Thursday, April 11, 2024

Security is hard, vol CCLVI

Act the first: Web Security organization suffers data breach:

A misconfigured MediaWiki web server allowed digital snoops to access members' resumes containing their personal details at the Open Web Application Security Project (OWASP) Foundation.


"If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach," OWASP said in a Good Friday notification posted on its website.

"We recognize the significance of this breach, especially considering the OWASP Foundation's emphasis on cybersecurity," it added.

Yup.  This shows just how hard security is - OWASP is full to the brim with folks who (a) understand the importance of security, (b) know how to implement security (well, most of the time), and (c) have a lot of reputation at stake.  That reputation took a hit here.

Act the second: OPSEC is a bitch, even for secret squirrels:

Protecting your privacy online is hard. So hard, in fact, that even a top Israeli spy who managed to stay incognito for 20 years has found himself exposed after one basic error.

The spy is named Yossi Sariel allegedly heads Israel's Unit 8200 – a team of crack infosec experts comparable to the USA’s National Security Agency or the UK’s Government Communications Headquarters. Now he's been confirmed as the author of a 2021 book titled "The Human Machine Team" about the intelligence benefits of pairing human agents with advanced AI.

Sariel – who wrote the book under the oh-so-anonymous pen name “Brigadier General YS” – made a crucial mistake after an investigation by The Guardian which found an electronic copy of Sariel's book available on Amazon "included an anonymous email that can easily be traced to Sariel's name and Google account.”

Being outed after more than 20 years of anonymity isn't optimal for someone who's supposed to be a top spy

Yup.  And while it's tempting to roll your eyes and chorus Top. Men., remember that this is how they nabbed Ross Ulricht, a.k.a. The Dread Pirate Roberts from The Silk Road.

Yeah, OPSEC is a stone cold bitch of a problem.  You have to be right 100% of the time, and dropping that to 99.99% means that you lose.


Old NFO said...


HMS Defiant said...

I remember at SPAWAR finding that one of the ships our teams visited had somehow hooked up an ordinary NIPRnet machine to the SIPRNET and anybody could access it for years.

Richard said...

The problem is that security is defense only. As near as I can tell, there is some effort expended on offense on the part of the government but it is directed only at those perceived as geopolitical or domestic political enemies. I know of no attempt by anyone to go after the scam artists and those who just like to see the world burn.