BREAKING NEWS and UPDATES
Cybersecurity changes faster than you can read about it, with hundreds of reports each week from around the world. The intention of this page is to filter and highlight the most egregious new security issues. It also records updates to the book first published in 2022; new editions of the book absorb these additions.
Date | Topic | Update |
--- | --- | --- |
March 2023 | And you thought you were just flying a drone … | It turns out that DJI’s GO4 app – the controlling app – does not close when you close it. Not only that, but its download and update bypass the Google app store, so its behaviour is not managed or monitored. Instead, the app uploads selected elements of your private data from your mobile device. Finally, note that DJI has about 90% of the market (ouch!). It is possible that other apps are doing the same thing by bypassing Google’s process. In fact there is no oversight for any of the 2.5 million apps on the Google Apps/Play store! (ouch again!) |
March 2023 | Avoiding Crypto Currency vulnerabilities | Reuse of long-standing crypto keys has been found to be responsible for losses of millions from crypto wallets. The answer is to always request new secret keys. The vulnerability results from hackers’ ability to break the “Elliptic Curve Digital Signature Algorithm” used by Ethereum/crypto blockchains to sign transactions; the weakness lies in being able to deduce the reuse of secret keys. |
March 2023 | We thought it was bad, but not this bad! | The advent of Phishing and Phishing as a Service has been much discussed, but the annual Digital Forensics and Incident Response (DFIR) report published this month shockingly reveals that nearly 70% of all attacks in 2022 were phishing attacks. Next, at 15%, were drive-by attacks, also a surprise. It could be that the high numbers of these attacks are skewed by the vulnerabilities of small companies and individuals who lack email compromise detection software – or that the detection software is just not good enough. |
March 2023 | Taking the OAuth … or not | When you can’t find a password it’s so tempting to use “Login using Facebook, Google, etc.”, but thanks to Steve Gibson of Security Now realizing why the recent Chick-Fil-A breach was so significant, we now know the dangers of using such logins. The answer is that it encourages the lazy to adopt the much-discredited use of the same password for many logins. This is exactly what the hack was about. What the hackers were doing was saving the users’ Facebook credentials, since those logging in with Facebook at that site would likely be doing it everywhere. (Good Grief.) They had no interest in the login for Chick-Fil-A; stealing and re-using credentials was the prize. This login approach reveals the weakness in the underlying OAuth ID technology. Just remembering whether I ever did that is a challenge in itself. |
March 2023 | US Cybersecurity Strategy. Third reaction. This seems to bear on Section 230. | Continuing from below, the White House Cybersecurity Strategy Strategic Objective 3.3 shifts liability to software products and services. It refers to the NIST Secure Software Development Framework from Feb 2022 and states it must continue to evolve. It’s detailed and has some, but not all, of the issues covered in the “second reaction” point below. Strangely, it does not call out hardware or firmware except for IoT devices in 3.2. More importantly, it does not extend the liability to those who aggregate or resell software programs (e.g. Apple, Microsoft), or refer, advertise, review and recommend them (e.g. Google, Amazon, and hence the Section 230 implications), or advertise plugins (e.g. WordPress, Salesforce), or – and here’s the clincher – test or certify security products or services! Who would be responsible for a zero-day attack on security software à la Royal Ransomware below? |
March 2023 | A Right Royal Mess | Royal Ransomware was first encountered last year but has come to the fore because it targets critical infrastructure, healthcare, etc. It is particularly nasty because of its ability to disable installed antivirus software and to exfiltrate and encrypt data before extorting millions of dollars in ransom. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. The advisory indicates how infections are likely to happen and how to identify infected, partially encrypted files, but only gives general best practices for prevention. This advisory follows on from the VMware ESXiArgs ransomware issues last month. |
March 2023 | US Cybersecurity Strategy Published. Second reaction. | So, what does taking responsibility look like for tech companies? Certainly ensuring that product marketing specifies the security aspects of a product as part of the market requirements. Next, that development bakes these into functional specifications, especially when deciding to use third-party elements (such as open source code), ensuring that memory-safe software development languages are used. Next, as part of DevSecOps, making sure that code is not written with “useful” back door entry points. Testing should always be built into development cycles, and specifically into any planned regression testing as new versions are ready. Next, all delivered software should have a software bill of materials. For distributed apps with user interfaces, Zero Trust fundamentals should be applied so that user interfaces have proper ID management, access control, etc. |
March 2023 | US Cybersecurity Strategy Published. First reaction. | At first sight there’s a lot of fluff, plus sections on tech/software companies taking on liability, comparing them with car manufacturers taking steps to avoid selling vehicles with faults. This makes total sense, but it seems both to lack detail and to abdicate the organizational responsibility that comes with holistic cybersecurity. |
March 2023 | Head above the trenches | The U.S. Marshals Office and other security-sensitive organizations are obvious attack targets since they hold useful insights on security – but attacks elsewhere continue unabated. Dish Network’s ransomware, Tresor crypto/NFT attacks, and attacks on schools and healthcare are almost daily occurrences that hardly qualify as breaking news. |
March 2023 | BYOOD: Bring Your Own Obvious Disaster | The latest in the LastPass saga has revealed that the cause of the penetration was a staffer having his device exploited at home. Really? If there was ever an example of the need for a ZTNA implementation for working from home, this was a missed opportunity. It’s no surprise that the LastPass star has fallen. |
Feb 2023 | Signal and WhatsApp won’t be pushed around | In a follow-on to the requirement to decrypt all messages on the EEC Internet (mentioned earlier this month), Signal, the encrypted messaging app, said it would quit the UK if it was forced to do this. I believe that WhatsApp has said the same. But don’t worry, the UK government said it would reach a compromise where the new legislation and decrypted data would both be possible. (This seemed a fine example of political nonsense.) |
Feb 2023 | Zelle not responsible!? | With 192,878 people losing a reported $213m from their Zelle accounts, it appears that many of those phished for their account details can’t get their money back. The point is that the seven banks who own Zelle seem not to be governed by the laws that protect consumers from credit card fraud, and are inconsistent in their care and reimbursement policies. The moral of this story is the same as the one below: “hover before clicking.” |
Feb 2023 | Hover first before clicking | It’s become extremely risky to click on what appear to be genuine ads on Google. Increasingly they can take you to fake sites that look real. “Hover first before clicking”: check the actual address behind the link carefully. If in doubt, don’t click, even if the link looks sort of OK. This seems the inevitable future for all of us. The same applies to all the phishing email attacks below. A damaging example is the password managers, and another reason that passkeys are becoming more widely used (BitWarden and, recently, 1Password are examples). |
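The “hover first” check above can be automated for a whole message: compare what a link visibly says with where its href actually goes. This is an added example, not code from the original page; the HTML message is constructed and the domains in it are placeholders.

```python
"""Flag links whose visible text does not match their real destination.

Added example (not from the original page). It does in code what hovering
does by eye: the display text of each <a> is compared with the host in the
href, and hrefs that hide the real host behind userinfo ("user@host") or a
bare IP address are flagged too. SAMPLE_EMAIL is constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (e.g. example.com). This is a
    rough approximation that ignores multi-part public suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def check_links(html: str) -> list:
    """Return one verdict dict per anchor. A link is 'suspicious' when its
    visible text names a domain that differs from the href's actual host, or
    when the href hides its host behind userinfo or a bare IP address."""
    parser = _AnchorCollector()
    parser.feed(html)
    verdicts = []
    for href, text in parser.links:
        target = urlparse(href)
        actual_host = target.hostname or ""
        reasons = []
        if target.username is not None:
            reasons.append("href contains '@' userinfo before the real host")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", actual_host):
            reasons.append("href points at a bare IP address")
        m = _DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(actual_host):
            reasons.append(f"text says {m.group(1)} but href goes to {actual_host}")
        verdicts.append({"text": text, "href": href,
                         "suspicious": bool(reasons), "reasons": reasons})
    return verdicts


# Constructed sample message: one honest link, two deceptive ones.
SAMPLE_EMAIL = """
<p>Track it: <a href="https://example.com/track">https://example.com/track</a></p>
<p>Sign in: <a href="https://example.com.login-check.invalid/">https://example.com</a></p>
<p>Verify: <a href="http://example.com@203.0.113.5/verify">Verify account</a></p>
"""

if __name__ == "__main__":
    for v in check_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if v["suspicious"] else "ok", v["href"], v["reasons"])
```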
Feb 2023 | Phishing Blitz | So many phishing attacks this month: Reddit, many health care breaches, scaring Facebook users with “Recently, we discovered a breach of our Facebook Community Standards on your page. Your page has been disabled for violating Facebook Terms. Click here to ..”, TA886 targeting organizations in the US and Germany with the custom malware tool “Screenshotter” to perform surveillance and data theft on infected systems, etc. But perhaps the most bizarre is stolen iPhones whose owners, when using the “Find my phone” app, are trolled to a fake site where their Apple ID is taken. |
Feb 2023 | Ascon: A New Standardized Encryption Technology | This month, following a close competition, NIST announced the choice of Ascon, a new cryptography standard for Lightweight Cryptography (LWC) protection. Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computation power and resources, such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. It is as yet unclear whether the millions (billions?) of legacy deployed devices could be upgraded, which would have a significant positive impact on critical infrastructures such as utilities, transport, manufacturing and smart cities. Ascon’s security characteristics are such that it could supersede other encryption technologies such as AES used in IETF’s TLS systems and other asymmetrical encryption approaches. |
Feb 2023 | I always feel like somebody’s watching me … | … and I have no privacy. Rockwell’s song from 39 years ago couldn’t be more current! A few months ago, the EEC said that to protect children, all Internet traffic must be examined (being decrypted if encrypted). Wait, did they say all? Yes they did. Just this week Joe Biden’s State of the Union speech included a rant about protecting people’s privacy and not making information available. This triggered more thoughts. The most interesting part is who is going to pay for the extra compute power to do this? Where in the billions of connected wireless and wireline networks could this possibly happen, and how? Perhaps all messages will now be required to be in the clear and unencrypted. But wait, there’s more. That can’t happen, because as of Jan 2024 the requirement to run encrypted traffic over TLS 1.3 is being government mandated. So where can this decryption take place? In the network, at a middlebox function being developed, in the unlikely event that it could possibly scale. Also, provided that well-known IPsec encryption is being used – probably not a Layer 2 encryption like MACsec – and provided no malicious hacker got into the control plane of a service provider who was not using Zero Trust. Oh, and where is there enough compute power? Would anyone stand for this in the current political climate? On balance the legislators cannot understand what’s involved and would be better off finding other ways of tracking down culprits. |
Feb 2023 | Big Brother is watching – and it’s a good thing | The good news is that the FBI has itself quietly hacked into a high-profile hacker site and given a large number of encryption keys to those who have been hacked, restoring encrypted data to the victims of ransomware. The bad news? The hackers’ government is now aware of this and has prevented the FBI’s further intervention. |
Jan 2023 | If LastPass can be attacked … | If LastPass can be hacked, why not undermine the rest of the password managers? Following on from earlier posts this month, the latest phishing attacks purport to be 1Password and Bitwarden by posting malicious ads on Google (who say they are addressing this). If you are on the 1Password or Bitwarden sites all is well – but are you really on their site? Check carefully. Even being cautious, it’s easy to assume Google links are OK, but maybe they aren’t. Proceed with caution. |
Feb 2023 | Download the fourth edition of my E-book on Holistic Cybersecurity from Amazon.com |
Jan 2023 | Who needs a human hacker when you have OpenAI/ChatGPT? | Many instances are emerging of ChatGPT being used to generate malware that is not (easily) detectable. Further, this malware can mutate or morph so that each time it runs it is different. Oh, and those generating malware via the OpenAI/ChatGPT platform need no coding skills. Good grief! This puts Ransomware as a Service and Phishing as a Service into the shade. Here’s a link to an article from CyberArk with much more on this. |
Jan 2023 | Tsunami approaching Jan 2024? | This is about Transport Layer Security (TLS) 1.3. Given the lack of business cases and the vast potential disruption, only a small number of entities have updated their systems to TLS 1.3 from the 2008 standard, TLS 1.2, used in most web communications. This is about to change as NIST will push this down through government and banking networks and to anyone who wants to do business with them. TLS 1.3 was published 4 years ago but has limited adoption despite updating acceptable encryption methodologies, deprecating early/old ones, upgrading key exchanges, etc. It is believed that TLS 1.3 will be mandated as of Jan 1st, 2024. |
Jan 2023 | Well, who can you trust? | Every security company’s nightmare is being hacked and losing credibility and customers. Following the LastPass debacle, LifeLock, PayPal and the sensitive credit bureau Experian have reportedly been hacked, resulting in loss of confidentiality. Getting the truth is a challenge since these companies are shy about giving the full story. |
Jan 2023 | Terminology page grows daily | What started as a few simple terms has grown to a compendium of almost 100 cybersecurity related definitions separating meaning from marketing hype and unravelling recently observed vulnerabilities. |
Jan 2023 | A new article on Holistic Cybersecurity | The Search for Cyber-Sanity. My new article published in ISE magazine explores why Zero Trust is only the beginning to holistic cybersecurity effectiveness. Discover how to improve your cybersecurity best practices. Read the article. |
Jan 2023 | Passwords and Password Managers | What to do and not do with passwords? With the debacle at LastPass and the resulting lack of confidence, the question is who to trust. Does the exfiltration of information that happened at LastPass erode confidence in all password managers such as BitWarden, Dashlane, 1Password, KeePass, even Google? As adoption of passkeys gathers momentum the fundamentals still apply: passwords >22 characters, MFA, care on password changes, etc. |
Date | Topic | Update |
--- | --- | --- |
2022 | ||
Dec 2022 | Critical year-end message re implementing Zero Trust | While we have extolled the virtues of automated and fully tested backups, they only repair after-the-fact ransomware attacks when data is encrypted or lost. I.e., if the data you have is sensitive (financial, personal or legal information) it is imperative that the information is not leaked or sold – which it likely will be, even after ransom payments are made. This is a going-out-of-business strategy. It’s why exfiltration of data must be prevented by implementing a comprehensive Zero Trust strategy whose goal is the prevention of data exfiltration. |
Dec 2022 | Web Application Vulnerabilities | Web application attacks have been known for years, but several instances of attacks not caught by Web Application Firewalls have resulted in SQL injection attacks. With SQL databases being the norm on the web, it has become critical to ensure verification of updated software. |
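The point of the item above is that a firewall in front of the site is not the fix; the query inside the application is. As an added example (not code from the original page), here is the string-built query that a WAF is expected to protect, beside the parameterised form that needs no such protection, plus the one case parameterisation cannot cover (a column name) handled with an allow-list. The users table and its two rows are constructed for the demonstration.

```python
"""SQL injection: the vulnerable query beside its hardened form.

Added example, not from the original page. Runs against an in-memory SQLite
database with constructed sample rows, so it works offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: the input is pasted into the SQL text, so a quote
    or keyword inside `name` becomes part of the statement itself."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: the driver sends the value separately from the
    statement, so it can only ever be compared against a name."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table or column names) cannot be bound as parameters, so the
# hardened pattern for them is a strict allow-list, never string formatting.
SORTABLE_COLUMNS = {"name", "role"}


def sort_users(conn: sqlite3.Connection, column: str) -> list:
    """Order the user list by a caller-chosen column from the allow-list."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = "nobody' OR '1'='1"   # constructed input containing a quote
    print("vulnerable   :", lookup_vulnerable(db, tainted))    # every row
    print("parameterised:", lookup_parameterised(db, tainted))  # no rows
    print("sorted       :", sort_users(db, "role"))
```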
Dec 2022 | More on Cameras | Anker’s Eufy cameras’ claims of privacy, encryption and other security were debunked by The Verge. You have been warned. |
Dec 2022 | U.S. bans more Chinese network devices. | Following the recent discovery of malware in Chinese company Hikvision’s popular camera products (about 80,000 being deployed), the US government has banned import and use of their products, joining other Chinese companies such as Huawei, ZTE, etc. which were previously singled out by the US government. |
Dec 2022 | Gone – Vishing | This one you don’t have to worry about – well, until it surfaces next week as something else. This scam may have begun well-intentioned or not, but it offered a service for users to disguise their caller ID. However, ispoof.com, or hackers using it, reputedly chalked up over $120m of illicit revenue over two years until the FBI and Europol shut them down and arrested 100+ hackers, mostly in Europe. But the idea may resurface elsewhere. |
Nov 2022 | Black Phishday Alert | Friday is a traditional day for Fish n’ Chips but this is Black Friday and Phish is on the menu but the chips are down on your security. Expecting to see great deals from your favorite stores and up to the moment delivery tracking info? Of course you are. However, about one in six delivery emails and about one in 25 “shopping sites” are malicious. So don’t touch that dial. Apology for the weak puns. |
Nov 2022 | Delegate Don’t Abdicate | This is a possible solution to the complex problem of delegating to outside agencies, software companies, sales CRMs, physical security companies, device vendors, etc. Since this is a problem of endless, recurring loss of control, the recommendation is that all contracts for purchase or partnership, etc., put the responsibility on the provider to warrant that their service is responsible for any security issues or outcomes that arise from its use. |
Nov 2022 | Update1: Crypto1 | With the bankruptcy of FTX and the evaporation of Sam Bankman-Fried’s $26 billion fortune, could the route to easy illicit money be on the verge of collapse? Will it be replaced by “the check’s in the mail.” Is this good news? |
Nov 2022 | Update2: Crypto2 | In the “Causes” section of the book, I covered the move to the Cloud, Covid-generated distributed workforces, etc., but I just realized that I did not cite crypto currency as a cause, even though its presence is key: it is what has allowed Bad Actors to easily collect ransomware payments, which was never possible before. But wait, there’s more – see the above. |
Nov 2022 | Update 3: Phishing as a Service | A few weeks ago this page covered the arrival of Phishing as a Service. Just a month later there has been a dramatic increase in the use of PhaaS reported. Akamai reported 299 Phishing as a Service tool kits (that means many times that number using these tool kits to initiate phishing attacks). Good Grief. |
Nov 2022 | CISA announces Cybersecurity “Performance” Goals | First the good news. It’s great that the government is really serious about cybersecurity. Now the confusing news. CISA (the U.S. government’s Cybersecurity and Infrastructure Security Agency) has published “The Cross-Sector Cybersecurity Performance Goals (CPGs)” for critical networks. If you are expecting to see a list of latency and CPU requirements that ensure minimal delay while ensuring defense against attack, then you may be disappointed and go to dictionary.com to look up “Performance.” Rather, the CPGs “strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks.” None the wiser? Well, before you click on the link and download these purely voluntary goals, I’d like to wish you good luck! Visit https://www.cisa.gov/cpg to be enlightened (or not). |
Nov 2022 | New MEF Zero Trust Specification | For the last two years I have been privileged to be a contributor to a new industry specification approved for publication on 10/25/2022: “MEF 118: Zero Trust Framework for MEF Services.” It recognizes the key ZT principles and strategies and specifies the attributes augmenting MEF services to implement Zero Trust functionality. A piece on this significant addition to service provider services, by editor Ralph Santoro, was published today, 11/3/22, at https://bit.ly/3zJsCVT. The PDF of MEF 118 can be found on the MEF site. |
Nov 2022 | Zero Trust goes mainstream | The U.S. government has made it mandatory for all federal agencies to adopt zero-trust by 2024. The National Institute of Standards and Technology (NIST) has also been told to build a playbook for the private sector. Hopefully, this playbook consists of lots of use cases. Gartner apparently anticipates spending on zero-trust to more than double between now and 2025 to $1.674 billion – though it doesn’t say whether that is system or component revenue, or how it translates principles and strategy into market dollars. NIST has had an architecture for several years; check out the reference pages. |
Oct/Nov 2022 | New Edition of the Book published. | Halloween seemed the right day to publish the third edition of my paperback and eBook containing the latest on Holistic Cybersecurity. Check it out on Amazon at https://amzn.to/3P7xb1U. |
Oct/Nov 2022 | Passkey Update | Passkeys (intended to make passwords obsolete) have a new web site showing the latest on this controversial initiative, and it is worth checking out: Passkey.dev gives the updated info. It is critical that authentication and identity managers are delegated only to carefully vetted outsourced companies, since passkey security will fail – as was seen in November 2022. |
Oct 2022 | Privacy Law Chaos | The UK has made privacy laws, and hence the attacks on web sites, even more chaotic for multinationals by announcing it will be joining Japan, South Africa and others in replacing the EU’s GDPR legislation with a home-grown version. Good grief. |
Oct 2022 | More Crypto Troubles | The Binance cryptocurrency platform hack lost $570m earlier this month, as covered by Reuters. Related to this, the Zcash blockchain DDoS attack consisted of blasting the network with bogus transactions. |
Oct 2022 | The Very Latest on Zero Trust | Fresh from the Zero Trust panel at ONUG Fall (10/20/22) is our new summary of Zero Trust, shown at the foot of the cybyr.com home page. |
Oct 2022 | Exponential Organizations | Given that only 25% of large and midsize companies have Cybersecurity as an executive imperative, the role of Exponential Organization methodology to introduce disruptive technologies such as Holistic Cybersecurity is critical. At the October 13th ExO All Hands meeting this key connection was explored. For more on how ExO methodology overcomes an organization’s resistance to change – click here. |
Oct 2022 | Network Cloud | An all-new podcast covering Services, Connections and Security for the Network Cloud. Leaders from ONUG’s Network Cloud working group discuss critical network strategies that will affect an organization’s digital transformation. Click to view the podcast. |
Oct 2022 | Government Initiatives | October is Cybersecurity Awareness Month with government initiatives to be found at Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). Five pretty basic actions but it’s all about starting with the weakest links. |
Sept/Oct 2022 | Ransomware as a Service | You may encounter LockBit 3.0. LockBit 2.0 was reportedly responsible for 1000+ attacks. A precocious group offering Ransomware as a Service (for all!) is just the tip of this RaaS and PhaaS (see below) pandemic. Unsurprisingly, there are many (100+) RaaS groups stealing code from each other. The point of this post is to alert you to the escalation of tools for creating attacks that are falling into the hands of unskilled criminals. Like other pandemics, mutations of attacks can be expected. Prevention of phishing is the best approach, but not infallible. If impacted, we suggest searching for services that will help. |
Sept/Oct 2022 | MFA Fatigue | Following recent breaches of Uber’s records, it’s become apparent that repeated push notifications you receive on your phone can be just a front for another scam: eventually the user succumbs and approves one of the MFA requests. This has been termed MFA Fatigue. Do not approve these unless you are certain of the origin and timing. Uber and others have now taken action with more sophisticated notifications to render such scams less potent. |
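The defensive side of the item above, as an added example that is not code from the original page or from any vendor: a small push-MFA approver that locks a user out after too many prompts in a short window, and that only counts an approval when the user echoes the number shown on the login screen (number matching). The event stream, user names and thresholds are constructed for the demonstration.

```python
"""Push-bombing detection plus number matching for push MFA.

Added example, not from the original page. Replays a constructed stream of
push events through a guard that (1) refuses approvals once a user has had
more than MAX_PROMPTS prompts within WINDOW_SECONDS and (2) requires the
approver to type back the number displayed at login.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600   # look back ten minutes (constructed threshold)
MAX_PROMPTS = 3        # more prompts than this in the window is bombing


@dataclass
class PushGuard:
    prompts: dict = field(default_factory=lambda: defaultdict(deque))
    pending: dict = field(default_factory=dict)  # user -> number shown at login
    locked: set = field(default_factory=set)

    def send_prompt(self, user: str, ts: float, number: int) -> str:
        """Record a push prompt for `user` at time `ts`. Returns 'sent', or
        'locked' when the prompt rate looks like an MFA-fatigue attack."""
        q = self.prompts[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # drop prompts outside window
            q.popleft()
        if len(q) > MAX_PROMPTS:
            self.locked.add(user)          # stop the flood: no approval can succeed
            self.pending.pop(user, None)   # and void any prompt still pending
            return "locked"
        self.pending[user] = number
        return "sent"

    def approve(self, user: str, typed_number: int) -> str:
        """Accept an approval only if the user is not locked and echoed the
        number from the login screen; a blind tap on 'Approve' cannot pass."""
        if user in self.locked:
            return "rejected: too many prompts, user locked"
        if self.pending.get(user) != typed_number:
            return "rejected: number mismatch"
        self.pending.pop(user)
        return "approved"


# Constructed event stream: (seconds, event, user, number on screen / typed)
SAMPLE_EVENTS = [
    (0,   "prompt",  "alice", 41),
    (5,   "approve", "alice", 41),   # legitimate login, number echoed back
    (100, "prompt",  "bob", 17),
    (130, "prompt",  "bob", 88),
    (160, "prompt",  "bob", 23),
    (190, "prompt",  "bob", 65),     # fourth prompt in 90 s: bombing
    (200, "approve", "bob", 65),     # a worn-down tap is refused anyway
]


def replay(events) -> list:
    """Run events through a fresh guard; returns (ts, user, outcome) tuples."""
    guard = PushGuard()
    out = []
    for ts, kind, user, number in events:
        if kind == "prompt":
            out.append((ts, user, guard.send_prompt(user, ts, number)))
        else:
            out.append((ts, user, guard.approve(user, number)))
    return out


if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(*row)
```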
Sept 2022 | Phishing as a Service with MFA Bypass | It was probably inevitable. The emergence of Phishing as a Service (PhaaS) combines man-in-the-middle attacks to spoof web sites and defeat two-factor authentication. This is part of a PhaaS kit from EvilProxy and was discovered by Resecurity in their must-read article published in September. This tool allows subscribers with little know-how to set up crippling phishing attacks. Expect this to generate phishing attacks that are more difficult to detect. |
Sept 2022 | Hidden Scary Software Supply Chain Problems in Mobile Apps | Just when you thought they had fixed security in the Cloud, it’s been discovered by Symantec that thousands of mobile apps using open-source SDKs are infected with code that can reveal your AWS credentials. iOS apps and their supply chains are creating these disastrous vulnerabilities. If you are not concerned, then know that included among these are banking apps that are exposing customer data! Oh, and almost every mobile gaming app is using the same flawed software. Remember: delegate, don’t abdicate, your security. |
Sept 2022 | The Bumblebee Loader | The Bumblebee Loader has recently become the biggest new story on the malware front. Instigated by a single phishing attack, this horrendous new Living-off-the-Land attack is impacting tens of millions of Windows devices. Click here for the full story. |
Sept 2022 | Quantum Computing | The implication of quantum computing is that nothing (including decrypting nuclear weapon guidance systems – yes, we thought that might get your attention) could be more important for world control – if discovered. However, most recent commentary is that it may never happen. The point is to invest with caution and focus on other security weak links instead. |
Aug 2022 | Build in Testing and then actually test it | This was definitely not emphasized enough in the book. It’s one thing to put in place a disaster recovery program to ensure that data is stored offline, and even that restores are done and tested to be valid. What also needs to be done is to look at potential data breaches, insider threats, etc., and perform dress rehearsals for how you can recover. It does not mean that you will be able to second-guess a specific problem, but at least there will be a fire drill: a tested, calmly written process for when things do go wrong. (Looks so much better than running around like a headless chicken!) |
Aug 2022 | Cyber Insurance | This was covered in the book, but it just got worse. Much worse. Lloyds of London (the most influential insurance underwriter) has notified the world in a market bulletin that as of March 31st 2023 nation-state cybersecurity attacks are excluded. This sounds like a complete can of worms, since how can it be proved who sponsored your attack??? It certainly makes it important to deploy defenses against nation-state attacks. This was likely triggered by Merck’s massive successful cyber insurance claim. |
Aug 2022 | New Term Added | SPIFFE and SPIRE production software methodologies were not included in the book and have been added to the Terminology page. |
Aug 2022 | Oops, then there were three | It turns out that one of the four finalists (SIKE) was cracked due to a vulnerability in its underlying algorithm. |
July 2022 | Encryption – the end is nigh? | Maybe not! NIST announced the four finalists among new encryption systems designed to defeat potential (future) quantum-computing encryption-cracking algorithms. |
July 2022 | Phishing | Strangely, the definition was missing in the first edition of the book; it is included in the online terminology page. |
July 2022 | Threat Hunting | Not addressed in the book because it has become a hyped marketing term, being part of several systems. Wikipedia says it’s a proactive cyber defense activity: “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” It will be included in the online terminology page. |