Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

German General Data Retention Rule Violates EU Law

Attempts by European governments to proactively collect data in case it turns out to be useful in counter-terrorism investigations have taken a serious hit, with the European Union's Court of Justice ruling that such blanket collection of data can only be done in circumstances where there is a serious threat to national security.

The ruling illustrates the tension between governments' desire to make use of massive data collection and analytics in the name of national security and public safety, and citizens increasing concerns over personal privacy, especially in light of several countries' swing towards authoritarianism.

The ruling is the result of a case brought by Deutsche Telekom and ISP SpaceNet AG, challenging the German data retention law. Of course, the tech companies are less motivated by concerns for their customers' privacy and more by the burdensome costs of collecting and storing all that data.

Chee, Foo Yun, Germany's blanket data retention law is illegal, EU top court says, Reuters, 20 September 2022. Available online at https://www.reuters.com/technology/indiscriminate-data-retention-is-illegal-eu-top-court-says-2022-09-20/.

Enhancements in Windows 11 22H2 Security Baseline

Microsoft has released their security configuration baseline settings for Windows 11 22H2, adding a number of security improvements. Top of these has to be additional hardware-based protection against stack-smashing and return-oriented/jump-oriented programming attacks for machiines that use Intel's Control-flow Enforcement Technology or similar shadow stacks. The new feature, called Kernel Mode Hardware-enforced Stack Protection, also requires Virtualization Based Protection of Code Integrity (HVCI) to be enabled.

Other enhancements include enhanced phishing protection, including detection of the reuse of enterprise passwords on other applications or web sites and credential theft protection by blocking the loading of custom security support and authentication providers into the Local Security Authority Subsystem Service (LSASS) - a technique used by some credential stealers. The update also allows Administrator accounts to be locked in the event of brute-force attacks.

The new baseline can be downloaded using the Microsoft Security Compliance Toolkit found at https://www.microsoft.com/en-us/download/details.aspx?id=55319.

Munck, Rick, Windows 11, version 22H2 Security baseline, Microsoft Security Baselines Blog, 20 September 2022. Available online at https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520.

EU Proposes Stricter Regulation of Software and IoT Devices

Back to the EU, which has laid out its proposals for a new regulation, called the Cyber Resilience Act, which will regulate security of both digital hardware and software products. The legislators claim that an estimated annual cost of €5.5 trillion is down to two major problems with these products:

• A low level of cybersecurity, stemming from widespread vulnerabilities and no way to patch them, and
• Insufficient understanding and access to security information by users, leading them to choose insecure products and use them in an insecure fashion.

The Act will broaden the scope of existing legislation to cover non-embedded software and some hardware products which are not currently in scope, and aims to encourage the development of secure prodycts and a market in which purchasers are adequately informed to take cybersecurity into account when selecting and using products.

Uncredited, Cyber Resilience Act, Policy and Legislation proposal, 15 September 2022. Available online at https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.

Australia Plans Restrictions on Online Content

Still on the subject of proposed legislation, Australian enterprises may find themselves unexpectedly affected by changes in the industry codes relating to the Online Safety Act. The changes are intended to regulate what is described - and determined - by the eSafety Commissioner as "harmful online content". This is broken up into "Class 1" material, which is essentially material that would be refused classification under the National Classification Scheme, and "Class 2", which would be X18+ or R18+ materials. Class 1 is further subdivided, according to the nature of the offensive material.

Industry groups point to several problems with this approach. First, the classification scheme is - perhaps by necessity - somewhat vague, and can encompass some materials which are legal to create, distribute and possess. Secondly, while classification is definitely done for movies released to theatres, it is not practical to do this for every piece of material floating around the Internet.

Furthermore, the use of automated approaches to the detection of harmful content could seriously impact privacy, while manual review could prove even worse.

Bogle, Ariel, Australia's changing how it regulates the internet - and no-one's paying attention, ABC News, 21 September 2022. Available online at https://www.abc.net.au/news/science/2022-09-21/internet-online-safety-act-industry-codes/101456902.

Domain Shadowing Borrows Reputation for C2 Servers

Palo Alto Networks' Unit 42 researchers have documented a new tactic employed by cybercriminals in order to maintain their C2 domains by borrowing the reputation of legitimate enterprises. The tactic works by compromising the domain name servers of a legitimate business and then creating malicious subdomains. Because the legitimate domain names have existed for some years, they have established a good reputation in threat intelligence databases, and because this tactic does not affect the enterprise's other systems, it is likely to pass completely unnoticed.

Unit 42 built an automated pipeline which uses machine learning to analyze passive DNS traffic logs, detecting over 12,000 such shadowed domains between late April and late June of this year. Of these, only 200 were marked as malicious by vendors in VirusTotal. In one example, the operators of a phishing campaign had shadowed domains in the AU and US TLD's, and their shadowed domains had IP addresses located in Russia.

Szurdi, Janos, Rebekah Houser abd Daping Liu, Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime, technical report, 21 September 2022. Available online at https://unit42.paloaltonetworks.com/domain-shadowing/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.