and nearly 4,000 employees, and it reported a revenue of more than $500 million in the first fiscal quarter of 2024.
-
The Record ☛ Illinois county government, local college affected by ransomware attacks
An Illinois county on the border with Iowa is the latest local government in the U.S. to fall victim to a ransomware attack.
Henry County has been dealing with a wide-ranging cyberattack since March 18, Mat Schnepple, director of the Emergency Management (OEM) office in Henry County, confirmed to Recorded Future News.
-
-
Integrity/Availability/Authenticity
-
Wired ☛ Photography Is No Longer Evidence of Anything
The article was titled “Digital Retouching: The End of Photography as Evidence of Anything.” It opened with an imaginary courtroom scene where a lawyer argued that compromising photos should be excluded from a case, saying that due to its unreliability, “photography has no place in this or any other courtroom. For that matter, neither does film, videotape, or audiotape.”
-
Gizmodo ☛ X Continues to Break as Fraudsters Use Deceptive Links to Scam You
Unfortunately, X is previewing the final destination, which allows users to be fooled. If you’re on a desktop, you can hover over links, and your browser will likely do a better job of previewing what you’re about to click on. If you’re on a mobile phone, there’s no real way to check if links on X are legit.
-
DomainTools ☛ We need an American Girl who bolsters cybersecurity
A few initial indicators of possible malfeasance include the domain “USGirlShop” masquerading as AG (i.e. using the AG logo – a slightly older logo at that) along with verbiage claiming exclusivity on a coveted discontinued item. Other indicators include minor misspellings, odd spacing, and that ampersand code in the navigation bar. Personally, I wouldn’t feel comfortable sharing personally identifiable information (PII) or my credit card information with this website, and luckily the advice from others in this subreddit aligned with my feelings. I wanted to learn more, so I looked in Iris Investigate to see what else I could find.
-