{"id":29098,"date":"2023-08-05T12:40:51","date_gmt":"2023-08-05T19:40:51","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=29098"},"modified":"2023-08-05T12:41:11","modified_gmt":"2023-08-05T19:41:11","slug":"sb-2023-08-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/08\/sb-2023-08-05\/","title":{"rendered":"Security Bits \u2014 5 August 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Another twist in the NSO Group\/Pegasus story: <a href=\"https:\/\/appleinsider.com\/articles\/23\/08\/01\/embarrassingly-a-fbi-investigation-discovered-that-the-fbi-was-using-blacklisted-iphone-hack-tools\">FBI admits it accidentally used NSO Group tools \u2014 appleinsider.com\/\u2026<\/a> (The tool was <em>Landmark<\/em> not Pegasus, but it was after the US government&#8217;s import ban on NSO Group products, and the tool was used by a contractor doing work on behalf of the FBI.)<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 &#8216;Five Eyes&#8217; Report on Top Exploited Vulnerabilities in 2022<\/h2>\n<p>The relevant intelligence &amp; cybersecurity agencies from the so-called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Five_Eyes\">Five Eyes<\/a> group of nations have jointly released a report outlining the most exploited vulnerabilities of 2022. 
In case you&#8217;re wondering, the Five Eyes are Australia, Canada, New Zealand, the United Kingdom, and the United States.<\/p>\n<p>What makes this report particularly interesting each year is that it doesn&#8217;t tell you about the scariest-sounding vulnerabilities, or the most technologically powerful ones, but the ones attackers actually found to be the most useful. In other words, these are the vulnerabilities that really did enable the most damage in 2022.<\/p>\n<p>While the information in the report is fascinating, <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-08\/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf\">the actual PDF<\/a> is dry and boring-looking \u2014 walls of text full of big words, big tables, and, other than a few logos in the headers and footers, no graphics at all. Don&#8217;t let that put you off, though: the report is short, and the two parts I would recommend are the table of the top 12 most exploited vulnerabilities near the start and the list of recommendations that starts on page 9.<\/p>\n<p>Translating the top 12 into a human-friendly form we get:<\/p>\n<ul>\n<li><strong>1<\/strong> \u2014 Login details leaking from a widely used and very expensive corporate firewall product (<em>FortiOS<\/em> &amp; <em>FortiProxy<\/em> from <em>Fortinet<\/em>)<\/li>\n<li><strong>2, 3 &amp; 4<\/strong> \u2014 Remote code execution and the ability to bypass the login process in self-hosted versions of the most popular corporate groupware product in the world (self-hosted <em>Exchange Server<\/em> from <em>Microsoft<\/em>)<\/li>\n<li><strong>5<\/strong> \u2014 Remote code execution and the ability to bypass authentication in a commonly used Multi-Factor Authentication (MFA\/2FA) solution for servers and enterprise apps (<em>ADSelfService Plus<\/em> from <em>Zoho ManageEngine<\/em>)<\/li>\n<li><strong>6<\/strong> \u2014 Arbitrary code execution in the self-hosted versions of a very popular project management 
suite (<em>Confluence Server<\/em> &amp; <em>Confluence Data Center<\/em> from <em>Atlassian<\/em>)<\/li>\n<li><strong>7<\/strong> \u2014 Remote code execution in an exceptionally popular open source library used in many enterprise apps (the infamous <em>Log4Shell<\/em> vulnerability in the <em>Log4J<\/em> Java library)<\/li>\n<li><strong>8 &amp; 9<\/strong> \u2014 Remote code execution and privilege escalation in a very popular server virtualisation suite (<strong>VMware<\/strong>)<\/li>\n<li><strong>10<\/strong> \u2014 The ability to avoid authentication in one of the biggest and beefiest edge firewalls in the world (<em>BIG-IP<\/em> from <em>F5 Networks<\/em>)<\/li>\n<\/ul>\n<p>So, looking at that list, what stands out to me?<\/p>\n<ol>\n<li>Attackers are targeting exactly the things you&#8217;d expect \u2014 the defences corporations place around their networks (firewalls, MFA, etc.), the day-to-day information that makes companies tick (email, contacts, calendars, project plans, etc.), and the kind of internal apps large organisations build to manage their own operations.<\/li>\n<li>There&#8217;s only one open source product on the list \u2014 Apache Log4J.<\/li>\n<li>The companies on the list are almost all really, really big names \u2014 Microsoft, VMware, Atlassian, F5 &amp; Fortinet (sorry Zoho, you&#8217;re not in the big leagues yet IMO).<\/li>\n<li>Five of the vulnerabilities are in the self-hosted versions of apps that are now available as a Software-as-a-Service (SaaS) offering, and the SaaS customers were not affected.*<\/li>\n<\/ol>\n<p>* <em>Office365<\/em> is Microsoft&#8217;s SaaS offering that includes <em>Exchange<\/em><br \/>\n* <em>Confluence Cloud<\/em> is Atlassian&#8217;s SaaS version of <em>Confluence Server<\/em> &amp; <em>Confluence Data Center<\/em><\/p>\n<p>The other interesting part of the report is always the advice it gives to organisations to defend themselves. 
I&#8217;m extremely fond of a slide Microsoft used in their 2021 annual threat report that put it very simply (paraphrasing): <em>&#8220;doing the cybersecurity basics well protects you from 98% of threats&#8221;<\/em>. That sure lines up with the advice this report gives. None of it is rocket science, though it is of course all easier to say than to do well.<\/p>\n<p>My key takeaways:<\/p>\n<ol>\n<li>Make sure senior management is explicitly responsible for your organisation&#8217;s cybersecurity.<\/li>\n<li>Everything you do must be secure by design and secure by default \u2014 you can&#8217;t just bolt security on later, and you can&#8217;t have things <em>fail open<\/em>.<\/li>\n<li>If you&#8217;re not on the <em>Zero Trust<\/em> train yet, get on it ASAP \u2014 the old <em>moat-and-castle<\/em> model is obsolete!\n<ul>\n<li>MFA everywhere, always.<\/li>\n<li>Make devices prove their identity before they get network access (AKA <em>Network Access Control<\/em>, or NAC).<\/li>\n<\/ul>\n<\/li>\n<li>Patch early and patch often (AKA <em>patch management<\/em>).<\/li>\n<li>Proactively manage your configurations \u2014 capture them in an auditable way so you can detect when something gets changed, and fix it (AKA <em>secure baseline configurations<\/em>).<\/li>\n<li>Proactively audit all privileged access (AKA <em>Identity Governance<\/em>).<\/li>\n<li>Proactively scan your networks so you notice when something new appears (AKA <em>asset discovery<\/em>).<\/li>\n<li>Log everything, send it to a central place, and harness the power of AI to alert you when something out of the ordinary happens.<\/li>\n<\/ol>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/08\/03\/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities\">CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 \u2014 www.cisa.gov\/\u2026<\/a><\/li>\n<li>The PDF of the report \u2014 <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-08\/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf\">www.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Because of how dangerous data breaches can be to the financial health of companies, the US Securities &amp; Exchange Commission (SEC) have updated their rules to require publicly traded companies to disclose <em>&#8220;any cybersecurity incident they determine to be material&#8221;<\/em> within 4 days of determining that such an incident has occurred \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/07\/31\/sec-demands-four-day-disclosure-limit-for-cybersecurity-breaches\/\">nakedsecurity.sophos.com\/\u2026<\/a> (As Naked Security point out, actually defining what is and is not a <em>material cybersecurity incident<\/em> is not at all easy!)<\/li>\n<li>No, ChatGPT did not find any Mac malware \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/did-chatgpt-find-mac-malware-on-the-dark-web-report-of-hvnc-macos-variant\/\">www.intego.com\/\u2026<\/a> \u2014 Joshua Long sums it up perfectly:<\/li>\n<\/ul>\n<blockquote><p>\n  &#8220;The research group essentially asked ChatGPT, <em>&#8216;Hey, do you think there\u2019s more Mac malware out there?&#8217;<\/em> And ChatGPT basically answered, <em>&#8216;Yeah, probably&#8217;<\/em>. 
Then the researchers were like, <em>&#8216;Okay, cool, we\u2019ll go back to doing our jobs now, and try to find some&#8217;<\/em>.\n<\/p><\/blockquote>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>Anyone who worked in IT or studied computer science in the late 90s and\/or early 2000s will instantly recognise what these covers are spoofing \u2014 <a href=\"https:\/\/phpc.social\/@davidbisset\/110814376003516082\">phpc.social\/\u2026<\/a> (found by Allison)<\/li>\n<li>A Handy Guide to Picking STEM Majors from Math With Bad Drawings \u2014 <a href=\"https:\/\/infosec.exchange\/@codinghorror\/110828740888574284\">infosec.exchange\/&#8230;<\/a> (found by Allison)<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on 
fire&#8221;<\/em><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Another twist in the NSO Group\/Pegasus story: FBI admits it accidentally used NSO Group tools \u2014 appleinsider.com\/\u2026 (The tool was Landmark not Pegasus, but it was after the US government&#8217;s import ban on NSO 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,1],"tags":[6024,50,569],"class_list":["post-29098","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-podcasts","tag-five-eyes","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=29098"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29098\/revisions"}],"predecessor-version":[{"id":29103,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29098\/revisions\/29103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=29098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=29098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pod
feet.com\/blog\/wp-json\/wp\/v2\/tags?post=29098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}