This coming week is a busy one for me, culminating in celebrating five years of Cydea: a few spaces are left at our birthday bash this Thursday evening. Hit reply if you’re available and interested in coming.
This week
Yubikey side-channel attack allows cloning
- The popular YubiKey 5 series of hardware multi-factor authentication tokens contains a cryptographic flaw that makes the keys susceptible to cloning. The side-channel attack stems from a vulnerability in the Infineon SLE78 microcontroller embedded in the key-fob-sized devices: the chip's cryptographic library leaks timing information while computing ECDSA signatures, which can be measured electromagnetically and used to recover the key's private signing key.
- The attack requires knowledge of the username and password, plus physical access to the YubiKey and around $11,000 of specialist equipment, so it's not a realistic attack vector that most people need to worry about. Maybe if you're a target for a nation state.
- There isn't a way to update the Infineon chip's firmware, so the vulnerability will persist in every affected YubiKey 5 series key already in circulation. Yubico's advisory says keys running firmware 5.7 or later use Yubico's own cryptographic library in place of Infineon's and are not affected, so remediation means replacing older keys rather than patching them. Writing your own crypto library is fine when, as here, it's your core business; however, these things are complex and take time, and the older keys will be in use for years.
- You can check which firmware a key is running with the YubiKey Manager CLI (ykman info) or the Yubico Authenticator app. YubiKeys are still a great form of 'phishing resistant' multi-factor authentication (MFA) and much better than SMS one-time codes: an attacker who has to physically borrow your key and spend $11,000 on kit is a very different threat from one who only needs to phish a code. LINK, ADVISORY
Telegram CEO says “not enough” done on content moderation
- Fresh from his arrest by French authorities and release on €5 million bail, Telegram CEO Pavel Durov has said that Telegram is not an “anarchic paradise”. In his first comments since the arrest, Durov said that “we take down millions of harmful posts… every day,” but admitted that Telegram’s moderation efforts are “not enough”. LINK
- Sergey Lavrov, Russia’s foreign minister, has said that Durov was “too free” in the company’s approach to content moderation demands from the West. LINK
- Co-operation with Russian authorities may be more forthcoming: a teenager was identified within days of causing rail disruption after authorities discovered their anonymous Telegram channel registered using an “anonymous Estonian SIM card”. LINK
Transport for London cyber incident
- Transport for London (TfL) warned customers about a cyber attack this week, though it was not forthcoming with any specifics. Trains, tubes, and buses were unaffected, but login pages for contactless and Oyster payments were down, and the APIs used by third-party apps such as Citymapper also appeared to be impacted. LINK
Interesting stats
$212 billion projected spending on information security in 2025, a 15% increase on 2024, according to Gartner, who reckon $101 billion will go on security software (including EDR), followed by $86 billion on security services such as consulting and managed services. LINK
1/3 of CISOs say they aren’t hiring, though there is an 8% average increase in security spending, which now accounts for 13% of the overall IT budget (up from 8.6% in 2020), according to IANS. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Jumping air gaps by using computer memory to generate electromagnetic emissions: rapidly switching signals on and off within the RAM modulates the emissions from the memory bus, which a nearby receiver can pick up. ‘RAMBO’, as the technique is being called (short for Radiation of Air-gapped Memory Bus for Offense), is the brainchild of researchers at Israel’s Ben-Gurion University and can transmit data at around 1,000 bits per second (~125 bytes/s). The group has form, having used similar techniques with LEDs, power supplies and other computer components. LINK, PAPER (PDF)
⚠️ Incidents:
- German air traffic control confirmed a cyber attack, but Deutsche Flugsicherung says operations were unaffected. LINK
- Tewkesbury Borough Council, in Gloucestershire, England, has notified residents of a cyber attack. It’s notable due to its proximity to GCHQ, the UK’s signals intelligence agency: presumably, some of Tewkesbury’s 97,000 residents work at ‘the doughnut’. LINK
- Avis has said that attackers breached one of its applications last month and stole personal information. In a letter to affected customers, the car rental giant said that the attacker had unauthorised access between 3rd and 6th August and that unspecified ‘sensitive data’ was accessed. Presumably, this could relate to identification or payment information. LINK
🏴☠️ Ransomware:
- Planned Parenthood of Montana has suffered a ransomware attack, with RansomHub claiming responsibility and threatening to leak 93GB of data it claims to have stolen from the systems of the reproductive healthcare non-profit. LINK
- An Iranian IT managed service provider is believed to have paid at least $561,000 in Bitcoin to cybercriminals amidst efforts to get its systems back online. Tosan, the company in question, provides services to 45% of Iran’s banks. LINK
🕵️ Threat Intel:
- Threat intel provider Morphisec believes that the Cicada3301 ransomware group may be a rebrand of the BlackCat/ALPHV group, given the “striking similarities” that the two groups share. LINK
- Sextortion scammers are now including images of the victim’s home, copied from online mapping platforms like Google Maps. Campaigns identify individuals’ names, emails and home addresses and send aggressive emails purporting to have compromised the victim’s computer and recorded webcam footage of them watching porn. Separately, Australian authorities are warning that children as young as 12 are being targeted in sextortion schemes. LINK, CHILD VICTIMS
🪲 Vulnerabilities:
- Zyxel is warning customers about a critical vulnerability in its business internet routers. CVE-2024-7261 (9.8/10) is an input validation issue that allows remote, unauthenticated attackers to execute arbitrary commands on the devices. LINK, ADVISORY
- Veeam has fixed a critical vulnerability in its backup and replication software. CVE-2024-40711 (9.8/10) is a remote code execution bug and one of 18 high and critical vulnerabilities affecting Veeam Backup & Replication, Service Provider Console, and One. LINK, ADVISORY
- Cisco’s Smart Licensing Utility… isn’t. “Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running,” says Cisco in a warning about the two critical vulnerabilities. CVE-2024-20439 (9.8/10) relates to a ‘static administrator credential’ (read: a secret, hardcoded admin account that you can just straight-up log in with), and CVE-2024-20440 (9.8/10) is “excessive verbosity” in debug logs, which (you guessed it) include authentication credentials and can be accessed via an API. Shambles. This is exactly the kind of thing that secure-by-design practices are meant to stop: no credentials baked into the build, and no secrets written to logs. LINK, ADVISORY
- Malicious Android apps are using optical character recognition routines to detect and steal cryptocurrency wallet information (such as recovery phrases in screenshots) from infected devices. LINK
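The two Cisco Smart Licensing Utility failure modes above, a static administrator credential and debug logs that contain credentials, are easy to recognise in code. The following is an added illustration, not Cisco's code or anything from the advisory: a hypothetical service's vulnerable login beside a hardened one that takes the admin password from the deployment environment, stores only salted hashes, compares in constant time, and scrubs secrets from anything that reaches a log. Service names, the environment variable and the sample password are constructed.

```python
"""Added illustration: static credential + credential-leaking debug logs,
each beside a hardened version. Hypothetical service code, not Cisco's;
names and the sample password are constructed."""
import hashlib
import hmac
import logging
import re
import secrets

# ---- Vulnerable pattern (do not copy) -------------------------------------
# A "break-glass" admin baked into the build: anyone who reads the binary,
# or this source, can log in everywhere the software is installed.
_STATIC_ADMIN = ("cslu-admin", "S3cr3tDefault!")  # constructed example value


def login_vulnerable(user: str, password: str) -> bool:
    # Second bug: the credential goes straight into the debug log.
    logging.getLogger("svc.vulnerable").debug(
        "login attempt user=%s password=%s", user, password)
    return (user, password) == _STATIC_ADMIN


# ---- Hardened pattern -----------------------------------------------------
_PBKDF2_ROUNDS = 100_000
_DUMMY_SALT, _DUMMY_HASH = b"\0" * 16, b"\0" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


class CredentialStore:
    """Holds only salted PBKDF2 hashes; the admin password is supplied by the
    deployment (environment or secrets manager), never by the source code."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Hash even for unknown users so timing does not reveal valid usernames.
        salt, expected = self._users.get(user, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = _hash_password(password, salt)
        return user in self._users and hmac.compare_digest(candidate, expected)


def store_from_env(env: dict) -> CredentialStore:
    """Refuse to start rather than fall back to a default or empty admin."""
    password = env.get("SVC_ADMIN_PASSWORD")  # hypothetical variable name
    if not password:
        raise RuntimeError("SVC_ADMIN_PASSWORD not set; refusing to start")
    store = CredentialStore()
    store.add_user("admin", password)
    return store


# ---- Log redaction ---------------------------------------------------------
# Belt and braces: the hardened login never logs the password at all, and a
# filter scrubs anything that looks like a secret before it is written.
_REDACTIONS = [
    (re.compile(r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)=\S+"),
     r"\1=[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*)(?:bearer|basic)?\s*\S+"),
     r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites each record's message in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def debug_line_as_logged(fmt: str, *args) -> str:
    """Return the exact line the hardened logger would write for fmt % args."""
    logger = logging.getLogger("svc.hardened")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    logger.debug(fmt, *args)
    return handler.lines[-1]
```

The redaction filter is a safety net, not the fix: the structural fix is that the hardened path never has a plaintext secret in a place a log statement could reach, and refuses to start without an operator-supplied credential instead of shipping one.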
🛠️ Security engineering:
- Threat actors are conducting campaigns dubbed “revival hijack”, re-registering the names of previously deleted packages on PyPI and using them to inject malicious code into downstream software that still references the old name. Software engineers should remove retired packages from their dependency lists as and when they are retired, to minimise their footprint and this type of exposure. LINK
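Removing retired dependencies is the right habit, but a pin to an exact version and hash closes the gap for anything you have not yet removed: a re-registered package under the same name ships different bytes, so its digest will not match and the install fails. Below is an added example of that check, written here and not taken from the research or from pip; it parses pip's own name==version --hash=sha256:... requirement syntax. The package name and artifact contents are constructed.

```python
"""Added example: verify artifacts against hash-pinned requirements so a
re-registered package with different contents fails closed. Package name
and artifact bytes below are constructed."""
import hashlib
import re

_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)\s+((?:--hash=sha256:[0-9a-f]{64}\s*)+)$")


def _canon(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' pin the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str) -> dict[tuple[str, str], set[str]]:
    """Map (name, version) -> allowed sha256 digests. Any requirement that is
    not pinned to an exact version *and* at least one hash is rejected."""
    pins: dict[tuple[str, str], set[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_LINE.match(line)
        if not match:
            raise ValueError(f"requirement is not pinned with a hash: {line!r}")
        name, version, hashes = match.groups()
        # "--hash=sha256:<hex>" -> "<hex>"
        digests = {h.split("=", 1)[1].split(":", 1)[1] for h in hashes.split()}
        pins[(_canon(name), version)] = digests
    return pins


def is_fully_pinned(text: str) -> bool:
    try:
        parse_pinned_requirements(text)
    except ValueError:
        return False
    return True


def verify_artifact(pins, name: str, version: str, data: bytes) -> bool:
    """True only if (name, version) is pinned and data matches a pinned hash.
    Unknown package or version: fail closed."""
    allowed = pins.get((_canon(name), version))
    if not allowed:
        return False
    return hashlib.sha256(data).hexdigest() in allowed


# Constructed sample: the bytes of the legitimate release that was reviewed ...
ORIGINAL_WHEEL = b"legit-tool 1.4.0 contents as reviewed"
# ... and what a re-registered package under the same name might ship.
REVIVED_WHEEL = b"legit-tool 1.4.0 contents from a stranger"

REQUIREMENTS = (
    "# generated with: pip-compile --generate-hashes\n"
    "legit-tool==1.4.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(ORIGINAL_WHEEL).hexdigest()}\n"
)
PINS = parse_pinned_requirements(REQUIREMENTS)
```

In practice you get the same behaviour from pip itself with pip install --require-hashes -r requirements.txt, which refuses any requirement that lacks a hash; the point of the example is to show why the revived package cannot pass even though its name and version look identical.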
🧿 Privacy:
- Clearview AI has been fined $33 million by the Dutch Data Protection Authority for “[building] an illegal database with billions of photos of faces” without gaining the proper consent. LINK
📜 Policy & Regulation:
- Security camera vendor Verkada will implement a comprehensive security programme as part of a settlement with the US Federal Trade Commission (FTC), which also includes a $2.95 million penalty for its email marketing practices. LINK
- The White House has turned its sights on Internet routing security, publishing a roadmap for network operators and government agencies to up their game on Border Gateway Protocol (BGP) security. BGP is how networks tell each other which IP address ranges they can reach, and so determines the path traffic takes between source and destination across the internet. Attackers have abused it to divert massive amounts of traffic down suspicious paths, such as via an unusual country. The roadmap’s headline recommendation is adopting Resource Public Key Infrastructure (RPKI): publishing Route Origin Authorisations for the address space you hold and validating other networks’ announcements against them. LINK
- Insurance companies Zurich and Marsh McLennan are calling on governments to engage in public-private partnerships to share the losses from “uninsurable” cyber events that cause critical infrastructure failure. (Some countries already have similar schemes to cover natural disasters like floods or terrorism). “At some point cyber events can potentially become large enough to move outside of the insurance industry and become societal,” said Tom Reagan, global cyber practice leader at Marsh McLennan. Cyber insurance premiums were around $14 billion in 2023 and are expected to rise to $29 billion by 2027. LINK
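The check that RPKI adoption enables is Route Origin Validation (RFC 6811): a router compares each announcement's prefix and origin AS against the published Route Origin Authorisations and marks it valid, invalid or not-found. The following is an added worked example of that algorithm, written here rather than taken from the roadmap or any router vendor; it goes beyond the newsletter text by covering the maxLength and AS0 cases. ROAs and announcements are constructed from documentation prefixes and private AS numbers.

```python
"""Added example: RPKI Route Origin Validation (RFC 6811) over constructed
ROAs. Not from the roadmap or any vendor; data uses documentation prefixes
and private AS numbers."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: asn may originate prefix and any sub-prefix
    no longer than max_length. asn 0 means nobody may originate it."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(roas, announced_prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, hence the version check
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"        # no ROA says anything about this space
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"        # one matching ROA is enough
    return "invalid"              # covered, but wrong origin or too specific


def filter_announcements(roas, announcements, drop_invalid: bool = True):
    """Common policy: accept valid and not-found, drop invalid."""
    accepted = []
    for prefix, asn in announcements:
        state = validate_origin(roas, prefix, asn)
        if state != "invalid" or not drop_invalid:
            accepted.append((prefix, asn, state))
    return accepted


# Constructed ROAs: what the legitimate holders published.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # may be de-aggregated down to /24s
    ROA("203.0.113.0/24", 24, 0),        # AS0: this space must not be routed
]

# Constructed announcements as seen by a validating router.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # legitimate
    ("192.0.2.0/24", 64511),       # hijack: right prefix, wrong origin
    ("198.51.100.0/24", 64497),    # legitimate de-aggregation within maxLength
    ("198.51.100.0/25", 64497),    # too specific: the more-specific hijack pattern
    ("203.0.113.0/24", 64496),     # AS0 ROA: nobody may originate this
    ("2001:db8::/32", 64496),      # no ROA at all
]
```

Note that not-found is accepted: until coverage is near-universal, dropping unsigned space would break reachability, which is why the roadmap pushes operators to publish ROAs as well as to validate.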
👮 Law Enforcement:
- Callum Picari (22), Vijayasidhurshan Vijayanathan (21), and Aza Siddeeque (19) have pleaded guilty to running a service called ‘OTP.Agency’ that helped cybercriminals to bypass multi-factor authentication and gain access to the bank accounts of UK victims. The National Crime Agency says criminals used the trio’s services to target over 125,000 people between September 2019 and March 2021. LINK
💰 Investments, mergers and acquisitions:
- The GRC Group has acquired a pen testing outfit called Pentest People to bolster cyber security capabilities. GRC Group, previously a division of Marlowe plc, was acquired by private equity firm Inflexion in May this year. (Disclaimer: Inflexion is a client of Cydea) LINK
- Airbus has acquired infodas, a German cyber security company serving the public sector that is accredited by Germany’s Federal Office for Information Security (BSI) to conduct cyber security audits and penetration tests. LINK
🗞️ Industry news:
- Darktrace CEO Poppy Gustafsson is to step down prior to the completion of the company’s acquisition by private equity firm Thoma Bravo. Chief Operating Officer Jill Popelka will take over. LINK
- The NCSC’s Cyber Advisor scheme has heralded the appointment of its 100th advisor. The scheme provides an endorsement to advisors that can help small businesses achieve a baseline level of cyber security, such as Cyber Essentials. LINK
And finally
- Crew onboard the US Navy ship USS Manchester were caught running a private wifi network called ‘STINKY’. Unhappy with the restrictions on the ship’s internet provision, the crew secretly bolted a Starlink terminal to the vessel and subsequently added ethernet cables and wifi repeaters when they found the coverage at the other end of the ship wasn’t good enough. Ultimately, the ship’s command got wind of it, and the individuals were court-martialed. LINK