BREAKING NEWS - 2023 and EARLIER
October - December 2023
December 2023 | Headline | News – Distilled from a detailed review of 160 cybersecurity postings this month |
Dec #123 | Building on Shaky Ground | Given the countless threat detection, prevention and removal software products and non-IT defenses, it’s a sobering thought that questions are still being asked about vulnerabilities in underlying software, hardware and drivers. The Windows Common Log File System (CLFS) is increasingly being targeted by threat actors, as reported by Dark Reading, as its inherent weaknesses are discovered. Dark Reading concludes that this important Windows system component is due for a redesign. |
Dec #122 | Comcast bleeds data of 35.9 million customers | We don’t cover the masses of daily ransomware and data breach attacks here unless there are lessons to be learned. It seems no coincidence that the SEC’s rules on disclosing cybersecurity incidents within 3 days came into effect the day before Comcast revealed that the CitrixBleed data breach had hit them (actually, possibly 35.9 million of their Xfinity customers) back in mid-October. So, the legal department thought they’d better say something about it. Beyond that, however, the question is “how the heck did it happen?” (1) Was the customer data on a server, or was it lost in transit through Comcast’s network? (2) Either way, where was the microsegmentation of data that might have made exfiltration impossible? (3) It seems clear that no Zero Trust implementation was deployed to prevent escalation of privilege, no least privilege for ID management, and the list goes on. |
Dec #121 | Those boring predictions | Everywhere you look there are “Summaries of 2023” and “Predictions for 2024” that mostly regurgitate the same old boring stuff. Here’s mine. |
Dec #120 | Quantum Computing Breakthrough | The approach of Quantum Computing, and the demise of the currently dominant asymmetrical encryption algorithms, took an important step nearer with an announcement by DARPA (the U.S. Defense Advanced Research Projects Agency) and a paper in the journal Nature reporting results from a team of almost two dozen scientists, most of them from Harvard, funded by a DARPA program known as ONISQ (Optimization with Noisy Intermediate-Scale Quantum devices). This has created a 200-fold increase in the creation of “logical qubits” – Quantum’s primary compute elements. Important new work on the creation of symmetrical encryption methods resistant to quantum decryption is under way at NIST. More on both of these developing stories early in 2024. |
Dec #119 | My New Article on Critical Infrastructure | I just took on the mammoth topic of Critical Infrastructure, which impacts all of us. My latest article, published in this month’s ISE magazine, covers the challenges that have caused so many recent high-profile headlines. It examines how implementing the reborn Network as a Service, cybersecurity basics and Critical Infrastructure specifics can eliminate the scary incidents we see daily. Since completing the article several weeks ago, much has happened and the story continues on the site on my Critical Infrastructure page. My next article publishes in February! |
Dec #118 | SEC regulations come into effect 12/18 but who decides the math? | It turns out that the Securities and Exchange Commission (SEC) regulations that require public companies to disclose material breaches only seem to apply to reporting to the SEC and really only to the FBI. I.e. 4 days can turn into 60 subject to FBI involvement, or even 120 if the FBI deems it to be a “substantial security risk.” This sounds like an opportunity for political manipulation but is likely better than what we had before. More in this Bank Info Security article and on our hot topics page. |
Dec #117 | Why do more attacks result in fewer security personnel? | To quote from an interesting report and survey run by the CSO publication: “Even as the number of security incidents continues to grow in all sectors, 47% of the respondents plan to reduce their security headcounts, a new report by Observe has revealed. Remarkably, 62% of these organizations also reported a higher number of security incidents per month.” Also of interest, the survey shows the kinds of tools being used. Perhaps these indicate that cybersecurity is becoming more of a business-as-usual operation. |
Dec #116 | Progress continues | It’s always good to be aware of the collective progress in cybersecurity. The DoD’s latest recommendations on protecting against weaknesses related to DoD-controlled information apply everywhere, are definitely worth a read and align with everything we cover. The document refers to a table of 14 categories based on NIST SP 800-171 revision 2. |
Dec #115 | EU Votes to break Internet Security | In #107 below we warned of the EU’s determination to ignore reason, put the privacy and security of all EU citizens at risk and put web certification in the hands of member countries. In a behind-closed-doors vote the legislation passed, including the soon to be infamous “Article 45.” |
Dec #114 | What bank is that again? | For those who are still clicking on those innocent-looking emails, these scary examples show how fraught and tricky the problem is. So, which one of these emails is legitimate and which is from a man-in-the-middle attack? onlinebanking@ealerts.bankofamerica.com onlinebanking@еαlerts.bankοfamerica.com onlinebɑnking@еalerts.bankоfamerica.com The difference between the first and second, highlighted in a couple of alerts recently, is the letter “α”, which is a cyrillic alpha but which our brain registers as an “a”. However, the third was not covered in alerts and is much trickier, as the “o” is actually a Greek omicron character. I.e. it’s not enough just to look at the address when the difference is hidden by the font. (good grief!) |
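One defender-side check for the look-alike addresses described above, as an added example that is not from the original post: it lists every non-ASCII character in an address with its code point and script, and shows the domain in the xn-- form it would actually have in DNS. The sample addresses are constructed with explicit escapes (Greek alpha U+03B1, Greek omicron U+03BF, Cyrillic ie U+0435) rather than copied from the item.

```python
"""Flag homoglyph (look-alike) characters in e-mail sender addresses."""
import unicodedata

# Constructed samples (not copied from the item): visually near-identical
# to the legitimate address in most fonts, but built from other scripts.
LEGIT = "onlinebanking@ealerts.bankofamerica.com"
SAMPLES = {
    "legit": LEGIT,
    "greek_alpha_omicron": "onlinebanking@\u0435\u03b1lerts.bank\u03bffamerica.com",
    "latin_alpha_cyrillic_e": "onlineb\u0251nking@\u0435alerts.bank\u03bffamerica.com",
}


def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode character name
    (e.g. 'CYRILLIC', 'GREEK'); ASCII letters count as LATIN."""
    if ch.isascii():
        return "LATIN"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point
        return "UNKNOWN"


def foreign_chars(address: str) -> list:
    """Every non-ASCII character as (position, char, code point, script)."""
    return [(i, ch, f"U+{ord(ch):04X}", script_of(ch))
            for i, ch in enumerate(address) if not ch.isascii()]


def ace_domain(address: str) -> str:
    """Render the domain part the way DNS sees it: non-ASCII labels become
    punycode with the xn-- prefix, so a look-alike no longer looks alike."""
    domain = address.rsplit("@", 1)[-1]
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def verdict(address: str) -> str:
    """'ok' for pure ASCII, 'mixed-script' when a non-Latin script is mixed
    in with Latin letters (the homoglyph pattern), else 'non-ascii'."""
    chars = foreign_chars(address)
    if not chars:
        return "ok"
    scripts = {script for _, _, _, script in chars}
    if scripts - {"LATIN"}:
        return "mixed-script"
    return "non-ascii"  # e.g. accented Latin letters in a real IDN mailbox


if __name__ == "__main__":
    for name, addr in SAMPLES.items():
        print(f"{name}: {verdict(addr)} -> {ace_domain(addr)}")
        for pos, ch, cp, script in foreign_chars(addr):
            print(f"  pos {pos}: {ch!r} {cp} {script}")
```

Note that U+0251 (Latin small letter alpha) is classed as LATIN, so the third sample is caught by its Cyrillic and Greek characters, not by the alpha; a mail filter that only checks for non-Latin scripts would still want to list every non-ASCII code point as this does.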
Dec #113 | Trains & Boats and Trains | Ahead of much coverage of Critical Infrastructure this month, the intertwining of networks, IoT and cybersecurity is highlighted by a feature on rail systems rolling stock security by Siemens. This is not a promo for the company, but it does highlight the focus on rail system security. Last month we covered the threats to Boats and Planes, and shortly an article published on critical infrastructure featuring both security and network integrity will also appear on this site. Update: now there is news of a water treatment system in Philadelphia under attack by a Hamas attack group targeting (yes, you’ve guessed it) devices connected directly to the Internet. The big surprise is that this is a surprise to anyone. To be continued. |
November 2023 | Headline | News |
Nov #112 | Lock Down | Given that both the Experian and TransUnion credit bureaus – who know everything about your financials, status and history – are being held to ransom for $30m apiece, the recommendation is to lock down your credit with them. I.e. if someone does get your credentials they can’t take out a credit card or loan or find out how much money you have so easily, and you will be alerted should there be attempted access to that information. |
Nov #111 | Delegate Don’t Abdicate | It started as a simple article in the July/August edition of ISE magazine but it’s grown into a monster. Applying Zero Trust principles to delegation and Network as a Service was also part of our ONUG Fall presentation in New York last month. It’s also found its way into the MEF’s update to the MEF 118.1 Zero Trust Specification. The latest update is on this site. |
Nov #110 | Tis that time of the year. | Yes, Christmas is coming and it’s time for Black Friday scams – (“hover before you touch” or check that FedEx tracking email or Best Buy special.) However, among the lists of the 10 best predictions for 2024 is something cool. Cyber Security Hub lists the 10 security misconfigurations to fix right now. Yes, the obvious ones – using default configs, not using least privilege, non-automated updating, lack of segmentation – are there. Others are less well considered: insufficient internal network monitoring, weak MFA methods, insufficient Access Controls and system bypasses, poor credential hygiene and lazy (my word) oversight of code execution. |
Nov #109 | The nerve of some robbers! | It’s bad enough that the ALPHV Ransomware group held the MGM hotel group to ransom – but to file a complaint that MGM did not report it in time is to ridicule and make a mockery of all concerned. It’s like a bank robber stealing money from a bank and then suing them for lack of security. |
Nov #108 | 3 Critical Infrastructure Issues | Time to look at critical infrastructure. As a lead into this monster topic, three incidents occurred in the second week of November: Australian port systems, aircraft safety (new concerns) and the world’s largest bank were all hit separately. In the third week, the personal information of 5700 employees at the US Nuclear Energy Center was leaked. Not a good place to have an insider threat or a social engineering attack based on the vulnerable past of an employee. As a first step, it’s a timely reminder for executives in these major organizations to stop thinking in the past and focus on the basics to Break the Vicious Circle. Also, to focus on the many issues of the above critical infrastructure instances and their special requirements. More to follow on these topics. |
Nov #107 | EU time machine to return to 2011 | Despite almost every major security and tech company’s efforts, the blinkered non-experts in the EU are about to take the Internet’s security and personal exposure back 12 years. The proposed legislation (eIDAS 2.0 and more specifically Article 45), to quote Mozilla: “This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.” Loads of coverage on this potential disaster: (1) Security Now ep 947. (2) The Register. (3) EFF civil liberties foundation. The EU gives carte blanche to governments and probably hackers to run amok and eavesdrop on everyone!! |
Nov #106 | When will they learn? | It seems to have escaped the world of cybersecurity software vendors that they are the main targets. Following reports about leaking OKTA personal login data, the Microsoft juggernaut seems to be waking up – responding to significant U.S. Government pressure. Cybersecurity Dive is one of many to report “government branches being concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features.” Microsoft’s Secure Future Initiative addresses this with an update to its Microsoft Security Development Lifecycle (which we cover on this site) to become “dynamic SDL” (dSDL), updating its “security defaults” and identity management. Lots of good intention. What it translates into is definitely left as an exercise for the subscriber – and any improvement would be good for all. |
Nov #105 | Delegation not Abdication | My original ISE article in August 2023 has been greatly expanded covering six key areas that require verification of companies, services and software. This blueprint covers 26 functions helping support an organization’s responsibility to verify its operation and that of its suppliers. I hope that the proposed CISA cuts don’t slow down their effort in this area. |
Nov #104 | 40+ Countries to Pay No Ransomware | This fanfared story received much coverage but it may be limited to organizations who would likely not be paying anyway, even if it’s enforceable. When signed, it appears to be limited to government agencies, not the organizations who operate in those countries. If it comes to “breaking the agreement” or survival, we will see which one wins and puts a dent in the projected $bn problem by the end of 2023. What is often overlooked is that paying ransomware to state-sponsored threat actors likely breaks the law in the U.S. The 2021 Dept of the Treasury Office of Foreign Assets Control update explains more on this. It is not clear how you can possibly know who you are paying. |
October 2023 | Headline | News |
Oct #103 | Solar Winds | Almost 3 years since Texas-based SolarWinds’ disclosure of its infamous breach, the Securities and Exchange Commission filed charges against the company and its CISO, Timothy G. Brown, alleging that the software company misled investors through cybersecurity misstatements and omissions that concealed its deficiencies and poor cybersecurity practices. This is a story that will concern a much wider audience. |
Oct #102 | Boeing goes boing? | It will be interesting to see how Lockbit’s ransomware attack on the $60bn Boeing Company plays out. The attackers threaten to make public stolen data from the massive commercial and defense aviation and space company if it does not respond by Nov 2nd. What the cybersecurity community wants to know is what are the lessons to be learned. “Why did this happen?” should also be part of the new CISA rules, however painful that might be. It would be good to see laws against ransomware payments come into effect, though this might turn complicated. Update: Lockbit posted what it claimed was some of this stolen data on Nov 10th. |
Oct #101 | $2 Billion Domino Effect | It never ceases to amaze that the basic security fundamentals are neither part of a security software company’s development process nor of a subscriber’s delegation and verification process. The $2bn in question is the loss in the market cap of OKTA, the industry’s go-to company on Identity Management, at the heart of all Zero Trust implementations. The impact on its 18,000 customers (many household names) is not known, but MGM, Caesars, Cloudflare and 1Password are on the list of dominos that have fallen. What’s concerning is that the MGM Okta incident was known about for more than a month and yet the rest of the stories are just seeping out. |
Oct #100 | A new paradigm for cybersecurity in the board? | Given the dramatic story below, this 100th posting of the year takes on a more optimistic note. It appears that a new model for cybersecurity is taking shape in executive teams and company boards. A security committee, consisting of or including one or more consultants, that takes responsibility and provides executive oversight is becoming popular. About time too! Given that the CISOs or designated security expertise within an organization have neither the business skills nor the experience to even speak the language of the executive team, this is an important trend that can scale up or down to almost any size or type of organization. More on this on this site to follow shortly. Splunk’s 2023 Report includes data on this trend. |
Oct #99 | Ouch! | The Web User Interface of Cisco’s IOS XE software appears to have a serious flaw, as reported by Sentinel One and CyberDive. This Advanced Persistent Threat attack is triggered by a threat actor with unauthenticated accounts being able to elevate their privilege to Cisco’s highest level (15), causing untold chaos to monitoring, routing, physical and virtual processes, inserting man-in-the-middle malware and impacting 140,000+ systems and their customers worldwide! (Yes, a big ouch!) (Update: October 23rd. Cisco has produced a patch for the problem. Without the patch, …) Cisco states that all end-users (and presumably Service, Cloud and managed service providers) should disable the “web UI feature”. CISA has given its highest rating (10) to CVE-2023-20198. Those are the facts, but the critical unanswered question is: “How, with all their expertise, could Cisco possibly allow that to happen?” If they were hacked in this way, what hope is there for other organizations? It appears that more than three weeks went by before the severity was realized. We will keep this story updated in more depth. However, given that no-one wants to reveal their defense for fear of it revealing other weaknesses, our assumption is that we will never know. |
Oct #98 | New HTTP/2 Design Vulnerability. | Cloudflare alerted the world to a huge denial of service attack – actually the biggest of all time. This is covered in more detail in the Bot and HTTP sections of our cyberpedia page. Those alarmed by this should note that it is an example of why proper DDoS attack protection is a requirement. |
Oct #97 | Social Networking Tool Users Beware. | Vulnerabilities in Atlassian’s Confluence Social Networking Tools were reported by SentinelOne as CVE-2023-22515 and rated 10.0, with patching required. Gaining access to such tools can open the flood gates to man-in-the-middle and phishing attacks. For those unfamiliar with Atlassian’s Confluence wiki, it’s been the mainstay of many organizations for collaboration and developing work for well over a decade. Like Slack, Google Docs, etc., it’s used in many industry associations, and thousands of users have freely made their contact info available on such platforms. All of these tools have had a history of exploits – even Zoom, Microsoft Teams and messaging apps such as Skype and WhatsApp (as reported this month by Nextgen Hero) have been attacked in the past – and the lesson to be learned is to have several email addresses, never use a single common sign-in and watch for phishing attacks that appear to be from previously trusted members or leaders of such groups. Also, in an adjacent space, many will be aware that as recently as August 2023, Cyberint reported a significant wave of attacks on LinkedIn users. |
Oct #96 | Significant IoT risks for Critical Infrastructures | One aspect of Microsoft’s 2023 Digital Defense Report published this month was the importance of keeping separation, or an “air gap”, between Operational and IT networks for Critical Infrastructure systems. Chapter 4 covers the fact that of the 78% of IoT devices that have known vulnerabilities (bad enough in itself), 32% could be patched and of those 46% cannot be patched. This makes it even more critical to ensure that no device (IoT or otherwise) is directly or indirectly exposed to Internet connections from Cloud-based applications or self-hosted apps. What’s more, any software apps that do connect to critical IoT devices must be properly verified for secure operation and communicate with such network devices over secure and encrypted tunnels. A commentary on legacy IoT devices is that 25% of them use unsupported operating systems. (good grief!) |
Oct #95 | Be aware or be prosecuted | The SEC’s new rules have raised the cybersecurity bar for public companies and will no doubt trickle down to their supply chains. For organizations who are U.S. government contractors, increasing scrutiny spelled out in the government’s False Claims Act is falling upon those who knowingly: (1) provide deficient cybersecurity products or services; (2) misrepresent their cybersecurity practices or protocols; or (3) violate obligations to monitor and report cybersecurity incidents and breaches. Read more in this new article from Corporate Compliance Insights. Government agencies who apply cybyr.com’s Delegation Methodology can protect themselves and help their suppliers to prevent this problem. |
Oct #94 | Misconfigured Misconfiguration List? | The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the Top Ten Cybersecurity Misconfigurations. It’s received a lot of uncommented coverage and is well intentioned, we are sure. Yes, the list contains 10 or so of a hundred possible cybersecurity best practices, but only one of them (5. Poor patch management) actually covers misconfigurations. I can immediately think of at least 10 more actual misconfigurations and I put these on my Cyberpedia page – which has now grown to more than 260 terms. Sounds like a contribution to CISA is needed. This topic deals with misconfigurations due to weak policy, human errors and incorrectly programmed automation. It does not cover how such lists should be protected from deliberate misconfiguration! |
Oct #93 | MGM Announces $100m loss. | In more SEC-driven disclosures, MGM Resorts revealed that the attacks impacted its third quarter losses to around $100m! It also revealed that sensitive personal data for those that conducted transactions with the resorts before 2019 was also stolen – though it does not say from when. The source for this is Cybersecurity Dive. Full coverage and the lessons to be learned from the whole MGM story are now on the new in-depth topics page. It covers the thirteen steps you should take to avoid it happening to you and looks at the possible real reason for the attack that no-one else has mentioned. |
Oct #92 | AWS=MFA | AWS says that by mid-2024 it will require the use of MFA, beginning with the “most privileged users” of accounts. See the Cybersecurity Dive article for details. The question is: Why wait? (Note, as we reported previously, MFA is by no means infallible.) |
Oct #91 | FBI Warnings | This article posted by the World Economic Forum covers 4 topics including the latest FBI warnings. |
Oct #90 | Cybersecurity Month to last forever? | A new article from Forbes, “Beyond Cybersecurity Awareness Month: Finding A Signal In The Noise”, focuses on medical device security but, importantly, that “cybersecurity isn’t a fleeting concern.” Also see NIST’s piece on Cybersecurity Month. |
July - September 2023
September 2023 | Headline | News |
Sept #89 | Critical Infrastructure Initiatives | If you think Critical Infrastructure is not you, then read these two pieces. The first is a description of the 16 sectors and many subsectors that it comprises (see the CISA description). Almost everyone reading this is a part of this. Just published at the end of September is the Critical Infrastructure Protection piece on this hot topic, published by the Government Accountability Office (who knew that this existed?) to highlight information and actions. For further details see our Cyberpedia. |
Sept #88 | Cisco Goes Splunk | With so many M&A, breach and ransomware stories, few get past our 10 stories per month filter. This one is different because it impacts two cornerstones of the IT world, and ones to which this author is most connected. Oh, and it’s quite large – a $28 Billion all-cash acquisition. Specifically, the relationship with the new enterprise-focused Network as a Service and Cybersecurity will likely be pivotal. Splunk has already played a key role in harmonizing Cloud event notifications and lines up with the AI and software-driven focus of today’s Cisco. There will be many other aspects. Click here for CNBC coverage including interviews with the two CEOs. |
Sept #87 | MITRE Evaluation | About to be announced are the annual “MITRE Engenuity ATT&CK” Evaluations rating how security services and providers are able to cope with well known attacks. Some like SentinelOne.com have pre-announced their success. These are restricted to specific defenses against specific attacks. While useful it is not a holistic test of organizations, their software development or the security of their operations. This is mentioned mostly for those unfamiliar with the mind-bending cybersecurity resource that is MITRE. Click here for more info. |
Sept #86 | September 18th Update | The MGM story coverage has moved to our new in-depth topics page |
Sept #85 | More on the MGM issue | The MGM story coverage has moved to our new in-depth topics page |
Sept #84 | Monster MGM breach may affect millions | The massive breach of the MGM hotel chain (they have 31 properties) that disabled everything from room key entry, room bookings, use of casino machines and payouts, and took down their website will cost them millions. However, it’s the loss of personal data stored in their MLife system, or of anyone who stayed at any of their properties providing credit card, email or even bank details or social security details, that may be the big risk. The MGM story coverage has moved to our new in-depth topics page |
Sept #83 | MoveIT: counting the cost | It’s been almost 2 months since Emsisoft posted their findings that the MoveIT file transfer software attack by the CL0P group had impacted 56 million users in 1100+ organizations at a cost of $11bn. SDX Central has new analysis together with new trends as ransomware attacks evolve. |
Sept #82 | No need to touch your iPhone … | … to get into trouble. Apple reacted quickly to a Zero Click attack with new releases of its various operating systems. The attack begins with malware embedded in an image file to deliver NSO Pegasus spyware, it seems. It is less clear exactly what damage it causes, though crypto transactions are mentioned. There are two, as yet unpublished, CVEs (CVE-2023-41061 and CVE-2023-41064). Apple indicates that there are very few users who would be affected (it doesn’t say what category of users). Everyone “who thinks they could be targets” can be protected by turning on “Lockdown Mode”, found in ‘Settings>Privacy and Security.’ It provides “extreme optional protection”, as described by Apple. Maybe I spent too long in corporate America, but this smacks of the legal department, given that it’s such a pain to use your iPhone when Lockdown Mode is turned on. I.e. if you have a security event and you don’t have Lockdown Mode enabled then “it’s your fault and don’t say we didn’t warn you.” A great idea. I suspect there will be more fallout from this! |
Sept #81 | Waking up to SEC Rulings | Commentators are waking up to the ramifications of the SEC rulings regarding the new responsibilities of corporate executives to report and manage cybersecurity incidents. It also connects to pending NIST requirements that corporations take seriously their responsibility to properly assure that third parties of all kinds, and especially software companies, employ security best practices. More on the SEC ruling from Corporate Compliance Insights. It underlines the need to implement proper holistic cybersecurity. The requirement to elevate the topic to the executive level is finally gaining momentum. It’s why I created this Holistic Cybersecurity concept, since how can it be effective for the whole organization if it doesn’t come from the top? Dark Reading adds their thoughts on how the SEC ruling will improve the situation for those responsible for cybersecurity. |
Sept #80 | Big Trends Emerging. | There are many stories at the beginning of the month covering the rise in ransomware, un-patched vulnerabilities, weakness in OT systems, etc. However, perhaps more importantly, there are two trends worth noting that will have a big impact. One is the realization that the SEC changes will have impact across industries, legal and supporting software industries, and the other is insurance companies’ increased understanding of the profits and liabilities of cybersecurity insurance coverage. Both will be covered in the coming months and are connected. The SEC is latching on to the U.S. Government’s 2023 strategy holding exploited companies, and hence software suppliers, liable for the damage caused by breaches. The insurance companies are beginning to put coverage exclusions in their policies for those who do not have, and make available, their threat avoidance and defense policies. Still smarting from last year’s court case in which Merck’s massive $1.4bn claim was ruled not to be an act of war, their world has woken up to how to make money prudently from cybersecurity insurance. It underlines the importance of having a security policy that addresses this holistically, as covered in our security as a service offering, and documenting it in a living security strategy. If you do have cyber-insurance, it’s definitely time to check out that email covering new terms and conditions that maybe you didn’t really read. If you didn’t get cyber-insurance yet, then check the fine print and negotiate the coverage. It’s much easier to get now, but it’s more expensive and more restricted. |
Sept #79 | Chrome extensions can steal your data | Covered by Bleeping Computer and others is the “surprising” news that legitimate-looking Chrome browser extensions can access the Document Object Model (DOM) tree containing in-the-clear user text in the source code of popular web sites. Web sites such as gmail.com, Amazon, irs.gov, Citibank, Capital One and Facebook can be accessed to give up your login, social security and credit card info. The origin of this discovery is the University of Wisconsin-Madison. Click this link for their 26-page PDF containing all the details. |
August 2023 | Headline | News |
Aug #78 | NIST Cybersecurity Framework 2.0. At least 15 critical areas missed? | What should have been exciting news following the “Initial Public Draft” of its 2.0 Framework just left me cold. Last week Forbes basically produced a rant that the SEC had missed 5 critical elements in its announcement. I can count 15 things that NIST missed in their Framework! Allowing for the fact that it coins new phrases for well-established ideas, the word-smithing and structure (Govern, Identify, Protect, Detect, Respond, and Recover) sounds okay but adds little value. It’s as if they haven’t been paying attention to the world of cybersecurity. At first glance it covers the usual topics at a high level, but closer inspection reveals all the vulnerabilities that they haven’t addressed. No mention of implementing Zero Trust in the document (not even ZTNA), nothing about automation, monitoring, delegation and verification of third parties, insider threats, social engineering, no reference to work on self-attestation for software companies (CISA’s initiative). There’s almost nothing about holistic cybersecurity across the organization, distributed work forces, nothing about multi-factor authentication, passkeys, nothing about transport layer security, secure APIs, combating phishing, elevation of privilege and lateral movement threats, and just one line on measurement of progress. OK, that’s enough on this topic. |
Aug #77 | In Cloud we trust (but not in Denmark, it seems). | Thinking of moving everything to the Cloud? Read this. Danish Cloud service provider CloudNordic revealed that it has told customers “to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud providers’ servers” and “paralyzed CloudNordic completely,” according to the IT outfit’s online statement. All hosted client data, websites and mail services are permanently lost. This is an almost unbelievable chain of incompetence and chaos at so many levels, and it makes you wonder how many other Cloud providers are in the same boat. If only they had read my book on holistic cybersecurity, implemented my holistic cybersecurity as a service, or even read my article on delegation to third parties, it could have been avoided. They say that it happened because of the proliferation of infected systems and that all backups are also infected. There are too many things they likely did not do, so I would say the cause is actually gross ignorance and incompetence. (End of rant.) |
Aug #76 | Generative AI and Cybersecurity controversies. | This is the first posting on this highly controversial topic. There are several issues: Do we trust information currently based on unknown sources from the unreliable postings in the past? Can any system predicting and informing from learned information innovate for the future? Generative AI systems have been penetrated by multiple threat actors. We will develop this into a future page. |
Aug #75 | Delegating without Abdication | One of the most difficult challenges when adopting Zero Trust is how to delegate to third parties who you do not control. “Don’t Trust” is easy but “Always Verify” is not so straightforward. My new article covers how to verify key elements of a supplier’s security – especially software and cybersecurity solution providers. This covers the organization itself, the development of the products and the security of those solutions. See the page on this site and links to the published article. |
Aug #74 | Dallas Counts the Cost | Perhaps this is the final(?) chapter of the May breaches covered extensively here. Dallas has approved payment of $8.5m+ to remediate the results of the data breaches. Given that the details are not public, one wonders if some of the “repairs” are being paid to companies whose software was in the supply chain that contained vulnerabilities. Whether true or not, it points out that security is only as strong as its weakest link, and the cost of weak cybersecurity. More from CyberDive on this and from the Dallas City Council. Announced mid-month was that 30,253 individuals were impacted by the attack. There may be more on this after all. |
Aug #73 | Providers and Tech Companies under Scrutiny | Looking beyond the headlines of the CNN story: “A group of teenage hackers managed to breach some of the world’s biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, is a cautionary tale for America’s critical infrastructure.” Following on the heels of Cloud issues, this is an unwanted red flag for Service Providers who claim that their services are secure. All the more reason to use the process of verification outlined in my new article. |
Aug #72 | More critique of the SEC ruling. | One of the many updates on this topic (from Forbes) also poured cold water on the SEC. It cited, as the most important of five omissions, the lack of a requirement for a member of the board who understands cybersecurity. Maybe the SEC should have listened to Forbes on that topic or read my book on Holistic Cybersecurity. |
Aug #71 | Welcome to the safety of the Cloud | With such a rise in Phishing attacks with texts posing as USPS, Google etc., identity theft and ransomware, it’s easy to assume that the answer lies in the Cloud. However, last week it was reported on the WIZ blog that an elevation-of-privilege exploit affecting millions of Cloud workloads still existed when it was thought to have been fixed some time ago. The consequences for many applications are not easy to know, but the new fix should be applied immediately. In the true tradition of journalism, here are two more recent Cloud issues. Microsoft is being accused by Tenable of negligence in its cybersecurity practices following a breach in its Azure platform. This has caused a furore, given that Microsoft acknowledged the vulnerability months after Tenable discovered and reported it. See The Verge for the full story. Next, Google claimed or disclaimed that poor asset management was at the root of most cloud compromises, blaming many credential weaknesses. But aren’t the cloud providers the gatekeepers for Access Authentication and least privilege best practices? |
Aug #70 | TETRA:BURST | A collection of vulnerabilities impacting the Terrestrial Trunked Radio (TETRA) standard used around the world – though less in the US – by law enforcement, military and in critical infrastructure communications. Two are particularly nasty as they can interfere with and corrupt first responder messages or be used to conceal reporting of gas pipelines, transport networks, etc. A full exposé is anticipated at the Las Vegas Red Hat Conference this month. Worse still, it seems to have been covered up for some time. Not a problem really, unless you are the one affected! |
Aug #69 | US Chamber of Commerce says “Not So fast…” | There’s been lots of coverage of the July 27th story below on the SEC. The US Chamber of Commerce is not so supportive due to the public exposure it describes. Christopher Roberti, U.S. Chamber senior vice president for Cyber, Space, and National Security Policy, states: “The Cyber Incident Reporting for Critical Infrastructure Act (2022) made it clear that cyber incident reporting should be confidential. However, the SEC ruling sharply diverges from the President’s National Cybersecurity Strategy.” Click for the full statement. |
July 2023 | Headline | News |
July #68 | Trickle-down #2 starts here | The Securities and Exchange Commission (SEC) announced rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. The final amendment requires disclosure within 4 business days of discovering that a cybersecurity incident is material. There’s detailed coverage by Skadden Arps. The reason this will likely impact many non-SEC organizations, and is labelled “Trickle-down #2”, is that if a breach was caused by a third party then surely that party would have to be named, thus creating a trickle-down effect in the supply chain. This would include all manner of legal, security software companies, and so on. This is very much in alignment with the CISA initiative on self-attestation to combat liability, which would also trickle down. Presumably breaches can no longer be covered up under this new ruling, turning up the pressure on everyone. |
July #67 | Don’t stand underneath when they fly by. | This is not about standing under Santa Claus’s reindeer on Christmas eve. It’s about the physical and cybersecurity vulnerability of satellite systems. We started this month with troubling news below the ocean and we end it with the troubling threats posed by satellites, whether damage from ones that fall to earth or software vulnerabilities that disable communication functionality. This tale of caution should temper people flipping to satellite communications for business. This is about to explode with the advent of nano-satellites put into orbit by the thousand. The full story is covered by Steve Gibson in his Security Now show notes, in two parts (1 & 2). |
July #66 | CISA announces partnership with Microsoft | Behind this announcement was pressure by the Cybersecurity and Infrastructure Security Agency (CISA) for Microsoft to make free logging data available to all Outlook users. This followed email hacks of government sites. Available in September; neither Microsoft nor the CISA announcement makes it clear exactly what information will be made available. |
July #65 | This one is personal | It’s bad enough when one of America’s favorite chains of stores – Bed, Bath and Beyond – shuts its doors, but when scammers pose as its web site and purport to do a clearance sale in order to grab my credit card details, it’s personal. Really, someone who loses a billion dollars of cryptocurrency doesn’t impact most lives. This one, covered by sites such as MalwareTips, really does. Shame on these cyberthieves. |
July #64 | US Cybersecurity Labeling Program Announced. | In mid-July the U.S. Administration announced its Cybersecurity Labeling Program for Smart Devices. It is to be based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, require unique and strong default passwords, data protection, software updates, and incident detection capabilities. The label above will presumably be accompanied by the manufacturer’s name, product and an approval number, and be linked to a registry of approved devices via a QR code (hmm). Its headline is “Protection for American Consumers” but IoT and other devices in critical infrastructures will benefit. The program is to engage non-US stakeholders, etc. It certainly addresses an important issue of trust and verification. However, the questions will be about the cost of replacing non-compliant legacy devices in critical networks and, of course, how such a system could be circumvented (e.g. fake QR codes on labels). Also, it’s not clear what constitutes a “Smart Device” (IP connection, able to store and update passwords, Zero Trust enabled access authentication via a trusted connection, etc.?). It is silent on vulnerabilities of “unsmart” devices and protection of connected networks, especially consumer wi-fi. We shall see when the work is completed in 2024. |
July #63 | Healthcare still the top target | Becton Dickinson’s infusion pump, which helps continuously or intermittently deliver fluids, medications, blood and blood products to adult, pediatric or neonatal patients, is the latest device to be hacked, a CISA advisory warned. The hack can make various malicious changes that could result in dosage changes and worse. |
July #62 | US Cybersecurity Implementation Plan announced. | Earlier this year the U.S. Administration released its National Cybersecurity Strategy, covered in items #21 and #54 on this page. On July 13th it announced the publication of the 57-page National Cybersecurity Strategy Implementation Plan (NCSIP) as a “roadmap” to implement the strategy. Its five pillars cover 65 initiatives including: proactive threat actor countermeasures, security of critical infrastructures and IoT devices, shifting liability for insecure software products (a passion of cybyr.com), exploring federal cyber insurance, strengthening Internet security, international collaboration and much more. This is a demonstration of the U.S. Government’s commitment to combat what is a war, and hopefully it will have a far-reaching impact. It is expected to face challenges such as the ones already seen with states blocking the requirements for water system cybersecurity, saying it was too burdensome. The US admin has yet to replace Chris Inglis, the now former cybersecurity director. Hopefully, some progress will be made. |
July #61 | Threats up, CEO and board involvement down. | The antithesis of Holistic Cybersecurity. Heidrick & Struggles’ 2023 CISO survey shows that only 5% of CISOs report to the CEO. That’s a downward trend over the last two years. Meanwhile, Cybercrime continues its steep rise. A correlation, perhaps? This supports the importance of the tenet that Cybersecurity should be a board level imperative. 38% of CISOs report to the CIO. The rest are scattered throughout the organization. Oh dear. But wait, there’s more. A study by IANS Research found that only about 14% of CISOs have the skills to sit on the board. This perhaps reflects that as Cybersecurity has become more technically complex and IT-focused, the mature, more rounded skills and experience needed in a board member are less often present. |
July #60 | Top Five organizations under threat | In the course of research, I found somewhat surprisingly that the top 5 industry types targeted are 1 Healthcare, 2 IT and Telecoms, 3 Legal Firms, 4 HR and Recruitment firms, 5 Manufacturing and utilities. In particular it means that legal firms, who hold their clients’ intimate data, and HR firms, which hold massive amounts of personal info, are more targeted than financial firms, education and the rest of the critical infrastructure identified as vulnerable. As if to underline this, many of the biggest law firms were the subject of attack by the now infamous CL0P group last month, affecting more than 15 million individuals. |
July #59 | Zero day 8 months later. A lesson to be learned. | The interesting thing about this threat was that it was first logged 8 months ago, in early November 2022. This threat exploits a weakness in Netwrix Auditor video recording software to install TrueBot trojan software. The Netwrix software is used by 13,000 organizations, many household names. The TrueBot trojan launches other software to elevate the privilege level and then loads all kinds of damaging software. By now a familiar story. What should concern readers is that it’s an example of a known exploit not being automatically patched 8 months after its discovery. This is another case of abdication of responsibility by the users of software not ensuring its suppliers follow sensible processes. The Lesson is: be vigilant and have a process. Another survey revealed that while the most egregious Zero Day attacks are resolved within a few days, the average time for users to implement these changes is a staggering 60 days. That gives threat actors 2 months to cause chaos. It shows how threat awareness and fast response play such an important role. More on this in the next few weeks. See Common Vulnerabilities and Exposures (CVE) on the CISA site and the CVE.org site for CVE-2022-31199. Both are interesting sites that catalog threats and their resolution. |
July #58 | Quishing – not just an email threat? | There’s been coverage on the increase of QR codes linking to malicious sites – “QR Code Phishing”, recently adopting the title Quishing. This is where you might get an email encouraging you to check a completed DocuSign pdf (which you never created in the first place) using the QR code embedded in the email. Ok, that would likely fool you if you had actually just completed a DocuSign. However, these QR codes are everywhere: on web sites, big screens at events, restaurants and shops, and TV programs. From a Zero Trust perspective, verification seems impossible and you don’t know if the innocent creator was falsely led to believe that the QR code came from a genuine source. Caution is recommended to avoid your phone being infected, yet no-one seems to be warning of this issue outside of email Phishing attacks. |
July #57 | Meanwhile, at the bottom of the ocean … | Last week’s report on the Escalating Global Risk Environment for Submarine Cables by the Insikt division of intelligence company Recorded Future causes a sharp intake of breath. It shows the vulnerability of the global economy to attacks on the 529+ submarine cables that transmit 99% of intercontinental communications. Increasing Chinese involvement and Russian interest reveals the potential crippling effect on the global economy should the network be compromised or sabotaged. In addition, the problem is compounded by threat actors selling access to communication satellite systems. It underlines that cybersecurity requires a holistic approach. |
January - June 2023
June 2023 | Headline | News |
June #56 | A Lesson | Unsurprisingly, leaking of 100,000+ ChatGPT login IDs made the news. It’s only a problem to those who use those credentials elsewhere or have not migrated to Passkeys and have not gotten over the novelty of the ChatGPT hype. |
June #55 | We know where lots of you live. | MalwareBytes reported that researchers at NC State University have discovered potential privacy issues with the fitness app Strava, used by 100 million people(!), which could lead to users’ homes being pinpointed. The findings are detailed in a paper called Heat marks the spot. |
June #54 | Next Steps in Software Security Compliance | June saw an update to the requirements of software companies by the US Government to be aligned with its published White House Cybersecurity Strategy and the 2022 Secure Software Development Framework (SSDF). The intention is that companies who want to do business with the US Government and its agencies will be required to complete and submit a self-attestation form covering their (hopefully) best practices in the development of their products or services. The draft CISA form calls out some of the elements called out in the SSDF. It looks as if the points in the SSDF have already been diluted. As it stands, the self-attestation goes only some of the way to addressing the issues that Cybyr.com thinks are important, covering the companies developing software but not how the products operate. The 12 or so areas in 4 main categories are certainly an important step forward, if a little aspirational. Cybyr.com has identified 23 potential vulnerabilities as a minimum. The latest update actually gives companies more time to respond to the self-attestation form. This is given much space here since it is a very important area for all organizations. Although this is a U.S. initiative, it applies and will no doubt be followed everywhere. It touches on the key area of verifying software supply chains so as to enable delegation of trust. It also puts teeth into the adoption of best practices by such companies. Cybyr.com has submitted its inputs on this important topic to CISA. More on what we believe is the most important topic in cybersecurity is covered in our July article in ISE magazine. |
June #53 | Why an attack on a library is worth noting. | With 2000+ cybersecurity reports each month, many are education and health targets. What makes this one special is that, like the Dallas attack, many of the systems, the personal data and facilities were attacked by polymorphic malware. This makes it even more important to take a holistic approach to guard against so many vulnerabilities. |
June #52 | What really happened in Dallas? Part 3. | Well into June, there are still no clear answers or further statements from Dallas. It’s hardly surprising, because it likely would reveal incompetence at many levels or, worse, that the remaining vulnerabilities that have been exploited are not yet corrected. What makes this an educational story is that it’s likely an example of Hacking as a Service and Polymorphic Malware. I.e., several attacks were combined into one, first to penetrate by various means, then to spread further malware (Lateral Movement Attacks) to cause damage and chaos across many vulnerable targets. The whole Dallas attack is the antithesis of Zero Trust thinking and of proper third-party delegation. The latest twist is that a new threat similar to Royal ransomware, called BlackSuit, is emerging (see Bleeping Computer article). |
June #51 | Only 4 Myths? But these are really good ones. | Finally, Gartner has come up with something that really aligns with my book – he said modestly. These four myths are nicely explained in their new article. My book adds many more in terms of weak links that are overlooked. The myths covered are:
|
June #50 | MOVEit if you wanna lose it! | MOVEit Transfer, the file transfer tool used by thousands of users, experienced a severe SQL injection zero day attack that caused user data to be stolen. This is an example of an increasing trend for SQL Injection attacks to be used. On June 7th CISA issued an advisory on this CL0P ransomware attack. Update: by the end of June, more than 100 organizations, including seven U.S. universities, had been listed as having been impacted. |
June #49 | Something Rotten in the Chrome App Store Does Lurk. | Avast Security has unearthed a significant number of Chrome browser extensions that have been infected with malware. Some are old extensions or were purchased just so that they could be infiltrated. It’s being investigated but there are supposedly large numbers of downloads – though even these numbers may be untrue. Read more here. |
June #48 | What really happened in Dallas? Part 2. | Last month’s Royal Ransomware attack is still having repercussions, with first responder computer systems offline one month later. The CSO said that restoration is 90% complete. Another report says city leaders are being asked not to comment. It will be interesting to track the root cause if it is ever revealed. Further news reports are to be made public on June 5th, one news agency claimed. See further update 2351 above. |
June #47 | Never Trust, Always Verify, saves the day. | What happens when the one person you do trust, your cybersecurity watchdog, is the insider threat you have all been warned against? In last week’s weekly summary, SentinelOne reported (definitely read this) that a court in the UK found Ashley Liles, formerly an IT security analyst, guilty of doing just that after his employer was hit with a ransomware attack in February 2018. Liles was among those responsible for investigating the attack, but surreptitiously began hacking a board member’s emails as they negotiated with the attackers. Liles replaced the hackers’ bitcoin account details with his own. He was found out because someone noticed that emails had been intercepted and tampered with. Thank goodness for “Never Trust, Always Verify”, even though it may have been accidental. |
May 2023 | Headline | News |
May #46 | .Zip It at your peril | If you are not tracking the issues regarding Google’s new .zip web site debacle, Steve Gibson revealed on Security Now, and in the show notes, the pitfalls, showing how innocent-looking email links can be used to spoof malicious sites with the now innocent-looking “.zip” TLD (stands for Top Level Domain). (Hint: is that really a “/” in “CISA.org/newsfeed.@jan24.zip”?) |
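The “/” hint above comes down to URL parsing rules: everything before the last “@” in the authority is userinfo, not the host, so a lookalike slash turns “CISA.org” into a decoy. The following is an added example (not from the page or from Security Now) showing what a browser would actually connect to and a few checks a mail filter could apply; the sample links and the lookalike-slash set are constructed here for illustration.

```python
from urllib.parse import urlsplit

# Unicode characters that render much like an ASCII "/" but are not URL
# delimiters. Constructed set for this example; U+2215 is the one usually cited.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

def effective_host(url):
    """Return the host a standards-conforming client would actually connect to."""
    return urlsplit(url).hostname

def suspicious_url_reasons(url):
    """Heuristics for a link scanner; returns the list of reasons the URL trips."""
    reasons = []
    parts = urlsplit(url)
    # Anything before '@' in the authority is userinfo, so the visible "site"
    # at the start of the link is not where the connection goes.
    if "@" in parts.netloc:
        reasons.append(f"userinfo before '@' hides real host {parts.hostname!r}")
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            reasons.append(f"contains {name} (U+{ord(ch):04X}) masquerading as '/'")
    host = parts.hostname or ""
    if host.endswith(".zip"):
        reasons.append(f"host {host!r} is under the .zip TLD, which doubles as a file extension")
    return reasons

# Constructed samples modelled on the page's hint. In BENIGN the slash is ASCII,
# so "/newsfeed.@jan24.zip" is just a path on cisa.org; in SPOOFED it is U+2215.
BENIGN = "https://cisa.org/newsfeed.@jan24.zip"
SPOOFED = "https://cisa.org\u2215newsfeed.@jan24.zip"

if __name__ == "__main__":
    for url in (BENIGN, SPOOFED):
        print(repr(url), "->", effective_host(url), suspicious_url_reasons(url))
```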
May #45 | Not the only painful extraction at your dentist | Bleeping Computer revealed that nearly 9 million patients of Managed Care of North America (MCNA) Dental had their personal data stolen by everyone’s favorite Hacking as a Service ransomware gang, LockBit. The question that no-one is asking or answering is how. |
May #44 | CISA Creates Pre-Ransomware Notifications | Most of the US government warnings contain well-intentioned ideas but lack actual substance or actions. This one from CISA pilots a Ransomware Vulnerability Warning initiative as put into law in March 2022. More details on this story, reported at the beginning of May, are given in a fact sheet. It tells you how to report issues, but this well-intentioned work does not inform us on how exactly to receive these notifications. They are appearing in the media this month, though! |
May #43 | Malicious Windows kernel drivers | We do cover driver vulnerabilities on the CyberPedia page, recommending that hardware and kernel drivers are always signed. They are especially dangerous since they give admin access to any malware that infects them. Then all hell can break loose. This is covered here because Bleeping Computer just reported that attackers have been using keys stolen from Microsoft’s Hardware Developer program to evade detection. Originally seen last year, this has resurfaced. However, Microsoft recommends simple actions Windows users can take to protect themselves. |
May #42 | Man Bites Shark | The Man in the story is a hacking group. The Shark in the story is Barracuda – a well-known and reputable security software and service company. The Bite likely consists of lost profits after it revealed that it was hacked. The incident coverage explained that Barracuda revealed that a Zero Day attack had impacted its Email Security Gateway appliances. The exploit was listed as CVE-2023-2868. This is just another example of attacks on security defense software. |
May #41 | Using contractors may become safer | By November, the Pentagon will have a contractor cybersecurity plan said David McKeown, DOD’s CISO, at GovExec’s Cyber Summit last week. Having read the description one hopes that it contains something more than the high-level outline given so far. If it does, then it will bring some very much-needed help to the private sector too whose organizations need protection from remote staff, contractors, et al. |
May #40 | Official – it’s the end of Ransomware. | Anne Neuberger, Deputy National Security Advisor for cyber and emerging technologies, is now reconsidering the previously discarded ban on ransom payments. Does that mean if it becomes the law cybercriminals will no longer be allowed to break the law by collecting money? Wait, isn’t that why they are called criminals? Cybersecurity Dive covered this craziness in more detail. Yes, it’s a thin month for real news. |
May #39 | CISA Director warns of tech industry repeating mistakes with AI | Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency issued a cautionary warning about the rush to introduce generative AI, reminding me of the term “there is no bandwagon onto which the tech industry will not jump.” – but enough about SASE. |
May #38 | Healing Health | MITRE has published a policy checklist for healthcare cybersecurity as a high level paper entitled Cybersecurity And Patient Safety In The Healthcare Setting. Spanning 17 areas, its 7 pages cover increased protection of Healthcare delivery organizations (HDOs) among other topics. Although it is a high level overview, it’s definitely worth a read. It’s further covered by Healthcare IT News. |
May #37 | Chickens come home to roost in Texas | Another instance of the Royal Ransomware attack, first encountered last year and highlighted again in March this year, has been seen in Dallas. It’s an example of security software that protects against and prevents attacks being disabled. It has come to the fore because of its targeting of critical infrastructures, healthcare (and now the Dallas Police), etc. We have identified 8 possible holistic vulnerabilities and 16 threat vulnerabilities in security software organizations and their products that such companies overlook. Here’s a link to Dallas coverage from the first week of May. It is particularly nasty because of its ability to disable installed anti-virus software, and to exfiltrate and encrypt data before extorting $millions in ransom. In March, the FBI and CISA released the joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. The advisory indicates how infections can likely happen and how to identify infected partially encrypted files, but only gives general best practices for prevention. It’s also a reference to section 3 of the February US cybersecurity strategy of holding software companies – especially, as here, security software companies – accountable. Having flaky security software and companies just signals to the threat actors that “there is something worth attacking here – let’s disable the protection and attack.” This will hopefully raise enterprise awareness, guiding them to properly evaluate/delegate to proposed security services and products while still remaining responsible. |
May #36 | Ransomware Vulnerability – CISA Pilot | Per the US 2022 Critical Infrastructure Act CISA published its Ransomware Warning Pilot. |
April 2023 | Headline | News |
April #35 | The Shrinking Password | Hive Systems’ just-published analysis of brute force cracking of passwords is an eye-opener. From 2020 to 2023, increasing compute power has dramatically accelerated the ability of threat actors to crack passwords – in some instances by 100-250 times faster! Hive’s analysis of password length and content reveals that number-only passwords of as many as 14 digits can be cracked in as little as 50 seconds! Even the popular eight character passwords with a mix of all character types can be cracked in just 5 minutes. Bottom line, which anyone reading this likely knows but doesn’t always follow, is (1) Use 15-25 character mixed character passwords (2) never re-use passwords (3) Never login with your Google, Facebook password (4) use two-factor authentication (5) don’t get phished. |
April #34 | Hacking as a Service | The introduction to this page states that items listed here are limited to the most egregious breaking news. This is one of those. The UK cybersecurity agency NCSC has issued a new report covering the growing sale of services by cybercriminal organizations to states and unscrupulous parties. Coined Hacking as a Service, these give access to many tools and custom services that can generate all kinds of threats and spyware. Rather like PhaaS and RaaS, the use of these tools does not require cybersecurity expertise, and they include the ability to generate Zero Day attacks and Zero Click attacks, making them even more potent. The report from the National Cyber Security Centre paints a grim picture of increased activities and a widespread increase in targets over the next five years. |
April #33 | Every Day is Zero Day Lockbit3.0 | As last month’s CISA advisory shows, Lockbit3.0 is not only one threat but a continuously evolving set of many threats. This implies that with Lockbit3.0 every day is a Zero Day. As it is the most active Ransomware as a Service threat, the variety of threat types it contains and its ability to generate variants mean that threat detection and protection tools must be equally comprehensive and sophisticated. |
April #32 | Infiltration for Exfiltration | We cover Bring Your Own Vulnerable Driver (BYOVD) in the terminology page. This new attack, known as AuKill, disables Endpoint Detection & Response (EDR) software on targets’ systems. Legitimate drivers with validly signed certificates are infiltrated into user or system hardware; they disable security protection and, running with elevated (kernel) privilege, take over the device. It is also associated with Lockbit 3.0 attacks, etc. The use of Hypervisor-Protected Code Integrity (HVCI) and Attack Surface Reduction to prevent bad drivers from being written to disk has not completely removed the threat, apparently. The bottom line is that it’s important only to add drivers from known reliable sources. |
April #31 | The Unhealthy Health Report | With Healthcare vulnerabilities so obvious, resulting in hospital closures and potential dangers to life, it’s not surprising that unscrupulous threat actors attack Healthcare as a major target. What is surprising (actually shocking) is that the report in this month’s Beckers Hospital Review found that still only 22% of workers say that cybersecurity protocols are not being enforced. Only 39% of hospital staff said they even look at security protocols when introducing new technology. This is clearly a problem of lack of understanding of Holistic Cybersecurity and a failure of both management and HR. As Salim Ismail famously reported, Healthcare science is really good – it’s just the support and delivery that’s the problem. Any healthcare practitioner reading this should contact us. We can help. |
April #30 | Dangers Lurking in Video Files | The University of Texas at Austin has published its research and discussion of the dangers lurking deep inside H264 encoded videos – the most commonly used video format, defined 20 years ago by the ITU (a.k.a. AVC, defined by MPEG). Link to the published paper. The paper, entitled “The Most Dangerous Codec in the World”, covers the use of H26Forge, an open source tool available on GitHub that was used for the investigation. While the tool has been invaluable in identifying vulnerabilities, the complexity of H264 encoding makes it very challenging for any tool to identify whether there is malware inside such videos. These vulnerabilities are pervasive and action is required by graphics hardware vendors, who need to take the corrective actions listed in the paper. The actions you should take are not obvious, but at least the paper raises awareness of the issue – and of how the tool could be used by hackers to generate new threats. |
April #29 | Microsoft and Fortra defend attacks | With two further cybersecurity companies having had their defensive tools manipulated and infected with malware, it’s good to know that both Microsoft (its Software Development Kits) and Fortra (its Cobalt Strike software) have teamed up with The Health Information Sharing and Analysis Center (H-ISAC) in an announcement to take all necessary action to eliminate these threats. This is another example of cybersecurity software being the target of attacks or being used by threat actors – and it’s good to see such attacks being combated in this manner. |
April #28 | New kind of encrypting Ransomware | No, ransomware has not gone away, with Rorschach using a technique known as DLL side-loading to load the ransomware payload and effecting the fastest encryption seen yet. |
April #27 | Dissecting the US Critical Infrastructure Cybersecurity Directive. Where’s the meat? | Dissecting the new US Presidential Policy Directive 21 requires considerable study. At first sight the work seems shockingly devoid of practical guidance and refers to extremely dated material. Its ambitious scope does cover almost every sector so maybe, to be generous, this is a start. So maybe it’s up to the security communities to take the next steps to develop the main course. From a cybersecurity perspective there are both commonalities (the fact that their incapacitation would be so damaging to the country) and individual distinct challenges. The initial question might be why there are only 16 critical infrastructure sectors, and what about the ones that didn’t make it? The topic will be developed on this site. |
April #26 | Navigating Your Journey When There’s No Destination | A new wide-ranging article on the journey to the Secure Network Cloud was published in ISE Magazine. It covers Secure Access Service Edge and Secure Service Edge, Standards and Open-Source Challenges, Newly Available Standards, Layered Business Architecture and Service and Cloud Provider, Integrator and End-user perspectives. View article. |
March 2023 | Headline | News |
March #25 | And you thought you were just flying a drone … | It turns out that DJI’s GO4 app – the controlling app – does not close when you close it. Not only that, but its download and update bypass the Google app store, and its function is therefore not managed or monitored. Instead, the app uploads selected elements of your private data from your mobile device. Finally, note that DJI has about 90% of the market (ouch!). It is possible that other apps could be doing the same thing by bypassing Google’s process. In fact, there is no oversight for any of the 2.5 million apps on the Google Apps/Play store! (ouch again!) |
March #24 | Avoiding Crypto Currency vulnerabilities | Reuse of long-standing crypto keys has been found to be responsible for losses of millions in crypto wallets. The answer is to always request new secret keys. The vulnerability results from hackers’ ability to break the “Elliptic Curve Digital Signature Algorithm” (ECDSA) used by Ethereum/crypto blockchains to sign transactions, the weakness being that the reuse of secret keys can be deduced. |
March #23 | We thought it was bad, but not this bad! | The advent of Phishing and Phishing as a Service has been much discussed, but the annual Digital Forensics and Incident Response (DFIR) report published this month shockingly reveals that nearly 70% of all attacks in 2022 were phishing attacks. Next, at 15%, and also surprisingly, were drive-by attacks. It could be that the high numbers of these attacks are skewed by the vulnerabilities of small companies/individuals who lack email compromise detection software – or that such detection software is just not good enough. |
March #22 | Taking the OAuth … or not | When you can’t find a password it’s so tempting to use “Login using Facebook, Google, etc.”, but thanks to Steve Gibson of Security Now realizing why the recent Chick-Fil-A breach was so significant, we now know the dangers of using such logins. The answer is that it encourages the lazy to adopt the much-discredited practice of using the same password for many logins. This is exactly what the hack was about. What the hackers were doing was saving the users’ Facebook credentials, since those logging in with Facebook at that site would likely be doing it everywhere. (Good grief.) They had no interest in the login for Chick-Fil-A; stealing and re-using credentials was the prize. This login approach reveals the weakness in the underlying OAuth ID technology. Just remembering whether I ever did that is a challenge in itself. |
March #21 | US Cybersecurity Strategy. Third reaction. This seems to bear on Section 230. | Continuing from below, the White House Cybersecurity Strategy Strategic Objective 3.3 shifts liability to software products and services. It refers to the NIST Secure Software Development Framework from Feb 2022 and states that it must continue to evolve. It’s detailed and has some, but not all, of the issues covered in the “second reaction” point below. Strangely, it does not call out hardware or firmware except for IoT devices in 3.2. More importantly, it does not extend the liability to those who aggregate or resell software programs (e.g., Apple, Microsoft), or refer, advertise, review and recommend them (e.g., Google, Amazon – hence the Section 230 implications), or advertise plugins (e.g., WordPress, Salesforce) or – and here’s the clincher – test or certify security products or services! Who would be responsible for a zero-day attack on security software à la Royal Ransomware below? |
March #20 | A Right Royal Mess | Royal Ransomware was first encountered last year but has come to the fore because it targets critical infrastructure, healthcare, etc. It is particularly nasty because of its ability to disable installed anti-virus software, and to exfiltrate and encrypt data before extorting $millions in ransom. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. The advisory indicates how infections can likely happen and how to identify infected, partially encrypted files, but only gives general best practices for prevention. This advisory follows on from the VMware ESXiArgs ransomware issues last month. |
March #19 | US Cybersecurity Strategy Published. Second reaction. | So, what does taking responsibility look like for tech companies? Certainly, ensuring that product marketing specifies the security aspects of a product as part of the market requirements. Next, that development bakes these into functional specifications, especially when deciding to use third-party elements (such as open source code), and ensures that memory-safe software development languages are used. Next, as part of DevSecOps, making sure that code is not written with “useful” back door entry points. Testing should always be built into development cycles, and specifically into any planned regression testing as new versions are ready. Next, all delivered software should have a software bill of materials. For distributed apps with user interfaces, Zero Trust fundamentals should be applied so that any user interfaces have proper ID management and access control, etc. |
March #18 | US Cybersecurity Strategy Published. First reaction. | At first sight there’s a lot of fluff, plus sections on tech/software companies taking on liability, comparing the tech companies with car manufacturers taking steps to avoid selling vehicles with faults. This makes total sense, but it lacks detail and abdicates the organizational responsibility that comes with holistic cybersecurity. |
March #17 | Head above the trenches | The U.S. Marshals Office and other security sensitive organizations are obvious attack targets since they hold useful insights on security – but attacks elsewhere continue unabated. Dish Networks ransomware, Tresor Crypto/NFT and attacks on schools and healthcare are almost daily occurrences that hardly qualify as breaking news. |
March #16 | BYOOD: Bring Your Own Obvious Disaster | The latest in the LastPass saga has revealed that the cause of the penetration was a staffer’s device being exploited from home. Really? If there was ever a case for using a ZTNA implementation from home, this was it – a missed opportunity. It’s no surprise that the LastPass star has fallen. |
February 2023 | Headline | News |
Feb #15 | Signal and WhatsApp won’t be pushed around | In a follow-on to the requirement to decrypt all messages on the EEC Internet (mentioned earlier this month), Signal, the encrypted messaging app, said it would quit the UK if it was forced to do this. I believe that WhatsApp has said the same. But don’t worry, the UK government said it would reach a compromise where the new legislation and decrypted data would both be possible. (This seemed a fine example of political nonsense.) |
Feb #14 | Zelle not responsible!? | With 192,878 people losing a reported $213m from their Zelle accounts, it appears that many of those phished for their account details can’t get their money back. The point being that the seven banks who own Zelle seem not to be governed by the laws that protect consumers from credit card fraud, and are inconsistent in their care and reimbursement policies. The moral of this story is the same as the one below: “hover before clicking.” |
Feb #13 | Hover first before clicking | It’s become extremely risky to click on what appear to be genuine ads on Google. Increasingly they can take you to fake sites that look real. “Hover first before clicking”: check the actual address behind the link carefully. If in doubt don’t click, even if the link looks sort of ok. This seems the inevitable future for all of us. The same applies to all the phishing email attacks below. A damaging example is the fake password manager ads (see below), and this is another reason that passkeys are becoming more widely used (BitWarden and recently 1Password are examples). |
Feb #12 | Phishing Blitz | So many phishing attacks this month: Reddit, many health care breaches, scaring Facebook users with “Recently, we discovered a breach of our Facebook Community Standards on your page. Your page has been disabled for violating Facebook Terms. Click here to ..”, TA886 targeting organizations in the US and Germany with the custom malware tool “Screenshotter” to perform surveillance and data theft on infected systems, etc., but perhaps the most bizarre is stolen iPhones, with users being lured to a fake site when using the “Find my phone” app, where their Apple ID is taken. |
Feb #11 | Ascon: A New Standardized Encryption Technology | This month, following a close competition, NIST announced the choice of Ascon as its new cryptography standard for Lightweight Cryptography (LWC). Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight (i.e., suitable for devices with low computation power and resources, such as IoT devices) and easy to implement, even with added countermeasures against side-channel attacks. It is as yet unclear whether the millions (billions?) of legacy deployed devices could be upgraded, which would have a significant positive impact on critical infrastructures such as utilities, transport, manufacturing and smart cities. Ascon’s security characteristics are such that it could supersede other encryption technologies such as AES used in IETF’s TLS systems and other asymmetrical encryption approaches. |
Feb #10 | I always feel like somebody’s watching me … | … and I have no privacy. Rockwell’s song 39 years ago couldn’t be more current! A few months ago, the EEC said that to protect children, all Internet traffic must be examined (being decrypted if encrypted). Wait, did they say all? Yes they did. Just this week Joe Biden’s State of the Union speech included a rant about protecting people’s privacy and not making information available. This triggered more thoughts. The most interesting part is who is going to pay for the extra compute power to do this? Where in the billions of connected wireless and wireline networks could this possibly happen, and how? Perhaps all messages will now be required to be in the clear and unencrypted. But wait, there’s more. That can’t happen because, as of Jan 2024, the requirement to run encrypted traffic over TLS 1.3 is being government mandated. So where can this decryption take place? In the network, at a middlebox function being developed, in the unlikely event that it could possibly scale. Also, only provided that well-known IPsec encryption is being used, probably not a Layer 2 encryption like MACsec, and provided no malicious hacker got into the control plane of a service provider who was not using Zero Trust. Oh, and where is there enough compute power? Would anyone stand for this in the current political climate? On balance the legislators cannot understand what’s involved and would be better off finding other ways of tracking down culprits. |
Feb #9 | New Revision | Download the fourth edition of my E-book on Holistic Cybersecurity from Amazon.com |
Feb #8 | Big Brother is watching – and it’s a good thing | The good news is that the FBI has itself quietly hacked into a high profile hacker site and given a large number of encryption keys to those who have been hacked, restoring encrypted data to those who are the victims of ransomware. The bad news? The hackers’ government is now aware of this and has prevented the FBI’s further intervention. |
January 2023 | Headline | News |
Jan #7 | If LastPass can be attacked … | If LastPass can be hacked, why not undermine the rest of the password managers? Following on from earlier posts this month, the latest phishing attacks purport to be from 1Password and Bitwarden, posting malicious ads on Google (who say they are addressing this). If you are on the 1Password or Bitwarden sites all is well – but are you really on their site? Check carefully. Even being cautious, it’s easy to assume Google links are ok, but maybe they aren’t. Proceed with caution. |
Jan #6 | Who needs a human hacker when you have OpenAI/ChatGPT? | Many instances are emerging of ChatGPT being used to generate malware that is not (easily) detectable. Further this malware can mutate or morph so that each time it runs it is different. Oh, and those generating malware via the OpenAI/ChatGPT platform need no coding skills. Good grief! This puts Ransomware as a Service and Phishing as a Service into the shade. Here’s a link to an article from CyberArk with much more on this. |
Jan #5 | Tsunami approaching Jan 2024? | This is about Transport Layer Security (TLS) 1.3. Given the lack of business cases and the vast potential disruption, only a small number of entities have updated their systems to TLS 1.3 from TLS 1.2, the 2008 standard used in most web communications. This is about to change, as NIST will push this down through government and banking networks and to anyone who wants to do business with them. TLS 1.3 was published 4 years ago but has limited adoption despite it updating acceptable encryption methodologies, deprecating early/old ones, upgrading key exchanges, etc. It is believed that TLS 1.3 will be mandated on Jan 1st, 2024. |
Jan #4 | Well, who can you trust? | Every security company’s nightmare is being hacked and losing credibility and customers. Following the LastPass debacle, LifeLock, PayPal and the sensitive credit bureau Experian have reportedly been hacked, resulting in loss of confidentiality. Getting the truth is a challenge since these companies are shy about giving the full story. |
Jan #3 | Terminology page grows daily | What started as a few simple terms has grown to a compendium of almost 100 cybersecurity related definitions separating meaning from marketing hype and unraveling recently observed vulnerabilities. |
Jan #2 | A new article on Holistic Cybersecurity | The Search for Cyber-Sanity. My new article published in ISE magazine explores why Zero Trust is only the beginning to holistic cybersecurity effectiveness. Discover how to improve your cybersecurity best practices. Read the article. |
Jan #1 | Passwords and Password Managers | What to do and not do with passwords? With the debacle at LastPass and the resulting lack of confidence, the question is who to trust? Does the exfiltration of information that happened at LastPass erode confidence in all password managers such as BitWarden, Dashlane, 1Password, KeePass, even Google? As adoption of passkeys gathers momentum the fundamentals still apply: passwords >22 characters, MFA, care on password changes, etc. |
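The “hover first before clicking” advice in Feb #13 and the “are you really on their site?” question in Jan #7 can be turned into a check a mail gateway or browser extension could run. The following is an added example, not code from the original page: it compares the text a user sees with the host a link really points to, and flags the tricks those items describe (a trusted brand embedded as a subdomain of an unrelated host, digit-for-letter lookalikes, non-ASCII/punycode homograph hosts, and plain HTTP). The trusted-brand list, the confusable map and all sample links are constructed for illustration.

```python
"""Programmatic "hover first before clicking": does the link go where it
appears to go? Added example; the brand allow-list, confusable map and
sample links below are constructed, not taken from any real incident."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical allow-list of brands the reader trusts (constructed).
TRUSTED_HOSTS = ("1password.com", "bitwarden.com", "google.com")

# Digits commonly used to imitate letters in lookalike hosts (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "3": "e", "5": "s", "7": "t"})

# Stable reason strings so callers can match on them.
R_NOT_HTTPS = "link is not HTTPS"
R_NON_ASCII = "host is non-ASCII or punycode (possible IDN homograph)"
R_TEXT_MISMATCH = "visible text names a different site than the link target"
R_BRAND_EMBEDDED = "trusted brand name embedded in an unrelated host"
R_LOOKALIKE = "host is a digit-for-letter lookalike of a trusted brand"


def link_host(url: str) -> str:
    """Host part of a URL, lower-cased; a scheme is assumed if missing."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_in_text(text: str) -> Optional[str]:
    """The host a user would read in the visible link text, if any."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return match.group(1) if match else None


def check_link(display_text: str, href: str) -> Dict[str, object]:
    """Return the real host plus every reason the link looks deceptive."""
    reasons: List[str] = []
    host = link_host(href)
    if urlparse(href).scheme.lower() == "http":
        reasons.append(R_NOT_HTTPS)
    # IDN hosts reach us either as raw Unicode or already punycoded (xn--).
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append(R_NON_ASCII)
    shown = host_in_text(display_text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(R_TEXT_MISMATCH)
    for brand in TRUSTED_HOSTS:
        if host == brand or host.endswith("." + brand):
            break  # genuinely on the brand's own domain; nothing to flag
        if brand.split(".")[0] in host:
            reasons.append(R_BRAND_EMBEDDED)  # e.g. bitwarden.com.evil.example
        elif registrable_domain(host).translate(CONFUSABLES) == brand:
            reasons.append(R_LOOKALIKE)  # e.g. g00gle.com
    return {"host": host, "safe": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: (what the user sees, where it really goes).
    samples = [
        ("https://bitwarden.com/download", "https://bitwarden.com/download"),
        ("bitwarden.com", "https://bitwarden.com.login-help.example/"),
        ("Download 1Password", "http://g00gle.com/ads/1password"),
        ("bitwarden.com", "https://b\u0456twarden.com/"),  # Cyrillic і (U+0456)
    ]
    for text, url in samples:
        print(f"{text!r} -> {check_link(text, url)}")
```

The registrable-domain helper deliberately stops at the last two labels; a production version would consult the public suffix list so that `example.co.uk` is not mistaken for a `co.uk` site, and would treat a brand substring in a well-known vendor domain (Google’s own CDN hosts, for instance) as an expected exception rather than a finding.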
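Jan #5 above describes the coming TLS 1.3 cut-over but not what it looks like in a client. As an added example (not from the original page, and not a NIST checklist; the audit rules are my own), here is the weak setting beside the corrected one in Python’s standard `ssl` module, plus a small audit function that reports whether a given context still admits TLS 1.2 or has verification switched off.

```python
"""Enforce TLS 1.3 as the floor on a Python SSL context and audit an
existing context against that bar. Added example; the audit findings are
an illustrative checklist, not a standards requirement list."""
import ssl
from typing import List


def legacy_context() -> ssl.SSLContext:
    """The 'before': Python's default context still admits TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls13_context() -> ssl.SSLContext:
    """The 'after': refuse anything below TLS 1.3, keep verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings; an empty list means the context meets the TLS 1.3 bar."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum version is {ctx.minimum_version.name}, not TLSv1_3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    # TLS 1.3 never negotiates compression, but the flag still matters if
    # someone later relaxes the same context back to TLS 1.2.
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    return findings


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_context()))
    print("hardened:", audit_context(tls13_context()))
```

Note that raising `minimum_version` only changes what this endpoint will accept; a peer that cannot speak TLS 1.3 will fail the handshake, which is exactly the “vast potential disruption” the item refers to, so roll the setting out behind telemetry on negotiated protocol versions first.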
July - December 2022
Date | Topic | Update |
Dec 2022 | Critical year-end message re implementing Zero Trust | While we have extolled the virtues of automated and fully tested backups, they only repair after the fact: ransomware attacks where data is encrypted or lost. If the data you have is sensitive (financial, personal or legal information) it is imperative that the information is not leaked or sold – which it likely will be, even after ransom payments are made. This is a going-out-of-business strategy. That is why exfiltration of data must be prevented by implementing a comprehensive Zero Trust strategy, whose goal is precisely the prevention of data exfiltration. |
Dec 2022 | Web Application Vulnerabilities | Web application attacks have been known for years, but several instances of attacks not caught by Web Application Firewalls have resulted in SQL injection attacks. With SQL databases being the norm on the web, it has become critical to ensure verification of updated software. |
Dec 2022 | More on Cameras | Anker’s Eufy cameras’ claims of privacy, encryption and other security were debunked by The Verge. You have been warned. |
Dec 2022 | U.S. bans more Chinese network devices. | Following the recent discovery of malware in Chinese company Hikvision’s popular camera products (about 80,000 being deployed), the US government has banned import and use of their products, joining other Chinese companies such as Huawei, ZTE, etc. which were previously singled out by the US government. |
Dec 2022 | Gone – Vishing | This one you don’t have to worry about – well, until it surfaces next week as something else. This scam may have begun as well-intentioned or not, but it offered a service for users to disguise their caller ID. However, ispoof.com, or hackers using it, reputedly chalked up over $120m of illicit revenues over two years until the FBI and Europol shut them down and arrested 100+ hackers, mostly in Europe. But the idea may resurface elsewhere. |
Nov 2022 | Black Phishday Alert | Friday is a traditional day for Fish n’ Chips but this is Black Friday and Phish is on the menu but the chips are down on your security. Expecting to see great deals from your favorite stores and up to the moment delivery tracking info? Of course you are. However, about one in six delivery emails and about one in 25 “shopping sites” are malicious. So don’t touch that dial. Apology for the weak puns. |
Nov 2022 | Delegate Don’t Abdicate | This is a possible solution to the complex problem of delegating to outside agencies, software companies, sales CRMs, physical security companies, device vendors, etc. Since this is a problem of endless/recurring loss of control, the recommendation is that all contracts for purchase or partnership, etc., put the responsibility on the provider to warrant that they are responsible for any security issues or outcomes that arise from use of their service. |
Nov 2022 | Update1: Crypto1 | With the bankruptcy of FTX and the evaporation of Sam Bankman-Fried’s $26 billion fortune, could the route to easy illicit money be on the verge of collapse? Will it be replaced by “the check’s in the mail.” Is this good news? |
Nov 2022 | Update2: Crypto2 | In the “Causes” section of the book, I covered the move to the Cloud, Covid-generated distributed workforces, etc., but I just realized that I did not cite crypto currency as a cause, since its presence is key: it’s what has allowed bad actors to easily collect ransomware payments, which was never present before. But wait, there’s more; see above. |
Nov 2022 | Update 3: Phishing as a Service | A few weeks ago this page covered the arrival of Phishing as a Service. Just a month later there has been a dramatic increase in the use of PhaaS reported. Akamai reported 299 Phishing as a Service tool kits (which means many times that number of actors using these tool kits to initiate phishing attacks). Good grief. |
Nov 2022 | CISA announces Cybersecurity “Performance” Goals | First the good news. It’s great that the government is really serious about cybersecurity. Now the confusing news. CISA (the U.S. government’s Cybersecurity and Infrastructure Security Agency) has published “The Cross-Sector Cybersecurity Performance Goals (CPGs)” for critical networks. If you are expecting to see a list of latency and CPU requirements that ensure minimal delay while ensuring defense against attack, then you may be disappointed and go to dictionary.com to look up “Performance.” Rather, the CPGs “strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks.” None the wiser? Well, before you click on the link and download these purely voluntary goals, I’d like to wish you good luck! Visit https://www.cisa.gov/cpg to be enlightened (or not). |
Nov 2022 | New MEF Zero Trust Specification | For the last two years I have been privileged to be a contributor to a new industry specification approved for publication on 10/25/2022: “MEF 118: Zero Trust Framework for MEF Services.” It recognizes the key ZT principles and strategies and specifies the attributes augmenting MEF services to implement Zero Trust functionality. A piece on this significant addition to service provider services, by editor Ralph Santoro, was published today (11/3/22) at https://bit.ly/3zJsCVT. The PDF of MEF 118 can be found on the MEF site. |
Nov 2022 | Zero Trust goes mainstream | The U.S. government has made it mandatory for all federal agencies to adopt zero trust by 2024. The National Institute of Standards and Technology (NIST) has also been told to build a playbook for the private sector. Hopefully, this playbook consists of lots of use cases. Gartner apparently anticipates spending on zero trust to more than double between now and 2025 to $1.674 billion – though it doesn’t say whether that’s system or component revenue, or how it equates principles and strategy into market dollars. NIST has had an architecture for several years; check out the reference pages. |
Oct/Nov 2022 | New Edition of the Book published. | Halloween seemed the right day to publish the third edition of my paperback and eBook containing the latest on Holistic Cybersecurity. Check it out on Amazon at https://amzn.to/3P7xb1U. |
Oct/Nov 2022 | Passkey Update | Passkeys (intended to make passwords obsolete) have a new web site showing the latest on this controversial initiative, and it is worth checking out: Passkey.dev gives the updated info. It is critical that authentication and identity managers are delegated to carefully vetted outsourced companies, since passkey security will fail – as was seen in November 2022. |
Oct 2022 | Privacy Law Chaos | The UK has made the privacy laws, and hence the attacks on web sites, even more chaotic for multinationals by announcing it will be joining Japan, South Africa and others in replacing the EU’s GDPR legislation with a home-grown version. Good grief. |
Oct 2022 | More Crypto Troubles | The Binance cryptocurrency platform hack lost $570m earlier this month, as covered by Reuters. Related to this, the Zcash blockchain DDoS attack consisted of a blast of bogus transactions. |
Oct 2022 | The Very Latest on Zero Trust | Fresh from the Zero Trust panel at ONUG Fall (10/20/22) is our new summary of Zero Trust, shown at the foot of the cybyr.com home page. |
Oct 2022 | Exponential Organizations | Given that only 25% of large and midsize companies have Cybersecurity as an executive imperative, the role of Exponential Organization methodology to introduce disruptive technologies such as Holistic Cybersecurity is critical. At the October 13th ExO All Hands meeting this key connection was explored. For more on how ExO methodology overcomes an organization’s resistance to change – click here. |
Oct 2022 | Network Cloud | An all-new podcast covering Services, Connections and Security for the Network Cloud. Leaders from ONUG’s Network Cloud working group discuss critical network strategies that will affect an organization’s digital transformation. Click to view the podcast. |
Oct 2022 | Government Initiatives | October is Cybersecurity Awareness Month with government initiatives to be found at Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). Five pretty basic actions but it’s all about starting with the weakest links. |
Sept/Oct 2022 | Ransomware as a Service | You may encounter LockBit 3.0. LockBit 2.0 was reportedly responsible for 1000+ attacks. A precocious group offering Ransomware as a Service (for all!) is just the tip of this RaaS and PhaaS (see below) pandemic. Unsurprisingly, there are many (100+) RaaS groups stealing code from each other. The point of this post is to alert you to the escalation of tools to create attacks that are falling into the hands of unskilled criminals. Like other pandemics, mutations of attacks can be expected. Prevention of phishing is the best approach, but it is not infallible. If impacted, we suggest searching for services that will help. |
Sept/Oct 2022 | MFA Fatigue | Following recent breaches of Uber’s records it’s become apparent that the MFA push notifications you receive on your phone can really be just a front for another scam: the requests keep coming until, eventually, the user succumbs and approves one. This has been termed MFA Fatigue. Do not approve these unless you are certain of the origin and timing. Uber and others have now taken action with more sophisticated notifications to render such scams less potent. |
Sept 2022 | Phishing as a Service with MFA Bypass | It was probably inevitable. The emergence of Phishing as a Service (PhaaS) combines man-in-the-middle attacks to spoof web sites and defeat two-factor authentication. This is part of a PhaaS kit from EvilProxy and was discovered by Resecurity in their must-read article published in September. This tool allows subscribers with little know-how to set up crippling phishing attacks. Expect this to generate phishing attacks that are more difficult to detect. |
Sept 2022 | Hidden Scary Software Supply Chain Problems in Mobile Apps | Just when you thought they fixed security in the Cloud, it’s been discovered by Symantec that thousands of mobile apps using open-source SDKs are infected with code that can reveal your AWS credentials. iOS apps and their supply chains are creating these disastrous vulnerabilities. If you are not concerned, then know that included in these are banking apps that are exposing customer data! Oh, and almost every mobile gaming app is using the same flawed software. Remember: delegate, don’t abdicate, your security. |
Sept 2022 | The Bumblebee Loader | The Bumblebee Loader has recently become the biggest new story on the malware front. Instigated by a single phishing attack, this horrendous new Living-off-the-Land attack is impacting tens of millions of Windows devices. Click here for the full story. |
Sept 2022 | Quantum Computing | The implication of Quantum computing is that nothing (including decrypting nuclear weapon guidance systems – yes, we thought that might get your attention) could be more important for world control – if discovered. However, the most recent commentary is that it may never happen. The point being: invest with caution and focus on other security weak links instead. |
Aug 2022 | Build in Testing and then actually test it | This was definitely not emphasized enough in the book. It’s one thing to effect a disaster recovery program to ensure that data is stored offline, and even that restores are done and tested to be valid. What also needs to be done is to look at potential data breaches, insider threats, etc., and perform dress rehearsals for how you can recover. It does not mean that you will be able to second-guess a specific problem, but at least there will be a fire drill: a tested and calmly written process for when things do go wrong. (Looks so much better than running around like a headless chicken!) |
Aug 2022 | Cyber Insurance | This was covered in the book, but it just got worse. Much worse. Lloyd’s of London (the most influential insurance underwriter) has notified the world in a market bulletin that, as of March 31st 2023, nation-state cybersecurity attacks are to be excluded. This sounds like a complete can of worms, since how can it be proved who sponsored your attack??? It certainly makes it important to deploy defenses against nation-state attacks. This was likely triggered by Merck’s massive successful cyber insurance claim. |
Aug 2022 | New Term Added | SPIFFE and SPIRE production software methodologies were not included in the book and have been added to the Terminology page. |
Aug 2022 | Oops, then there were three | It turns out that one of the four finalists (SIKE) was cracked due to a vulnerability in its underlying algorithm. |
July 2022 | Encryption – the end is nigh? | Maybe not! NIST announced the four finalists of new encryption systems defined to defeat potential Quantum computing (future) encryption cracking algorithms. |
July 2022 | Phishing | Strangely, the definition was missing in the first edition of the book; it is included in the online terminology page. |
July 2022 | Threat Hunting | Not addressed in the book because it’s become a hyped marketing term, being part of several systems. Wikipedia says it’s a proactive cyber defense activity: “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” It will be included in the online terminology page. |