Archive

This weekend I had two interesting experiences that got my nerd spirit boil hot: I brought my 6yo son to his first cyber-security conference (NoHat 2021 on Sat) and this morning I visited an IBM abandoned facility.

Only if you’re a father or a geek, or both, you can imagine the feelings and fully appreciate these moments. It was just amazing.

BTW, if you’re curious how to maintain a news digest like this one with only a few minutes a day, I documented my semi-automated workflow.

Oh, and I’m experimenting baking panettone (I screwed up with the timing so I’ll have to wake up at 2am to prepare the last round of dough): Winter Hols are getting closer and closer!

Greetings! 👋

Just back from Black Hat Europe, which was great as it's been more than 2 years without an on-site conference (at least for me). Was a very nice get-together among those review-board members who could attend, who haven't been meeting for what seemed to be forever.

Unfortunately, due to capacity and travel restriction, the event felt a bit emptier than usual, but we're all looking forward to Black Hat USA 2022!

I jotted down some notes from my favorite session, the Locknote (vs Keynote), with Daniel Cuthbert, Meadow Ellis, James Kettle, Marina Krotofil, and Thomas Brandstetter. I "live" tweeted some notes in this thread, but since I'm far from being a professional tweeter, I revised them here, along with some comments.

Oh oh oh!

I guess I’m a little early this year, but after having spent the Halloween weekend at home with no adequate trick or treating because of the rain, I’m really looking forward to the upcoming holiday season!

I don’t know about you, but I changed my business travel plans to make sure I’m back home to watch Home Sweet Home Alone with the family. I guess it’s a little too much 😂

Greetings! 🎃

Interesting week in Europe, right? It's interesting to see the parallel between (1) the social protests happening in Italy about the regulations that require all workers to possess a valid EU Digital COVID Certificate (a.k.a., "GreenPass") and (2) the incident at one (potentially more) cert-issuance sites, which have been found to be exposed on the public Internet without protection. Of course, in a matter of hours, there was an explosion of Telegram groups selling generated certificates.

At the beginning, it didn't seem like a big deal, because the EU Digital COVID Certificate system has this scenario figured out already. But, as more clearly forged but accepted passes have started to circulate (archived), more details bubbled up, revealing what seems to be a larger "compromise" of the certificate issuing infrastructure. Technically, nothing has been actively compromised: It's just some unwanted service exposure.

Just scroll down and you'll find more details.

Hello! 👋

I should have never skipped last week's CyberFacts Weekly, because...guess what, now I had to process twice the load! 🥵

But last week was definitely too packed with prepping for Black Hat Europe and I had to prioritize that! By the way, consider attending Black Hat Europe, which is taking place both on site (at the London ExCeL) and virtually.

Despite being overwhelmed, I finally found the time to use Zotero to manage this digest. Here's the workflow:

I think this week's featured image by the @archillect AI is very appropriate, given the 3 massive leaks that happened (plus FB/IG/WA downtime, although not due to a security compromise):

• Twitch (128GB)
• The Telegraph (10TB)
• Pandora Papers (11.9M documents)

Plus some leaky Apache Airflow servers exposing credentials of popular services, and iOS 15 decompiled source code dumped online.

On the bright side, The Linux Foundation and Google (which sponsored $1B worth of rewards) has launched a pilot program to reward developers who help open source projects score better (e.g., by contributing fixes, fuzzing harnesses); Apache has released a fix for CVE-2021-42773 (currently exploited in the wild); and LeakIX has announced a game-changing (although a bit controversial) transparent breach-disclosure framework to track unwanted exposed services leaking data, and "pressure" service operators to close or secure them.

Hello ☺️

The second issue of CyberFacts Weekly is out and I have to say that I'm quite happy to see a (slowly) growing interest around both this weekly digest and the live feed (available via Twitter and RSS).

It's been quite a packed week: It wasn't easy to keep track of all the interesting events. Also, I decided to open each weekly issue with the image Tweeted by the @archillect AI at the time of writing.

Towards the end of this digest, I took some room for a reflection about the current state of conferences, and what I foresee for their future.

Hello 👋

And welcome to the first issue of the CyberFacts Weekly 🥳

I've started to systematically keep an archive of my readings since early 2021. There are already many good cyber-security newsletters (e.g., tl;dr sec), so by no means I'm trying to compete with them.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.