Security Leftovers, Especially Windows TCO
-
Windows TCO
-
The Washington Post ☛ U.S. Treasury says it was [breached] by China-backed actors
The U.S. Treasury Department said Monday that it was [breached] by a Chinese state-sponsored actor who gained access to government workstations and unclassified documents, according to a letter reviewed by The Washington Post.
The department was notified Dec. 8 by a third-party software provider, BeyondTrust, that a hacker had gained access to a security key, which allowed the intruder to override certain security protocols and access some Treasury Department office workstations and unclassified documents stored on them, according to the letter notifying the Senate Banking Committee leadership of the breach.
-
Federal News Network ☛ Treasury says Chinese [intruders] remotely accessed workstations, documents in ‘major’ cyber incident
The Treasury Department said it learned of the problem on Dec. 8, when a third-party software service provider, BeyondTrust, flagged that [intruders] had stolen a key “used by the vendor to secure a cloud-based service used to remotely provide technical support” to workers. That key helped the [intruders] override the service’s security and gain remote access to several employee workstations.
-
Deseret Media ☛ US Treasury says Chinese [intruders] stole documents in 'major incident'
The [attackers] compromised third-party cybersecurity service provider BeyondTrust and were able to access unclassified documents, the letter said.
According to the letter, [intruders] "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."
-
Federal News Network ☛ Rogue Two — Your IT sprawl is about to expand to space
Software developers, marketers and others across the enterprise would often bypass their own IT department to avoid standing in line for all those pesky compliance checks, budget approvals and the heap of IT purchase requests. All they had to do was use their corporate or personal card to access compute and storage on Amazon or another cloud provider and they were off and running with their new application. This was convenient for them, but wreaked havoc on the organization’s control, compliance and grasp on spend. This also resulted in cloud or “IT sprawl” in which various applications grow virally in department silos while lacking the ability to leverage data and functionality across the enterprise. These isolated islands of intellectual property and business insight can easily be underleveraged, misused, or worse, stolen.
-
-
Confidentiality
-
Filippo Valsorda ☛ Benchmarking RSA Key Generation
RSA key generation is both conceptually simple and one of the worst implementation tasks in the field of cryptography engineering. Even benchmarking it is tricky, and involves some math: here’s how we generated a stable but representative “average case” instead of using the ordinary statistical approach.
-
-
Integrity/Availability/Authenticity
-
CCC ☛ Ten Years of Rowhammer: A Retrospect (and Path to the Future)
Now, in 2024, it is precisely 10 years after Rowhammer was discovered. Thus, we believe it is time to look back and reflect on the progress we have made. We have seen a seemingly endless cat-and-mouse security game with a constant stream of new attacks and new defenses. We will discuss the milestone works throughout the last 10 years, including various mitigations (making certain instructions illegal, ECC, doubled-refresh rate, pTRR, TRR) and how they have been bypassed. We show that new Rowhammer attacks pushed the boundaries further with each defense and challenge. While initial attacks required native code on Intel x86 with DDR3 memory, subsequent attacks have also been demonstrated on DDR4 and, more recently, DDR5. Attacks have also been demonstrated on mobile Arm processors and AMD x86 desktop processors. Furthermore, instead of native code, attacks from sandboxed JavaScript or even remote attacks via network have been demonstrated as well.
-
Ethan Rahn ☛ SPHINCS+ - Step by Step
This post features me discussing SPHINCS+, which is a PQC algorithm for digital signatures. It’s intended for use as a replacement for current signature schemes and is stateless (you don’t need to remember anything about prior signatures), tunable (you can make tradeoffs on signatures being fast to use vs smaller), and most importantly, based on present day hash algorithms. The final property, being based on hash algorithms, helps make it understandable without a good background in mathematics.
I’ll preface this with a small note about my credentials: Caveat emptor. I am not a cryptographer. Do not take anything here at face value. I have a bit over a decade of experience in product cybersecurity and am familiar with using various cryptographic algorithms. I have tried to include all of my source materials so that it is clear why I am saying something and you can do your own research. When reading this, assume I am a dummy trying hard with good intentions and will update anything I am emailed about.
-