site: www.lightbluetouchpaper.org
Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.
https://www.lightbluetouchpaper.org/2020/05/28/three-paper-thursday-vulnerabilities-weve-got-vulnerabilities-here-see-nobody-cares/ [www.lightbluetouchpaper.org]
2020-05-28 16:21
tags:
ioshit
malware
networking
paper
security
Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.
The lifetime of an Android API vulnerability
https://www.lightbluetouchpaper.org/2019/07/10/the-lifetime-of-an-android-api-vulnerability/ [www.lightbluetouchpaper.org]
2019-07-10 19:00
tags:
android
bugfix
development
paper
security
When we published our paper in 2015, we predicted that this vulnerability would not be patched on 95% of devices in the Android ecosystem until January 2018 (plus or minus a standard deviation of 1.23 years). Since this date has now passed, we decided to check whether our prediction was correct.
The good news is that we found the operating system update requirements crossed the 95% threshold in May 2017, seven months earlier than our best estimate, and within one standard deviation of our prediction. The most recent data for May 2019 shows deployment has reached 98.2% of devices in use. Nevertheless, fixing this aspect of the vulnerability took well over 4 years to reach 95% of devices.
oof.
The two-time pad: midwife of information theory?
https://www.lightbluetouchpaper.org/2018/07/17/the-two-time-pad-midwife-of-information-theory/ [www.lightbluetouchpaper.org]
2018-07-17 18:39
tags:
crypto
history
security
The NSA has declassified a fascinating account by John Tiltman, one of Britain’s top cryptanalsysts during world war 2, of the work he did against Russian ciphers in the 1920s and 30s. In it, he reveals (first para, page 8) that from the the time the Russians first introduced one-time pads in 1928, they actually allowed these pads to be used twice.
1000 days of UDP amplification DDoS attacks
https://www.lightbluetouchpaper.org/2017/05/02/1000-days-of-ddos-attacks/ [www.lightbluetouchpaper.org]
2017-05-03 15:08
tags:
networking
paper
security
To measure the use of this strategy we analysed the results of running a network of honeypot UDP reflectors from July 2014 onwards. We explored the life cycle of attacks that use our honeypots, from the scanning phase used to detect our honeypot machines, through to their use in attacks.