The mother of all breaches

SecurityDiscovery.com and Cybernews have jointly found the largest collection of hacked credentials ever discovered. Containing over 2,500 data breaches with 15 billion records, this is a new record. As it contains multiple breaches, one must assume there will be duplicates.

This comes only a week after Techspot discovered over 71 million credentials and 25 million never-before-seen passwords.

Ethereum Block Chains “Hacked”

The February issue of MIT Technology Review reviews a 51% attack on Ethereum Classic. The article also covers similar attacks on lower-value cryptocurrencies and how they have progressed to now attacking top-20 currencies. Also covered (again) are the current issues with smart contracts.
These issues are the sword of Damocles hanging over cryptocurrencies: the openness of the approach is also its biggest weakness.

Apple HW can still be hacked

As you may remember, with the introduction of Apple’s M1 CPUs there was a lot of discussion about the inclusion of the T2 chip and its impact on upgrades and 3rd-party HW. As highlighted in the article on Tom’s Hardware, with some effort (and nerves of steel) you can desolder both the RAM and the HDs in the Apple Mac Mini with M1 and replace them without issues.
I wonder how long before Apple blocks this?

How safe is NFT?

The latest Bitcoin (actually Ethereum) craze to emerge is non-fungible tokens, or NFTs. Simply put, it’s a digital ledger containing digital assets, mostly art in digital form, i.e. a ledger where the “rights” to the content are owned by you as a transferable asset. Several high-value transactions have been in the news recently, such as Beeple and DJ3LAU, but NFTs are not as straightforward as people think. An interesting article on Motherboard shows the ins and outs of buying and owning (or not) of FCC’s and highlights some of the problems with this.

MS ION: Decentralized Identifiers (DIDs)

Microsoft just made public the details of their DID implementation, ION, as their part of the drive towards decentralised Layer 2 authentication and control.

“We are excited to share that v1 of ION is complete and has been launched on Bitcoin mainnet. We have deployed an ION node to our production infrastructure and are working together with other companies and organizations to do so as well”

The increased use of Counterfeit Digital Certificates in Malware

The previous trend of using stolen certificates to digitally sign malware (to circumvent OS requirements for valid digital signatures on files to install SW) has been overtaken by black hats issuing counterfeit certificates while pretending to be the institution the certificates are issued to. Social engineering taken to the next level is one way of looking at this. Recorded Future has an analysis of the current marketplace, tracking the 3 largest dark web merchants and their volumes over the last 5 years, along with a breakdown of the current offerings available. Note that the high-end certs are Symantec certs, from the CA that got phased out by the browser vendors after numerous issues, so the hope is that this will remove the EV certificates from this kind of use.

Machine Learning gone bad

I suppose every new technology will eventually be misused, and this has now come to machine learning and facial recognition algorithms. As reported by Motherboard, an app has been launched on Reddit using NVIDIA’s CUDA framework to morph faces onto another body, to create realistic videos as an outcome. Of course (in a forum dominated by teenage boys) the initial activity is to use celebrity faces in porn scenes, but it raises another worry about trusting digital images and video files in a wider use of this technology.

Digital Identities – a distributed approach

Traditional digital identity schemes, such as the X509 certificate approach and similar, have always carried substantial overhead and cost to reach non-repudiation. With the explosion of distributed ledgers in areas such as digital currencies, and the current reluctance of consumers to use IoT solutions due to privacy and security issues, there is a need for an alternative. The Sovrin Foundation has taken this up and made a “Self-Sovereign” Identity solution. Based on open-source distributed ledger technology, this approach has a lot of potential, in particular in the theoretical ability to self-manage devices and their trust relationships. The illustration here shows how this works in the real world.