What are the “details” of the Protestant Reformation? When? Where? Who? What? Why?
A serial cable with an RJ-45 connector is capable of being used through an RJ-45 Ethernet port.
Latency on data networks is based on a calculation of a packet’s round trip time (RTT).
Hunter Biden Laptop Controversy

In October 2020, a controversy arose involving data from a laptop that belonged to Hunter Biden. The owner of a Delaware computer shop, John Paul Mac Isaac, said the laptop had been left by a man who identified himself as Hunter Biden. Mac Isaac also stated that he is legally blind and could not be sure whether the man was Hunter Biden. Three weeks before the 2020 United States presidential election, the New York Post published a front-page story that presented emails from the laptop, alleging they showed corruption by Joe Biden, the Democratic presidential nominee and Hunter Biden’s father. According to the Post, the story was based on information provided to Rudy Giuliani, the personal attorney of incumbent president and candidate Donald Trump, by Mac Isaac. Forensic analysis later authenticated some of the emails from the laptop, including one of the two emails used by the Post in their initial reporting.

Shortly after the Post story broke, social media companies blocked its links. At the same time, other news outlets declined to publish the story due to concerns about provenance and suspicions of Russian disinformation. By May 2023, no evidence had publicly surfaced to support suspicions that the laptop was part of a Russian disinformation scheme.

The Hunter Biden laptop controversy involved allegations of unauthorized access to personal data and the subsequent public disclosure of potentially sensitive information. Examining whether this constitutes a false allegation of privacy violation requires addressing the elements of privacy violations and the case’s specifics.

Using the assumption that the previous information is entirely TRUE, why could this case not be considered a privacy violation? Justify your answer.

Can it be considered a security case if it is not a violation? If yes, define in the MITRE ATT&CK which goal(s) the malicious agent seeks to achieve. Justify your answer.
Rubric: criteria and points

Understanding of Privacy Violation (5 points)
  5 points: Clearly explains why the case does not meet the legal or ethical criteria for a privacy violation, referencing definitions of privacy.
  3-4 points: Partially explains the criteria or reasoning behind why the case may or may not be a privacy violation.
  0-2 points: Minimal or no explanation of privacy violation criteria or relevance to the case.

Security Classification Justification (5 points)
  5 points: Provides a clear argument for why the case could or could not be classified as security, with strong evidence and reasoning.
  3-4 points: Offers some reasoning for classifying the case as a security case but lacks depth or clear justification.
  0-2 points: Fails to address whether the case can be considered a security case or provides weak reasoning.

Application of MITRE ATT&CK Goals (5 points)
  5 points: Identifies specific MITRE ATT&CK goals (e.g., Credential Access, Collection, Exfiltration) and justifies with strong connections to the scenario.
  3-4 points: Mentions applicable ATT&CK goals but with limited connection to the scenario details.
  0-2 points: Fails to identify relevant ATT&CK goals or justify their relevance.
Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist

As cyberattacks on national critical infrastructure and private industry increase, the U.S. Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to standardize cybersecurity practices for defense contractors. This process is critical, as demonstrated by China’s 2007 theft of sensitive F-35 Lightning II documents, which was confirmed by Edward Snowden’s 2015 leak. Snowden’s documents revealed that a Lockheed Martin subcontractor data breach allowed China to access F-35 designs, contributing to the development of their J-31 stealth fighter.

Supply chain attacks like this are becoming more frequent and damaging, as seen in high-profile cases such as the SolarWinds and Kaseya attacks. According to Ryan Heidorn, co-founder of Steel Root, adversaries are stealing intellectual property at an alarming rate, targeting large primes like Lockheed Martin and smaller suppliers that may lack sophisticated cybersecurity.

The CMMC aims to curb this issue by ensuring DoD contractors implement strict cybersecurity practices. While many companies already face these requirements, CMMC enforces compliance through assessments and certification, making it a critical mechanism to prevent the loss of sensitive information. The goal is to protect valuable defense technology, like the F-35, from further theft as adversaries like China continue to target critical U.S. systems.

In the context of the 2007 theft of sensitive F-35 Lightning II technical documents and other similar supply chain attacks, how could the PASTA (Process for Attack Simulation and Threat Analysis) methodology enhance defense contractors’ and DoD vendors’ overall security process to prevent future data breaches?
Single-factor One-time Passwords (OTPs)

Single-factor One-time Passwords (OTPs) are physical or soft tokens that display a continually changing pseudo-random one-time challenge. These devices make phishing (impersonation) difficult but not impossible. This type of authenticator is considered “something you have”. Multi-factor tokens are similar to single-factor OTPs but require a valid PIN code, biometric unlocking, USB insertion, NFC pairing, or some additional value (such as transaction signing calculators) to be entered to create the final OTP.

OTPs are essential for several reasons, significantly enhancing security in authentication processes. Here’s why they are significant:

Temporary and Unique: OTPs are temporary and generated for a single use, so even if someone intercepts the OTP, it cannot be reused. This limits the window of opportunity for attackers.

Mitigating Password-Related Risks: OTPs reduce the risks associated with traditional passwords, such as password theft, reuse, or brute-force attacks. Since OTPs are time-sensitive and unique, they add an extra layer of protection beyond a static password.

Easy to Implement: OTPs are relatively simple to implement in systems, often requiring just a phone number or email address for delivery. This makes them an accessible option for improving authentication security.

User-Friendly: OTPs do not require complex knowledge from users, as they are often delivered via text message, email, or an authenticator app. This ease of use increases their adoption in security protocols.

Cost-Effective Security: OTPs balance security and cost-effectiveness for many systems, as they don’t require expensive hardware tokens or complex infrastructure.

Adds an Extra Layer: Even in single-factor authentication (generally less secure than multi-factor authentication), OTPs offer an added layer of security over static passwords. This makes it more difficult for attackers to gain unauthorized access.

While One-time Password (OTP) systems provide an added layer of security, they also have several potential issues and limitations, which is why they are used today in combination with other techniques such as MFA. Given these challenges, OWASP Application Security Verification Standard 4.0.3 defines requirements for implementing an OTP system.

# | Description | CWE
2.8.1 | Verify that time-based OTPs have a defined lifetime before expiring. | 613
2.8.2 | Verify that the symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system-based key storage. | 320
2.8.3 | Verify that approved cryptographic algorithms are used to generate, seed, and verify OTPs. | 326
2.8.4 | Verify that time-based OTP can be used only once within the validity period. | 287
2.8.5 | Verify that if a time-based multi-factor OTP token is re-used during the validity period, it is logged and rejected, and secure notifications are sent to the device holder. | 287
2.8.6 | Verify that the physical single-factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged-in sessions, regardless of location. | 613
2.8.7 | Verify that biometric authenticators are limited to use only as secondary factors in conjunction with something you have or know. | 308

During the vulnerability analysis (stage 5 of PASTA), we identified several vulnerabilities that could affect the security of the system’s operation. The previous report describes these vulnerabilities. Create the required misuse case diagram and design the flaw analysis using the abuse cases to define the required mitigations (at least one for each misuse case).

Submission Directions:

Submit the complete UML Misuse Case diagram, composed of the system’s use cases, the misuse cases, and the required mitigations. The diagram must be made using Visual Paradigm [1].

You must create misuse cases that cover at least two threats of the system and one mitigation for each one of the misuse cases.

The background of the misuse cases must be painted black. The background of the mitigation must be painted green.

Submitting any diagram other than a Misuse Case will result in the question receiving zero points. Submitting handwritten diagrams will result in the student receiving zero points.

[1] https://online.visual-paradigm.com/

Rubric: criteria, description and points

Identification of Use Cases (5 points)
  Description: Correctly identifies the key use cases (e.g., Request OTP, Submit OTP, Verify OTP, Revoke OTP Generator). Each use case should be relevant to the OTP flow.
  5 points: All key use cases are identified with clear descriptions.
  2-3 points: Most key use cases were identified, but some were missing or unclear.
  0-1 points: Many key use cases are missing or incorrect.

Identification of Misuse Cases (7 points)
  Description: Identifies relevant misuse cases based on the vulnerabilities of OTP systems.
  7 points: All major misuse cases identified and correctly linked to vulnerabilities.
  2-6 points: Most misuse cases were identified but with minor issues.
  0-1 points: Many misuse cases are missing or incorrect.

Mitigations (7 points)
  Description: Provides reasonable and effective mitigations for each identified misuse case.
  7 points: Clear and effective mitigations are provided for all misuse cases.
  2-6 points: Mitigations are provided for most misuse cases, with some gaps or less effective solutions.
  0-1 points: Few or no mitigations provided, or mitigations are ineffective.

UML Misuse Case Diagram (6 points)
  Description: The diagram represents the relationships between actors, use cases, misuse cases, and mitigations logically and accurately.
  6 points: The diagram is complete, accurate, and well-organized. Clear representation of use cases, misuse cases, and mitigations.
  2-5 points: The diagram is mostly correct but may have minor organizational or accuracy issues.
  0-1 points: The diagram is incomplete, confusing, or incorrectly structured.
In the context of privacy as the default setting for data protection, which principle aligns with the concept of Privacy by Default as outlined in privacy regulations such as GDPR (General Data Protection Regulation)?