
Robin’s Newsletter #91

Vol. 3, Iss. 11 · 15/03/2020, last updated 06/04/2020 · Robin Oldham · ~6 minutes

This week

Cyberspace Solarium Commission offers glimpse into future U.S. cyber strategy

Cyberspace Solarium Commission has spent the last twelve months charged with ‘developing and articulating a [bipartisan and] comprehensive strategic approach to defending the United States in cyberspace.’ The output will likely trickle through into US policy in the coming months and years.

Lawfare has a whole series, but two, in particular, caught my eye: ‘Digital Strangelove: The Cyber Dangers of Nuclear Weapons’ and ‘Defending Forward by Defending Norms.’ The former looks at the importance of ‘strategic deterrence’

The former covers two aspects: the compromise of nuclear weapons via cyber-attack, but also the intersection of ‘nuclear’ and ‘cyber’ in the strategic sense in conflict and diplomacy. The latter produced some interesting conclusions:

“Nuclear capabilities must be revealed to be useful for deterrence. Nuclear deterrence works because nuclear weapons states can deliberately reveal their nuclear capabilities and thus signal the potential consequences for crossing red lines. By contrast, offensive cyber operations against sensitive targets cannot be revealed if they are to be useful at all. Cyber actors deliberately conceal or obfuscate their cyber capabilities and operations because compromise would enable the target to patch or take countermeasures that mitigates the capability.”

Cyber operations - for intelligence or military purposes - also often occur before (or below the threshold for) armed conflict. The concept of ‘defending forward’ is built on having laid the groundwork and having confidence in your access to an adversary in advance of needing it. You’ve used the capability before you needed to, whereas ‘dropping a bomb’ is so clearly a response rather than a preparedness action.

Doing so risks a capability being discovered. And once a tactic, technique or procedure is uncovered, adversaries can work out how to defend against it. (In much the same way that a lot of security tools, anti-virus for example, rely on threat intelligence to stay effective.)

On the topic of cyber-norms, they recommend calling out misbehaviour in cyberspace more frequently. A recent example of this is the joint condemnation of Russia (vol. 3, iss. 8). The Commission suggests that the US concept of ‘defending forward’ be extended to a ‘whole-of-nation,’ and crucially non-military, approach. They want to increase the cost to attackers and therefore make the US a less attractive target. This is kind-of the approach the UK has taken, with NCSC advocating and improving cyber security across the civilian infrastructure to ‘make the UK the safest place to live and work online.’

In doing so the end-game is to establish better ‘cyber norms’ that dictate what is, and is not, acceptable. Perhaps this in itself may lead to less use of cyber-capabilities in the first place (just because you can, doesn’t mean you should.)

You can find a link to the full series from either of the posts below.

lawfareblog.com (nukes), lawfareblog.com (norms)

Interesting stats

$420 per employee, per year in lost productivity caused by resetting passwords, according to Widmeyer/Centrify (in 2014) sans.org

6,100 vulnerabilities were found in open-source software in 2019, up from 4,100 the previous year, according to WhiteSource, who add that 85% of these are disclosed with a patch already available, but that 16% are not reported to the National Vulnerability Database zdnet.com

Other newsy bits

Patch now: ‘Wormable’ vulnerability in Windows file sharing code

Details of a serious vulnerability in the code that Windows computers use to share files were accidentally released by security companies this week. The bug in Server Message Block (SMB) version 3 allows an attacker to gain ‘system,’ or administrator, level privileges remotely without needing to log in or get the user to do anything.

The vulnerability is in Windows 10 and Windows Server 2019 (both the v1903 and v1909 versions), of which Kryptos Logic found 48,000 devices with the SMB port open to the Internet.

It appears that Microsoft was planning to patch the issue as part of its regular ‘Patch Tuesday’ and communicated the details in advance to some partners but then pulled it at the last minute, leaving the partners sharing details before a fix was available. Two days later Microsoft pushed an emergency update.

The issue is ‘wormable’ which means that once compromised the machine can be used to attack other computers that it is connected to - similar to the way that the WannaCry ransomware spread.

You should:

  • Install the patch KB4551762 via Windows Update
  • Not have SMB exposed to the Internet (if you are on your home wifi it is unlikely that you do)

If you cannot patch, Microsoft has issued an advisory (ADV200005) outlining a workaround that disables SMBv3 compression.
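As an added example (not from the newsletter or from Microsoft), this PowerShell audit checks a host against the three points above: whether it is an affected build, whether KB4551762 is installed, and whether the ADV200005 workaround is in place, plus whether a firewall rule allows inbound TCP 445 from any address on the Public profile. It assumes the workaround is the DisableCompression value under LanmanServer\Parameters and that 1903 and 1909 correspond to builds 18362 and 18363; run it in an elevated shell.

```powershell
# Added example, not the article's own code. Audits the CVE-2020-0796 mitigations
# described above. Assumed: DisableCompression under LanmanServer\Parameters is the
# ADV200005 workaround value; build 18362 = 1903, 18363 = 1909.
$results = [ordered]@{}

# 1. Affected builds: Windows 10 / Server 2019 v1903 and v1909
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$results['AffectedBuild'] = $build -in 18362, 18363

# 2. Has the out-of-band fix KB4551762 been installed?
$results['KB4551762Installed'] = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

# 3. Is SMBv3 compression disabled on the server side (the ADV200005 workaround)?
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disable = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
$results['CompressionDisabled'] = ($disable -eq 1)

# 4. Is SMB reachable from untrusted networks? Look for enabled inbound allow rules
#    on the Public (or Any) profile that open TCP 445 to any remote address.
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$results['SMBAllowedOnPublicProfile'] = [bool]$exposed

# Report each check, then call out the risky combination: affected, unpatched, no workaround
$results.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }

if ($results.AffectedBuild -and -not $results.KB4551762Installed -and -not $results.CompressionDisabled) {
    Write-Warning 'Affected build with neither KB4551762 nor the ADV200005 workaround applied.'
    Write-Warning 'Patch via Windows Update, or as an interim measure run:'
    Write-Warning "Set-ItemProperty -Path '$regPath' -Name DisableCompression -Type DWORD -Value 1 -Force"
}
if ($results.SMBAllowedOnPublicProfile) {
    Write-Warning 'A firewall rule allows inbound TCP 445 from any address on the Public profile; review it.'
}
```

The firewall check only inspects host firewall rules, so a host behind a router with port 445 forwarded still needs checking at the perimeter.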

theregister.co.uk, zdnet.com, Microsoft: CVE-2020-0796, KB4551762, ADV200005

Secret-sharing app Whisper… shares 900 million users’ secrets

Whisper is an anonymous social network with apps that allow users to interact with each other, share photos, video, and the like. This week it was revealed that security researchers found that the site, which encourages people to “share real thoughts and feelings, forge relationships and engage in conversations on an endless variety of topics – without identities or profiles”, was perhaps sharing a little more than a user might expect. A 5 terabyte database, containing over 900 million records, was left exposed. Each user profile contained over 90 metadata fields that, while not including username, did include data on age, IP address, gender, and more sensitive fields like geolocation and ‘predator_probability’, which appears to be the company’s assessment of the likelihood that the user is a sexual predator. The data appears to date back to 2012 and included a ‘deleted’ S3 bucket that, presumably, users expected would have been deleted. theregister.co.uk

A bad week for Avast’s Anti-Virus

First there was an update that addressed issues in AVG’s AntiTrack privacy software which, ironically, increased the risk of users being subjected to ‘man-in-the-middle’ attacks. Then the company disabled the JavaScript engine in their software after Google’s Project Zero team reported that it ran unsandboxed and allowed remote code execution with admin-level privileges. The latter, to Avast’s credit, was acted on very quickly. zdnet.com, theregister.co.uk

In brief

Attacks, incidents & breaches

  • Hackers used Pupy RAT to access a European electricity organization’s email server for weeks cyberscoop.com
  • Data of 130,000 customers ‘taken without permission’ [That’s a new one!] from O2 partner Aerial Direct theregister.co.uk
  • Microsoft strikes back at Necurs botnet by preemptively disabling hacking tools cyberscoop.com

Threat intel

  • NSA Warns About Microsoft Exchange Flaw [CVE-2020-0688] as Attacks Start bleepingcomputer.com
  • Cookiethief Android malware uses proxies to hijack your Facebook account zdnet.com
  • VMWare Releases Fix for Critical Guest-to-Host Vulnerability bleepingcomputer.com
  • Crafty Web Skimming Domain Spoofs “https” krebsonsecurity.com
  • Card data from the Volusion web skimmer incident [affecting 6,589 stores] surfaces on the dark web zdnet.com

Security engineering

  • Google Play Protect [detects just 33% of samples in] Android Protection Tests bleepingcomputer.com

Internet of Things

  • Most Medical Imaging Devices Run Outdated Operating Systems - The end of Windows 7 support has hit health care extra hard, leaving [83% of medical imaging devices] vulnerable wired.com

Privacy

  • Australia privacy watchdog sues Facebook over [Cambridge Analytica] data breach ft.com
  • [Twenty] Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data for analytics company Sensor Tower buzzfeednews.com

Law enforcement

  • Months-long trial of alleged CIA Vault 7 exploit leaker [Justin Schulte] ends with hung jury: Ex-sysadmin guilty of contempt, lying to FBI theregister.co.uk
  • European police nab 26 suspects in SIM swapping dragnet cyberscoop.com

And finally

Hackers hacking hackers

Cybereason has uncovered a campaign to compromise popular hacking tools with a remote access trojan called njRat. When run, the trojanised tools compromise both the attacker and their intended victim. techcrunch.com