BREAKING NEWS, UPDATES and INSIGHTS

Cybersecurity changes faster than you can read about it. 

This page features coverage and commentary of around 10 of the 2000+ news items seen each month.

Updated October 2nd, 2023


October 2023 Headline News
Oct #90 Head in the Nevada Sand Month Various states and countries have designated October as “cybersecurity awareness month”, but some (e.g. the Nevada Independent and cybersecurity firm Bulletproof) need to wake up to the fact that security is not just an IT issue. The Nevada Independent’s statement that the two Nevada-based hotel chains “did everything they could but were still hacked” says it all about the lack of understanding of cybersecurity, and of holistic cybersecurity in particular. Perhaps it should have been titled “Cybersecurity Understanding Month.”
September 2023 Headline News
Sept #89 Critical Infrastructure Initiatives If you think Critical Infrastructure is not you, then read these two pieces. The first is a description of the 16 sectors and many subsectors that it comprises (see the CISA description). Almost everyone reading this is a part of this. Just published at the end of September is the Critical Infrastructure Protection piece on this hot topic from the Government Accountability Office (who knew that this existed?) to highlight information and actions. For further details see our Cyberpedia.
Sept #88 Cisco Goes Splunk With as many M&A stories as ransomware stories, few get past our 10-stories-per-month filter. This one is different because it impacts two cornerstones of the IT world and the ones to which this author is most connected. Oh, and it’s quite large – a $28 Billion all-cash acquisition. Specifically, the relationship with the new enterprise-focused Network as a Service and Cybersecurity will likely be pivotal. Splunk has already played a key role in harmonizing Cloud event notifications and lines up with the AI- and software-driven focus of today’s Cisco. There will be many other aspects. Click here for CNBC coverage including interviews with the two CEOs.
Sept #87 MITRE Evaluation About to be announced are the annual “MITRE Engenuity ATT&CK” Evaluations rating how security services and providers are able to cope with well-known attacks. Some, like SentinelOne.com, have pre-announced their success. These are restricted to specific defenses against specific attacks. While useful, it is not a holistic test of organizations, their software development or the security of their operations. This is mentioned mostly for those unfamiliar with the mind-bending cybersecurity resource that is MITRE. Click here for more info.
Sept #86 September 18th Update The reason the MGM story holds the attention is the lessons that can be learned. It’s tricky because the hotel chain is not saying anything. More than two weeks after the incident, access to accounts and room booking are still offline (Sept 26th). It’s all rumor, but if the hack really began with employee credential theft then the questions begin for them and anyone reading this:
  1. Is there no MFA (two-factor or multi-factor authentication) at MGM, so anyone can log in from anywhere without challenge?
  2. It appears that they are still using old-style user names and passwords rather than Passkeys.
  3. Assuming the breach was not from a device owned by MGM and at an approved location, then there is likely no ban on BYOD (Bring Your Own Device).
  4. It appears that OKTA is being used for identity management by MGM. Did this fail too? Does the OKTA software include operational or management level protection of its own software, even if the new CISA work does not require it?
  5. Was Least Privilege in place? If not, then why not?
  6. It’s highly likely that the attack had multiple phases that could have included elevation of privilege, lateral movement, etc. Does MGM deploy software that detects that?
  7. It seems that the internal system does not employ Zero Trust principles that would have caught non-typical user behavior in many ways (time of day, data systems accessed, data loss prevention, privilege and separation-of-duties code, etc.). It should have provided event notification.
  8. Was customer data encrypted anywhere in the system, and was there an air-gapped backup of such data and alternative backup servers, etc.? If so, was it even tested?
  9. If MGM has a security policy (my guess is not), then does it include a social engineering or insider threat strategy that would easily have prevented unusual user access?
  10. What did MGM do to verify the security of the software systems deployed, or did it trust that it was all good!?
  11. Under the new SEC guidelines, reporting is required, but how much of the above was actually disclosed?
Okay. It was a long list off the top of my head and there’s probably more. Any one of the protections could have prevented the incident. The question is: do you have any or all of these in place in your organization? If you need help contact us. Footnote: “vx-underground” on “X”, who reported how ALPHV penetrated MGM, were themselves taken offline with a Denial of Service attack today. Why are we not surprised?
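Several of the questions above (no MFA, no least privilege, no Zero Trust check on time of day or location) can be turned into plain detection rules over an authentication log. The following is an added example written for this page, not code from the post or from MGM or Okta: it runs a handful of such rules over a constructed sample log. The log format, the field names and the per-user baseline (home country, working hours, admin flag) are assumptions made for the demo.

```python
"""Added example (not part of the original post): a minimal detector that
applies some of the Zero Trust checks the MGM questions raise to a small,
constructed authentication log. Log format, field names and the per-user
baseline are assumptions for the demo, not real MGM or Okta data."""
from datetime import datetime

# Constructed sample log lines: timestamp, user, source country, MFA used?, action
SAMPLE_LOG = """\
2023-09-10T09:12:05 alice US mfa=yes action=login
2023-09-10T09:15:40 alice US mfa=yes action=read:bookings
2023-09-10T03:02:11 bob RO mfa=no action=login
2023-09-10T03:04:50 bob RO mfa=no action=read:customer_pii
2023-09-10T03:05:12 bob RO mfa=no action=admin:grant_role
2023-09-10T14:22:30 carol US mfa=yes action=login
"""

# Assumed per-user baseline: the country they normally log in from, the
# working hours (24h clock) in which logins are expected, and whether the
# account is allowed to perform admin actions at all (least privilege).
BASELINE = {
    "alice": {"country": "US", "hours": (8, 18), "admin": False},
    "bob":   {"country": "US", "hours": (8, 18), "admin": False},
    "carol": {"country": "US", "hours": (8, 18), "admin": True},
}

def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, user, country, mfa, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "country": country,
        "mfa": mfa.split("=")[1] == "yes",
        "action": action.split("=", 1)[1],
    }

def check_event(ev, baseline):
    """Return the list of policy findings for one event (empty = looks normal)."""
    findings = []
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["unknown user"]
    if ev["action"] == "login" and not ev["mfa"]:
        findings.append("login without MFA")
    if ev["country"] != profile["country"]:
        findings.append(f"unexpected country {ev['country']}")
    start, end = profile["hours"]
    if not (start <= ev["ts"].hour < end):
        findings.append("outside working hours")
    if ev["action"].startswith("admin:") and not profile["admin"]:
        findings.append("privileged action by non-admin (least privilege)")
    return findings

def flag_anomalies(log_text, baseline=BASELINE):
    """Return {user: set(findings)} for every user with at least one finding."""
    flagged = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for finding in check_event(ev, baseline):
            flagged.setdefault(ev["user"], set()).add(finding)
    return flagged

if __name__ == "__main__":
    for user, findings in flag_anomalies(SAMPLE_LOG).items():
        print(user, "->", ", ".join(sorted(findings)))
```

Run as-is, only the constructed "bob" session is flagged, and on four independent rules at once; that is the point of layering checks rather than relying on any single one, since any one of them would have raised an event notification for a session like this.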
Sept #85 More on the MGM issue Following on from my post on this topic below, MGM has jumped on the SEC ruling by the 8-K filing of the outage yesterday (how could they not?). For everyone, the breach is another wake-up call to anyone who does not understand the importance of Holistic Cybersecurity – it’s not just the largely unverified IT software, it’s the whole organization. The lack of an Insider Threat strategy, of social engineering monitoring, of Zero Trust thinking and of a meaningful third party software verification system just doesn’t cut it any more. The juggernaut of the SEC is coming. It’s interesting to note the good work of CISA’s Secure by Design and Default initiative (April 2023), but it would not have come close to preventing the MGM issue! Neither would NIST’s upcoming self-attestation initiative. (Yes, I know, these are becoming more of a rant or blog than news items.) To see how you can be better protected click here.
Sept #84 Monster MGM breach may affect millions The massive breach of the MGM hotel chain (they have 31 properties) that disabled everything from room key entry, room bookings, use of casino machines and payouts, and took down their website, will cost them millions. However, it’s the loss of personal data stored in their MLife system, or of anyone who stayed at any of their properties providing credit card, email or even bank details or social security details, that may be the big risk. Typically, your bank (I checked with mine), etc., would protect you from any attempt to directly remove funds that was not from a merchant (e.g. mortgage company, gas or phone company) approved for a direct debit, and would raise a security alert. That applies to compromised MGM data and to other merchants with whom you have direct debits. This is not the first time MGM was breached. 4 years ago the MLife database was compromised, but it sounds like the lessons were not learned. This time the FBI have been called in and maybe they can “help” MGM “learn.” Update. “vx-underground” on “X” reported that the cause may have been social engineering exploited by the ALPHV group. This was later denied in a strange posted message by the hackers. Finally, Caesars Palace also admitted being hacked by a different group and paid a multi-million dollar ransom in order to avoid sensitive customer data being exploited. Meanwhile, MGM has made a weak statement about the situation and not a word about exposing customer info.
Sept #83 MOVEit: counting the cost It’s been almost 2 months since Emsisoft posted their findings that the MOVEit file transfer software attack by the CL0P group had impacted 56 million users in 1100+ organizations at a cost of $11bn. SDX Central has new analysis together with new trends as ransomware attacks evolve.
Sept #82 No need to touch your iPhone … … to get into trouble. Apple reacted quickly to a Zero Click attack with new releases of its various operating systems. The attack begins with malware embedded in an image file to deliver NSO Pegasus spyware, it seems. It is less clear exactly what damage it causes, though crypto transactions are mentioned. There are two, as yet unpublished, CVEs (CVE-2023-41061 and CVE-2023-41064). Apple indicates that there are very few users who would be affected (it doesn’t say what category of users). Everyone “who thinks they could be targets” can be protected by turning on “Lockdown Mode” found in ‘Settings>Privacy and Security.’ It provides “extreme optional protection”, as described by Apple. Maybe I spent too long in corporate America, but this smacks of the legal department, given that it’s such a pain to use your iPhone when Lockdown Mode is turned on. That is, if you have a security event and you don’t have Lockdown Mode enabled then “it’s your fault and don’t say we didn’t warn you.” A great idea. I suspect there will be more fallout from this!
Sept #81 Waking up to SEC Rulings Commentators are waking up to the ramifications of the SEC rulings regarding the new responsibilities of corporation executives to report and manage cybersecurity incidents. It also connects to pending NIST requirements that corporations take seriously their responsibility to properly assure that third parties of all kinds, and especially software companies, employ security best practices. More on the SEC ruling from Corporate Compliance Insights. It underlines the need to implement proper holistic cybersecurity. The requirement to elevate the topic to the executive level is finally gaining momentum. It’s why I created this Holistic Cybersecurity concept, since how can it be effective for the whole organization if it doesn’t come from the top? Dark Reading adds their thoughts on how the SEC ruling will improve the situation for those responsible for cybersecurity.
Sept #80 Big Trends Emerging. There are many stories at the beginning of the month covering the rise in ransomware, un-patched vulnerabilities, weakness in OT systems, etc. However, perhaps more importantly, there are two trends worth noting that will have a big impact. One is the realization that the SEC changes will have impact across industries, the legal profession and the supporting software industries; the other is the increased understanding by insurance companies of the profits and liabilities of cybersecurity insurance coverage. Both will be covered in the coming months and are connected. The SEC is latching on to the U.S. Government’s 2023 strategy that holds exploited companies, and hence software suppliers, liable for the damage caused by breaches. The insurance companies are beginning to add coverage exclusions to their policies for those who do not have, and make available, their threat avoidance and defense policies. Still smarting from last year’s court case in which Merck’s massive $1.4bn claim was not ruled to be an act of war, their world has woken up to how to make money prudently from cybersecurity insurance. It underlines the importance of having a security policy that addresses this holistically, as covered in our security as a service offering, and of documenting it in a living security strategy. If you do have cyber-insurance, it’s definitely time to check out that email covering new terms and conditions that maybe you didn’t really read. If you didn’t get cyber-insurance yet, then check the fine print and negotiate the coverage. It’s much easier to get now, but it’s more expensive and more restricted.
Sept #79 Chrome extensions can steal your data Covered by Bleeping Computer and others is the “surprising” news that legitimate-looking Chrome browser extensions can access the Document Object Model (DOM) tree containing in-the-clear user text within the source of popular web sites. Web sites such as gmail.com, amazon, irs.gov, Citibank, Capitalone and Facebook can be accessed to give up your login, social security and credit card info. The origin of this discovery is the University of Wisconsin-Madison. Click this link for their 26 page PDF containing all the details.
August 2023 Headline News
Aug #78 NIST Cybersecurity Framework 2.0. At least 15 critical areas missed? What should have been exciting news following the “Initial Public Draft” of its 2.0 Framework just left me cold. Last week Forbes basically produced a rant that the SEC had missed 5 critical elements in its announcement. I can count 15 things that NIST missed in their Framework! Allowing for the fact that it coins new phrases for well-established ideas, the word-smithing and structure (Govern, Identify, Protect, Detect, Respond, and Recover) sounds okay but adds little value. It’s as if they haven’t been paying attention to the world of cybersecurity. At first glance it covers the usual topics at a high level, but closer inspection reveals all the vulnerabilities that they haven’t addressed. No mention of implementing Zero Trust in the document (not even ZTNA); nothing about automation, monitoring, delegation and verification of third parties, insider threats, social engineering; no reference to work on self-attestation for software companies (CISA’s initiative). There’s almost nothing about holistic cybersecurity across the organization or distributed work forces, nothing on multi-factor authentication, passkeys, transport layer security, secure APIs, combating phishing, elevation of privilege and lateral movement threats, and just one line on measurement of progress. OK, that’s enough on this topic.
Aug #77 In Cloud we trust (but not in Denmark, it seems). Thinking of moving everything to the Cloud? Read this. Danish Cloud service provider CloudNordic revealed that it has told customers “to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud providers’ servers” and “paralyzed CloudNordic completely,” according to the IT outfit’s online statement. All hosted client data, websites and mail services are permanently lost. This is an almost unbelievable chain of incompetence and chaos at so many levels, and it makes you wonder how many other Cloud providers are in the same boat. If only they had read my book on holistic cybersecurity, implemented my holistic cybersecurity as a service, or even read my article on delegation to third parties, it could have been avoided. They say that it happened because of the proliferation of infected systems and that all backups are also infected. There are too many things they likely did not do, so I would say the cause is actually gross ignorance and incompetence. (End of rant.)
Aug #76 Generative AI and Cybersecurity controversies. This is the first posting on this highly controversial topic. There are several issues: Do we trust information that is currently based on unknown sources and on unreliable postings from the past? Can any system that predicts and informs from learned information innovate for the future? Generative AI systems have been penetrated by multiple threat actors. We will develop this into a future page.
Aug #75 Delegating without Abdication One of the most difficult challenges when adopting Zero Trust is how to delegate to third parties whom you do not control. “Don’t Trust” is easy, but “Always Verify” is not so straightforward. My new article covers how to verify key elements of a supplier’s security – especially software and cybersecurity solution providers. This covers the organization itself, the development of the products and the security of those solutions. See the page on this site and links to the published article.
Aug #74 Dallas Counts the Cost Perhaps this is the final(?) chapter of the May breaches covered extensively here. Dallas has approved payment of $8.5m+ to remediate the results of the data breaches. Given that the details are not public, one wonders if some of the “repairs” are being paid to companies whose software was in the supply chain that contained vulnerabilities. Whether true or not, it points out that security is only as strong as its weakest link, and the cost of weak cybersecurity. More from CyberDive on this and from the Dallas City Council. Announced mid-month was that 30253 individuals were impacted by the attack. There may be more on this after all.
Aug #73 Providers and Tech Companies under Scrutiny Looking beyond the headlines of the CNN story: “A group of teenage hackers managed to breach some of the world’s biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, is a cautionary tale for America’s critical infrastructure.” Following on the heels of Cloud issues, this is an unwanted red flag for Service Providers who claim that their services are secure. All the more reason to use the process of verification outlined in my new article.
Aug #72 More critique of the SEC ruling. One of the many updates on this topic (from Forbes) also poured cold water on the SEC. It cited the most important of 5 omissions as being the requirement for a member of the board who understands Cybersecurity. Maybe the SEC should have listened to Forbes on that topic or read my book on Holistic Cybersecurity.
Aug #71 Welcome to the safety of the Cloud With such a rise in Phishing attacks with texts posing as USPS, Google etc., identity theft and ransomware, it’s easy to assume that the answer lies in the Cloud. However, last week it was reported on the WIZ blog that an elevation-of-privilege exploit affecting millions of Cloud workloads still existed when it was thought to have been fixed some time ago. The consequences for many applications are not easy to know, but the new fix should be applied immediately. In the true tradition of journalism, here are two more recent Cloud issues. Microsoft is being accused by Tenable of negligence in its cybersecurity practices following a breach in its Azure platform. This has caused a furore, given that Microsoft acknowledged the vulnerability months after Tenable discovered and reported it. See The Verge for the full story. Next, Google claimed (or disclaimed) that poor asset management was at the root of most cloud compromises, blaming credential weaknesses – but aren’t the cloud providers the gatekeepers for Access Authentication and least privilege best practices?
Aug #70 TETRA:BURST A collection of vulnerabilities impacting the Terrestrial Trunked Radio (TETRA) standard used around the world – though less in the US – by law enforcement, the military and in critical infrastructure communications. Two are particularly nasty, as they can interfere with and corrupt first responder messages or be used to conceal reporting from gas pipelines, transport networks, etc. A full exposé is anticipated at the Las Vegas Red Hat Conference this month. Worse still, it seems to have been covered up for some time. Not a problem really, unless you are the one affected!
Aug #69 US Chamber of Commerce says “Not So Fast…” There’s been lots of coverage of the July 27th story below on the SEC. The US Chamber of Commerce is not so supportive, due to the public exposure it describes. Christopher Roberti, U.S. Chamber senior vice president for Cyber, Space, and National Security Policy, states: “The Cyber Incident Reporting for Critical Infrastructure Act (2022) made it clear that cyber incident reporting should be confidential. However, the SEC ruling sharply diverges from the President’s National Cybersecurity Strategy.” Click for the full statement.
July 2023 Headline News
July #68 Trickle-down #2 starts here The Securities and Exchange Commission (SEC) announced rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. The final amendment requires disclosure within 4 business days of discovering that a cybersecurity incident is material. There’s detailed coverage by Skadden Arps. This will likely impact many non-SEC organizations, and is labelled “Trickle-down #2”, because the implication is that if a breach was caused by a third party then surely that party would have to be named, thus creating a trickle-down effect in the supply chain. This would include all manner of legal firms, security software companies, and so on. This is very much in alignment with the CISA initiative on self-attestation to combat liability, which would also trickle down. Presumably breaches can no longer be covered up under this new ruling, turning up the pressure on everyone.
July #67 Don’t stand underneath when they fly by. This is not about standing under Santa Claus’s reindeer on Christmas eve. It’s about the physical and cybersecurity vulnerability of satellite systems. We started this month with troubling news below the ocean and we end it with the troubling threats of damaging satellites that fall to earth, or software vulnerabilities that disable communication functionality. This tale of caution should temper people flipping to satellite communications for business. This is about to explode with the advent of nano-satellites put into orbit by the thousand. The full story is covered by Steve Gibson in his Security Now show notes in 2 parts, 1 & 2.
July #66 CISA announces partnership with Microsoft Behind this announcement was pressure by the Cybersecurity and Infrastructure Security Agency (CISA) for Microsoft to make logging data available free to all Outlook users. This followed email hacks of government sites. Available in September; neither Microsoft nor the CISA announcement makes it clear exactly what information will be made available.
July #65 This one is personal It’s bad enough when one of America’s favorite chains of stores – Bed, Bath and Beyond – shuts its doors, but when scammers pose as its web site and purport to run a clearance sale in order to grab my credit card details, it’s personal. Really, someone who loses a billion dollars of cryptocurrency doesn’t impact most lives. This one, covered by sites such as MalwareTips, really does. Shame on these cyberthieves.
July #64 US Cybersecurity Labeling Program Announced. In mid-July the U.S. Administration announced its Cybersecurity Labeling Program for Smart Devices. It is to be based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, require unique and strong default passwords, data protection, software updates, and incident detection capabilities. The label above will presumably be accompanied by the manufacturer’s name, product and an approval number, and be linked to a registry of approved devices via a QR code (hmm). Its headline is “Protection for American Consumers”, but IoT and other devices in critical infrastructures will benefit. The program is to engage non-US stakeholders, etc. It certainly addresses an important issue of trust and verification. However, the questions will be about the cost of replacing non-compliant legacy devices in critical networks and, of course, how such a system could be circumvented (e.g. fake QR codes on labels). Also, it’s not clear what constitutes a “Smart Device” (IP connection, able to store and update passwords, Zero Trust enabled access authentication via a trusted connection, etc.?). It is silent on vulnerabilities of “unsmart” devices and protection of connected networks, especially consumer wi-fi. We shall see when the work is completed in 2024.
July #63 Healthcare still the top target Becton Dickinson’s infusion pump, which helps continuously or intermittently deliver fluids, medications, blood and blood products to adult, pediatric or neonatal patients, is the latest device to be hacked, warned a CISA advisory. The hack can make various malicious changes that could result in dosage changes and worse.
July #62 US Cybersecurity Implementation Plan announced. Earlier this year the U.S. Administration released its National Cybersecurity Strategy, covered in items #21 and #54 on this page. On July 13th it announced the publication of the 57-page National Cybersecurity Strategy Implementation Plan (NCSIP) as a “roadmap” to implement the strategy. Its five pillars cover 65 initiatives including: proactive threat actor countermeasures, security of critical infrastructures and IoT devices, shifting liability for insecure software products (a passion of cybyr.com), exploring federal cyber insurance, strengthening Internet security, international collaboration and much more. This is a demonstration of the U.S. Government’s commitment to combat what is a war, and hopefully it will have a far-reaching impact. It is expected to face challenges such as the ones already seen with states blocking the requirements for water system cybersecurity, saying it was too burdensome. The US administration has yet to replace Chris Inglis, the now former cybersecurity director. Hopefully, some progress will be made.
July #61 Threats up, CEO and board involvement down. The antithesis of Holistic Cybersecurity. Heidrick & Struggles’ 2023 CISO survey shows that only 5% of CISOs report to the CEO. That’s a downward trend over the last two years. Meanwhile, Cybercrime continues its steep rise. A correlation, perhaps? This supports the importance of the tenet that Cybersecurity should be a board level imperative. 38% of CISOs report to the CIO. The rest are scattered through the organization. Oh dear. But wait, there’s more. A study by IANS Research found that only about 14% of CISOs have the skills to sit on the board. This perhaps reflects that as Cybersecurity has become more technically complex and IT-focused, the mature and more rounded skills and experience needed in a board member are less often present.
July #60 Top Five organizations under threat In the course of research, I found somewhat surprisingly that the top 5 industry types targeted are:
  1. Healthcare
  2. IT and Telecoms
  3. Legal Firms
  4. HR and Recruitment firms
  5. Manufacturing and utilities
In particular, it means that legal firms, who hold their clients’ intimate data, and HR firms, which hold massive amounts of personal info, are more targeted than financial firms, education and the rest of the critical infrastructure identified as vulnerable. As if to underline this, many of the biggest law firms were the subject of attack by the now infamous CL0P group last month, affecting more than 15 million individuals.
July #59 Zero day 8 months later. A lesson to be learned. The interesting thing about this threat was that it was first logged 8 months ago, in early November 2022. This threat exploits a weakness in Netwrix auditor video recording software to install TrueBot trojan software. The Netwrix software is used by 13,000 organizations, many household names. The TrueBot trojan launches other software to elevate the privilege level and then loads all kinds of damaging software. By now a familiar story. What should concern readers is that it’s an example of a known exploit not being automatically updated 8 months after its discovery. This is another case of abdication of responsibility by the users of software not ensuring its suppliers follow sensible processes. The lesson is: be vigilant and have a process. Another survey revealed that while the most egregious Zero Day attacks are resolved within a few days, the average time for users to implement these changes is a staggering 60 days. That gives threat actors 2 months to cause chaos. It shows how threat awareness and fast response play such an important role. More on this in the next few weeks. See Common Vulnerabilities and Exposures (CVE) on the CISA site and the CVE.org site for CVE-2022-31199. Both are interesting sites that catalog threats and their resolution.
July #58 Quishing – not just an email threat? There’s been coverage on the increase of QR codes linking to malicious sites – “QR Code Phishing”, recently adopting the title Quishing. This is where you might get an email encouraging you to check a completed DocuSign pdf (which you never created in the first place) using the QR code embedded in the email. Ok, that would likely fool you if you had actually just completed a DocuSign. However, these QR codes are everywhere: on web sites, big screens at events, restaurants and shops, and TV programs. From a Zero Trust perspective, verification seems impossible, and you don’t know if the innocent creator was falsely led to believe that the QR code came from a genuine source. Caution is recommended to avoid your phone being infected, yet no-one seems to be warning of this issue outside of email Phishing attacks.
July #57 Meanwhile, at the bottom of the ocean … Last week’s report on the Escalating Global Risk Environment for Submarine Cables by the Insikt division of intelligence company Recorded Future causes a sharp intake of breath. It shows the vulnerability of the global economy to attacks on the 529+ submarine cables that transmit 99% of intercontinental communications. Increasing Chinese involvement and Russian interest reveal the potentially crippling effect on the global economy should the network be compromised or sabotaged. In addition, the problem is compounded by threat actors selling access to communication satellite systems. It underlines that cybersecurity requires a holistic approach.
June 2023 Headline News
June #56 A Lesson Unsurprisingly, the leaking of 100,000+ ChatGPT login IDs made the news. It’s only a problem for those who use those credentials elsewhere, have not migrated to Passkeys, and have not gotten over the novelty of the ChatGPT hype.
June #55 We know where lots of you live. MalwareBytes reported that researchers at NC State University have discovered potential privacy issues with the fitness app Strava, used by 100 million people(!), which could lead to users’ homes being pinpointed. The findings are detailed in a paper called Heat marks the spot.
June #54 Next Steps in Software Security Compliance June saw an update to the requirements placed on software companies by the US Government to be aligned with its published White House Cybersecurity Strategy and the 2022 Secure Software Development Framework (SSDF). The intention is that companies who want to do business with the US Government and its agencies will be required to complete and submit a self-attestation form covering their (hopefully) best practices in the development of their products or services. The draft CISA form calls out some of the elements listed in the SSDF. It looks as if the points in the SSDF have already been diluted. As it stands, the self-attestation goes only some of the way to addressing the issues that Cybyr.com thinks are important: it covers the companies developing software, but not how the products operate. The 12 or so areas in 4 main categories are certainly an important step forward, if a little aspirational. Cybyr.com has identified 23 potential vulnerabilities as a minimum. The latest update actually gives companies more time to respond to the self-attestation form. This is given much space here since it is a very important area for all organizations. Although this is a U.S. initiative, it applies and will no doubt be followed everywhere. It touches on the key area of verifying software supply chains so as to enable delegation of trust. It also puts teeth into the adoption of best practices by such companies. Cybyr.com has submitted its inputs on this important topic to CISA. More on what we believe is the most important topic in cybersecurity is covered in our July article in ISE magazine.
June #53 Why an attack on a library is worth noting. With 2000+ cybersecurity reports each month, many are education and health targets. What makes this one special is that, like the Dallas attack, many of the systems, the personal data and facilities were attacked by polymorphic malware. This makes it even more important to take a holistic approach to guard against so many vulnerabilities.
June #52 What really happened in Dallas? Part 3. Well into June, there are still no clear answers or further statements from Dallas. It’s hardly surprising, because the answers would likely reveal incompetence at many levels, or worse, that the remaining vulnerabilities that have been exploited are not yet corrected. What makes this an educational story is that it’s likely an example of Hacking as a Service and Polymorphic Malware. I.e., several attacks were combined into one: first penetrate by various means, then spread further malware (Lateral Movement Attacks) to cause damage and chaos across many vulnerable targets. The whole Dallas attack is the antithesis of Zero Trust thinking and shows a lack of proper third party delegation. The latest twist is that a new threat similar to Royal ransomware, called BlackSuit, is emerging (see Bleeping Computer article).
June #51 Only 4 Myths? But these are really good ones. Finally, Gartner has come up with something that really aligns with my book – he said modestly. These four myths are nicely explained in their new article. My book adds many more in terms of weak links that are overlooked. The myths covered are:
  1. More data on cybersecurity equals better protection.
  2. More technology equals better protection.
  3. More cybersecurity professionals equals better protection.
  4. More controls equals better protection.
June #50 MOVEit if you wanna lose it! MOVEit Transfer, the file transfer tool used by thousands of users, experienced a severe SQL injection zero-day attack that caused user data to be stolen. This is an example of an increasing trend for SQL injection attacks to be used. On June 7th CISA issued an advisory on this CL0P ransomware attack. Update: by the end of June, more than 100 organizations, including seven U.S. universities, had been listed as having been impacted.
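To show the shape of the bug class behind this item, here is an added example (not code from the page, and not the actual MOVEit Transfer flaw, which is not reproduced here): a lookup that pastes caller input into SQL text, beside the parameterized form that fixes it. The in-memory table and the hostile input string are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a file-transfer service's metadata."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT)"
    )
    conn.executemany(
        "INSERT INTO transfers (owner, filename) VALUES (?, ?)",
        [("alice", "q2-report.pdf"), ("bob", "payroll.csv"), ("carol", "contract.docx")],
    )
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    # BAD: the caller-supplied value is spliced into the SQL text, so a quote
    # character in it changes the query's structure instead of being data.
    query = f"SELECT owner, filename FROM transfers WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def list_files_safe(conn, owner):
    # GOOD: a bound parameter. The driver passes the value separately from the
    # statement, so it is only ever compared as a string, never parsed as SQL.
    return conn.execute(
        "SELECT owner, filename FROM transfers WHERE owner = ?", (owner,)
    ).fetchall()


def demo():
    """Run both variants against a normal value and a constructed injection string."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed: turns the WHERE clause into a tautology
    return {
        "vuln_normal": len(list_files_vulnerable(conn, "alice")),   # 1 row, as intended
        "vuln_hostile": len(list_files_vulnerable(conn, hostile)),  # every row leaks
        "safe_hostile": len(list_files_safe(conn, hostile)),        # no owner has that name
    }


if __name__ == "__main__":
    print(demo())
```

The detection angle is the same contrast: a query that returns every row of a table when the caller asked for one owner is the symptom a database audit log or a WAF rule would look for, whereas the parameterized version never builds such a query in the first place.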
June #49 Something Rotten in the Chrome App Store Does Lurk. Avast Security has unearthed a significant number of Chrome browser extensions that have been infected with malware. Some are old extensions, or were purchased just so that they could be infiltrated. It’s being investigated, but there are supposedly large numbers of downloads, though even these numbers may be untrue. Read more here.
June #48 What really happened in Dallas? Part 2. Last month’s Royal Ransomware attack is still having repercussions, with first responder computer systems offline one month later. The CSO said that restoration is 90% complete. Another report says city leaders are being asked not to comment. It will be interesting to track the root cause if it is ever revealed. Further news reports are to be made public on June 5th, one news agency claimed. See the further update in Part 3 (June #52) above.
June #47 Never Trust, Always Verify, saves the day. What happens when the one person you do trust, your cybersecurity watchdog, is the insider threat you have all been warned against? In last week’s weekly summary, SentinelOne reported (definitely read this) that a court in the UK found Ashley Liles, formerly an IT security analyst, guilty of doing just that after his employer was hit with a ransomware attack in February 2018. Liles was among those responsible for investigating the attack, but surreptitiously began hacking a board member’s emails as they negotiated with the attackers. Liles replaced the hackers’ bitcoin account details with his own. He was found out because someone noticed that emails had been intercepted and tampered with. Thank goodness for “Never Trust, Always Verify”, even though it may have been accidental.
May 2023 Headline News
May #46 .Zip It at your peril If you are not tracking the issues regarding Google’s new .zip TLD debacle, Steve Gibson revealed the pitfalls on Security Now, and in the show notes, showing how innocent-looking email links can be used to disguise malicious sites behind the now innocent-looking “.zip” TLD (Top Level Domain). (Hint: is that really a “/” in “CISA.org/newsfeed.@jan24.zip”?)
May #45 Not the only painful extraction at your dentist Bleeping Computer revealed that nearly 9 million patients of Managed Care of North America (MCNA) Dental had their personal data stolen by everyone’s favorite Hacking as a Service ransomware gang, LockBit. The question that no-one is asking or answering is how.
May #44 CISA Creates Pre-Ransomware Notifications Most of the US government warnings contain well-intentioned ideas but lack actual substance or actions. This one from CISA pilots a Ransomware Vulnerability Warning initiative, as put into law in March 2022. More details on this story, reported at the beginning of May, are given in a fact sheet. It tells you how to report issues, but this well-intentioned work does not say exactly how to receive these notifications, even though they are already appearing in the media this month!
May #43 Malicious Windows kernel drivers We do cover driver vulnerabilities on the CyberPedia page, recommending that hardware and kernel drivers always be signed. Malicious drivers are especially dangerous since they give admin-level access to any malware that uses them. Then all hell can break loose. This is covered here because Bleeping Computer just reported that attackers have been using keys stolen from Microsoft’s Hardware Developer program to evade detection. Originally seen last year, this has resurfaced. However, Microsoft recommends simple actions that Windows users can take to protect themselves.
May #42 Man Bites Shark The Man in the story is a hacking group. The Shark in the story is Barracuda, a well known and reputable security software and service company. The Bite is the likely loss of profits after Barracuda revealed that it was hacked. The incident coverage explained that a Zero Day attack had impacted its Email Security Gateway appliances. The exploit was listed as CVE-2023-2868. This is just another example of attacks on security defense software.
May #41 Using contractors may become safer By November, the Pentagon will have a contractor cybersecurity plan, said David McKeown, DOD’s CISO, at GovExec’s Cyber Summit last week. Having read the description, one hopes that it contains something more than the high-level outline given so far. If it does, then it will bring some very much-needed help to the private sector too, whose organizations need protection from remote staff, contractors, et al.
May #40 Official – it’s the end of Ransomware. Anne Neuberger, Deputy National Security Advisor for cyber and emerging technologies, is now reconsidering the previously discarded ban on ransom payments. Does that mean if it becomes the law cybercriminals will no longer be allowed to break the law by collecting money? Wait, isn’t that why they are called criminals? Cybersecurity Dive covered this craziness in more detail. Yes, it’s a thin month for real news.
May #39 CISA Director warns of tech industry repeating mistakes with AI Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, issued a warning about the rush to introduce generative AI, reminding me of the phrase “there is no bandwagon onto which the tech industry will not jump.” But enough about SASE.
May #38 Healing Health MITRE has published a policy checklist for healthcare cybersecurity as a high-level paper entitled Cybersecurity And Patient Safety In The Healthcare Setting. Spanning 17 areas, its 7 pages cover increased protection of Healthcare Delivery Organizations (HDOs) among other topics. Although it is a high-level overview, it’s definitely worth a read. It’s further covered by Healthcare IT News.
May #37 Chickens come home to roost in Texas Another instance of the Royal Ransomware attack, first encountered last year and highlighted again in March this year, has been seen in Dallas. It’s an example of security software that protects against and prevents attacks being disabled. It has come to the fore because it targets critical infrastructures, healthcare (and now the Dallas Police), etc. We have identified 8 possible holistic vulnerabilities and 16 threat vulnerabilities in security software organizations and their products that such companies overlook. Here’s a link to Dallas coverage from the first week of May. It is particularly nasty because of its ability to disable installed anti-virus software, and to exfiltrate and encrypt data before extorting $millions in ransom. In March, the FBI and CISA released the joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. The advisory indicates how infections can likely happen and how to identify infected, partially encrypted files, but only gives general best practices for prevention. It’s also a reference to section 3 of the February US cybersecurity strategy of holding software companies, especially, as here, security software companies, accountable. Having flaky security software and companies just signals to the threat actors that “there is something worth attacking here – let’s disable the protection and attack.” This will hopefully raise enterprise awareness, guiding them to properly evaluate and delegate to proposed security services and products while still remaining responsible.
May #36 Ransomware Vulnerability – CISA Pilot Per the US 2022 Critical Infrastructure Act, CISA published its Ransomware Warning Pilot.
April 2023 Headline News
April #35 The Shrinking Password Hive Systems’ just-published analysis of brute-force password cracking is an eye-opener. From 2020 to 2023, increasing compute power has dramatically accelerated the ability of threat actors to crack passwords, in some instances by 100-250 times! Hive’s analysis of password length and content reveals that numbers-only passwords as long as 14 digits fall in as little as 50 seconds! Even the popular eight-character passwords with a mix of all character types can be cracked in just 5 minutes. The bottom line, which anyone reading this likely knows but doesn’t always follow, is (1) use 15-25 character mixed-character passwords, (2) never re-use passwords, (3) never log in with your Google or Facebook password, (4) use two-factor authentication, (5) don’t get phished.
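To make the length-versus-alphabet arithmetic behind these figures concrete, here is an added example (not Hive Systems’ code or methodology): a keyspace estimator plus a policy check matching point (1) above. The alphabet sizes are the usual printable-ASCII split, and the guess rate is a parameter; the default of 1e12 guesses per second is a round illustrative assumption, not Hive’s figure, so the times it prints are for comparison between passwords, not a prediction.

```python
import string

# Alphabet per character class (assumed sizes for the estimate: 10 + 26 + 26 + 32 = 94).
CHAR_CLASSES = {
    "digits": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "symbols": set(string.punctuation),
}


def classes_used(password):
    """Which character classes actually appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password) if alphabet else 0


def seconds_to_crack(password, guesses_per_second):
    """Worst-case exhaustive-search time at a caller-chosen rate (assumed, not measured)."""
    return keyspace(password) / guesses_per_second


def human_time(seconds):
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def assess(password, guesses_per_second=1e12):
    """Summarise one password: the policy check follows the page's advice (15+ chars, mixed)."""
    used = classes_used(password)
    return {
        "length": len(password),
        "classes": sorted(used),
        "keyspace": keyspace(password),
        "time": human_time(seconds_to_crack(password, guesses_per_second)),
        "policy_ok": len(password) >= 15 and len(used) >= 3,
    }


if __name__ == "__main__":
    # Constructed samples: digits only, short-but-complex, long passphrase with mixed classes.
    for pw in ("12345678901234", "Tr0ub4dor&3", "correct-horse-battery-staple-42!"):
        print(pw, assess(pw))
```

Running it shows the point the item makes: adding a character class multiplies the keyspace by a small factor once, while each extra character multiplies it by the whole alphabet size, so length wins.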
April #34 Hacking as a Service The introduction to this page states that items listed here are limited to the most egregious breaking news. This is one of those. The UK cybersecurity agency NCSC has issued a new report covering the growing sale of services by cybercriminal organizations to states and unscrupulous parties. Coined Hacking as a Service, these give access to many tools and custom services that can generate all kinds of threats and spyware. Rather like PhaaS and RaaS, the use of these tools does not require cybersecurity expertise, and they include the ability to generate Zero Day attacks and Zero Click attacks, making them even more potent. The report from the National Cyber Security Centre paints a grim picture of increased activities and a widespread increase in targets over the next five years.
April #33 Every Day is Zero Day Lockbit3.0 As last month’s CISA advisory shows, Lockbit3.0 is not only one threat but a continuously evolving set of many threats. This implies that with Lockbit3.0 every day is a Zero Day. As it is the most active Ransomware as a Service threat, the variety of threat types it contains and its ability to generate variants mean that threat detection and protection tools must be equally comprehensive and sophisticated.
April #32 Infiltration for Exfiltration We cover Bring Your Own Vulnerable Driver (BYOVD) in the terminology page. This new attack, known as AuKill, disables Endpoint Detection & Response (EDR) software on targets’ systems. Legitimate drivers with validly signed certificates are loaded onto the user or system hardware, disable security protection and, running with elevated (kernel) privilege, take over the device. It is also associated with Lockbit 3.0 attacks, etc. The use of Hypervisor-Protected Code Integrity (HVCI) and Attack Surface Reduction rules to prevent bad drivers from being written to disk has apparently not completely removed the threat. The bottom line is that it’s important only to add drivers from known reliable sources.
April #31 The Unhealthy Health Report With healthcare vulnerabilities so obvious, resulting in hospital closures and potential dangers to life, it’s not surprising that unscrupulous threat actors attack healthcare as a major target. What is surprising (actually shocking) is that the report in this month’s Becker’s Hospital Review found that still only 22% of workers say that cybersecurity protocols are not being enforced. Only 39% of hospital staff said they even look at security protocols when introducing new technology. This is clearly a problem of lack of understanding of Holistic Cybersecurity and a failure of both management and HR. As Salim Ismail famously reported, healthcare science is really good; it’s just the support and delivery that’s the problem. Any healthcare practitioner reading this should contact us. We can help.
April #30 Dangers Lurking in Video Files The University of Texas at Austin has published its research and discussion of the dangers lurking deep inside H.264 encoded videos, the most commonly used video format, defined 20 years ago by the ITU (a.k.a. AVC, as defined by MPEG). Link to the published paper. The paper, entitled “The Most Dangerous Codec in the World”, covers the use of H26Forge, an open source tool available on GitHub that was used for the investigation. While the tool has been invaluable in identifying vulnerabilities, the complexity of H.264 encoding makes it very challenging for any tool to identify whether there is malware inside such videos. These vulnerabilities are pervasive, and graphics hardware vendors need to take the corrective actions listed in the paper. The actions you should take are not obvious, but at least the paper raises awareness of the issue, and of how the tool could be used by hackers to generate new threats.
April #29 Microsoft and Fortra defend attacks With two further cybersecurity companies having had their defensive tools manipulated and infected with malware, it’s good to know that both Microsoft (and its software development kits) and Fortra (and its Cobalt Strike software) have teamed up with the Health Information Sharing and Analysis Center (H-ISAC) in an announcement to take all necessary action to eliminate these threats. This is another example of cybersecurity software being the target of attacks or being used by threat actors, and it’s good to see such attacks being combated in this manner.
April #28 New kind of encrypting Ransomware No, ransomware has not gone away: Rorschach uses a technique known as DLL side-loading to load the ransomware payload, achieving the fastest encryption seen yet.
April #27 Dissecting the US Critical Infrastructure Cybersecurity Directive. Where’s the meat? Dissecting the new US Presidential Policy Directive 21 requires considerable study. At first sight the work seems shockingly devoid of practical guidance and refers to extremely dated material. Its ambitious scope does cover almost every sector, so maybe, to be generous, this is a start. So maybe it’s up to the security communities to take the next steps to develop the main course. From a cybersecurity perspective there are both commonalities (the fact that their incapacitation would be so damaging to the country) and individual distinct challenges. The initial question might be why there are only 16 critical infrastructure sectors, and what about the ones that didn’t make it? The topic will be developed on this site.
April #26 Navigating Your Journey When There’s No Destination A new wide-ranging article on the journey to the Secure Network Cloud was published in ISE Magazine. It covers Secure Access Service Edge and Secure Service Edge, Standards and Open-Source Challenges, Newly Available Standards, Layered Business Architecture and Service and Cloud Provider, Integrator and End-user perspectives. View article.
March 2023 Headline News
March #25 And you thought you were just flying a drone … It turns out that DJI’s GO4 app, the controlling app, does not close when you close it. Not only that, but its download and update bypass the Google app store, and its function is therefore not managed or monitored. Instead, the app uploads selected elements of your private data from your mobile device. Finally, note that DJI has about 90% of the market (ouch!). It is possible that other apps could be doing the same thing by bypassing Google’s process. In fact, there is no oversight for any of the 2.5 million apps on the Google Apps/Play store! (ouch again!)
March #24 Avoiding Crypto Currency vulnerabilities Reuse of long-standing crypto keys has been found to be responsible for losses of millions in crypto wallets. The answer is to always request new secret keys. The vulnerability results from hackers’ ability to break the “Elliptic Curve Digital Signature Algorithm” (ECDSA) used by Ethereum and other crypto blockchains to sign transactions, by deducing that secret values have been reused.
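The well-documented ECDSA weakness behind this class of wallet loss is reuse of the per-signature secret (the nonce k): two signatures under the same key that share a k produce the same r value, which is both what an attacker looks for and what a defender can detect. The added example below is not code from the page or from any wallet project; it is a toy ECDSA on the secp256k1 curve (the one Bitcoin and Ethereum use), a scanner that flags repeated r values under one public key, and the fix, a per-message deterministic nonce. The nonce derivation is a simplified HMAC construction standing in for RFC 6979, not the exact RFC procedure; the private key and messages are constructed.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a, m):
    return pow(a, -1, m)  # modular inverse (Python 3.8+)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * _inv(2 * y1, P) % P  # tangent slope (a = 0 on this curve)
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (toy code: not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def deterministic_nonce(priv, z):
    """Per-message nonce k = HMAC(priv, z) mod N. Simplified stand-in for RFC 6979
    (assumption: shows the idea of a nonce bound to key and message, not the exact RFC)."""
    ctr = 0
    while True:
        mac = hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big") + bytes([ctr]),
                       hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % N
        if k:
            return k
        ctr += 1


def sign(priv, msg, k=None):
    """ECDSA signature (r, s). k is derived per message unless a fixed k is passed,
    which is only done here to simulate the nonce-reuse bug."""
    z = _hash_int(msg)
    if k is None:
        k = deterministic_nonce(priv, z)
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (z + r * priv) % N
    assert r and s
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_int(msg)
    w = _inv(s, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def find_nonce_reuse(records):
    """records: iterable of (pub, msg, (r, s)). Reports every pair of different messages
    signed under the same key with the same r, i.e. the same nonce."""
    seen, findings = {}, []
    for pub, msg, (r, _s) in records:
        key = (pub, r)
        if key in seen and seen[key] != msg:
            findings.append((pub, r, seen[key], msg))
        seen.setdefault(key, msg)
    return findings


def demo():
    priv = secrets.randbelow(N - 1) + 1          # constructed throwaway key
    pub = _mul(priv, G)
    msg_a, msg_b = b"send 1 ETH to alice", b"send 5 ETH to bob"
    reused_k = 0x1234567890ABCDEF                # constructed: one nonce wrongly used twice
    bad = [(pub, msg_a, sign(priv, msg_a, k=reused_k)),
           (pub, msg_b, sign(priv, msg_b, k=reused_k))]
    good = [(pub, msg_a, sign(priv, msg_a)), (pub, msg_b, sign(priv, msg_b))]
    return {
        "all_valid": all(verify(pub, m, s) for _p, m, s in bad + good),
        "bad_share_r": bad[0][2][0] == bad[1][2][0],
        "bad_findings": len(find_nonce_reuse(bad)),
        "good_findings": len(find_nonce_reuse(good)),
    }


if __name__ == "__main__":
    print(demo())
```

Both pairs of signatures verify, so signature validity alone tells you nothing; the repeated r under one public key is the symptom to scan for in a transaction history, and the deterministic nonce removes the dependency on a random number source that a wallet might reuse.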
March #23 We thought it was bad, but not this bad! The advent of Phishing and Phishing as a Service has been much discussed, but the annual Digital Forensics and Incident Response (DFIR) report published this month shockingly reveals that nearly 70% of all attacks in 2022 were phishing attacks. Next, at 15%, and also surprisingly, were drive-by attacks. It could be that the high numbers of these attacks are skewed by the vulnerabilities of small companies and individuals who lack email-compromise detection software, or that the detection software is just not good enough.
March #22 Taking the OAuth … or not When you can’t find a password it’s so tempting to use the “Login using Facebook, Google, etc.” button, but thanks to Steve Gibson of Security Now realizing why the recent Chick-fil-A breach was so significant, we now know of the dangers of using such logins. The answer is that it encourages the lazy to adopt the much-discredited use of the same password for many logins. This is exactly what the hack was about. What the hackers were doing was saving the users’ Facebook credentials, since those logging in with Facebook at that site would likely be doing it everywhere. (Good grief.) They had no interest in the login for Chick-fil-A; it was the stealing and re-using of credentials that was the prize. This login approach reveals the weakness in the underlying OAuth ID technology. Just remembering if I ever did that is a challenge in itself.
March #21 US Cybersecurity Strategy. Third reaction. This seems to bear on Section 230. Continuing from below, the White House Cybersecurity Strategy Strategic Objective 3.3 shifts liability to software products and services. It refers to the NIST Secure Software Development Framework from Feb 2022 and states it must continue to evolve. It’s detailed and has some but not all of the issues covered in the “second reaction” point below. Strangely, it does not call out hardware or firmware except IoT devices in 3.2. More importantly, it does not extend the liability to those who aggregate or resell software programs (e.g., Apple, Microsoft), or refer, advertise, review and recommend them (e.g., Google, Amazon, and hence the Section 230 implications), or advertise plugins (e.g., WordPress, Salesforce) or, and here’s the clincher, test or certify security products or services! Who would be responsible for a Zero Day attack on security software à la Royal Ransomware below?
March #20 A Right Royal Mess Royal Ransomware was first encountered last year but has come to the fore because it targets critical infrastructures, healthcare, etc. It is particularly nasty because of its ability to disable installed anti-virus software, and to exfiltrate and encrypt data before extorting $millions in ransom. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. The advisory indicates how infections can likely happen and how to identify infected, partially encrypted files, but only gives general best practices for prevention. This advisory follows on from the VMware ESXiArgs ransomware issues last month.
March #19 US Cybersecurity Strategy Published. Second reaction. So, what does taking responsibility look like for tech companies? Certainly, ensuring that product marketing specifies the security aspects of a product as part of the market requirements. Next, that development bakes these into functional specifications, especially when deciding to use third party elements (such as open source code), and ensures that memory-safe software development languages are used. Next, as part of DevSecOps, make sure that code is not written with “useful” back-door entry points. Testing should always be built into development cycles, and specifically into any planned regression testing as new versions are ready. Next, all delivered software should have a software bill of materials. For distributed apps with user interfaces, Zero Trust fundamentals should be applied so that any user interface has proper ID management and access control, etc.
March #18 US Cybersecurity Strategy Published. First reaction. At first sight there’s a lot of fluff, and sections on tech/software companies taking on liability, comparing the tech companies with car manufacturers taking steps to avoid selling vehicles with faults. This makes total sense, but it seems both to lack detail and to abdicate the organizational responsibility that comes with holistic cybersecurity.
March #17 Head above the trenches The U.S. Marshals Office and other security-sensitive organizations are obvious attack targets since they hold useful insights on security, but attacks elsewhere continue unabated. Dish Network’s ransomware, Trezor crypto/NFT attacks and attacks on schools and healthcare are almost daily occurrences that hardly qualify as breaking news.
March #16 BYOOD: Bring Your Own Obvious Disaster The latest in the LastPass saga has revealed that the cause of the penetration was a staffer’s device being exploited from home. Really? If there was ever an example of the need for a ZTNA implementation from home, this was a missed opportunity. It’s no surprise that the LastPass star has fallen.
February 2023 Headline News
Feb #15 Signal and WhatsApp won’t be pushed around In a follow-on to the requirement to decrypt all messages on the EEC Internet (mentioned earlier this month), Signal, the encrypted message app, said it would quit the UK if it was forced to do this. I believe that WhatsApp has said the same. But don’t worry: the UK government said it would reach a compromise where the new legislation and decrypted data would both be possible. (This seemed a fine example of political nonsense.)
Feb #14 Zelle not responsible!? With 192,878 people losing a reported $213m from their Zelle accounts, it appears that many of those phished for their account details can’t get their money back. The point is that the seven banks who own Zelle seem not to be governed by the laws that protect consumers from credit card fraud, and are inconsistent in their care and reimbursement policy. The moral of this story is the same as the one below: “hover before clicking.”
Feb #13 Hover first before clicking It’s become extremely risky to click on what appear to be genuine ads on Google. Increasingly they can take you to fake sites that look real. “Hover first before clicking.” Check the actual address behind the link carefully. If in doubt, don’t click, even if the link looks sort of ok. This seems the inevitable future for all of us. The same applies to all the phishing email attacks below. A damaging example is the password managers, and this is another reason that passkeys are becoming more widely used (BitWarden and recently 1Password are examples).
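One way to do the “hover first” check programmatically, as an added example that serves both this item and May #46 (the .zip TLD trick) above; it is not code from the page or from Security Now. It reports the host a browser would really contact and flags the three things those two items warn about: a look-alike slash, an “@” that turns everything before it into a throwaway username, and a host whose TLD doubles as a file extension. The sample link is constructed from the May #46 hint using U+2215 DIVISION SLASH as the look-alike; the risky-TLD list and the look-alike set are assumptions for illustration.

```python
from urllib.parse import urlsplit

# TLDs that are also familiar file extensions (assumed list for illustration).
RISKY_TLDS = {"zip", "mov"}

# Characters that render like "/" but are not the URL path separator (assumed set).
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
}

# Constructed sample modelled on the page's hint "CISA.org/newsfeed.@jan24.zip":
# the "/" is U+2215, so the whole "CISA.org∕newsfeed." part is userinfo, not a host.
SAMPLE_HREF = "https://CISA.org\u2215newsfeed.@jan24.zip"


def analyze_link(url):
    """Return the host the browser would actually contact, plus any red flags."""
    findings = [f"slash look-alike U+{ord(c):04X} ({name}) in URL"
                for c, name in SLASH_LOOKALIKES.items() if c in url]
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects authorities whose characters normalise (NFKC) into '/?#@:',
        # e.g. FULLWIDTH SOLIDUS; treat a rejected link as suspicious, not as safe.
        return {"host": None, "findings": findings + [f"parser rejected authority: {exc}"]}
    if parts.username is not None:
        findings.append(f"'@' in authority: \"{parts.username}\" is userinfo, not the host")
    host = parts.hostname or ""
    if "." in host:
        tld = host.rsplit(".", 1)[1]
        if tld in RISKY_TLDS:
            findings.append(f"host ends in .{tld}, a TLD that doubles as a file extension")
    if not host.isascii():
        findings.append("non-ASCII characters in host name")
    return {"host": host or None, "findings": findings}


def hover_mismatch(displayed_text, href):
    """True when the text a link displays names a different host than the href really has.
    Plain text without a scheme is treated as an https URL for the comparison."""
    if "://" not in displayed_text:
        displayed_text = "https://" + displayed_text
    shown = analyze_link(displayed_text)["host"]
    real = analyze_link(href)["host"]
    return shown != real


if __name__ == "__main__":
    print(analyze_link(SAMPLE_HREF))
    print("mismatch:", hover_mismatch("https://CISA.org/newsfeed", SAMPLE_HREF))
```

The key observation is the first line of output: the real host is jan24.zip, not CISA.org, which is exactly what a careful hover shows and what a mail gateway can compute for every link before the user ever sees it.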
Feb #12 Phishing Blitz So many phishing attacks this month: Reddit, many health care breaches, scaring Facebook users with “Recently, we discovered a breach of our Facebook Community Standards on your page. Your page has been disabled for violating Facebook Terms. Click here to ..”, TA886 targeting organizations in the US and Germany with the custom malware tool “Screenshotter” to perform surveillance and data theft on infected systems, etc., but perhaps the most bizarre is stolen iPhones whose owners are lured, when using the “Find my phone” app, to a fake site where their Apple ID is taken.
Feb #11 Ascon: A New Standardized Encryption Technology This month, following a close competition, NIST announced the choice of Ascon as the new cryptography standard for Lightweight Cryptography (LWC) protection. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computation power and resources, such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. It is as yet unclear whether the millions (billions?) of legacy deployed devices could be upgradeable, with significant positive impact on critical infrastructures such as utilities, transport, manufacturing and smart cities. Ascon’s security characteristics are such that it could supersede other encryption technologies such as AES used in IETF’s TLS systems and other asymmetrical encryption approaches.
Feb #10 I always feel like somebody’s watching me … … and I have no privacy. Rockwell’s song 39 years ago couldn’t be more current! A few months ago, the EEC said that to protect children, all Internet traffic must be examined (being decrypted if encrypted). Wait, did they say all? Yes they did. Just this week Joe Biden’s State of the Union speech included a rant about protecting people’s privacy and not making information available. This triggered more thoughts. The most interesting part is who is going to pay for the extra compute power to do this? Where in the billions of connected wireless and wireline networks could this possibly happen, and how? Perhaps all messages will now be required to be in the clear and unencrypted. But wait, there’s more. That can’t happen, because as of Jan 2024 the requirement to run encrypted traffic over TLS 1.3 is being government mandated. So where can this decryption take place? In the network, at a middlebox function being developed, in the unlikely event that it could possibly scale. Also, provided that well known IPsec encryption is being used. Probably not with a Layer 2 encryption like MACsec, and providing no malicious hacker got into the control plane of a service provider who was not using Zero Trust. Oh, and where is there enough compute power? Would anyone stand for this in the current political climate? On balance, the legislators cannot understand what’s involved and would be better off finding other ways of tracking down culprits.
Feb #9 New Revision Download the fourth edition of my E-book on Holistic Cybersecurity from Amazon.com
Feb #8 Big Brother is watching – and it’s a good thing The good news is that the FBI has itself quietly hacked into a high profile hacker site and given a large number of encryption keys to those who have been hacked, restoring encrypted data to the victims of ransomware. The bad news? The hackers’ government is now aware of this and has prevented the FBI’s further intervention.
January 2023 Headline News
Jan #7 If LastPass can be attacked … If LastPass can be hacked why not undermine the rest of the password managers? Following on from earlier posts this month, the latest phishing attacks purport to be 1Password and Bitwarden by posting malicious ads on Google (who say they are addressing this). If you are on 1Password or Bitwarden sites all is well – but are you really on their site? Check carefully. Even being cautious it’s easy to assume Google links are ok but maybe they aren’t. Proceed with caution.
Jan #6 Who needs a human hacker when you have OpenAI/ChatGPT? Many instances are emerging of ChatGPT being used to generate malware that is not (easily) detectable. Further, this malware can mutate or morph so that each time it runs it is different. Oh, and those generating malware via the OpenAI/ChatGPT platform need no coding skills. Good grief! This puts Ransomware as a Service and Phishing as a Service into the shade. Here’s a link to an article from CyberArk with much more on this.
Jan #5 Tsunami approaching Jan 2024? This is about Transport Layer Security (TLS) 1.3. Given the lack of business cases and the vast potential disruption, only a small number of entities have updated their systems to TLS 1.3 from the 2008 standard, TLS 1.2, used in most web communications. This is about to change as NIST will push this down through government and banking networks and to anyone who wants to do business with them. TLS 1.3 was published 4 years ago but has limited adoption despite its updating acceptable encryption methodologies, deprecating early/old ones, upgrading key exchanges, etc. It is believed that TLS 1.3 will be mandated as of Jan 1st, 2024.
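What “moving to TLS 1.3” looks like on the client side, as an added example using Python’s standard ssl module (not code from the page or from NIST): a still-common legacy configuration beside a hardened one, and an audit function that reports why the legacy one fails a TLS 1.3 policy. The weak settings are constructed to illustrate the contrast; the live probe function needs network access and is there for the reader, not for the offline check.

```python
import socket
import ssl


def weak_client_context():
    """Constructed legacy configuration: TLS 1.2 floor (the 2008 standard the item
    mentions) and no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """TLS 1.3 only, keeping the default certificate and hostname verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx):
    """List the policy violations of a client context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum version {ctx.minimum_version.name} is below TLS 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname off)")
    return findings


def negotiated_version(host, port=443, timeout=5.0):
    """Live probe (needs network): connect with the hardened context and return the
    protocol actually negotiated, or the error if the server cannot do TLS 1.3."""
    ctx = hardened_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed: {exc}"


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Raising the floor is the easy half of the migration; the probe is how you find the servers that will start failing on the mandate date, because a TLS 1.3-only client cannot fall back to a 1.2-only server and will simply refuse the handshake.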
Jan #4 Well, who can you trust? Every security company’s nightmare is being hacked and losing credibility and customers. Following the LastPass debacle, LifeLock, PayPal and the sensitive credit bureau Experian have reportedly been hacked, resulting in loss of confidentiality. Getting the truth is a challenge since these companies are shy about giving the full story.
Jan #3 Terminology page grows daily What started as a few simple terms has grown to a compendium of almost 100 cybersecurity related definitions separating meaning from marketing hype and unraveling recently observed vulnerabilities.
Jan #2 A new article on Holistic Cybersecurity The Search for Cyber-Sanity. My new article published in ISE magazine explores why Zero Trust is only the beginning to holistic cybersecurity effectiveness. Discover how to improve your cybersecurity best practices. Read the article.
Jan #1 Passwords and Password Managers What to do and not do with passwords? With the debacle at LastPass and the resulting lack of confidence, the question is who to trust. Does the exfiltration of information that happened at LastPass erode confidence in all password managers, such as BitWarden, Dashlane, 1Password, KeePass, even Google? As adoption of passkeys gathers momentum, the fundamentals still apply: passwords >22 characters, MFA, care on password changes, etc.