ANOM Bust, Ransomware Solutions, NAC, & A PCI Deathmatch! – PSW #698

"We don't have a workforce shortage problem. What we have is an automation-in-the-wrong-place problem. It's not about training people to do traditional network security. What we need are mathematical models that meaningfully predict risk and provide pathways to reduce it. This lesson is easily seen in vulnerability management, but it's applicable to other fields. Think of it this way: The typical enterprise network has millions of vulnerabilities. On median, our research found that out of about 500 enterprises, IT teams fix 10% of those vulnerabilities, though some exceptional performers patch 25% on a monthly basis. If companies were to hire enough people to eliminate every vulnerability from their systems, they'd need to at least quadruple their workforce devoted to the task." - I disagree with Michael Roytman on all points. We do have a workforce shortage problem, as there is not enough talent across the board to fill roles IN ALL aspects of cybersecurity. Cybersecurity needs people in IT, development, policy, HR, legal and more. We need a fundamental structure that defines what roles need to be created and curated, then a system to develop talent in those areas. Yes, we need technical people, but more importantly we need people that understand cybersecurity (and that does not mean that your are a technical wizard per se). Also, the entire narrative that there are so many vulnerabilities and we should only focus on the ones that are weaponized does not represent the entire picture. Attackers don't always rely on vulnerabilities and exploits, that ship sailed a long time ago. Successful attacks are about targeted weaknesses. These weaknesses could be people, processes, technologies, or even better a combination of all three. Security is not just about patching your shit (but you must patch your shit). Security is not all about educating your employees (though you should do that too). Its more about building resilient systems and monitoring said resilient systems to enure they are working properly. Patching, configuration management, event monitoring, data security, etc.. are all part of that. You can patch all your shit, okay even patch all your shit that has exploits that are being used, and still get hacked because of authentication, social engineering, the fact that you just installed AD and did nothing else to secure it, configured cloud services and didn't apply any controls, etc...

Valid point? - "Speaking of cryptography, it’s not just about using proven technologies, but since your flying metal might be up there for decades, using beginning-of-life cryptography algorithms that are more resistant to quantum cryptographic cracking is a good idea. Large number AES (Advanced Encryption Standard) is quantum resistant, for example, while RSA isn’t."

This is actually a good article (based on title alone I was ready to shread it). I love this: "So, what is needed, say CIOs, are three things: Good security operations, Good security policy, Good security engineering and testing"

"Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Smart Install can be very useful for organizations, but it can also pose a serious security risk." - I actually have never seen Smart installs being used by enterprises, other than to allow people to hack your shit.

A few thoughts on this: While Phil was not a hardcore mathematician or cryptographer, his application of public-key systems was a notable change in computing history. His first attempt at cipher suite was called "Bass-o-matic" in PGP 1.0, and it was horrible. The article seems to leave this out! TO Phil's credit, he got with actual crypto people and swapped it out in version 2. The fact that we can all use cryptosystems today is amazing when prior to 2001 the US Government was not keen on allowing everyone to encrypt communications.

This is a great list.

"Using a transparent bridge. This is the implementation of Skip´s idea, which involves a device that - simply spoken - in a first instance just lets all the traffic traverse it by means of forwarding rules, being totally transparent to the network and all the participants. Next it does some tcpdump magic to sniff traffic like ARP, NetBIOS but also Kerberos, Active Directory, web etc., extracting the needed info to spoof the victim and the networks gateway to stay under the radar. With this info the needed rules in ebtables, iptables etc. are automatically created, and will allow an attacker to interact with the network mimicking the victim."

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app, and starting in 2018, distributed on black markets.

Attackers have been identified leveraging the new "Siloscape" malware for more than a year in attacks designed to compromise Windows containers in order to then compromise Kubernetes nodes and backdoor clusters, which allows them to later abuse the compromised clusters to conduct other malicious attacks.

Researchers have uncovered two vulnerabilities (CVE-2021-21000 and CVE-2021-21001) affecting WAGO industrial controllers that could be exploited by attackers to disrupt technological processes, which could result industrial accidents.

RockYou2021, the largest password compilation of all time has been leaked on a popular hacker forum, it contains 8.4 billion entries of passwords.

The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. 63.7 of 75 Bitcoins. DarkSide got 15%, Affiliate got 85% of the 75, this represents the affiliate's share.

DOJ has announced it will prioritize ransomware attacks similar to the way it prioritizes terrorism

A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges and hijack wireless communications on vulnerable devices.

UF Health The Villages Hospital UF Health Central Florida has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT.

Hackers have been spotted actively scanning the Internet in search of VMware vCenter servers that have not been patched against a critical remote code execution (RCE) vulnerability (CVE-2021-21985) that could be exploited to execute commands on the system hosting the targeted vCenter Server.

A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information. (Faceprints and Voiceprints)

Financial software maker NSE has disclosed it suffered a ransomware attack during which attackers breached its internal networks and encrypted "essential business data."

Microsoft's June 2021 Patch Tuesday, comes fixes for seven zero-day vulnerabilities, six of which are known to be exploited, and a total of 50 flaws, so Windows admins will be busy.

A San Francisco hacker already serving a 13-year prison term has been charged with using a smuggled cell phone to loot consumer debit card accounts, then channeling the profits into smuggling which used a remotely-piloted drone to drop contraband into the prison yard.