Jul 11 2022

The CISO MindMap

Category: CISO, vCISO | DISC @ 10:05 am

The CISO MindMap (with Rafeeq Rehman)

This episode features Rafeeq Rehman.  He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:

1.  Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

2.  Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

3.  To serve your business better, train staff on business acumen, value creation, influencing and human experience.

4.  Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

5.  Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

6.  Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.

Links:

  • CISO MindMap Link
  • CISO MindMap 2022 Recommendations Link
  • Information Security Leaders Handbook Link
  • Cybersecurity Arm Wrestling Link

CISO – Chief Information Security Officer

Tags: Chief Information Security Officer, CISO, CISO Chief Information Security Officer


Jul 11 2022

The impact of DNS attacks on global organizations

Category: DNS Attacks, Information Security | DISC @ 9:32 am

Often we see stories about cyber attacks that breached an organisation’s security perimeter, and advice on how we can protect against future threats. What is often missed, however, is just how the threat actors managed to breach the system, and the fact that the Domain Name System (DNS) probably played a very large role in the attacker’s entry point.

In this Help Net Security video, Chris Buijs, Chief Evangelist at EfficientIP, talks about the importance of making DNS part of an organisation’s security strategy.

DNSSEC Mastery

Tags: DNS attacks, DNSSEC


Jul 10 2022

How to choose the most appropriate training

Category: CISO | DISC @ 12:20 pm

When implementing and maintaining a management system, it becomes vitally important to ensure that you have acquired adequate knowledge of the standard to ensure success. It does not matter if you are considering ISO 27001:2013 for information security, ISO 9001:2015 for quality management, or ISO 14001:2015 for environmental management, gaining the necessary knowledge about the standard requirements is an important first step to implementing. However, it can be difficult to pick the right course.

Below is a table explaining the different training courses available, including duration and suggested participants:

How to select the most appropriate ISO training

Which course should you choose?

So, with all of the training course options available, how do you pick the right course? This is very much dependent on which role you will play in the implementation and maintenance of the management system.

Here is a bit about the different types of courses to help you decide:

  • Foundations course – Do you just need to understand the basics of the ISO standard? Then the foundations course might be what you want. This course becomes invaluable if you will have expert assistance for your implementation, but need to have a good overall understanding of the requirements. For instance, if you will have a consultant, but want to know what to do when they are done, then an overall understanding of the ISO standard could be enough knowledge.
  • Data protection officer course – With the EU General Data Protection Regulation (GDPR) governing how personal information needs to be protected, you will want to have a main person in charge of meeting this regulation: the data protection officer. If this will be you, then the EU GDPR data protection officer course is what you need to understand the ins and outs of this regulation and what it means for your business.
  • Internal auditor course – All management systems include a process for your organization to audit its own processes internally, to confirm for yourself that your processes are happening as you planned them. If you will be one of the internal auditors who perform these process audits, then this course will help you to understand not only the requirements of the standard, but also how to perform a process audit to confirm conformity and find opportunities for improvement in your organization.
  • Lead implementer course – The main person in charge of implementing the management system needs more than just a passing understanding of the standard requirements. If this will be you, then the lead implementer course will give you a more in-depth knowledge of what the standard requires, as well as knowledge of how to implement the requirements at your organization with practical tools to help. If you are going to be a consultant for others, this course is also an invaluable tool, with certification an option to demonstrate your competence.
  • Lead auditor course – With the ISO management system standard, many companies will choose to apply for certification as an independent method to demonstrate their compliance with the standard. This process is done by auditors from a third-party, independent certification body who will confirm that the processes you have implemented meet the requirements of the ISO standard. The auditors who will perform these audits need to pass the examination for lead auditor certification. If you are performing internal audits for a company, this training can also be beneficial, as it allows you to understand the training taken by the certification auditors.

Find the training that is right for you

Remember, when picking the training, you should first think about how you will apply the knowledge, to ensure you choose the most suitable training for your current or future role. You don’t want to finish a course only to find that the way you are expected to apply your newfound skills does not match the knowledge gained, as you may then need to take additional training for the new role. Choose the right training from the start, and you can be better assured that the knowledge will be well applied and your management system implementation will be easier.

Tags: ISO 27001 Auditing, ISO27001 training, ISO27k courses, ISO27k training


Jul 08 2022

ENISA released the Threat Landscape Methodology

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 11:17 am

I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.

Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.

ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.

The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges.

Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative. ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.

By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples.

  • Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
  • Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
  • Sectorial threat landscapes, such as the ENISA 5G Threat Landscape, focus on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.

Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes (CTL WG) consisting of experts from European and international public and private sector entities.

The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).

You can download the ENISA Threat Landscape Methodology here:

ENISA Threat Landscape Methodology

Did you manage to assess the risks of remote work so that your company data remain safe?

To help you out, Advisera have created a free white paper: Checklist of cyber threats & safeguards when working from home, which outlines the key cyber threats and vulnerabilities you need to address.


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: ENISA, ENISA Threat Landscape, Threat Landscape Methodology


Jun 30 2022

OT security: Helping under-resourced critical infrastructure organizations

Category: OT/ICS | DISC @ 7:59 am

Supply chain risks are compounded for organizations that must protect both their IT and the OT from cyber-attacks. What technologies and approaches should they consider implementing? What specific pitfalls should they avoid, and how?

Most third party risk programs are IT-focused – including suppliers that have access to the organization’s intellectual property or network. But some OT suppliers have access – physical and remote – to the OT environment, for troubleshooting, maintenance, etc., and it’s important that the risk posed by those suppliers is included in the enterprise third party risk program, since remote access to OT poses obvious security risks, and on-site access often involves USB drives and other direct electronic access which also can introduce malware into the OT environment. The good news is that these vendors can simply be included in existing third party risk programs.

On the other hand, more and more suppliers are being impacted by ransomware hitting their OT environment. This impacts their ability to provide their products and services to their customers, which can in turn impact their customers’ operations. Therefore, the scope of third party risk programs needs to be broadened once again to include critical suppliers in OT – those whose products or services are critical to the organization’s own OT operations. Now the bad news: existing third party risk programs typically do not assess security risk in OT environments. In fact, although frameworks and best practices are emerging in OT security, organizations usually need to rely on OT security experts to assist in these assessments and remediation recommendations.

Finally, we have seen increasing cyber attacks against the software supply chain, as well as attacks targeting vulnerabilities in critical OT products. When choosing suppliers of critical OT products, it is important to determine whether the vendor is certified to ISA/IEC 62443 – the leading security certification in OT. Those certifications should be an important factor in choosing products for the OT environment.

How can IT and OT Sec teams improve their cooperation towards their common goal (of keeping all systems working to support the company in achieving its business objectives)?

The future of ICS security depends on OT-centric security solutions - Help Net Security

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment

Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT

Tags: Industrial Cybersecurity, OT security


Jun 29 2022

Harmony blockchain loses nearly $100M due to hacked private keys

Category: Crypto, Cryptography | DISC @ 2:45 pm

Another day, another De-Fi (decentralised finance) attack.

This time, online smart contract company Harmony, which pitches itself as an “open and fast blockchain”, has been robbed of more than $80,000,000’s worth of Ether cryptocoins.

Surprisingly (or unsurprisingly, depending on your point of view), if you visit Harmony’s website, you’ll probably end up totally unaware of the massive loss that the business just suffered.

Even the business’s official blog, linked to from the website, doesn’t mention it.

The most recent blog article dates to the very start of 2022, and is entitled Lost Funds Investigation Report.

Unfortunately, those lost funds aren’t these lost funds.

Apparently, at the start of the year, those lost funds happened when five individuals were ripped off to the tune of just over 19 million of Harmony’s ONE tokens, then apparently worth about 25 US cents each.

Harmony made an offer, back on 04 January 2022, stating that:

We wish to provide the suspect an opportunity to communicate with the Harmony Foundation and return all funds. Harmony will not pursue further legal action or dox your identity so long as we receive your full cooperation. The team will offer you a bounty to reveal how this theft was performed so long as it can be validated.

We’re not sure whether it’s legal for a company to offer to rewrite history to pretend that an unauthorised and probably illegal hack was actually legitimate research, though it did seem to work in the infamous $600 million hack of Poly Networks.

The perpetrator in that case made a flurry of curious pseudo-political blockchain announcements ALL IN CAPS, written in artificially poor English, to claim that money wasn’t the motivator behind the crime.

Ultimately, after currying favour with the cracker by adopting the nickname Mr White Hat, Poly Networks (to many people’s astonishment, including our own) got most of their funds back.

We’re also not sure just how much insulation from prosecution any offer from the victim not to “press charges” is likely to provide, given that in many countries, it’s the state that usually takes the decision to investigate, charge and prosecute suspects for criminal offences.

Some countries, such as England, do give private individuals (including professional bodies or charities) the right to conduct a private prosecution if the state doesn’t want to do it, but they don’t give crime victims a “corollary right” to prevent the state from prosecuting a case if it does want to do so.

Nevertheless, Poly Networks’ unexpected success in recovering more than half-a-billion dollars has encouraged other cryptocurrency businesses to try this “wipe the slate clean” approach, presumably on the grounds that there’s often not much else they can do.

But it doesn’t seem to work terribly often.

It certainly didn’t seem to work for Harmony in January 2022, though if the perpetrator hasn’t yet been able to cash out their ill-gotten gains, they might regret not taking up the offer.

By 15 January 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, but have since sunk to below 2.5 cents each, according to CoinGecko.

Cryptography for Secure Encryption

Tags: Cryptography for Secure Encryption, hacked private keys


Jun 29 2022

Mitre shared 2022 CWE Top 25 most dangerous software weaknesses

Category: Attack Matrix | DISC @ 7:57 am

MITRE has shared the list of the 2022 top 25 most common and dangerous software weaknesses, which can help organizations assess their internal infrastructure and determine their attack surface.

The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.

“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by Mitre.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”

Mitre created the 2022 CWE Top 25 list leveraging Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each vulnerability. The organization also used CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog and applied a formula to score each weakness based on prevalence and severity.

The dataset analyzed by Mitre researchers to calculate the 2022 Top 25 contained a total of 37,899 CVE Records from the previous two calendar years.

Below is a list of the weaknesses in the 2022 CWE Top 25:

Rank | ID | Name | Score | KEV count (CVEs) | Rank change vs. 2021
1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3 (upward trend)
4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0
5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 (downward trend)
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 (downward trend)
7 | CWE-416 | Use After Free | 15.50 | 28 | 0
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0
11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 (upward trend)
12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 (upward trend)
13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 (downward trend)
14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0
15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 (upward trend)
16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 (upward trend)
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 (upward trend)
18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 (downward trend)
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 (downward trend)
20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 (downward trend)
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 (upward trend)
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 (upward trend)
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 (upward trend)
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 (downward trend)
25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 (upward trend)

Mitre also shared year-over-year trends across the 2019 to 2022 lists. The first trend is a significant change from the 2019 Top 25 to the 2022 Top 25: drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift towards and increase in Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.

The second trend in the year-over-year changes from 2019 to 2022 is a relative stability in the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: MITRE Att&CK Framework


Jun 28 2022

Detection, isolation, and negotiation: Improving your ransomware preparedness and response

Category: Ransomware | DISC @ 4:04 pm

Improving threat readiness

When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate it, because the longer a ransomware attack remains unaddressed, the more damage it can do to your organization’s ability to conduct business as usual.

While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little damage as possible, should an attack occur.

Ransomware readiness can be divided into three major components: preparation, detection, and isolation.

Preparation

Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.

The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.

  • Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
  • Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
  • Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.

Detection

Detection refers to the tools, technology, people, and processes in place to notice that an attack is happening or has occurred, and to identify its source within the network. Specific subcomponents of detection include:

  • Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
  • Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
  • Implementing multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.
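The two monitoring signals named above (a known ransomware file extension appearing, and one process rapidly renaming many files) can be turned into concrete detection rules. The following is an added example, not code from the original post: it parses a hypothetical, constructed file-activity log format, flags renames to a constructed sample list of ransomware extensions, and flags any process that changes the extension of five or more files inside a ten-second sliding window. The log format, the extension list and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample of extensions that ransomware families append to encrypted
# files; a real deployment would load this from threat intelligence feeds.
KNOWN_RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt"}

BURST_WINDOW_SECONDS = 10  # sliding window per (host, pid); assumed tuning value
BURST_THRESHOLD = 5        # extension-changing renames in the window that raise an alert

# Hypothetical file-activity log format (constructed for this example):
#   <iso-timestamp> host=<h> pid=<n> proc=<name> op=<rename|write|...> src=<path> [dst=<path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["pid"] = int(ev["pid"])
    return ev


def extension(path):
    """Lower-cased final suffix of a Windows path ('' when there is none)."""
    return PureWindowsPath(path).suffix.lower()


def detect(lines):
    """Run both detection rules over an iterable of log lines; return alerts in log order."""
    alerts = []
    recent = defaultdict(deque)  # (host, pid) -> timestamps of recent extension-changing renames
    burst_flagged = set()        # processes already reported, so each burst is alerted once
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "rename" or not ev["dst"]:
            continue
        key = (ev["host"], ev["pid"])
        new_ext = extension(ev["dst"])

        # Rule 1: the new name carries an extension associated with ransomware.
        if new_ext in KNOWN_RANSOMWARE_EXTENSIONS:
            alerts.append({"rule": "known_ransomware_extension", "host": ev["host"],
                           "pid": ev["pid"], "proc": ev["proc"], "path": ev["dst"]})

        # Rule 2: one process changing many files' extensions in a short window,
        # which is the "rapid renaming of a large volume of files" signal.
        if new_ext != extension(ev["src"]):
            window = recent[key]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > BURST_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append({"rule": "rename_burst", "host": ev["host"], "pid": ev["pid"],
                               "proc": ev["proc"], "count": len(window),
                               "window_seconds": BURST_WINDOW_SECONDS})
    return alerts


# Constructed sample log: one ordinary rename, a burst of five extension changes by
# one process, a ransom-note write, and a single rename to a known ransomware extension.
SAMPLE_LOG = r"""
2022-06-28T09:58:40Z host=ws-17 pid=2210 proc=WINWORD.EXE op=rename src=C:\Users\jdoe\Documents\report.docx dst=C:\Users\jdoe\Documents\report_v2.docx
2022-06-28T09:58:41Z host=ws-17 pid=9001 proc=svc_update.exe op=rename src=C:\Users\jdoe\Documents\q1.xlsx dst=C:\Users\jdoe\Documents\q1.xlsx.zzz
2022-06-28T09:58:41Z host=ws-17 pid=9001 proc=svc_update.exe op=rename src=C:\Users\jdoe\Documents\q2.xlsx dst=C:\Users\jdoe\Documents\q2.xlsx.zzz
2022-06-28T09:58:42Z host=ws-17 pid=9001 proc=svc_update.exe op=rename src=C:\Users\jdoe\Documents\notes.txt dst=C:\Users\jdoe\Documents\notes.txt.zzz
2022-06-28T09:58:42Z host=ws-17 pid=9001 proc=svc_update.exe op=rename src=C:\Users\jdoe\Pictures\img01.jpg dst=C:\Users\jdoe\Pictures\img01.jpg.zzz
2022-06-28T09:58:43Z host=ws-17 pid=9001 proc=svc_update.exe op=rename src=C:\Users\jdoe\Pictures\img02.jpg dst=C:\Users\jdoe\Pictures\img02.jpg.zzz
2022-06-28T09:58:44Z host=ws-17 pid=9001 proc=svc_update.exe op=write src=C:\Users\jdoe\Documents\README_TO_RESTORE.txt
2022-06-28T09:59:10Z host=ws-22 pid=3307 proc=backup.exe op=rename src=D:\backup\archive.tar dst=D:\backup\archive.tar.locked
"""


def run_sample():
    """Apply the rules to the constructed sample log."""
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The burst rule fires once per process when the threshold is crossed, so a single offending process produces one alert rather than one per renamed file.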

Isolation

To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:

  • Limiting any individual employee’s access to only the files and data they must have to do their jobs.
  • Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
  • Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.

Responding to a ransomware attack

Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place: it saves time in decision-making and keeps in check the emotional reactions that can occur during an emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.

Ransomware Protection Playbook

Tags: Improving your ransomware, Ransomware Protection


Jun 28 2022

Latest OpenSSL version is affected by a remote memory corruption flaw

Category: Information Security, Linux Security, Open Network | DISC @ 7:50 am

Expert discovered a remote memory-corruption vulnerability affecting the latest version of the OpenSSL library.

Security expert Guido Vranken discovered a remote memory-corruption vulnerability in the recently released OpenSSL version 3.0.4. That version was released on June 21, 2022, and the flaw affects x64 systems with the AVX-512 instruction set.

“OpenSSL version 3.0.4, released on June 21st 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are not affected. Furthermore, only x64 systems with AVX512 support are affected. The bug is fixed in the repository but a new release is still pending.” reads the post published by Vranken.

The issue can be easily exploited by threat actors and it will be addressed with the next release.

Google researcher David Benjamin, who analyzed the vulnerability, argues that the bug does not constitute a security risk. Benjamin also found an apparent bug in the paper by Shay Gueron upon which the RSAZ code is based.

A Concise Guide to SSL/TLS for DevOps

Tags: OpenSSL


Jun 27 2022

Python packages with malicious code expose secret AWS credentials

Category: Python | DISC @ 7:48 am

Sonatype researchers have discovered Python packages that contain malicious code that peek into and expose secret AWS credentials, network interface information, and environment variables.

All those credentials and metadata then get uploaded to one or more endpoints, where anyone on the web can see them. Going up a directory level showed hundreds of TXT files containing sensitive information and secrets.

In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, explains the situation in more detail.

Python – How to access DB credentials from AWS Secrets Manager?

Tags: secret AWS credentials


Jun 24 2022

How companies are prioritizing infosec and compliance

Category: Information Security, Security Compliance | DISC @ 8:35 am

Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit

Tags: infosec and compliance


Jun 23 2022

How Is Hospital Critical Infrastructure Protected?

Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.

Table of Contents

  1. Hospitals as an important part of the critical infrastructure
  2. Hospitals need special protection to keep patients safe.
  3. Some Of the Specific Things That Can Be Done to Protect Hospitals Against Cyberattacks
  4. There are various practices and systems in place to protect critical infrastructure and hospitals.
  5. Is there anything hospital patients can do to reduce their risk?
  6. Conclusion

Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

Tags: Hospital Critical Infrastructure


Jun 23 2022

Seven zero-days in 2021 developed commercially and sold to governments

Category: Zero day | DISC @ 2:42 pm

Google: Seven zero-days in 2021 developed commercially and sold to governments

Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan.

The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed by spyware vendor RCS Labs and telecoms company Tykelab Srl.

The Google report examined the spyware from RCS Labs, noting that the Italian vendor “uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”

Google TAG researchers Benoit Sevens and Clement Lecigne also touch on the wider commercial spyware industry, noting that Google continues to track the activities of vendors and recently testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work they’re doing “to monitor and disrupt this thriving industry.”

“Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Sevens and Lecigne explained.

“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”

https://therecord.media/google-seven-zero-days-in-2021-developed-commercially-and-sold-to-governments/

Zero Days

Tags: Zero Days


Jun 23 2022

NSO Group told lawmakers that Pegasus spyware was used by at least 5 European countries

Category: Cyber Spy,SpywareDISC @ 8:23 am

The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.

The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.

NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.

“We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”

In April, the Parliament set up a new inquiry committee investigating the use of Pegasus spyware and equivalent surveillance software used to spy on phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, as well as Spanish political groups and targets in Hungary and Poland.

NSO Group

In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.

The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection. 

“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS). 

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”

Privacy advocates and cybersecurity experts have documented the use of Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.

The bad news is that the business of digital surveillance is growing in a worrying and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.

If you want to read more about the Pegasus spyware, take a look at a report investigating its impact on human rights, which was launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.

The report was prepared by the Information Society Department with contributions from Tamar Kaldani, the former Personal Data Protection Inspector and State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108, and Zeev Prokopets, an Israeli executive, product designer, software developer and entrepreneur.

“An investigation report released by a global consortium revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders. ‘The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,’ said the Secretary General of Amnesty International,” concludes the report. “The right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.”

And it’s like, what … 12, 13,000 total targets a year max, exec says

Pegasus Spyware – ‘A Privacy Killer’ 

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: A Privacy Killer, NSO Group, Pegasus spyware


Jun 22 2022

Privacy-focused Brave Search grew by 5,000% in a year

Category: Web SecurityDISC @ 1:49 pm

Brave Search

https://www.bleepingcomputer.com/news/software/privacy-focused-brave-search-grew-by-5-000-percent-in-a-year/

Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year.

To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of the Brave browser.

Additionally, a new search results curation feature called “Goggles” will be released in beta and made available to those who wish to test it.

Brave Search grows by almost 5,000%

Since launching in June 2021, Brave Search grew by almost 5,000%, starting with 8.1 million search queries in June 2021 and growing to 411.7 million by the end of May 2022.

Brave says it grew its current query volume four times quicker than DuckDuckGo, likely assisted by its large community of Brave Browser users.

Brave says that independence has remained at the epicenter of the company’s focus, with Brave Search users receiving 92% of their queries directly from Brave’s independent search index rather than through Bing and Google indexes. 

“Search engines that depend too much or exclusively on Big Tech are subject to censorship, biases, and editorial decisions,” explains Brave in the blog post.

“Brave Search is committed to openness in search. It does not manipulate its algorithm to bias, filter, or down-rank results (unless it’s compelled by law to do so).”

Besides focusing on privacy and independence, Brave also strived to offer new mechanisms that would enrich the experience of using Brave Search.

Discussions were introduced this April as a new feature on Brave Search to draw results from social media platforms like Reddit.

Why you should download Brave Browser NOW! by [Eddie Lance]

Tags: Brave browser, Brave search


Jun 22 2022

Interpol busts 2000 suspects in phone scamming takedown

Category: Mobile Security,Smart PhoneDISC @ 8:51 am

Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?

We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answered…

…but that rarely, if ever, turn out to have a familiar voice at the other end.

Perhaps you’re one of the 40,000,000 or so viewers of famous science-and-engineering YouTuber Mark Rober’s video entitled Pranks Destroy Scam Callers – GlitterBomb Payback?

Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.

If you haven’t seen it, the video starts with the words, “I have 100 cockroaches here, and I placed them in this James Bond-style contraption,” so you can probably imagine how things end.

Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)

Fake refund scams

The scammers in Rober’s video seem to go in mainly for what are known as “fake refund” tricks, which go something like this:

  • Scammers “refund” you an impressive but believable amount, say $2000, for an “over-billing” for a product or service you actually use.
  • They then “help” you log in to your bank account to ensure that the transaction went through.
  • They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
  • They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
  • Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! won’t you help?

Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the “extra” money out of your own account.

After all, you can see the giant refund is there… except that it isn’t, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.

You’re scammed into thinking that they’ve made a mistake that will definitely get them in trouble, and could get you into trouble, too.

The crooks therefore hope to persuade you to help them “cover up” their mistake by withdrawing the “excess” from your own account and paying the non-existent “difference” back to them via some other channel.

While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, you’ll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.

Scams 2022: An Exposition to Scams and How Not to be the Next Victim: Protecting Yourself From Every Type of Fraud

Tags: phone scamming


Jun 21 2022

Internet scans find 1.6 million secrets leaked by websites

Category: Web SecurityDISC @ 1:47 pm

https://portswigger.net/daily-swig/internet-scans-find-1-6-million-secrets-leaked-by-websites

Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.

Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.

Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.


“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.

“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”

Millions of secrets

The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.

Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets, and the list of the top five exposed secret types was completed by messaging app LINE and Amazon Web Services (AWS).

Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.


A majority of exposures across both phases – 77% – occurred in frontend JavaScript files.

Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.

Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”

‘Non-intrusive’ research

The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.

The researchers said they had encountered no legal problems related to the research so far.

“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.

The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no written actions – “only read requests to HTTP URLs and JavaScript files were sent”.

The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.

Red Hunt Labs has open-sourced the tool developed for the research and created a demonstration video:

Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.

RedHunt Labs has set out four best practices for preventing and mitigating leaked secrets: setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications


Jun 21 2022

Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild

Category: Security vulnerabilitiesDISC @ 8:32 am

Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild.

Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild.

The vulnerability, tracked as CVE-2022-22620, was fixed for the first time in 2013, but the fix was lost again in 2016, as the researchers explain below.

“Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations.” reads the post published by Google Project Zero. “This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022.”

Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620 (CVSS score: 8.8), in WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild.

The zero-day vulnerability was fixed by Apple in February; it is a use-after-free issue that could be exploited by processing maliciously crafted web content, leading to arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple. “A use after free issue was addressed with improved memory management.” Google researcher Maddie Stone added: “The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”

The vulnerability was reported by an anonymous researcher and the company addressed it by improving memory management.

Stone analyzed the changes to the software over the years; she started by analyzing the code of the patch shared by Apple and the description of the issue from the security bulletin stating that the vulnerability is a use-after-free.

“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time.” she said.

The researcher noticed that the commits dated October 2016 and December 2016 were very large: the commit in October changed 40 files with 900 additions and 1225 deletions, and the commit in December changed 95 files with 1336 additions and 1325 deletions.

“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.” concludes the expert. “There’s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best-practices.”

apple safari zero-day

The Art of Mac Malware: The Guide to Analyzing Malicious Software


Tags: Apple Safari, The Art of Mac Malware


Jun 20 2022

Get ISO 27001:2022 and 2013 toolkits for the price of one

Category: ISO 27kDISC @ 11:22 am

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 45 document templates – unlimited access to all documents required for ISO 27001 certification, plus commonly used non-mandatory documents
  • Access to video tutorials 
  • Email support 
  • Expert review of a document 
  • One hour of live one-on-one online consultations with an ISO 27001 expert
  • Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents. 

Information security, cybersecurity and privacy protection. Information security controls ISO/IEC 27002:2022


Tags: iso 27001, ISO 27001:2022, ISO/IEC 27002:2022, ISO27001:2013


Jun 17 2022

45% of cybersecurity pros are considering quitting the industry due to stress

Category: Cyber career,InfoSec jobsDISC @ 8:32 am

Deep Instinct released the third edition of its annual Voice of SecOps Report, focused on the increasing and unsustainable stress levels among 1,000 C-suite and senior cybersecurity professionals across all industries and roles. The research found that 45% of respondents have considered quitting the industry due to stress, with the primary issues being an unrelenting threat from ransomware and the expectations to always be on call or available.

cybersecurity professionals stress levels

The research reinforced that paying a ransom remains a hotly debated topic. 38% of respondents admitted to paying a ransom, with 46% claiming their data was still exposed by the hackers; and 44% could not restore all their data even after a ransom was paid.

The great cybersecurity resignation

The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months. This was especially the case for those working within critical infrastructure. These increased stress levels have led cybersecurity professionals to consider leaving the industry altogether, joining in the “Great Resignation,” rather than moving to a new cybersecurity role at a new employer.

  • 45% admit to considering quitting the industry on at least one or two occasions
  • 46% know at least one person who left cybersecurity altogether in the past year due to stress

Who’s stressed and why?

Stress is not only felt by SOC teams and others on the cyber frontlines but also among those in the C-Suite who are making the difficult decisions on how to use their available resources more efficiently.

Biggest stress culprit: Ransomware

45% of respondents said that ransomware was the biggest concern of their company’s C-Suite. The survey found that 38% of respondents admitted to paying up in order to receive the encryption key primarily to avoid downtime (61%) or bad publicity (53%). However, paying the ransom did not guarantee a resolution post-attack in many cases.

Of those reporting that a payment was made:

  • 46% claimed to still have their data exposed by the hackers
  • 44% couldn’t restore all their data
  • Only 16% claimed to have no further issues to date

In response to these issues with ransomware payment, 73% of respondents claimed they would not pay a ransom in the future.

Among those who claimed they would still pay a ransomware demand in the future, widespread doubt remained that doing so would leave them trouble-free.

The fear of paying a ransom in the future included the following:

  • 75% do not expect to have all their data restored
  • 54% fear the criminals will still make the exfiltration of data public knowledge, and
  • 52% fear the attackers will have installed a back door and will return

“Considering that the constant waves of cyber-attacks are likely to become more common and evasive as we move forward, it’s of the utmost importance to ensure that those who dedicate their careers and lives to defending our businesses and country don’t become overly stressed and give up,” said Guy Caspi, CEO of Deep Instinct.

“By adopting and utilizing new defensive techniques, like artificial intelligence and deep learning, we can help the cybersecurity community mitigate one of the most important issues that is often overlooked by many: the people behind the keyboard.”

Fight Fire with Fire: Proactive Cybersecurity Strategies for Today’s Leaders


Tags: cybersecurity pros, Fight Fire with Fire, industry stress

