This week
FTC may take legal action against those who don’t mitigate Log4Shell
The US Federal Trade Commission has indicated that it may “use its full legal authority,” including potential legal action, against companies that “fail to take reasonable steps to protect consumer data from exposure” resulting from Log4j and other similar future vulnerabilities.
This is both a non-story — of course, a regulator is expected to enforce regulation using its full power — but also particularly assertive. Analysis by Google (vol. 4, iss. 51) showed that in more than 1/4 cases Log4j is a dependency nested five packages deep. Many organisations don’t know what their first level of dependencies is, let alone their fifth.
One of the most overlooked, but effective, ways of mitigating against Log4Shell (and indeed many cyber threats) is ensuring that you have egress filtering/outbound firewall rules that limit access to legitimate, trusted sources only.
Interesting stats
I missed this back in October, however…
98% profit margin for ransomware actors, according to Coveware, who compared digital criminal enterprise to that of cocaine trafficking in the ‘90s (91% profit margin for the drug dealers) coveware.com
Other newsy bits
Phishing attacks using Google Docs
Reports of phishing attacks that use the comments feature of Google Docs to send messages to victims. The attacker creates a document and then adds a comment and tags the victim’s email address. A notification is generated by Google that includes a preview of the message, including any hyperlinks that the attacker wants to direct the victim to. Because the messages are ‘legitimately’ generated by Google they’re difficult to block (without blocking all Google messages) and the notifications also don’t show the originating account email - effectively masking the attacker. Notification abuse isn’t a new technique and is something that companies should be aware of when developing products that include user-generated content.
Related: You do phishing tests? Why? ”[In] almost all cases, you’re essentially giving them a detention, rather than a lesson” blueteamhackers.com (h/t Nick!)
New UK Information Commission begins five-year term
John Edwards has taken over from Elizabeth Denham as the UK’s Information Commissioner, and begins a five-year term responsible for data protection and freedom of information, amongst the other responsibilities of the role. Previously Edwards was Privacy Commissioner in New Zealand. Concerns exist (vol. 4, iss. 27, vol. 4, iss. 35) around the future direction of UK data protection regulation, not least Denham who gave a warning over the importance of independent governance of the ICO.
Twenty years of Trustworthy Computing
While chief executive of Microsoft, Bill Gates periodically wrote memos to all staff for high priority items that staff at Redmond and around the world should focus on. Twenty years ago his theme was trustworthy computing and it marked the beginning of Microsoft getting on top of the (seemingly) endless security issues affecting the Windows operating system.
“Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create.” — Bill Gates
Trustworthy computing had a profound e nffect on the way that Microsoft designed, built, tested and shipped its flagship operating system.
Today, security is still a key strategy for Microsoft, with revenues for their security business surpassing $10 billion this time last year (a 40% year-on-year growth). While a product line in its own right — rather than table stakes as Gates worried — the recent vulnerabilities in Azure are perhaps indicative of the need for a reboot of-sorts at Redmond?
Longer reads
Reframing cybersecurity to build a safer net
Great article from Dr Melanie Garson. If ‘cyber is a team sport’ then we need to ensure that, at every level, people want to be part of our team. Sovereign ‘splinternets’ are counter to this and increase digital divides.
As game theorist and Nobel laureate Thomas C. Schelling noted “there is a tendency in our planning to confuse the unfamiliar with the improbable … what is improbable need not be considered seriously.”
Lots of positive security here :-)
Assessment of EDR solutions
In An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors, George Karantzas and Constantinos Patsakis of the Universally of Piraeus and Athena Research Center in Greece look at the performance of common endpoint detection and response (EDR) solutions and their ability to detect and block behaviours often associated with advanced persistent threats (APTs). H/t Catalin Cimpanu.
In brief
Attacks, incidents & breaches
- Data breach at Florida healthcare provider Broward Health in October 2021 resulted in the compromise of 1.3M people’s patient data bleepingcomputer.com
- McMenamins, a craft brewer who run over 60 bars, venues and hotels, lost over 20 years of employee data during a ransomware attack. It’s interesting because, while storing these records for such a long time, many were inevitably out of date, making it difficult to contact the affected ex-employees. Know what data you’re storing, why, and how long you need to retain it for zdnet.com
- Websites for over 5,000 schools hosted by Finalsite, a vendor who offers ‘an easier way to market your school and manage communications’ have been affected by a ransomware incident techcrunch.com
- Online calendar bookings tool FlexBooker has announced a breach affecting 3.7 million users’ names, email addresses, phone numbers, password hashes and partial credit card information zdnet.com
Threat intel
- Cyber-criminals are using a modified version of Atera’s remote monitoring and management (RMM) software to install info-stealing malware and ransomware payloads bleepingcomputer.com
- This is almost comically brilliant: North Korea trying to infect Russian embassies with trojanised screensavers masquerading as new year greetings. The screeners themselves are 90s WordArt-tastic therecord.media
- MageCart / card skimming gangs compromised Brightcove’s cloud video service to steal information from ‘over one hundred’ sites that embedded video content on their site. Your checkout flow should have minimal third-party content loaded on it, and use subresource integrity (SRI) checks to detect unauthorised changes bleepingcomputer.com
- Not strictly cyber, however, Sweden has launched a ‘physiological defence agency’ to counter misinformation. It strikes me that the magic trick of persistent misinformation is ‘forcing’ liberal democracies into more authoritarian action and stances that undermine public trust and neutralise the ‘bad authoritarian regime’ card they love to play therecord.media
- Security researchers at ZecOps have published a proof of concept that blocks and then simulates the reboot function of an iOS device. Many iOS spyware and malware strains are unable to achieve persistence, meaning a reboot of a device would require an attacker to re-compromise the device. Intercepting and spoofing that reboot fools the user into thinking the reboot has occurred and removes the need to achieve that persistence therecord.media
Vulnerabilities
- Setting a long (500,000+ character) name for an Apple HomeKit device leads to denial of service bleepingcomputer.com
Cyber defence
- Sonicwall email and firewall products have been not logging events properly and preventing access to junk mailboxes because of the way the firm handles date stamps and the ‘Y2K22’ bug affecting the maximum size of an integer bleepingcomputer.com (see also, Honda, below)
Operational technology
- Some car models manufactured by Honda and Acura have been struck by the ‘Y2K22’ bug, resetting the clock in their navigation systems to 2002. Engineers from Honda believe the issue will self-resolve in August 2022, though they are working on a fix to ‘correct it sooner’ bleepingcomputer.com
Mergers, acquisitions and investments
- Recorded Future has acquired SecurityTrails (having previously invested in the firm) who collect and log domain and IP address information for $65M techcrunch.com
- Google has acquired security orchestration outfit Siemplify for $500M and will integrate these automation capabilities into its Chronicle offering theverge.com
And finally
Norton AV now comes bundled with a crypto-miner
As I covered back in June last year (vol. 4, iss. 23), NortonLifeLock decided that what their antivirus customers really needed was the ability for their AV to mine crypto-currency when their computer ‘is not in use’.
The feature is now live and, quelle surprise, users aren’t happy with one thread on Norton’s customer support forum describing how they are “absolutely furious” at the company and that “Norton should be DETECTING and killing off crypto mining hijacking, not installing their own.”
On a more serious note, Norton has ~80 million users, of which over 20 million paying customers, and the feature is also being rolled out to their Avira subsidiary who has over 500 million users on their free AV product. Norton is merging with Avast, who bring a further 435 million users to the party (though no news on any crypto features for Avast AV yet). That’s a huge number of people to be introduced to crypto-currency, and places a big responsibility on the company to be educating users on the risks and protections necessary to safeguard their digital assets.
I think there is also a significant question outstanding for the board of NortonLifeLock whose environmental, social and governance (ESG) priorities include establishing “NortonLifeLock as an environmentally responsible business.” Giving over half a billion users the option to dramatically increase their electricity consumption would seem counter to that objective. Still, they have planted 3,500 trees.