Les Bell and Associates Pty Ltd
Site blog
News Stories
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
Intel APIC Vulnerability Breaks Crypto
A couple of security students from Rome and Graz, Austria, have discovered a vulnerability in Intel's SGX security architecture which will leak information via uninitialized memory reads - a variation on the classic Time of Check/Time of Use class of vulnerabilities.
The SGX architecture is intended to protect sensitive data such as encryption keys in memory by the creation of secure memory blocks called enclaves. The proof-of-concept exploit uses a vulnerability in the Advanced Programmable Interrupt Controller to access stale data in registers and thereby break SGX, obtaining a 128-bit AES key in 1.35 seconds with a 94% success rate. It can also extract a 1024-bit RSA key (but who uses those?) in an average of 81 seconds with a 74% success rate.
The lesson here? The complexity of modern CPU's is making it impossible to make guarantees about security. For some years, the use of formal methods in hardware design had made this possible, but for the last 5 years or so, we have seen the growth of CPU vulnerabilities like Spectre, Meltdown and others which created side-channel attacks, and now ÆPIC. As we have long known, the enemy of security is complexity.
Goodin, Dan, SGX, Intel's supposedly impregnable data fortress, has been breached yet again, Ars Technica, 10 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/.
Windows 11 Crypto Bug Corrupts Data
A newly-discovered bug in Windows 11 affects systems using AES-XTS and AES-GCM encryption modes on Intel Ice Lake, Tiger Lake, Rocket Lake and Alder Lake processors. Let's break this down.
AES-XTS is XEX-based tweaked codebook mode with ciphertext stealing (I won't delve further into this, but it's something I cover in a forthcoming course on crypto for developers), and is primarily used for encrypted filesystems such as BitLocker, VeraCrypt, etc. AES-GCM is much more common - it's the Galois/Counter Mode used by the majority of TLS connections on the web.
The processor architectures listed cover some of Intel's 10th-generation laptop processors, as well as all their 11th- and 12th-generation Core CPU's. AMD's as-yet-unreleased Zen 4 processors will also support the VAES (Vector AES) instructions which underlie the problem.
Microsoft introduced a patch for the problem in the June 2022 security update package for Windows 11 and Windows Server 2022. If you have deployed this patch, you will not be hit with the data corruption problem - but systems running before this may have as-yet-undetected corrupted data - most likely in encrypted filesystems. Clearly, the fix should be applied ASAP. The first version of the patch caused performance degradation, probably because it disabled hardware crypto acceleration. The July 2022 version should remedy this, however.
Unattributed, KB5017259 - Windows devices that have the newest supported processors might be susceptible to data damage, Microsoft Windows support, August 2022. Available online at https://support.microsoft.com/en-us/topic/kb5017259-windows-devices-that-have-the-newest-supported-processors-might-be-susceptible-to-data-damage-d5e7c0cb-6e0a-4865-81ed-c82e91657a24.
Cisco Small Business Routers - Update Urgently
Cisco has disclosed multiple vulnerabilities in their Small Business RV160, RV260, RV340 and RV345 series routers, which can allow remote code execution (RCE) by an unauthenticated remote attacker, or simply trigger a denial of service. There are no workarounds - the only fix is a software update.
You know what to do.
Uncredited, Cisco Small Business RV Series Routers Vulnerabilities, Cisco Security Advisory, 3 August 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR.
A New Form of Steganography
The classic approach to steganography was the use of milk, urine and other substances as an invisible ink which would reveal a message when heated over a candle. Now, scientists at the University of Texas at Austin have put a twist on this by storing a 256-bit encryption key into a polymer material made up of sequence-defined polymers - basically long chains of polymers, each of which corresponds to one of 16 different symbols, which they then incorporated into a special ink.
Ouellette, Jennifer, Scientists hid encryption key for Wizard of Oz text in plastic molecules, Ars Technica, 9 August 2022. Available online at https://arstechnica.com/science/2022/08/scientists-encoded-the-wizard-of-oz-in-the-chemical-structure-of-ink/.
Customer Engagement Firm Twilio Breached
Twilio, which provides mass marketing, email and customer communications services, had several employees fall victim to a smishing attack, which gained an as-yet-unidentified threat actor access to some of the company's internal systems. The SMS messages looked credible, taking employees to what looked like Twilio's SSO sign-in page hosted at fake domains.
This illustrates a weakness in using federated identity management systems hosted by external providers - they take the employee out of the company domain to one they don't really take notice of, in order to sign in. The best additional layer of defence is multi-factor authentication - and a text-message-based mTAN is emphatically not the right approach here!
Uncredited, Incident Report: Employee and Customer Account Compromise - August 4, 2022, Twilio Security Blog, 7 August 2022. Available online at https://www.twilio.com/blog/august-2022-social-engineering-attack.
Nice Doggy - Now Roll Over
A few weeks ago, a video of a robot dog firing a machine gun went viral.
If this has been giving you sleepless nights, take comfort from the fact that the robot killer canine is just as vulnerable as your garage door opener - a kill signal sent over a 433 MHz channel will instantly disable the dog. You can use any of many devices, such as a Flipper Zero, to send the signal; if you aren't familiar with these, ask your friendly local car thief.
Gault, Matthew, Hacker Finds Kill Switch for Submachine Gun-Wielding Robot Dog, Vice, 8 August 2022. Available online at https://www.vice.com/en/article/akeexk/hacker-finds-kill-switch-for-submachine-gun-wielding-robot-dog.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Targeted Ransomware Attacks on South Korea
South Korean manufacturing, pharmaceutical and healthcare companies are being targeted by Linux and Windows ransomware which will lock up files including VMware ESXi virtual machines. The GwisinLocker ransomware is produced by an otherwise-unidentified threat actor with a good knowledge of South Korean business - the attacks occurred on Korean public holidays and in the early hours of the morning. "Gwisin" means "ghost" in Korean.
The ransom note text files left behind include a lot of very specific information, including the victim company name and the types of data stolen, indicating a highly targeted attack.
Toulas, Bill, New GwisinLocker ransomware encrypts Windows and Linux ESXi servers, Bleeping Computer, 6 August 2022. Available online at https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/.
Cheat Sheet Maps MITRE ATT&CK to Google Cloud Platform
MSSP Expel is offering a mind map cheat sheet which maps the MITRE ATT&CK framework to the services and API calls a threat actor would use at each stage of an attack in Google Cloud Platform. The 18-page map is useful to SOC analysts for incident response triage and investigations as well as to security architects designing instrumentation for SOAR.
It wouldn't be too difficult to re-map this approach to other cloud platforms like AWS and Azure. It's not a playbook, but a very useful adjunct.
Pellett, Kyle, A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP), Expel Inc, 5 August 2022. Available online at https://expel.com/blog/mitre-attack-cheat-sheet-for-gcp/ (registration required for download).
Fixing Open Source Vulnerabilities At Scale
The fact that thousands of open source projects are, firstly, open source and, secondly, hosted on public repositories like GitHub makes it possible to use search tools like GitHub's code query language, CodeQL, to find common vulnerabilities across many projects and automate their reporting and fixing. Jonathan Leitschuh, inaugural Dan Kaminsky Fellow at HUMAN Security, has used his fellowship year to work on refining tools and methods for this process, and will be delivering a presentation on it at Black Hat in Las Vegas this week.
Given that open source components permeate not just the open source culture but also vast swathes of the proprietary code ecosystem, vulnerabilities in them can be devastating, as we have seen with the notorious Log4J vulnerability. This research could well have a massive payoff.
Chickowski, Ericka, We Have the Tech to Scale Up Open Source Vulnerability Fixes - Now It's Time to Leverage It, Dark Reading, 9 August 2022. Available online at https://www.darkreading.com/dr-tech/we-have-the-tech-to-scale-up-open-source-vulnerability-fixes-now-it-s-time-to-leverage-it.
Insurer Found Not Liable for Ransomware Remediation
The Federal Court of Australia has delivered a judgement in favour of the insurer in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883. Inchcape had suffered a ransomware attack which had encrypted its primary server, deleted the primary and offsite (!?!) backups, spread to client machines and exfiltrated data, and had claimed for the costs of incident response and forensic investigations, the costs of replacing hardware, data recovery and the additional manpower requirements.
Their policy with Chubb had three separate agreements covering (1) computer systems fraud in general, (2) direct financial loss from computer virus and similar programs, and (3) direct financial loss resulting from the fraudulent modification of electronic data, electronic media or electronic instruction.
The case primarily hinged on whether the expression "direct financial loss resulting directly from" in the latter two agreements would include the incident response costs, hardware replacement, etc. or be limited to just the cost of actually reproducing the lost data, etc.
I have simplified this substantially - Justice Jagot's judgement lays out the questions in much greater detail. The reasoning is very restricted to the specific policy and circumstances, but is a useful reminder to have your corporate counsel review the fine print of your insurance policies. In particular, be aware that cyber insurance policies are designed to provide specific incident response expertise and cover those costs - what Inchcape had was a more general - but tightly worded - policy to cover the costs of data recovery only.
Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883, Federal Court of Australia, 1 August 2022. Available online at https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2022/883.html.
Danish 7-Eleven Stores Closed Due to POS Attack
7-Eleven stores throughout Denmark were closed on Monday, due to an early-morning cyber attack on their checkout and point-of-sale systems.
There's a business continuity planning challenge here: keeping an old-fashioned cash register on hand is not going to be any use; since COVID-19 struck, almost everyone uses cashless, contactless payment these days - in fact, credit cards are less used than smartphone payment systems.
Abrams, Lawrence, 7-Eleven stores in Denmark closed due to a cyberattack, Bleeping Computer, 8 August 2022. Available online at https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/.
Incident Response Delay Comes Back to Bite Experian
Credit reference company Experian suffered a major breach in July, due to really bad design of its account recovery processes. It appears that customers could regain access to locked accounts by simply recreating them on a different email address, using their name, address, phone number, social security number and answering a few questions based on publicly-available information.
Experian's real problem was that a couple of customers contacted security blogger Brian Krebs, who set out to replicate their experience and investigate further, publishing his findings. At this point, a major vulnerability was now public knowledge, but rather than moving rapidly to fix it, Experian downplayed the problem and claimed that additional controls would prevent account hijacking. Unfortunately, this was incorrect, and a number of people had their accounts hijacked.
Experian is now facing a class action for their failure to fix this issue, with the filing quoting liberally from the KrebsOnSecurity article. It is doubtful if much will result from this, but it does illustrate the need to move quickly to really address vulnerability disclosure, rather than relying on crisis communications to manage public sentiment.
Krebs, Brian, Class Action Targets Experian Over Account Security, KrebsOnSecurity, 5 August 2022. Available online at https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/.
Amazon Acquired iRobot - Here's Why
Last week, retail giant Amazon acquired iRobot Corp., maker of the best home appliance ever, the Roomba (as well as various other mopping, gutter-cleaning and other gizmos). Although Amazon does use Roomba-like gadgets in its warehouses (as does IBM, for temperature monitoring in the aisles of its data centers), and iRobot is a profitable business with lots of growth potential, these are perhaps not the real motivation for the acquisition.
It's about mapping the inside of your home. Amazon has big designs on being a smart-home company; its Echo smart speakers outsell their rivals, in part due to low pricing which Amazon will recoup through the devices' ability to directly order products from the company with minimal user effort. These smart speakers support a smart home ecosystem that can interact with lighting, security cameras, thermostats and much more. The company also sells tablets and streaming services, and has acquired grocery retailer Whole Foods, doorbell manufacturer Ring and wi-fi device manufacturer Eero.
But until now, Amazon hasn't known exactly where these gadgets were. Now, mapping data from the Roomba meandering from room to room will tell the company the size of your home, the layout of the rooms, the furniture layout, and much more. It's going to be interesting to see how privacy advocates and legislators respond to this.
Webb, Alex, Amazon's Roomba Deal Is Really About Mapping Your Home, Bloomberg, 6 August 2022. Available online at https://www.bloomberg.com/news/articles/2022-08-05/amazon-s-irobot-deal-is-about-roomba-s-data-collection.
Local Privilege Escalation Vuln in Kaspersky VPN Client
A vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows will allow an already-authenticated user to gain SYSTEM privilege on the victim's computer. While no exploits for CVE-2022-2735 have been seen in the wild, customers should update to version 21.6 or later.
Seals, Tara, High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover, Dark Reading, 5 August 2022. Available online at https://www.darkreading.com/endpoint/high-severity-bug-kaspersky-vpn-client-pc-takeover.
Phishers Exploit Unvalidated Redirects on Amex and Snapchat Sites
The problem of unvalidated redirects and forwards in web server code has been known about since - well, since soon after CGI code first ran on web servers. Yet it continues to catch out many developers and their sites' users, most recently in a campaign which was active for over two and a half months and targeted American Express - who fixed the problem - and Snapchat, which remains vulnerable. Similar attacks have previously targeted FedEx and Microsoft.
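As an added illustration (not code from the INKY report or from either site), the following Python checks a user-supplied return-URL parameter the way a hardened login handler should before issuing a redirect; the allow-listed hosts and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the only hosts this site will ever redirect a user to.
ALLOWED_HOSTS = {"www.example.com", "account.example.com"}
FALLBACK = "/"


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Return True only if `target` stays on this site or on an allow-listed host.

    Refuses the common ways an attacker-supplied value escapes the site:
    protocol-relative "//evil", backslash and control-character confusion,
    non-HTTP schemes such as javascript:, and userinfo "@" smuggling.
    """
    if not target:
        return False
    # Browsers and servers disagree on how to parse backslashes and control
    # characters, so refuse them outright rather than trying to normalise.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname  # lower-cased, with userinfo and port removed
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only an absolute path. "//host" and
        # "///host" are network-path references, not paths, so refuse them.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    return host is not None and host in allowed_hosts


def resolve_redirect(target: str) -> str:
    """The value a login handler should actually put in the Location header."""
    return target if is_safe_redirect(target) else FALLBACK


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example.net/phish",
                      "https://www.example.com@evil.example.net/",
                      "javascript:alert(1)", "https://account.example.com/x"):
        print(f"{candidate!r:48} -> {resolve_redirect(candidate)}")
```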
Kay, Roger, Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites, INKY Email Security Blog, 3 August 2022. Available online at https://www.inky.com/en/blog/phishers-bounce-lures-off-unprotected-snapchat-amex-sites.
5.4 Million Twitter Accounts Compromised
Not the highest-impact social media breach by a long shot, but Twitter has confirmed that a threat actor used a zero-day exploit to gather the profiles of 5.4 million Twitter users, including verified phone numbers and email addresses, screen names, login name, location and other information. The hacker subsequently sold this data dump to two different interested parties.
While much of this information was public anyway, it may have exposed personal information of users who had pseudonymous accounts for privacy reasons. It also seems likely that the information could be used by the purchasers to run highly-targeted spear-phishing attacks. Twitter recommends that users who may be affected - or suspect they may be affected - should enable multi-factor authentication on their accounts.
Abrams, Lawrence, Twitter confirms zero-day used to expose data of 5.4 million accounts, Bleeping Computer, 5 August 2022. Available online at https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/.
Cloud Billing Risk: Recursive Serverless Functions
I'm almost certain you never foresaw this particular risk: the possibility that a recursive function, running on a serverless cloud platform, could rapidly consume massive amounts of resources before any budget alert could fire to warn you of what's happening. Cloud developers are reporting horror stories on all the major cloud platforms - AWS, Azure and Google Cloud Platform - with one developer burning through $US72,000 in a few hours while exploring and testing.
OK, this isn't strictly security, but it's a big risk and probably worth passing on to your development teams. It's one thing to screw up and max out CPU and memory on your own development workstation - it's quite another to do it on a pay-as-you-go platform that can automagically scale up to consume an entire cloud.
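To make the runaway concrete, here is an added Python sketch (not from the InfoQ article) of a self-invoking function with a deliberately buggy "work remaining" check, driven by a local stand-in for the platform's asynchronous invoke; HOP_LIMIT, FANOUT and the event layout are assumptions.

```python
from collections import deque

HOP_LIMIT = 5   # assumed: how many times one request may re-trigger the function
FANOUT = 2      # assumed: each invocation hands leftover work to two new invocations


def process_batch(items):
    """Stand-in for business logic with the classic bug: it never consumes anything,
    so it always reports the whole batch as still to do."""
    return list(items)


def handler(event, invoke_async, guarded=True):
    """Serverless-style entry point. `invoke_async` stands in for the platform's
    asynchronous self-invocation API. A hop counter rides inside the event and is
    incremented on every re-invocation; the guard refuses once it reaches HOP_LIMIT."""
    hops = int(event.get("hops", 0))
    if guarded and hops >= HOP_LIMIT:
        # Exiting here is what bounds the bill: nothing further is queued.
        return {"status": "dropped", "hops": hops}
    remaining = process_batch(event.get("items", []))
    if remaining:
        for _ in range(FANOUT):
            invoke_async({"hops": hops + 1, "items": remaining})
    return {"status": "ok", "hops": hops}


def run_locally(first_event, guarded, max_invocations=100_000):
    """Drive the handler the way the platform would: every async invoke is queued
    and eventually executed. `max_invocations` exists only to stop the unguarded
    simulation; on a real pay-as-you-go platform the stopping point is the bill."""
    queue = deque([first_event])
    invocations = dropped = 0
    while queue and invocations < max_invocations:
        result = handler(queue.popleft(), queue.append, guarded)
        invocations += 1
        if result["status"] == "dropped":
            dropped += 1
    return {"invocations": invocations, "dropped": dropped, "still_queued": len(queue)}


if __name__ == "__main__":
    trigger = {"hops": 0, "items": ["order-1"]}   # constructed external trigger
    print("guarded:  ", run_locally(trigger, guarded=True))
    print("unguarded:", run_locally(trigger, guarded=False))
```

In production, pair the counter with the platform's own concurrency or quota limits, since a hop counter only helps on invocation paths that carry it.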
Losio, Renato, Are Recursive Serverless Functions the Biggest Billing Risk on the Cloud?, InfoQ, 6 August 2022. Available online at https://www.infoq.com/news/2022/08/recursive-serverless-functions/.
Traffic Light Protocol Updated to Version 2.0
The Traffic Light Protocol, which governs the dissemination of threat intelligence, has seen its first significant update. The colour WHITE has been replaced by CLEAR (to avoid racial and ethnic overtones as well as the connotation of white being an additive mix of all the other colours) and a new marker, TLP:AMBER+STRICT, has been added. So there are now five levels:
- TLP:RED - for the eyes and ears of individual attendees only; you can act on information but not forward it; used when information cannot be effectively acted upon without significant risk for the privacy, reputation or operations of the organizations involved.
- TLP:AMBER+STRICT - may be shared within the recipient's organization only, but cannot be shared with customers, business partners or suppliers
- TLP:AMBER - may be shared within the recipient's organization and also with customers or clients
- TLP:GREEN - may be circulated freely within your community (which if not otherwise defined is the cybersecurity/defence community), but not publicly nor outside the community
- TLP:CLEAR - may be freely shared with the world
FIRST, TRAFFIC LIGHT PROTOCOL (TLP): FIRST Standards Definitions and Usage Guidance - Version 2.0, August 2022. Available online at https://www.first.org/tlp/.
Boards Now On Board with Security?
Not quite, not yet. According to a global survey report released by executive recruitment firm Heidrick and Struggles, only 12% of CISO's actually sit on the board of their company, but the situation is improving, in part due to market regulators like the SEC, ASIC and stock markets themselves. Gartner now predicts that 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member by 2025.
However, growing awareness of cybersecurity incidents and breaches by the board requires a change in approach, as they become inured to 'the sky is falling' pitches for budget increases. By now, many firms have lived through ransomware and other attacks and recovered to resume business as usual. A more measured approach is required to dealing with cybersecurity risks.
Aiello, Matt, et. al., 2021 Global Chief Information Security Officer (CISO) Survey, Heidrick & Struggles, 2022. Available online at https://www.heidrick.com/en/insights/technology-officers/2021-global-chief-information-security-officer-ciso-survey.
Glover, Claudia, Cybersecurity on the board: How the CISO role is evolving for a new era, Tech Monitor, 5 August 2022. Available online at https://techmonitor.ai/technology/cybersecurity/ciso-on-the-board.
IoT Device SSH Servers Used to Form Botnet
A derivative of the Mirai botnet named RapperBot has been rapidly evolving since it was first discovered back in June. The malware scans IoT devices and attempts to brute-force its way into the embedded SSH server, and has now amassed over 3,500 IP addresses it uses for this purpose. Once it has broken into a device it exfiltrates valid credentials back to its C2 network, and since mid-July it has switched from propagating further to maintaining remote access into the compromised devices, adding its own public key to the authorized_keys file on the victim. In a nasty twist, it also deletes the existing public keys, which will prevent administrators from logging in to fix the issue.
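As an added defensive example (not from The Hacker News article or the malware analysis it cites), the following Python compares a device's authorized_keys file against a known-good baseline and flags the pattern described above: approved keys removed and an unknown key added. The sample file contents, key blobs and comments are constructed.

```python
import base64
import hashlib
from typing import NamedTuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


class AuthorizedKey(NamedTuple):
    key_type: str
    fingerprint: str
    comment: str
    options: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Parse authorized_keys lines, including ones that start with options such as
    from="..." or no-pty. Malformed lines are returned separately, not ignored."""
    keys, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            malformed.append(line)
            continue
        key_type, blob_b64 = tokens[idx], tokens[idx + 1]
        try:
            blob = base64.b64decode(blob_b64, validate=True)
        except ValueError:
            malformed.append(line)
            continue
        # The blob begins with a length-prefixed copy of the key type; check they agree.
        if blob[4:4 + len(key_type)] != key_type.encode():
            malformed.append(line)
            continue
        keys.append(AuthorizedKey(key_type, fingerprint(blob_b64),
                                  " ".join(tokens[idx + 2:]), " ".join(tokens[:idx])))
    return keys, malformed


def diff_authorized_keys(baseline_text: str, current_text: str):
    """Keys in the baseline but missing now, and keys present now but unknown."""
    base_keys, _ = parse_authorized_keys(baseline_text)
    cur_keys, _ = parse_authorized_keys(current_text)
    base_fps = {k.fingerprint for k in base_keys}
    cur_fps = {k.fingerprint for k in cur_keys}
    return {"removed": [k for k in base_keys if k.fingerprint not in cur_fps],
            "added": [k for k in cur_keys if k.fingerprint not in base_fps]}


def assess(diff, baseline_count):
    """Severity rule: losing every approved key while gaining an unknown one is the
    lock-out-and-persist pattern; any other change still deserves a look."""
    if diff["added"] and baseline_count and len(diff["removed"]) == baseline_count:
        return "high"
    if diff["added"] or diff["removed"]:
        return "medium"
    return "none"


def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def constructed_ed25519_blob(seed: str) -> str:
    """Well-formed ssh-ed25519 blob for the sample data only: the 32 'public key'
    bytes are just a hash of `seed`, not a real key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519")
                            + _ssh_string(hashlib.sha256(seed.encode()).digest())).decode()


BASELINE = "\n".join([
    "# approved keys for the device admin account (constructed sample)",
    f"ssh-ed25519 {constructed_ed25519_blob('admin')} admin@ops",
    f'from="10.0.0.5",no-pty ssh-ed25519 {constructed_ed25519_blob("backup")} backup@nas',
])
# The file after the behaviour described above (constructed sample)
CURRENT = f"ssh-ed25519 {constructed_ed25519_blob('unknown')} unknown\n"


if __name__ == "__main__":
    report = diff_authorized_keys(BASELINE, CURRENT)
    print("severity:", assess(report, len(parse_authorized_keys(BASELINE)[0])))
    for label in ("removed", "added"):
        for k in report[label]:
            print(f"{label:8} {k.key_type} {k.fingerprint} {k.comment}")
```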
Lakshmanan, Ravie, New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack, The Hacker News, 6 August 2022. Available online at https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html.
Weapons Systems Increasingly Complex, Increasingly Vulnerable
As high-tech weapons systems become more complex, relying on networked digital components, they are increasingly difficult to secure. An opinion piece in The Hill calls attention to the need to address the national security risk posed by vulnerabilities in weapons systems ranging from the B2 Spirit bomber, through tactical radio systems down to the engine and transmission controllers of ground combat vehicles.
Gates, Alexander, US strategic advantage depends upon addressing cybersecurity vulnerabilities of weapon systems, The Hill, 6 August 2022. Available online at https://thehill.com/opinion/cybersecurity/3591153-us-strategic-advantage-depends-upon-addressing-cybersecurity-vulnerabilities-of-weapon-systems/.
The whole concept of identity is a complex one, and this was brought home to me by events of the last week.
I work from home, as does my better half. We have dedicated offices, quite a sophisticated network setup (as you'd expect) and some years ago we switched from using an on-premises Lotus Notes and Domino setup to Google Workspace domains to provide email, calendar and other services for our businesses. This reduced my admin workload markedly, which was a great relief, and Workspace has turned out to be a great resource for many collaborative tasks - you'll notice that some of the course slides on this site are maintained in Google Slides, for example, and we make heavy use of Google Meet, Chat, Groups and Spaces, etc.
We also have a smart home, with voice-actuated lighting, Chromecast with Google TV, Chromecast Audio devices for music in various places, voice-controlled air conditioning and rooftop solar PV which is monitored using a Google Sheets-based dashboard. I also have uploaded music in what used to be Google Play Music and is now YouTube Music, as well as purchased movies in Google Play or YouTube or Google TV or whatever it's called this week.
A couple of weeks ago, our doorbell died. It's a classic battery-operated electro-mechanical chime, suffering the ravages of time and corrosion, so I searched online for a replacement. Nobody makes them any more - the closest replacements are completely electronic, with synthesized tones that really don't appeal. But we already have a home full of smart devices, so the obvious answer is to add a smart doorbell, and an even more obvious next move is to extend our Google ecosystem with a Google Nest doorbell.
Now, I'd already had some hints that this might not be straightforward; our Google Nest smoke detectors don't work in the Google Home app, instead requiring the Nest app. And I found I couldn't set up the Nest app using my Google Workspace account - it gave spurious error messages and in the end I had to resort to a free Gmail account, which is now doing little other than attracting spam.
But I attributed that to the Nest app pre-dating the Google acquisition. By now, surely, Nest had been integrated into the Googleverse, their developers brought up to speed on the Google Way of doing things? And indeed, a Nest Hub I'd bought had configured itself with no problems. So the doorbell should work with it, right?
Boy, was I wrong!
I ordered a doorbell from the Google Store, and it duly arrived. I immediately ripped the package open and set about following the setup instructions, which involve scanning a QR code printed on the doorbell and its packaging. However, when I got to a step which involved "Supplemental Nest terms", tapping on "I agree" I got an error message: "Request contains an invalid argument" and the setup process hung. No matter what I tried, I could not get past that point.
So I did all the usual things, and ended up requesting an online chat session with Nest support (in my experience, it's easier to debug phone-based setups without using the phone, and the chat session also preserves a record - something I felt might be useful).
To cut a long story short, Google's response is essentially that a Google Workspace account is not a Google account. In essence, "thanks for being a paying customer - screw you".
The support tech asked me to use a different email account. I said I wouldn't.
I asked, "Are you saying that a Google device will not work with a Google account?", and got the reply, "It will work with a Google account but it should not be any business account".
No matter what I said, the answer was, "Create another account". That won't work - and there's a very simple reason - every other device in our household is configured to use my Google Workspace account.
In the interests of fairness and accuracy, I later did do what they had recommended - I set up the doorbell using a free Gmail account, and guess what? It worked, but was useless, since whenever the button was pressed, nothing happened on any of the Google Home or Nest Hub devices in our home.
So I went back to the Google Store, and filled in their Returns form - and the very first pull-down option for the return reason in the form was "Does not work with my account". It certainly looks like this is a common complaint.
Why Is This So?
Look, I'm a security architect. I get it. In a Google Workspace account, the data is managed by the organization that runs the domain - in my case, that's my company. Google obviously feels that doorbell events, video recordings etc. are personal data that shouldn't be available to an employer.
But guess what? I am the employer. There's a conflict between Google Workspace and the Google Home app, and its related devices when, as in my case, your Workspace is your Home.
Besides, there are lots of small businesses that are located in converted warehouses, terrace houses (very popular in inner Sydney suburbs and North Sydney) or even suburban brick veneer house-like premises that actually have a front door and need a doorbell. Retail jewelers are an obvious example, but I can think of market research consultancies, accountants, advertising agencies, dentists and optometrists, medical specialists and many others that work this way. In this case, the owner of the doorbell is in no sense a person - it's the business.
We've seen this problem of corporate vs personal data being accessed by corporate or personal systems before. When the Google Home devices and the related Google Assistant feature for phones were first introduced, they were able to access email and calendar information for free Gmail accounts only. I suspect Google were concerned that allowing "home" devices to access information in Workspace accounts would cause them problems in passing SSAE 18 SOC 2 and 3 audits and the like (it's interesting that these devices use voice matching to identify who is speaking and respond appropriately - but this is not really authentication).
But then, a beta program was opened up, and eventually the feature was made fully available. Each morning the little speaker on my desktop greets me at 8:30 am and then tells me my appointments for the day, and will answer questions like "when is my next meeting?". The feature needs to be enabled in the Google Workspace admin console, but that's completely appropriate.
This is a risk management decision that needs to be made by the customer and not by Google. If someone is able to get into my office and somehow access sensitive data by talking to a smart speaker, I've got much bigger problems, primarily with physical security, than I do with voice authentication. I'd probably want to upgrade my physical security controls - perhaps by installing Google Nest cameras and a Google Nest doorbell . . . Oh, wait . . .
Google needs to similarly configure a flag which allows a Nest doorbell owner to accept that their doorbell data will be stored in a Workspace account and - shock! horror! - accessible by their employer, which is themselves. (In fact, I'm not entirely sure that Workspace admins can access that kind of profile data - I can't see anything like it in my own Workspace admin console.) Or it needs to allow a Google Workspace account to define locations which can be managed by Google Workspace.
At heart, the problem is one of our multi-faceted identities. Some of us do have a personal identity and a work identity, and possibly others. Google expects these to be different accounts. However, for some people these are just different facets of a single identity, or maybe it's all one.
For Google, this is a big problem that needs to be addressed.
I've struck lots of problems because of having a Workspace account. The first was trying to get a Xiaomi Mi Box running Android TV to work; because we had implemented mobile device management, and Workspace assumed that this Android device must be mobile, yet could not run the necessary agent, I never did manage to get it to work.
Then the ability to set reminders was removed, "in order to improve the product". My reminder to plug in a backup drive simply stopped working. I can't tell my smart device to remind me to move my laundry to the tumble dryer in an hour, because I'm a Google Workspace user.
If you are a paying Google customer, everybody else's products work better for you than Google's.
Then there were the Nest Alert smoke detectors - but then, I don't think even ordinary Gmail account users can see them in the Home app yet. If I try to invite my better half, who shares this home, to join the Google Home, I get yet another spurious, "Unable to send invitation - try again later", message. Google One cloud storage, which I got free when I bought a Pixel phone, is not available to me. Family sharing won't work.
The list goes on, and on. This is a problem that crops up again and again in Google's support communities, where volunteers simply tell those who complain what they already know - "this feature is not supported for Workspace accounts. Have a nice day". Don't tell us - tell Google. Before long, threads are simply locked or deleted, to avoid the extent of the customer unrest becoming obvious.
Nobody in senior management at Google seems to have any coherent strategy for building a Google ecosystem, or leveraging their product lines. Products are launched, achieve popularity and are then withdrawn, to join many others in the legendary Google Graveyard. But if you are a paying Google customer, it's even worse: everybody else's products work better for you than Google's. Ring doorbells, Sonos speakers - you name it.
I can't imagine any other company managing to do so much to alienate their best customers.
Epilogue
You couldn't make this stuff up. Here's a newly-posted Google Workspace "Ask Me Anything" video on the subject of cloud identity. Less than four minutes in, the presenter is selling the virtues of a single cloud identity by pointing out that having to have multiple identities, with different credentials, is time-consuming, not secure, and an unpleasant user experience, requiring different passwords.
https://www.youtube.com/watch?v=c6ddHRc_f0M
So why is Google's answer to the problem of its own products not working with Google Workspace, "create another identity"?
There's an old saying: don't pee on my leg and tell me it's raining.
Welcome to this issue of Security News, for the week commencing 1st August 2022.
News Stories
Russia-Ukraine Cyberwarfare Escalates
As the conventional conflict in Ukraine grinds on, Russia is finding itself on the receiving end of attacks in cyberspace - not just from Ukrainians but from hackers all over the world. Cyber activist group Anonymous, in particular, has launched multiple campaigns which have compromised many websites and databases, changing some file names to "Glory to Ukraine" and deleting most others using a wiper script, and disrupting the web sites of Gazprom and state news (i.e. propaganda) channel Russia Today (RT). They even managed to shut down the control center of the Russian Space Agency, Roscosmos.
Fowler, Jeremiah, Hacker Group Anonymous and Others Targeting Russian Data, Website Planet blog, July 2022. Available online at https://www.websiteplanet.com/blog/cyberwarfare-ukraine-anonymous/.
Bad News for Students Everywhere
The CEO of textbook publisher Pearson PLC has said that he hopes blockchain technology will help the company take a cut of secondhand sales of its books.
"In the analogue world, a Pearson textbook was resold up to seven times, and we would only participate in the first sale", he told reporters.
Struggling students everywhere groaned into their ramen bowls.
CISSP course attendees can read more in the wiki's Cryptocurrencies and Blockchain Technology page.
Seal, Thomas, Pearson Says Blockchain Could Make It Money Every Time E-Books Change Hands, Bloomberg Technology, 1 August 2022. Available online at https://www.bloomberg.com/news/articles/2022-08-01/pearson-hopes-blockchain-will-make-it-money-every-time-its-e-books-change-hands.
Craig Wright - Satoshi or Not?
Australian Craig Wright has often claimed to be the mythical Satoshi Nakamoto, who developed Bitcoin back in 2009.
In August 2022, Wright technically won a libel case against a blogger who had claimed that he was a fraud. However, the judge in the UK High Court case ruled that Wright had given "deliberately false evidence" in the case, and awarded only GBP1 in damages (Milmo, 2022). The claim that Wright was, in fact, Satoshi Nakamoto was not tested in court.
CISSP course attendees can read more in the wiki's Cryptocurrencies and Blockchain Technology page.
Milmo, Dan, Craig Wright wins 'only nominal' damages of GBP1 in bitcoin libel case, The Guardian, 2 August 2022. Available online at https://www.theguardian.com/technology/2022/aug/01/craig-wright-wins-only-nominal-damages-of-1-in-bitcoin-libel-case.
Hackers Steal Passwords for 140,000 Payment Terminals
Wiseasy is a popular Android-based payment terminal used in hospitality and retail outlets in the Asia-Pacific region. The company's Wisecloud service provides remote management, configuration and update of its terminals. However, pen-testing and dark web monitoring company Buguard found Wiseasy employee passwords on a dark web marketplace used by cybercriminals.
The passwords, which were stolen by credential-stealing malware, were the only protection for two cloud dashboards - the Cloudeasy system did not use multi-factor authentication or other protections, although MFA has now been added.
CISSP course attendees can read more about Multi-Factor Authentication and password stealers in the course wiki.
Whittaker, Zack, Hackers stole passwords for accessing 140,000 payment terminals, Tech Crunch, 2 August 2022. Available online at https://techcrunch.com/2022/08/01/wiseasy-android-payment-passwords/.
Post-Quantum Cryptography News
The mere threat of quantum computers which could break all widely-deployed public-key cryptoprimitives such as RSA and Diffie-Hellman has been enough to spur frantic development of post-quantum, or quantum-resistant algorithms. At first, development seemed lethargic, but it accelerated in recent years with NIST running an open competition to standardize on the winners.
At the end of the third round, last month, NIST announced one winning algorithm for key encapsulation and four winning signature algorithms. Now, IBM has announced the availability of most of these - the CRYSTALS-Kyber key encapsulation algorithm, and the CRYSTALS-Dilithium, FALCON and SPHINCS+ algorithms for signatures.
NIST also announced that four other key encapsulation algorithms, while not adopted as standards, would advance to a fourth round. However, one of these - SIKE (Supersingular Isogeny Key Encapsulation) - is quite probably dead in the water following the unexpected release of a paper detailing an attack which can recover a key in approximately one hour on a single-core PC.
Meanwhile, the ACM (Association for Computing Machinery) Technology Policy Council has released a short technical bulletin highlighting some risks and opportunities which have been obscured by our focus on the code-breaking implications of possible quantum computers. They point out that little progress has been made on quantum cryptanalysis, while powerful quantum simulators could be in use within two years.
CISSP course attendees can read the full background on the algorithms and the NIST competition in the Post-Quantum Cryptography wiki page, and some basic information on quantum computers on the Quantum Cryptography page.
Dames, Ann, How IBM z16 positions you to begin using quantum-safe cryptography, IBM cloud blog, 26 July 2022. Available online at https://www.ibm.com/cloud/blog/announcements/available-on-ibm-z16-future-proof-digital-signatures-with-a-quantum-safe-algorithm-selected-by-nist.
Garfinkel, Simson L. and Chris J. Hoofnagle, Quantum Computing and Simulation, ACM Technology Policy Council TechBrief, July 2022. Available online at https://dl.acm.org/doi/pdf/10.1145/3551664.
Goodin, Dan, Post-quantum encryption contender is taken out by single-core PC and 1 hour, Ars Technica, 2 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/.
Attackers Scanning for New Vulnerabilities
A new report from Palo Alto Networks' Unit 42 provides some insights which can assist defenders in planning their incident response plans and playbooks.
First, attackers tend to have particular favourites which they will scan for and repeatedly exploit, with just six CVE categories (ProxyShell, Log4j, ProxyLogon, SonicWall and Fortinet vulns and a vulnerability in Zoho ManageEngine ADSelfService Plus) accounting for more than 87% of vulnerabilities being exploited. These are all well known and have patches or compensating controls; the fact that they keep working clearly shows the importance of proactive patching. A second lesson is the importance of analyzing backwards along the kill chain, to find the vulnerability that led to the later stages of an attack, fix it, and block a campaign.
However, in other cases, some attackers are seen to be scanning for a vulnerability within 15 minutes of a CVE being released. This reinforces the old dilemma - patch as soon as you can, or regression-test the patch before deploying? Your vulnerability management and patch management processes clearly need to deal with this, possibly by patching highly-exposed systems immediately, but performing regression testing before patching well-defended critical systems such as back-end databases.
As found by others, the top access vector was phishing, followed by software exploits, then brute-force credential attacks targeting RDP.
CISSP course attendees can read more background information in the Patch Management, Vulnerability Management and Incident Response wiki pages.
Edge Editors, Attackers Have 'Favorite' Vulnerabilities to Exploit, Dark Reading, 30 July 2022. Available online at https://www.darkreading.com/edge-threat-monitor/attackers-have-favorite-vulnerabilities-to-exploit.
Unit 42, Incident Response Report 2022, Palo Alto Networks, July 2022. Available online at https://www.paloaltonetworks.com/unit42/2022-incident-response-report.
Stealthy Trojan Bypasses AntiVirus
A new variant of a 2018 bot called Amadey is being distributed via SmokeLoader malware, disguised as software cracks and fake keys which naive people use to try to activate pirated software. Once Amadey has been downloaded, it resides in the Windows TEMP folder and also registers itself as a scheduled task so that it can persist.
From there, it contacts a C2 server and downloads a plug-in to collect environment information such as the current user and computer names, OS and a list of installed applications. It also takes periodic screenshots, which it sends back to the C2 server. It also catalogues the installed anti-malware software, and can bypass antivirus products from 14 different vendors, including Avast, Avira, BitDefender, Kaspersky, Sophos and Microsoft.
After inspecting the gathered information, the attackers can then take any of several follow-up actions, including installing specialized plug-ins, such as an Outlook email stealer, a generic info-stealer called RedLine, or a tool for gathering information about any VPN clients installed on the system.
Interestingly, researchers who examined an earlier version of Amadey noted that it would not install these additional payloads if it judged that the victim was in Russia.
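A scheduled task whose action lives in a TEMP folder is the kind of persistence described above that is cheap to hunt for. The Go example below is an added illustration, not code from the Dark Reading article or from any vendor's product, and runs a simple rule over constructed task-creation events in a made-up `key=value` export format (an assumption: adapt the field names to whatever your EDR or Windows event export actually emits). It flags any task creation whose command path sits under a user-writable temp or public directory, which covers the Amadey behaviour without depending on a file hash.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of endpoint events in a simplified key=value export
// format (not any real product's log format). Two task creations are benign,
// two point into temp folders, and one is an unrelated process event.
var sampleTaskEvents = []string{
	`ts=2022-08-01T09:12:03Z event=TaskCreated task="\Microsoft\Windows\Defrag\ScheduledDefrag" command="C:\Windows\System32\defrag.exe" user=SYSTEM`,
	`ts=2022-08-01T09:14:47Z event=TaskCreated task="\OneDrive Standalone Update" command="C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" user=bob`,
	`ts=2022-08-01T09:15:10Z event=TaskCreated task="\Update" command="C:\Users\bob\AppData\Local\Temp\1b2c3d\svchost.exe" user=bob`,
	`ts=2022-08-01T09:15:11Z event=ProcessCreate image="C:\Windows\System32\cmd.exe" user=bob`,
	`ts=2022-08-01T09:16:02Z event=TaskCreated task="\Sys" command="C:\Windows\Temp\loader.exe" user=bob`,
}

// parseKV splits one line of space-separated key=value tokens, honouring
// double-quoted values that themselves contain spaces.
func parseKV(line string) map[string]string {
	fields := map[string]string{}
	rest := line
	for {
		rest = strings.TrimLeft(rest, " ")
		if rest == "" {
			break
		}
		key, after, found := strings.Cut(rest, "=")
		if !found {
			break // trailing token without '=': ignore the remainder
		}
		var value string
		if strings.HasPrefix(after, `"`) {
			end := strings.Index(after[1:], `"`)
			if end < 0 { // unterminated quote: take everything to end of line
				value, rest = after[1:], ""
			} else {
				value, rest = after[1:1+end], after[2+end:]
			}
		} else {
			value, rest, _ = strings.Cut(after, " ")
		}
		fields[key] = value
	}
	return fields
}

// writableDirs are path fragments (lower-case, backslash form) that ordinary
// users can write to and that legitimate scheduled tasks rarely run from.
// Treat it as a starting hunt list, not a complete one.
var writableDirs = []string{
	`\appdata\local\temp\`,
	`\windows\temp\`,
	`\users\public\`,
}

// Finding describes a scheduled task whose action runs from such a location.
type Finding struct {
	Task, Command, User string
}

// FindSuspiciousTasks applies the rule to every TaskCreated event in lines.
func FindSuspiciousTasks(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f := parseKV(line)
		if f["event"] != "TaskCreated" {
			continue
		}
		// Normalise separators and case so the fragment match is robust.
		cmd := strings.ToLower(strings.ReplaceAll(f["command"], "/", `\`))
		for _, dir := range writableDirs {
			if strings.Contains(cmd, dir) {
				out = append(out, Finding{Task: f["task"], Command: f["command"], User: f["user"]})
				break
			}
		}
	}
	return out
}

func main() {
	for _, hit := range FindSuspiciousTasks(sampleTaskEvents) {
		fmt.Printf("ALERT task %q runs %s as %s\n", hit.Task, hit.Command, hit.User)
	}
}
```

Run on the constructed events, the rule reports the `\Update` and `\Sys` tasks and leaves the Defrag and OneDrive tasks alone. A real deployment would add the parent process that registered the task and the image's signature status, but the path rule alone already catches the droppers that unpack into TEMP and schedule themselves from there.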
For more information about bots and trojans, CISSP course attendees can see the Trojan wiki page.
Vijayan, Jai, Supercharged Version of Amadey Infostealer & Malware Dropper Bypasses AVs, Dark Reading, 26 July 2022. Available online at https://www.darkreading.com/attacks-breaches/supercharged-version-amadey-infostealer-malware-dropper-bypass-av.
URL Parsing Vulnerability Affects Golang Applications
Application developers increasingly rely on standard function and class libraries in modern languages such as Rust and Go, rather than writing all that low-level code themselves. This is not a bad thing - apart from the productivity gains, writing high-quality, high-performance, versatile low-level code is not easy, and shared code with lots of users and lots of eyes on it is likely to be safer than rolling your own.
Unless it's not, as developers using the Go programming language are finding out. A new vulnerability called ParseThru allows a threat actor to bypass URL argument validation, exposing the APIs of applications written in the language to exploitation. The vulnerability is caused by changes to the way the net/url language library handles semicolons (;) in URL arguments - prior to version 1.17 they were treated as separators, but in 1.17 and later, non-URL-encoded semicolons are rejected and a warning logged.
When a Golang API using net/url version 1.17 or later communicates with a back-end service running an earlier version, an attacker is able to send a specially-crafted request containing a semicolon in the URL argument. The API code will ignore this, silently discarding the error message, but the back-end service will process it.
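To make the version mismatch concrete, here is an added Go example, written for this briefing rather than taken from the ParseThru research or from the Go project. `LegacyParseQuery` emulates the pre-1.17 splitting described above (an assumption about the old semantics, not the old source); the real `net/url` supplies the 1.17-and-later side; `Smuggled` shows which keys slip past a front end that calls `r.URL.Query()`, which discards the parse error; and `StrictParseQuery` plus a small middleware show the fix, which is to fail closed at the edge. The query string is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// LegacyParseQuery re-implements what net/url did before Go 1.17: both "&"
// and ";" separate key=value pairs. (Assumption: this emulates the behaviour
// the article describes; it is not the original Go source.)
func LegacyParseQuery(rawQuery string) url.Values {
	values := url.Values{}
	pairs := strings.FieldsFunc(rawQuery, func(r rune) bool { return r == '&' || r == ';' })
	for _, pair := range pairs {
		key, value, _ := strings.Cut(pair, "=")
		if k, err := url.QueryUnescape(key); err == nil {
			key = k
		}
		if v, err := url.QueryUnescape(value); err == nil {
			value = v
		}
		values[key] = append(values[key], value)
	}
	return values
}

// Smuggled lists the keys a pre-1.17 back end would see that a 1.17+ front
// end using r.URL.Query() does not. Query() calls ParseQuery and throws away
// the "invalid semicolon separator" error together with the offending pair.
func Smuggled(rawQuery string) []string {
	front, _ := url.ParseQuery(rawQuery) // error discarded, exactly as Query() does
	back := LegacyParseQuery(rawQuery)
	var keys []string
	for key := range back {
		if _, seen := front[key]; !seen {
			keys = append(keys, key)
		}
	}
	sort.Strings(keys)
	return keys
}

// ErrRawSemicolon is returned when a query string contains an unencoded ';'.
var ErrRawSemicolon = errors.New("query string contains a raw semicolon")

// StrictParseQuery is the hardened front-end parse: a raw semicolon, or any
// other parse error, fails the whole request instead of being dropped.
func StrictParseQuery(rawQuery string) (url.Values, error) {
	if strings.Contains(rawQuery, ";") {
		return nil, ErrRawSemicolon
	}
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	return values, nil
}

// RejectRawSemicolons applies StrictParseQuery at the edge so that nothing
// ambiguous is ever forwarded to an older back-end service.
func RejectRawSemicolons(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := StrictParseQuery(r.URL.RawQuery); err != nil {
			http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request: "role=admin" rides along inside the first pair.
	q := "user=alice;role=admin&action=view"
	front, err := url.ParseQuery(q)
	fmt.Println("1.17+ front end sees:", front, "error:", err)
	fmt.Println("legacy back end sees:", LegacyParseQuery(q))
	fmt.Println("keys the front end never validated:", Smuggled(q))
	_, err = StrictParseQuery(q)
	fmt.Println("strict parse:", err)
}
```

On Go 1.17 and later, `url.ParseQuery` returns an "invalid semicolon separator in query" error but still hands back the pairs that did parse, and `URL.Query()` drops the error, so the whole `user=alice;role=admin` pair vanishes silently while `action=view` survives; `net/http` also logs a warning unless the handler is wrapped in `http.AllowQuerySemicolons`. The defensive rule is that the first parser to touch a request decides whether it is valid, and the same raw-semicolon check belongs in any reverse proxy or WAF that fronts the older service.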
URL parsing vulnerabilities are not unique to Go, of course - this year alone they have been seen in libraries for C, JavaScript, PHP, Python and Ruby.
The take-away is that configuration management databases need to have a high degree of granularity. Would you know if an application you depended upon used two different versions of Go's net/url and was therefore vulnerable?
For CISSP course attendees, there's a little bit more information about the Go programming language in the course wiki, as well as info on configuration management databases.
Lakshmanan, Ravie, New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications, The Hacker News, 2 August 2022. Available online at https://thehackernews.com/2022/08/new-parsethru-parameter-smuggling.html.
Atlassian Resolves RCE Vulnerability in Jira Server
Continuing its (Australian) winter of woe, Atlassian has acted to fix a remote code execution vulnerability in its widely-used Jira Server and Data Center products. While the exploit, which worked via template injection in the Email Templates feature, required admin permissions, the company still gave it a CVSS score of 7.8.
Chirgwin, Richard, Atlassian patches email template vulnerability in Jira, IT News, 3 August 2022. Available online at https://www.itnews.com.au/news/atlassian-patches-email-template-vulnerability-in-jira-583531.
Australian Businesses Rate Cybersecurity As Highest Risk
While 20% of international respondents to PWC's annual Global Risk Survey rated 'cyber' as the top risk, behind market risks (22%) and business operating model risk (21%), Australian businesses see things differently, with 32% seeing 'cyber' as the top risk. Business operating model risk and geopolitical risks came well behind, at 22% and 19% respectively - in fact, the impact of COVID-19, economic volatility and climate change trailed even further behind.
This, in part, reflects increasing government attention, with the appointment of a Federal Minister for Home Affairs and Minister for Cyber Security (Claire O'Neil) - the first time cybersecurity has been a dedicated cabinet portfolio. However, it may also reflect an increasing realization that historical under-investment in cybersecurity has left companies exposed.
Perhaps we are finally getting the message through?
Crethar, Rick, et al., PWC 2022 Global Risk Survey - Australian Highlights, Price Waterhouse Coopers, July 2022. Available online at https://www.pwc.com.au/publications/global-risk-survey/2022-GRS-Australian-highlights.pdf.
Samaratunga, Sam, et al., PWC 2022 Global Risk Survey, Price Waterhouse Coopers, July 2022. Available online at https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-risk-survey.html.
New Exploitation Framework Found in the Wild
Many of us are familiar with the Cobalt Strike toolkit, which is widely used by both sides of the business. Now researchers have found a similar framework, named Manjusaka, which seems to have been developed and deployed by Chinese threat actors to attack both Windows and Linux systems. It joins an earlier toolkit called Brute Ratel.
Manjusaka consists of a versatile remote access trojan (RAT) which can execute arbitrary commands via a shell, steal credentials from the OS itself, web browsers, and wifi interfaces, as well as capturing screenshots. A matching file management module can explore directories and files, read, write and delete files, and move them.
A unique characteristic of Manjusaka is that the framework itself is written in the Go programming language, while its implants are written in the cross-platform language Rust, making attacks possible on different processor architectures, such as those found in embedded systems and industrial control systems.
Abrams, Lawrence, Ransomware, hacking groups move from Cobalt Strike to Brute Ratel, Bleeping Computer, 6 July 2022. Available online at https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-move-from-cobalt-strike-to-brute-ratel/.
Toulas, Bill, Chinese hackers use new Cobalt Strike -like attack framework, Bleeping Computer, 2 August 2022. Available online at https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-cobalt-strike-like-attack-framework/.
China - Taiwan Tensions Could Impact Chip Shortages
The semiconductor supply chain woes that have bedevilled many industries could be made much worse if China were to invade Taiwan. The world's biggest semiconductor manufacturer, TSMC, is headquartered in Hsinchu, Taiwan, and would be rendered inoperable in any conflict.
"Nobody can control TSMC by force. If you take a military force or invasion, you will render TSMC factory not operable", the Chairman of the company said in an interview with CNN this week. "Because this is such a sophisticated manufacturing facility, it depends on real-time connection with the outside world, with Europe, with Japan, with U.S., from materials to chemicals to spare parts to engineering software and diagnosis."
This gives the western world yet another incentive to maintain stability in the region - but in this respect, China would gain nothing, either.
Zakaria, Fareed, On GPS: Can China afford to attack Taiwan?, CNN, undated. Available online at https://edition.cnn.com/videos/tv/2022/07/31/exp-gps-0731-mark-liu-taiwan-semiconductors.cnn.
India Backs Down on Data Privacy
While the Indian government has passed far-reaching legislation dealing with cybersecurity and privacy, it has put on hold the introduction of its long-awaited Personal Data Protection Bill.
The bill, which was introduced in 2019, had attracted criticism from all sides: tech giants Meta, Google and Amazon expressed concerns as expected, but privacy groups had complained that the bill exempted government departments, prioritized the interests of large corporations and did not adequately respect the fundamental right to privacy.
A parliamentary panel received dozens of recommendations and proposed amendments which identified issues that were relevant but beyond the scope of a modern digital privacy law, according to Junior IT Minister Rajeev Chandrasekhar. The government will now work on a new comprehensive legal framework and present a new bill.
Given that India is the world's second-largest Internet market and many companies have dealings there, the passage of a sweeping privacy bill there could pose challenges, especially if it is tighter than the EU's GDPR, which many find challenging enough.
CISSP course attendees can find more background in the course wiki's Privacy page.
Singh, Manish, India withdraws personal data protection bill that alarmed tech giants, TechCrunch, 3 August 2022. Available online at https://techcrunch.com/2022/08/03/india-government-to-withdraw-personal-data-protection-bill/.
VMware Vulnerabilities - Patch Promptly!
VMware has released security updates to address multiple vulnerabilities in multiple products:
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability (CVE-2022-31656) affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability (CVE-2022-31658). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability (CVE-2022-31659), which VMware has evaluated to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
And many, many more . . . See https://www.vmware.com/security/advisories/VMSA-2022-0021.html for full details.
Universities Expose Students To Email Threats
A study of DMARC reports done by Proofpoint has revealed that universities are not doing a good job of securing their student email systems, exposing students to spam, phishing, malmail-based ransomware and other email-based threats.
While 65% of the top US and UK universities - 13 out of 20 - did have a base level of DMARC protection, 5 of the top 10 US universities did not publish any level of DMARC record, Proofpoint found.
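What counts as "a base level of DMARC protection" comes down to what a domain's `_dmarc` TXT record says. The Go example below is added here (it is not from the Proofpoint study) and parses a record into its policy level, treating a missing record, an SPF record mistakenly published under `_dmarc`, and a record with no `p` tag the way RFC 7489 says receivers do; it then tallies, for a set of domains, how many publish anything at all versus how many actually enforce a policy. The sample records and the `example.edu` names are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Level is the degree of protection a domain's DMARC policy provides.
type Level int

const (
	NoRecord    Level = iota // nothing published, or not a valid DMARC record
	MonitorOnly              // p=none: receivers report, but deliver as usual
	Quarantine               // p=quarantine: failing mail is delivered to spam
	Reject                   // p=reject: failing mail is refused outright
)

func (l Level) String() string {
	return [...]string{"no record", "monitor only", "quarantine", "reject"}[l]
}

// Policy is the subset of DMARC tags this example evaluates.
type Policy struct {
	Level Level
	Pct   int    // share of failing mail the policy applies to (default 100)
	Rua   string // aggregate-report address, if any
}

// ParseDMARC evaluates one TXT record string following RFC 7489: the v tag
// must come first, p is required unless rua is present (then receivers treat
// the record as p=none), and pct defaults to 100.
func ParseDMARC(record string) Policy {
	none := Policy{Level: NoRecord}
	parts := strings.Split(record, ";")
	name, value, _ := strings.Cut(strings.TrimSpace(parts[0]), "=")
	if strings.ToLower(strings.TrimSpace(name)) != "v" || !strings.EqualFold(strings.TrimSpace(value), "DMARC1") {
		return none // v=DMARC1 must be the first tag; an SPF record or "" fails here
	}
	tags := map[string]string{}
	for _, part := range parts {
		if n, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.ToLower(strings.TrimSpace(n))] = strings.TrimSpace(v)
		}
	}
	p := Policy{Pct: 100, Rua: tags["rua"]}
	if n, err := strconv.Atoi(tags["pct"]); err == nil && n >= 0 && n <= 100 {
		p.Pct = n
	}
	switch strings.ToLower(tags["p"]) {
	case "reject":
		p.Level = Reject
	case "quarantine":
		p.Level = Quarantine
	case "none":
		p.Level = MonitorOnly
	case "":
		if p.Rua == "" {
			return none // p is mandatory unless rua is present (RFC 7489 section 6.6.3)
		}
		p.Level = MonitorOnly
	default:
		return none // unknown policy value
	}
	return p
}

// Enforcing reports whether the policy would actually affect delivery of
// spoofed mail: quarantine or reject, applied to a non-zero share of messages.
func (p Policy) Enforcing() bool { return p.Level >= Quarantine && p.Pct > 0 }

// Summarize counts domains that publish any valid record and domains whose
// record actually enforces a policy.
func Summarize(records map[string]string) (published, enforcing int) {
	for _, rec := range records {
		p := ParseDMARC(rec)
		if p.Level != NoRecord {
			published++
		}
		if p.Enforcing() {
			enforcing++
		}
	}
	return published, enforcing
}

// Constructed sample records (example.edu names, not real universities' DNS).
var sampleRecords = map[string]string{
	"reject.example.edu":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example.edu",
	"quarantine.example.edu": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@quarantine.example.edu",
	"monitor.example.edu":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.edu",
	"implicit.example.edu":   "v=DMARC1; rua=mailto:dmarc@implicit.example.edu",
	"spfonly.example.edu":    "v=spf1 include:_spf.example.edu -all",
	"none.example.edu":       "",
}

func main() {
	for domain, rec := range sampleRecords {
		p := ParseDMARC(rec)
		fmt.Printf("%-24s %-12s pct=%d enforcing=%v\n", domain, p.Level, p.Pct, p.Enforcing())
	}
	published, enforcing := Summarize(sampleRecords)
	fmt.Printf("%d of %d publish a record, %d enforce a policy\n", published, len(sampleRecords), enforcing)
}
```

For live checks, feed the strings returned by `net.LookupTXT("_dmarc." + domain)` into `ParseDMARC`. The distinction the code draws is the one that matters when reading surveys like Proofpoint's: a `p=none` record gives the domain owner reports but gives the recipient nothing, and `pct=0` turns even `p=reject` into monitoring.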
Montalbano, Elizabeth, Universities Put Email Users at Cyber Risk, ThreatPost, 2 August 2022. Available online at https://threatpost.com/universities-email-cyber-risk/180342/.
Checkpoint Releases its 2022 Mid-Year Cyber Attack Trends Report
Security vendor Checkpoint has released its mid-year report on cyber attack trends and, as you'd expect, it makes depressing reading. Major trends include continuing growth in cyber attacks - up 42% globally - cyberwarfare (with associated hacktivism) becoming an essential part of conventional warfare, ransomware remaining the number one threat, supply chain attacks moving into the cloud, and everyday life now being noticeably impacted by cybercrime.
The chapter on prevention of attacks is interesting; for some years the focus in our industry seems to have swung away from prevention towards detection and response, leading to a perpetual game of whack-a-mole as entry-level SOC analysts frantically respond to what they see in Splunk - the theory being that the Bad Guys will get in anyway, so detection and response are where the rubber meets the road. The problem is that it can get hard to spot the Bad Guys, hidden as they are among the Very Naughty Boys - you'd better have some experienced threat hunters on hand to sort the wheat from the chaff.
Perhaps it is time to apply a bit more effort to prevention, through the application of some basic security architecture and hygiene principles - this will improve the signal-to-noise ratio and also reduce the manpower requirements. Of course, Checkpoint would love to sell you a complete 'solution' to do a lot of this, but the basic principles are universally applicable.
Horowitz, Maya, et al., Cyber Attack Trends 2022 Mid-Year Report, Checkpoint Research, August 2022. Available online at https://pages.checkpoint.com/cyber-attack-2022-trends.html.
Cryptocurrency Irony Abounds
Cryptocurrencies aren't usually a concern for infosec professionals, but you probably get dragged into conversations about cryptocurrencies and blockchain technology (which is why the CISSP course wiki has a page devoted to the topic). After I've regaled people with a few horror stories of rug pulls and other scams, my interlocutors generally lose interest, and I check off my good deed for the day.
But the horror stories continue. The collapse of cryptocurrency lender Celsius has provided yet another cautionary tale, this time laced with irony. The crypto giant was "marketing itself much like a bank but without the same regulations" (my emphasis), the lack of regulation presumably being why investors could expect huge returns. When the inevitable happened and the company collapsed, those same investors are now petitioning the bankruptcy court in hopes that regulations might allow them to recover at least some of their money.
How can I put this? If you take huge risks on unregulated . . . for lack of a better word, scams . . . then you cannot rely on regulation to kiss it better.
It would be funny, except that people have lost their life savings, causing real hardship.
In related news, the market is being flooded with second-hand Rolex and Patek Phillipe watches, as desperate crypto bros are forced to liquidate some of their toys.
Bogle, Ariel, Australian investors left with nothing as cryptocurrency giant Celsius goes bankrupt, ABC News, 4 August 2022. Available online at https://www.abc.net.au/news/science/2022-08-04/cryptocurrency-celsius-network-bankruptcy-australian-investors/101293028.
Hoffman, Andy, The Crypto Collapse Has Flooded the Market With Rolex and Patek, Bloomberg Pursuits, 29 July 2022. Available online at https://www.bloomberg.com/news/articles/2022-07-29/the-crypto-collapse-has-flooded-the-market-with-rolex-and-patek.
Everyone's a Winner in the Upcoming (ISC)² Board of Directors Election
In November, (ISC)² will run the election for its Board of Directors. There are five open positions, and by coincidence, the Board's Nomination Committee has recommended, and the entire Board has endorsed, five candidates. Unless a few candidates manage to raise the required 500 signatures to successfully petition to be included in the ballot, it's hardly an election at all.
Lest readers think this is no big deal, here are a few facts and figures: according to (ISC)²'s IRS form 990, its gross receipts for the last reported financial year were $US85,362,992 - not exactly chicken feed - and its assets were $US115,725,304. CISSPs might want to ask themselves whether this non-profit is delivering value for the Annual Maintenance Fees; those who think not might consider petitioning to stand for election - instructions were in the Board Candidates announcement email they received yesterday. The deadline is 2 September - better start organising those signatures now!
(Form 990 figures sourced from https://www.guidestar.org).
Remote Worker Reprimanded for Using Mouse Jiggler
A cautionary tale: telecommuter Gabrielle Judge was reprimanded by her employer for using a 'mouse jiggler' program, which keeps a computer awake and gives the appearance the worker is online and available. The program was not the only issue - apparently she had missed some meetings and explained offline periods as due to thunderstorms.
Security lessons: Obviously, there's the issue of a user installing unauthorised software (but if this is really a concern, use application whitelisting and don't give the user local admin privileges). But then there's the issue of security staff being dragged into policing employee productivity and timekeeping. It's not a security issue, but one of management supervision, and security can have a fraught relationship with staff anyway, with constant "Don't do this, don't do that" messaging. This just further erodes the trust we need. What do you think?
Harding, Rebekah, 'My manager caught me': Remote worker says they got reprimanded for using 'mouse jiggler' app, sparking debate, Daily Dot, 1 August 2022. Available online at https://www.dailydot.com/irl/remote-work-mouse-jiggler/.
Zero-Day Defence Hints
An article by Akamai's Principal Security Researcher provides a list of useful techniques for hardening defences against zero-day exploits, returning us to the theme of stiffening defences, rather than operating reactively. The techniques should be well known to all of us, but it's good to be reminded now and again:
- Monitor and update from vulnerability scanner repositories
- Make the most of your web application firewall
- Monitor client reputation
- Control traffic rates
- Watch out for bots
- Don't overlook outbound activity
- Sequester identified attack sessions
- Contain the blast radius (network enclaves, microsegmentation)
CISSP course attendees can find more resources throughout the course wiki, but especially on the Cyber Resilience page.
Barnett, Ryan, Zero-Day Defense: Tips for Defusing the Threat, Dark Reading, 4 August 2022. Available online at https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat.
GitHub Projects Cloned, Not Hacked, to Distribute Malware
Cloning of GitHub projects is not uncommon as people fork open-source projects to create customised derivatives. But attackers have cottoned on to this technique as a way of distributing back-doored versions and malware. Software developer Stephen Lacy dropped a bombshell when he revealed that he had discovered over 35,000 different cloned GitHub repositories, including clones of crypto, golang, python, js, bash and docker projects. The malware is added to rpm package install scripts, docker images and install documentation.
The malicious projects were easily identified by a single IoC, the URL of what is presumably a C2 server - which suggests a single group is behind this attack.
Update: a day later, Paul Ducklin at Sophos followed up with some more information. A Twitter account going under the name of "pl0x_plox_chiken_p0x" claims to have created the cloned projects as part of some bugbounty research. To which we can only say: pull the other leg, squire - it has got bells on.
The lesson: it's safer to install software as signed packages from official distribution repositories, and when looking for software, don't search GitHub but instead follow links from official software project pages.
Ducklin, Paul, GitHub blighted by "researcher" who created thousands of malicious projects, Sophos Naked Security, 4 August 2022. Available online at https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/.
Sharma, Ax, 35,000 repos not hacked - but clones flood GitHub to serve malware, Bleeping Computer, 3 August 2022. Available online at https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/.
Malware Masquerades as Legit Software
Yet another reason to block users installing unauthorised software: threat actors are tricking users into downloading and installing malware by making it look like popular programs. The most popular mimicked applications include Skype, Adobe Reader, VLC Player, 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom and WhatsApp.
Independent users - working from home or in SMEs, etc. - often simply Google for software they need to join webinars and meetings, unzip files, or perform other tasks. Very often, unauthorised distribution sites appear at the top of the results page - and, of course, the attackers can simply pay Google to ensure they are at the top of the page. They also register plausible-looking domain names, add the icon of the genuine product to their infected installer program and generally look authentic and plausible. In other cases, the genuine software product is simply packaged with other malware infectors, or the malware is installed from within a modified installation script.
Lakshmanan, Ravie, VirusTotal Reveals Most Impersonated Software in Malware Attacks, The Hacker News, 3 August 2022. Available online at https://thehackernews.com/2022/08/virustotal-reveals-most-impersonated.html.
Draytek Vigor Routers RCE Vulnerability
Although Draytek routers are not normally found in enterprise networks, the prevalence of telecommuting and hybrid work means that we need to keep a watching brief on devices like these that are widely deployed in homes and small businesses. Another vulnerability (CVE-2022-032548) has popped up, and given that this is an RCE vuln with a CVSS score of 10 and these routers are a favourite target of Chinese state-sponsored attackers, this one is worthy of prompt action.
Laulheret, Philippe, Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers, Trellix, 3 August 2022. Available online at https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html.
Security Training - Common Mistakes
The gap between the informed and always-on approach of security professionals and the sleepy approach of the average user means that we are not always the most sympathetic and well-equipped people to design and especially deliver security education, training and awareness to The Great Unwashed - err, I mean, the non-technical personnel in our enterprises. Nonetheless, there are some activities we typically have to be involved in, and one of these is phishing simulations.
Given that phishing is the number one attack vector - just ask any pen-tester how effective it is for them - it's worth doing this right, and a short article from CybeReady gives three common phishing simulation mistakes that can sabotage our training efforts:
- Testing instead of educating - trying to catch and punish repeat offenders is counterproductive
- Using the same simulation for all employees - this will only catch the stragglers of the herd
- Relying on data from a single campaign
CISSP course attendees will find more tips in our Security Education, Training and Awareness wiki page.
CybeReady staff, Three Common Mistakes That May Sabotage Your Security Training, The Hacker News, 4 August 2022. Available online at https://thehackernews.com/2022/08/three-common-mistakes-that-may-sabotage.html.
Lockheed Martin Manufacturing Systems Targeted by Russian Hacktivists
The Russia-Ukraine conflict continues to spill over into cyberspace. According to Killmilk, the leader of pro-Russian hacker group Killnet, his group has switched from its earlier DDoS attacks on such targets as Lithuanian government and business, the website of the US Congress and - for some weird reason - the website of a Connecticut airport, to a more sophisticated attack on the manufacturing systems of defence contractor Lockheed Martin.
Killmilk has claimed he would also leak personal information of the company's employees so that they could be "persecuted and destroyed around the world", and has set out to recruit other groups to the cause: "I call on all hacker groups to create an escalation in Lockheed Martin's production cycles around the world, as well as to spread personal information about the terrorists of this company", he posted on Telegram.
In related news, the Russian military has claimed to have hacked into the US-supplied HIMARS Multiple Launch Rockets System which Ukraine has been putting to devastatingly good use against Russian command centres, ammo dumps and supplies.
Kadam, Tanmay, Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS - Reports, The Eurasian Times, 2 August 2022. Available online at https://eurasiantimes.com/russian-hackers-launch-cyber-attacks-on-lockheed-martin/.
Top Malware Strains of 2021
The US Cybersecurity & Infrastructure Security Agency and Australian Cyber Security Centre have issued a joint advisory (Alert AA22-216A) listing a hit parade of 2021's malware. Probably most concerning is that two aging bits of code - the Qakbot and Ursnif banking trojans - have continued to evolve, adding new functionality such as reconnaissance, lateral movement, data gathering and exfiltration, payload dropping and the formation of botnets.
As discussed here previously, phishing and malmail remain the most popular vectors for delivery, followed by RDP brute-forcing, and the best defensive controls remain the obvious ones: proactive patching, security education, training and awareness, offline, offsite backups and multi-factor authentication.
The advisory includes brief descriptions of the top malware strains - Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader - as well as Snort signatures for them.
CISA and ACSC, 2021 Top Malware Strains, Alert AA22-216A, 4 August 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-216a.
Identity and Access Management is the New Perimeter
The process of deperimeterization and movement to cloud has shifted our focus away from firewalls and network security. In an upcoming talk at Black Hat in Las Vegas, Igal Gofman will make the case that threat actors have also shifted focus - to cloud-hosted IAM systems. He's got a good point - many enterprises, of all sizes, have cut costs by migrating to SaaS systems like Google Workspace and Microsoft 365, as well as building systems using PaaS and IaaS. This has now led to increasingly complex cloud architectures in which services authenticate to each other via API keys.
The problem is, says Gofman, that the Bad Guys are figuring out ways to compromise these identities, and his talk will cover these techniques, the competing cloud providers' security architectures, as well as open-source tools for gaining visibility into infrastructure.
Seals, Tara, Cyberattackers Increasingly Target Cloud IAM as a Weak Link, Dark Reading, 5 August 2022. Available online at https://www.darkreading.com/cloud/cyberattackers-increasingly-target-cloud-iam-as-a-weak-link.
Getting Started With Post-Quantum Crypto
Cloudflare has quickly jumped on the post-quantum bandwagon, and has encouraged others to do so as well by adding support for the CRYSTALS-Kyber key encapsulation algorithm on a number of test domains, and also adding support for CRYSTALS-Kyber in forks of the BoringSSL and Go open-source projects. This will allow security architects to investigate the performance and RAM requirement impact of using this algorithm.
Westerbaan, Bas, Christopher Patton and Peter Wu, Experiment with post-quantum cryptography today, Cloudflare blog, 4 August 2022. Available online at https://blog.cloudflare.com/experiment-with-pq/.
Logical Qubits Used for First Calculation
Researchers have, for several years, been trying to improve the stability of the qubits that form the basis of quantum computers. Last year, both Google and Honeywell announced significant advances by linking qubits into more stable groups called logical qubits, which use quantum error-correction. Without this, current quantum computers have error rates as high as one in one-thousand, which is clearly insufficient for even simple computing tasks.
Now, startup Quantinuum, formed through a merger between Cambridge Quantum and Honeywell Quantum Solutions, has been able to demonstrate - wait for it - calculations performed using a pair of logical qubits. This might not sound like much, but this is one of those 'walk before you can run' steps that will eventually make quantum computers practical.
Google Quantum AI, Exponential suppression of bit or phase errors with cyclic error correction, Nature, vol. 595, no. 7867, pp. 383–387, July 2021. doi: 10.1038/s41586-021-03588-y.
Ryan-Anderson, C. et al., Realization of real-time fault-tolerant quantum error correction, arXiv, 15 July 2021. Available online at http://arxiv.org/abs/2107.07505.
Shankland, Stephen, This '90's-Era Quantum Computing Idea Could Lead to a Massive Breakthrough, CNet, 5 August 2022. Available online at https://www.cnet.com/tech/computing/new-technique-brings-quantum-computers-closer-to-their-promise/.
Final Funny
Tying Spammers in Knots
Courtesy of contributor Peter Hillier: Security researcher Troy Hunt, of https://haveibeenpwned.com/ fame has wreaked vengeance on spammers by replying to them and inviting them to register on a site via an online form which ties them up in password generation hell. 😂
This reminds me of a similar technique I used to use on unsolicited salespersons calling our company. I had created a script for our Asterisk VoIP PBX which would read the weather forecast from the Bureau of Meteorology web site every few hours, strip out the HTML, and drop the resulting text in a file. I had a matching extension number which, when dialled, would read the contents of the file via a text-to-speech library.
So when someone rang and tried to sell me cheaper electricity, or long-distance services, or whatever, I would quickly reply, "Sorry - you're talking to the wrong person. I'm not in charge of that, but I'll transfer you to the right person, if you'll just hold for a few seconds". Then I'd transfer them to that extension, leaving them befuddled by what sounded like Stephen Hawking regaling them with the Sydney weather forecast.
They never rang back.
Frauenfelder, Mark, This guy made a diabolical form to send spammers to password purgatory, BoingBoing, 4 August 2022. Available online at https://boingboing.net/2022/08/04/this-guy-made-a-diabolical-form-to-send-spammers-to-password-purgatory.html.
That ends this weekly security news summary. I'll resume on Monday with a new daily format which should be smaller, easier to read and keep track of. Watch for it in your RSS feed or at https://www.lesbell.com.au/blog/index.php.
Welcome to the first of what I hope will be many weekly news briefs. This is a short one, starting part-way through the week, and consists of the stories that cross my desk as I continually update the various course wikis.
News Stories
Data Breach Costs Now Average $US4.35 Million
The cost of a data breach can be significant and continues to rise each year, hitting an average of $US4.35 million in the year between March 2021 and March 2022 (Fowler, 2022; Ponemon Institute and IBM Security, 2022). Critical infrastructure operators face even higher costs, with an average breach costing $US4.82 million.
Of the 550 organizations who responded to the Ponemon/IBM Security Cost of a Data Breach study, 83% had had more than one breach. 45% of the breaches were cloud-based, while 19% occurred because of a compromise at a business partner. There's more info for course attendees in the Cyber Event Impact and Asset Valuation pages of the CISSP Fast Track Review course wiki.
Fowler, Bree, Average Data Breach Costs Hit a Record $4.4 Million, Report Says, CNet, 27 July 2022. Available online at https://www.cnet.com/tech/services-and-software/average-data-breach-costs-hit-a-record-4-4-million-report-says/.
Ponemon Institute and IBM Security, Cost of a Data Breach Report 2022, IBM Security technical report, July 2022. Available online at https://www.ibm.com/security/data-breach.
Fraudulent Crypto Apps Net $US42.7 Million
The FBI has warned that cyber criminals are contacting investors and convincing them to download fraudulent mobile apps for cryptocurrency services. To date, 244 victims have been identified, with a collective total loss of $US42.7 million (Federal Bureau of Investigation, 2022). Investors are warned to be wary of unsolicited requests to download investment applications, verify that the company offering the app is legitimate, and treat applications with limited and/or broken functionality with skepticism.
In a letter to Apple CEO Tim Cook and Google CEO Sundar Pichai, US Senator Sherrod Brown transferred some liability to the tech firms, asking them to explain their processes for reviewing and approving crypto trading and wallet apps in their app stores (Kelly, 2022). Meanwhile, multiple US government agencies are pursuing alleged crypto scammers (Clark, 2022).
The CISSP course wiki page on Cryptocurrencies and Blockchain Technology contains more detail.
Clark, Mitchell, The government's going after alleged crypto scammers as market crashes, The Verge, 1 July 2022. Available online at https://www.theverge.com/2022/7/1/23188158/government-actions-cftc-doj-fbi-bitcoin-nft-investment-scams-market-crash.
Federal Bureau of Investigation, Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors, FBI Cyber Division Private Industry Notification, 18 July 2022. Available online at https://www.ic3.gov/Media/News/2022/220718.pdf.
Kelly, Makena, Apple and Google come under scrutiny for scammy crypto apps, The Verge, 28 July 2022. Available online at https://www.theverge.com/2022/7/28/23282297/apple-google-cryptocurrency-app-scams-trading-investors-senate.
UEFI Rootkits Discovered After 6 Years in the Wild
The UEFI BIOS flash ROM of system boards offers a particularly effective hiding place for rootkits - specifically, bootkits which infect a system before the operating system boots and loads - and which can survive reinstallation of the operating system and applications or even complete replacement of an SSD or hard drive.
In 2016, security firm Qihoo 360 reported on an early UEFI rootkit which had existed for a year, but the Western world did not notice this. However, Kaspersky has now detailed how the rootkit - which can reside in the firmware of some Gigabyte and ASUS motherboards - hijacks the boot process, acting to modify the boot manager, then the OS loader, then the OS kernel, and finally contacts a C2 server to download a malware payload (Global Research and Analysis Team, 2022).
The bootkit appears to be of Chinese origin, and has been detected in China, Vietnam, Iran and Russia. Some components of the bootkit chain have previously been used by a Chinese-operated botnet called MyKings (Goodin, 2022). You can find more information in the Rootkits and Memory pages of the CISSP course wiki.
Goodin, Dan, Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us, Ars Technica, 27 July 2022. Available online at https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/.
Global Research and Analysis Team, CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit, Kaspersky SecureList, 25 July 2022. Available online at https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/.
Malicious Browser Extension Steals Emails
A malicious extension for Chromium-based web browsers (Chrome, Edge and Whale) can install invisibly to the user and then steal emails from Gmail and AOL accounts (Gatlan, 2022). The attackers, believed to be a North Korean group dubbed Kimsuky and previously the subject of a CISA alert in 2020, install the extension by using a VBS script to replace the browser's Preferences and Secure Preferences files with ones downloaded from a C2 server. Once the files have been replaced, the browser will automatically load the extension, which inspects and exfiltrates emails. Kimsuky targets victims working in foreign policy, nuclear and other areas of strategic interest, primarily in the US, Europe and South Korea. There is more information for course attendees in the Browser Attacks page of the CISSP course wiki.
Cybersecurity & Infrastructure Security Agency, North Korean Advanced Persistent Threat Focus: Kimsuky, Alert AA20-301A, 27 October 2020. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa20-301a.
Gatlan, Sergiu, Cyberspies use Google Chrome extension to steal emails undetected, Bleeping Computer, 28 July 2022. Available online at https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/.
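As an added example (not from the reporting cited here), this PowerShell function audits the extensions recorded in a Chromium profile's Secure Preferences file and flags entries that did not come from the Web Store, are loaded from outside the profile, or have no integrity MAC recorded; the profile paths are constructed samples, and the JSON keys used are the ones Chromium writes into that file.

```powershell
# Added example, not from the cited reporting. Chromium records installed extensions
# under extensions.settings.<id> in the profile's "Secure Preferences" file and keeps
# an HMAC per entry under protection.macs; an attacker who swaps the whole file can
# register an extension that never passed through the Web Store. Paths are constructed.

function Get-ChromiumExtensionAudit {
    param(
        # Profile folder, e.g. "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
        [Parameter(Mandatory)][string]$ProfileDir
    )
    $prefFile = Join-Path $ProfileDir 'Secure Preferences'
    if (-not (Test-Path -LiteralPath $prefFile)) { throw "No Secure Preferences in $ProfileDir" }

    $prefs    = Get-Content -LiteralPath $prefFile -Raw | ConvertFrom-Json
    $settings = $prefs.extensions.settings
    $macs     = $prefs.protection.macs.extensions.settings
    $extRoot  = Join-Path $ProfileDir 'Extensions'

    foreach ($prop in $settings.PSObject.Properties) {
        $id   = $prop.Name
        $ext  = $prop.Value
        $path = [string]$ext.path
        $findings = @()

        # Web Store installs carry from_webstore = true; sideloaded ones do not.
        if ($ext.from_webstore -ne $true) { $findings += 'not from Web Store' }

        # Normal installs use a path relative to <profile>\Extensions; an absolute
        # path elsewhere means the extension was loaded from an arbitrary folder.
        if ([System.IO.Path]::IsPathRooted($path) -and
            -not $path.StartsWith($extRoot, 'OrdinalIgnoreCase')) {
            $findings += "loaded from outside profile: $path"
        }

        # Every entry Chromium wrote itself has a matching MAC; a missing one is a signal.
        if ($macs -and -not $macs.PSObject.Properties[$id]) { $findings += 'no integrity MAC recorded' }

        [pscustomobject]@{
            Id       = $id
            Name     = $ext.manifest.name
            Version  = $ext.manifest.version
            Enabled  = ($ext.state -eq 1)
            Findings = ($findings -join '; ')
        }
    }
}

# Usage with constructed sample paths: report only suspicious entries for Chrome and Edge.
# $profiles = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default",
#             "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default"
# $profiles | ForEach-Object { Get-ChromiumExtensionAudit -ProfileDir $_ } |
#     Where-Object Findings | Format-Table -AutoSize
```

Run it from a scheduled task or an EDR script hook across user profiles; a non-Web-Store entry appearing on a host whose policy forbids developer-mode extensions is the case worth an alert.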
Cyber Mercenary Sells Windows and Adobe Zero-Day Exploits
Although many APTs are either directly employed by, or at least sponsored by, nation states and occasionally terrorist networks, there are mercenary black hats who develop and sell zero-day exploits. One example, identified by Microsoft, seems to be selling Windows and Adobe Reader zero-day exploits to customers who have used them to target law firms, banks and strategic consultancies in the UK, Austria and Panama (Lakshmanan, 2022). The attacker, which Microsoft refers to as KNOTWEED, also acts directly, offering access-as-a-service and hack-for-hire services. Read more about Advanced Persistent Threats in the CISSP course wiki.
Lakshmanan, Ravie, Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits, The Hacker News, 28 July 2022. Available online at https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html.
Samsung Feature Protects Personal Data from Phone Technicians
Samsung is preparing to introduce a new feature for their Galaxy phones which will protect personal data from technicians working to repair a phone (Amadeo, 2022). Before sending a phone for repair, the owner can put the phone in 'repair mode'; technicians can then work on the phone and will have access to the default apps, but with no personal data, so that they can test the phone's operation. Upon return, the owner can re-authenticate, turn off 'repair mode' and resume normal usage.
Although Samsung does not reveal how the feature works, it is quite probably based on standard functionality of the underlying Android operating system, such as user profiles. Expect similar functionality from other phone manufacturers in the future.
Amadeo, Ron, Samsung's "repair mode" lets technicians look at your phone, not your data, Ars Technica, 30 July 2022. Available online at https://arstechnica.com/gadgets/2022/07/samsungs-repair-mode-lets-technicians-look-at-your-phone-not-your-data/.
Australian Spyware Author Charged
The Australian Federal Police have charged a 24-year-old Frankston man with six offences for creating, selling and administering a remote access tool between 2013 and 2019. The man had sold his RAT, which was named Imminent Monitor, to more than 14,500 people in 128 countries and had netted somewhere between $A300,000 and $A400,000 from the malware, which he mostly spent on delivery of fast food and other consumable items.
The AFP identified some 200 purchasers in Australia, mostly through their PayPal records, and also identified 44 victims; 14 of the purchasers had domestic violence orders against them and one was also registered on the Child Sex Offender Register. Global police raids in June 2019 resulted in 13 people being arrested for criminal activity using the RAT.
There is more information on trojan programs in the CISSP course wiki.
Travers, Penny and Elizabeth Byrne, Australian man charged over alleged spyware operation after global investigation involving AFP, ABC News, 30 July 2022. Available online at https://www.abc.net.au/news/2022-07-30/afp-charge-australian-man-over-alleged-spyware-operation/100996670.
Byrne, Elizabeth, AFP charge Australian man over alleged spyware operation, ABC TV News, 29 July 2022. Available online at https://www.youtube.com/watch?v=KtdfN06ur2s.
Hackers Work Around Disabling of MS Office Macros
While Microsoft has disabled the automatic execution of macros in its Office suite, threat actors have simply adopted a variety of new techniques to work around this. Between October 2021 and June 2022 the use of macro-enabled attachments by attackers dropped by about 66%, but they simply switched to using ISO, ZIP, RAR and other container attachments, as well as Windows Shortcut (.lnk) files. The reason for this is that Windows flags downloaded files as untrusted, with an attribute called the Mark of the Web (MOTW). So a directly downloaded .xlsx file will bear the Mark of the Web. A downloaded ZIP file will also bear the MOTW - but a spreadsheet file extracted from it will not. Attackers are also increasing their use of .XLL files, a specialized type of .DLL (Dynamic Link Library) file for Excel.
Larson, Selena, Daniel Blackford and the Proofpoint Threat Research Team, How Threat Actors Are Adapting to a Post-Macro World, Proofpoint blog, 28 July 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world.
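As an added example (not from the Proofpoint post), this PowerShell snippet reads the Mark of the Web from a file's Zone.Identifier stream, copies an archive's mark onto the files extracted from it, and lists the file types the post names that arrived without one; the paths are constructed samples.

```powershell
# Added example, not from the Proofpoint post. The Mark of the Web is an NTFS alternate
# data stream named Zone.Identifier; a line "ZoneId=3" means the file came from the
# Internet zone. Sample paths below are constructed, not taken from any real incident.

function Get-MotwZone {
    # Returns the ZoneId recorded in a file's Zone.Identifier stream, or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Copy-MotwFromArchive {
    # Re-applies the archive's Zone.Identifier stream to every file extracted from it, so
    # Office still opens them in Protected View and shortcuts are still screened.
    # (Files inside a mounted .iso/.img never receive the mark at all; extract them instead.)
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractDir
    )
    $zone = Get-Content -LiteralPath $ArchivePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Warning "$ArchivePath carries no Mark of the Web; nothing to propagate"
        return
    }
    Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value $zone
    }
}

function Find-UnmarkedRiskyFiles {
    # Lists the file types the post names (Office documents, .xll add-ins, .lnk shortcuts
    # and nested containers) that carry no Mark of the Web under the given folder.
    param([Parameter(Mandatory)][string]$Dir)
    $risky = '\.(docx?|docm|xlsx?|xlsm|xll|pptx?|pptm|lnk|iso|img|zip|rar|7z)$'
    Get-ChildItem -LiteralPath $Dir -Recurse -File |
        Where-Object { $_.Name -match $risky } |
        ForEach-Object {
            $zone = Get-MotwZone -Path $_.FullName
            [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; HasMotw = ($null -ne $zone) }
        } |
        Where-Object { -not $_.HasMotw }
}

# Usage with constructed sample paths:
# Expand-Archive -LiteralPath "$env:USERPROFILE\Downloads\invoice.zip" -DestinationPath "$env:TEMP\invoice"
# Find-UnmarkedRiskyFiles -Dir "$env:TEMP\invoice"   # lists the extracted .xlsx if the extractor dropped the mark
# Copy-MotwFromArchive -ArchivePath "$env:USERPROFILE\Downloads\invoice.zip" -ExtractDir "$env:TEMP\invoice"
# Find-UnmarkedRiskyFiles -Dir "$env:TEMP\invoice"   # nothing listed now
```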
Supply Chain Security Guidelines, In Brief
Back in May, NIST released an update to SP 800-161, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations". The 326-page document is dense, as you'd expect, but IBM's Security Intelligence blog has a useful summary (Elgan, 2022).
Elgan, Mike, NIST Supply Chain Security Guidelines: 10 Key Takeaways, IBM Security Intelligence, 28 July 2022. Available online at https://securityintelligence.com/articles/nist-supply-chain-guidelines-ten-takeaways/. There's more info in our CISSP Fast Track Review course wiki page on Cybersecurity Supply Chain Risk Management, obviously (for those enrolled in the course only).
Codebreakers Finally Break Some 1850s Ciphertext
This is absolutely fascinating. Between 1850 and 1855, a series of cryptic advertisements appeared in the newspaper The Times. Over the decades, many attempts were made to break and read these, but all were unsuccessful.
The ad appearances coincided with an attempted rescue mission headed by naval officer Richard Collinson, who was trying to find lost arctic explorer John Franklin and his men, who had disappeared in 1848. Franklin had set out to find the fabled Northwest Passage which would link the Atlantic and Pacific Oceans via the north of Canada, speeding trade with Asia and India.
Cryptanalysts Elonka Dunin and Klaus Schmeh, aided by journalist A.J. Jacobs, tackled the mystery, and have now cracked some of the ads with the aid of an 1817 naval codebook.
You can read the full story here:
Franceschi-Bicchierai, Lorenzo, Codebreakers Find 'Sexts', Arctic Dispatches in 200-Year-Old Encrypted Newspaper Ads, Vice Motherboard, 27 July 2022. Available online at https://www.vice.com/en/article/4axwz3/codebreakers-find-sexts-arctic-dispatches-in-200-year-old-encrypted-newspaper-ads.
Free Online Skills Courses
Recruitment and personnel management company Hays has been promoting free courses, some of which may be useful to technical professionals. A few relevant topics include:
- Implementing a Digital Transition
- Defining Problems Accurately
- Understanding Communication Skills
- What is Design Thinking?
- Root-Cause Analysis to Solve Problems
- Ethical Hacking (!?!)
I have not investigated these, cannot testify to their quality, and offer no warranties - it's possible that after registering, you are bombarded with marketing materials, and if you are, please let me know.
See https://www.hays.com.au/online-learning/skills-development.
Site News
New Forums
Attendees at our courses now have access to three new forums which allow for social chat, job-related postings (both recruiting and job-seeking) and services (again, both looking for and providing services such as pen-testing, consulting, audits, mentoring, etc.). These are located in the Security Watering Hole, where we can safely congregate.