TofuSec

Recent Posts:


An Absolute Layperson's Guide to the Spectre CPU Speculative Execution Exploits
January 13, 2018

The recent discovery of the Meltdown and Spectre exploits has significant, long-lasting implications for the field of computer security; the two exploits assault fundamental assumptions made by software, enabling container and VM escapes. As Meltdown is being rapidly patched, this article will focus on the Spectre exploit. (more)

Adversarial Modeling: Determining Your Enemies
January 7, 2018

This article is an instructional extension of the Threat Modeling articles. By the end of this piece, you should be able to create an accurate, precise, comprehensive, and helpful adversarial model. Let's jump right in! (more)

Threat Modeling (pt.3)
December 31, 2017

This article will have the same purpose as Threat Modeling (pt. 1) and Threat Modeling (pt. 2); the intent behind these three articles is to familiarize you with constructing InfoSec action plans by providing many detailed examples. (more)

Threat Modeling (pt.2)
December 30, 2017
While Kuro's adversaries are far less capable than Ashley's, Ashley can do something Kuro can't: Ashley can keep her secrets to herself. Ashley doesn't need to trust anyone; Ashley's employees don't even need to know who she is. Kuro, on the other hand, needs to trust members of their design team (and possibly also marketing, legal (to prevent patent violations and file patents), etc.). (more)

Data Exfiltration (Methods and Mitigation)
December 29, 2017
"Data exfiltration" is what your adversary does when she sends information from your systems to hers. It is the unauthorized transfer of data between systems. Data exfiltration is most commonly and obviously committed via the internet; the internet is fast, near-ubiquitous, and convenient. While well-resourced organizations may be able to afford constant, competent network packet analysis, most individuals should disconnect their sensitive devices from the internet. (more)

Threat Modeling (pt.1)
December 27, 2017
This is an actionable InfoSec plan for Ashley: An individual with a state adversary.
This is a continuation of the "Threat Modeling" informational series; you are recommended to read Threat Modeling (pt. 0) before this article.
(read)

A Criticism of 2 Factor Security (As it is commonly implemented)
December 26, 2017
We are often advised to use 2 factor authentication (2FA) to secure our accounts; it seems reasonable for us to supplement passwords given the frequency of password compromises. Unfortunately, common forms of 2FA are incredibly flawed, leaving users with merely an illusion of security. (more)

Threat Modeling (pt. 0)
December 25, 2017
Most pieces of security advice you receive will make an assumption regarding the capabilities of your adversaries, and the amount of effort they're willing to expend to attack you. These assumptions are often inaccurate, as threat models vary wildly across individuals. To aid you through the process of threat modeling, I will introduce three fictional characters and describe their specific threat models. (more)

The Imperativeness of (Software) Decentralization
December 24, 2017
In a world where corporations and governments perpetually attempt to manipulate and intercept the flow of information, well-designed decentralization in technology is imperative. (more)

The Broken Promise of User Privilege
December 24, 2017
The recent macOS "root" security bug has struck widespread terror amongst Mac users. Root access on Unix systems is incredibly powerful. Malware utilizing this exploit could modify system files, adjust kernel options, and for all intents and purposes exercise free rein over the operating system. (more)

Hello, World! (and an introduction to TofuSec)
December 24, 2017
Hello, world!
So this was supposed to be my first post, but I got too excited about writing and forgot to introduce myself! (more)
