BREAKING NEWS and LESSONS LEARNED

Cybersecurity changes faster than you can read about it.
This page covers news, updates, comments and lessons learned on around 10 of the 7000+ cybersecurity stories covered each month.

Updated July 26th, 2024.

July 2024 Headline News
#079 Insider Out The current trend of targeting cybersecurity companies took a surreal twist when security firm KnowBe4 inadvertently hired a fake IT worker who was actually working for a North Korean state-sponsored hacker.

News on Critical Infrastructure incidents is also tracked on the Critical Infrastructure page.
Click here to subscribe to our new news update service delivered via email.

In Depth

Some stories need a closer, sometimes controversial look.

The biggest IT disaster of all time?
“Let me just get this, it’s my father on the phone.” Or is it? Did AT&T open Pandora’s Box?
NIST’s Cybersecurity Framework “brings organization to cybersecurity implementation.” We explain why we have a very different view from others.
How and why the Securities and Exchange Commission is bringing discipline and accountability globally, helping everyone in cybersecurity.
The now infamous breach of the MGM hotel and casino chain has become a poster child of how not to implement holistic cybersecurity. But what was the real unreported reason behind the attack?
July 2024 Headline News
#078 Meanwhile in other news …. As the world piles on to CrowdStrike for what is likely to be an important lesson for all, six other cybersecurity stories churned on in just the last 48 hours: in Los Angeles, the entire court system, which spans 36 courthouses and handles 1.2 million cases per year, is currently shut down because of a ransomware attack – that’s one way for hackers to avoid prosecution. The estimated cost of the Change Healthcare debacle has now been revised to $2.3bn. The fragility of other software was shown by North Korean APT attacks on software company JumpCloud, and a privilege escalation design flaw at Google was exposed. Returning to CrowdStrike, it appears that CrowdStrike’s platform is not available to smaller companies – so that’s something. Finally, Cisco managed to chalk up a rare CVE with a 10.0 severity rating, allowing unauthorized users to do, well, anything.
#077 Major Costly Outage caused by cybersecurity prevention. A systemic software supply chain failure (the automatic update of CrowdStrike’s Falcon software) caused the biggest IT disaster of all time on July 18/19th. An example of software created to prevent attacks being worse than the attack itself, with 8 million crashed Windows PCs, 26,000 affected companies, 4,000 flights cancelled and so much more. The full story is now covered at cybyr.com/hottopics/
#076 2 year-old AT&T story – suddenly Breaking News? The strange thing about this story is that it’s suddenly news. The question is why? It may be no coincidence that the timing of these disclosures and revelations is an attempt to ward off potential legal action, as they come on the same day that the SEC has further strengthened its breach reporting regulations. Something doesn’t seem quite right here. In fact, wait … it involves problems for all. This seems to be a disaster. See the full coverage at cybyr.com/hottopics/. Update: However, it appears that this is not really an AT&T story at all, though what they did made it worse! The issue appears to be due to a breach at Snowflake, the massive Cloud data and compute broker, whereby 400 of their customers had their credentials stolen. Well, Snowflake is blaming authentication weaknesses on its customers. Their users refute this. It does appear that infostealers penetrated a Snowflake staff account and exfiltrated the credentials of 400 customer companies that didn’t have MFA. Be that as it may, their end user customers are not off the hook because they did not properly delegate their responsibility – they abdicated it to Snowflake. This is not nearly the end of this and everyone is blaming everyone else! Lesson to be learned: adopt cybyr.com’s delegation methodology. Unbelievable.
#075 I’m OK, My Data is Backed Up. Time to be a bit scary. It’s touted that if we have our data backed up, and even encrypted too, then we can’t be hacked. Even if we are hacked then our data is not lost and our business won’t be disrupted. Well, a survey conducted by Veeam (reported on its YouTube blog) revealed that 96% of hackers target data backups; 76% were impacted and only 20% were unaffected. Good Grief! Lesson to be learned: notwithstanding other defenses, have a Resilience Plan that backs up clean data that is encrypted and NOT online (as in there is an air-gap). A critical part of the plan is to both test the recovery and ensure that such recovered data is scrubbed for the presence of malware. Alternatives may be the use of Cloud-based Backup as a Service (BaaS) or Disaster Recovery as a Service (DRaaS), but these need careful investigation too. (See also our notes on Asset Curation)
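One way to put the "test the recovery" part of that lesson into practice, as an added example (not code from cybyr.com or from Veeam): a keyed manifest taken with the backup lets a test restore prove that nothing was altered, removed or added while the backup sat where an intruder could reach it. The file names, the key and the known-bad list are constructed for the demo.

```python
"""Backup-recovery check: an added example, not code from cybyr.com or Veeam.

When a backup is taken, record a SHA-256 per file and sign the whole record
with an HMAC keyed by a secret kept off the backup media. On a test restore,
verify that record: the manifest itself must carry a valid HMAC, every file
must be present and match its hash, nothing unexpected may have appeared, and
no restored file may match a known-bad hash (a constructed stand-in for the
malware scrub the lesson calls for).
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, key):
    """Map relative path -> sha256 for every file under root, then HMAC the
    canonical JSON of that map with a key held outside the backup set."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_restore(root, manifest, key, known_bad=frozenset()):
    """Return (ok, problems) for a restored tree. ok is False when the manifest
    was altered, a file is missing, altered or unexpected, or a restored file's
    hash is on the known-bad list."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    for rel, digest in manifest["entries"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
            continue
        actual = sha256_file(full)
        if actual != digest:
            problems.append(f"altered: {rel}")
        if actual in known_bad:
            problems.append(f"known-bad content: {rel}")
    # Anything present in the restore but absent from the manifest is suspect.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest["entries"]:
                problems.append(f"unexpected file: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a clean restore passes; a file altered after the
    manifest was recorded is flagged; a manifest with a forged tag is rejected.
    Returns (clean_ok, tampered_ok, tampered_problems, forged_ok)."""
    key = b"constructed-demo-key-keep-this-off-the-backup-media"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("quarterly close\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_restore(root, manifest, key)

        # Simulate tampering with the backup after its manifest was recorded.
        with open(os.path.join(root, "ledger.csv"), "a") as f:
            f.write("2,999999\n")
        tampered_ok, problems = verify_restore(root, manifest, key)

        # Simulate an intruder rewriting the manifest without the key.
        forged = {"entries": manifest["entries"], "hmac": "0" * 64}
        forged_ok, _ = verify_restore(root, forged, key)
    return clean_ok, tampered_ok, problems, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, ['altered: ledger.csv'], False)
```

The check only works if the HMAC key never travels with the backup; a key stored alongside the data lets whoever altered the files re-sign the manifest.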
#074 The Benefits of a Cyberattack! What? Surely not! This is not actually a news item but maybe it should be. It was an insight from Heather Hughes of AON. What was revealed is that companies who successfully defend an attempted breach and disclose both the breach attempt and their dedication to security processes saw a 9% increase in their share value. This includes proper notification of such breaches and also applies to non-public companies. This is all about the implementation of successful resilient asset curation, training and more. The reverse is also true: loss of revenue, loss of shareholder confidence and delays in operation by not following best practices. The lesson to be learned: following holistic cybersecurity best practices is a huge competitive business advantage.
#073 Chevron Ruling Reverberations The reverberations from the “Chevron” ruling continue. First reported in #069 below, this new ruling overturns the 1984 case’s requirement for companies to defer to the federal authorities, who, it seems, will no longer have the power to enforce their regulations such as breach reporting. The jury is still out on the ramifications but it has the potential to damage the safety of organizations and their customers. (Update: It has also – according to the Daily Scoop – put the U.S. Government’s active but fragmented cybersecurity and new AI initiatives into a state of uncertainty, since it is no longer clear whether, which and how these regulations are enforceable after the Chevron ruling.) The article (#074 above) brings some business motivation.
#072 Much too Open SSH Esteemed for its long-standing security, OpenSSH (Open Secure Shell) has been vaunted as the right way to write code. OpenSSH encrypts identities, passwords, and data, avoiding theft. Unfortunately, a recent upgrade reintroduced an old flaw that created a vulnerability exposing millions of Linux devices around the world. It was discovered by the Qualys Threat Research Unit, whose report reveals why and how the vulnerability occurs. One drawback of explaining how it can be breached is that it educates threat actors on how to exploit it. It might be fair to question the integrity of the OpenSSH group’s regression testing, but more importantly it highlights the amount of care required when considering upgrades to such a pivotal piece of code.
#071 TeamViewer Breach A report from Cybersecurity Dive covered TeamViewer’s IT network being breached through compromised employee credentials. It’s the same Midnight Blizzard attacker that hacked into TeamViewer partner Microsoft. Although none of the 640,000 customers’ data was breached, either the breach was looking for employees with admin privilege that could cause further problems or was planning more mischief for the company itself.
#070 New Holistic Cybersecurity Lesson The ransomware breach at Infosys McCamish Systems that occurred in November 2023 was just revealed to have impacted more than six million of its customers. The lesson being that delegation to outside consultants (like cybyr.com!) is not risk free. Not only Infosys but other firms, including those brought in to deal with ransomware(!), must also be treated with caution, and a consultant firm’s own security must be verified prior to engagement. It’s no surprise that not following the basics, like properly backing up data (as just happened in Indonesia), enables ransomware.
June 2024 Headline News
#069 Writing on the Wall for SEC Cybersecurity? The June 27th ruling by the U.S. Supreme Court limited the power of the SEC to enforce fraud violations, requiring such violations to go to a court. Whether that is a good or bad thing, it occurs to us that the SEC rulings on cybersecurity breaches could go the same way. If it did, it would make it less likely that possibly negligent behavior would be enforceable, diluting all of our protection.
#068 Good News: Limited Liability Bill Vetoed The interesting aspect of the news that Florida’s Governor DeSantis vetoed a bill that would have limited the ability for businesses and local governments to be sued following a data breach is its impact elsewhere. If passed, it would have limited the organization’s liability, which would have impacted the SEC regulations in that any supplier in an SEC company’s supply chain would have been let off the hook. This would have made it impossible for public companies to hold their suppliers accountable. It would also have meant that any company being breached would have no responsibility or incentive to verify the integrity of a supplying software company or its products. I.e. it’s a very good thing that this bill was vetoed – but I wonder if all the consequences were understood?
#067 Kaspersky Banned – Sort Of.

It’s taken a while but the doublespeak of Russian hackers and Russian Security company Kaspersky being okay is almost as strange as the new U.S. ruling banning Kaspersky. There never was any oversight of how Kaspersky developed, operated or managed their software or how it employed staff, etc., to hopefully guard against rogue hacker employees. For this reason, this company’s products or recommendations have never been featured on cybyr.com.

It begs the question: why is it being “banned” now? Why not 2 years ago or more? Did something new get detected that wasn’t there before that they don’t want to reveal?

The second bizarre part is that once sales of the products are banned from September 30th, users of the products can still use them but can’t update them! What? If it’s that bad, why not ban the products today? So this is a license for hackers to infiltrate the software knowing that no patches will be issued. Also, it appears to give the apparently untrusted Kaspersky a small window to insert malicious code into its products. What could possibly go wrong?

As if to prove this point, on the very same day, a Chinese threat actor, UNC3886, is reported to have exploited a zero day in Fortinet and Ivanti security products. If it were a Kaspersky product and was exploited after September 30th, 2024, then it would never be patched. Good Grief!

#066 15,000 Car Dealers halt business Lesson to be learned: CDK, supporting 15,000 car dealerships, closes down due to a ransomware attack. Sounds like yet another company with no understanding of holistic cybersecurity. No tested resilience plan, encrypted information, or protected backup of systems and data? Update: One report confirms that lack of properly curated assets and a resilience strategy is what made the recovery so slow.
#065 NIST Issues Draft Water & Waste Water Guidance NIST has issued guidance on architectures for improved cybersecurity of the Water and Waste Water sectors. It’s only noted here because it begs the question of why it is purely voluntary when there is so much pressure to make such architectures, if not mandatory, then strongly recommended to avoid liability?
#064 Microsoft: Shocking but Hardly Surprising It would be easy to pile on to Microsoft’s much-reported cybersecurity woes with the ProPublica story of the company’s role in the SolarWinds incident and the Cyber Safety Review Board’s hearing before Congress. Maybe they deserve it because they play such a pivotal role in end user and Cloud based systems today. They have the usual mixture of smart people and corporate lifers in the organization. We’ve seen them in all large organizations: middle managers whose purpose is not doing something that gets their boss fired, and who don’t think outside of their box. We’ve also seen how the media sensationalizes what seemed a good idea to someone just toeing the corporate line. The aptly named Mr. Smith, of course, complained that Microsoft’s competitors were on the safety committee that brought the complaint, and so it goes on. The bottom line is that we need to trust and verify that Microsoft makes the right cybersecurity decisions going forward. This is where I have the biggest concern given their seeming missteps with their Total Recall announcement (#62 below, and already renamed as just “Recall”) and their way overhyped Copilot+PC launch (there’s a Copilot button on the keyboard and the spacebar is smaller – and the processor has been rebranded as an NPU). The questions to this observer are: “will we ever be able to verify the security of Microsoft’s products?” “Will the new well-intended Healthcare Security Initiative be based on actual substance or will it create more problems?” “Will the new pending Recall (AI product) create a single back door into every system?”
Update: The June Patch Tuesday from Microsoft contained a very long-standing bug which has exposed all Windows PCs to intrusion via Wi-Fi for a very long time. This is exactly the kind of security risk that would be made much worse with Recall.
This will be continued as a Deep Dive but for now – here are several related links:
ProPublica, Federal News Network, The Hill, NPR, ProPublica on the 2016 incident, and last month’s launch of Copilot+PC.
#063 Indicators of increased impact of cybersecurity attacks Splunk’s new survey of downtime costs revealed that downtime accounted for an average of 9% across all Global 2000 organizations, along with stock price devaluation, with more than half the incidents being cybersecurity related. Clearly this can apply to all organizations. The biggest loss was $49m in one incident. It’s not getting any better either, with another new report from Risk&Insurance showing ransomware related insurance claims at record levels.
#062 “Total Recall” Totally Recalled Well, it seemed a good idea at the time, but Microsoft have recalled their “Total Recall” initiative even before it was released. Why has this created such an uproar? Apart from recalling everything you ever do, did or looked at, it creates a massive security and potential invasion of privacy problem when your PC or system is breached or disposed of. (Note that I said when, not if.) When Microsoft does release it, they say it will be opt-in only. I still don’t want this near my laptop because, again, if my laptop gets breached it could likely be switched on. Just stop it.
#061 US Cybersecurity Strategy Updated

First published in March last year, the National Cybersecurity Strategy Implementation Plan (NCSIP) put the cat among the pigeons with its declaration of supplying companies being held “liable” for any vulnerabilities. This month, the Department of Homeland Security (under which CISA falls) published official highlights of NCSIP version 2 (as first covered last month in #47 below).

Thirty-one new initiatives include: improvements to Critical Infrastructure initiatives, collaborative avoidance of attacks, digital product safety and education.

#060 CSF 3.0 coming next year Considering this site’s view of CSF 2.0, it is with bated breath that we hear NIST is planning its “final” version early next year. We will update with developments as they occur. Could it be any worse than 2.0?
#059 AT&T Breached again Now the hackers are repeating themselves. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” Bleeping Computer and others reported on the latest AT&T breach. With so many credential breaches it’s easy to see why we are becoming immune to them.
May 2024 Headline News
#058 Don’t Step in … oh too late.
Microsoft revealed that it is offering relocation to – mostly Chinese – engineers to other countries. The numbers – in excess of 700 – speak volumes to the potential infiltration of code that has vulnerabilities deliberately inserted by nation-state actors. The issue doesn’t seem to go away when the staff are relocated. Good Grief!
#057 Platform v. Point Solution
Normally this page covers news stories looking for lessons to be learned. This falls into lessons to be learned rather than news. This interesting interview with Brian Essex of JP Morgan Chase covers a shift from best-of-breed point solutions to platform solutions, which have previously increased dependency on a single vendor but are starting to provide complete cybersecurity solutions from resilience to detection. What’s not clear yet is the affordability outside of large corporations.
#056 EU Game-Changing AI passes into Law
Artificial Intelligence Act: Members of the European Parliament voted overwhelmingly to adopt the landmark law that includes: safeguards on general purpose artificial intelligence, limits on the use of biometric identification systems by law enforcement, bans on social scoring and AI used to manipulate or exploit user vulnerabilities, and the right of consumers to launch complaints and receive meaningful explanations. It is anticipated to have a significant impact on cybersecurity – depending on how it is actually enforced.
#055 RSA & ONUG Show Impact of AI on Networks and Cybersecurity Forbes interviews with companies at RSA in San Francisco reveal the progress being made by security companies on the use of AI to detect threats and protect users. Similarly, the ONUG Spring AI Networking Summit in Dallas revealed the potential for AI to make significant inroads into threats to the entire network ecosystem. For now, the focus is on protection of the larger enterprises. The challenge is to make that progress available to all organizations irrespective of size. Until it does, the threats will continue to increase.
#054 SEC Amends Rules On May 16th, the SEC announced Rule Amendments to Regulation S-P to Enhance Protection of Customer Information. These covered incident response programs, customer notifications of data breaches, service provider oversight, the scope of the safeguards and disposal rules, record keeping and an exception to the annual privacy notice requirement. Smaller organizations will have 2 years to comply, large organizations 18 months. For interesting commentary see the Debevoise & Plimpton site.
#053 Arup Hit With Deep Fake. CNN covered this attack on a UK multinational design and engineering organization, Arup. The deep fake scam led to one of its Hong Kong employees being duped out of $25m when video and voice fakes were used to impersonate known colleagues. Lesson to be learned: identity verification and multi-level authentication need to be implemented, and training is sorely needed – especially when large sums like this are involved.
#052 Life and Death Impact. Top of the list of critical infrastructure targets is still healthcare – the most at risk to life and therefore the most likely to pay up. Following the recent ransomware attack on United Healthcare’s subsidiary, Ascension Healthcare, with 140 hospitals in 19 states, is the latest to have patient treatment and information severely compromised. Black Basta is the malware being blamed but the real culprit is surely lack of competent defense. In an update by Cybersecurity Dive, it was revealed how a hacker used Microsoft “Quick Assist,” vishing, etc. to create social engineering attacks. A sobering read.
#051 The old ones are the bad ones. Reported by many including Wired magazine, CISA’s Kevin Briggs confirmed to the FCC multiple cases of Americans being tracked and penetrated via SS7 or Diameter (cell phone signalling protocols). This follows similar reports of German cell phone users having their bank accounts drained. This is a very long-standing vulnerability apparently.
#050 68 Sign the Pledge … the CISA Secure by Design Pledge that is. By signing the voluntary pledge, 68 companies producing software, services and software as a service pledge to, well ... and there, in the detail, it becomes not so strong. All basic stuff, but with words like “within 12 months developing a transition plan to use memory safe languages.” Great, but that transition could take a decade. “Within a year to provide functionality to allow automated installation of patches.” Really, why wasn’t that mandated five years ago, and even this doesn’t make it a default that the user must override if they refuse it. It’s not a legally enforceable pledge so there appear to be no consequences if companies sign but don’t follow it … and so it goes on. Good intention but no doubt watered down by the signing participant companies. No mention of Zero Trust or secure management of products; physical products and IoT devices are excluded. Maybe that excuses Apple, VMware and Intel, but Cisco, Google, Microsoft, Lenovo and the main security companies have signed. Shame it’s so weak. Good news is that most are only signing up for what they already have in place today – and CISA does encourage companies to state that. All the details are in the link to the CISA page.
#049 $10m anyone? Time to look under the floorboards and see if Russian national Dmitry Yuryevich Khoroshev, LockBit creator/developer is hiding there. If he is, drag him down to your local DOJ office where you will find $10m in cash waiting for you. The story was covered everywhere.
#048 Chinese attacks on undefended network devices Speaking at this month’s annual RSA conference in San Francisco, Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency, said “The Chinese threat absolutely is the one that is keeping us awake every night.” More coverage of the story is on the Cybersecurity Dive web site. Volt Typhoon has embedded itself in insecure network devices that are typically not protected in the same way as end systems. The plea is for network device providers and their service provider users to properly delegate the kind of best practices highlighted on this site.
#047 U.S. NCSIP version 2 published This month the US Government published its revised National Cybersecurity Strategy Implementation Plan. The 69 page PDF can be found here. The substance behind the grandiose language covers (1) Defending Critical Infrastructure, (2) Disrupting and Dismantling Threat Actors, (3) Shaping Market Forces to Drive Security and Resilience, (4) Investing in a Resilient Future and (5) Forging International Partnerships to Pursue Shared Goals (getting international buy-in). Further commentary to follow, but it’s good to see the administration taking leadership on the subject so earnestly.
#046 Microsoft: Lessons being learned. Microsoft’s response to the CISA Cyber Safety Review Board’s scathing, across-the-board criticism of their penetration by last year’s Advanced Persistent Threat attack immediately exposed the real problem for other companies. Yes, it was good to see both Board Chair and CEO Satya Nadella and security head Charlie Bell respond that cybersecurity would be a priority. While the review shows that so much needs attention at Microsoft, it strikes me that (finally) others might copy Microsoft in having the security chief report directly to the CEO. Now, if they would only adopt holistic cybersecurity.
#045 Pass on Passkeys? The day after the UK legislated to end weak passwords (in story #044 below), the reaction might have been “nice idea, 10 years too late and who needs them anyway – thank goodness we have Passkeys now” – which are being adopted by many of the main players. Well, that didn’t last for long. The very next day, in a long and complex discussion, Passkeys were brought into question. The story unfolds describing the many technical issues being uncovered and issues with browsers. More on this to follow but for now catch up on the breaking story on page 12 of Steve Gibson’s latest podcast PDF.
April 2024 Headline News
#044 UK makes use of weak passwords illegal! The Product Security and Telecommunications Infrastructure (PSTI) Act came into effect on April 29th, requiring manufacturers of consumer-grade IoT products sold in the UK to stop using guessable default passwords and to have a vulnerability disclosure policy. Really, why isn’t that the law everywhere? But wait, does this mean that ancient IoT devices that can’t be upgraded are likely illegal? Much more than that. It impacts wearable health trackers, cameras, TVs, speakers, smoke detectors, door locks, kitchen appliances, etc. The details are available in a PDF found on the European Telecommunications Standards Institute (ETSI) web site. More to follow on this story.
#043 ChatGPT-4 Excels at CVE Exploits Coverage of Generative AI (e.g. ChatGPT variants) is made with caution here. However, when ChatGPT-4 was fed the CVE* database, its success at creating exploits that crack these vulnerabilities was a staggering 87%, as opposed to 7% without the data. Previous versions of ChatGPT and others scored 0%. *CVEs (Common Vulnerabilities and Exposures) can be found in CISA’s catalog of KEVs (Known Exploited Vulnerabilities). The article covered by Tech Radar goes into the sobering details discovered by the University of Illinois.
#042 VMware Ransomware According to an FBI advisory, the Akira ransomware group has breached over 250 organizations and has gained approximately $42 million in ransom payments since March 2023. Full story covered in many places including Spiceworks. These attacks exploited vulnerabilities in VMware ESXi virtual machines.
#041 Water, water Everywhere According to a CNN report, an attack on the water systems in Muleshoe, Texas caused water to overflow from the town’s water tower. While that caused local issues, what’s more interesting from a wider perspective is that the linked report generated by security company Mandiant goes into great detail on the Russian-linked APT44 group and how they go about such threats.
#040 Ransom-war Plague? Last month’s report on Change Healthcare (#29 below) looks like it’s going to cost its parent company United Healthcare upward of $1bn! Unsurprisingly, despite millions being paid in ransoms, the threat actor is revealing its stolen information. In Tarrant County, Tx, 300 residents had all of their personal info (SSNs, driver’s licenses, etc.) put on the dark web in a ransomware attack. There are now well over 1000 articles on the ransomware plague each month. Perhaps it should better be termed RANSOMWAR.
#039 It’s that easy In a Forbes article, Jay Chaudhry, CEO and Chair of Zscaler, describes how easy it is for threat actors to use Generative AI and its Large Language Models to ask for vulnerabilities of specific organizations and then to write code to exploit them, including, it seems, Advanced Persistent Threats. We are living in the beginnings of the Skynet world of the Terminator movies, but unfortunately there’s no travelling backwards in time to remove the AI. He goes on to cover how Zscaler’s strategy and products use AI, firewall and VPN replacement, hide data and provide Zero Trust SD-WANs. This is not an endorsement of any Zscaler product but the article makes a very interesting/sobering read.
#038 Critical Infrastructure Protection: Water Systems One of the most targeted critical infrastructure sectors has become water systems, with many reports and warnings regarding threat actors from government and other resources. A new bill to establish a Water Risk and Resilience Organization has been introduced in the U.S. to strengthen and enforce cybersecurity. Further details are in this Statescoop article.
#037 Who is protecting the protectors? The problems when leading security software companies (such as Palo Alto Networks, self-reporting a critical vulnerability, updated 4/13) are: (a) what are the development processes that were not in place that resulted in the vulnerability? (b) How can others learn from the mistakes when users are not safe until the problem is fixed (fixes are under development*)? (c) How can others learn from the mistakes even when the problem is fixed, when revealing the cause is likely either too risky or just bad business? (d) As soon as the problem is fixed, will all systems be updated (probably ok in this instance but mostly not)? (e) And lastly, if you can’t trust the market leaders then who can you trust? *Update 4/15: Palo Alto says it has fixed the problem and updates will be rolled out shortly.
#036 Ransomware hits home – if you still have one The Jackson County, Missouri ransomware attack has caused chaos for people buying and selling homes after the attack disabled the systems and caused offices to close for days. What makes it a big deal is that with the offices closed, house sales can’t register or be closed, offers expire and loans can’t be enacted, people have moved out and new owners can’t move in. I.e. chaos.
#035 CISA Initiative will have big impact An initiative by CISA this week will bring regulatory focus on cybersecurity to several hundred thousand business organizations. It follows rules brought by the SEC to publicly traded and regulated companies last December. This process, known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, was initially introduced in 2022. This CISA update will require compliance with incident reporting and will likely, when complete, require companies to show that they have been taking documented, prudent, preventative steps. This document completes its comment phase on June 3rd, 2024 and publication will follow. We will no doubt comment to CISA after carefully reading the draft document, as we did with previous initiatives. Click here for the link that introduces the work that will apply to more than 20x the number of companies as the SEC. The impact on companies will hopefully be profound, since it will become a legal requirement for businesses that continue to be oblivious of the cyberwar to finally take it seriously.
#034 The Big Picture Sometimes we lose track of the big picture. In the first few days of April a fascinating presentation by a key member of the US Government catalogued that big picture. It covered the global economic and population decline impact, climate change and even water and crop shortage forces that lie behind state-sponsored cyberattacks on the soft underbelly of first-world economies. It’s such a compelling and chilling reminder that there is a war going on and we are the targets. As it’s become a necessary part of those economies, it’s going to persist. It’s why every small business and large organization must strengthen its weak links and be vigilant permanently.
March 2024 Headline News
#032 How can they get it so wrong? As an indication of the influence of form over function or hype over reality, this article from SDXCentral is an example of what happens when market leader influence can get in the way of enterprise choice. I seriously doubt that Forrester said anything like what was reported. According to the article, the SSE market is the market of today, Zero Trust is of the past, and SASE is the way of the future. Since Zero Trust is at the heart of all such Gartner-inspired derivatives, SASE was superseded by SSE because of supplier and market influence, and none of it has any industry technical definition, it’s not difficult to see how journalists get confused. What began as, I believe, a good intention by Gartner to create an integration between networking and security has descended into a confusing mess for the enterprise. (End of rant).
#031 Water, Water Everywhere The latest missive from the U.S. Environmental Protection Agency (EPA) is more than hinting that water may be everywhere but there might not "be a drop to drink" unless action is taken to combat cybersecurity threats. The story in Cyberscoop explains that there are roughly 150,000 water utilities in the U.S. That staggering number is easier to grasp once you learn that there are also some 90,000 dams in the U.S. "Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities." The EPA is setting up a water sector cybersecurity task force to outline some of the biggest challenges the sector faces and develop strategies to defend against the threats.
#030 One small step Good Grief. Having spent the best part of a year and a half on a requirement for software companies to self-attest to their secure development practices, CISA has just published the work. If you do not conform then you can't sell to the U.S. government. A very nice idea! However, it gives me no comfort to say that I think they missed critical elements, including: (1) use of memory-safe languages, (2) use of self-attested third-party software components, (3) a requirement for a Software Bill of Materials (SBOM) and (4) implementation of secure APIs. I personally submitted all of these to CISA but received no response, and wrote an article that covered all the elements. What a missed opportunity. Oh, and if the software you sell was developed before September 2022 and hasn't had a "major version update" then you don't have to comply, no matter how vulnerable it might be. Also exempt is publicly available open-source code (what could possibly go wrong with that?). Good Grief!
#029 Change Needed The much-reported breach at Change Healthcare by Blackcat (ALPHV) resulted in a staggering $22m ransomware payment. The outage in the billing and prescription arm of UnitedHealth Group, which processes 15bn transactions a year and touches 1 in 3 patient records, was first discovered on Feb 21; Change reports it will not be back online until the middle of this month. This is another Blackcat ransomware-as-a-service (RaaS) operation, though the actual attack was claimed by an affiliate known as "Notchy" – but maybe it's all a scam? More on this from Cybersecurity Dive.
#028 $12.5bn Or, to put it another way, about $40 for every person in the U.S. That is what was lost to cybercrime in the U.S. alone in 2023. There has been a plethora of reports looking back at last year, but this one is an important reality check. According to the FBI's Internet Crime Complaint Center, as reported by tech.co, 880,000+ complaints were made, a 22% increase on the previous year. Reported ransomware losses jumped 74% to $59m – and that was just what was reported! Investment fraud was the largest proportion, followed by business email compromise.
#027 Catch 22 While it's probably embarrassing that the US Department of Homeland Security (actually, even worse, it was CISA) was breached, it does highlight a general problem. It's not just that "if they have been breached, what hope is there for the rest of us?" The real issue is that the organization being breached does not want to disclose how it was breached, since that reveals possibly systemic weaknesses that others may exploit. This makes it really difficult for others to learn from mistakes. Even disclosures to the SEC will likely not go into such detail publicly. The catch-22 is therefore: "we want you to learn from our experience – but we can't tell you how!" Update: compounding this was the fact that CISA was using Ivanti VPN (supposedly secure) gateways rather than ZTNA products, and CISA's own "self-attestation" initiative can't have been in place with Ivanti. Apparently the zero-day vulnerability was exploited by an APT (Advanced Persistent Threat) actor, and even then the fix was not immediately applied. Oh dear! (I don't think I have an egg-on-the-face emoji.)
#026 White House Review While it is not surprising that the White House is pleased with the progress it is making in cybersecurity, the “one year later” progress report is a useful reminder of the initiatives in play (69 of them apparently). Here’s the update from director Harry Coker.
#025 The first cut is the deepest Last year, this column covered the report Escalating Global Risk Environment for Submarine Cables by the Insikt Group of intelligence company Recorded Future, showing the vulnerability of the global economy to attacks on the 529+ submarine cables that carry 99% of intercontinental communications. Today, nine months later, CNN reported that several cables in the Red Sea have been cut, impacting 25% of Internet traffic between Asia and Europe. A statement from HGC Communications says it has already mitigated the problem. However, beyond a blame game, there is no public statement of who was responsible, how the cuts were made, or whether they were deliberate or accidental!
#024 Cloud Following the re-emergence of LockBit there are indicators of increasing threats aimed at cloud services, the U.K.'s National Cyber Security Centre warned this week. It underlines the importance of understanding the many methodologies required for protection when services and workloads are delegated to multiple cloud providers and application and security suppliers.
#023 CSF 2.0 In-depth It seems that the points raised in the previous entry covering CSF 2.0 are worthy of in-depth analysis on our Hot Topics Page.
February 2024 Headline News
#022 CSF 2.0 Published In January, this column made remarks in entry #004 about the draft of NIST's Cybersecurity Framework 2.0, published in August 2023. The final version of CSF 2.0 is now published. I just don't know what actions could be taken from it. I don't know if anyone from CISA provided oversight. Oh dear!
#021 White House Ports Security The White House announced an initiative to bolster the cybersecurity of U.S. ports. Supporting $5.4 trillion of trade, the $20bn investment will require the protection of systems including cranes, nearly 80% of which are of Chinese manufacture. Penalties for non-compliance are yet to be established.
#020 DNS (= Dangerous Narrow Shave?) A group of German researchers discovered a very long-standing vulnerability (codenamed "KeyTrap", CVE-2023-50387) in DNSSEC validation: a single crafted response can force a validating resolver into an enormous number of signature verifications, so that, had it been exploited, it could have taken most of the Internet's validating resolvers offline. Fortunately, it was responsibly disclosed and mitigated in coordination with the resolver vendors before publication. Full details are in Feb 20's Security Now show notes (see page 12).
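The mechanism behind KeyTrap is easier to see in code. The Go program below is an added illustration written for this page, not code from the researchers or from any resolver. It implements the RFC 4034 key tag calculation, shows how cheaply many DNSKEYs can be forged to share one tag, and then models the RFC 4035 candidate-key loop to count how many signature verifications a validating resolver performs for k colliding keys and s bogus signatures, with and without a per-query cap of the kind resolver vendors added as mitigation. The DNSKEY contents, the cap value and the always-failing verify callback are assumptions of the example; the key-tag arithmetic is the one in the RFC.

```go
package main

import (
	"errors"
	"fmt"
)

// KeyTag is the RFC 4034 Appendix B key tag over DNSKEY RDATA
// (flags | protocol | algorithm | public key). It is a 16-bit sum, not a hash,
// so an attacker can mint any number of keys that share one tag.
func KeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// syntheticDNSKEY builds DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 13
// (ECDSAP256SHA256, 64-byte key). The key bytes are filler, not a valid curve
// point (an assumption of this example); only the tag arithmetic matters here.
func syntheticDNSKEY(seed byte) []byte {
	rdata := []byte{0x01, 0x01, 3, 13}
	for i := 0; i < 64; i++ {
		rdata = append(rdata, seed+byte(i))
	}
	return rdata
}

// ForgeCollidingKey rewrites the last four key bytes of template until the
// DNSKEY's key tag equals target. At most 256*65536 cheap iterations are needed.
func ForgeCollidingKey(template []byte, target uint16) ([]byte, error) {
	n := len(template)
	if n%2 != 0 || n < 8 {
		return nil, errors.New("template must have even length >= 8")
	}
	cand := append([]byte{}, template...)
	for salt := 0; salt < 256; salt++ {
		cand[n-4] = byte(salt)
		for w := 0; w < 1<<16; w++ {
			cand[n-2], cand[n-1] = byte(w>>8), byte(w)
			if KeyTag(cand) == target {
				return cand, nil
			}
		}
	}
	return nil, errors.New("no collision found")
}

// BuildCollidingKeys returns k distinct DNSKEYs that all carry the same key tag,
// which is what a KeyTrap zone publishes.
func BuildCollidingKeys(k int) ([][]byte, uint16, error) {
	target := KeyTag(syntheticDNSKEY(0))
	keys := make([][]byte, 0, k)
	for i := 0; i < k; i++ {
		key, err := ForgeCollidingKey(syntheticDNSKEY(byte(i*7+1)), target)
		if err != nil {
			return nil, 0, err
		}
		keys = append(keys, key)
	}
	return keys, target, nil
}

// RRSIG holds only the fields a validator uses to select candidate keys.
type RRSIG struct {
	KeyTag    uint16
	Algorithm uint8
}

// ValidateRRset models the RFC 4035 section 5.3.1 key-selection loop: for each
// RRSIG, every DNSKEY with matching algorithm and key tag is a candidate and the
// resolver tries candidates until one verifies. k colliding keys and s signatures
// cost up to k*s public-key operations per response: the KeyTrap amplification.
// maxAttempts models the post-KeyTrap per-query cap; 0 means unlimited (pre-patch).
func ValidateRRset(keys [][]byte, sigs []RRSIG, verify func([]byte, RRSIG) bool, maxAttempts int) (ok bool, attempts int) {
	for _, sig := range sigs {
		for _, key := range keys {
			if len(key) < 4 || key[3] != sig.Algorithm || KeyTag(key) != sig.KeyTag {
				continue
			}
			if maxAttempts > 0 && attempts >= maxAttempts {
				return false, attempts // give up: answer is bogus, resolver stays alive
			}
			attempts++
			if verify(key, sig) {
				return true, attempts
			}
		}
	}
	return false, attempts
}

// KeyTrapDemo publishes k colliding keys and s bogus signatures over them and
// reports how many verifications a resolver with the given cap performs.
func KeyTrapDemo(k, s, maxAttempts int) (ok bool, attempts int, err error) {
	keys, tag, err := BuildCollidingKeys(k)
	if err != nil {
		return false, 0, err
	}
	sigs := make([]RRSIG, s)
	for i := range sigs {
		sigs[i] = RRSIG{KeyTag: tag, Algorithm: 13}
	}
	// Attacker-supplied signatures never verify; each attempt is still a full
	// public-key operation on the victim resolver.
	neverVerifies := func([]byte, RRSIG) bool { return false }
	ok, attempts = ValidateRRset(keys, sigs, neverVerifies, maxAttempts)
	return ok, attempts, nil
}

func main() {
	for _, c := range []struct{ k, s, limit int }{{1, 1, 0}, {10, 10, 0}, {10, 10, 16}} {
		_, n, err := KeyTrapDemo(c.k, c.s, c.limit)
		fmt.Printf("keys=%d sigs=%d cap=%d -> %d verifications (err=%v)\n", c.k, c.s, c.limit, n, err)
	}
}
```

The point of the cap is not to make the bogus zone validate (it never will) but to bound the work one response can impose: the uncapped resolver performs k times s verifications before returning SERVFAIL, while the capped one stops at the limit and stays responsive for everyone else.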
#019 LockBit Lockdown (or was it?) When one of the biggest threats of the last 18 months gets disabled by a coalition of 11 countries led by the US and UK, then it's a big deal. All that's left of LockBit is a notice saying the site has been seized! But wait: just a few days later there are still LockBit sightings, explained either by employees who took the work home with them, a remnant of a persistent threat attack, or the use of a LockBit-type toolkit. We shall see. Feb 26th update: well, that didn't last long; LockBit has brazenly re-emerged, as noted in Cybersecurity Dive. (Cute graphic.)
#018 Weaponizing AI Just as my daily use of Copilot becomes an accelerator of my work, it gives some comfort that OpenAI (one of the AI engines behind Microsoft's Copilot) is shutting down accounts used to generate phishing and malware attacks (article). Dark Reading's "proceed with caution" seems prudent but is tempered by the level of sophistication being used by North Korean threat actors as they make it difficult to tell phishing attacks from the genuine article and use AI to scale up their activities. This month, Google has announced its own AI Cyber Defense Initiative, covered by Silicon Angle.
#017 Clientless and Clueless Next up in Microsoft's 2024 woes is the news from Proofpoint that around 200 Azure accounts have been compromised. Once the threat actors gain access to an Azure environment they carry out a host of malicious activity, according to Proofpoint, including manipulating MFA, data theft, follow-on phishing attacks and financial fraud. It seems that once you give up your environment to a clientless reliance on cloud providers such as Microsoft you are in the headlights of attacks. It makes you wonder whether relying on unverifiable Microsoft security methodologies, and on clientless IT, is a viable strategy. More on this from Cybersecurity Dive.
#016 Mixed Bag After a monster January in terms of important cybersecurity news, February is relatively quiet. However, the stories regarding critical infrastructure are hopefully raising awareness. SentinelOne and others are carrying stories regarding CISA, FBI and NSA warnings of Volt Typhoon attacks on US, Canadian, UK and Australian targets. Also, LastPass is back in the news after Apple somehow allowed a look-alike copy of the once-vaunted password manager into its App Store.
#015 Big security staff shortages – big cybersecurity layoffs This doesn't seem to make sense. Report after report describes massive shortages of cybersecurity staff. At the same time SC Media Magazine is reporting on 110 cybersecurity firms laying off significant numbers of staff since the beginning of last year. TechCrunch's end-of-year summary called 2023 "the year of the layoff." Most of the tech layoffs are put down to overstaffing during the Covid years – but is there another reason? It may be an indicator that companies are still in denial about cybersecurity and would rather put their heads in the sand than their hands in their pockets to pay for cybersecurity staff or solutions.
#014 Zero Trust Brings a New Way of thinking My latest article on Zero Trust in this month’s ISE Magazine takes a different twist on the topic which I hope you find interesting.
#013 SEC creating board level impact As is now widely known, the SEC requires reporting of material cybersecurity incidents within four business days of the company determining that the incident is material. What's less well known is that it requires "most" public companies to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This, according to a posting by BlackBerry, also applies to foreign companies seeking funding and listing in the U.S. This is a great step forward since it focuses the executive team on preventative measures and processes.
January 2024 Headline News
#012 Too many articles January had so many big stories and articles on cybersecurity. This page deliberately does not cover every Bitcoin, healthcare, ransomware story. However, this month I’ve posted a list of 130 or so articles that were considered and almost made it that may be of interest.
#011 One to watch Newly discovered malware, covered by Bleeping Computer and known as NSPX30, is delivered by hijacking the update traffic of very widely used software such as WPS Office (not Microsoft Office): the legitimate application asks for an update over an unauthenticated channel and receives the implant instead. Automatic updating is encouraged as an important defence in cybersecurity. It begs the question: when the exploit is fixed, how is the update effected if the update mechanism itself is compromised?
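One answer to that question is that the update channel must never be the trust anchor: the client should accept a release only if its manifest is signed by a vendor key pinned in the client, whatever transport delivered it. The Go program below is an added example written for this page (not WPS Office's or any vendor's updater) showing that check end to end: a manifest format, a pinned Ed25519 public key, the payload hash, an anti-rollback check, and what happens when an on-path attacker swaps the payload or re-signs with their own key. The manifest format, build numbers and payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the small record the updater fetches first. Its format is an
// assumption for this example: "build=<n>\nsha256=<hex>\n". The vendor signs
// these exact bytes with an offline Ed25519 key; the client ships the matching
// public key pinned in its binary.
type Manifest struct {
	Build  uint64
	SHA256 [sha256.Size]byte
}

func ParseManifest(raw []byte) (Manifest, error) {
	var m Manifest
	seen := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok || seen[k] {
			return m, fmt.Errorf("bad manifest line %q", line)
		}
		seen[k] = true
		switch k {
		case "build":
			n, err := strconv.ParseUint(v, 10, 64)
			if err != nil {
				return m, fmt.Errorf("bad build number %q", v)
			}
			m.Build = n
		case "sha256":
			b, err := hex.DecodeString(v)
			if err != nil || len(b) != sha256.Size {
				return m, errors.New("bad sha256 in manifest")
			}
			copy(m.SHA256[:], b)
		default:
			return m, fmt.Errorf("unknown manifest key %q", k)
		}
	}
	if !seen["build"] || !seen["sha256"] {
		return m, errors.New("manifest incomplete")
	}
	return m, nil
}

// VerifyUpdate is the client-side gate. The signature binds the manifest to the
// vendor key, the hash binds the payload to the manifest, and the build check
// refuses rollback to an older (possibly vulnerable) release. An on-path
// attacker who hijacks plain-HTTP update traffic can swap both files but cannot
// sign the manifest without the vendor's private key, so nothing tampered runs.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifestRaw, sig, payload []byte, installedBuild uint64) (Manifest, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinnedPub, manifestRaw, sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	m, err := ParseManifest(manifestRaw)
	if err != nil {
		return Manifest{}, err
	}
	if m.Build <= installedBuild {
		return Manifest{}, fmt.Errorf("rollback refused: build %d <= installed %d", m.Build, installedBuild)
	}
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], m.SHA256[:]) {
		return Manifest{}, errors.New("payload hash mismatch: refusing update")
	}
	return m, nil
}

// SignManifest is the vendor side; it runs offline, never on the update server.
func SignManifest(priv ed25519.PrivateKey, build uint64, payload []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(payload)
	manifest = []byte(fmt.Sprintf("build=%d\nsha256=%s\n", build, hex.EncodeToString(sum[:])))
	return manifest, ed25519.Sign(priv, manifest)
}

// Demo plays the scenario with constructed payloads: a genuine update, the same
// update with its payload swapped in transit, an attacker re-signing with their
// own key, and a replayed older build. Only the first may succeed.
func Demo() (genuine, swapped, resigned, rollback error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload, build 102 (stands in for the installer)")
	manifest, sig := SignManifest(vendorPriv, 102, payload)
	const installed = 101

	_, genuine = VerifyUpdate(vendorPub, manifest, sig, payload, installed)
	_, swapped = VerifyUpdate(vendorPub, manifest, sig, []byte("implant dropped by an on-path attacker"), installed)
	evilManifest, evilSig := SignManifest(attackerPriv, 103, []byte("implant"))
	_, resigned = VerifyUpdate(vendorPub, evilManifest, evilSig, []byte("implant"), installed)
	oldManifest, oldSig := SignManifest(vendorPriv, 100, payload)
	_, rollback = VerifyUpdate(vendorPub, oldManifest, oldSig, payload, installed)
	return
}

func main() {
	g, s, r, b := Demo()
	fmt.Printf("genuine: %v\nswapped payload: %v\nattacker-signed: %v\nrollback: %v\n", g, s, r, b)
}
```

Transport security (HTTPS) is still worth having, but it is not what protects the user here: even if the vendor's update server itself were compromised, an attacker without the offline signing key can only serve files the client will refuse.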
#010 Hey, we're here too! Not to be upstaged by Microsoft, Hewlett Packard Enterprise (HPE) also had its email hacked by the same Midnight Blizzard Advanced Persistent Threat actor. Although first noticed on December 12th, it took until the end of January to make it public. So much for the SEC's four-day reporting rule (though, to be fair, the four business days run from the company's determination that the incident is material, not from discovery). It also makes you wonder whether the compromised emails contained details of the then-pending HPE purchase of Juniper. I guess the SEC can track suspicious purchases of Juniper stock.
#009 Microsoft Sprayed In the second recent instance of password spraying, email accounts belonging to Microsoft's senior leadership team were compromised. Covered by various sources such as The Hacker News, it's concerning that executives in one of the leading security companies ignored best practices, and it makes you question the organization's own attitude. The article calls it a sophisticated attack, but the entry point isn't sophisticated. Password spraying is where an attacker tries a small set of common passwords against a large number of accounts, staying under each account's lockout threshold, until one weak password lets them in. It beggars belief that Microsoft executives would have elevated privilege to access mission-critical secure applications, that they are using non-MFA access and, worse still, that they are using passwords so weak that they can be guessed. I hope I'm wrong about this but it's another instance of lack of holistic cybersecurity. (For the record, Microsoft's own account says the sprayed account was a legacy non-production test tenant account without MFA, and that the attackers then abused a legacy OAuth application to reach the corporate mailboxes.) Oh dear! Now, according to Cybersecurity Dive, Microsoft has announced that it is to review its security practices. (Embarrassment complete!)
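For defenders, the useful property of password spraying is that it looks different from brute force in the logs: one source touches many accounts with only one or two failures each, so per-account lockout never triggers. The Go program below is an added example written for this page, not Microsoft's detection logic. It parses a constructed sign-in log (the line format and the documentation-range IP addresses are assumptions), flags any source whose failures span at least N distinct accounts within a time window, and lists which accounts that source subsequently signed into. It deliberately does not flag the user who mistypes their own password three times.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed sign-in record.
type AuthEvent struct {
	When    time.Time
	User    string
	Source  string
	Success bool
}

// ParseAuthLine reads the constructed format
// "<RFC3339 time> <user> <source-ip> <SUCCESS|FAIL>", an assumption for this
// example rather than any product's real log schema.
func ParseAuthLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || (f[3] != "SUCCESS" && f[3] != "FAIL") {
		return AuthEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{When: t, User: f[1], Source: f[2], Success: f[3] == "SUCCESS"}, nil
}

// SprayFinding is one source that failed against many distinct accounts.
// Compromised lists the accounts that source later signed into, i.e. the
// guesses that worked and need an immediate credential reset.
type SprayFinding struct {
	Source        string
	DistinctUsers int
	Failures      int
	Compromised   []string
}

// DetectSpray flags sources whose failed sign-ins span at least minUsers
// distinct accounts within any window of the given length. Each account sees
// only a guess or two, so the signal is breadth of usernames per source.
func DetectSpray(events []AuthEvent, window time.Duration, minUsers int) []SprayFinding {
	fails := map[string][]AuthEvent{}
	wins := map[string][]string{}
	for _, e := range events {
		if e.Success {
			wins[e.Source] = append(wins[e.Source], e.User)
		} else {
			fails[e.Source] = append(fails[e.Source], e)
		}
	}
	var out []SprayFinding
	for src, evs := range fails {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		best := 0
		for i := range evs { // sliding window over time-ordered failures
			users := map[string]bool{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				users[evs[j].User] = true
			}
			if len(users) > best {
				best = len(users)
			}
		}
		if best >= minUsers {
			out = append(out, SprayFinding{Source: src, DistinctUsers: best, Failures: len(evs), Compromised: wins[src]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

// ScanLog parses a whole log and runs the detector.
func ScanLog(log string, window time.Duration, minUsers int) ([]SprayFinding, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseAuthLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return DetectSpray(events, window, minUsers), nil
}

// SampleLog is constructed data: 198.51.100.7 (a documentation address) tries
// one password against seven accounts and gets into one; 203.0.113.5 is a real
// user mistyping their own password before succeeding.
const SampleLog = `2024-01-20T10:00:01Z alice 198.51.100.7 FAIL
2024-01-20T10:00:03Z bob 198.51.100.7 FAIL
2024-01-20T10:00:05Z carol 198.51.100.7 FAIL
2024-01-20T10:00:07Z dan 198.51.100.7 FAIL
2024-01-20T10:00:09Z erin 198.51.100.7 FAIL
2024-01-20T10:00:11Z frank 198.51.100.7 FAIL
2024-01-20T10:00:13Z grace 198.51.100.7 SUCCESS
2024-01-20T10:01:00Z dave 203.0.113.5 FAIL
2024-01-20T10:01:10Z dave 203.0.113.5 FAIL
2024-01-20T10:01:20Z dave 203.0.113.5 SUCCESS`

func main() {
	findings, err := ScanLog(SampleLog, 5*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("spray from %s: %d accounts, %d failures, compromised=%v\n", f.Source, f.DistinctUsers, f.Failures, f.Compromised)
	}
}
```

In production the source key would usually be a source IP plus user-agent or autonomous system, since sprayers rotate addresses, and a success from a flagged source should page someone rather than just print a line.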
#008 CISA Despite being stuck with a slightly odd name, the US Cybersecurity and Infrastructure Security Agency (CISA) continues to do excellent work. In addition to its groundbreaking work on self-attestation for software development, it tracks new threats and promotes updates to avoid zero-day threats that cause damage, sponsors the Common Vulnerabilities and Exposures (CVE) program (the list itself is maintained by MITRE), publishes the Known Exploited Vulnerabilities (KEV) catalog, and issues emergency directives. This week it published alerts on Ivanti Endpoint Manager Mobile following recent directives on Citrix NetScaler products. It also issued guidance on the danger to critical infrastructure systems from Chinese-manufactured unmanned drones.
#007 Fight, Flight or Freeze? According to Malwarebytes (the malware detection company), in its recent survey of 1,000 users everyone is scared of the Internet but little is being done in terms of basic protection. You can't take flight to escape the Internet, and people do not fight: only 35% use anti-virus software, 27% use VPNs, and 24% or fewer use each of eight other categories of protection. So the answer is to freeze and hope it all goes away. Bear in mind that many of those interviewed may be working from home on non-corporate devices.
#006 FBI and SEC increase pressure on reporting Some updates on SEC and FBI activities. There have been several iterations of the news that the FBI (which handles requests for the Attorney General's national-security delay) will rarely grant extensions to the four-business-day disclosure deadline in the SEC's rule that came into effect in December. At the same time, the SEC's enforcement action over the SolarWinds compromise raises the bar should a company not take cybersecurity precautions seriously. Meanwhile, SEC Chair Gary Gensler was acknowledging the seriousness of the hijacking of the SEC's own Xtwit (my name for this marketing disaster) account, a SIM swap against an account on which MFA had been turned off, which falsely claimed that the SEC had approved spot bitcoin ETFs, while insisting that none of its other accounts were affected. (They received my headless chicken of the month award.)
#005 Don't Drop It! Publicly reported on CNN and CBS, with more analysis from TechTarget, a Beijing forensic institute says it has "cracked" Apple's AirDrop encryption. This is in response to protesters sharing information/"propaganda", the aim being to identify the ID of the sender. Interestingly, about a year ago Apple restricted AirDrop's "Everyone" setting to 10-minute sessions to stop unsolicited content being sent to nearby iPhone users. The questions are: (1) Did an unfixed, known vulnerability expose the sender's ID and key information and lead to the decryption? This is just supposition. (2) Did they just get sender information, and was the "cracked encryption" claim a scare tactic? (3) Did they find a way of using stored keys to defeat the encryption, was it a real brute-force decryption, and has the technique been known to others and in use elsewhere in the world for some time? This is scary as it comes hot on the heels of the item below regarding Apple vulnerabilities.
#004 Cybersecurity Framework? Given the plethora of "Top 3 tips to ensure your cybersecurity in 2024" pieces, I remembered the NIST Cybersecurity Framework 2.0 draft issued last August, which starts with six Functions and then sensibly breaks these down into 106 individual Subcategories. At least someone got across the complexity of it all. It was only when I started rereading the details that I realized that it's not really a "Framework" at all. It is a list of outcomes you have achieved, or are achieving, all in vague terms such as "Systems, hardware, software, and services are managed throughout their life cycle" or "Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded," and "Cyber threat intelligence is received from information sharing forums and sources." It goes on in this fashion. Yes, it's good as a reminder not to miss important links in the chain, but there is nothing about the actions to take or how to take them. "A" for effort and for getting across the scope of the topic, but really "no pass." Oh, and Zero Trust, microsegmentation, critical infrastructure, phishing and IoT don't get a mention. Just a very strange document.
#003 Advanced Persistent Threat Problems (2) Kaspersky has reported an attack that bypasses the iPhone's hardware-based memory protection by writing to undocumented MMIO registers. This is a zero-click attack (no user action is required), tracked as CVE-2023-38606, with extensive commentary by Steve Gibson in the show notes of the January 2nd Security Now podcast. It seems that only an Apple insider would have had knowledge of these undocumented registers, since the vulnerability is not externally discoverable. The result is that an attacker can control all aspects of the device while the user is unaware of the incursion. While the origin of the information is not known, it has been patched by Apple for those who update their phones. The explanation and the reason for this backdoor remain unanswered. It does beg the questions: who instigated the back door, when did it first appear, who knew about it, and are there similar back doors in other manufacturers' devices?
#002 Advanced Persistent Threat Problems (1) This category is the hardest to defend against because of its diversity. The latest malware to pry open the door is JinxLoader, used as an element of hacking-as-a-service. An APT campaign is a chain of elements: it begins with intrusion via phishing or identity theft, then loads malware, escalates privilege and explores weaknesses inside a network or system, then uses lateral movement to deploy malware at those vulnerable places and, in due course, launches the attack proper. JinxLoader is the vehicle that hackers can buy to begin the process. Further coverage in this month's Hacker News article. More coverage on addressing APTs is planned.
#001 My aspirations for 2024
  • Executives in many large enterprises and in almost all SMB companies will no longer be in denial re cybersecurity – and “it won’t happen to us” will be a memory.
  • Companies will no longer be negligent on automatic patching, anti-phishing training and will implement proper delegation to software companies.
  • I will get across the importance of Holistic Cybersecurity resulting in significantly reduced risk.
  • People will get that security is only as strong as the weakest link. Publications, software companies, CISA, NIST, etc., will stop listing "the top 3, 4 or 5 things to ensure cybersecurity" just because they believe that no-one will read anything that covers the real number of 30, 40, 50 or 100+ actions.
  • The SEC, CISA and NIST will continue their good work and not succumb to corporate political lobbyists to water down their innovative work.

Last Year on Breaking News