“Security Flaws Seen in China’s Mandatory Olympics App for Athletes”
The article I read this week was from the New York Times, and it describes a mandatory app athletes must have while participating at this year’s Winter Olympics in China. The app, which is used to report health & travel data, has serious encryption vulnerabilities according to researchers. It was found that portions of the app used to transmit Covid results & travel information failed to verify the signature used in encrypted transfers, or didn’t encrypt data at all. The app, MY2022, was designed to keep athletes in China from the greater Chinese population in order to control Covid spread. Concerns with the app’s design underscore the broader worries of censorship in China. When security flaws with the app were disclosed to Beijing, an update did not fix the issues, as they likely violated China’s personal data protection laws. Issues of nonexistent encryption have long been an issue for China’s tech industry, as they have the duty of protecting consumer data while also sharing it with government censorship programs. This is also not the first time a Covid-related application has suffered issues, either. They are often not secure or transparent, or they are rushed, which can lead to public distrust in health initiatives. Issues with MY2022 include hackers being able to intercept data, and its messaging service failing to encrypt metadata. The main concern is whether or not these flaws were intentional, because once again proper encryption may interfere with the government being able to “snoop”.
https://www.nytimes.com/2022/01/18/technology/china-olympics-app-security.html
-Alex Knoll
“‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts”
by Sean Lyngaas
3/26/22
To summarize this article, the United States Government is essentially worried that Russians could utilize cyber attacks to spread misinformation to United States citizens regarding Ukraine happenings. To quote cyber expert Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, “All businesses, all critical infrastructure owners and operators need to assume that disruptive cyber activity is something that the Russians are thinking about, that are preparing for, that are exploring options.” The Biden administration referenced the pipeline hacking that occurred in 2021, and they are wary about Russia’s cyber capacity. It is important that owners in charge of critical infrastructure are aware of this capacity, and that they are also investing in network defenses against such attacks.
https://www.cnn.com/2022/03/26/politics/jen-easterly-interview-russia-cnntv/index.html
-Alex Knoll
Cisco Umbrella default SSH key allows theft of admin credentials
Cisco Umbrella default SSH key allows theft of admin credentials (bleepingcomputer.com)
“Cisco has released security updates to address a high severity vulnerability in the Cisco Umbrella Virtual Appliance (VA), allowing unauthenticated attackers to steal admin credentials remotely.” The vulnerability was due to a static SSH host key being present, which allowed for a man-in-the-middle attack that learns administrator credentials, changes configurations, or reloads the VA. There is no impact on default configurations as the SSH service is disabled by default.
Kenneth Saltisky
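The post above turns on a static SSH host key: if every appliance ships with the same host key, any one of them can impersonate the others. A simple fleet-wide check is to fingerprint each host's presented key and flag fingerprints shared by more than one host. The script below is an added example, not code from the article or from Cisco; the hostnames and key blobs are constructed (the blobs are arbitrary bytes, not real SSH keys), and the input format mimics `ssh-keyscan` output (`host keytype base64blob`).

```python
import base64
import hashlib
from collections import defaultdict


def _blob(material: bytes) -> str:
    """Base64-encode constructed 'key material' so the sample lines parse like real keys."""
    return base64.b64encode(material).decode()


# Constructed ssh-keyscan-style lines. Two appliances deliberately present the same
# blob to model a shared/static host key; the jump host has its own key.
SCAN_LINES = [
    "# example-corp host key scan (constructed)",
    f"umbrella-va-01.example.internal ssh-ed25519 {_blob(b'constructed-key-material-one')}",
    f"umbrella-va-02.example.internal ssh-ed25519 {_blob(b'constructed-key-material-one')}",
    f"jumphost.example.internal ssh-ed25519 {_blob(b'constructed-key-material-two')}",
    "malformed line that should be skipped",
]


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(raw key bytes)) without '=' padding."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(lines):
    """Yield (host, keytype, fingerprint) for each well-formed, non-comment line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # skip anything that is not 'host keytype blob'
        host, keytype, blob = parts
        try:
            yield host, keytype, fingerprint(blob)
        except (ValueError, base64.binascii.Error):
            continue  # not valid base64; ignore rather than crash the sweep


def find_shared_host_keys(lines):
    """Return {fingerprint: sorted hosts} for every fingerprint presented by more than one host."""
    by_fp = defaultdict(set)
    for host, _keytype, fp in parse_scan(lines):
        by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SCAN_LINES).items():
        print(f"shared host key {fp} on: {', '.join(hosts)}")
```

Run against real `ssh-keyscan` output, any fingerprint listed with more than one host is worth investigating: either the hosts are clones that never regenerated their keys, or the vendor image shipped with a baked-in key, which is exactly the condition that makes the man-in-the-middle attack in the post possible.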
The battle over end-to-end encryption
The BBC article, “The battle over end-to-end encryption,” is news to understand the recent push by the UK and other agencies against Facebook Messenger. While I was reading this article, it also came to my attention that WhatsApp, iMessage, and Signal protect user data with end-to-end encryption. However, the fact that Facebook has not introduced this control for its messenger application becomes a threat for young users to be victims of online predators.
In today’s digital world, I believe it’s important that our chatting apps protect our data with encryption methods, which scramble data and make it unreadable. Certain websites also use encrypted connections between you and the website. The padlock sign on the browser represents the encryption and is something you might need to check while browsing on the web. Especially for confidential communication or banking websites, it’s even more crucial to make sure criminals cannot read your data while it travels over the internet.
Also, a good highlight comes from the US National Center for Missing and Exploited Children, where they announced 21.7 million reports were made in the US in 2020 about child sexual abuse material being exchanged on social media.
https://www.bbc.com/news/technology-60055270
Miray Bolukbasi
Hackers Using Device Registration Trick to Attack Enterprise with Lateral Phishing
This article explains the email-based social engineering criminals use to spread spam emails and increase the infection pool. The user accounts that were not secured using MFA create a chance for attackers to steal credentials in target organizations and use them to expand their foothold.
Users started receiving phishing links (DocuSign-branded); once they clicked the link, it directed them to a rogue website requesting Office 365 login credentials. Using this phishing method, attackers accessed 100 mailboxes and implemented an inbox detection rule in users’ Outlook. Then the second phase started with attacker-controlled devices joining Azure AD. It helped attackers to expand their attack and move laterally through the network.
The Hacker News: https://thehackernews.com/2022/01/hackers-using-device-registration-trick.html
Miray Bolukbasi
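The chain in the post above (single-factor sign-in with stolen credentials, then an inbox rule, then a device joined to Azure AD) leaves a recognisable pattern in sign-in and audit logs. The detector below is an added example, not code from the article or from Microsoft: it correlates a sign-in that completed without MFA with a device registration or inbox-rule creation from the same user and IP inside a short window. The events, field names (`type`, `user`, `ip`, `mfa`) and the one-hour window are constructed assumptions, not the real Azure AD log schema.

```python
from datetime import datetime, timedelta

# Constructed events, loosely modelled on Azure AD sign-in and audit log entries.
# alice: single-factor sign-in, then inbox rule and device registration within minutes.
# bob:   same follow-on actions but the sign-in used MFA (expected admin behaviour).
# carol: single-factor sign-in, but the device registration is a day later.
EVENTS = [
    {"time": "2022-01-26T09:02:00", "type": "SignIn", "user": "alice@example.com",
     "ip": "203.0.113.7", "mfa": False},
    {"time": "2022-01-26T09:05:00", "type": "NewInboxRule", "user": "alice@example.com",
     "ip": "203.0.113.7"},
    {"time": "2022-01-26T09:20:00", "type": "RegisterDevice", "user": "alice@example.com",
     "ip": "203.0.113.7"},
    {"time": "2022-01-26T10:00:00", "type": "SignIn", "user": "bob@example.com",
     "ip": "198.51.100.4", "mfa": True},
    {"time": "2022-01-26T10:03:00", "type": "RegisterDevice", "user": "bob@example.com",
     "ip": "198.51.100.4"},
    {"time": "2022-01-25T15:00:00", "type": "SignIn", "user": "carol@example.com",
     "ip": "192.0.2.9", "mfa": False},
    {"time": "2022-01-26T16:00:00", "type": "RegisterDevice", "user": "carol@example.com",
     "ip": "192.0.2.9"},
]

WINDOW = timedelta(hours=1)  # assumed correlation window
FOLLOW_ON = {"NewInboxRule": "inbox rule created", "RegisterDevice": "device registered"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def flag_lateral_phishing(events, window=WINDOW):
    """Return {user: [reasons]} for users whose single-factor sign-in was followed,
    within `window` and from the same IP, by an inbox-rule creation or device registration."""
    ordered = sorted(events, key=_ts)
    findings = {}
    for i, signin in enumerate(ordered):
        if signin["type"] != "SignIn" or signin.get("mfa", False):
            continue  # only sign-ins that completed without MFA are of interest
        for later in ordered[i + 1:]:
            gap = _ts(later) - _ts(signin)
            if gap > window:
                break  # events are time-ordered, so nothing further can be in the window
            if (later["user"] == signin["user"] and later["ip"] == signin["ip"]
                    and later["type"] in FOLLOW_ON):
                minutes = int(gap.total_seconds() // 60)
                findings.setdefault(signin["user"], []).append(
                    f"{FOLLOW_ON[later['type']]} {minutes} min after "
                    f"single-factor sign-in from {signin['ip']}")
    return findings


if __name__ == "__main__":
    for user, reasons in flag_lateral_phishing(EVENTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Only alice is flagged: bob's sign-in used MFA, and carol's device registration falls outside the window. In a real tenant the same logic would read from the sign-in and audit log exports, and the strongest fix remains the one the post names, requiring MFA (and restricting who may join devices) so the first step of the chain cannot complete.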
Overcoming the 3 Biggest Challenges in System Hardening
As we discuss host and specifically server hardening this week, I thought this article would be interesting to think about some of the challenges that arise during the hardening process. The author Pollack explains that system hardening is changing the system’s default configurations (function-oriented) to make sure they are capable of protecting (security-oriented) the system. System hardening is crucial for firms because the threat environment is becoming more and more challenging, and establishing secure configurations will help protect against different attack techniques. Also, most organizations have regulations that require implementing a robust hardening policy.
So, now that we are aware of the importance of hardening and its three stages (policies, impact analysis, monitoring), it’s time to look at some of the challenges.
1. Generating an Impact Analysis Report
2. Policy Implementation and Change Management
3. Remaining Compliant
Every challenge listed above offers automated and non-automated solution approaches.
Link: https://www.infosecurity-magazine.com/blogs/biggest-challenges-system-hardening/
Miray Bolukbasi
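The post above describes hardening as moving from function-oriented defaults to security-oriented settings, with policy, impact analysis and monitoring as its stages. The script below is an added example, not code from the article or its author: it audits an `sshd_config`-style file against a small hardening policy, reports each deviation together with the functional impact of changing it (a minimal impact-analysis report), and renders the hardened configuration. The config excerpt, the policy values and the impact notes are constructed assumptions.

```python
# Constructed sshd_config excerpt with permissive, function-oriented defaults.
DEFAULT_CONFIG = """\
# OpenSSH server configuration (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Hardening policy: keyword -> (required value, impact note for the analysis report).
# Values are illustrative; a real policy would come from the organisation's baseline.
POLICY = {
    "PermitRootLogin": ("no", "admins must log in as a named user and escalate with sudo"),
    "PasswordAuthentication": ("no", "users need SSH keys provisioned before the change"),
    "X11Forwarding": ("no", "remote GUI sessions over SSH stop working"),
    "MaxAuthTries": ("3", "fat-fingered logins lock out sooner; agents with many keys may fail"),
    "ClientAliveInterval": ("300", "idle sessions are probed and dropped after inactivity"),
}


def parse_config(text):
    """Parse 'Keyword value' lines; keys are case-insensitive in sshd, so normalise to lower."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit_config(text, policy=POLICY):
    """Return one finding per policy item the config violates (or does not set)."""
    current = parse_config(text)
    findings = []
    for key, (required, impact) in policy.items():
        actual = current.get(key.lower())  # None when the keyword is absent
        if actual is None or actual.lower() != required.lower():
            findings.append({"setting": key, "actual": actual,
                             "required": required, "impact": impact})
    return findings


def harden_config(text, policy=POLICY):
    """Rewrite the config so every policy keyword carries its required value."""
    wanted = {k.lower(): (k, v) for k, (v, _) in policy.items()}
    out, seen = [], set()
    for line in text.splitlines():
        key = line.strip().partition(" ")[0].lower()
        if key in wanted and not line.lstrip().startswith("#"):
            name, value = wanted[key]
            out.append(f"{name} {value}")
            seen.add(key)
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")  # policy items the file never set
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_config(DEFAULT_CONFIG):
        print(f"{f['setting']}: {f['actual']!r} -> {f['required']!r}  (impact: {f['impact']})")
    print(harden_config(DEFAULT_CONFIG))
```

The findings list doubles as the impact-analysis input the post mentions: each deviation names what breaks when it is changed, so the change-management step can be planned, and re-running `audit_config` against the deployed file on a schedule is the monitoring stage.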
Wordle Remains “Free” After NYT Acquisition, but Now Comes Bundled With Tons of Ad Tracking
This article mentions the world-trending game Wordle. The game was originally designed and hosted by Josh Wardle before being handed to the New York Times. Everyone was expecting a subscription or purchase for the game in the future as it gets more popular, but instead, NYT added plugins for ad tracking networks. Also, the game is sharing data with third parties without our knowledge.
Because of uncertainty, everyone is worried about data security while playing the game. Basic contact and location information might be transferred, such as purchase records, email subscriptions, web browsing records, etc.
Miray Bolukbasi
US Passes “game-changing” Cyber Incident Reporting Legislation
This passage of cyber incident reporting legislation was quite a surprise for me, as I would assume it was always required to inform CISA of incidents. However, this article digs deep into the requirements and reporting schedule, as it will become mandatory soon for critical infrastructure companies in specific sectors. To apply the law accurately, CISA also reported 16 US critical infrastructure sectors including communications, manufacturing, defense industrial, emergency services, commercial facilities, chemical, and many more.
The purpose of the law mentioned is to deter organizations from making ransomware payments, provide more intelligence into cyberattack and threat actor plans, assist in information sharing between federal agencies, and ensure a standardized approach to dealing with critical infrastructure cyber attacks.
As listed on CISA’s website, https://www.cisa.gov/critical-infrastructure-sectors, the reporting must include (1) relevant vulnerabilities, (2) efforts taken to mitigate the attack, (3) categories of data believed to have been accessed or acquired by an unauthorized person and any actor reasonably believed to be responsible for the incident, (4) supplemental organization information as new or different information becomes available.
Article link: https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
Miray Bolukbasi
Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation
Microsoft and other security vendors interrupted criminal actions from a botnet called Zloader, which operates a global malware-as-a-service operation that hijacks computers for theft and extortion, including the distribution of Ryuk ransomware in hospitals, schools, and homes. Zloader normally used financial theft operations (stealing online IDs and passwords) in order to take funds from victims’ accounts. In order to resolve this issue, Microsoft obtained a court order allowing them to take down 65 domains used by Zloader and redirect them to a sinkhole, which keeps botnets from operating compromised devices.
https://thehackernews.com/2022/04/microsoft-disrupts-zloader-cybercrime.html
Christopher Clayton
A school district in Chicago released details on its cyber-insurance, from $6,661 in 2021 to $22,229 in 2022. This massive spike is due to an increasing number of threats, their severity, & potential for costly disruptions. A key factor leading to these cost increases is ransomware and also encrypting attacks. The theft of data can significantly compromise school networks, employees, & students. Ransomware attackers target these small school districts because they are rarely well-protected enough to deal with them, and because they typically have active insurance policies, they are attractive targets. For this school district in particular, the insurer is requiring a district-wide implementation of MFA. The attackers typically use compromised user credentials to target systems, so MFA, for the most part, is enough to stop attacks before they can even start. This also prevents attackers from being able to tweak backups. District 87, the district discussed in the article, is one of many that will have to deal with this burden on its annual budget, and that also stretches to apply to organizations such as hospitals, non-profits, & local governments. Attackers see these targets as “soft”, and in order to reduce these new insurance premiums, it begins with increased user awareness.
https://www.bleepingcomputer.com/news/security/school-district-reports-a-334-percent-hike-in-cybersecurity-insurance-costs/
-Alex Knoll