Maine Hit by MOVEit Supply Chain Attack – Week 12

On November 9th, APNews reported that Maine has informed residents that a MOVEit attack caused a breach. In October, 9to5mac.com wrote about a MOVEit 0day that was making inroads.

Ransomware crews now use a double-extortion method to get victims to pay. Normally, a company or organization might be able to restore from a backup and thereby avoid paying the ransom demanded to restore its services; ransomware crews now add the threat of publishing the stolen information if the ransom isn’t paid.

In 9to5Mac’s 2023 State of Ransomware, the USA is the most targeted country for ransomware: it is 7x more likely to be hit than the next highest countries. Here’s Malwarebytes’ assessment of why CL0P is outpacing Lockbit:

The drive behind the sudden change? CL0P used separate zero-days in GoAnywhere MFT and MOVEit Transfer to gain an edge. This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale.

The use of zero-day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies, mirroring the adoption of the “double extortion” tactic in 2019.

Malwarebytes, https://9to5mac.com/2023/08/04/us-number-one-for-ransomware-attacks/

Unfortunately, I don’t foresee any of this easing up. With ransomware crews achieving successes, they’ll probably continue with this activity. In some areas online, I’m starting to hear that the best recommendation (due to these breaches of information) is to freeze your credit, and thaw it temporarily when shopping. Why is this becoming a common recommendation? With so many breaches, it’s more probable that your information is available. It might also be helpful if the government would implement some protections with teeth to increase the deterrence.

Passkeys – Week 10

In recent news, Amazon is allowing users to adopt passkeys. I wanted to understand a little more about passkeys and how they are supposed to work.

What About Passwords?

Passwords are currently here to stay, and you should still exercise good password hygiene. Good password hygiene/protocol can be summarized as follows:

  • Create strong passwords
  • Avoid repeating passwords
  • Do not share passwords
  • Avoid leaving passwords in unsafe areas — don’t write them on a memo pad
  • Use a Password Manager, whenever possible

About Creating Strong Passwords

Strong passwords have entropy, a measure of how unpredictable the password is and therefore how many guesses an attacker would need to find it. Password policies try to steer users toward better passwords by widening the symbol set: letters, digits, and symbols. But that’s only part of the battle. To reduce the chance of a password being guessed, users should also create passwords longer than 8 characters, and they should avoid easily guessable ones as well.

How Passkeys Work

In the simplest terms, a passkey works like public-key infrastructure: it relies on asymmetric cryptography. Asymmetric cryptography uses two keys: a private key and a public key. A real-life example of asymmetric encryption is SSL/TLS, used by Web sites connecting over HTTPS. The public key is used to encrypt the message and the private key decrypts the message.

So, since the passkey system generates this asymmetric key pair, it relieves the user of having to invent a strong secret. It is also very difficult for attackers to gain access to it, since the private key is stored in the device’s keychain and the passkey system creates a fresh key pair during initial setup for each site. Because it’s kept in the device’s keychain, it is exposed to loss of the device or device failure, which is where cloud services such as Apple’s iCloud Keychain, and the equivalent from each mobile vendor, help by syncing or backing up the keys.

Conclusion

Although I am optimistic about this new method of authentication, I do have apprehension, and I hope that the recovery methods are well-documented. I’m sure passwords and MFA (multi-factor authentication) will remain as a feasible recovery procedure for a while.

One omnipresent problem is user adoption and user education. Users have a diverse set of backgrounds, and the common user “just wants it to work” and really doesn’t care how. Plus, there are users who will be apprehensive about adopting new methods of authentication, and additionally, they’re probably confidently locked (and/or obstinate) into their “tried-and-true method.”

The next hurdle is also adoption by companies deploying them. It takes training, and I’ve seen some really complicated deployments for something as seemingly simple as multi-factor authentication — for whatever reason, possibly poor design by the vendor?

Anyhow, adoption may be slow or fast. Data breaches of client information may push some to switch, but not everyone will. We shall see how this goes.

DHS (Department of Homeland Security) Confirms Your Privacy Is No Longer Safe – Week 9

In ComputerWorld’s article, https://www.computerworld.com/article/3708251/homeland-security-confirms-your-privacy-is-no-longer-safe.html, they confirm that some Federal departments have failed to meet the privacy protections required by the E-Government Act of 2002 and the Homeland Security Act of 2002.

There is no remediation yet; however, users can go into their Location Services and ensure that apps are only permitted access to Location Services as appropriate. Ideally, you should work from a positive security model (deny everything by default), lock them all down, and grant permissions back only as each app comes up and is vetted, but that seems very challenging. I’m surprised that, at this point, Google’s and Apple’s cloud services don’t have an applet to modify certain privacy settings more easily.

Car Privacy Not Included – Week 3

Although I concede that this isn’t specifically cyber security, privacy is almost synonymous with security in general, and in that spirit, I encountered this Mozilla review of car privacy policies: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

In their conclusions, they summarize that consumers really don’t have choices among brands; “they’re all bad.”

Like we mentioned, all of the cars we researched earned our *Privacy Not Included warning label. All of the car brands we researched got our “data use” and “security” dings — and most earned dings for poor data control and bad track records too! We can’t stress enough how bad and not normal this is for an entire product guide to earn warning labels.

The worst problem is that the reviewers could not determine, or even test, how data is secured on the car itself, or how companies manage the data they do collect. And consent to the privacy policies is implicit, since who reads the privacy policy of a car they’re getting into? To add to the problem, Minnesota enacted legislation in 2022, https://www.revisor.mn.gov/statutes/cite/169.475, that requires motorists to use hands-free connectivity with their vehicle, which compounds this issue because motorists are compelled to connect their smartphones if they intend to use them while the vehicle is in operation on motorways.

Many people have lifestyles that require driving. So unlike a smart faucet or voice assistant, you don’t have the same freedom to opt out of the whole thing and not drive a car.

Well – I am grateful that my car is most assuredly, “dumb.” In most cases, the on-board Bluetooth merely permits interoperability for hands-free operation, like making a phone call or changing audio tracks.

If you want to join Mozilla’s petition to get this fixed, you can do so here: https://foundation.mozilla.org/en/privacynotincluded/articles/car-companies-stop-your-huge-data-collection-programs-en/