Incident Response Stories – Bill Swearingen – PSW #793

The daily driver debate continues. It's a balance.

Okay so your Canon printer may store your Wifi network details (and credentials). I am just failing to see why this is such a big deal. You can change your password. Also, the likelihood of someone using this attack against you is pretty low. Sure they could pretty easily map the SSID back to your location (Wigle?), but then they have to be in physical proximity. Also, you can just change the password too.

"Unlike similar side-channel attacks like PLATYPUS and Hertzbleed, which require specific knowledge of the cryptographic algorithms running on the victim's machine, Collide+Power is claimed to be a generic attack that works on any modern CPU which allows co-location of attacker and victim data in the same memory cache space." - While slow, some estimates a month to capture a 40-bit key, we could still see this in the wild, though unlikely. I would not be up in arms about it.

"The exfiltration of data from air-gapped networks is a common routine for many APTs and targeted cyberespionage campaigns. And, despite the existence of a broad variety of exfiltration methods, in most cases threat actors choose TTPs based on infecting removable media." - No super-fancy exfil such as audio pulses from system fans or flashing HDD LED lights, nope. Just removable media. Because it works.

I want to be Super Admin, always: "While exploiting this vulnerability requires an existing admin account, it elevates you to a higher privilege level called "Super Admin." Unlike the admin account, which offers restricted elevated privileges, Super Admin gives full access to the RouteOS operating system. "By escalating to super admin, the attacker can reach a code path that allows them to control the address of a function call," - Then you could, potentially, pull off attacks that persist through reboots, OS upgrades, or even full re-installs of the OS.

Interesting story (and not new).

"Technically, the clock doesn’t start ticking on the four-day window for reporting until companies have determined a breach is material." - Yea, the meaning of "material" is a hot topic now, great thoughts here: "But these measures don’t fit every situation. “We have all seen instances where an organization missing forecasts, positively or negatively, impacts earnings per share by pennies, and their stock soars or sinks almost immediately,” he writes. “Calculation of the materiality can be a complex task and requires the use of professional judgment." (Source: https://www.extrahop.com/company/blog/2023/what-constitutes-a-material-security-breach/)

"The hidden security fixes pose a threat to the security and privacy of users, since attackers may exploit the undisclosed vulnerabilities to comprise the unpatched software systems." - I believe it is super important for users to know when a fix is security related (or not). The above links to the paper, here is a description of said paper: https://www.theregister.com/2023/07/26/pythonsilentsecurity_fixes/

Keep in mind there is a lot of maintenance with this method. Also, several techniques for keeping Linux more secure and private means you will have extra work and maintenance to keep things updated. Also, keep in mind when you do more work on your own it may not be that much more secure or private than trusting someone else. Its a balance.

Yep, this is the problem: "“Subtle changes in the Linux kernel introduced by Ubuntu many years ago have unforeseen implications,” explains Ami Luttwak, co-founder and CTO at Wiz. “We found two privilege escalation vulnerabilities caused by these changes and who knows how many other vulnerabilities are still lurking in the shadows of the Linux kernel spaghetti?" - And I hate this problem. Everyone thinks they are an expert. Problems get fixed upstream, but then are reversed when downstream maintainers make changes without regression testing. You don't just trust Linux, you trust everyone and anyone who has had a hand in the creation and packaging of the software. The more hands, the more likely issues will crop up.

I don't think this works.

Amit takes the gloves off when confronting MS: "What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought." - Do you agree? Also, read this article as well: https://cyberscoop.com/tenable-microsoft-negligence-security-flaw/

"I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly excellent P4wnP1. The most common deployment scenario involves a Raspberry Pi Zero W, or possibly a FriendlyArm NanoPi R1S. The downside of these platforms is that you need to be in fairly close physical proximity in order to access the WiFi interface, or even closer to access Bluetooth. The NanoPi R1S can support an LTE modem, to give you much bigger range, but the downside to that is that it looks pretty clunky."

There's no such thing as final.

The U.S. Chamber of Commerce announced its opposition to a new Securities and Exchange Commission rule requiring public companies to annually disclose "material information regarding their cybersecurity risk management, strategy, and governance."

A sweeping partnership comprising nine government agencies and more than 200 nonprofits, corporations, colleges and universities will together build an organized “whole of society” approach to expanding the cybersecurity workforce, the Office of the National Cyber Director (ONCD) announced Monday.

U.S. Senator Ron Wyden, D-Ore., today requested the Justice Department, Federal Trade Commission and Cybersecurity and Cyber Safety Review Board investigate whether lax security practices by Microsoft enabled the recent Chinese government hack of multiple U.S. government agencies and high-ranking federal officials.

It's not just about "matching wits" with external attackers, but also establishing trust among patients, employees and families....

The average cost of a healthcare data breach is now $10.93 million, up from $10.10 million in 2022, according to a new report. Healthcare has the highest data breach costs of all industries — breaches are second costliest in the financial sector, where the average cost is $5.9 million.

A May data breach involving MOVEit Transfer software on Medicare contractor Maximus Federal Services’ corporate network may have exposed an estimated 612,000 Medicare beneficiaries’ personally identifiable information and/or protected health information, the Centers for Medicare & Medicaid Services announced July 28.

Do you think AI wrote this article?

According to the Cybersecurity and Infrastructure Security Agency (CISA), using improperly maintained legacy software is one of the most dangerous practices for organizations. Hmmmm...

Cybersecurity remains a critical focus for organizations worldwide. With an ever- evolving threat landscape and increasing sophistication behind cyber attacks, adherence to security regulations and standards is now more important than ever.

Drata, a continuous security and compliance automation platform, today announced it has been selected by KnowBe4 as the company's exclusive GRC partner. KnowBe4 is transitioning its KnowBe4 Compliance Manager (KCM) offering to a support-only model and endorses Drata as the preferred offering for migration. Note: I've just started using Drata in the past week. Ask me what I think about it.

"Another data breach, a new virulent variant of ransomware, burnt out employees, too little money, and too many threats -- the world of cybersecurity can seem grim. While there is no denying the prevalence of these challenges, there is reason to be hopeful." Is there now...