- 1. Biden signs school cybersecurity act into law
So much this: "While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won't be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place," Bambenek said.
- 2. Cyber-security threat hunters seek legal protections
"Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit." - A slippery slope for sure. The trick is to allow researchers to do their thing, but prevent criminals from doing theirs. While private legal action is different from criminal prosecution, what if a situation arises where it's in the public's best interest to keep details secret? Then what if the researcher does not want to cooperate? Also, if we continue to get sue-happy against researchers, they just won't tell the vendor and will sell the exploits to criminals instead.
- 3. Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly
Very important to revoke credentials, and change all known credentials, when an employee leaves: "The owner of Flight Circle found that the records had been tampered with by someone who logged in with the credentials of Melbourne Flight Training's current Flight Operations Manager, according to the document. Police investigators then obtained information related to the IP address used to access that account, and found that it belonged to Hampton Lide. The investigators also subpoenaed Google for information about a Gmail account used to log into the Flight Circle app, and found that the email address belonged to a user with the name "The Lides." Hampton Lide would later tell investigators that this was the family's email address, according to the document."
- 4. Microsoft October 2021 Patch Tuesday Squashes 4 Zero-Day Bugs
- 5. Researcher Disclosed Telegram Vulnerability, Refused Bounty For Staying Quiet
"Specifically, Dmitrii reported the bug to Telegram in March 2021, which the firm even acknowledged. However, it didn’t fix the bug for several months despite recurrent updates for the Telegram client. The researcher kept reminding Telegram officials of the vulnerability. Eventually, the service fixed the bug in a subsequent beta version released in August 2021, which the researcher confirmed. Nonetheless, problems began when Telegram tried to restrict the researcher from disclosing the vulnerability at the time of rewarding the bug bounty, even after the fix. In response, the researcher sent some questions to Telegram regarding the agreement he was supposed to sign, but Dmitrii never got a response. The researcher even noticed a lesser bounty offered to him (Euro 1000) for the bug than what the service had offered previously for a similar flaw (Euro 2500). Eventually, the researcher went ahead with full public disclosure of this vulnerability, CVE-2021-41861."
- 6. Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability – Krebs on Security
"The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code." - WTH? This is a really great point: "Mackey [senior staff attorney at EFF] said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. Which also means such weaknesses are more likely to be eventually found and exploited by actual criminals."
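The failure mode in that story is sensitive data that the backend renders into the HTML it sends, where it sits one View Source away. A check that walks the delivered source rather than the rendered text, as an added example that is not code from the newspaper or from any state system; the sample page, the record and the SSNs in it are constructed:

```python
"""
Scan a server-rendered HTML page for Social Security number patterns anywhere
in the delivered source, not only in the visible text. Hidden inputs, attribute
values, HTML comments and inline scripts are all sent to the browser and are one
View Source away. Added example, not code from the newspaper or any state site;
the sample page and the SSNs in it are constructed.
"""
import re
from html.parser import HTMLParser

# SSN shape AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000,
# which cuts down on matches against phone numbers and order ids.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


class SSNLeakScanner(HTMLParser):
    """Collects (location, value) for every SSN-shaped string in the source."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._tag = None  # tag whose content handle_data is currently inside

    def _scan(self, where, text):
        for match in SSN_RE.finditer(text):
            self.findings.append((where, match.group()))

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:          # hidden inputs, data-* attributes, hrefs
            if value:
                self._scan(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):           # visible text and raw <script>/<style> bodies
        where = f"<{self._tag}> content" if self._tag else "text"
        self._scan(where, data)

    def handle_comment(self, data):        # "TODO remove" comments ship to the client too
        self._scan("comment", data)


def scan_html(html):
    """Return the list of (location, ssn) findings for one page's source."""
    scanner = SSNLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: what a staff lookup form might look like if the backend
# rendered the whole record into the template instead of only the displayed fields.
SAMPLE_PAGE = """<html><body>
<h1>Educator lookup</h1>
<p>Name: Jane Doe (constructed record)</p>
<!-- TODO remove before release: ssn 123-45-6789 -->
<input type="hidden" name="ssn" value="321-54-9876">
<script>var record = {"ssn": "234-56-7890"};</script>
<p>Phone: 555-123-4567</p>
</body></html>"""


if __name__ == "__main__":
    for where, ssn in scan_html(SAMPLE_PAGE):
        print(f"SSN-shaped value in {where}: {ssn}")
```

Running it against the constructed page reports three leaks (comment, hidden input, inline script) and ignores the phone number. Pointed at a site's own rendered pages in a staging environment, the same scanner catches the "whole record in the template" mistake before a reader of the source does.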
- 7. Vulnerability Spotlight: Use-after-free vulnerability in Microsoft Excel could lead to code execution
- 8. Ongoing Cyber Threats to U.S. Water and Wastewater Systems
"The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats." - Easier said than done...
- 9. SS7 Signalling
- 10. ThreatMapper: Open source platform for scanning runtime environments
Sounds neat, and it's free! - "Mapped topology of applications and infrastructure: Using lightweight, easy-to-deploy and non-invasive sensors, ThreatMapper auto-discovers and maps services, containers, cloud resources and third-party APIs within your infrastructure by passively observing network traffic. Continuous discovery of vulnerabilities: ThreatMapper scans online hosts, containers and serverless environments for known vulnerable dependencies, augmenting any “shift left” vulnerability scanning you may do in your development pipeline. Ranked vulnerabilities by attack surface: ThreatMapper ranks discovered vulnerabilities, identifying the highest-risk threats and the order in which they should be addressed by utilizing runtime traffic and cloud context."
- 11. VirusTotal Shares Analysis of 80 Million Ransomware Samples
The takeaways: "First, while big campaigns come and go, there is a constant baseline of ransomware activity that never stops. Second, attackers are using a range of different approaches, including well-known botnet malware and other RATs. Third, in terms of ransomware distribution attackers don’t appear to need exploits other than for privilege escalation and for malware spreading within internal networks. Finally, as noted earlier, Windows accounts for 95 percent of the ransomware targets, compared to 2 percent for Android."
- 12. Apple silently fixes iOS zero-day, asks bug reporter to keep quiet
"In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. In September, he published proof-of-concept exploit code and details on all iOS vulnerabilities after the company failed to credit him after patching the gamed zero-day in July." - This is just silly. Apple is just shooting itself in the foot. How much effort does it take to 1) Credit the researcher and 2) Properly disclose vulnerabilities? I believe it is far more damaging for Apple to hide under a veil of secrecy than to just credit people and come out with it. I'd respect Apple so much more if they'd just admit, like everyone else, that their software has security flaws and give credit to researchers that deserve it.
- 13. A Pentagon official said he resigned because US cybersecurity is no match for China, calling it ‘kindergarten level’
"But Chaillan quit on September 2. In his departing LinkedIn post, he cited the Pentagon's reluctance to make cybersecurity and AI a priority as a reason for his resignation. Speaking to the Financial Times in his first interview since leaving, Chaillan said China was far ahead of the US. 'We have no competing fighting chance against China in fifteen to twenty years. Right now, it's already a done deal; it is already over in my opinion.'"
- 14. GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117
"keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output."
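The detection side of that advisory: if a CSPRNG (or the code feeding it) repeats output, the same primes show up in keys that should be independent, and a plain GCD across the moduli finds them. The following batch check is an added example, not code from keypair, node-forge or the GHSL advisory; the moduli are constructed from small primes so it runs instantly, but the logic is the same for 2048-bit moduli collected from authorized_keys files or a certificate inventory:

```python
"""
Batch check for RSA public moduli that repeat or share a prime factor, which is
the symptom the keypair advisory describes (identical P and Q turning up across
independently generated keys). Added example; not code from keypair, node-forge
or the GHSL advisory. The moduli below are constructed from small primes so the
check runs instantly; the same logic applies to 2048-bit moduli pulled from
authorized_keys files or a certificate inventory.
"""
from itertools import combinations
from math import gcd


def find_weak_moduli(moduli):
    """Compare every pair of moduli.

    Returns a dict with two lists:
      'duplicate'     : (i, j) pairs whose moduli are identical, i.e. two
                        "independent" keys that are really the same key
      'shared_factor' : (i, j, p) where p = gcd(n_i, n_j) is a proper factor,
                        so both keys are factored by one gcd call

    Pairwise comparison is O(n^2); for a large inventory use a product-tree
    batch GCD, which finds the same shared factors in near-linear time.
    """
    duplicate = []
    shared_factor = []
    for i, j in combinations(range(len(moduli)), 2):
        n_i, n_j = moduli[i], moduli[j]
        if n_i == n_j:
            duplicate.append((i, j))
            continue
        p = gcd(n_i, n_j)
        if p != 1:
            shared_factor.append((i, j, p))
    return {"duplicate": duplicate, "shared_factor": shared_factor}


def recover_factors(n, p):
    """Given a modulus and one known prime factor, return (p, q) with p*q == n."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    return p, n // p


# Constructed sample: small primes standing in for 1024-bit RSA primes.
P1, Q1 = 61, 53
P2, Q2 = 67, 71
P3 = 73
Q4 = 79
Q5 = 83
SAMPLE_MODULI = [
    P1 * Q1,   # key 0: healthy-looking key
    P2 * Q2,   # key 1: unrelated key
    P1 * P3,   # key 2: CSPRNG gave the same first prime as key 0
    P1 * Q1,   # key 3: CSPRNG gave both primes again, a duplicate of key 0
    Q4 * Q5,   # key 4: unrelated key
]


if __name__ == "__main__":
    report = find_weak_moduli(SAMPLE_MODULI)
    for i, j in report["duplicate"]:
        print(f"keys {i} and {j}: identical modulus {SAMPLE_MODULI[i]}")
    for i, j, p in report["shared_factor"]:
        print(f"keys {i} and {j}: shared prime {p}; key {i} factors as "
              f"{recover_factors(SAMPLE_MODULI[i], p)}")
```

On the constructed set the check flags keys 0 and 3 as the same key and recovers the shared prime between keys 0 and 2 (and 2 and 3); any modulus that falls into either bucket in a real inventory should be treated as compromised and rotated, regardless of which library produced it.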
- 15. Kim Zetter on Twitter
If you read Countdown to Zero-Day: "A. Q. Khan has died from COVID. The Pakistani scientist is known for stealing centrifuge designs from a Dutch company and using them to launch Pakistan's illicit nuclear program and selling the designs & centrifuge parts to Iran, Libya and North Korea."
- 16. IoT Hacking and Rickrolling My High School District
This story is amazing. A high school student discovered security flaws in the AV systems used across the entire school system. Eventually, they worked as a small team to rickroll the entire district after the last class was completed for the day. You can hear students singing and even see teachers dancing. First off, this could easily have gone wrong, and the students could have been expelled and/or faced criminal charges. However, they did wait until after they graduated (LOL) to pull off the attack. Also, it would be difficult for the school to prove damages, as the students were very careful not to disrupt classes or exams or damage any systems, and they even removed the software they installed after the prank was completed. The way they tested the prank was amazing: using a webcam on a computer to observe the AV system in action, after hours when no classes were in session. They also created a very detailed report and presented it to the administration. The one thing they did not do was get permission, a big no-no. But if they had sought permission, would the school have let them rickroll everyone?