
Friday Squid Blogging: Giggling Squid – Source: www.schneier.com


Source: www.schneier.com – Author: Bruce Schneier


Comments

ResearcherZero


June 23, 2023 5:30 PM

‘http://www.fortiguard.com/psirt/FG-IR-23-074

“Security experts say CISA’s directive highlights the reality that cyberspies and ransomware gangs are making it increasingly risky for organizations to expose any devices to the public Internet, because these groups have strong incentives to probe such devices for previously unknown security vulnerabilities.”

Gray said the security industry had been focused on building the next generation of remote access tools that are more security-hardened, but when the pandemic hit organizations scrambled to cobble together whatever they could.

“In the years leading up to the pandemic, the push towards identity-aware proxies and zero trust everything and moving away from this type of equipment was gradual, but it was happening,” Gray said. “And then COVID-19 hit and everybody had to go work from home, and there really was one option to get going quickly — which was to deploy VPN concentrators with enterprise features.”

‘https://krebsonsecurity.com/2023/06/cisa-order-highlights-persistent-risk-at-network-edge/

“Sherman also laid out critical areas of focus for the department moving forward including the implementation of targeted zero-trust capabilities across the DOD enterprise by 2027.”

https://www.defense.gov/News/News-Stories/Article/Article/3383253/defense-official-says-diverse-talent-pool-is-critical/

Further, in the set of entities selected for focused data exfiltration, shell scripts were uncovered that targeted email domains and users from ASEAN Ministry of Foreign Affairs (MFAs), as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong. In addition, the actors searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.


https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

ResearcherZero


June 23, 2023 5:41 PM

“The task was to divide material assets (in Ukraine),” he said.

“There was massive theft in the Donbas, but they wanted more.”

“The Defence Ministry is trying to deceive society and the president and tell us a story about how there was crazy aggression from Ukraine and that they were planning to attack us with the whole of NATO,” Mr Prigozhin said in a video clip released on Telegram by his press service, calling the official version “a beautiful story”.

“The special operation was started for different reasons,” he said.

‘https://www.abc.net.au/news/2023-06-24/wagner-boss-says-moscows-war-in-ukraine-based-on-lies/102519130

“Two agendas are forming—one on the ground, the other on the president’s table,” he said.

Some observers have suggested Prigozhin might be speaking with the tacit approval of the Kremlin, which may be looking to shift blame for the war from Putin by scapegoating other figures such as Shoigu.

Prigozhin did not directly attack Putin in the video, instead claiming the president was being deceived by his generals and other figures around him. In reality though, Putin—not Shoigu—has taken the lead in making the claims around Donbas and de-Nazification the central justifications of the war, reciting them in his speech declaring his “Special Military Operation.”

‘https://abcnews.go.com/International/stunning-rebuke-putin-wagner-chief-russias-invasion-ukraine/story?id=100335756

vas pup


June 23, 2023 7:19 PM

How do surveillance planes spot ocean submersibles?


https://www.bbc.com/future/article/20230621-titanic-sub-how-do-surveillance-planes-detect-ocean-submersibles

“Hunting for submersibles is traditionally the exclusive job of some of the largest and most technologically-advanced aircraft in any air force. Often based on civilian designs, these machines deploy a => suite of impressive-sounding sensors to locate military submarines under the sea. It’s usually a cat-and-mouse game between aircraft and submarines that want to stay hidden. That’s not the case here.

The fact that these aerial hunters are packed with advanced new technology would seem to give them the advantage. Yet as the lost Titan sub shows, submersibles remain very difficult to find, especially at depths of 3.8km (12,400ft) where the wreck of the Titanic is found.

The aircraft heard the noise after dropping sonar buoys, which drifted on the surface, listening for sounds that nature would be unlikely to make. It picked up a regular banging noise at 30-minute intervals, something that experts suggest are a sign they are being made by human beings.

Acoustic noise travels far in water, so that is both good and bad news. You would need (at least) !!! three of those static buoys to be able to triangulate the sound source to get a position fix.”

The Lockheed P-3 Orion is also equipped with magnetic anomaly detectors, which detect tiny disturbances in the Earth’s magnetic field caused by metallic submarine hulls. If an aircraft equipped with the detectors flies over a large mass of metal within its detection range, then it will pick it up. The presence of a known wreckage of a large steel hulled vessel like the Titanic makes using this technique harder.

The P-3 is not the only aircraft involved in the search. Other planes scouring the Atlantic include the C-130 Hercules and the relatively new Boeing P-8 Poseidon, known as the most advanced maritime patrol craft in the world.


Poseidon’s aircrew uses a grid pattern to work out where a submersible is not, and then closes in on where it might be. It does this by deploying one of the most effective ways of tracking a submarine: sonobuoy fields. Fired from a rotary launcher at a high altitude, air parachuted Multistatic Active Coherent (Mac) buoys generate multiple sonar pulses over time in order to last longer and extend their search range. The arrangement of buoys like these is the one of the most classified secrets of anti-submarine warfare. A single P-8 can deploy over 120 buoys.

!!!Along with these buoys, the Poseidon uses a whole suite of technology that includes its own acoustic sensor, synthetic aperture radar (Sar) to detect, classify and track surfaced submersibles and detect periscopes a long way off, an electro-optical/infrared turret that can identify submersible exhaust, Electronic Support Measure (ESM) as an electromagnetic sensor, particularly !!! useful in tracking the positions of radar emitters, and even a hydrocarbon tracking system to “sniff” the presence of diesel electric military submarines.

However, the Poseidon flies too high to use magnetic anomaly detection effectively, and instead UAVs (Unmanned Aerial Vehicles) equipped with these detectors are being developed !!! to launch from its sonobuoy tubes.

Perhaps one of the Poseidon’s most important capabilities – and one that distinguishes it from the Orion – is the ability to work as a communications hub, a “node” as it were, at the center of a network of ships, sensor-equipped UAVs, and Uncrewed Surface Vessels (USV) that will in effect multiply its power.

!!!Sonar pulses, for example, can face interference from different temperature and salinity layers in the water. A submersible can be hidden under these. Magnetic detection technology tends to have short range – detecting only submersibles that are close to the surface and near to the aircraft’s position. And submersibles can also avoid detection by staying hidden in the “ambient water noise” of the ocean.”
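The quoted article says at least three static buoys are needed to fix the position of the banging. The reason is counting unknowns: in a flat two-dimensional picture the source has two coordinates, and the moment of each bang is also unknown, so three arrival times are the minimum that pins all three down. The script below is an added illustration, not part of vas pup's comment or the BBC article it quotes: it simulates one bang reaching three listening buoys and recovers the source by solving the time-difference-of-arrival equations with Newton's method. The buoy grid, the nominal 1500 m/s sound speed and the source position are constructed sample values, not data from the search.

```python
"""
Added example (not from the BBC article or the blog comment): a 2-D
time-difference-of-arrival (TDOA) fix for a sound heard by three static
buoys. All positions, times and the sound speed are constructed values.
"""
import math

SOUND_SPEED = 1500.0  # m/s, assumed nominal speed of sound in seawater

# Constructed buoy positions in metres on a local flat grid (x east, y north).
BUOYS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]


def arrival_times(source, t_emit, buoys=BUOYS, c=SOUND_SPEED):
    """Simulate when a bang emitted at `source` at time `t_emit` reaches each buoy."""
    return [t_emit + math.dist(source, b) / c for b in buoys]


def solve_3x3(a, b):
    """Solve a*x = b for a 3x3 system by Gauss-Jordan elimination with partial pivoting."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    n = 3
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-15:
            raise ValueError("degenerate geometry: the three bearings do not resolve a fix")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [m[r][k] - f * m[col][k] for k in range(n + 1)]
    return [m[i][n] / m[i][i] for i in range(n)]


def tdoa_fix(times, buoys=BUOYS, c=SOUND_SPEED, iterations=50, tol=1e-6):
    """
    Estimate (x, y, t_emit) from three arrival times.

    Unknowns: the source coordinates x, y and the emission time t0.
    Measurement model for buoy i:  t_i = t0 + dist(source, buoy_i) / c.
    Three equations in three unknowns are solved with Newton's method,
    starting at the centroid of the buoy field; the emission time enters
    linearly, so only the two coordinates are genuinely nonlinear.
    """
    if len(times) != 3 or len(buoys) != 3:
        raise ValueError("this solver needs exactly three buoys and three arrival times")
    x = sum(b[0] for b in buoys) / 3
    y = sum(b[1] for b in buoys) / 3
    t0 = min(times) - 1.0  # the bang must predate the first arrival
    for _ in range(iterations):
        jac, res = [], []
        for (bx, by), t_meas in zip(buoys, times):
            d = max(math.hypot(x - bx, y - by), 1e-9)
            res.append(t0 + d / c - t_meas)
            # Partial derivatives of the model w.r.t. x, y, t0.
            jac.append([(x - bx) / (c * d), (y - by) / (c * d), 1.0])
        dx, dy, dt = solve_3x3(jac, [-r for r in res])  # Newton step: J * step = -residual
        x, y, t0 = x + dx, y + dy, t0 + dt
        if max(abs(dx), abs(dy)) < tol:
            break
    return x, y, t0


if __name__ == "__main__":
    true_source, true_t0 = (1500.0, 2000.0), 10.0  # constructed
    t = arrival_times(true_source, true_t0)
    print("arrival times at buoys (s):", [round(v, 4) for v in t])
    x, y, t0 = tdoa_fix(t)
    print(f"fix: x={x:.1f} m, y={y:.1f} m, emitted at t={t0:.3f} s")
```

With two buoys the same solver has two equations for three unknowns, which is exactly why the article's "at least three" holds; in practice a fourth buoy is wanted because three can still leave a mirror-image fix outside the buoy field and because real arrival times carry noise, which the quote's remarks about temperature and salinity layers only make worse.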

SpaceLifeForm


June 23, 2023 8:31 PM

Re: SolarWinds

‘https://www.reuters.com/technology/solarwinds-executives-receive-wells-notice-us-sec-2023-06-23/

Clive Robinson


June 23, 2023 9:54 PM

@ vas pup,

“How do surveillance planes spot ocean submersibles?”

Back in the 1980’s it was with super secret SQUID, which were not the organic but quantum kind 😉

But… back then submersibles were made of mostly iron in the form of steel pressure vessels a hundred or more feet long[1]. So even with anti-magnetic mine degaussing they could still be picked up by the way they distorted the earth’s magnetic field and created “anomalies”[2].

As I understand it this submersible was made with a very poor choice of composite involving carbon fiber and titanium which has an exceptionally short life. But also does not affect the earth’s magnetic field as much as several hundred tons of refined iron or with a few pinches of chromium etc added.

[1] The problem with submarines, as it is with space craft and high altitude air craft is the squishy organic bits… If you think about it what you only need is a few pounds of warm fat that is the human brain. But to keep that alive and functioning it’s encased in around 200lb of body that needs the equivalent of a hundred watts of power continuously when at rest. To keep that alive and functioning, the body is surrounded by an environment that needs a couple of tons of equipment to support as a minimum. With also depending on length of operation the body needs four pounds of food and a US gallon of fluid every 24 hours as a minimum. As someone once ruefully noted,

“It all adds up to one heck of a load of ballast.”

Which is why “AI for Drones” is a hot research subject, as is the design of the drones to put them in. Oh and in low power down mode on the bottom it would need not much more than a couple of LiPo’s like you have in laptops even though in power up 3-10kW would probably be needed for a “general purpose” AI alone… But the speed things are changing it could quickly get down to maybe the 30W used by a laptop etc.

[2] Apparently the mile or more passive sonar arrays towed by some subs also cause magnetic anomalies as the conductive cables move in the earth’s magnetic field they act like a generator causing magnetic fields of their own. Thus having a very accurate chart of the earth’s magnetic field in the area of operation would be important, such that the submarine could reduce its profile by running a course along the lines not across them.

Clive Robinson


June 23, 2023 10:57 PM

@ ResearcherZero, ALL,

With regards to the quote you give of,

“Security experts say CISA’s directive highlights the reality that cyberspies and ransomware gangs are making it increasingly risky for organizations to expose any devices to the public Internet,”

You can probably hear my hollow laugh where ever you are.

For quite some time now almost the first question I ask is,

“What is the business case for that computer to be externally connected?”

And almost always there is neither a business case, nor a business case with good reasoning in it.

As long term readers of this blog will know I do not believe in “connectivity” without good cause, I believe in “Segregation, segregation, segregation”. Which puts me at odds with most “MBA Types”…

But even ICTsec types that talk the talk on air-gapping but have not the first clue on what’s actually needed in this day and age of deeply embedded communications in “chip sets” on consumer and commercial equipment.

It’s why I talk about “energy-gapping” and how to go about it in practical terms…

Just another example of,

“What you can read on this blog being eight years or more ahead”.

If you get a self proclaimed “Security expert” in, check what they know about basic physics, and then ask them about what SDR is and how it affects security… You might find yourself going through a lot of “experts”…

MarkH


June 23, 2023 11:05 PM

re: Undersea Casualty

Not a security matter, but it seems to implicate the integrity of an engineering process. I’ve read reports (not yet objectively confirmed) that:

• most of the hull was made from CFRP, with properties not suited to the application

• the hemispheric titanium “end caps” were bonded to the CFRP cylinder with some kind of cement

• the viewport — about 60 cm in diameter — was rated for 1500 m depth, whereas the operator claimed 4000 m for the overall vessel, and had taken it to 3800 m

• the designer/owner/victim was heard to say that the raw CFRP was obtained from Boeing, who was scrapping it because it had exceeded shelf life (Boeing says they never had business with OceanGate)

MarkH


June 23, 2023 11:11 PM

continued:

My whole career has been in and around product engineering. End users often don’t have the technical depth to evaluate whether a product can dependably function as claimed; even when they do, they don’t have the detailed knowledge of product design, or the time to absorb and analyze it.

The people who use the products of engineering must generally rely on the integrity of the work done by designers.

To be an engineering designer is to be in a role where some people are going to (at least implicitly) repose their trust in your work. It is a position of serious responsibility.

Clive Robinson


June 24, 2023 12:20 AM

@ MarkH,

Re : Undersea Casualty

The important point to note was that it was not even an “engineering prototype”.

By all accounts I’ve seen it was never “tested and approved” as you would expect for any “passenger service vehicle” before being put into use.

Other accounts indicate there are no current drawings, circuits, engineering calculations held by the company nor I suspect anyone else.

As for the “carbon fiber” from the little I’ve played with it in the past I suspect it’s a totally inappropriate material for pressure vessels that undergo regular pressure changes as it has some delamination issues, thus weakens on every major pressure change cycle.

As for the video of the “games controller” with glued on bits, and what looked like rusting pipe as ballast, not something that inspires confidence.

But there are other “interior attachments” it’s not clear how they were actually attached… I got the impression the illuminated overhead hand hold was one designed to be “screwed into” RV’s.

Oh and one of the casualties, lived two turns down the road from me and I’d actually met him at the BISoc some years back and we chatted radio and dishes. As well we’d nodded in passing in shops a couple of times (I’m easily recognisable[1]). He was just “an ordinary bloke” I’d no idea his family is apparently the wealthiest in Pakistan.

[1] It’s why I never put my “thinking hinky” abilities in spotting flaws in systems to “a life of crime”. Back when I was young the Police would have had to search a very wide area to find others to make it a “fair line up”. I think I’ve only met someone taller than me less than ten times in my life, and none of them had anything close to my build… That said for as long as I can remember, I’ve had people who I’ve never met come up and talk to me as though I was someone they saw around[2]… And, apart from size, I do know of two entirely unrelated people to me who even people I know quite well (parents-in-law) thought was me (One was “The Secretary of the British Electric Bike Society”).

[2] I’ve put it down to the fact that when they get within polite social distance, all they can really see looking up is a double chin and nostril hair… Hence the reason I grew a beard…

lurker


June 24, 2023 12:22 AM

@MarkH

I understand CFRP can have good tensile strength for some applications. When I heard it was being used for this device, the query light went on: what is its compressive strength on repetitive cycles? For an example of failure to understand repetitive stress cycling, q.v. Comet airliner.

MarkH


June 24, 2023 1:45 AM

@Clive, lurker:

I think you’re spot-on. I haven’t heard before of carbon fiber being used in such an application; reportedly, it’s both (comparatively) weak in compression, and liable to progressive failure under repeated overstress.

It does function as a pressure vessel in airplane fuselages, but there it works in tension, where CFRP excels … and the pressure is less than 0.1% of the claimed capacity of the annihilated submersible.

Clive Robinson


June 24, 2023 1:46 AM

@ lurker, MarkH, SpaceLifeForm,

Carbon fiber construction conceptually is not greatly dissimilar to “Glass Reinforced Plastic” (GRP). Likewise like reinforced concrete or human bone.

They all tend to fail catastrophically with a tiny increase in strain. From Wikipedia,

“The fracture toughness of carbon fiber reinforced plastics is governed by the following mechanisms:

1) debonding between the carbon fiber and polymer matrix,
2) fiber pull-out, and
3) delamination between the CFRP sheets.

Typical epoxy-based CFRPs exhibit virtually no plasticity, with less than 0.5% strain to failure.

Although CFRPs with epoxy have high strength and elastic modulus, the brittle fracture mechanics present unique challenges to engineers in failure detection since failure occurs catastrophically.”

As for delamination, what happens is dependent on the layering of the fibers, which can be a complex subject.

But think back to magic shows and the like where a magician holds a pack of cards lengthwise in a vice like grip in their hand. The pack bends then as the magician moves their fingers fractionally the cards fly out like a fountain.

Well all laminates usually have a matrix (glue epoxy etc) that if friable under stress will delaminate not just catastrophically but spectacularly.

But if I was to place a small bet on where things broke I would look at the cement between the carbon fiber and the titanium end pieces.

I can not think of any commercial cement to do this and I have looked when designing antenna systems. My concern was dishes have a very large sail area, but worse they also act like the edge of a wing thus generate lift away from the mount… The end result is they buffet a lot which is why they are frequently built into “drum like structures”, that not just strengthen the dish, they also cut down on the buffeting.

To cut design costs and weight we were looking at pressing out dishes from thin sheet metal then gluing to a spiderweb reinforcing structure that brought it to an offset center mount for a standard 2″ or similar mounting pole. We did not find a cement that would survive the buffeting effect for very long so we had to go another way…

ResearcherZero


June 24, 2023 3:38 AM

Organizations that still utilize FortiNAC should apply these patches as soon as possible.

“Fortunately, not a lot of companies expose TCP ports 1050 or 5555 to the public Internet. However…”

‘https://frycos.github.io/vulns4free/2023/06/18/fortinac.html

ResearcherZero


June 24, 2023 3:50 AM

Prigozhin issued his first public address from the headquarters of the Southern Military District in Rostov-on-Don, a city with a population of 1.1 million, which Wagner PMC claims to be fully in control.

Rostov-on-Don is a critical command and control membrane for the Russian army, and any threats to the MoD’s presence are likely to have ramifications on some critical aspects of the war effort. Rostov-on-Don houses both the headquarters of the SMD, whose 58th Combined Arms Army is currently decisively engaged in defensive operations against Ukrainian counteroffensives in southern Ukraine, and the command center for the Russian Joint Group of Forces in Ukraine as a whole.

‘https://www.ibtimes.co.in/mutiny-russia-live-updates-wagner-army-takes-over-rostov-860220

Footage on channels based in Rostov-on-Don showed armed men in military uniform skirting the regional police headquarters in the city on foot, as well as tanks positioned outside the headquarters of the Southern Military District.

Reuters confirmed the locations shown but could not determine when the footage was shot.

‘https://www.abc.net.au/news/2023-06-24/prigozhin-military-sites-in-rostov-on-don-under-wagner-control/102520100

SpaceLifeForm


June 24, 2023 4:27 AM

@ Clive, lurker, MarkH

I knew it had imploded. I said ‘may have’ to leave hope.

But, I knew. Physics.

People need to understand, there are no bodies to recover.

They were disintegrated into molecules in less than a millisecond.

It should not have been named Titan, but Darwin Award.


Original Post URL: https://www.schneier.com/blog/archives/2023/06/friday-squid-blogging-giggling-squid.html

Category & Tags: Uncategorized, squid
