Apr 05 2021
Encryption is either secure or it’s not – there is no middle ground
Adopting new rules
We remain deeply concerned, therefore, that the Council of the European Union is seeking to adopt new rules that would effectively do away with encryption. At the end of last year, they released a five-page resolution that called for the EU to pass new rules to govern the use of end-to-end encryption in Europe. We are completely against this resolution as it effectively ends the notion of true encryption.
There’s no such thing as strong encryption if you allow the institution of backdoors for government or law enforcement officials – and don’t believe any politicians who say otherwise – they are, at best, ill-informed. The most important takeaway here is that encryption is either secure or it is not. Users either have privacy or they do not.

Apr 05 2021
List of data breaches and cyber attacks in March 2021 – 21 million records breached
Don’t be fooled by the fact that we only recorded 20,995,371 breached records in March; it was one of the leakiest months we’ve ever seen, with 151 recorded incidents.
By comparison, there was a seemingly Lilliputian 82 recorded breaches in January and 118 in February.
The issue is that in far more cases than we’d expect, the number of breached records wasn’t included in the notification, so we can’t include it here.
We typically expect ambiguity when it comes to ransomware, because organisations are locked out of their files and can’t calculate what’s been affected. But there were dozens of other cyber attacks and data breaches where the organisation either didn’t know or reveal the extent of the damage.
You can find our full list of incidents below, with those affecting UK organizations listed in bold.
Contents
- Cyber attacks
- Ransomware
- Data breaches
- Financial information
- Malicious insiders and miscellaneous incidents
- In other news…

Apr 04 2021
Malware attack on Applus blocked vehicle inspections in some US states
Applus Technologies, a worldwide leader in the testing, inspection and certification sector, was recently hit by a malware cyberattack that impacted vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.
The attack took place on March 30th. In response to the infection, the company was forced to disconnect its IT systems from the Internet to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts speculate that a ransomware attack was involved.
“Unfortunately, incidents such as this are fairly common and no one is immune,” said Darrin Greene, CEO of the US entity, Applus Technologies, Inc. “We apologize for any inconvenience this incident may cause. We know our customers and many vehicle owners rely on our technology and we are committed to restoring normal operations as quickly as possible.”
The company will need some time to fully restore operations and resume vehicle inspections; at the time of this writing it has yet to provide a timetable. According to the Department of Motor Vehicles (DMV), inspections will likely be suspended for at least another couple of days.
“Due to the enhanced technology and programming required to operate the program, it is imperative that we ensure every component of the program is free from malware, thoroughly tested and operating normally before bringing the program back online. The testing process will involve all of our agencies as well as the station owners who own and operate the computerized workstation equipment used to perform the motor vehicle inspections.” continues Applus Technologies.
“We will routinely update the return to service status as additional information becomes available. It is important to note that we want to make sure we have resolved all issues before restarting the system in order to avoid any additional delays or inconvenience once the program is back up and running.”
The Applus team is collaborating with the DMV and providing frequent updates on the status of the incident response. It is also working with the DMV to extend both the 60-day retest requirement and the free retest policy during this time.
Apr 03 2021
Applications Are Everything and Everywhere – Does Whack-a-Mole Security Work?
The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration is preparing an executive order outlining new software security and breach disclosure requirements.
As organizations look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets – which are ripe targets for attackers and can provide unrestricted privileged access to sensitive systems.
Cloud-Native Apps Expand Security Needs
Today, many organizations are taking a cloud-native approach to building, testing and deploying new applications – whether front- or back-office, consumer-facing, web or mobile. And by embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.
As applications are increasingly built from microservices and run in dynamic, short-lived containerized environments, these components all need to interact with each other, sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.
What’s more, the powerful DevOps and automation tools developers use such as Jenkins and Ansible to build applications store massive amounts of credentials and secrets within them. This allows the projects, playbooks and scripts managed by these mission-critical “Tier 0” assets to access other tools, services and platforms. All of these tools also require high levels of privilege.
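The passage above describes pipeline tools holding large numbers of credentials; a first defensive check is whether any of those credentials have been written directly into the pipeline definitions themselves. The scanner below is an added example, not code from the article or from Jenkins or Ansible. It flags hard-coded secrets in a constructed Jenkinsfile and a constructed Ansible playbook, reports them with the value redacted, and leaves alone lines that reference a secret store (Jenkins `credentials(...)`, an Ansible `lookup(...)` or vault value). The patterns and the reference markers are a starting set chosen for this example, not an exhaustive list.

```python
"""Find credentials committed into CI/automation files.

Added example: scans pipeline definitions for hard-coded secrets and reports
them redacted. Both sample files below are constructed for this example.
"""
import re

# Constructed samples: two hard-coded AWS credentials, one correct Jenkins
# credentials() reference, one hard-coded DB password, one Ansible env lookup.
SAMPLE_FILES = {
    "Jenkinsfile": """\
pipeline {
  environment {
    AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'
    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    DEPLOY_KEY = credentials('prod-deploy-key')
  }
}
""",
    "deploy.yml": """\
- hosts: db
  vars:
    db_password: "hunter2-constructed-sample"
    api_token: "{{ lookup('env', 'API_TOKEN') }}"
""",
}

# (kind, regex, group holding the secret value). AWS access key IDs have a
# fixed shape; the second pattern catches quoted literals assigned to any
# variable whose name suggests a credential.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("secret-assignment", re.compile(
        r"\b\w*(?:password|passwd|secret|token|api_key|access_key)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]", re.IGNORECASE), 1),
]

# A line containing one of these is pulling the value from a secret store or
# variable rather than embedding it (assumed markers for this example).
REFERENCE_MARKERS = ("credentials(", "lookup(", "vault", "${", "{{")


def redact(value):
    """Keep a short prefix so the finding can be located without leaking the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(filename, text):
    """Return one finding per offending line: file, line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in REFERENCE_MARKERS):
            continue  # references a store, not a literal secret
        for kind, pattern, group in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"file": filename, "line": lineno,
                                 "kind": kind, "value": redact(match.group(group))})
                break  # one finding per line is enough
    return findings


def scan_all(files=SAMPLE_FILES):
    """Scan a {filename: contents} mapping and return all findings in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

The two lines that pass (`credentials('prod-deploy-key')` and the `lookup('env', ...)` expression) show the shape a fix takes: the pipeline file keeps a reference, and the value lives in the tool's credential store or the runner's environment. Running a check like this in a pre-commit hook or as a CI step catches the regression before the secret reaches the repository history.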

Apr 03 2021
Malware Hidden in Call of Duty Cheating Software
Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them.
“It is common practice when configuring a cheat program to run it with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”
Detailed report.
Apr 03 2021
Decrypting Cryptocurrencies
Cryptocurrencies are a topic that touches many areas: not only finance and investing but technology and even political arenas. Although apolitical in itself, it is the structure behind these cryptocurrencies that makes them a much talked about subject amongst political purists from across the political spectrum. This structure can be boiled down to the following: think of cryptocurrencies as a ‘big spreadsheet’, and when you ‘mine’ crypto you essentially fill in the spreadsheet, keeping the ledger up to date on who is transferring currency to another party.
It is perhaps this decentralised nature which has contributed to the meteoric rise of cryptocurrency value. Modern investors see the value in having an immutable ledger, meaning that external users or third-parties cannot tamper with previous transactions. This becomes more crucial when you consider the impact that quantitative easing has had on the economy over the past several decades. Cryptocurrencies, compared to their physical counterparts, are practically immune from quantitative easing as there is a predetermined number of coins in circulation at one time meaning that they are impervious to inflation. This has contributed to more individuals over the years turning to cryptocurrencies as a ‘safe-haven asset’ in the same way that investors would traditionally turn to gold. In my eyes, I see Bitcoin as better at being Gold than Gold itself, because of its ability to be infinitely divisible into micro units and decimal points of a Bitcoin rather than a single gold coin. It also inherits another important characteristic of Gold which has fuelled its rise in price, it is finite – there will only ever be 21 million of them in circulation (once all mined). Compare this to standard modern currency, on money printing and inflation consider this: a fifth of all US Dollars were created in 2020, and now in 2021 President Biden is considering a $1.9 Trillion stimulus plan. Indeed, it is this effort by central banks across the globe to print their way out of a pandemic/unstable economy that – in my opinion – has led to the exponential price increase in Bitcoin during 2020 rather than any other factor. As long as this continues (which it almost certainly will), faith in fiat currency will wane and interest in “unprintable” cryptocurrencies will only increase.
more on: Decrypting Cryptocurrencies
Blockchain Bubble or Revolution:

Apr 03 2021
Attackers are abusing GitHub infrastructure to mine cryptocurrency
Code repository hosting service GitHub launched an investigation into a series of attacks aimed at abusing its infrastructure to illicitly mine cryptocurrency.
Attacks of this kind have been reported since at least the end of 2020, when some software developers reported the malicious activity on their repositories.
“I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my github actions thanks to a shitty pull request.” reads a post reporting a similar attack.
The Record reported that threat actors are abusing the GitHub Actions feature which was implemented to allow the automatic execution of software workflows.
Experts warn that threat actors are targeting repositories that have this feature enabled, adding malicious GitHub Actions and filing malicious pull requests so that the attacker’s code is executed.
“In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.
“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.”
In recent attacks, threat actors are executing their own malicious code to run cryptocurrency miners on the infrastructure of the code repository hosting service; in some cases, attackers could deploy hundreds of miners in a single attack.
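The attack pattern described above works because a workflow triggered by a pull request runs code from the fork that opened it. A repository owner can audit their own workflow files for the two settings that matter here: a `pull_request` trigger with no condition limiting jobs to same-repository pull requests, and a `pull_request_target` job that checks out the pull request head (which, unlike a plain `pull_request` run, has the repository’s secrets available). The checker below is an added example, not code from the article, from The Record, or from GitHub. It assumes the workflow files have already been loaded with a YAML parser; the three workflows here are constructed samples embedded as Python dicts, and the same-repository guard expression is the one assumed for this example (GitHub also offers a repository setting that requires approval before fork pull requests run workflows, which the checker does not see).

```python
"""Policy check for GitHub Actions workflow definitions.

Added example: flags workflows that let a pull request from a fork run code
without restriction. Sample workflows are constructed, already parsed from
YAML into dicts (any YAML loader will do for real files).
"""

# Job-level guard that skips fork pull requests (assumed mitigation expression).
SAME_REPO_GUARD = ("github.event.pull_request.head.repo.full_name "
                   "== github.repository")

SAMPLE_WORKFLOWS = {
    # Constructed: a typical test workflow; fork PRs run their own code here.
    "ci.yml": {
        "on": ["push", "pull_request"],
        "jobs": {"test": {"runs-on": "ubuntu-latest",
                          "steps": [{"uses": "actions/checkout@v2"},
                                    {"run": "make test"}]}},
    },
    # Constructed: pull_request_target plus checkout of the PR head.
    "label.yml": {
        "on": {"pull_request_target": {}},
        "jobs": {"build": {"runs-on": "ubuntu-latest",
                           "steps": [{"uses": "actions/checkout@v2",
                                      "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                                     {"run": "npm install && npm test"}]}},
    },
    # Constructed: same workflow as ci.yml with the guard applied.
    "guarded.yml": {
        "on": ["pull_request"],
        "jobs": {"test": {"runs-on": "ubuntu-latest",
                          "if": SAME_REPO_GUARD,
                          "steps": [{"uses": "actions/checkout@v2"},
                                    {"run": "make test"}]}},
    },
}


def _triggers(workflow):
    """Event names the workflow runs on. YAML 1.1 loaders read the key `on` as
    boolean True, so both spellings are accepted."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def _checks_out_pr_head(job):
    """True if a step checks out the pull request head, i.e. fork-controlled code."""
    for step in job.get("steps", []):
        uses = str(step.get("uses", ""))
        ref = str(step.get("with", {}).get("ref", ""))
        if uses.startswith("actions/checkout") and "pull_request.head" in ref:
            return True
    return False


def audit_workflow(name, workflow):
    """Return a list of findings (strings) for one workflow definition."""
    findings = []
    triggers = _triggers(workflow)
    for job_name, job in workflow.get("jobs", {}).items():
        if "pull_request_target" in triggers and _checks_out_pr_head(job):
            findings.append(f"{name}/{job_name}: pull_request_target job checks out "
                            "the PR head, so fork code runs with repository secrets")
        if "pull_request" in triggers and SAME_REPO_GUARD not in str(job.get("if", "")):
            findings.append(f"{name}/{job_name}: pull_request job runs fork PR code "
                            "with no same-repository guard")
    return findings


def audit_all(workflows=SAMPLE_WORKFLOWS):
    """Audit every workflow and return the combined findings."""
    findings = []
    for name, workflow in workflows.items():
        findings.extend(audit_workflow(name, workflow))
    return findings


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

The guard makes fork pull requests skip the job entirely, which is a trade-off against running tests for outside contributors; many projects instead accept the `ci.yml` finding and rely on the approval setting for first-time contributors. The `label.yml` finding is the more serious one, because there the fork’s code runs in a context that carries the repository’s secrets.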
Apr 02 2021
CISA Orders Action Against Exchange Vulnerabilities
“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency said in supplementary guidance to the earlier CISA Emergency Directive (ED) 21-02. “This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”
Apr 02 2021
The growing threat to CI/CD pipelines

Today, rapid digitalization has placed a significant burden on software developers supporting remote business operations. Developers are facing continuous pressure to push out software at high velocity. As a result, security is continuously overlooked, as it doesn’t fit into existing development workflows.
The way we build software is increasingly automated and integrated. CI/CD pipelines have become the backbone of modern DevOps environments and a crucial component of most software companies’ operations. CI/CD has the ability to automate secure software development with scheduled updates and built-in security checks.
Developers can build code, run tests, and deploy new versions of software swiftly and securely. While this approach is efficient, major data breaches have demonstrated a significant and growing risk to the CI/CD pipeline in recent months.
Pipeline as Code is a practical guide to automating your development pipeline in a cloud-native, service-driven world.

Apr 01 2021
Building Immunity at AppSec Insertion Points
The fundamentals of a formal, effective application security plan should start with business objectives, tools, processes and most of all, data, with the primary driver for securing applications focused on protecting data.
While it is important to surgically address the insecurities in a mission-critical application, it is equally important to continuously upskill the development and security teams and to create a culture where security is not looked at as simply a ‘check-the-box’ item.
According to Setu Kulkarni, vice president of strategy at WhiteHat Security, the first step is to identify the right inflection points for injecting application security.
“CISOs need to recognize that no SDLC is built the same and no application is at the same level of maturity within its life cycle,” he said. “We have learned that testing applications continuously in production is critical to identify the real, exploitable vulnerabilities that create the maximum risk of being breached in production.”
Kulkarni noted one way to (almost always) ensure that security does not become an afterthought is to “top & tail” – in other words, make sure that your team gets a voice when the exit criteria are being defined during the requirements phase, and make sure the team is testing in pre-production and production.
“Everything in between is really a negotiation based on the maturity of the SDLC and the application itself. The most consequential best practice is to ensure that the Dev, Sec and Ops teams get accurate and actionable insight from the AppSec tests that are executed,” he said. “After all, the only way to eventually have security operate at the speed of DevOps is through some level of automation, and the efficacy of automation is directly proportional to the accuracy of the data used to drive the automation.”
Doug Dooley, COO of Data Theorem, pointed out that the business driver for AppSec is about privacy, trust and reputation that is directly tied to the brand of those who build and publish the applications.
He noted traditional AppSec testing focused on static application security testing (SAST) and dynamic application security testing (DAST).
“However, with a more modern application stack, AppSec programs are starting to factor in third-party risks introduced by open source and software development kits, covered by software composition analysis,” Dooley explained.
Further, cloud-native applications make infrastructure services just another software extension of the application buildout, so many AppSec programs increasingly add cloud security tools, such as cloud security posture management (CSPM).

Apr 01 2021
CSA Survey Suggests Cloud Security Is Improving
New research suggests the overall state of cloud security continues to improve at a time when more organizations rely on multiple cloud service providers.
A survey of 1,900 security and IT professionals published this week by the Cloud Security Alliance (CSA) in collaboration with AlgoSec, a provider of network security tools, finds only 11% of respondents said they encountered a cloud security incident in the past year. The most common problems encountered were issues with a specific cloud provider (26%), security misconfigurations (22%) and attacks such as denial-of-service exploits (20%).
When asked about the impact of the cloud outages, more than a quarter of respondents said it took more than half a day to recover.
Despite growing confidence in cloud platforms, however, security remains a major area of focus. Top areas of concern include network security (58%), lack of cloud expertise (47%), migrating workloads to the cloud (44%) and insufficient staff to manage cloud environments (32%). In all, 79% of respondents noted some kind of issue involving IT staffing.
In the report, 52% of respondents reported they employed cloud-native tools to manage security as part of their application orchestration process, with half (50%) using orchestration and configuration management tools such as Ansible, Chef and Puppet. Less than a third (29%) said they used manual processes to manage cloud security.
Less clear, though, is who within the IT organization is responsible for cloud security. More than a third (35%) said their security operations team managed cloud security, followed by the cloud team (18%) and IT operations (16%). Other teams, such as network operations, DevOps and application owners, are all below 10%, the survey found.

Apr 01 2021
Akamai dealt with an 800Gbps ransom DDoS against a gambling company
CDN and cybersecurity firm Akamai warns of a worrying escalation in ransom DDoS attacks since the beginning of the year.
The company recently mitigated three of the six biggest volumetric DDoS attacks it has ever dealt with, two of which were ransom DDoS attacks.
One of these two ransom DDoS attacks targeted a gambling company in Europe and peaked at 800Gbps, but the most worrisome aspect of the attack was its sophistication.
According to the company, the rise in the Bitcoin price is motivating cybercriminals to intensify their efforts and increase their attack bandwidth in order to carry out powerful attacks for extortion purposes.
“The most recent extortion attack — peaking at more than 800 Gbps and targeting a European gambling company — was the biggest and most complex we’ve seen since the widespread return of extortion attacks that kicked off in mid-August 2020. Since the start of the campaign, show-of-force attacks have grown from 200+ Gbps in August to 500+ Gbps by mid-September, then ballooned to 800+ Gbps by February 2021.” reads the analysis published by Akamai. “But the size of the extortion attack wasn’t the only notable characteristic of the actors’ modus operandi.”

Mar 31 2021
IETF deprecates TLS 1.0 and TLS 1.1, update to latest versions
The IETF has formally deprecated the TLS 1.0 and TLS 1.1 cryptographic protocols because they lack support for recommended cryptographic algorithms and mechanisms.
The Internet Engineering Task Force (IETF) formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Both versions lack support for current and recommended cryptographic algorithms and mechanisms. TLS version 1.2 was recommended for IETF protocols in 2008 and was in turn superseded by TLS version 1.3 in 2018.
The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.
The move to deprecate old versions aims at making products using them more secure.
The IETF now only recommends the use of the two latest versions TLS 1.2 and TLS 1.3.
Experts pointed out that older versions of the protocol used cryptographic algorithms that were hit by multiple attacks over the years, including BEAST, Lucky 13, POODLE, and ROBOT.
Recently the US National Security Agency (NSA) published a guide urging organizations to eliminate obsolete Transport Layer Security (TLS) protocol configurations.
However, the number of organizations that are still using the deprecated versions of the protocol is still high.
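The practical side of the deprecation is checking what a server is still willing to negotiate and pinning clients to TLS 1.2 or later. The script below is an added example, not from the article or the IETF: it audits nginx-style `ssl_protocols` directives (a weak configuration and its corrected form, both constructed for this example) against the deprecated set, and builds a Python `ssl` context whose minimum version is TLS 1.2. The nginx directive syntax and the `ssl.TLSVersion` API are real; the two config snippets are constructed.

```python
"""Audit and enforce the TLS versions an application is willing to negotiate.

Added example: flags deprecated protocol versions in nginx-style
``ssl_protocols`` directives and builds an ``ssl`` context pinned to
TLS 1.2+. Config snippets below are constructed for this example.
"""
import re
import ssl

# TLS 1.0 and 1.1 are deprecated by the IETF (RFC 8996); SSLv2/SSLv3 were
# deprecated earlier and must never be enabled.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}

# Constructed: the weak setting, still offering TLS 1.0 and 1.1 ...
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# ... and its corrected form.
FIXED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def audit_ssl_protocols(config_text):
    """One result per ssl_protocols directive: enabled, deprecated and missing versions."""
    results = []
    for match in _DIRECTIVE.finditer(config_text):
        enabled = match.group(1).split()
        results.append({
            "enabled": enabled,
            "deprecated": [p for p in enabled if p in DEPRECATED],
            "missing": sorted(RECOMMENDED - set(enabled)),
        })
    return results


def is_compliant(config_text):
    """True only if at least one directive exists and none enables a deprecated version."""
    audits = audit_ssl_protocols(config_text)
    return bool(audits) and all(not a["deprecated"] for a in audits)


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 regardless of OpenSSL defaults."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ssl_protocols(cfg), "compliant:", is_compliant(cfg))
    print("client minimum:", hardened_client_context().minimum_version.name)
```

A missing `ssl_protocols` directive is reported as non-compliant rather than ignored, because the effective setting then comes from the server build’s default, which the audit cannot see. The context helper is the client-side counterpart: a service that pins its own minimum version fails closed against a peer that only offers the deprecated versions, which is the outcome the deprecation is meant to produce.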

Mar 31 2021
Translating TTPs into Actionable Countermeasures | All-Around Defenders
Ismael Valenzuela (McAfee/SANS) and Vicente Diaz (Threat Intel Strategist at Virustotal)
SANS Institute's #SEC530 course co-authored by Ismael Valenzuela (@aboutsecurity), providing students access to VTIntelligence to help them make TTPs actionable.
MITRE Enterprise ATT&CK Framework
Comparing Layers in ATT&CK Navigator – MITRE ATT&CK®
Mar 31 2021
3 steps to meeting data privacy regulation compliance through identity programs
Lesson 1: Take stock of identities and lock them down
When it comes to data protection, security and compliance, organizations must keep the potential technology risk within acceptable limits, which means mobilizing efforts to identify data lakes and applications where personally identifiable information (PII) and other sensitive information is stored. Organizations should then use digital transformation as the catalyst to lock those applications down with the proper controls to prevent the unauthorized use of data, and use analytics to gain visibility into how sensitive data is managed.
The key to any data privacy compliance is proper data protection because under these laws, consumers retain the right to deny and revoke the collection of their data. The first step in any plan around compliance is to have a basic understanding of whose data you have, where it is, and who has access to it. This principle is the foundation of identity management and governance.
Source: 3 steps to meeting data privacy regulation compliance through identity programs
Active Directory Administration Cookbook: Actionable, proven solutions to #identitymanagement and authentication on servers and in the cloud

Mar 31 2021
Cyber Strategy – Risk-driven Security and Resiliency

Cyber Strategy – Risk-driven Security and Resiliency
Provides a process and roadmap for any company to develop its unified Cybersecurity and Cyber Resiliency strategies. It demonstrates a methodology for companies to combine their disassociated efforts into one corporate plan with buy-in from senior management that will efficiently utilize resources, target high-risk threats, and evaluate risk assessment methodologies and the efficacy of the resulting risk mitigations. The book discusses all the steps required, from conception of the plan through preplanning (mission/vision, principles, strategic objectives, new initiative derivation), project management directives, cyber threat and vulnerability analysis, and cyber risk and controls assessment, to reporting and measurement techniques for plan success and overall strategic plan performance. In addition, a methodology is presented to aid in new initiative selection for the following year by identifying all relevant inputs.
“This is the tour de force on designing, implementing and maintaining a modern cyber security and resiliency program. This book is a necessity for all information security and resiliency professionals.” – Howard Taylor, CISO of Radware
OUTLINE
This book lays out a systematic process for developing corporate strategy in the area of cyber (meaning IT) security and resilience.
NBlog – book review on “Cyber Strategy” discusses pros & cons
Mar 30 2021
Risky business: 3 timeless approaches to reduce security risk in 2021
Steps to reduce security risk in 2021
A summary of the tactical and strategic moves CISOs can make to reduce security risk:
- Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection
- Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design
- Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.
Are you doing enough? Do you understand your risks? What if the brightest aren’t always the best choice for your company?
The Smartest Person in the room
![The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity by [Christian Espinosa]](https://m.media-amazon.com/images/I/41KIWmjt6sL.jpg)