WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology

In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment.  More…

CISA, NSA, and Partners Release New Guidance on Securing the Software Supply Chain

11/09/2023 07:00 AM EST

Today, CISA, the National Security Agency (NSA), and partners released Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.

Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.

CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

Admins Continue to Use Weak Passwords

From Knowbe4

If anyone should know the importance of good password policy, it should be your Admins.  But a recent report suggests that may not be the case.

In an analysis of web pages identified as admin portals, some incredibly weak passwords were identified – and some of them are going to really surprise you.

We all know the general drill with admin passwords – make them complex and long. Simple right?

But a new analysis of admin passwords shows that IT admins seem to not be vigilant around good password hygiene. According to an analysis of 1.8 million passwords by security vendor Outpost24, the top 20 passwords they found are really terribly bad:

admin
123456
12345678
1234
Password
123
12345
admin123
123456789
adminisp
demo
root
123123
admin@123
123456aA@
01031974
Admin@123
111111
admin1234
admin1
Note that the number one password is “admin.” Seriously? In today’s cybersecurity climate, IT pros are still using these passwords? This shows that even IT pros need to be enrolled in continual security awareness training so they are reminded of the need for good password hygiene – which includes the use of properly secure passwords.

Articles by Brue Schneier

Child Exploitation and the Crypto Wars

[2023.10.23] Susan Landau published an excellent essay on the current justification for the government breaking end-to-end-encryption: child sexual abuse and exploitation (CSAE). She puts the debate into historical context, discusses the problem of CSAE, and explains why breaking encryption isn’t the solution.

EPA Won’t Force Water Utilities to Audit Their Cybersecurity

[2023.10.24] The industry pushed back:

Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups.

Republican state attorneys that were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorney generals of Arkansas, Iowa and Missouri all sued the EPA — claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.

So now we have a piece of our critical infrastructure with substandard cybersecurity. This seems like a really bad outcome.

The Future of Drone Warfare

[2023.10.31] Ukraine is using $400 drones to destroy tanks:

Facing an enemy with superior numbers of troops and armor, the Ukrainian defenders are holding on with the help of tiny drones flown by operators like Firsov that, for a few hundred dollars, can deliver an explosive charge capable of destroying a Russian tank worth more than $2 million.

[…]

A typical FPV weighs up to one kilogram, has four small engines, a battery, a frame and a camera connected wirelessly to goggles worn by a pilot operating it remotely. It can carry up to 2.5 kilograms of explosives and strike a target at a speed of up to 150 kilometers per hour, explains Pavlo Tsybenko, acting director of the Dronarium military academy outside Kyiv.

“This drone costs up to $400 and can be made anywhere. We made ours using microchips imported from China and details we bought on AliExpress. We made the carbon frame ourselves. And, yeah, the batteries are from Tesla. One car has like 1,100 batteries that can be used to power these little guys,” Tsybenko told POLITICO on a recent visit, showing the custom-made FPV drones used by the academy to train future drone pilots.

“It is almost impossible to shoot it down,” he said. “Only a net can help. And I predict that soon we will have to put up such nets above our cities, or at least government buildings, all over Europe.”

Science fiction authors have been writing about drone swarms for decades. Now they are reality. Tanks today. Soon it will be ships (probably with more expensive drones). Feels like this will be a major change in warfare.