News of the week 2023-07-24

The Prepared Support - July 24, 2023

News

Make a top-level comment for a new story/topic. Discussions about the topic should be in the replies to the top-level comment. That way things stay organized and every main comment as you scroll down is a different piece of news.

13  

Greece: Thousands evacuated from Corfu as wildfires rage

“Authorities have evacuated some 2,500 people from the Greek island of Corfu as fires ravage the island. This comes after tens of thousands fled the island of Rhodes in an unprecedented operation amid a massive heat wave.”

https://www.dw.com/en/greece-thousands-evacuated-from-corfu-as-wildfires-rage/a-66326305?

 

The Prepared is having a 25% off “Choose Your Adventure” sale on all courses. I especially recommend the Austere First Aid course, which taught me how to handle a wide variety of medical emergencies. Some of the topics it covered overlapped with first aid situations I’d already experienced directly, and I still found that I had more to learn about them from this course.

https://lp.theprepared.com/choose-your-adventure-sale

 

TikTok is buzzing about a possible new Covid surge beginning in the US.

Japan is having a hard time with Covid hospitalizations right now with Okinawa being hit particularly hard.  Patrick on TikTok has been talking a lot about it in his channel and summarizes the latest news reports in this video: https://www.tiktok.com/t/ZT88SWUpF/

Japan has higher vaccination rates than the US and has been better about masking so this is concerning.

There’s an uptick in the waste water monitoring in the US.  Take a look at Biobot and click on “Last 6 months”.  The inflection point is June 21.

The FDA is recomending the booster coming in the fall target the XBB.1.5 variant but we live in a multi-variant world now and XBB.1.5 comprises only 1/3 of the infections in the US (see the same Biobot page under “Covid-19 Variant Trends over Time”).

I’m keeping my eye on all of this.

I’m also going to start digging into a report suggesting that getting a booster too soon after a Covid infection can cause harm and that it’s better to wait for an unclear period of time instead before getting another vaccine shot.  It’s possible that bloodwork post-Covid infection can help to inform a doctor about what this period of time should be.  I’d love it if someone else could do some digging on this topic too.

 

“better to wait for an unclear period of time instead before getting another vaccine shot”

I’m aware of two reasons that it’s better to wait 4-6 months after your most recent shot or infection. Both involve partially wasting that shot because your body was still reacting to the recent immune stimulation and doesn’t need more stimulation. Does taking that dose too soon also “cause harm”? Not that I’m aware of, but I’ve already got plenty of reason not to do it.

 

India, responsible for 40% of global rice exports, just blocked non-basmati rice exports, so that they’ll probably export half as much rice this year. Expect prices to rise for this staple food, affecting global food security.

https://www.reuters.com/markets/commodities/india-prohibits-export-non-basmati-white-rice-notice-2023-07-20/

 

U.S. Hunts Chinese Malware That Could Disrupt American Military Operations.

Chinese state hackers installed malware to allow them to sabotage many US utilities at once. A likely intent was to trigger the utility sabotage as a distraction early in an invasion of Taiwan, slowing down a US military response. While they seem to have failed this time, discovered before they pulled the trigger, we should be prepared for the possibility they succeed next time.

So what are we preparing for? I see three very different angles there.

1) If you have any involvement cyber security, software development, or system administration, take this as a wake up call to substantially improve your cybersecurity. The software system you are responsible for may already have been targeted.

2) Be prepared for a multi-day power outage. This was already an issue due to weather, but if it’s done by a state actor more of us will face the challenge in many regions all over the US and/or NATO.

3) Be prepared for that outage to be just the beginning of a larger challenge. If it’s really used to slow the reaction to an invasion of Taiwan, then we need to deal with the invasion next. Expect extreme supply shortages for 1-2 years, especially involving electronics.

 

I work in computer security and I can share missing context from this article.

This is a normal state of affairs.  There is nothing unusual happening here.  China (and other state actors) are constantly penetrating our networks and we’re constantly doing the same thing to them.  We’re even doing it to our allies, planting malware on their infrastructure.

Yes, it’s potentially serious, but it’s also been happening for decades.  It has nothing to do with Taiwan.

 

“This is a normal state of affairs.  There is nothing unusual happening here.”

This is the specific part that they’re saying is unusual:

“Now, Chinese cyberoperations seem to have taken a turn. The latest intrusions are different from those in the past because disruption, not surveillance, appears to be the objective, U.S. officials say.”

In previous examples of Chinese state cyberattacks that you have seen, were those attacks meant more for information gathering or for disrupting infrastructure?

 

All of the historical Chinese attacks I’m aware of have been about surveillance.  However, I know that the US has been planting disruptive malware for years and my impression is that the three major world empires (American, Chinese, and Russia) are all doing the same things to each other constantly.  We’re in constant cyber cold war and given the nature of technology, cyberwarfare is almost all offensive capability.  Our defenses suck.

I work in civilian defense.

 

“Our defenses suck. I work in civilian defense.”

Civilian cyber defense is a small but growing part of my role as well. What do you think is the best way to improve our cyber defense?

 

That’s a great question.  Cyber defense is challenging for three reasons:

1.  The interconnectedness and complexity of modern computer systems favor offense over defense—you have to get 100 things right to protect a system but only one thing right to compromise it.

2.  The economic incentives are misaligned.  This is the biggest of the problems.  Investing in defense doesn’t produce a visible ROI and it’s hard to assess results.  If you buy a three-legged stool and it’s missing a leg then the problem is obvious to all stakeholders.  Assessing the security of a system can be done only by experts and it’s not objective.

3.  The threat landscaping is constantly escalating.  Recently I advised a client to perform a high-stakes transaction over a video call rather than an audio call because audio calls can be spoofed (and there have been successful high-value attacks).  A few weeks after I delivered my report to the client I had to reach out to them again and tell them I saw my first live video call spoofing attack in the wild.

Back to your question of how to improve our defenses:  It depends on your threat model and I could offer specific suggestions if you tell me some details of yours, but in general:

1. Personal defense:  Choose a trustable ally for your TCB (Trusted Computing Base).  E.g., both Apple and Google spend astronomical amounts on getting security right and have deep talent pools.  As much as I like fiddling with open source, I trust those two companies to manage my TCB more than I trust myself.

2. Company defense:  It depends on the threat model of the company.

3. Societal defense:  This is a tricky one because of the economic incentives.  There are many companies that would rather pay the cost of cleaning up an attack rather than spending money to prevent it.  Unfortunately many of us suffer collateral damage if, e.g., said company is holding our personal data.  Government can play a role to identify critical infrastructure in the private sector and prod them to do the right thing but there hasn’t been a lot of success thus far.  If I were president I would split up the NSA into two separate organizations—one for offense and the other for defense.  It’s currently chartered with both missions but the majority of its focus seems to be on offense.

 

“Back to your question of how to improve our defenses:  It depends on your threat model and I could offer specific suggestions if you tell me some details of yours, but in general…”

Thanks, Hardened! Your general advice is already helpful. I’ve added some details below about my situation and concerns.

“Personal defense:  Choose a trustable ally for your TCB (Trusted Computing Base).  E.g., both Apple and Google spend astronomical amounts on getting security right and have deep talent pools.”

I read a bit about trusted computing base but am still not sure I understood this advice. Are you just saying to prefer Mac over Linux? Or does Apple have security software and guidelines we should be following?

For personal defense, I rely on MacOS/iOS, GMail, and 1password. I’m slowly adapting to using 2FA and considering a switch to Proton.

“Company defense:  It depends on the threat model of the company.”

I am responsible for software development and associated application security for some internal and public facing applications. My focus so far has been to follow my company’s extensive security policies and integrate recommended security tools. But I don’t really understand this problem from an attacker’s perspective, whether all these security features address the most important vulnerabilities. What’s a good approach for educating myself on this?

 

TCB just means the parts of the system that you have no choice but to trust.  The ideal system is trustless.

Yes, I mean prefer macOS over Linux.  As much as I love Linux (and used it for my main desktop OS for many years) it hasn’t kept pace with escalating threats as well as macOS has.

Apple silicon appears to be one of the best hardware choices at the moment, from a security standpoint.

An ex-housemate of mine got government security clearance so the NSA could brief him on how to make Gmail more secure, so yes that’s a good choice.  🙂  It won’t protect you from the NSA, of course.

2FA is important and hardware keys are the best.  I use YubiKeys.  If you buy one, buy it directly from the manufacturer instead of a reseller to avoid supply-chain attacks.

Use Signal for private communication and use the safety number verification feature.  As far as we can tell, Signal is the only communication system that’s secure.

I am responsible for software development and associated application security for some internal and public facing applications. … What’s a good approach for educating myself on this?

Again this depends on your company’s threat model and associated defense budget.  If you have the budget, hire an external company to do a penetration test of your applications and that will probably wake you up with cold water very quickly to potential problems.  External audits of source code can also be helpful.

In general, for software development:  If you haven’t already, recognize that complexity is the enemy of secure software.  Object Oriented Programming was a mistake and unnecessarily increases the complexity of software.  Adopt the Function Core/Imperative Shell model for writing software.  Adopt the principles of functional programming in your applications by composing small, pure functions.  Learn functional programming but stop before it gets into category theory because otherwise no one else will be able to read your code.  Educate your other developers to do the same.

If your software is a custodian of personal data, e.g., of customers, then treat every last bit of it as a liability and aggressively winnow it down.

Recognize that in the modern era every professional software developer needs have to have security skill and that skill must be updated constantly.  Read the Crypto-Gram Newsletter for keeping up-to-date with macro trends.  Find other specialized resources that are relevant to your line of work to keep educating yourself.