Which passwords are attackers using against RDP ports right now?

Posted in Commentary with tags on March 18, 2025 by itnerd

A new research report reveals the 10 most common passwords attackers are using and analyzes their wordlists for the most common complexity rules and password lengths. Results of a similar analysis were completed in 2022, so this research is now refreshed and up to date for 2025. The launch of the report also coincides with the latest addition of over 85 million compromised passwords to the Specops Breached Password Protection service. These passwords come from Specops’ honeypot network and threat intelligence sources.

The key points in the report are:

  • 85 million compromised passwords added to Specops Breached Password Protection
  • Top 10 passwords being used in honeypot attacks
  • Welcome1 is an interesting one: it emphasizes the need for secure employee onboarding, as new passwords are set and maybe never changed, making them an easy target for attack
  • 24% of all honeypot attack passwords are solely numbers
  • Enabling push-spam resistant MFA for RDP connections adds a layer of protection, even if the password were to be breached
  • Keep Windows servers and clients patched and up to date to protect against CVEs
  • Check for misconfiguration – ensure TCP port 3389 is using an SSL connection and isn’t exposed directly to the internet
  • Limit the range of IP addresses that can use RDP connections

You can read the report here.

Apple’s QA #Fails Again With The Company Breaking iCloud Mail On iOS 18.3.2

Posted in Commentary with tags on March 18, 2025 by itnerd

I’ve been saying for years that Apple’s QA has become pretty bad, as there’s been example, after example, after example, after example, after example of Apple dropping the ball when it comes to their QA processes.

Well, they’ve done it again with iOS 18.3.2. While this update contains an important security fix for a flaw that was actively exploited in highly targeted attacks, which is good, it also breaks iCloud mail for many, which is bad. There are complaints on Reddit from users who have discovered that iCloud email is no longer pushing automatically to their devices. Instead, you have to open the Mail app to have messages come down to your iPhone. Push email from other providers like Microsoft appears to be working fine.

There’s no known fix for this that I am aware of. So it’s on Apple to come out with a fix for this, which will likely be iOS 18.4 seeing as that’s due to be released in April sometime. But honestly, this issue should never have gotten out the door. And to add to that, the fact that this is happening with Apple’s own email service is downright embarrassing. I have to honestly wonder if Apple is trying anymore to make quality products that excite and delight people. It really doesn’t seem so.

Red Canary Threat Report uncovers 4x increase in identity attacks

Posted in Commentary with tags on March 18, 2025 by itnerd

Red Canary today unveiled its seventh annual Threat Detection Report, examining the trends, cyber threats, and adversary techniques that organizations should prioritize in the coming months and years. The report tracks the MITRE ATT&CK® techniques that adversaries abuse most frequently, and this year noted four times as many identity attacks compared to the 2024 edition. After debuting in the top 10 in 2024, cloud-native and identity-enabled techniques surged in this year’s report, with Cloud Accounts, Email Forwarding Rule, and Email Hiding Rules ranking among the top five.

Research highlights major shifts in the threat landscape

The data that powers Red Canary and this report are not mere software signals: this data set is the result of hundreds of thousands of investigations across millions of protected systems and identities. Each of the threats Red Canary detected in 2024 was one that the customers’ expansive security controls had not prevented. They are the product of the breadth and depth of visibility that Red Canary leverages to detect threats that would otherwise go undetected.

Red Canary’s 2025 report provides in-depth analysis of nearly 93,000 threats detected within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year. The total number of threats detected increased by more than a third compared to 2024’s report as a result of not only more customers, but also Red Canary’s expanded visibility into cloud and identity infrastructure.

The analysis shows that while the threat landscape continues to shift and evolve, adversaries’ motivations do not. The tools and techniques they deploy remain consistent, with some notable exceptions. Key findings include:

  • Click, paste, compromised – One of the most successful new initial access techniques observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In this attack, adversaries socially engineer users into executing malicious scripts under the pretense that doing so will fix something, like providing access to a video or document.
  • VPN abuse is rampant and difficult to detect – Adversaries constantly use virtual private networks (VPNs) to conceal their location and bypass network controls, but employees also rely on them for legitimate activity. Strikingly, organizations in the educational services sector accounted for 63 percent of all VPN use – a disproportionately high share given their smaller presence among Red Canary’s data. This highlights that environments from organizations in this sector are a potential hotspot for VPN-related security risks.
  • RMM exploitation is on the rise – The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads including ransomware. This year, Red Canary saw malicious use of NetSupport Manager break its yearly top 10, highlighting the popularity of RMM tools amongst adversaries.
  • The not-so-helpful IT desk – Phishing remains prevalent in many forms. Email, QR code (aka “quishing”), SMS, and voice phishing attacks all increased in 2024. Often adversaries posed as IT personnel, asking victims to download malicious or remote control software. In 2024, Black Basta paired email bombing with social engineering, posing as IT personnel “helping” with the issue to gain access and install RMM tools.

The rise of LLMJacking to attack cloud infrastructure

While cloud attacks rose overall in 2024, the techniques adversaries abused have largely remained the same as in past years. However, adversaries have shifted more of their efforts to attacking and compromising cloud infrastructure and platforms:

  • Red Canary observed adversaries attempting to impair defenses inside cloud environments by disabling or modifying firewall rules and logging. Gaining access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles.
  • With the rise of LLM usage, cloud services such as AWS Bedrock, Azure OpenAI, and GCP Vertex AI have become prime targets for adversaries in an attack known as “LLMJacking.” Adversaries have reportedly sold access to these hijacked models as part of their own SaaS “business” and passed all LLM usage costs to the victim.

Info-stealing malware is the ultimate identity threat

In 2024, stealer malware infections were on the rise across Windows and macOS platforms. Adversaries use stealers to gather identity information and other data at scale. In 2024 there were some interesting variations in the use of infostealers, including:

  • LummaC2 was the most prevalent stealer detected in 2024, operating under a malware-as-a-service (MaaS) model and selling for anywhere from $250 per month to a one-time payment of $20,000. Its growing popularity and expanded scope make it a major threat, exposing user credentials and enabling adversaries to gain initial access to organizations using legitimate accounts.
  • Adversaries commonly use LummaC2 to deliver NetSupport Manager, Red Canary’s seventh most detected threat in 2024 – giving them a gateway to deploy other malicious payloads as a follow-up to their initial attack.

Mac malware ran rampant

In 2024, macOS experienced the same phenomenon that Windows did: an exponential increase in stealer malware.

  • Red Canary detected 400 percent more macOS threats in 2024 than in 2023, including an exponential increase in malware driven by Atomic, Poseidon, Banshee, and Cuckoo stealers. Atomic Stealer was the most prevalent, appearing on Red Canary’s monthly top 10 threat rankings five times.
  • In September 2024, detections dropped off sharply after Apple remediated a popular Gatekeeper bypass technique abused by numerous malware families. 95 percent of stealer infections happened before September and just five percent occurred after, highlighting the dramatic and immediate impact that patching can have.

Recommended actions:

  • Limit unsanctioned VPN usage. Tighter policies around acceptable use of VPNs will make VPN use rare, so that when it does appear it becomes a potential signal of suspicious logins and other malicious activity.
  • Manage your centralized identity management solution. A central identity solution isn’t an excuse to kick back. Centralized identity solutions make organizations more secure, but they’re also a priority target for adversaries. Organizations should pay special attention to the evolving threat landscape and be careful to manage their identity infrastructure as safely and securely as possible.
  • Mitigate risk by making patching a top priority. It remains one of the best ways to protect yourself from risk. Unpatched vulnerabilities are one of the most common entry points for adversaries, making timely updates critical to reducing exposure.
  • Balance accessibility to cloud systems with protection. Verify that permissions and configurations are correctly set, and stay informed on how your organization uses cloud infrastructure. Distinguishing between legitimate and suspicious activity requires a deep understanding of what’s normal in your environment.
  • Assess and test your defenses. Look at the top threats and techniques and ask: ‘Am I confident in my ability to defend against each of these?’ Red Canary’s open source test library Atomic Red Team is free and easy to adopt.

About the Threat Detection Report

The full report is intended as a reference library for security practitioners to improve their ability to prevent, mitigate, detect, and emulate cyber threats. It offers detailed guidance on data sources that log relevant evidence of adversary behaviors, tools that collect from those data sources, insight into how security teams can use this visibility to develop detection coverage, and much more deeply actionable information.

The Threat Detection Report sets itself apart from other annual reports by offering unique data and insights, accompanied by recommended actions derived from a combination of expansive visibility and expert, human-led investigation and confirmation of threats.

MIND Reveals Traditional Data Loss Prevention Solutions Are Not Working for Most Organizations

Posted in Commentary with tags on March 18, 2025 by itnerd

MIND™ today announced the release of The State of Data Loss Prevention – Current Struggles and Future Expectations. The report examines trends driving the need for data loss prevention (DLP) solutions to secure sensitive information from unauthorized access, leakage and theft, and key challenges as enterprise security teams struggle with outdated or incomplete tools. The report’s findings underscore the importance of modernizing DLP programs so that organizations can efficiently scale sensitive data visibility, classification, detection, remediation and loss prevention.

The report found that enterprise environments are more complex and data stores are exponentially growing, further exacerbating security team difficulties, such as maintaining and evolving DLP policies, dealing with a majority of alerts that are false positives and lack of resources to address and investigate every incident. In fact, 78% of organizations report being challenged in administering and maintaining existing DLP technology solutions and policies, and 94% report using at least two tools and, on average, more than three tools with DLP capabilities, resulting in significant man-hours to administer and maintain multiple solutions. Additionally, nearly all organizations (91%) said it is important to reduce alert noise produced by their current DLP controls due to simple, poor and outdated classification schemes.

These challenges highlight the importance of adopting a future-ready DLP strategy that autonomously discovers and classifies sensitive data that matter, proactively detects issues with a context-aware and risk-based approach and automatically prevents and remediates data leaks. By delivering on these modern capabilities, organizations can expect to experience unprecedented visibility and understanding of their data risks, simplified solution management, dramatic reduction of false positives and efficient data loss prevention and issue remediation.

The report’s key findings include:

  • Persistent data leaks: Despite using multiple DLP tools, 53% of respondents reported two or more unstructured data loss events that they know of and, on average, more than four data loss events in the last 12 months. There were likely many more data loss events that are unknown.
  • Lack of visibility and understanding of data risks: Organizations report that more than 73% of their unstructured sensitive data has not been discovered and classified, leading to potential data risk landmines and unknowns.
  • Debilitating alert fatigue: Organizations are overwhelmed by DLP alerts, with 92% either deferred/left for inspection after 24 hours or false positives/not remediated. 47% of DLP alerts that are inspected within 24 hours are false positives.
  • Administrative burdens: 68% of companies manage multiple DLP policy sets across their IT environments with disparate, siloed tools.

Download the full report here.

New KnowBe4 Report Finds Education Sector Unprepared for Escalating Cyberattacks

Posted in Commentary with tags on March 17, 2025 by itnerd

KnowBe4 today announced a new report, “From Primary Schools to Universities, The Global Education Sector is Unprepared for Escalating Cyber Attacks”.

The education sector was the most targeted industry for cyberattacks in 2024, according to several reports, including one from Check Point Research. The sector has also seen a stark increase in cyberattacks.

Key findings from the report include:

  • Both primary and higher education institutions heavily rely on third-party vendors for software-as-a-service, cloud storage, and IT services. This creates a risk, as vulnerabilities or breaches within third-party systems could later affect all institutions using these services, often undetected.
  • An attacker’s search for an open door is helped by the fact that with limited resources, and increasing demands for modernization, schools and universities often mix modern and legacy IT systems, which can leave highly sensitive personal information on outdated and exploitable systems.
  • In its 2024 Data Breach Investigation Report (DBIR), Verizon examined 30,458 security incidents in total, of which 10,626 were confirmed data breaches. Of these, 1,780 incidents (17%) were attacks against the education system, 1,537 (14%) with confirmed data disclosure; a figure that put education in the top five of all industries breached globally.
  • In 2023, Trustwave researchers monitored 352 ransomware claims against educational institutions. Phishing stood out in the Trustwave study as the most commonly exploited method for gaining an initial foothold in an organization.

The report demonstrates the significant impact of security awareness training on reducing human risk in educational institutions. Employee susceptibility to phishing attacks dropped dramatically from 33.4% to 3.9% in small educational institutions after one year or more of sustained training and simulated phishing evaluations.

To download the report, visit here.

Cl0p Pwns Western Alliance Bank

Posted in Commentary with tags on March 17, 2025 by itnerd

Western Alliance Bank over the weekend confirmed that it notified 21,899 people about an October 2024 data breach that compromised info such as SSNs, Tax ID Numbers, DOBs, Passports, etc. The infamous ransomware gang Clop has claimed responsibility for the breach.

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. Its latest wave of claims mostly involves exploiting vulnerabilities in the Cleo file transfer software, which is used by many organizations. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it demands ransoms solely in exchange for not selling or publishing stolen data.”

“In 2024, Clop claimed nine confirmed ransomware attacks, plus 74 unconfirmed attacks that haven’t been acknowledged by the targeted organizations. 55 of the 74 unconfirmed claims are related to the same Cleo vulnerability used to breach Western Alliance Bank. In 2025, Cl0p has claimed responsibility for 332 unconfirmed attacks, the vast majority of which exploited Cleo.”

“Ransomware attacks on US finance can endanger clients and delay day-to-day operations until systems are restored. Banks and other financial institutions must either pay a ransom or face extended downtime, data loss, and putting customers at increased risk of fraud. In 2024, Comparitech researchers logged 61 confirmed ransomware attacks on the US finance sector, compromising more than 34.9 million records. The average ransom demand is $1.05 million.”

Clearly the fact that there’s a $10 million reward available for anyone who can serve up information on Cl0p has not deterred them, illustrating that crime does pay, apparently. Speaking of rewards, if you do have information on Cl0p, this Tweet will help to get your info into the right hands.

KnowBe4 Sees 98% Spike in Phishing Campaigns Leveraging Russian (.ru) Domains

Posted in Commentary with tags on March 17, 2025 by itnerd

KnowBe4 has observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting.

These Russian .ru domains are run by so-called “bullet-proof” hosting providers that are known to keep malicious domains running and ignore abuse reports, which is ideal for cybercriminals.

Many of the phishing emails that we identified and investigated had passed through one or more security products including Exchange Online Protection, Barracuda Email Security Gateway, Mimecast, and Cisco Ironport.

KEY FINDINGS

  • 98% increase in phishing sites using .ru TLDs from December 2024 to January 2025
  • 1,500 unique .ru domains identified as part of the campaign
  • 377 new domains registered with “bulletproof” registrar R01-RU
  • More than 13,000 malicious emails using these domains were reported
  • 2.2% of observed emails from .ru domains were phishing emails
  • 7.4 days average age of a .ru domain

You can get the full details here.

Guest Post: What is Web Scraping?

Posted in Commentary with tags on March 17, 2025 by itnerd

By Geonode

Ever wondered how companies gather huge amounts of data from the internet without breaking a sweat? That’s where web scraping comes into play. Imagine having a digital assistant that tirelessly scours websites, picking up the information you need and organizing it into neat spreadsheets or databases. That’s essentially what web scraping does.

Web scraping involves two main players: the crawler and the scraper. Picture the crawler as a curious explorer, navigating the vast internet landscape, while the scraper is the diligent collector, picking up the data gems. Together, they turn chaotic web data into structured, usable insights.

While you can technically scrape data manually, it’s usually an automated game—think bots or scripts doing the heavy lifting. This automation is a game-changer in today’s data-driven world, empowering businesses to stay competitive. Companies use web scraping for a variety of reasons, like monitoring prices, generating leads, conducting market research, and aggregating content. However, it’s crucial to remember that web scraping isn’t a free-for-all; there are legal and ethical boundaries to respect.

The Legal Landscape of Web Scraping

Web scraping, though incredibly useful, can be a legal minefield. You could stumble into issues like copyright infringement, violating terms of service, breaching data privacy laws, or misusing scraped content. Staying on the right side of the law is key, and understanding the legal frameworks that govern web scraping is crucial.

Key Laws and Regulations

The Computer Fraud and Abuse Act (CFAA)

The CFAA is a cornerstone law in the U.S. that governs web scraping. Established in 1986, it criminalizes “intentionally accessing a computer without authorization” or “exceeding authorized access.” Some landmark cases have helped shape its interpretation.

Van Buren v. United States

In 2021, the Supreme Court ruled in Van Buren v. United States that “exceeds authorized access” should only apply when someone accesses parts of a computer system they’re not supposed to. This narrows the scope of what counts as unauthorized access under the CFAA, offering some relief for web scrapers.

hiQ Labs, Inc. v. LinkedIn Corp.

In another pivotal case, the Ninth Circuit Court ruled that hiQ’s scraping of publicly accessible LinkedIn profiles did not constitute unauthorized access under the CFAA. LinkedIn couldn’t restrict public access to the data, making this a significant decision for the scraping community.

Data Protection Laws

When it comes to personal data, regulations like the GDPR in Europe and the CCPA in the U.S. mandate businesses to obtain proper consent. Ignoring these laws can lead to hefty fines and legal troubles.

Digital Millennium Copyright Act (DMCA)

The DMCA prohibits circumventing technological measures designed to control access to copyrighted works. So, if you’re thinking about bypassing some tech barrier to scrape data, you might want to think twice.

Ethical Best Practices

To navigate these legal complexities, ethical web scraping is the way to go:

  1. Respect Terms of Service: Always abide by the terms of service of the websites you scrape.
  2. Obtain Consent: Ensure you have the necessary consent to collect and use personal data, in line with GDPR and CCPA regulations.
  3. Avoid Technological Barriers: Don’t bypass technical measures designed to protect content.

Ethical Concerns in Web Scraping

Web scraping isn’t just about legality; it’s also about ethics. You wouldn’t want to end up on the wrong side of a moral dilemma, right?

Privacy and Data Protection

Collecting personal data without consent is a major no-no. Ethical web scraping means obtaining necessary consents and complying with data protection laws.

Respect for Terms of Service

Web scraping often clashes with the terms of service of the targeted websites. Ignoring these terms can lead to legal battles and a loss of trust. Ethical scraping involves playing by the rules set by website owners.

Intellectual Property and Copyright

Scraping content without permission can lead to copyright issues. The DMCA and CFAA are pretty clear about this, and violations can have serious repercussions. For example, copying entire web pages or extracting data behind login credentials without authorization can breach proprietary rights.

Responsible Data Use

Misusing scraped data can lead to misinformation, spam, or other harmful activities. Responsible data usage means being transparent about your data collection practices and using the data ethically.

Best Practices for Ethical Web Scraping

  1. Respect Robots.txt and Rate Limits: Configure your scrapers to follow the robots.txt file and adhere to rate limits to avoid overloading servers.
  2. Legal Compliance: Stay updated on the legal landscape and comply with both local and international laws.
  3. Transparency and Accountability: Be transparent about your data collection methods and be accountable for the data you collect.

Case Studies and Precedents

Learning from real-world cases can help you avoid potential pitfalls.

Van Buren v. United States (2021)

This Supreme Court decision reshaped how we interpret the CFAA by narrowing its scope. It ruled that the CFAA’s definition of “exceeds authorized access” only applies when someone breaches a technical barrier.

hiQ Labs, Inc. v. LinkedIn Corp.

In this case, the Ninth Circuit Court ruled that scraping data from a public website likely doesn’t violate the CFAA, even if the website owner objects. This decision emphasizes a more restrained interpretation of “unauthorized access.”

By studying these cases, businesses can better navigate the complex web of laws governing web scraping, ensuring their activities are both ethical and legal.

Actionable Takeaways

Here’s how you can practice ethical and legal web scraping:

  1. Read the Terms of Service: Always check the terms of service of websites before scraping.
  2. Get Consent: Make sure you have permission to collect and use personal data.
  3. Follow Robots.txt: Respect the robots.txt file and adhere to rate limits.
  4. Stay Informed: Keep up-to-date with legal requirements and best practices.
  5. Be Transparent: Clearly communicate your data collection methods and purposes.
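Item 1 of the best-practices list above and item 3 of these takeaways both come down to the same two mechanics: check robots.txt before every request and space requests by the site’s Crawl-delay. The following is an added example, not Geonode’s code or any library’s API, of a small fetch gate that does exactly that with the Python standard library; the robots.txt text, the agent name and the URLs are constructed samples, and timing is simulated with a fake clock so it runs offline.

```python
"""Polite scraping gate: honour robots.txt rules and its Crawl-delay.

Added example for this post, not Geonode's code. It uses only the Python
standard library (urllib.robotparser). The robots.txt text, the agent name
and the URL list below are constructed samples.
"""
import time
import urllib.robotparser

USER_AGENT = "example-scraper"  # hypothetical agent name

# Constructed sample robots.txt for a hypothetical site: a general policy
# plus a stricter, slower policy that applies only to our own agent.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Crawl-delay: 2

User-agent: example-scraper
Disallow: /private/
Allow: /account/public/
Disallow: /account/
Crawl-delay: 5
"""


class PoliteFetcher:
    """Decides whether a URL may be fetched and spaces requests per site policy."""

    def __init__(self, robots_text, user_agent=USER_AGENT, default_delay=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.parser = urllib.robotparser.RobotFileParser()
        self.parser.parse(robots_text.splitlines())
        self.user_agent = user_agent
        delay = self.parser.crawl_delay(user_agent)
        # Fall back to a conservative default when the site states no delay.
        self.delay = float(delay) if delay is not None else default_delay
        self._clock = clock
        self._sleep = sleep
        self._last_request = None

    def allowed(self, url):
        """True if robots.txt permits this agent to fetch the URL."""
        return self.parser.can_fetch(self.user_agent, url)

    def wait_turn(self):
        """Block until the crawl delay has elapsed; return seconds actually waited."""
        waited = 0.0
        if self._last_request is not None:
            elapsed = self._clock() - self._last_request
            waited = max(0.0, self.delay - elapsed)
            if waited:
                self._sleep(waited)
        self._last_request = self._clock()
        return waited


class FakeClock:
    """Deterministic clock so the demo runs instantly and reproducibly."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def plan_crawl(urls, robots_text=SAMPLE_ROBOTS_TXT, user_agent=USER_AGENT,
               fetch_seconds=0.5):
    """Simulate a crawl: returns (url, action, seconds_waited) per URL.

    Disallowed URLs are skipped without a request; allowed ones are spaced
    by the Crawl-delay. fetch_seconds is the simulated download time.
    """
    clock = FakeClock()
    fetcher = PoliteFetcher(robots_text, user_agent,
                            clock=clock.monotonic, sleep=clock.sleep)
    log = []
    for url in urls:
        if not fetcher.allowed(url):
            log.append((url, "skip", 0.0))
            continue
        waited = fetcher.wait_turn()
        clock.sleep(fetch_seconds)  # stand-in for the real HTTP request
        log.append((url, "fetch", waited))
    return log


if __name__ == "__main__":
    sample_urls = [  # constructed URLs on a hypothetical host
        "https://example.com/products/1",
        "https://example.com/private/report",
        "https://example.com/account/public/profile",
        "https://example.com/account/settings",
        "https://example.com/products/2",
    ]
    for url, action, waited in plan_crawl(sample_urls):
        print(f"{action:5} {url}  (waited {waited:.1f}s)")
```

To use it for real, swap the FakeClock for the default time.monotonic/time.sleep and fetch robots.txt once per host before creating the PoliteFetcher.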

So, the next time you think about web scraping, remember to do it the right way—both legally and ethically. Happy scraping!

“Web scraping, if done ethically and legally, can be incredibly beneficial,” notes Josh Gordon, a technology infrastructure expert at Geonode. “With Geonode’s secure and reliable proxy solutions, businesses can access data without barriers, ensuring privacy and security.”

By following these guidelines, you can make the most out of web scraping while staying on the right side of both legal and ethical considerations.

PII Exposed Online in Healthcare Marketplace Connecting Facilities and Nurses Data Leak

Posted in Commentary with tags on March 14, 2025 by itnerd

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 86,000 records belonging to ESHYFT, a New Jersey-based HealthTech company that operates in 29 states. This database contained 86,341 records including PII of users. I previously covered this discovery here.

Erich Kron, Security Awareness Advocate at KnowBe4 had this to say: 

“Breaches like this are indicative of the problem with collecting sensitive data without controls to protect it. Not only is the information that has been stolen extremely useful if a bad actor wants to steal one of these individuals’ identity, but it also contains a lot of information that could easily be used in an even more damaging social engineering attack. By having access to information about past jobs, shifts, or similar private life events, a bad actor could easily use it to convince a potential victim that they are from a previous employer, or a potential future employer trying to recruit them. Scams related to employment opportunities are common and can be used to fleece the victims out of money and even more sensitive information.”

“Organizations that handle information such as this have a duty to protect their customers’ information. While it is a temporary inconvenience for an organization to suffer a data breach, the implications of information such as this being lost can impact the victims for a lifetime. Organizations need to address not only technical security controls, but also human risk, which can include misconfiguring security and permissions related to information storage and access, poor software coding practices, or even making unapproved copies of data, among others.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this: 

“There is no excuse for leaving such a sensitive database unprotected, and it has almost certainly been found and copied already by cybercriminals. Our honeypot studies show it takes just a few hours for hackers to find and target exposed databases like this one. Thankfully, none of the data poses a direct threat to data subjects or their finances.”

“Hospitals, clinics, and other healthcare companies are frequently targeted by ransomware gangs and other cybercriminals. Comparitech researchers logged 146 confirmed ransomware attacks on US healthcare companies in 2024, compromising more than 24.8 million records. The average ransom was $1.05 million.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:

“Unfortunately, it seems like lately it’s another day, another data breach made easy by a misconfigured AWS S3 data bucket. There is simply no excuse for this happening. We’ve seen enough of these data breaches that are enabled by misconfigured data buckets that every database professional should be aware of the issue and they should have educated themselves as to how to better secure these data buckets. Until we see more educational efforts and efforts on the parts of IT professionals, we’ll continue to see these on a regular basis.”

Organizations need to make protecting PII their priority. And if they don’t take that responsibility seriously, then I say fine them and make it so expensive that they are forced to do the right thing. Because these sorts of events are not acceptable.

UPDATE: Martin Jartelius, CISO at Outpost24 had this to say:

“Do your attack surface management and track data leakage in it – otherwise someone else will. In this case someone who responsibly disclosed it later thankfully.”

Jim Routh, Chief Trust Officer at Saviynt follows with this:

“Thanks to cybersecurity researcher Jeremiah Fowler for pointing out the obvious. Customer information for healthcare or any other sector must apply the right level of control to the appropriate data classification. Data classified as restricted or at the highest level must include encryption of data at rest and advanced multi-factor authentication at a minimum.”

FCC creates council to counter Chinese threats

Posted in Commentary with tags on March 14, 2025 by itnerd

The FCC announced it is creating a national security council to improve US defenses against Chinese cyber-attacks and in an effort to “[win] the strategic competition with China over critical technologies” such as 5G, AI, and quantum computing.

The new FCC chair Brendan Carr said he was establishing the council to focus on the “persistent and constant threats from foreign adversaries, particularly the Chinese Communist party”.

  “These bad actors are always exploring ways to breach our networks, devices, and technology ecosystem. It is more important than ever that the FCC remain vigilant and protect Americans and American companies from these threats,” Carr said.

Carr also mentioned that the council would “pull resources from a variety of FCC organizations” and target mitigating US vulnerabilities to cyber-attacks, espionage and surveillance and reducing supply chain dependence on adversarial states.

The new council is expected to shift focus from individual Chinese entities to a more sectoral approach due to US loopholes, such as a Chinese group changing its name, that allowed threat actors to circumvent punitive actions.

  “The US side, instead of playing up the so-called ‘China threat’, should adopt an objective and rational perception of China. It needs to work with China, under the principles of mutual respect, peaceful coexistence and win-win co-operation, for stable, sound and sustainable development of China-US relations,” said Liu Pengyu, the embassy spokesperson, on learning of the new council.

Evan Dornbush, former NSA cybersecurity expert, had this to say:

The FCC announcement to build a China-focused response capability is only a few days old, so it may be too early to understand the first-order tactics (and their effectiveness). This is a bold step. The FCC owns the airwaves, and with so much technology leveraging wireless, from drones using GNSS, to cellular networks using foreign-made 5G routing, to mesh networks coordinating over the managed spectrum, it’s clear the FCC is crucially placed to have impact.

This also gives the FCC a “stick” to match its “carrot”. Over the summer, US telecom carriers revealed that the lawful intercept systems they are obligated to operate (due to CALEA, which is managed by the FCC) were exposed to foreign adversaries. The resulting action? Congress gave a $3B handout to “rip and replace” foreign-manufactured equipment. With that gone, telcos still have vast exposure from old legacy equipment likely vulnerable to both known and zero-day exploits.

What might it take for these companies to upgrade? The new authorities could increase audits and inspections. They could impose stricter fines or other penalties.

And this stick could apply to areas other than telcos. It is common practice for foreign companies to white label through US shell entities to get around various disclosures and other restrictions pertaining to license applications. Tightening up the authorization process to trace the supply chain can perturb aggressors trying to preposition deeply embedded malware.

The Chinese are clearly a threat as demonstrated by their past actions. Thus anything that can be done to counter that threat is a good thing in my mind.