Joe Engle, the Last Living X-15 Pilot, Passed Away July 10 At the Age of 91
Later, he entered the Apollo program and eventually commanded the STS-2 flight of the Space Shuttle.
Here is an interview from 2004. I thought it was interesting that they used the F-104 as the chase plane and for training because the flight characteristics were so similar, which says a lot about the F-104.
Anyway, the X-15 project was a big deal for us science/geek types back when I was a kid. I wonder if it’s something today’s generation is even aware of.
Read more of this story at Slashdot.
After Criticism, Signal Agrees to Secure Plain-Text Encryption Keys for Users’ Message Databases
When BleepingComputer contacted Signal about the flaw in 2018, we never received a response. Instead, a Signal Support Manager responded to a user’s concerns in the Signal forum, stating that the security of its database was never something it claimed to provide. “The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide,” responded the Signal employee…
[L]ast week, mobile security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc warned on X not to use Signal Desktop because of the same security weakness we reported on in 2018… In April, an independent developer, Tom Plant, created a request to merge code that uses Electron’s SafeStorage API “…to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS,” Plant explained in the merge request… When used, encryption keys are generated and stored using an operating system’s cryptography system and secure key stores. For example, on Macs, the encryption key would be stored in the Keychain, and on Linux, it would use the windows manager’s secret store, such as kwallet, kwallet5, kwallet6, and gnome-libsecret… While the solution would provide additional security for all Signal desktop users, the request lay dormant until last week’s X drama.
Two days ago, a Signal developer finally replied that they implemented support for Electron’s safeStorage, which would be available soon in an upcoming Beta version. While the new safeStorage implementation is tested, Signal also included a fallback mechanism that allows the program to decrypt the database using the legacy database decryption key…
Signal says that the legacy key will be removed once the new feature is tested.
“To be fair to Signal, encrypting local databases without a user-supplied password is a problem for all applications…” the article acknowledges.
“However, as a company that prides itself on its security and privacy, it was strange that the organization dismissed the issue and did not attempt to provide a solution…”
Read more of this story at Slashdot.
YouTube Investigators Say MSI Exposed 600K+ Warranty Records Via an Open Server
Friday the hardware review site Gamers Nexus filed a YouTube video report alleging some serious claims: that PC component manufacturer MSI left their internal warranty and RMA processing web site accessible to the open Internet, with no authentication. Virtually the entire history of MSI warranty claims going back to at least 2017 were searchable and accessible for the browsing, including customer names, email addresses, phone numbers, and serial numbers of MSI devices.
This event follows closely on the heels of a video report just a few days earlier alleging PC component manufacturer Zotac left their warranty/RMA and B2B records server open to indexing by Google.
Gamers Nexus posted their reports after informing Zotac and MSI of their open servers and verifying they were no longer accessible. However, the data from MSI’s server could have been fully scraped at this point, giving scammers a gold mine of data permitting them to impersonate MSI personnel and defraud customers. Anyone who’s filed a warranty or RMA claim with MSI in the past seven years should exercise caution when receiving unsolicited emails or phone calls purporting to be from MSI.
Read more of this story at Slashdot.
CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months
After gaining access to the Solaris enclave, the red team discovered they couldn’t pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. “None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network,” CISA said.
CISA described this as a “full domain compromise” that gave the attackers access to tier zero assets — the most highly privileged systems. “The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts,” the report reads. “With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. “They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).” From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA’s team then pivoted into using the access they already had.
The team “kerberoasted” one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn’t able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA’s Federal Attack Surface Testing (FAST) pentesting program to operate. It’s crucial that these avenues are able to be explored in such exercises because they’re routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.
Read more of this story at Slashdot.