One of the less fun aspects of moving countries is that you become a walking edge-case for many IT systems. You’ll encounter online forms which don’t accept international phone numbers, government “change of address” forms which don’t accept international addresses, services which completely block access from international IPs, or systems which outright break if your address contains non-ASCII characters.

Being an expat also means becoming intimately familiar with all of the differences in provision of government services.

I’ve covered the Swedish BankID identity and authentication system in a previous post:

BankID is ubiquitous in Sweden, and for most of the services you’ll encounter as a resident, there is no username and password. You login to services using your personnummer, and you authenticate using Mobile BankID on your phone. …


Image for post
Image for post
A Supermicro B1DRi board, showing the baseboard management controller (Source: Alibaba)

Bloomberg broke this story last week, and it’s an incredible read.

Citing 17 sources including six “current and former senior national security officials”, the story states that server motherboards manufactured by Supermicro have been shipped with hardware trojans installed, and had been discovered in datacentres owned by Amazon and Apple:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. …


To put it mildly, Facebook has had a bad week.

From Motherboard:

On Friday, Facebook revealed that hackers broke into the company’s servers and potentially stole the data of up to 50 million people.

The social network forced 90 million people — around 50 million victims plus an additional 40 million that may have been affected, according to the company — to log out and log back in again.

I’m not a fan of the “broke into the company’s servers” description, because it implies that the attackers got a shell on Facebook’s servers and then exfiltrated data. …


Image for post
Image for post

The book Building a Modern Security Program is co-written by Zane Lackey and Rebecca Huehls, and describes the lessons learned by Lackey during his time as the CISO for Etsy:

During the early days of the shift away from Waterfall development, I was incredibly fortunate to be in the position of building the security team at Etsy while it was one of the first companies pioneering DevOps. At the time, for most companies, production application changes were typically made every 6 to 18 months. However, as I learned on my first day as head of security, Etsy was making production code deployments 20 times per day and rising. …


Trade-offs occur everywhere in engineering. Take leverage for example:

Image for post
Image for post

Leverage allows us to amplify a small force, by applying it at the end of a long lever. This is extremely useful, because it means we can move very large objects with much less effort than if we applied the force directly.

This might seem like a free win, but the trade-off is that we need more space to work in: more space for the lever, and more space to move it. If you have plenty of space, this isn’t a problem. …


In my last email I mentioned Alex Stamos’ Twitter takedown of the ‘Digi-ID’ authentication solution. Buried in the exchange was a mention by Stamos of the Web Authentication standard, which is something you’ll be hearing a lot more about in coming months.

Web Authentication (or WebAuthn) is a method for using trusted devices such as smartphones or hardware tokens to authenticate users. The standard is an excellent piece of work, and it makes it realistically possible to get rid of passwords entirely.

Duo Security has an excellent explanation of the standard (which just so happens to use the example website “cat-facts.com”): …


This is a very simple trick for catching shells locally on a device which doesn’t have a public IP, such as a laptop sitting behind a NATted Wi-Fi network.

Image for post
Image for post

About a year ago I purchased a Hak5 Bash Bunny, and started using it for basic security demonstrations at work and university. For my demonstrations I wanted something a little more realistic than a VM with internal guest networking, including potentially injecting Powershell Empire payloads into arbitrary systems (with their owner’s permission, obviously).

I wanted my demonstration payloads to dial out through the local gateway to a public IP address just like a real payload would, but still be able to catch the connections (shells) on my laptop. The problem was that I was likely to be performing these demos from a university or corporate Wi-Fi network, and I couldn’t exactly ask someone to set up a port-forward for me so that I could catch a shell through their WAN connection. …

About

Mark Eldridge

Software and cyber security engineer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store