Here’s what CISA — the Cybersecurity and Infrastructure Security Agency — has to say about Russia. This is from their Russia Cyber Threat Overview and Advisories page, which was on their website at the time of writing, but it might not be for much longer:
Friends in the cybersecurity industry — prepare a lot of headaches in the near future.
The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”
Not only do the DOGEbags lack forensic accountants, it seems that they’re short on people with even the most basic cybersecurity chops.
In all my years, I’ve failed it only once. But I’m certain that actually experiencing that failure ensured that the lesson would “stick.”
I happened a few years back. I was being diligent and getting all my tax stuff ready to send to my accountant in early February, around the time when my then-employer was sending employees their primary tax document, the dreaded Form W-2. (For those of you outside the U.S., it’s the wage and tax document provided by your employer; for example, the Canadian equivalent is the “T4 Slip”.)
I was doing a search through my company inbox to find the download location for my W-2 information, having forgotten that it was available through Workday. One of the search results was one of those phishing email tests, disguised to look like an official email with a link to my tax info. Since I was reading the email as search results and not as email, I was not in my usual email security mindset, clicked the link in the email, and boom:
I got the usual “Your manager will be notified and you’ll have to undergo mandatory security re-education” message afterward. Surprisingly, my manager never brought it up, and I was never scheduled for the “Don’t do it again, dumbass” remedial course, but believe me: I learned my lesson that day.
Here it is — the video of my presentation, xz made EZ, which covers the security incident with the xz utils utility on Unix-y systems, which I gave at BSides Tampa 2024 on April 6th:
The details of the xz vulnerability were made public mere days before the BSides Tampa 2024 cybersecurity conference, and on a whim, I emailed the organizers and asked if I could do a lightning talk on the topic.
They quickly got back to me and let me know that they’d had a last-minute speaker cancellation and gave me a full slot in which to do my presentation.
The moral of the story? It never hurts to ask, and it can lead to opportunities!
What’s this xz thing, anyway?
Let me answer with this slide from my presentation:
xz is short for xz Utils, a compression utility that you’ll find in Unix-y operating systems, including:
Linux distributions
macOS
It’s usually used by Unix greybeards who generally use it in combination with tar.
What happened with xz?
xz was one of those open source projects that had a vulnerability best illustrated by this xkcd comic:
xz was like that project pointed out in the comic, except that the “random person” doing the maintaining was Lass Collin, a developer based in Finland, who was experiencing burnout. As a result, xz was languishing.
In what appeared to be a stroke of good fortune, a developer who went by the handle of “Jia Tan” on GitHub came to the rescue and started submitting patches to xz.
At about the same time, there were a number of complaints about xz’s lack of apparent maintenance. In hindsight, it looks like a clever two-pronged campaign:
A group of people loudly clamoring for someone else to take the reins of the xz project, and
A friendly developer who swoops in at the right time, making patches to the xz project…
…all while a burned-out Lasse Collin was facing a lot of stress.
On November 30, 2022, Lasse changed the email address for xz bug reports to an alias that redirected to both his email address as well as Jia Tan’s. At that point, Jia Tan, the apparently helpful developer who appeared at just the right time, was now an official co-maintainer.
Not long after, Lasse releases his last version of xz, and soon after Jia Tan, now the sole maintainer of the project, releases their own version.
With full control of the project, Jia Tan starts making changes — all the while, carefully disguising them — that create a “back door” within the xz application.
On any system that had Jia Tan’s tainted version of xz installed, an unauthorized user with the right private key could SSH into that system with root-level access. By becoming the maintainer of a trusted application used by many Linux versions, Jia Tan managed to create a vulnerability by what could have been one of the most devastating supply-chain attacks ever.
It’s back! The 11th edition of BSides Tampa, Tampa Bay’s community-led cybersercurity conference, happens Saturday, April 6th at Marshall Student Center at USF.
You’ll want to attend BSides if:
You work in cybersecurity, because your peers — some of whom you might not know — will be there.
You’re looking for a cybersecurity job. You’ll get to network with people in the field, and you’ll find the conference’s Career track helpful.
You’re curious about cybersecurity. What do cybersecurity people do? They test systems for vulnerabilities (go to the talks in the Offense / Red Team track), they protect systems from attackers (go to the talks in the Defense / Blue Team track), and they create processes to enhance security (go to the talks in the Governance track).
You’re into intelligence — human and artificial. There’s an AI / Defense track that covers these topics.
You want to learn. I can’t think of a BSides where I didn’t learn at least three important things.
You want to know what the Tampa security scene is like. Tampa has an underappreciated security scene, and you’ll get to see what it’s like at BSides Tampa!
BSides Tampa is sponsored by the Tampa Bay chapter of (ISC)², which is clever and mathematically-correct shorthand for “International Information System Security Certification Consortium”. (ISC)² is a non-profit specializing in training and certifying information security professionals.
BSides gets it name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content.
Here’s the origin story: When the 2009 Black Hat conference in Las Vegas received more presentation submissions than they could take on. There were many presenters whose talks weren’t accepted, but were still very good — there just wasn’t enough room for them at Balck Hat.
So they banded together and made their own parallel conference that ran in parallel to Black Hat — it’s from that event that we get BSides.
BSides conferences are community events, and unlike a lot of tech conferences, they’re inexpensive. BSides Tampa 2024 costs $45 to attend — the same price as last year — and that gets you:
Access to all conference tracks
Access to Discord server
Access to the exhibition area, villages, and sponsorship area
According to cybersecurity news site The Record (they’re pretty good; you should bookmark them), newly-appointed U.S. Defense Secretary (and former FOX News host, philanderer, and raging alcoholic with a track record that “falls short of military standards”) ordered U.S. Cyber Command to stand down from all planning against Russia last week.
Here’s what CISA — the Cybersecurity and Infrastructure Security Agency — has to say about Russia. This is from their Russia Cyber Threat Overview and Advisories page, which was on their website at the time of writing, but it might not be for much longer:
Friends in the cybersecurity industry — prepare a lot of headaches in the near future.
