A quick Saturday digest of cybersecurity news articles from other sources.
Interactive Fall Foliage Map
Fall is one of my favorite times of the year, when the are turns crisp and cold, and the trees show their fall colors. If you are day-trippiing or make color tour plans, this map will help you pick the optimal weekend
Attackers Hit Network Devices and More
Major cybersecurity events in the last week make clear that hackers just keep getting savvier — and security teams need to be vigilant to keep up.
Ransomware groups continue to exploit unpatched vulnerabilities. Remote code execution (RCE) vulnerabilities, such as those exploited by a pair of botnets, highlight the hazards of unpatched devices and the need for patch management. And a rather ingenious application of the Windows Container Isolation Framework demonstrates the potential vulnerability of endpoint security measures. Citrix, Juniper, VMware and Cisco are just a few of the IT vendors whose products made news for security vulnerabilities in the last week.
Collectively, these episodes highlight the need for comprehensive cybersecurity defenses and timely patch management for risk mitigation. More…
Eliminating passwords can reduce friction, phishing threats
Deloitte India’s Anand Venkatraman and Sabiha Hetavkar look at passwordless authentication and how it could be implemented for the workforce, customers and vendors/partners. “Passwordless authentication enables improved security, reduced risks associated with credential theft and phishing, and improved overall user experience by eliminating shared secrets and reducing the need for additional MFA,” they write. Full Story: ISACA
CISA Releases its Open Source Software Security Roadmap
09/12/2023 11:00 AM EDT
Today, CISA released an Open Source Software Security Roadmap to lay out—in alignment with the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan—how we will partner with federal agencies, open source software (OSS) consumers, and the OSS community, to secure OSS infrastructure. To that end, the roadmap details four key goals:
- Establish CISA’s role in supporting the security of OSS,
- Understand the prevalence of key open source dependencies,
- Reduce risks to the federal government, and
- Harden the broader OSS ecosystem.
See CISA’s Open Source Software Security Roadmap to learn more.
Scary New IT Admin Attack Exposes Your MFA Weakness
Identity and authentication management provider Okta has warned of social engineering attacks that are targeting IT workers in an attempt to gain administrative privileges within organizations’ networks.
“In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-Factor Authentication (MFA) factors enrolled by highly privileged users,” Okta says.
“The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.”
The threat actors already had some information about the targeted organizations before they contacted the IT employees.
“Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account,” Okta says.
“In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions.” The attackers also impersonated another identity management provider using a phony app.
“The threat actor was observed configuring a second Identity Provider (IdP) to act as an ‘impersonation app’ to access applications within the compromised Org on behalf of other users,” the company says. “This second Identity Provider, also controlled by the attacker, would act as a ‘source’ IdP in an inbound federation relationship (sometimes called ‘Org2Org’) with the target.
“From this ‘source’ IdP, the threat actor manipulated the username parameter for targeted users in the second ‘source’ Identity Provider to match a real user in the compromised ‘target’ Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user.”
Blog post with links:
https://blog.knowbe4.com/social-engineering-okta-credentials
From Bruce Schneier
Bots Are Better than Humans at Solving CAPTCHAs
[2023.08.18] Interesting research: “An Empirical Study & Evaluation of Modern CAPTCHAs“:
Abstract: For nearly two decades, CAPTCHAS have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAS have continued to improve. Meanwhile, CAPTCHAS have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAS, and how they are perceived by those users.
In this work, we explore CAPTCHAS in the wild by evaluating users’ solving performance and perceptions of unmodified currently-deployed CAPTCHAS. We obtain this data through manual inspection of popular websites and user studies in which 1, 400 participants collectively solved 14, 000 CAPTCHAS. Results show significant differences between the most popular types of CAPTCHAS: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context specifically the difference between solving CAPTCHAS directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that experimental context could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task abandonment by analyzing participants who start and do not complete the task.
Slashdot thread.
And let’s all rewatch this great ad from 2022.
Remotely Stopping Polish Trains
[2023.08.28] Turns out that it’s easy to broadcast radio commands that force Polish trains to stop:
…the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train — sending a series of three acoustic tones at a 150.100 megahertz frequency — and trigger their emergency stop function.
“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”
Even so, this is being described as a cyberattack.
Identity Theft from 1965 Uncovered through Face Recognition
[2023.08.29] Interesting story:
Napoleon Gonzalez, of Etna, assumed the identity of his brother in 1965, a quarter century after his sibling’s death as an infant, and used the stolen identity to obtain Social Security benefits under both identities, multiple passports and state identification cards, law enforcement officials said.
[…]
A new investigation was launched in 2020 after facial identification software indicated Gonzalez’s face was on two state identification cards.
The facial recognition technology is used by the Maine Bureau of Motor Vehicles to ensure no one obtains multiple credentials or credentials under someone else’s name, said Emily Cook, spokesperson for the secretary of state’s office.
When Apps Go Rogue
[2023.08.30] Interesting story of an Apple Macintosh app that went rogue. Basically, it was a good app until one particular update…when it went bad.
With more official macOS features added in 2021 that enabled the “Night Shift” dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Few of those supposed tens of thousands of users likely noticed when the app they ran in the background of their older Macs was bought by another company, nor when earlier this year that company silently updated the dark mode app so that it hijacked their machines in order to send their IP data through a server network of affected computers, AKA a botnet.
This is not an unusual story. Sometimes the apps are sold. Sometimes they’re orphaned, and then taken over by someone else.
Spyware Vendor Hacked
[2023.09.01] A Brazilian spyware app vendor was hacked by activists:
In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive’s servers and access its user databases. By exploiting other flaws in the spyware maker’s web dashboard — used by abusers to access the stolen phone data of their victims — the hackers said they enumerated and downloaded every dashboard record, including every customer’s email address.
The hackers said that dashboard access also allowed them to delete victim devices from the spyware network altogether, effectively severing the connection at the server level to prevent the device from uploading new data. “Which we definitely did. Because we could. Because #fuckstalkerware,” the hackers wrote in the note.
The note was included in a cache containing more than 1.5 gigabytes of data scraped from the spyware’s web dashboard. That data included information about each customer, such as the IP address they logged in from and their purchase history. The data also listed every device that each customer had compromised, which version of the spyware the phone was running, and the types of data that the spyware was collecting from the victim’s phone.
Cryptocurrency Startup Loses Encryption Key for Electronic Wallet
[2023.09.06] The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet — and the recovery key — and therefore $38.9 million. It is now in bankruptcy.
I can’t understand why anyone thinks these technologies are a good idea.
The Hacker Tool to Get Personal Data from Credit Bureaus
[2023.09.07] The new site 404 Media has a good article on how hackers are cheaply getting personal information from credit bureaus:
This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement.
A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer’s identities, and are selling unfettered access to their criminal cohorts online. The tool 404 Media tested has also been used to gather information on high profile targets such as Elon Musk, Joe Rogan, and even President Joe Biden, seemingly without restriction. 404 Media verified that although not always sensitive, at least some of that data is accurate.
On Robots Killing People
[2023.09.11] The robot revolution began long ago, and so did the killing. One day in 1979, a robot at a Ford Motor Company casting plant malfunctioned — human workers determined that it was not going fast enough. And so twenty-five-year-old Robert Williams was asked to climb into a storage rack to help move things along. The one-ton robot continued to work silently, smashing into Williams’s head and instantly killing him. This was reportedly the first incident in which a robot killed a human; many more would follow.
You get the picture. Robots — ”intelligent” and not — have been killing people for decades. And the development of more advanced artificial intelligence has only increased the potential for machines to cause harm. More…
Share
SEP
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com