Archive for October 5, 2022

Guest Post: Google Chrome Is The Most Vulnerability-Ridden Browser In 2022

Posted in Commentary on October 5, 2022 by itnerd

All internet users need a browser to access a vast variety of websites available on the World Wide Web. As a result, browsers collect a wide range of sensitive data — from online account passwords to credit card details and more. 

This is one of the key reasons why web browser security is so crucial. However, out of all software products, web browsers are the most affected by security vulnerabilities. 

According to the data presented by the Atlas VPN team, the world’s most popular browser Google Chrome is the most vulnerability-ridden, with 303 vulnerabilities discovered year to date. Google Chrome is also an all-time leader with a total of 3,159 cumulative vulnerabilities.

Next up is Mozilla Firefox, with 117 vulnerabilities, followed by Microsoft Edge, with 103 vulnerabilities discovered YTD — 61% more than in the entire year of 2021. That is an unusually high number for a browser with only 806 total vulnerabilities since its release.

In the meantime, Apple’s Safari browser has had some of the lowest vulnerability numbers in years. Safari, which has recently reached over 1 billion users making it the second most popular browser in the world, had 26 documented vulnerabilities in the first three quarters of 2022. In the meantime, its cumulative vulnerability number stands at 1,139.

Another major browser, Opera, has no documented vulnerabilities this year and only 344 total cumulative vulnerabilities.

While quite different in features, Google Chrome, Microsoft Edge, and Opera are all built on the Chromium engine. It means that Chromium vulnerabilities may impact all of these browsers.

Cybersecurity writer at Atlas VPN Ruta Cizinauskaite shares tips for mitigating web browser cybersecurity risks:

“Hackers have various techniques to exploit browser vulnerabilities. Fortunately, users can take steps to mitigate the risks of their browsers getting compromised. It is important to keep your browsers up to date, to be mindful of the browser plugins you install, as well as to educate yourself about phishing attacks, as it is one of the ways cybercriminals distribute exploit kits aimed at unpatched vulnerabilities in your browser.”

To read the full article, head over to: https://atlasvpn.com/blog/google-chrome-is-the-most-vulnerability-ridden-browser-in-2022

CISA Releases A Binding Operational Directive To Improve Asset Visibility & Vulnerability Detection On Federal Networks

Posted in Commentary on October 5, 2022 by itnerd

Yesterday, CISA, the Cybersecurity and Infrastructure Security Agency, released a Binding Operational Directive (BOD) aiming to improve asset visibility and vulnerability detection on federal networks. The mandate directs agencies to perform automated asset discovery every seven days, and to identify and report suspected vulnerabilities on those assets every 14 days. Here’s what a binding operational directive means:

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.

Is this a good thing or a waste of time? To answer that question, I have gathered some commentary from three experts in the space.

Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel’s intelligence corps. Here’s what he had to say:

It will require a critical look at current tools and strategies and, in many agencies and organizations, an investment in dollars to update technology and processes. Agencies need the right tools for vulnerability detection and prioritization, and they need automated technology for remediation of those vulnerabilities so that they can be focused on more mission-critical objectives. Critical infrastructure in particular often operates with older, legacy technologies that cannot properly defend against modern day threats. With tight budgets, federal agencies and critical infrastructure organizations will need to do some reevaluation of where their time and dollars are allocated if they want to truly be able to manage risk today.

Going back to my comment about legacy technology, government agencies and critical infrastructure organizations are often behind when it comes to the tools they are using. But this establishes baseline requirements for agencies to use in identifying assets and vulnerabilities, and in order to accomplish that these types of organizations will need to invest in creating and using a Software Bill of Materials (SBOM) with dynamic capabilities so that they can see real-time changes in their assets. And they need to combine the SBOM and VEX and get the actual risk present in their environment. VEX is a machine-readable artifact that tells you which vulnerable components in an environment are actually exploitable. The objective of the VEX is to provide information for organizations to use and prioritize their remediation efforts. This contextualization is provided by the software vendor with a machine-readable artifact with justification values of why a particular component is not affected by a specific vulnerability and therefore not exploitable. Organizations should use a Dynamic SBOM that combines a real-time SBOM and the VEX.
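Tancman's SBOM-plus-VEX point, as an added example that is not part of the original post or of any vendor's product: scanner findings on a constructed SBOM are reconciled against constructed VEX statements so that only the vulnerabilities the vendor has not justified as "not_affected" remain on the remediation list. It assumes a simplified OpenVEX-style statement shape; the status and justification vocabularies are the OpenVEX / CISA VEX terms, and every component, package URL and CVE id is a constructed placeholder.

```python
# Added example (not the post's or any vendor's code). Status/justification
# vocabularies are OpenVEX / CISA VEX terms; component names, versions, purls
# and CVE ids are constructed placeholders.
# Constructed SBOM: components identified by package URL (purl).
SBOM_COMPONENTS = {"pkg:generic/libfoo@1.2.3", "pkg:generic/libbar@2.0.0",
                   "pkg:generic/libbaz@0.9.1"}
# Constructed scanner output: placeholder CVE ids matched to SBOM components.
SCAN_FINDINGS = [
    {"vuln": "CVE-0000-0001", "purl": "pkg:generic/libfoo@1.2.3"},
    {"vuln": "CVE-0000-0002", "purl": "pkg:generic/libbar@2.0.0"},
    {"vuln": "CVE-0000-0003", "purl": "pkg:generic/libbaz@0.9.1"},
    {"vuln": "CVE-0000-0004", "purl": "pkg:generic/libfoo@1.2.3"},
]

# Constructed VEX statements (simplified OpenVEX shape) from the vendor.
VEX_STATEMENTS = [
    {"vulnerability": "CVE-0000-0001", "products": ["pkg:generic/libfoo@1.2.3"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-0000-0002", "products": ["pkg:generic/libbar@2.0.0"],
     "status": "affected"},
    # "not_affected" with no justification must not close a finding.
    {"vulnerability": "CVE-0000-0004", "products": ["pkg:generic/libfoo@1.2.3"],
     "status": "not_affected"},
]

# CISA VEX justification values for why a component is not exploitable.
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

def prioritize(findings, vex, sbom):
    """Split findings into (actionable, closed); each row carries a reason."""
    # Index statements by (vulnerability, product); ignore products not in the SBOM.
    index = {(s["vulnerability"], p): s
             for s in vex for p in s["products"] if p in sbom}
    actionable, closed = [], []
    for f in findings:
        s = index.get((f["vuln"], f["purl"]))
        if s is None:
            actionable.append({**f, "reason": "no VEX statement"})
        elif s["status"] == "fixed":
            closed.append({**f, "reason": "fixed per VEX"})
        elif s["status"] == "not_affected" and s.get("justification") in VALID_JUSTIFICATIONS:
            closed.append({**f, "reason": s["justification"]})
        else:  # affected, under_investigation, or unjustified not_affected
            actionable.append({**f, "reason": s["status"]})
    return actionable, closed
```

Re-running `prioritize` whenever the SBOM changes is what turns a static component list into the "dynamic" view the quote describes: a VEX statement only closes a finding while its product is still present in the SBOM.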

Next is Danielle Jablanski, a nonresident fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and an OT cybersecurity strategist at Nozomi Networks:

There is a constant drum beat of industry experts reflecting on government guidance, standards, and recommendations for cybersecurity that stipulates the federal government must do more to walk the walk on building resilience within federal systems and federal technologies before mandating industries to do better. This directive is a step in exactly that direction.

Threat actors targeting OT and ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target. They can be opportunistic, highly tailored, or a mixture of both.

The directive is crucial for two reasons. First, if network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not, these assets cannot be protected without the necessary visibility into their day-to-day functionality.

Second, vulnerabilities are not all the same; the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment.

The highly anticipated CISA cross-sector cyber performance goals (CPGs) are another step in the right direction, to help owners and operators of critical infrastructure prioritize and implement the NIST cyber security framework.

It will also provide a benchmark or starting point for industry to self-evaluate their own cybersecurity practices and program maturity, prioritizing based on technology scope, costs, impact, and complexity.

Finally I have a comment from Ron Brash, VP Technical Research & Integrations at aDolus. He is a household name when it comes to ICS/OT cybersecurity and embedded vulnerability research:

This is stating the obvious, but the #1 resource that civilian agencies will need to be able to comply with the CISA directive is a solid deployment plan and enough staff (or contractors) to enact that plan. Assuming that is in place (a big assumption), the agencies will need to purchase and deploy the tools that can perform regular automated asset discovery scans and interpret the results from these scans. The initial effort to do this is never trivial, as building an accurate IT asset list almost always requires a lot of gumshoeing to correlate the results reported by the tools with what is actually in place. That said, it is a worthwhile endeavor as if you don’t know what you are actually trying to protect, it is hard to protect it. Plus, once the basics are done, it is much easier to keep your assets list up to date.

The real challenge will be the requirement to perform vulnerability scans “across all discovered assets, including all nomadic/roaming devices (e.g., laptops), every 14 days.” Again there are lots of tools available, but they tend to be focused on IT assets, not OT or IoT assets. As a result, agencies will likely run into a “Pareto Problem” — common IT assets like servers and workstations (the 80%) will be easy (20% effort), but then all the remaining non-traditional assets will take 80% of the effort. With the explosion in both OT and IoT products in the last decade, few agencies will escape this pain: think security cameras, badge readers, HVAC systems, and even soft drink machines as connected devices that will take a lot of effort to scan safely and reliably. Agencies with OT assets (such as air, water, or land monitoring and management) will have an even tougher time. 

This publication is a first step towards enforcing cybersecurity vigilance on connected assets. Even though software supply chain security and SBOMs are a core portion of Executive Order 14028, they are only mentioned in the background section in this guidance. In fact the Q&A section is telling: “Q: Why does the directive reference the software bill of materials (SBOM) in the Background section but not in subsequent sections?

A: SBOM is mentioned in the introduction to convey the Administration’s vision and describe our desired state in the long term. The directive focuses on very specific first steps that can be achieved within the next 6-12 months and are prerequisites for broader adoption of SBOM. Without comprehensive asset management, agencies will be unable to effectively use SBOMs to manage risk posed by asset components or libraries.”

SBOMs will require new tools to take advantage of all the new security capabilities they offer. They are also likely to expose a tsunami of previously unknown (but dangerous) vulnerabilities that will need immediate attention by staff. Those responsible for complying with this Operational Directive are getting an early warning from CISA: “SBOMs are becoming a mandatory security requirement in the next year so get your house in order now.”

So it sounds like all of these experts agree that this is a step in the right direction. But it’s a step as part of a longer journey that hopefully will make us all safer as a result.

A Rather Disjointed Email #Scam Is Making The Rounds At The Moment

Posted in Commentary on October 5, 2022 by itnerd

It seems that today is scam day on this blog. Well, to be honest, I track so many scams and report them to you that every day can be considered to be scam day. But in any case, I have a new scam that I’d like to draw your attention to. It starts with this email:

So I am going to go out on a limb and suggest that this is an email-based scam that is meant to get you to call in and perhaps have the scammer take control of your computer or something like that. We’ll get to that in a bit. But the vehicle for the scammer to get you to call them is that this is an email that purports to inform you that you’re being billed for a service that you were testing out. Now this is a somewhat effective means to scam you because a lot of us test out a lot of services and it is entirely possible that you might forget what you’ve tried out and fall for this. And remember, a scam doesn’t have to be successful in volume to be successful. So if only 1% of the people who open this email call in, the scammers win.

In any case, one thing that you’ll note is that this email is all over the place. While it does use some product names in the email, there’s nothing that has this email wrapped around a brand. For example, I’ve seen Best Buy themed scam emails in the past that use that brand to get your confidence. I suspect that this is deliberate, as a disjointed email like this one would be harder to filter out via a spam filter. The downside to that for the scammer is that it is likely that fewer people would act on it. But clearly they’re taking their chances on this.

This also ties into what happens when you click “see details” in the email.

This seems inconsistent with the content in the email if you read the email and compare it to this website. That may make it more likely that you’d call in and be more likely to fall for the scam.

Some other random observations:

  • The English used in the email is horrible as usual.
  • The email address that this email was supposedly sent from is suspect as usual:

All of the above should make you delete this email the second you get it. But in the interest of figuring out what the scam is, I called the number in the email. Which for the record is something that you should never, ever do. I was greeted by cheesy hold music. And messages that said that “all scammers representatives are currently busy. Please stay on the line. And your call will be answered by the next available scammers representative”. This to me seemed very much like the experience that I had with this scam which makes me wonder if the same threat actor is behind this scam, or this sort of setup to carry off a scam like this is now a thing. In any case, I hung up after 5 minutes without speaking to anyone as I had better things to do. But it is clear that this is an active scam that you need to be aware of and make sure that you’re not a victim of.

A Canada Post Email #Scam Is Making The Rounds

Posted in Commentary on October 5, 2022 by itnerd

These email scams are multiplying like rabbits. The latest one that I have for you involves Canada Post and looks like this when it hits your inbox:

Right off the bat, there’s no tracking number which should be the first hint that there’s something suspicious with this email. The other thing that should set off alarm bells is that it’s asking for payment “within 2 days prior to the validity period.” That’s not only to give the email a sense of urgency which will make you act upon it. But as usual, the English is poor. Finally, there’s this:

This isn’t sent by Canada Post as it clearly doesn’t come from a domain that is controlled by them.

All of this should say to you that you should delete this email upon receipt. But what is the scam that the email is trying to get you to fall for? Glad you asked. I tried to go down the rabbit hole on this one, but got nowhere as all this did was take me to a blank screen. So maybe this scam was shut down, or got shut down by the authorities. Either way, given that the scammers were asking for payment to get your package, my guess is that this was a scam to grab either your credit card details or banking details. Regardless, this is one email that you should instantly delete when you get it in your inbox.