Archive for May 24, 2022

Summertime Safety Tips from TikTok

Posted in Commentary with tags on May 24, 2022 by itnerd

June is Internet Safety Month, and with family travel set to boom this summer, TikTok is encouraging families to have the “summertime safety and security talk.” 

As part of TikTok’s ongoing efforts to inspire the global community on ways to #BeCyberSmart, today they launched a dedicated “Summertime Safety Tips” in-app Discover page sharing basic safety tools and security tips from popular TikTok creators and leading organizations. Their goal is to help ensure that families have a safe, fun, and secure online experience, no matter where their summer travels or adventures may take them!

More details are available via TikTok’s Newsroom.

Horizon3.ai Reproduces A Critical VMware Vulnerability That Grants Administrative Access

Posted in Commentary with tags on May 24, 2022 by itnerd

The attack team at Horizon3.ai has successfully reproduced CVE-2022-22972, which affects multiple VMware products. The vulnerability allows malicious actors to gain administrative access to VMware Workspace ONE Access, Identity Manager and vRealize Automation. That Horizon3.ai was able to reproduce it is good for Horizon3.ai, but bad for anyone using the affected products, because it means threat actors can do the same and then weaponize it.

Zach Hanley, Chief Attack Engineer, Horizon3.ai:

“Last week VMware released VMware Security Advisory – 0014 which details a critical vulnerability, CVE-2022-22972, which allows a remote attacker to bypass authentication for VMware Workspace ONE, vIDM, and vRA. This vulnerability can lead to attackers gaining administrative rights on the VMware applications and may also lead to root level access on the appliances if chained with CVE-2022-22973. 

“Coinciding with VMware’s security advisory, CISA announced an Emergency Directive mandating that all government agencies patch or mitigate affected products by May 23, 2022. This 5-day remediation window was deemed necessary given the critical nature of the applications and rapid weaponization of previous CVEs. Currently, no other proof-of-concepts have been announced and no reports of in-the-wild exploitation have been noted by threat intelligence organizations.

“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet. Of note, healthcare, the education industry, and state government all seem to account for a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.

“Organizations should address these issues by immediately following the guidance within the VMware Security Advisory. 

“We will likely be releasing the technical details at the end of this week. The technical details will include analyzing the patch to understand how an attacker may have previously abused this code path.

“Given that it took us about a week to develop a PoC, we fully expect motivated attackers to have already developed a PoC and begun exploiting it. We also plan on releasing a minimal PoC at the same time.”

This issue received a fix last Wednesday, as described above. If you are running the affected VMware products, I strongly advise that you patch everything immediately if you haven’t already. The list of affected products is:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

There is also a workaround detailed here for those who can’t patch all the things immediately.

Verizon’s Data Breach Investigation Report Makes For Some Interesting Reading

Posted in Commentary with tags on May 24, 2022 by itnerd

Verizon has dropped their latest Data Breach Investigation Report, or DBIR. Here are some key highlights:

  • Attackers have four key paths to hack into an enterprise: credentials, phishing, exploiting vulnerabilities and malicious botnets
  • 50% of breaches revolve around remote access and web applications
  • Social engineering contributed to 25% of breaches
  • Credential reuse was involved in 45% of breaches
  • Supply chain breaches are the “new hotness” for hackers

Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE added these thoughts:

The DBIR showed that threat actors continue to gain access to networks using a relatively small number of high-level techniques. Once in a network however, threat actors most often reuse the same set of post-exploitation procedures to perform system reconnaissance, privilege escalation, and lateral movement in the target environment. While organizations can’t realistically expect to keep all threat actors out of their networks, through CTI-led adversary emulation and detection engineering, they can ensure that threat actors are detected as early in the intrusion as possible. When threat actors gain a foothold in their network, organizations should be able to ensure it never expands beyond that.

This year’s DBIR should be required reading for any enterprise, as it provides a roadmap for protecting your enterprise from getting pwned by hackers.

UPDATE: I have additional commentary from Artur Kane, VP of Product of GoodAccess:

“Ransomware attacks are no longer limited to the large or the vulnerable. We are seeing government entities, healthcare institutions, or critical infrastructure operators fall victim to ransomware. But that is not all — small private enterprises and even individuals are finding themselves targeted. Size doesn’t matter; if you curate sensitive data, you are a candidate.

Organizations must realize that conservative cybersecurity approaches are no longer enough to keep them protected. They cannot rely on a secure perimeter to repel cyberattacks any more, because the perimeter is disappearing and moving to the internet.

Many users now connect remotely, often from unsecured networks, and companies migrate their infrastructure to the cloud, which moves critical assets outside of the trusted safe-zone and spreads them beyond the reach of legacy security solutions. Companies often do not have control over the devices that users are connecting with, nor the infrastructure they are on.

The threat surface is simply enormous, and cybercriminals like to exploit it to gain unlawful access to internal systems and user data, often targeting unwitting users with phishing scams, spoofing attacks, or other methods to steal access credentials and infiltrate internal systems.

Once inside, there is little to stop them from doing damage or stealing sensitive data. Organizations must therefore implement security measures to tackle these threats.

Besides regular hardware and firmware updates and software patches, it is important to reduce the attack surface to minimize chances of initial intrusion. Organizations can do this by insisting on strong authentication of both users and devices, supported by multi-factor user authentication, and granting user privileges on a strictly need-to-know basis, allowing access only to a pool of strictly necessary systems and no further.

This makes it more difficult for attackers to actually use the stolen credentials, and if they do succeed in penetrating the network, they do not get free access to the entire network, but only a segment, which makes it difficult for them to move laterally and escalate the attack. 

In addition, strong encryption should be employed on all connections, whether this is users, remote branches, or clouds. It is vital to conceal all company traffic from the eyes of potential attackers — they can’t steal what they can’t see.

But even with all these measures in place, compromises will happen, often through simple human error. Besides the aforementioned network segmentation by access privileges, it is also vital to have a real-time threat detection capability to expose threats in their infancy. Security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular training sessions and drills.

Keeping continuous access logs can be an invaluable source of intelligence for tracing the journey of a cybercriminal through layers of security, which is vital for preventing similar attacks in the future. Also, regular backups are an absolute must, as post-breach data recovery can be very costly.

Last but not least, user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery.

Ransomware attacks can only be expected to rise in both intensity and severity, as both profit-oriented and nation-sponsored hacker groups intensify their activities amid the increase in global tensions. All organizations, both private and public, must adapt to this threat both in their own interest and in the interest of the society as a whole.”

UPDATE: Christopher Prewitt, Chief Technology Officer of MRK Technologies had this to say:

As expected, credentials and phishing are the leading paths for breaches. As defenses improve, attackers have utilized credentials to walk right through the front door, even using phishing as a means to acquire credentials.

As in years past, over 80% of breaches involve the human element. Attackers continue to target humans, who want to be helpful or can be tricked into clicking on something, opening a document, or providing their credentials to the attacker. With this, whatever we are doing for email security, it clearly isn’t working well.

Ransomware is a strong influencer on the DBIR data, where “Actor Disclosure” is over 50% as the discovery method for breaches. Historically, the DBIR had shown that dwell time was north of 200 days. As ransoms become more common, its smash-and-grab effects have greatly reduced the dwell time. Ransomware attacks almost doubled year over year. Stolen credentials and phishing account for 70% of how ransomware is deployed.

With more and more investment in cloud and SaaS, it shouldn’t be surprising to see a significant increase in Basic Web Application attacks.

Supply chain isn’t only our consumer-related industries. Almost all companies are reliant on a digital supply chain in order to transact, whether it’s with customers, suppliers, or partners. Supply chains are also a source of risk, with 90% of the supply chain incidents involving losing control of credentials or introducing ransomware.

Google Canada Unveils New Advertising Updates For Canada 

Posted in Commentary with tags on May 24, 2022 by itnerd

Today, Google Canada is hosting their annual Google Marketing Live event. Here are some quick highlights from the event:

  • Ads on YouTube Shorts: Starting today, Video action campaigns and App campaigns will automatically scale to YouTube Shorts. Google has been experimenting with these ads in YouTube Shorts since last year, and they’re now gradually rolling that out to all advertisers around the world. This is an exciting milestone for advertisers, and a key step on our road to developing a long-term Shorts monetization solution for creators, which Google will share more about soon. Later this year, you’ll also be able to connect your product feed to your campaigns and make your video ads on YouTube Shorts more shoppable.
  • Performance Max: Google is announcing six new upcoming additions to Performance Max, expanding experimentation capabilities, cross-product support and advertiser eligibility for the campaign type.
  • Insights Page: Google is introducing three new reports that will roll out over the coming months, including attribution insights, budget insights and audience insights for first-party data.

You can find out more details on Google’s blog post on this year’s announcements here.

GM Pwned By Hackers…. Who Then Fraudulently Obtained Gift Cards

Posted in Commentary with tags on May 24, 2022 by itnerd

GM has alerted customers of a data breach resulting from a wave of credential stuffing attacks against its platform last month, which exposed some customers’ personal information and allowed hackers to redeem GM reward points for gift cards. In the data breach notification sent to affected customers, GM stated that it will be restoring points for all customers affected by this breach.

I have a trio of comments on this. The first is from Domnick Eger, Field CTO of Anjuna Security:

“With the ever-growing issues with PII being leaked by third-party sites, credential stuffing is not an isolated problem; the data being leaked is being used on other sites, and in this case, GM was the target. This problem will continue as long as companies ignore the three most critical security models, including in-use, at-rest, and in-transit. Companies must focus on limiting the attack surface to avoid situations like this and, most importantly, protect their customer data.”

The second is from Christopher Prewitt, Chief Technology Officer of MRK Technologies:

In web applications with basic security measures in place, brute force attacks are likely to fail, while credential stuffing attacks can often succeed. The reason is that even if you enforce strong passwords, users may share that password across services, leading to a compromise. This is why developers should look to utilize CAPTCHA, rate-limit login attempts, and multi-factor authentication to prevent these types of attacks. In this case, this website isn’t critical to GM’s core mission; however, all web properties should be protected from basic attacks.
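Prewitt’s distinction between brute force and credential stuffing, together with the rate limiting he recommends, as an added example in Python (not code from GM, MRK Technologies or this post): it labels each source IP from constructed login events, then replays the same events through a per-source sliding-window limiter. The log format, the distinct-username heuristic and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample auth events (log format, heuristic and thresholds are assumptions
# made for this example): "<epoch_seconds> <source_ip> <username> <result>"
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol FAIL
1003 203.0.113.5 dave OK
1000 198.51.100.9 admin FAIL
1001 198.51.100.9 admin FAIL
1002 198.51.100.9 admin FAIL
1000 192.0.2.44 grace FAIL
1030 192.0.2.44 grace OK
"""

def parse_events(text):
    # Yield (timestamp, ip, username, success) for each line.
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"

def classify_sources(text, min_attempts=3):
    """Credential stuffing spreads attempts over many distinct usernames (about one
    try each); brute force hammers one account repeatedly. Returns {ip: label}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _, ip, user, ok in parse_events(text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["failures"] += 0 if ok else 1
    def label(s):
        ratio = len(s["users"]) / s["attempts"]
        if s["attempts"] < min_attempts:
            return "normal"
        if ratio >= 0.8:
            return "credential_stuffing"
        if ratio <= 0.4 and s["failures"] >= min_attempts:
            return "brute_force"
        return "suspicious"
    return {ip: label(s) for ip, s in per_ip.items()}

class LoginRateLimiter:
    """Allow at most `limit` login attempts per source IP within `window` seconds."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)
    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def replay_with_limiter(text, limit=3, window=60):
    """Per IP: blocked attempts, and how many of them would have been successful logins."""
    limiter = LoginRateLimiter(limit, window)
    blocked = defaultdict(lambda: {"blocked": 0, "successes_blocked": 0})
    for ts, ip, _, ok in sorted(parse_events(text)):
        if not limiter.allow(ip, ts):
            blocked[ip]["blocked"] += 1
            blocked[ip]["successes_blocked"] += int(ok)
    return dict(blocked)
```

On the sample data the limiter blocks the stuffing source’s fourth attempt, which is exactly the one that would have succeeded, while the legitimate user who retried after a typo is never touched.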

Finally, I have a comment from Matt Carpenter, Principal at GRIMM:

Credential Stuffing is only effective because users regularly break best-practice password rules; specifically, they reuse passwords between different sites (and let’s not talk about password longevity and guessability). I’m not condemning the reader (do you feel guilty?), I’ve been guilty of this as well, but that doesn’t take away the real risk of doing so.

Websites have been hacked and credentials stolen and posted, often first on the dark web and later in more public forums. Sometimes exceedingly large websites have been hacked (Facebook, TJX, Netflix, LinkedIn, etc.). In 2020, even a site that tracked stolen credentials was hacked to capture billions of credentials. (https://siliconangle.com/2020/11/04/billions-stolen-credentials-defunct-breach-index-site-leaked-online/)

These stolen credentials don’t just disappear. Google Chrome checks to see if passwords you have saved within Chrome have shown up in public forums, and Chrome relentlessly encourages you to change them.

One of the more harmless but initially troubling attacks these credentials have been used for is blackmail emails. You may recognize variants of “Hello, I’m a hacker, and this is your username and password: <real stolen password>. I’ve hacked your account and installed a trojan that has recorded you visiting porn sites; send me bitcoin, or I’ll share this video with <blah blah blah>.” The attacker most likely hasn’t done anything with your username/email and password except scare you into giving them money.

But of course, these stolen credentials can often be used more like a stolen credit card: to impersonate the owner of the stolen credentials and make use of whatever they provide the attacker. That’s what’s happened here.

Kudos to GM for identifying this activity and taking action on it. I don’t know when the emails notified consumers, but the letters were dated two and a half weeks after April 29th. Of course, the sooner consumers can be notified, the better, but GM “stopped the bleeding” by disabling the exploited feature, and they promised to restore any stolen credit (even though GM still had to pay out for the breach).

I’m basing some of my opinions on their letter, but it sounds like they handled this situation exceedingly well.

Passwords are dead. Long live passwords. While we still use passwords with sites that don’t use Multi-Factor Authentication (like DUO or out-of-band communication like phone calls and emails/texting), I recommend using a password manager and keeping different passwords for each site.

GM requires affected users to reset their passwords before logging in to their accounts again. So if that’s you, I would make your password strong and unique to the site.

UPDATE: Lucas Budman, CEO of TruU had this to say:

As long as we are still relying on the use of a password as an identification and security means, we will continue to see these types of attacks. Yes, second factors like email, SMS, or mobile apps can add a degree of security, but these are all bypassable, too. It is time for the world to move forward and adopt passwordless technology.

Apple Music Is Now Available On Waze

Posted in Commentary with tags on May 24, 2022 by itnerd

Waze has announced that Apple Music will seamlessly integrate with Waze, so drivers can keep their eyes on the road while enjoying the ride. 

With a direct connection between the apps, drivers can now access Apple Music content directly from the Waze Audio Player and enjoy more than 90 million songs, tens of thousands of curated playlists, Apple Music Radio and more while they navigate.

Waze is thrilled to join forces with Apple Music to bring Apple Music subscribers their tunes while driving with Waze on iPhone. Here’s

Details are also available in this blog post: https://blog.google/waze/apple-music-is-now-available-on-waze/

Guest Post: Americans Have Their Sensitive Online Activity Exposed Over 700 Times Daily Says Atlas VPN

Posted in Commentary with tags on May 24, 2022 by itnerd

Real-time bidding (RTB) runs in the background on websites and apps and tracks what you look at, no matter how private or sensitive it is.

According to the data presented by the Atlas VPN team, Americans have their online activity and location exposed 747 times daily. Europeans, on the other hand, have their data exposed 376 times a day on average – roughly half the US figure.

A person in Colorado will have their online activity and location exposed 987 times every day. In 2021, the state’s governor signed the Colorado Privacy Act (the “CPA”), making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law. The CPA, which goes into effect on July 1, 2023, should give Colorado residents more privacy online.

Michigan internet users have their personal data sent to companies 913 times daily. A person in Illinois has their online activity exposed 912 times a day.

Turning to the states with the fewest data broadcasts sent about a person, the District of Columbia comes out on top: D.C. internet users have their online activity shared with advertisers 486 times a day.

Vilius Kardelis, cybersecurity writer at Atlas VPN, shares his thoughts on online privacy:

“With each new data breach, customers are starting to realize that any time they disclose sensitive personal information to any company, that data may be exposed. As a result, people are increasingly demanding data privacy protection. Law enforcement is required to clamp down on data privacy violations.”

More privacy for Europeans

Due to the General Data Protection Regulation (GDPR) implemented in the EU, many European citizens have more control over their personal data.

A person in the United Kingdom will have their online activity and location exposed 462 times daily. Even after leaving the EU, the UK implemented its own variation of GDPR called UK-GDPR.

Polish internet users have their sensitive information shared with advertisers 431 times daily. Third are Spanish users, whose data is broadcast to companies 426 times a day.

On the flip side, a person in Romania has their data shared with advertisers the fewest times in Europe – 149. Estonia is second best, with users’ sensitive information exposed 184 times daily.

To read the full article, head over to: https://atlasvpn.com/blog/americans-have-their-sensitive-online-activity-exposed-over-700-times-daily

Infosec Institute Named a Visionary in EMA’s Vendor Vision Report

Posted in Commentary with tags on May 24, 2022 by itnerd

Infosec Institute, a leading cybersecurity education company, today announced they were named a Visionary in the inaugural Vendor Vision report by Enterprise Management Associates (EMA), a leading IT and data management research and consulting firm. The report highlights the top ten preeminent security companies in their respective categories exhibiting during the 2022 RSA Conference at San Francisco’s Moscone Center, June 6-9. 

Recognized for delivering the right training to the right people at the right time, Infosec helps organizations strengthen their security posture, reduce risk and meet compliance by providing cyber-education for every role within an organization. Infosec Skills and Infosec IQ aim to meet learners where they are, providing them with timely and engaging content that works to fill the growing cyber skills gap. 

See the full list of vendors recognized in the report here. Infosec will be exhibiting at the RSA Conference in booth 3324 in the South Expo Hall, and more information regarding the conference can be found here.