InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.
The relevant security bulletins, update numbers, and where to find them online are as follows:
APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341
As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.
But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.
Build your ISO 27001 knowledge and win new business with Advisera’s free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera’s courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.
The courses’ structure is simple:
Modules that cover important topics related to ISO 27001.
Video lectures give you an opportunity to learn from ISO 27001 top experts.
Quizzes teach you how to apply what you have learned through practical examples.
Recap quiz at the end of each module helps you reinforce the acquired knowledge.
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston of Enterprise and OS Security at Microsoft, announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.
Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.
Minimizing the RDP attack vector
The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold – a specific number of failed logon attempts – after which a user account will be locked.
Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involved submitting many passwords in a row until the right one is “guessed”.
From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.
The revelation has set off calls for the control to be backported to older Windows and Windows Server version – a move that’s apparently in the works.
Yes it’s being backported
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 21, 2022
Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.
This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.
NFT marketplace warns users of phishing scams
Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.
The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.
OpenSea has since warned that the information could be used to launch phishing attacks.
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.
“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”
OpenSea warned users via an email notification
Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.
Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).
Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.
In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from their wallets.
Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.
Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.
If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.
School district accidentally wires $200,000 to fraudulent bank
The Floyd County School District in in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.
Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.
Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.
Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”
It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.
“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”
Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.
It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291.
According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services.
The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).
The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents.
According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).
Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams.
Meanwhile, 18% of BEC messages used email domains owned by the attacker.
The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average.
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
Metasploit is the most used penetration testing framework. In this Help Net Security video, Spencer McIntyre, Lead Security Researcher at Rapid7, talks about how Metasploit enables defenders to always stay one step (or two) ahead of the game, and offers a glimpse into the future.
McIntyre is a lead security researcher at Rapid7, where he manages the Metasploit Framework’s dedicated research and development team. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019.
Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow hackers to remotely hack them.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.
An attacker can exploit the flaws to remote disruption of critical functions of the impacted vehicles.
“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”
The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.
The flaws were discovered by BitSight researchers, they have been tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944.
Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.
MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.
CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
Experts found a sixth issued that has yet to receive a CVE (CVSS score: 8.1) – all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.
The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.
BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaw, at least until the vendor will address the issues.
“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”
Researchers highlighted the risks that a nation-state actor could potentially exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its supplies. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws-
“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”
These days security of car is very essential. Thieves are finding more ways of stealing cars and other four wheeler vehicles. In this book we have given details about the anti-theft system which will help to car owners to secure their cars. This system is efficient and affordable. This system gives more advantages than other anti-theft system. Main feature of this system is that owner will gate information if the car is being stolen and the location of car (longitude and altitude).
Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.
Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.
The attackers used online storage services to exfiltrate data and drops their malicious payloads.
The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.
“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Network. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”
The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.
EnvyScout is a tool that is used to further infect the target with the other implants. Threat actors used it to deobfuscate the contents of a second state malware, which is in the form of a malicious ISO file. This technique is known as HTML Smuggling.
A threat hunting activity based on the analysis of the creation time of the phishing message, producer and PDF version metadata in the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.
“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.
The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.
Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.
“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.
The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.
As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.
How a vCISO Works Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.
The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there’s an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.
What to Expect From a vCISO When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.
The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.
Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options — those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.
The Value of a vCISO One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.
Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is the board, executive leadership, and management team needs to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks and some can be even more impactful than cybersecurity.
How to Convince the Executive Team A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.
Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.
The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.
As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.
The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship.
The Tor Project team has announced the release of Tor Browser 11.5, the new version of the popular privacy-oriented browser implements new features to fight censorship.
With previous versions of the browser, circumventing censorship of the Tor Network itself was a manual process that required users to dive into Tor Network settings and chose a bridge to unblock Tor.
Experts pointed out that censorship of Tor isn’t uniform, this means that a certain pluggable transport or bridge configuration may work in one country could not work elsewhere.
The Tor Browser version 11.5 implements a new feature called “Connection Assist”, which was developed to assign automatically the bridge configuration that could allow users in a specific location to bypass censorship.
“In collaboration with the Anti-Censorship team at the Tor Project, we’ve sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you.” reads the announcement published by the Tor Project. “Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.”
Connection Assist downloading up-to-date list options that optimize the connection from the user’s country. To do this, the browser requests user consent.
Maintainers at the Tor Project pointed out that this is only version 1.0 of the Connection Assist, for this reason, they invite users to submit their feedback to help them improve the user experience in future releases.
Another feature implemented in version 11.5 is making ‘HTTPS-Only Mode’ which is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.
The above features are all for desktop, the announcement provides updates for Androidrs because the Tor Browser for Android is quite behind desktop in terms of feature parity.
Since the beginning of the year our priorities for Android have been three-fold:
Start releasing regular updates for Android again
Fix the crashes that many Android users have experienced
Begin catching up with Fenix (Firefox for Android) releases
Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any artifact a system can identify to support a Deepfake can also be removed in a subsequent Deepfake creation. This article discusses the art of Deepfake.
This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.
The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.
Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.
“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.
“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.
An attacker can trigger the flaw using a specially crafted Office document containing malicious macro code that allows to bypass sandbox restrictions and execute commands on the system.
The Apple App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.
Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.
Microsoft researchers demonstrated that using specially crafted codes could bypass the sandbox rules. An attacker could exploit the sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing malicious payloads.
“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix.”
The root cause of the issue is backward compatibility, which allows Microsoft Word to read and write files with the prefix “~$.” .
The experts first created a POC exploit to create a macro that launches a shell script with the Terminal app, bit it was captured by the sandbox because it was automatically given the extended attribute com.apple.quarantine which prevents the execution by the Terminal. Then the experts tried using Python scripts, but the Python app had similar issues running files having the said attribute.
In one of the hacking attempts, the researchers created a proof-of-concept (PoC) that used the -stdin option for the open Command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction. In this way, there was no way for Python to determine that the contents from its standard input originated from a quarantined file.
“Our POC exploit thus became simply as follows:
Drop a “~$exploit.py” file with arbitrary Python commands.
Run open –stdin=’~$exploit.py’ -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.
For a country at war, monitoring the cellular networks in the conflict zone provides the most comprehensive view of mobile device activity. But before the conflict even begins, the nation can identify phones of interest, including the devices belonging to soldiers.
Because mobile app location data is often sold to commercial data brokers and then repackaged and sold to individual customers, a country can access such a database and then pick out the phones likely belonging to soldiers. Such devices will ping regularly in the locations of known bases or other military facilities. It’s even possible to identify the owner of a device by tracking the phone to its home address and then referencing publicly available information.
A country can also use information obtained from one or more data breaches to inform their devices of interest. The T-Mobile breach in 2021 demonstrated how much customer data is in the hands of a mobile operator, including a phone’s unique identifier (IMEI) and its SIM card’s identifier (IMSI).
Spies can also physically monitor known military sites and use devices known as IMSI catchers – essentially fake cell towers – to collect phone data from the phones in the vicinity. The Kremlin reportedly did this in the UK, with GRU officers gathering near some of the UK’s most sensitive military sites.
When a phone of interest appears on the monitored mobile network, the country can keep a close eye on the device’s location and other cellular data. The presence of two or more such devices in close proximity indicates that a mission may be taking place.
In addition to monitoring cell networks, a nation at war can utilize IMSI catchers on the battlefield to gather phone data for the purposes of locating and identifying devices. Location can be determined by triangulating signal strengths from nearby cell towers or by pinging a targeted device’s GPS system. Russia’s Leer-3 electronic warfare system, which consists of two drones containing IMSI catchers along with a command truck, can locate up to 2,000 phones within a 3.7-mile range.
To counter these location-finding drones, an opposing nation may jam a drone’s GPS signal, using a radio emitter to block the drone from receiving GPS signals. The country can also try GPS spoofing, employing a radio transmitter to corrupt the accuracy of the drone’s reported location. To counter such spoofing, systems for validating GPS signals have been deployed on the battlefield. In the larger picture, the corruptibility of GPS data has forced some nations to build their own geopositioning systems. For the US, M-Code serves as a military-only GPS signal that is both more accurate and provides anti-jamming and anti-spoofing capabilities.
Spyware is a more targeted approach to obtaining location data. It can be delivered over the cell network (via a malicious carrier update) or through an IMSI catcher. It’s also not uncommon for operators to pose as single women on social media sites to lure soldiers into downloading a malicious app. Hamas has reportedly used this tactic many times against Israeli soldiers. Such spyware can capture a device’s real-time location, among other capabilities.
Safe Security has made available a free cybersecurity benchmarking tool for predicting cyberattack risk within vertical industry segments and can be tuned by organizations to better assess their own chances of being attacked.
Saket Modi, Safe Security CEO, said the CRQ Calculator combines cybersecurity threat intelligence and telemetry data it collects to ascertain attack costs with metadata collected from primary sources, such as reports published by the Securities and Exchange Commission (SEC) and insurance claims, that is accessible via application programming interfaces (APIs).
That data uses Bayes’ theorem to generate reports for specific vertical industries that determine, for example, that the probability of a health care company falling victim to a successful cyberattack is 25% compared to 20% for a financial services company. Industries such as manufacturing and retail face less than a 15% probability of a successful cyberattack.
The overall goal is to give organizations a better appreciation for the actual level of risk they face so they can make better cybersecurity investment decisions based on business context, noted Modi. That’s become more critical as a downturn in the overall global economy forces more organizations to reduce costs, he noted.
While there is a greater appreciation for cybersecurity than ever, many organizations are struggling to determine what level of spending is required to mitigate the threats they face. Before those assessments can be made there is a need to determine the actual level of threat to a vertical industry.
Spending on cybersecurity as a percentage of the overall IT budget has certainly increased in recent years. However, cybersecurity leaders are being asked more often to determine some level of return on investment (ROI) for that spending. Ultimately, the goal is to determine what level of spending makes sense based on what similar organizations are spending.
Of course, there is no correlation between spending and the level of cybersecurity attained. While the volume and sophistication of attacks have increased, most of the cybersecurity issues organizations encounter can be traced back to human error. Most organizations would dramatically improve their overall cybersecurity simply by focusing on fundamental processes that, in many cases, would eliminate the number of misconfigurations that cybercriminals can potentially exploit, for example.
At the same time, the number of attack surfaces that need to be defended continues to increase, so there does need to be some corresponding increase in cybersecurity. Most of the cyberattacks being launched are fairly rudimentary; cybercriminals don’t see the need to invest more time and effort when it’s relatively simple for them to compromise credentials and gain unfettered access to an IT environment.
Organizations can’t stop these attacks from being launched, but the hope is that by making it more difficult for cybercriminals to succeed they will concentrate their efforts elsewhere. Ultimately, if enough organizations improve their cybersecurity posture, the cost of launching attacks might one day become cost-prohibitive for attackers.
Unfortunately, organizations are a long way from achieving that goal. At the very least, organizations should have a better understanding of how much they need to spend on cybersecurity today as they look to continuously improve cybersecurity in the months and years ahead.
The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.
Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.
ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.
According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.
Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.
Security issues in the binding phase can allow an attacker to extract part of the identifier shared between the receiver and transmitter. The analysis of this part, along with brute force attack, can allow attackers to discover the remaining part of the identifier. Once the attacker has obtained the complete identifier, it can take over the craft containing the receiver, with no knowledge of the binding phrase, by using a transmitter. This attack scenario is feasible in software using standard ExpressLRS compatible hardware.
“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”
The phrase used by the ExpressLRS protocol is encrypted using the hashing algorithm MD5 which is known to be cryptographically broken.
The experts observed that the “sync packets” that are exchanged between transmitter and receiver at regular intervals for synchronizing purposes leak a major part of the binding phrase’s unique identifier (UID). An attacker can determine the remaining part via brute-force attacks or by observing packets over the air without brute-forcing the sequences.
“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.
The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefor gives 75% of the bytes required to take over the link.
The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.
The third weakness occurs in the FHSS sequence generation.
Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.“
The advisory recommends avoiding sending the UID over the control link. The data used to generate the FHSS sequence should not be sent over the air. It also recommends to improve the random number generator by using a more secure algorithm or adjusting the existing algorithm to work around repeated sequences.
NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?
Pictured is Christopher E. “Call Me Chris” Kubasik, L3Harris’s chairman and CEO. He’s no doubt disappointed that the White House put the kibosh on the deal—especially as other bits of the government gave tacit approval (or so we’re told).
But is everything quite as it seems? In today’s SB Blogwatch, we pay attention to the man behind the curtain.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI
“L3Harris and NSO declined to comment” A team of executives from an American military contractor quietly … in recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. … They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted “contrary to the national security or foreign policy interests of the United States,” the Biden administration said. … But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: … American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest to … the F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outraged … and that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance. … While not a household defense industry name … L3Harris earns billions each year from American government contracts. … The company once produced a surveillance system called Stingray. … L3Harris and NSO declined to comment. … A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. … The Commerce Department declined to give specifics about any discussions.
One arm of the government doesn’t know what another is doing? Say it ain’t so! Stephanie Kirchgaessner says it’s so—“US defence firm ends talks to buy NSO”:
“Definitive pushback” A person familiar with the talks said L3 Harris had vetted any potential deal for NSO’s technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal. … Once L3Harris understood the level of “definitive pushback”, a person familiar with the talks said, “there was a view … that there was no way L3 was moving forward with this. … If the government is not aligned, there is no way for L3 to be aligned,” the person said.
“Could have resulted in the blacklisting being lifted” A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. … NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices. … The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.
“NSO spent years pretending they changed” WHOA: Deal … tanked. … [It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would be … atrocious for human rights [and] bad for … counterintelligence. … This is not a company that prioritizes America’s national security. And it doesn’t play well with our tech sector. … NSO spent years pretending they changed … while using all available tricks to hide the fact that they kept doing … risky biz and dictator deals.
ELI5? Look on u/Ozymandias606’s words, ye mighty, and despair:
“Biden visits Israel tomorrow” Pegasus is a hacking tool [that] can turn anyone’s phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists. … The Commerce Department added Pegasus’ creator to a blacklist that has been slowly choking the company. … A US defense contractor later offered to buy Pegasus – and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the software’s source code to the “Five Eyes” cybersecurity alliance. … So, a handful of Western nations … were trying to control access to a cyber weapon that appears to take control of any phone in the world. … Biden visits Israel tomorrow – his first visit to the country.
Are you hinting what I think you’re hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [You’re fired—Ed.]
Unfortunately, many Americans are still in denial about what the US govt routinely do. … This is simply Tiktok 2.0 (or Alstrom 3.0). … Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.
Lockdown mode is nothing. It can’t work. If the software is compromised, letting software be the security can’t work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.
What next? The Combat Desert Penguin—@wolverine_salty—ponders alternative buyers:
Is Thiel interested?
Meanwhile, with a similarly snarky stance, here’s kmoser:
This episode features Rafeeq Rehman. He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.
3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.
4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
6. Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
Often we see stories about cyber attacks that breached an organisations’ security parameters, and advice on how we can protect against future threats. However, what is often missed, is just how these threat actors managed to breach a system, and as such, the fact that the Domain Name System (DNS) probably played a very large role in the attacker’s entry point.
In this Help Net Security video, Chris Buijs, Chief Evangelist at EfficientIP, talks about the importance of making the DNS as part of an organisation’s security strategy.
When implementing and maintaining a management system, it becomes vitally important to ensure that you have acquired adequate knowledge of the standard to ensure success. It does not matter if you are considering ISO 27001:2013 for information security, ISO 9001:2015 for quality management, or ISO 14001:2015 for environmental management, gaining the necessary knowledge about the standard requirements is an important first step to implementing. However, it can be difficult to pick the right course.
Below is a table explaining the different training courses available, including duration and suggested participants:
Which course should you choose?
So, with all of the training course options available, how do you pick the right course? This is very much dependent on which role you will play in the implementation and maintenance of the management system.
Here is a bit about the different types of courses to help you decide:
Foundations course – Do you just need to understand the basics of the ISO standard? Then the foundations course might be what you want. This course becomes invaluable if you will have expert assistance for your implementation, but need to have a good overall understanding of the requirements. For instance, if you will have a consultant, but want to know what to do when they are done, then an overall understanding of the ISO standard could be enough knowledge.
Data protection officer course – With the EU General Data Protection Regulation (GDPR) governing how personal information needs to be protected, you will want to have a main person in charge of meeting this regulation: the data protection officer. If this will be you, then the EU GDPR data protection officer course is what you need to understand the ins and outs of this regulation and what it means for your business.
Internal auditor course – All management systems include a process for your organization to perform an audit of your processes internally to your organization to confirm for yourself that your processes are happening as you planned them to. If you will be one of the internal auditors who will perform these process audits, then this course will help you to understand not only the requirements of the standard, but also the requirements of how to perform a process audit to confirm conformity and find opportunities for improvement in your organization.
Lead implementer course – The main person in charge of implementing the management system needs more than just a passing understanding of the standard requirements. If this will be you, then the lead implementer course will give you a more in-depth knowledge of what the standard requires, as well as knowledge of how to implement the requirements at your organization with practical tools to help. If you are going to be a consultant for others, this course is also an invaluable tool, with certification an option to demonstrate your competence.
Lead auditor course – With the ISO management system standard, many companies will choose to apply for certification as an independent method to demonstrate their compliance with the standard. This process is done by auditors from a third-party, independent certification body who will confirm that the processes you have implemented meet the requirements of the ISO standard. The auditors who will perform these audits need to pass the examination for lead auditor certification. If you are performing internal audits for a company, this training can also be beneficial, as it allows you to understand the training taken by the certification auditors.
Find the training that is right for you
Remember, when picking the training, you should first think about how you will apply the knowledge to ensure you choose the most suitable training for your current or future role. You don’t want to finish training only to find that how you are intended to apply your newfound skills is incompatible with the knowledge gained, as you may then need to re-take additional training for the new role. Choose the right training from the start, and you can be better assured that your utilization of the knowledge will be better applied, and your management system implementation will be easier.
I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.
Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.
ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.
The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges. Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative. ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.
By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples.
Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
Sectorial threat landscape, such as the ENISA 5G Threat Landscape, focuses on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.
Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes2 (CTL WG) consisting of experts from European and international public and private sector entities.
The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).
You can download the ENISA Threat Landscape Methodology here:
