2018-11-19 15:15:38 -0500
We’re now an official 2018-19 FRC 5243 - Centreville Robotics Sponsor! Find our logo on the back of any Centreville Robotics shirt at the Haymarket, Centreville, South Lakes, and hopefully future competitions!
2018-05-02 11:57:38 -0400
As announced (not as a joke) on April 1st
Introducing the Project of the Month
Did you create something good? Achieve something? Find a vulnerability? Bag an internship? Tie your own shoelaces? Not wet the bed? Are you receiving the appropriate amount of recognition for your accomplishment or just want to show off? Project of the Month could be right up your strasse.
On the 8th of April submissions for project of the month will open. Now is the time to brag about what you’ve done. Don’t be shy, success begets success. Submissions will close on the 22nd and voting begin ready for an announcement of the Project of the Month on the 30th April.
There may be prizes but they will need to be tailored to the project and won’t likely allow you to retire any time soon (think sub-$30). All projects will be showcased; the winner and runners up will receive glory in abundance.
Start thinking about what you want to show off; for this first month we will consider projects done from January 2018 to date. Further information will be released soon. If you have any immediate questions you can reply to my link to this message in ~General here https://mm.netsecfocus.com/nsf/pl/ipyxk5opkibkugwxxndzg8ooah
After 55 votes, the results were in… thanks to everyone who voted for CVE-2018-7213!
2018-03-28 14:38:51 -0400
In a recent turn of events, a post has been made by @FCPS_NEWS on Twitter about the discovery:
Centreville HS freshman Tyler Schroder turns passion for cybersecurity into a critical discovery for the field and a visit to GMU's digital forensics class. https://t.co/9krLXZW7yu — Fairfax Schools (@fcpsnews) April 5, 2018
In recent news, I’ve had the opportunity to appear on the Volgenau School of Engineering’s Blog for my first CVE discovery!
2018-03-12 11:20:57 -0400
I had the chance this weekend by invitation (coordinated by GTA Jay Gala) to present to the Network Forensics course at the Volgenau School of Engineering, George Mason University. Bob Osgood, MS Director of the Digital Forensics & Cyber Analysis Program, is the professor for the course.
Below is a copy of my presentation. Please use the email on the slides or any of the other means listed on my blog page to contact me with questions.
If the following doesn’t load, please go here
2018-03-10 15:08:31 -0500
CVE Project Overview
Skip this section if you already understand the CVE Project.
Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities.
Use of CVE Entries, which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.
CVE is:
- One identifier for one vulnerability or exposure
- One standardized description for each vulnerability or exposure
- A dictionary rather than a database
- How disparate databases and tools can “speak” the same language
- The way to interoperability and better security coverage
- A basis for evaluation among services, tools, and databases
- Free for public download and use
- Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE
With & Without CVE
CVE was launched in 1999 when most cybersecurity tools used their own databases with their own names for security vulnerabilities. At that time there was significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.
CVE’s common, standardized identifiers provided the solution to these problems.
CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries — also called “CVEs,” “CVE IDs,” and “CVE numbers” by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Entries also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
A CVE Entry contains:
- A CVE ID number (e.g., “CVE-1999-0067”, “CVE-2014-10001”, “CVE-2014-100001”).
- A brief Description of the security vulnerability or exposure.
- Any pertinent References (e.g., vulnerability reports and advisories).
The information is then assigned a CVE ID by a CVE Numbering Authority (CNA). The CNA writes the Description and adds References, and the completed CVE Entry is then added to the CVE List and posted on the CVE website by the CVE Team.
Topic: Abine Blur Password Manager Insecure Permissions
- Category: Abine Blur
- Module: Blur Web Extension
- Announced: 2018-03-10
- Credits: RS Tyler Schroder
- Affects: 7.8.242*
- Corrected: 2018-02-28
- CVE Name: CVE-2018-7213
I. Background
Abine Blur is a password management suite combined with online anonymity tools.
II. Problem Description
The Password Manager Extension in Abine Blur 7.8.242* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data.
Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.
III. Impact
Access to secured data can lead to exfiltration of secured information, a 2FA bypass, and a further undisclosed macOS (OS X) disk encryption console bypass (to access secured Abine Blur data).
IV. Workaround
No workaround, as the vendor has issued a patch.
V. Solution
Update your browser plug-in per your browser vendor’s instructions. Firefox 5x.xx and Chrome 63.x are known to automatically update to the latest version.
VI. Timeline of Events
- 2018-02-13: Discovery of Vulnerability
- 2018-02-13: Vendor Contacted
- 2018-02-14: CERT/CC activated for vendor PGP coordination
- 2018-02-14: Vendor responds (PGP)
- 2018-02-15: CERT/CC [VU#714299] unable to assist further
- 2018-02-16: MITRE Contacted for CVE
- 2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
- 2018-02-28: Patch Issued
- 2018-03-10: Public Disclosure.
2018-01-28 10:04:23 -0500
Recently, I had the chance to head on a skiing adventure with a local Boy Scout troop. One of the lessons they teach early on is the use of the buddy system (TL;DR Always have someone with you, especially during high-risk activities).
So, In Theory
In theory, this basic principle allows for improved safety, and the two may be able to prevent the other becoming a casualty, or rescue the other in a crisis. In Alpine conditions, where rescue could be delayed for a prolonged time, this system is critical to ensuring participant safety.
What Actually Happens
When participants aren’t careful (think younger age groups), they end up splitting up. Groups want to do different things, they have people skiing at different ability levels and speeds, and forgetfulness often tries to negate the benefits.
How this came into play
I had spent the early morning skiing with my buddy (both of us with similar skill and speed), when we approached an S-turn where the Salamander (“Green”, Beginner) trail merges with Off the Wall (“Double Black”, Hardest). At that turn was a solo skier, who took the turn, but made three critical mistakes.
- Turned Too Fast: this turn is much tighter than the map leads one to believe, requiring skiers to slow down to turn properly.
- Improper Turn: the skier wasn’t fully aware of their abilities, and while at high speed, tried to turn, but ended up crossing their skis in the process, throwing them off balance.
- Improper Fall: this article goes into better detail about the correct way to fall (forwards), rather than sideways onto the side of the slope (and their body).
Buddy System to the Rescue
When this skier went down, my buddy and I both stopped to see what we could do. When I determined the injury was severe enough to warrant additional help, I was able to have my buddy go for help, while I stayed with the victim. We were never able to locate the solo skier’s buddy, even though they claimed to have two with them.
Aftermath & Lessons Learned
Eventually, ski patrol arrived, and were able to transport the skier to the base of the mountain. A field diagnostic returned a possible tibia fracture/break (much worse than the twisted ankle that was originally thought).
The second man with me was critical to getting the skier off the mountain in time. By being able to stay with the skier, it was possible to prevent someone from running them over and/or causing additional damage, while still having help arrive on-scene in a timely manner. So don’t go it alone, bring a second with you. It may very well help save someone else, or even you.