Cybersecurity changes faster than you can read about it.
This page covers and comments on around 10 of the monthly 7000+ news items.

Updated April 15th, 2024.

April 2024 Headline News
#039 It’s that easy In a Forbes article, Jay Chaudhry, CEO and Chair of Zscaler, describes how easy it is for threat actors to use Generative AI and Large Language Models to ask for the vulnerabilities of specific organizations and then to write code to exploit them, including, it seems, Advanced Persistent Threats. We are living in the beginnings of the Skynet world of the Terminator movies, but unfortunately there’s no travelling backwards in time to remove the AI. He goes on to cover how Zscaler’s strategy and products use AI, replace firewalls and VPNs, hide data and provide Zero Trust SD-WANs. This is not an endorsement of any Zscaler product, but the article makes a very interesting/sobering read.

In Depth

Some stories need a closer, sometimes controversial look.

How and why the Securities and Exchange Commission is bringing discipline and accountability globally, helping everyone in cybersecurity.
NIST’s Cybersecurity Framework “brings organization to cybersecurity implementation.” We explain why we have a very different view from others.
The now infamous breach of the MGM hotel and casino chain has become a poster child of how not to implement holistic cybersecurity. But what was the real unreported reason behind the attack?
April 2024 Headline News
#038 Critical Infrastructure Protection: Water Systems One of the most targeted critical infrastructure sectors has become water systems, with many reports and warnings regarding threat actors from government and other sources. A new bill to establish a Water Risk and Resilience Organization has been introduced in the U.S. to strengthen and enforce cybersecurity. Further details are in this Statescoop article.
#037 Who is protecting the protectors? The problems when leading security software companies (such as Palo Alto Networks, self-reporting a critical vulnerability, updated 4/13) are: (a) what were the development processes that were not in place that resulted in the vulnerability? (b) How can others learn from the mistakes when users are not safe until the problem is fixed (fixes are under development*)? (c) How can others learn from the mistakes even when the problem is fixed, when revealing the cause is likely either too risky or just bad business? (d) As soon as the problem is fixed, will all systems be updated (probably OK in this instance, but mostly not)? (e) And lastly, if you can’t trust the market leaders, then who can you trust?
*Update 4/15: Palo Alto says it has fixed the problem and updates will be rolled out shortly.
#036 Ransomware hits home – if you still have one The Jackson County, Missouri ransomware attack has caused chaos for people buying and selling homes after the attack disabled the systems and caused offices to close for days. What makes it a big deal is that with the offices closed, house sales can’t be registered or closed, offers expire, loans can’t be enacted, people have moved out and new owners can’t move in. I.e. chaos.
#035 CISA Initiative will have big impact An initiative by CISA this week will bring regulatory focus on cybersecurity to several hundred thousand business organizations. It follows rules brought in by the SEC for publicly traded and regulated companies last December. This process, known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, was initially introduced in 2022. This CISA update will require compliance with incident reporting and will likely, when complete, require companies to show that they have been taking documented, prudent, preventative steps. This document completes its comment phase June 3rd, 2024 and publication will follow. We will no doubt comment to CISA after carefully reading the draft document, as we did with previous initiatives. Click here for the link that introduces the work, which will apply to more than 20x the number of companies as the SEC rules.
The impact on companies will hopefully be profound, since it will become a legal requirement for businesses that continue to be oblivious of the cyberwar to finally take it seriously.
#034 The Big Picture Sometimes we lose track of the big picture. In the first few days of April a fascinating presentation by a key member of the US Government catalogued that big picture. It covered the global economic forces, the impact of population decline, climate change and even water and crop shortages that drive state-sponsored cyberattacks on the soft underbelly of first-world economies. It’s such a compelling and chilling reminder that there is a war going on and we are the targets. As it’s become a necessary part of those economies, it’s going to persist. It’s why every small business and large organization must strengthen its weak links and be vigilant permanently.
March 2024 Headline News
#033 AT&T Breached again Now the hackers are repeating themselves. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” Bleeping Computer and others reported on the latest AT&T breach. With so many credential breaches it’s easy to see why we are becoming immune to them.
#032 How can they get it so wrong? As an indication of the influence of form over function or hype over reality, this article from SDXCentral is an example of what happens when market leader influence gets in the way of enterprise choice. I seriously doubt that Forrester said anything like what was reported. According to the article, the SSE market is the market of today, Zero Trust is of the past and SASE is the way of the future. Since Zero Trust is at the heart of all such Gartner-inspired derivatives, SASE was superseded by SSE because of supplier and market influence, and none of it has any industry technical definition, it’s not difficult to see how journalists get confused. What began as, I believe, a good intention by Gartner to create an integration between networking and security has descended into a confusing mess for the enterprise. (End of rant.)
#031 Water, Water Everywhere The latest missive from the U.S. Environmental Protection Agency (EPA) is more than hinting that water may be everywhere but there might not “be a drop to drink” unless action is taken to combat cybersecurity threats. The story in Cyberscoop explains that there are 150,000 water utilities in the U.S. The staggering number is difficult to comprehend until you understand that there are 90,000 dams in the U.S. “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” The EPA is setting up a water sector cybersecurity task force to outline some of the biggest challenges the sector faces and develop strategies to defend against the threats.
#030 One small step Good Grief. Having spent the best part of a year and a half on a requirement for software companies to self-attest their secure development, CISA just published the work. If you do not conform then you can’t sell to the U.S. government. A very nice idea! However, it gives me no comfort to say that I think they missed critical elements including: (1) use of memory safe languages, (2) use of self-attested third party software elements, (3) a requirement for a Software Bill of Materials and (4) implementation of secure APIs. I personally submitted all of these to CISA but received no response, and wrote an article that covered all the elements. What a missed opportunity. Oh, and if the software you sell was developed before September 2022 and hasn’t had a “major version update” then you don’t have to comply, no matter how vulnerable it might be. In addition, publicly available open source code is also exempt. (What could possibly go wrong with that?) Good Grief!
#029 Change Needed The much-reported breach at Change Healthcare by Blackcat resulted in a staggering $22m ransomware payment. The outage in the billing and prescription arm of United Healthcare, which processes 15bn transactions a year, touches 1 in 3 patient records. First discovered on Feb 21, Change reports it will not be back online until the middle of this month. This is another Blackcat (RaaS) exploit, though the actual attack was claimed to have been performed by “Nochy” – but maybe it’s all a scam? More on this from Cybersecurity Dive.
#028 $12.5bn Or, to put it another way, about $40 per person in the U.S. alone was lost in 2023 to cybercrime. There has been a plethora of reports looking back at last year, but this one is an important reality check. According to the FBI, as reported by news outlets, 880,000+ complaints were made – a 22% increase on the previous year. Ransomware jumped 74% to $59m – and that was just what was reported! Investment frauds were the largest proportion, followed by business email compromise.
#027 Catch 22 While it’s probably embarrassing that the US Department of Homeland Security (actually, even worse, it was CISA) was breached, it does highlight a general problem. It’s not just that “if they have been breached what hope is there for the rest of us?” The real issue is that the organization being breached does not want to disclose how it was breached, since it reveals possibly systemic weaknesses that others may exploit. This makes it really difficult for others to learn from mistakes. Even disclosures to the SEC likely will not go into such detail publicly. The catch-22 is therefore: “we want you to learn from our experience – but we can’t tell you how!” Update: compounding this was the fact that CISA was using an Ivanti VPN (supposedly) secure gateway rather than ZTNA products, and that CISA’s own “self-attestation” initiative can’t have been in place with Ivanti. Apparently the Zero Day vulnerability was exploited by an APT (Advanced Persistent Threat) attack, and even then the fix was not immediately implemented. Oh dear! (I don’t think I have an egg-on-the-face emoji?)
#026 White House Review While it is not surprising that the White House is pleased with the progress it is making in cybersecurity, the “one year later” progress report is a useful reminder of the initiatives in play (69 of them apparently). Here’s the update from director Harry Coker.
#025 The first cut is the deepest Last year, this column covered the report: Escalating Global Risk Environment for Submarine Cables by the Insikt division of intelligence company Recorded Future, showing the vulnerability of the global economy to attacks on the 529+ submarine cables that transmit 99% of intercontinental communications. Today, 9 months later, CNN reported that several cables in the Red Sea have been cut impacting 25% of Internet traffic between Asia and Europe. A statement from HGC Communications says it has already mitigated the problem. However, other than a blame game, there is no public statement of who was responsible, or how the cuts had been made or whether it was deliberate or accidental!
#024 Cloud Following the re-emergence of LockBit, there are indicators of increasing threats aimed at cloud services, the U.K.’s National Cyber Security Centre warned this week. It underlines the importance of understanding the many methodologies required for protection when services and workloads are delegated to multiple cloud providers, application and security suppliers.
#023 CSF 2.0 In-depth It seems that the points raised in the previous entry covering CSF 2.0 are worthy of in-depth analysis on our Hot Topics Page.
February 2024 Headline News
#022 CSF 2.0 Published In January, this column made remarks in entry #004 about the draft of NIST’s Cybersecurity Framework 2.0, published mid-2023. The final version of CSF 2.0 is now published. I just don’t know what actions could be taken from it. I don’t know if anyone from CISA provided oversight. Oh dear!
#021 White House Ports Security The White House announced an initiative to bolster the cybersecurity of U.S. ports. Supporting $5.4 trillion of trade, the investment of $20bn will require the protection of systems, including cranes, 80% of which are of Chinese manufacture. Penalties for non-compliance are yet to be established.
#020 DNS (=Dangerous Narrow Shave?) A group of German researchers discovered a very long-standing vulnerability (codenamed “KeyTrap”) in secure DNS that, had it been exploited, could have disabled the entire Internet. Fortunately, this has been responsibly mitigated. Full details are in Feb 20’s Security Now show notes (see page 12).
#019 LockBit Lockdown (or was it?) When one of the biggest threats of the last 18 months gets disabled by a coalition of 11 countries led by the US and UK, then it’s a big deal. All that’s left of LockBit is a notice saying the site has been seized! But wait, just a few days later there are still LockBit sightings, explained either by employees who took the work home with them, a remnant of a persistent threat attack, or the use of a LockBit-type tool kit. We shall see. Feb 26th update: Well, that didn’t last for long, LockBit has brazenly re-emerged – as noted in Cybersecurity Dive. (Cute graphic)
#018 Weaponizing AI Just as my daily use of Co-Pilot becomes an accelerator of my work, it gives some comfort that OpenAI (one of Microsoft Co-Pilot’s AI engines) is shutting down accounts used to generate phishing and malware attacks (article). Dark Reading’s “proceed with caution” seems prudent, but is tempered by the level of sophistication being used by Korean threat actors as they make it difficult to tell phishing attacks from the genuine article and use AI to scale up their activities. This month, Google announced its own AI Cyber Defense Initiative, covered by Silicon Angle.
#017 Clientless and Clueless Next up in Microsoft’s 2024 woes is the news from Proofpoint that 200 Azure accounts have been compromised. Once the threat actors gain access to an Azure environment they carry out a host of malicious activity, according to Proofpoint, including manipulating MFA, data theft, follow-on phishing attacks and financial fraud. It seems that once you give up your environment to a clientless reliance on cloud providers such as Microsoft, you are in the headlights of attacks. It makes you wonder if relying on unverifiable Microsoft security methodologies and on clientless IT is a viable strategy. More on this from Cybersecurity Dive.
#016 Mixed Bag After a monster January in terms of important cybersecurity news, February is relatively quiet. However, the stories regarding Critical Infrastructure are hopefully raising awareness. SentinelOne and others are carrying stories regarding CISA, FBI and NSA warnings of Volt Typhoon attacks on US, Canadian, UK and Australian targets. Also, LastPass is back in the news after Apple somehow enabled duplicate postings of the once-vaunted security app in its app store.
#015 Big security staff shortages – big cybersecurity layoffs This doesn’t seem to make sense. Report after report follows massive shortages of cybersecurity staff. At the same time, SC Media Magazine is reporting on 110 cybersecurity firms laying off significant numbers of staff since the beginning of last year. TechCrunch’s end-of-year summary called 2023 “the year of the Layoff.” Most of the tech layoffs are put down to overstaffing during the Covid years – but is there another reason? It may be an indicator that companies are still in denial about cybersecurity and would rather put their heads in the sand than their hands in their pockets to pay for cybersecurity staff or solutions.
#014 Zero Trust Brings a New Way of Thinking My latest article on Zero Trust in this month’s ISE Magazine takes a different twist on the topic, which I hope you find interesting.
#013 SEC creating board level impact As is now widely known, the SEC requires reporting of significant cybersecurity incidents within four days. What’s less well known is that it requires “most” public companies to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This, according to a posting by Blackberry, also applies to foreign companies seeking funding and listing in the U.S. This is a great step forward since it focuses the executive team on preventative measures and processes.
January 2024 Headline News
#012 Too many articles January had so many big stories and articles on cybersecurity. This page deliberately does not cover every Bitcoin, healthcare or ransomware story. However, this month I’ve posted a list of 130 or so articles that were considered and almost made it, which may be of interest.
#011 One to watch Newly discovered malware covered by Bleeping Computer, known as NSPX30, is spread by corrupted versions of the update mechanisms of the very widely used WPS Office software. (This is not Microsoft Office.) Automatic updating is encouraged as an important defense in cybersecurity. It begs the question: when the exploit is fixed, how is the update effected if the update mechanism itself is compromised?
#010 Hey, we’re here too! Not to be upstaged by Microsoft, HP Enterprise also had their email hacked by the same Midnight Blizzard Advanced Persistent Threat attack. Although first noticed on December 12th, it took until the end of January to make it public. So much for the SEC’s 4-day reporting rule. It also makes you wonder if the compromised emails contained details of the then-pending HPE purchase of Juniper. I guess the SEC can track suspicious purchases of Juniper stock.
#009 Microsoft Sprayed In the second recent instance of Password Spraying, the Microsoft CEO’s email was compromised. Covered by various sources such as Hacker News, it’s concerning that executives in one of the leading security companies ignored best practices, and it makes you question the organization’s own attitude. The article calls it a sophisticated attack, but it isn’t sophisticated. Password Spraying is where an attacker scans many accounts looking for weak passwords in order to gain access. It beggars belief that Microsoft executives would have elevated privilege to access mission-critical secure applications, that they are using non-MFA access and, worse still, that they are using passwords so weak that they can be guessed. I hope I’m wrong about this, but it’s another instance of a lack of holistic cybersecurity. Oh dear! Now, according to Security Dive, Microsoft has announced that it is to review its security practices. (Embarrassment complete!)
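As an added example (not from the original column), the signature a defender looks for in authentication logs to tell a spray apart from a classic brute-force: one source touching many accounts with only one or two failures each, versus many failures against one account. The log lines and their format are constructed for this illustration, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.5 sprays one guess
# across five accounts and then succeeds on a sixth; 198.51.100.9 hammers one account;
# 192.0.2.7 is a user who mistyped once. The line format itself is an assumption.
SAMPLE_LOG = """\
2024-01-20T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-01-20T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-01-20T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-01-20T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-01-20T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-01-20T10:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2024-01-20T10:00:10Z src=198.51.100.9 user=alice result=FAIL
2024-01-20T10:00:11Z src=198.51.100.9 user=alice result=FAIL
2024-01-20T10:00:12Z src=198.51.100.9 user=alice result=FAIL
2024-01-20T10:00:13Z src=198.51.100.9 user=alice result=FAIL
2024-01-20T10:00:14Z src=198.51.100.9 user=alice result=FAIL
2024-01-20T10:05:00Z src=192.0.2.7 user=grace result=FAIL
2024-01-20T10:05:30Z src=192.0.2.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, src, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2, brute_attempts=5):
    """Per source address, slide a window over its events and label the source:
    'spray'       = failures against at least min_users accounts, none tried more than max_per_user times
    'brute-force' = at least brute_attempts failures against a single account
    A success from a flagged source inside the same window is recorded: that account needs a look."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for ts, _, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            if not fails:
                continue
            worst = max(fails.values())
            kind = None
            if len(fails) >= min_users and worst <= max_per_user:
                kind = "spray"
            elif worst >= brute_attempts:
                kind = "brute-force"
            if kind:
                findings[src] = {
                    "kind": kind,
                    "distinct_users": len(fails),
                    "max_attempts_per_user": worst,
                    "successes_in_window": sorted(successes),
                }
                break  # first qualifying window is enough to flag the source
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

Per-user lockout thresholds never fire on the spraying source, which is exactly why the grouping has to be by source (or by password-guess pattern) rather than by account.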
#008 CISA Despite being stuck with a slightly odd name, the US Cybersecurity and Infrastructure Security Agency (CISA) continues to do excellent work. In addition to doing groundbreaking work on self-attestation for software development, it tracks new threats and promotes updates to avoid Zero Day threats that cause damage, publishes the Common Vulnerabilities and Exposures (CVE) list and issues emergency directives. This week it published directives for Ivanti Endpoint Manager Mobile, following new directives on Citrix and NetScaler products. It also issued guidance on the danger to critical infrastructure systems from unmanned Chinese drones.
#007 Fight, Fly or Freeze? According to Malwarebytes (the malware detection company) in their recent survey of 1000 users, everyone is scared of the Internet but little is being done in terms of basic protection. You can’t fly to escape the Internet; people do not fight, with only 35% using anti-virus software, 27% using VPNs, and 24% or less in 8 other categories; so the answer is freeze and hope it all goes away. Bear in mind that many of those interviewed may be working from home using non-corporate devices.
#006 FBI and SEC increase pressure on reporting Some updates on the SEC and FBI activities. There have been several iterations of the news that the FBI will rarely grant extensions to the four-day disclosure deadline in the SEC’s rule that came into effect in December. At the same time, the enforcement re the SolarWinds exploits raises the bar should a company not take cybersecurity precautions seriously. At the same time, SEC Chair Gary Gensler was acknowledging the seriousness of the SEC hack of their Xtwit (my name for this marketing disaster) account that falsely claimed that they had approved a spot bitcoin exchange, while claiming that none of their other accounts were impacted. (They received my headless chicken of the month award.)
#005 Don’t Drop It! Publicly reported on CNN and CBS, with more analysis from TechTarget, a Beijing forensic institute says it has “cracked” Apple’s AirDrop encryption. This is in response to protestors sharing information/“propaganda”, with the aim of obtaining the ID of the sender, etc. Interestingly, about a year ago Apple restricted AirDrop to 10-minute sessions to avoid unsolicited information being sent to nearby iPhone users. The questions are: (1) It appears that an unfixed known vulnerability exposed the sender’s ID and key information that led to decryption – this is just supposition. (2) Did they just get sender information, and was the claimed encryption crack just a scare tactic? (3) Did they find a way of using stored keys to effect decryption, was it a real brute-force decryption, and has the exploit been known for some time by others and been in use elsewhere in the world? This is scary as it comes hot on the heels of the item below regarding Apple vulnerabilities.
#004 Cybersecurity Framework? Given the plethora of “Top 3 tips to ensure your cybersecurity in 2024,” I remembered the NIST Cybersecurity Framework 2.0 issued last August, which started with 5 or 6 categories and then sensibly broke these down into 106 individual subcategories. At least someone got across the complexity of it all. It was only when I started rereading the details that I realized that it’s not really a “Framework” at all. It is a list of actions you have taken, or the outcomes of actions you are taking, all in vague terms such as “Systems, hardware, software, and services are managed throughout their life cycle” or “Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded,” and “Cyber threat intelligence is received from information sharing forums and sources.” It goes on in this fashion. Yes, it’s good as a reminder not to miss important links in the chain, but there is nothing about the actions to take or how to take them. “A” for effort and getting across the scope of the topic, but really “no pass.” Oh, and Zero Trust, Microsegmentation, Critical Infrastructure, Phishing and IoT don’t get a mention. Just a very strange document.
#003 Advanced Persistent Threat Problems (2) Kaspersky has reported an attack that circumvents/bypasses Apple’s iPhone hardware security by writing to undocumented locations. This is a Zero Touch attack (i.e. no user action is required) that has been reported as NIST’s CVE-2023-38606, with extensive commentary by Steve Gibson in the show notes of January 2nd’s Security Now podcast. It seems that only an Apple insider would have knowledge of these undocumented locations, since the vulnerability is not externally discoverable. The result is that an attacker can control all aspects of the device and the user is not aware of the incursion. While the origin of the information is not known, it has been patched by Apple for those who upgrade their phones. The explanation and the reason for this backdoor remain unanswered. It does beg the question of who instigated the back door, when did it first happen, who knew about it and are there similar back doors in other manufacturers’ devices?
#002 Advanced Persistent Threat Problems (1) This category is the hardest to defend against because of its diversity. The latest malware to pry open the door is JinxLoader, used as an element of Hacking as a Service. An Advanced Persistent Threat is the collection of elements that begins with intrusion via phishing or identity theft, then loads malware, elevates privilege and explores weaknesses inside a network or system, then uses lateral movement to deploy malware at those vulnerable places and then instigates attacks in due course. JinxLoader is the vehicle that hackers can buy to begin the process. Further coverage is in this month’s Hacker News article. More coverage on addressing APTs is planned.
#001 My aspirations for 2024
  • Executives in many large enterprises and in almost all SMB companies will no longer be in denial re cybersecurity – and “it won’t happen to us” will be a memory.
  • Companies will no longer be negligent on automatic patching, anti-phishing training and will implement proper delegation to software companies.
  • I will get across the importance of Holistic Cybersecurity resulting in significantly reduced risk.
  • People will get that security is only as strong as the weakest link. All publications, software companies, CISA, NIST etc. will stop listing “the top 3, 4 or 5 things to ensure cybersecurity” because they believe that no-one will read anything that covers the real number of 30, 40, 50, 100+ actions.
  • The SEC, CISA and NIST will continue their good work and not succumb to corporate political lobbyists to water down their innovative work.
December 2023 Headline News – Distilled from a detailed review of 160 cybersecurity postings this month
 Dec #123 Building on Shaky Ground Given the countless threat detection, prevention and removal software and non-IT defenses, it’s a sobering thought that there are still questions being asked regarding vulnerabilities in underlying software, hardware and drivers. The Windows Common Log File System (CLFS) is increasingly being targeted by threat actors, as reported by Dark Reading, as its inherent weaknesses become discovered. Dark Reading’s conclusion is that this important Windows system component is due for a redesign.
 Dec #122 Comcast bleeds data of 35.9 million customers We don’t cover the masses of daily ransomware and data breach attacks here unless there are lessons to be learned. It seems no coincidence that the SEC’s rules on disclosing cybersecurity incidents within 3 days came into effect the day before Comcast revealed that the CitrixBleed data breach hit them (actually, possibly 35.9 million of their Xfinity customers) back in mid-October. So, the legal department thought they’d better say something about it. However, beyond that, the question is “how the heck did it happen?” (1) Was the customer data on a server or was it lost in transit through Comcast’s network? (2) Either way, where was the microsegmentation of data that might have made exfiltration impossible? (3) It seems clear that no implementation of Zero Trust was deployed to prevent escalation of privilege, nor least privilege for ID management, and the list goes on.
 Dec #121 Those boring predictions Everywhere you look there are “Summaries of 2023” and “Predictions for 2024” that mostly regurgitate the same old boring stuff.  Here’s mine.
  • 2023 Summary
    • Read the 120 stories below
  • 2024 predictions
    • Large enterprise executives and SMB companies will continue to be in denial re cybersecurity – and will get hacked.
    • Companies will continue to be negligent on automatic patching, anti-phishing training and software – and will get hacked.
    • I will continue the uphill challenge of getting people to understand the importance of holistic cybersecurity. Those that can be convinced will have significantly reduced risk.
    • Cybersecurity will keep being unpredictable with new threats.
    • The SEC, CISA and NIST will continue their good work with increasing pressure from enterprises via political lobbyists to water down their efforts.
 Dec #120 Quantum Computing Breakthrough The approach of Quantum Computing and the demise of currently dominant asymmetric encryption algorithms took an important step nearer with an announcement by DARPA (the U.S. Defense Advanced Research Projects Agency) and a paper in the journal Nature reporting results from a team of almost two dozen scientists, most of them from Harvard, funded by a DARPA program known as ONISQ (Optimization with Noisy Intermediate-Scale Quantum devices). This has created a 200-fold increase in the creation of “logical qubits” – Quantum’s primary compute elements. Important new work on the creation of symmetrical encryption methods, resistant to quantum decryption, is under way by NIST. More on both of these developing stories early in 2024.
 Dec #119 My New Article on Critical Infrastructure I just took on the mammoth topic of Critical Infrastructure, which impacts all of us. My latest article, published in this month’s ISE magazine, covers the challenges that have caused so many recent high-profile headlines. It examines how implementing the reborn Network as a Service, cybersecurity basics and Critical Infrastructure specifics can eliminate the scary incidents we see daily. Since completing the article several weeks ago, much has happened and the story continues on this site on my Critical Infrastructure page. My next article publishes in February!
 Dec #118 SEC regulations come into effect 12/18 but who decides the math? It turns out that the Securities and Exchange Commission (SEC) regulations that require public companies to disclose material breaches only seem to apply to reporting to the SEC, and really only to the FBI. I.e. 4 days can turn into 60 subject to FBI involvement, or even 120 if the FBI deems it to be a “substantial security risk.” This sounds like an opportunity for political manipulation but is likely better than what we had before. More on this in this Bank Info Security article and on our hot topics page.
 Dec #117 Why do more attacks result in fewer security personnel? To quote from an interesting report and survey run by the CSO publication: “Even as the number of security incidents continues to grow in all sectors, 47% of the respondents plan to reduce their security headcounts, a new report by Observe has revealed. Remarkably, 62% of these organizations also reported a higher number of security incidents per month.” Also of interest, the survey shows the kind of tools being used. Perhaps this indicates that cybersecurity is becoming more of a business-as-usual operation.
 Dec #116 Progress continues It’s always good to be aware of the collective progress in cybersecurity. The DoD’s latest recommendations on protection of weaknesses related to DoD controlled information apply everywhere, are definitely worth a read and are aligned with everything we cover. The document refers to a table of 14 categories based on NIST SP 800-171 revision 2.
 Dec #115 EU Votes to break Internet Security In #107 below we warned of the EU’s determination to ignore reason, put the privacy and security of all EU citizens at risk and put web certification in the hands of member countries. In a behind-closed-doors vote the legislation passed, including the soon-to-be-infamous “Article 45.”
 Dec #114 What bank is that again? For those who are still clicking on those innocent-looking emails, these scary examples show how fraught and tricky the problem is. So, which one of these emails is legitimate and which is from a man-in-the-middle attack? onlinebanking@еαlerts.bankο onlinebɑnking@еalerts.bankо The first and second, highlighted in a couple of alerts recently, rely on the letter “α” being a cyrillic alpha, but our brain registers it as an “a”. However, the third was not covered in alerts but is much trickier, as the “o” is actually a Greek omicron character. I.e. it’s not enough just to look at the address when the difference is hidden by the font. (Good grief!)
 Dec #113 Trains & Boats and Trains Ahead of much coverage of Critical Infrastructure this month, the intertwining of networks, IoT and cybersecurity is highlighted by a feature on rail system rolling stock security by Siemens. This is not a promo for the company, but it does highlight the focus on rail system security. Last month we covered the threats to boats and planes, and shortly an article on critical infrastructure featuring both security and network integrity will also appear on this site. Update: now there is news of a water treatment system in Philadelphia under attack by a Hamas attack group targeting (yes, you’ve guessed it) devices connected directly to the Internet. The big surprise is that this is a surprise to anyone. To be continued.
November 2023 Headline News
Nov #112 Lock Down Given that both the Experian and TransUnion credit bureaus, who know everything about your finances, status and history, are reportedly being held to ransom for $30m apiece, the recommendation is to freeze your credit with them. Then, if someone does get hold of your credentials, they cannot so easily take out a credit card or loan or find out how much money you have, and you will be alerted should there be an attempted access to that information.
Nov #111 Delegate, Don’t Abdicate It started as a simple article in the July/August edition of ISE magazine but it has grown into a monster. Applying Zero Trust principles to delegation and Network as a Service was also part of our ONUG Fall presentation in New York last month, and it has found its way into the MEF’s update to the MEF 118.1 Zero Trust specification. The latest update is on this site.
Nov #110 ’Tis that time of the year. Yes, Christmas is coming and it’s time for Black Friday scams (“hover before you touch” that FedEx tracking email or Best Buy special). However, among the many lists of predictions for 2024 is something useful: Cyber Security Hub lists the 10 security misconfigurations to fix right now. The obvious ones are there: using default configurations, not applying least privilege, non-automated updating and lack of segmentation. Others are less often considered: insufficient internal network monitoring, weak MFA methods, insufficient access controls and bypasses of system access controls, poor credential hygiene and lazy (my word) oversight of code execution.
Nov #109 The nerve of some robbers! It’s bad enough that the ALPHV ransomware group holds victims such as MGM to ransom, but to file a complaint with the SEC that one of its victims (the fintech firm MeridianLink) did not report the breach in time is to ridicule and make a mockery of all concerned. It’s like a bank robber stealing money from a bank and then suing it for lack of security.
Nov #108 3 Critical Infrastructure Issues Time to look at critical infrastructure. As a lead-in to this monster topic, three incidents occurred in the second week of November: Australian port systems (DP World) were hit, there are new concerns about aircraft safety, and the world’s largest bank (ICBC) was hit, all separately. In the third week, the personal information of 5,700 employees at a US nuclear energy centre was leaked. Not a good place to have an insider threat or a social engineering attack built on an employee’s vulnerable past. As a first step, it’s a timely reminder for executives in these major organizations to stop thinking in the past and focus on the basics to Break the Vicious Circle. Also, to focus on the many issues of the critical infrastructure instances above and their special requirements. More to follow on these topics.
Nov #107 EU time machine to return to 2011 Despite almost every major security and tech company’s efforts, the blinkered non-experts in the EU are about to take the Internet’s security and personal exposure back 12 years. The proposed legislation (eIDAS 2.0 and more specifically Article 45), to quote Mozilla: “This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.” Loads of coverage on this potential disaster: (1) Security Now ep. 947, (2) The Register, (3) the EFF civil liberties foundation. The EU gives carte blanche to governments, and probably hackers, to run amok and eavesdrop on everyone!!
Nov #106 When will they learn? It seems to have escaped the world of cybersecurity software vendors that they are the main targets. Following reports of Okta’s support-system breach leaking customer data, the Microsoft juggernaut seems to be waking up, responding to significant U.S. Government pressure. Cybersecurity Dive is one of many to report “government branches being concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features.” Microsoft’s Secure Future Initiative addresses this with an update to its Security Development Lifecycle (which we cover on this site) to become a “dynamic SDL” (dSDL), plus updates to its “security defaults” and identity management. Lots of good intention. What it translates into is definitely left as an exercise for the subscriber, and any improvement would be good for all.
Nov #105 Delegation not Abdication My original ISE article in August 2023 has been greatly expanded to cover six key areas that require verification of companies, services and software. This blueprint covers 26 functions that help support an organization’s responsibility to verify its own operation and that of its suppliers. I hope that the proposed CISA budget cuts don’t slow down their effort in this area.
Nov #104 40+ Countries Pledge to Pay No Ransoms This much-fanfared story received a lot of coverage, but it may be limited to organizations that would likely not be paying anyway, even if it’s enforceable. When signed, it appears to be limited to government agencies, not the organizations that operate in those countries. If it comes to “breaking the agreement” or survival, we will see which one wins and whether it puts a dent in the projected $bn problem by the end of 2023. What is often overlooked is that paying a ransom to state-sponsored (or otherwise sanctioned) threat actors likely breaks the law in the U.S.; the 2021 update from the Treasury’s Office of Foreign Assets Control (OFAC) explains more. And how can you possibly know who you are paying?
October 2023 Headline News
Oct #103 SolarWinds Almost three years after Texas-based SolarWinds disclosed its infamous breach, the Securities and Exchange Commission filed charges against the company and its CISO, Timothy G. Brown, alleging that the software company misled investors through misstatements and omissions that concealed its deficient cybersecurity practices. This is a story that will concern a much wider audience.
Oct #102 Boeing goes boing? It will be interesting to see how LockBit’s ransomware attack on the $60bn Boeing Company plays out. The attackers threaten to make public data stolen from the massive commercial and defense aviation and space company if it does not respond by Nov 2nd. What the cybersecurity community wants to know is what the lessons to be learned are: “Why did this happen?” should also be part of the new CISA reporting rules, however painful that might be. It would be good to see laws against ransomware payments come into effect, though this might turn complicated. Update: LockBit posted what it claimed was some of the stolen data on Nov 10th.
Oct #101 $2 Billion Domino Effect It never ceases to amaze that basic security fundamentals are neither part of a security software company’s development process nor part of a subscriber’s delegation and verification process. The $2bn in question is the loss in the market cap of Okta, the industry’s go-to company on identity management, at the heart of many Zero Trust implementations. The impact on its 18,000 customers (many household names) is not known, but MGM, Caesars, Cloudflare and 1Password are on the list of dominoes that have fallen. What’s concerning is that the MGM Okta incident was known about for more than a month and yet the rest of the stories are only just seeping out.
Oct #100 A new paradigm for cybersecurity in the boardroom? Given the dramatic story below, this 100th posting of the year takes on a more optimistic note. It appears that a new model for cybersecurity is taking shape in executive teams and company boards: a security committee, consisting of or including one or more consultants, that takes responsibility and provides executive oversight is becoming popular. About time too! Given that the CISOs or designated security experts within an organization often have neither the business skills nor the experience to speak the language of the executive team, this is an important trend that can scale up or down to almost any size or type of organization. More on this to follow shortly on this site. Splunk’s 2023 report includes data on this trend.
Oct #99 Ouch! The web user interface of Cisco’s IOS XE software has a serious, actively exploited flaw, as reported by SentinelOne and Cybersecurity Dive. An unauthenticated remote attacker can create an account at Cisco’s highest privilege level (15), from which they can cause untold chaos to monitoring, routing, and physical and virtual processes and plant man-in-the-middle implants; it impacted 140,000+ systems and their customers worldwide! (Yes, a big ouch!) (Update: October 23rd. Cisco has produced a patch for the problem. Without the patch, …) Cisco states that all end-users (and presumably service, cloud and managed service providers) should disable the web UI feature (“no ip http server” and “no ip http secure-server” in the running configuration). The flaw, CVE-2023-20198, carries the highest possible CVSS rating (10.0). Those are the facts, but the critical unanswered question is: how, with all their expertise, could Cisco possibly allow that to happen? If they can be hacked in this way, what hope is there for other organizations? It appears that more than three weeks went by before the severity was realized. We will keep this story updated in more depth. However, given that no-one wants to reveal their defenses for fear of revealing other weaknesses, our assumption is that we will never know.
Oct #98 New HTTP/2 Design Vulnerability Cloudflare alerted the world to a huge denial-of-service attack, actually the biggest of all time, built on the HTTP/2 “Rapid Reset” technique (CVE-2023-44487), which abuses the protocol’s stream cancellation to generate far more requests than a server can handle. This is covered in more detail in the Bot and HTTP sections of our Cyberpedia page. Those alarmed by this should take it as an example of why proper DDoS attack protection is a requirement.
Oct #97 Collaboration Tool Users Beware Vulnerabilities in Atlassian’s Confluence collaboration platform were reported by SentinelOne as CVE-2023-22515, rated 10.0 with patching required; the flaw lets an attacker create unauthorized administrator accounts. Gaining access to such tools can open the flood gates to impersonation and phishing attacks. For those unfamiliar with Atlassian’s Confluence wiki, it has been the mainstay of many organizations for collaboration and developing work for well over a decade. Like Slack, Google Docs, etc., it’s used in many industry associations, and thousands of users have freely made their contact info available on such platforms. All of these tools have had a history of exploits; even Zoom, Microsoft Teams and messaging apps such as Skype and WhatsApp (as reported this month by Nextgen Hero) have been attacked in the past. The lessons to be learned are to keep several email addresses, never use a single common sign-in, and watch for phishing attacks that appear to come from previously trusted members or leaders of such groups. Also, in an adjacent space, many will be aware that as recently as August 2023 Cyberint reported a significant wave of attacks on LinkedIn users.
Oct #96 Significant IoT risks for Critical Infrastructures One aspect of Microsoft’s 2023 Digital Defense Report, published this month, was the importance of keeping separation, or an “air gap”, between operational and IT networks for critical infrastructure systems. Chapter 4 covers the fact that 78% of IoT devices have known vulnerabilities (bad enough in itself); of those, 32% could be patched yet remain vulnerable, and 46% cannot be patched at all. This makes it even more critical to ensure that no device (IoT or otherwise) is directly or indirectly exposed to Internet connections from cloud-based or self-hosted applications. What’s more, any software that does connect to critical IoT devices must be properly verified for secure operation and must communicate with such network devices over secure, encrypted tunnels. One commentary on legacy IoT devices: 25% of them run unsupported operating systems. (good grief!)
Oct #95 Be aware or be prosecuted The SEC’s new rules have raised the cybersecurity bar for public companies and will no doubt trickle down to their supply chains. For organizations that are U.S. government contractors, increasing scrutiny spelled out under the False Claims Act is falling upon those who knowingly: (1) provide deficient cybersecurity products or services; (2) misrepresent their cybersecurity practices or protocols; or (3) violate obligations to monitor and report cybersecurity incidents and breaches. Read more in this new article from Corporate Compliance Insights. Government agencies that apply the Delegation Methodology can protect themselves and help their suppliers prevent this problem.
Oct #94 Misconfigured Misconfiguration List? The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the Top Ten Cybersecurity Misconfigurations. It has received a lot of uncommented coverage and is well intentioned, we are sure. Yes, the list contains 10 or so of a hundred possible cybersecurity best practices, but only one of them (5. Poor patch management) actually covers misconfigurations as such. I can immediately think of at least 10 more actual misconfigurations and I have put these on my Cyberpedia page, which has now grown to more than 260 terms. Sounds like a contribution to CISA is needed. This topic deals with misconfigurations due to weak policy, human error and incorrectly programmed automation. It does not cover how such lists should be protected from deliberate misconfiguration!
Oct #93 MGM Announces $100m Loss In more SEC-driven disclosures, MGM Resorts revealed that the attack cost it around $100m in the third quarter! It also revealed that sensitive personal data of customers who transacted with the resorts before 2019 was stolen, though it does not say from when. The source for this is Cybersecurity Dive. Full coverage of the whole MGM story and the lessons to be learned is now on the new in-depth topics page. It covers the thirteen steps you should take to avoid it happening to you and looks at the possible real reason for the attack that no-one else has mentioned.
Oct #92 AWS=MFA AWS says that by mid-2024 it will require the use of MFA, beginning with the “most privileged users” of accounts (the root users). See the Cybersecurity Dive article for details. The question is: why wait? (Note, as we reported previously, MFA is by no means infallible.)
Oct #91 FBI Warnings This article posted by the World Economic Forum covers four topics, including the latest FBI warnings.
Oct #90 Cybersecurity Month to last forever? A new Forbes article, “Beyond Cybersecurity Awareness Month: Finding A Signal In The Noise,” focuses on medical device security but, importantly, on the fact that “cybersecurity isn’t a fleeting concern.” NIST also published a piece for Cybersecurity Awareness Month.
Previously on Breaking News