We’ve just released Chrome 97 (97.0.4664.104) for Android: it’ll become available on Google Play over the next few days. This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.
The Chrome team is delighted to announce the promotion of Chrome 97 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks. Chrome 97.0.4692.71 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 97.
The Extended Stable channel has been updated to 96.0.4664.131 for Windows and Mac which will roll out over the coming days/weeks. A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Microsoft Patch Tuesday Includes Fix for Wormable Vulnerability
On Tuesday, January 11, Microsoft released fixes for nearly 120 security issues. Nine of the vulnerabilities are rated critical and six were previously disclosed. Microsoft has also noted that one of the flaws fixed this month is “wormable,” meaning it can spread without user interaction.
- This is the second wormable vulnerability in http.sys in 12 months. CVE-2021-31166, patched last May, was never widely exploited and, aside from some PoC exploits leading to denial of service, no actual remote code execution exploit was published. Exploit mitigation techniques in kernel mode drivers make exploitation difficult and may buy us some more time in this case as well. Little detail has been published so far about this vulnerability.
- The combination of disclosure and the RCE flaw in the HTTP stack means attackers are going to be working to discover unpatched systems and exploit them. Don’t make it any easier by neglecting to apply the entire bundle of patches, including the updates for Chromium Edge.
- The term “wormable” gains more visibility for quicker patching. The versions of Windows that have this feature enabled by default vary. More details in the ISC post below.
Read more in
- Microsoft Patch Tuesday – January 2022
- ‘Wormable’ Flaw Leads January 2022 Patch Tuesday
- Microsoft starts 2022 with big bundle fixes for 96 security bugs in its software
- Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed
- Microsoft: New critical Windows HTTP vulnerability is wormable
- Security Update Guide
CISA, NSA, and FBI Warn Russian Hackers Targeting US Critical Infrastructure
In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI have warned that Russian state-sponsored cyberthreat actors are targeting US critical infrastructure entities. The advisory includes technical details about the activity as well as mitigations for organizations to implement.
- The bulletin explains what these threat actors target and how you can mitigate the risks. Don’t limit your scope of mitigations to just these products. Make sure that you’re keeping hardware and software updated, MFA on your entry points is comprehensive, monitoring is working as expected, and verify your incident reporting chain. Now execute penetration tests to verify you’re not missing details.
- Critical infrastructure being targeted isn’t anything new. But increased tensions with Russia may lead to an increase in activity. Not all that activity may be tightly coordinated but historically, “hacktivist” groups often get involved. Also see the story below about attacks against Ukrainian government websites last night.
- This, like activities in Ukraine, is notable because of the current situation; Russian state actors are likely to express displeasure online.
- It is interesting to note other countries, such as the UK, are also issuing similar alerts. Given today’s interconnected world and our dependencies on supply chains every organization, whether you are located in the US or the UK, should take heed of these alerts and actions on the threat intel within them.
www.ncsc.gov.uk: NCSC joins US partners to promote understanding and mitigation of Russian state-sponsored cyber threats
- For those who are actively involved in CTI or protecting against these specific threats, there is nothing radically new in these reports. However, joint reports like these are extremely helpful for several reasons. First, because it is a joint report from CISA, NSA and FBI, organizations don’t have to dig around different sites and dig out key information: it’s all provided to them by a combined trusted authority. Second, the report makes it very simple to understand who the threat actor is, the TTPs (mapped to the MITRE ATT&CK model) and what to do. Quite often the problem in cybersecurity is NOT lack of information, but being overwhelmed by information, data points and recommended actions. Reports like these cut through the noise and provide a single, actionable source. That is what I feel is a key role of government guidance, to help make cybersecurity easier for organizations to act on.
Read more in
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- Feds alert to ongoing Russian cyber threats targeting critical infrastructure
- CISA: Russian state-sponsored groups exploited vulnerabilities in Microsoft, Cisco, Oracle tools
- FBI, NSA & CISA Issue Advisory on Russian Cyber Threat to US Critical Infrastructure
Windows Remote Desktop Protocol Vulnerability
A recent CyberArk blog post by Gabriel Sztenjworcel explains how named pipes used by RDP sessions can be abused to gain file system access on client machines, view and modify clipboard data, and intercept smartcard data. The exploit takes advantage of RDP virtual channels: some carry the main RDP graphical and input data and are connected to the remote desktop service, while others, such as clipboard and printer redirection, are handled by separate processes. Virtual channel data is passed between these processes using named pipes. Exploitation doesn’t require privileges, just access to the RDP server. Microsoft released a patch for CVE-2022-21893 on January 11th.
- This is the biggest news of the week that honestly isn’t getting enough attention. If you’re running legacy RDP servers, don’t miss out on this one. While the CyberArk advisory says the vulnerability extends all the way back to Server 2012R2, Microsoft is pushing patches for Windows 7 and Server 2008R2 through its extended security updates (ESU) channel for those who are subscribers. If you are running RDP on a legacy server and aren’t getting patches, make sure you understand the threat. If the threat actor has access to the server, they can retrieve files from any connected client (e.g. the systems admin) and certainly use that to gain code execution on the remote client’s machine. The threat actor need not have full control of the RDP server either; they only need an authenticated RDP client. Finally, given the verbosity of CyberArk’s writeup, we should expect threat actors to weaponize this vulnerability quickly. These “client to client” and “server to client” exploitation channels are unusual and likely aren’t in the threat model of most organizations. Make sure they become part of yours.
- This isn’t a “huge” vulnerability, as it requires two users being connected (and authenticated) to the same RDP server. But it is interesting and should be patched quickly as it could easily be used to elevate privileges after obtaining a low privilege account.
- The attack leverages the FIFO behavior of named pipes, allowing an attacker to create a new pipe with the right name which will be used by a new connection before the one created for that connection. This exploit impacts at least Windows Server 2012 R2 forward. Apply the RDP patch from Microsoft. Make sure you’re not directly exposing RDP to the Internet. Monitor RDP servers to make sure that unexpected activity is not occurring. If you’re developing applications which use virtual channels, make sure they are also not subject to a similar compromise.
Read more in
- Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more
- Remote Desktop Protocol Remote Code Execution Vulnerability
- Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft
Microsoft Pulls Windows Server Updates After Users Report Problems
Microsoft has pulled Windows Server updates it released on Patch Tuesday after users reported that they were causing problems. The update reportedly breaks Hyper-V and causes domain controllers to keep rebooting.
- Microsoft has been on a months-long bad streak of being in the news for failed patches or needing to push out patches for software vulnerabilities (like the Y2K22 issue) that should have been easily avoided or detected pre-release. It would be good to see Microsoft publish some analysis to see if this is just a random concentration of issues or if something systemic at Microsoft needs to be addressed.
- Make sure you’ve pulled these from the list of patches you’re pushing out. Be prepared to roll back KB5009624, KB5009546 and KB5009557 (Server 2012R2, 2016 and 2019 respectively). Even big shops like Microsoft can have QA issues, kudos for responding and pulling these back. Note to self: make sure code you tested/created in 2021 isn’t subject to Y2K22 issues, retest now.
Read more in
- Microsoft pulls new Windows Server updates due to critical bugs
- Admins report Hyper-V and domain controller issues after first Patch Tuesday of 2022
SonicWall Issues Fixes for Flaws in SMA 100 Series Devices
SonicWall has released updates to address several vulnerabilities in its Secure Mobile Access 100 series of devices. The most critical of the vulnerabilities is a stack-based buffer overflow issue that could be exploited to allow unauthenticated remote code execution.
- The update from SonicWall was published a month ago; make sure you’ve installed it. Make sure your edge devices are at the top of your security update list. The report from Rapid7 will fuel the fire of attempted exploitation. The flaw is also present in the SMA 200, 210, 400, 410 and 500v products.
Read more in
- CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities (FIXED)
- Make sure you’re up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out
- Rapid7 reports on five vulnerabilities in SonicWall SMA 100 devices, one an RCE
Maryland Dept. of Health Confirms Ransomware Attack
The Maryland Department of Health has acknowledged that their IT systems were hit with a ransomware attack in early December. Maryland CISO Chip Stewart says they have not paid a ransom. The December 4 attack was initially described as a network security breach. The department is still recovering.
- The MDH is following their COOP plan, purchasing and deploying replacement systems smoothly and according to that plan. Make sure that your plan can be as smoothly executed, and be sure to consider the impact of supply chain challenges similar to what we have faced recently.
- Another NewsBites, another reported ransomware attack. This threat is not going away and impacts most organizations. There are many resources to ensure your organization is prepared. Here is a recent article/interview: medium.com: Repelling A Ransomware Attack: 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.
Read more in
- Maryland health agency confirms December ransomware attack
- Maryland officials confirm ransomware attack shut down Department of Health
- Maryland Health Department Confirms Attack Was Ransomware
- Maryland Departments of Health and Information Technology Provide Additional Update on Network Security Incident Response (PDF)
CISA Adds Known Exploited Vulnerabilities to Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 new entries to its Known Exploited Vulnerabilities Catalog. CISA is directing federal civilian agencies to remediate three of the vulnerabilities – a VMware vCenter Server improper access control vulnerability, a Hikvision improper input validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability – by January 24. The remaining 12 vulnerabilities must be remediated by July 10.
- BOD 22-01 requires agencies to review the catalog, making sure that they don’t have any unmitigated software, as well as report the results of the review and mitigation status. The catalog includes mitigation due dates agencies must meet. As this catalog is expected to continuously update, this review and report cycle will need to be operationalized and hopefully properly funded. For those in the private sector, a regular scan of the catalog to see if you’ve got any gaps in your current mitigations would be a good practice.
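The catalog review described in the comment above can be operationalized as a small script. The example below is added here and is not code from the newsletter or from CISA: it takes a list of scanner findings (host, CVE id), looks each CVE up in a KEV catalog export, and reports the remediation deadline and whether it has already passed. The catalog excerpt is constructed sample data: the field names follow the layout of CISA’s published JSON feed, but the entries, dates and hostnames are made up for the example (the CVE ids are ones mentioned elsewhere on this page).

```python
"""Review scanner findings against a CISA Known Exploited Vulnerabilities (KEV)
catalog export and report remediation deadlines.  Added example, not code from
the newsletter or from CISA.  The catalog excerpt is CONSTRUCTED sample data:
field names follow CISA's JSON feed layout, entries and dates are made up."""
import json
from datetime import date

# Constructed catalog excerpt (sample data, not the real feed).
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 vulnerability (sample entry)",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-20038", "vendorProject": "SonicWall", "product": "SMA 100 Series",
     "vulnerabilityName": "SonicWall SMA 100 series vulnerability (sample entry)",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-21893", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows RDP vulnerability (sample entry)",
     "dateAdded": "2022-01-10", "dueDate": "2022-07-10",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scan findings: (hostname, CVE id) pairs as a scanner would report them.
SAMPLE_FINDINGS = [
    ("app-01.example.internal", "CVE-2021-44228"),
    ("vpn-edge.example.internal", "CVE-2021-20038"),
    ("ts-01.example.internal", "CVE-2022-21893"),
    ("build-02.example.internal", "CVE-2021-45046"),  # not in the sample catalog
]


def load_catalog(text):
    """Index the catalog by CVE id so each finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def review_findings(findings, catalog, today):
    """Return one row per finding that is in the catalog, earliest deadline first.
    `today` may be a date or an ISO string; days_left is negative once overdue."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            continue  # still a vulnerability, but not under the KEV deadline regime
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
        })
    return sorted(rows, key=lambda r: r["days_left"])


def summarize(rows):
    """Count rows by status for the report header."""
    counts = {"OVERDUE": 0, "DUE": 0}
    for r in rows:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    report = review_findings(SAMPLE_FINDINGS, catalog, "2022-01-18")
    print(summarize(report))
    for r in report:
        print(f'{r["status"]:8} {r["days_left"]:5d}d  {r["host"]:28} {r["cve"]}  {r["product"]}')
```

Findings for CVEs that are not in the catalog are deliberately skipped rather than dropped silently from the scan: they still need a fix on the normal patch cycle, but only catalog entries carry a BOD 22-01 due date, and sorting by days remaining puts the overdue items at the top of the report.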
Read more in
- CISA adds 15 exploited vulnerabilities from Google, IBM, Microsoft, Oracle and more to catalog
- CISA Adds 15 Known Exploited Vulnerabilities to Catalog
Threat Actors Exploiting Cloud Services to Deliver RATs
Researchers from Cisco Talos have discovered a malware campaign that leverages public cloud infrastructure, like Amazon web services (AWS) and Azure Cloud Services, to spread three different remote access trojans (RATs). The campaign was first detected last fall.
- With the adoption of cloud services, most organizations are establishing trust relationships with service providers which can exceed, or cannot be limited to, the scope of subscribed services, allowing a direct path to malware stored there. Block access to the indicated domains, verify trust relationships are only in place for approved services, make sure both perimeter and endpoint protections are active and working, monitor for malicious activity.
Read more in
- Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
- New Cyberattack Campaign Uses Public Cloud Infrastructure to Spread RATs
- Amazon, Azure Clouds Host RAT-ty Trio in Infostealing Campaign
GAO Report on Federal Response to SolarWinds and Microsoft Exchange Incidents
The US Government Accountability Office (GAO) released a report on the federal response to the SolarWinds and Microsoft Exchange incidents. The “GAO’s objectives were to (1) summarize the SolarWinds and Microsoft Exchange cybersecurity incidents, (2) determine the steps federal agencies have taken to coordinate and respond to the incidents, and (3) identify lessons federal agencies have learned from the incidents.”
- The report met the first two objectives very well but is really weak on the lessons learned and recommendations. In general, the report focuses almost completely on response and not at all on detection/prevention in the period between when the compromised SolarWinds software was active but before private industry notifications came out. After 8 years of spending on Continuous Diagnostic and Mitigation solutions, not a single mention of CDM in the report. Some IG audits have started to focus more on threat hunting and active testing. I’d really like to see GAO reports like this focus on proactive detection and prevention actions at least equally to reactive post-compromise response.
- The report is big on response and coordination and highlights what did and didn’t work after the incidents. What is missing is steps agencies can take for improved detection and to mitigate the likelihood of recurrence. Make sure that your logging is sufficient in retention and separation to support forensic activities, that you have comprehensive detection and response systems, and you’ve verified your playbooks are operating properly. Reach out to your peers to keep that relationship current and healthy.
- I would add supplier accountability. The more privileged or powerful a process or user, the more important as a control is accountability.
Read more in
- Federal Response to SolarWinds and Microsoft Exchange Incidents
- Statutory restrictions hindered federal response to SolarWinds, Microsoft Exchange
Pegasus Spyware Found on El Salvadoran Journalists’ Devices
Digital rights organizations Citizen Lab and Access Now have published a report detailing their investigation into the use of NSO Group’s Pegasus spyware against journalists and civil rights activists in El Salvador.
- This is sadly unsurprising and continues to highlight that either NSO is incapable of policing its customers or (more likely) no commercial spyware company can ensure its software isn’t abused.
- The report sets the stage and background which led to the use of the spyware in that country and provides context for those actions. While these efforts currently target journalists and the NSO infection vector is a zero-click attack path, we still need to be vigilant: keeping our devices fully updated, keeping them under our control, removing unneeded or unused applications, using loaner devices for high-risk situations and using caution with links and attachments.
Read more in
- NSO Group Spyware Targeted Dozens of Reporters in El Salvador
- Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware
Several Ukrainian Government Websites Compromised
On Friday, January 14, several Ukrainian government websites were defaced with identical threatening messages in Russian, Ukrainian and Polish. These defacements come after tensions between Ukraine and Russia escalated the day before.
- These types of defacements are often the work of hacktivists and it is not clear at this point if these attacks abused a specific vulnerability common to these websites.
- While it isn’t yet clear whether this is a state-affiliated attack, many have noted that the arrest of REvil ransomware operators may be top cover to get media attention away from these defacements. At this point, there’s no clear connection between these events. Kim Zetter reported that these attacks used a known CMS vulnerability, well within the reach of any script kiddie or hacktivist.
- While this isn’t new, it is news because of the timing. With cyber attacks on top of land and sea posturing (strikingly reminiscent of 2014!), Ukraine and its allies have plenty of justification for concern.
- While it can be argued that with sufficient time and resources any target can be compromised, don’t make it any easier than it has to be. Keep your services patched, make sure that only authorized accounts have access, and you’re using MFA for authentication.
Read more in
Salesforce to Require Multi-Factor Authentication
Software company Salesforce has announced that as of February 1, 2022, it will start requiring users to enable multi-factor authentication (MFA) to access the company’s products. Salesforce has an MFA FAQ page.
- This should be the norm for at least all cloud services, and really all logins. Microsoft data showed that using any form of MFA would have thwarted 99.9 percent of successful account compromises. Users are increasingly doing so with the home accounts on banking and even social media. Use of MFA allows security resources to be focused on the extremely clever 0.1 percent of attacks vs. drowning from the simple 99.9 percent.
- Great move. MFA is a must in particular for systems like Salesforce working with critical data. If you try to rely on other means to mitigate attacks against other critical systems (e.g. VPNs): Stop doing stupid things like relying on geofencing. Implement a solid MFA solution now.
- You should already have configured your IDP to require MFA when accessing cloud and other Internet accessible services. Where you are enabling SSO from trusted devices, ensure those devices require strong authentication; additionally, disable the ability to login directly to accounts bypassing your SSO/authentication process. Read the FAQ, including the types of second factor which are explicitly disallowed.
- Not only is this exciting from a security perspective (I’m a huge fan of 2FA / MFA) but it’s very impressive how Salesforce is rolling this out. Take a moment to read their MFA FAQ. It’s extensive, detailed, and well thought out. Some key things I found interesting: You have to use “strong” MFA, no SMS text messages or phone calls to obtain your one time code; you have to use technologies like local mobile authentication apps. Also, and this was a bit hidden, there are legal consequences if you don’t implement strong MFA. If you somehow work your way around the requirement and your data is compromised, you and NOT Salesforce are most likely legally responsible for any harm to your data. Is MFA perfect? Absolutely not. Will bad guys figure out ways around MFA? Absolutely. Security is ultimately about compromises and managing risk to an acceptable level. With passwords / accounts being a top two driver for breaches globally for the past three years (VZ DBIR), this is a step most organizations should be taking.
- MFA should be enabled everywhere. Hopefully this move by Salesforce, given their user base, pushes more adoption.
Read more in
FBI Warns of Attacks Using Malware-Laced USBs
In a recently updated Flash alert, the FBI has warned of a ransomware campaign involving USB thumb drives. The threat actors have been sending the malware-laced drives through the US Postal Service and United Parcel Service (UPS), pretending to come from the US Department of Health and Human Services (HHS) or Amazon. The FBI says the campaign is targeting the defense industry.
- Fin7 did that back in 2020 as well. I guess it worked well enough for them to try again. For myself: I always wanted to have one of those USB micro controllers. If you work for Fin7 and are reading this: contact me for my mailing address. For everybody else: Sorry, no great defense against this in particular if people use their own systems in a home office environment.
- In the SANS 2020 Top New Attacks and Threats Report, Ed Skoudis highlighted “poisoned USB devices” as a threat vector. I had actually received one in the US mail from China earlier that year, trying to get me to insert it in my computer to get $500 in free PayPal cash. You can download that report from www.sans.org: SANS Top New Attacks and Threat Report 2020
- Don’t assume that risks of inserting the device will be offset by a media scan. Some NGAV products no longer scan media, rather they wait until an executable/dll/etc. is loaded into memory before analysis is performed. The USB thumb drive may be emulating a keyboard or network card. When in doubt, don’t insert it before you’ve fully vetted and tested, preferably on a system designed for that purpose. Consider requiring a kiosk to scan and transfer data from all externally provided media for your corporate systems.
- If you speak MITRE ATT&CK, this technique is called Hardware Additions and is part of the Initial Access tactic. It has been documented since April 2018 (attack.mitre.org/techniques/T1200: Hardware Additions). In recent updates, MITRE has improved the mitigations and detections sections to provide more actionable information.
Read more in
- Cyber criminals are mailing out USB drives that install malware
- FBI: Hackers use BadUSB to target defense firms with ransomware
Apache: Downstream Vendors Should Contribute to Open-Source Maintenance
In a position paper to be presented at a White House Software Security meeting later this week, the Apache Software Foundation calls out for-profit companies that benefit from open-source software but do not, for the most part, contribute to its maintenance.
- The ASF recommendations to businesses are solid: Know where you are using open-source components so you can patch them. Contribute some of your resources to skilled vulnerability testing and contribute to speeding the discovery of vulnerabilities in open-source software. In 2014, after the Heartbleed OpenSSL vulnerability, the Linux Foundation started the Core Infrastructure Initiative to gain support for raising the bar on the security of widely used open-source components. Adobe, Bloomberg, HP, Huawei and salesforce.com were early supporters but not much happened. The CII has now become the Open Source Security Foundation with the goal of “… to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives…” Microsoft, Google, AWS, JP Morgan Chase, Redhat, many others are listed as premier members and on the technical advisory committee.
- When using open-source software, it’s expected that discovered vulnerabilities are reported back quickly. If you have fixes, report them as well. Apache has project teams which will respond immediately to reported issues. Once updates or fixes are released, typically in less than two weeks after the report, businesses need to jump on applying them.
- One promise of open source was that many eyes would improve code quality. It has not proved to be true. CISA has identified more than 3000 products that use Log4j. Now this may not mean that the code was seen by the same number of sets of eyes, but it was certainly seen by many. Instead what we have seen is that what is everyone’s responsibility is no one’s responsibility. We need better accountability.
Read more in
Millions of Vulnerable Versions of Log4j Have Been Downloaded Over the Past Month
Sonatype, the company that runs Apache Maven’s Central Repository, says they have observed four million downloads of vulnerable versions of Log4j since December 10. It is not clear why the number of vulnerable downloads is so high. Sonatype also noted that about 40 percent of the Log4j downloads over this past weekend were of the most recent versions.
- Speaking for my fellow developers: I know, we can’t help it. It is hard to break a habit. But please spend the extra time to actually read change notes and move on to a newer version of the libraries you are using. It is much easier to do so step by step as new versions are released vs doing a big “flag day” once a decade to move everything.
- Where your CI processes are downloading libraries regularly, make sure they are downloading the current approved versions. Make sure you’ve qualified the fixed versions such as Log4j 2.17.1.
Read more in
- Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
FTC’s Log4j Requirement May Prove Difficult
While the US Federal Trade Commission (FTC) has said it will pursue legal action against companies that fail to implement mitigations to protect customers from the Log4j vulnerabilities, experts point out that identifying all instances of Log4j is likely to prove difficult. And beyond that, in some cases companies may not have access to the vulnerable apps because they are hosted elsewhere or are on a SaaS platform.
- While the path the FTC wants to follow may be tricky, don’t count on that keeping you insulated. Be aware of which applications you have, both internally and outsourced/cloud services. Document risk decisions you have made and actions taken. Include supplier notices about Log4j applicability and remediation. Verify that your monitoring and defenses are operating as planned.
Read more in
NHS: Attackers Exploiting Log4j Flaw in VMware Horizon Servers
The UK’s National Health Service (NHS) says that an unspecified group of threat actors is exploiting a Log4j vulnerability in VMware Horizon servers “in order to establish persistence within affected networks.” The NHS cyber alert lists indicators of compromise and suggested remediations. VMware has released updates to address the Log4j vulnerabilities.
- The VMware advisory VMSA-2021-0028 (www.vmware.com: VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046)) covers all their products impacted by the CVE-2021-44228 and CVE-2021-45046 vulnerabilities including update and mitigation information. Make sure that you review the status for ALL your VMware products, taking appropriate actions where needed. Note some products still don’t have a released patch; be prepared to implement the identified mitigations.
Read more in
- Log4Shell Vulnerabilities in VMware Horizon Targeted to Install Web Shells
- NHS Warns of Attackers Targeting Log4j Flaws in VMware Horizon
- NHS warns of hackers exploiting Log4Shell in VMware Horizon
- NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon
URL Parsing Library Bugs
Researchers from Claroty and Snyk discovered eight vulnerabilities in 16 URL parsing libraries. Most of the issues were due to the use of multiple parsers in projects or specification incompatibility.
- Parsing URLs is hard. And it isn’t made easier by ever changing, and in part conflicting, standards. Great paper and a must read for anybody doing web development.
- While the parsers have been updated to address the inconsistencies, due care is also required to make sure that you’re consistent in how you’re parsing URLs and that the returned information is the actual information you are seeking rather than a subset or omission of critical information. Consider standardizing on a standard library for consistent results.
Read more in
- Exploiting URL Parsers: The Good, Bad, and Inconsistent (PDF)
- URL Parsing Bugs Allow DoS, RCE, Spoofing & More
- Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
QNAP Warns NAS Users to Protect Devices
In a Product Security Statement on January 7, QNAP urged its customers to take steps to secure their devices to protect them from active ransomware and brute force attacks targeting network-attached devices. The statement offers instructions for protecting Internet-connected devices.
- Looks like QNAP now agrees with what I have been posting here in the past to similar vulnerabilities: Get your NAS devices off the internet (or get pwn3d, which may be fun too).
- Repeat after me: I solemnly swear not to expose NAS to the Internet. If you really must expose it, make sure that remote administration is disabled and follow the vendor guides for securing it. Monitor access, applications loaded and activity. Lastly, make sure you’ve got a disconnected backup in case it does get compromised, corrupted, or otherwise exploited.
Read more in
- Take Immediate Actions to Secure QNAP NAS
- QNAP: Get NAS Devices Off the Internet Now
- QNAP warns of ransomware targeting Internet-exposed NAS devices
Guidance to Protect Devices from Commercial Surveillance Tools
The US National Counterintelligence and Security Center (NCSC) and the Department of State have jointly published guidance to help people protect themselves from surveillance technology. According to the guidance, “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools.” The advisory suggests several security practices to guard against surveillance tools, but notes that “While these steps mitigate risks, they don’t eliminate them. It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.”
- Enforce encryption, OS updates, and password requirements with your MDM, refrain from installing applications or updates “on the road” and use a trusted VPN anyplace you are unfamiliar with your connectivity regardless of method. In addition to the guidance, consider using a loaner device when on foreign travel, particularly to high-risk areas.
- In the SANS 2020 New Attacks and Threat report (download from www.sans.org: SANS Top New Attacks and Threat Report 2020) SANS instructor Heather Mahalik detailed this type of threat to mobile phones and top mitigation approaches.
Read more in
- Protect Yourself: Commercial Surveillance Tools (PDF)
- U.S. Government Issues Warning Over Commercial Surveillance Tools
- US counterintelligence shares tips to block spyware attacks
WordPress Security Update
The WordPress 5.8.3 Security Release includes fixes for four vulnerabilities: two SQL injection flaws, a cross site scripting flaw, and an admin object injection issue. The vulnerabilities affect WordPress versions 3.7 through 5.8. Three of the vulnerabilities have been rated high severity.
- Automatic updates should have already taken care of applying this update. If not, you can update your site via the administrator dashboard. You can also check the version using the WordPress CLI. If you’re on an older branch, and not able to move to 5.8.3, review the WordPress download site to ensure you’re on the latest for that version, then kick off the project to move to the 5.8 branch.
Read more in
- WordPress 5.8.3 Security Release
- WordPress 5.8.3 Patches Several Injection Vulnerabilities
- WordPress 5.8.3 security update fixes SQL injection, XSS flaws
FTC Says Companies Could Face Legal Action for Failing to Mitigate Log4j Vulnerabilities
In a blog post, the US Federal Trade Commission warns, “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The article cites the Equifax case, in which the company failed to patch a known vulnerability, exposing personal information of 147 million people. Equifax ended up paying $700 million to settle various legal actions.
- While some may pooh pooh the FTC’s cybersecurity related actions, it is telling that many attempts have been made by private industry to challenge their authority to do so. SANS gave the FTC a Difference Maker’s award in 2013 and the justifications for that award have held up over the years: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don’t protect their customers’ information. The FTC doesn’t seem to need new laws or more money, it just keeps fighting for its customers.”
- The FTC doesn’t want history to repeat itself. While a company could accept the risk of not addressing Log4j vulnerabilities, the FTC wants them to know that both the Gramm Leach Bliley Act (GLBA) and Federal Trade Commission act have specific directions to mitigate known software vulnerabilities. Long story short: update Log4j wherever you’re using it, make sure you’ve deployed your vendor updates, use a properly configured WAF if you can, monitor activity, and document actions taken.
- Organizations should not see this as a one-off vulnerability and should instead invest in building a program to track assets, vulnerabilities, and patches. Vulnerability management is hard, it is a process, and there is no end state. Implementing lessons learned from Log4j, like those learned during the Struts2 vulnerability that affected Equifax, will be ideal for your organization when the next big vulnerability is inevitably disclosed.
- On the Log4J Issue, I am not sure how the FTC enforcement will fully happen. There are going to be a fairly large number of systems in which the actual code doesn’t exist, won’t compile, and is mission critical. I would imagine that this sets a very bad precedent, overall, but it’s not unexpected. We have been talking about regulation for years, and if the larger community does not regulate itself, someone else will. This is also compounded by the fact that Log4J may not even show up in the dependency chain directly but as a sub-dependency. We need to watch this carefully as this could start rolling down hill to the next “Exchange Vulnerability” that is not patched in time.
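The comment above notes that Log4j often arrives as a sub-dependency rather than a direct one. The following is an added example (not from the newsletter or any project it cites) that recurses into jars nested inside a WAR or fat jar, reports the bundled log4j-core version, and flags anything it cannot identify; the sample WAR is constructed in the script, and the "fixed" version threshold of 2.17.1 is an assumption to adjust against the current advisory.

```python
"""Recursively scan JAR/WAR/EAR archives (including jars nested inside them) for
log4j-core and report the version found in the bundled metadata."""
import io
import re
import zipfile

# Class that carries the JNDI lookup abused by the Log4Shell (CVE-2021-44228) chain.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(?:Implementation-Version|version)\s*[:=]\s*(\S+)", re.M)
FIXED_VERSION = (2, 17, 1)  # assumption: adjust to the current vendor advisory


def _version_from_jar(zf):
    """Best-effort version extraction from MANIFEST.MF or log4j-core's pom.properties."""
    for name in zf.namelist():
        if name == "META-INF/MANIFEST.MF" or name == POM_PROPS:
            m = VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
            if m:
                return m.group(1)
    return "unknown"


def scan_archive(data, path="<root>", depth=0, max_depth=5):
    """Return [(path, version, has_jndi_lookup)] for every log4j-core found in
    `data` (bytes of a jar/war/ear) and in any archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    # A shaded/fat jar may copy the classes without any Maven metadata, so match
    # on either the pom.properties or the JndiLookup class itself.
    if POM_PROPS in names or JNDI_LOOKUP in names:
        findings.append((path, _version_from_jar(zf), JNDI_LOOKUP in names))
    if depth < max_depth:
        for name in zf.namelist():
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(
                    scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, max_depth)
                )
    return findings


def needs_review(version):
    """True when the version is below FIXED_VERSION or cannot be parsed.
    Deliberately conservative: backport releases such as 2.12.x are flagged too."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True
    parts = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return parts < FIXED_VERSION


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR bundling log4j-core 2.14.1 under WEB-INF/lib plus a
    shaded jar that copied JndiLookup.class without any version metadata."""
    fake_class = b"\xca\xfe\xba\xbe"  # constructed placeholder for class bytes
    log4j_core = _make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
        POM_PROPS: "version=2.14.1\nartifactId=log4j-core\n",
        JNDI_LOOKUP: fake_class,
    })
    shaded = _make_jar({JNDI_LOOKUP: fake_class, "com/example/App.class": fake_class})
    return _make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "WEB-INF/lib/app-shaded.jar": shaded,
        "WEB-INF/classes/config.xml": "<config/>",
    })


if __name__ == "__main__":
    for path, version, jndi in scan_archive(build_sample_war(), "app.war"):
        flag = "REVIEW" if needs_review(version) else "ok"
        print(f"{flag:6} {version:8} jndi={jndi} {path}")
```

On a real host, feed `scan_archive` the bytes of each archive found by walking the filesystem; the same recursion handles jars inside WARs and EARs.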
Read more in
- FTC warns companies to remediate Log4j security vulnerability
- You better have patched those Log4j holes or we’ll see what a judge has to say – FTC
- FTC to Go After Companies that Ignore Log4j
- FTC warns companies to secure consumer data from Log4J attacks
- FTC warns of potential penalties for firms that fail to fix Log4j software flaws
Attackers Exploiting Known Windows Vulnerability to Drop ZLoader
Hackers are exploiting a known vulnerability in Microsoft’s code signing process to install ZLoader malware. The campaign was first detected in November 2021. It uses legitimate remote monitoring and management software to gain initial access to the machine, and then uses a modified dynamic link library (DLL) file to install the malware. Microsoft released a fix for the vulnerability in its code signing process, Authenticode, in 2013. The fix was initially going to be pushed out to all users, but Microsoft decided to make it optional because of the risk of a high level of false positives.
- It’s easy to cast shade at Microsoft, but they’re right – this has an extremely high risk of false positives in many (if not most) environments. Even given the news of active use of the vulnerability, knee jerk implementation of fixes risks impacting system availability. It’s important to put this in context. This vulnerability does NOT allow threat actors access to systems. It only allows them to bypass intended code signing security checks *after* they’ve already accessed a system, meaning threat actors have already bypassed at least some security controls. To use a circus analogy, carefully consider whether enabling an additional safety net is worth blindfolding the trapeze artists. If you’re not sure and projected impacts are high, perform extensive testing first.
- There are currently two mitigations. Either apply the Microsoft Authenticode fix to check certificate padding with the caveat that it causes some installers to be tagged with an invalid signature, or disable mshta.exe which is how the embedded scripts are executed, provided you’re not using it in your environment.
- While this particular attack is to run unsigned DLLs, I would like to highlight that leveraging Microsoft signed binaries, scripts, and libraries (LOLBAS) has been around for some time and was highlighted in the RSAC Keynote by SANS in 2020: www.sans.org: The Five Most Dangerous New Attack Techniques
The LOLBAS project is maintained here: https://lolbas-project.github.io/
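The "certificate padding" fix mentioned above concerns data appended after the PKCS#7 SignedData inside a PE file's WIN_CERTIFICATE entry, which the signature does not cover. This added example (not Microsoft's implementation, and not code from the newsletter) parses such an entry and reports any non-zero bytes beyond the DER-encoded SignedData; the entries are constructed in the script, and the 0x0200/0x0002 header values are the documented revision and PKCS_SIGNED_DATA type.

```python
"""Detect unauthenticated trailing data in a PE WIN_CERTIFICATE entry.
The entry would normally be read from the PE security data directory."""
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf):
    """Byte length (header included) of the DER element at buf[0], or None if malformed.
    PKCS#7 SignedData is an outer SEQUENCE (tag 0x30)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_win_certificate(blob):
    """Parse dwLength/wRevision/wCertificateType/bCertificate and classify the entry.
    Returns (status, trailing_bytes) where status is clean, trailing-data or malformed."""
    if len(blob) < 8:
        return ("malformed", 0)
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if (dw_length > len(blob) or revision != WIN_CERT_REVISION_2_0
            or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA):
        return ("malformed", 0)
    body = blob[8:dw_length]
    der_len = der_total_length(body)
    if der_len is None or der_len > len(body):
        return ("malformed", 0)
    trailing = body[der_len:]
    # Entries are quadword aligned, so up to 7 zero bytes of padding are expected;
    # anything else is data the signature never authenticated.
    if len(trailing) <= 7 and all(b == 0 for b in trailing):
        return ("clean", len(trailing))
    return ("trailing-data", len(trailing))


def build_entry(pkcs7, extra=b""):
    """Assemble a WIN_CERTIFICATE around `pkcs7`, optionally appending `extra` bytes
    the way a tampered file would, then pad to 8-byte alignment."""
    body = pkcs7 + extra
    body += b"\x00" * ((-len(body)) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def sample_entries():
    """Constructed stand-in for a SignedData blob: a DER SEQUENCE wrapping 300 bytes.
    Returns (clean_entry, tampered_entry)."""
    content = bytes(range(256)) + b"\x00" * 44
    pkcs7 = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    return build_entry(pkcs7), build_entry(pkcs7, b"appended-unsigned-data")


if __name__ == "__main__":
    for label, entry in zip(("clean", "tampered"), sample_entries()):
        print(label, check_win_certificate(entry))
```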
Read more in
- Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
- Hackers Are Exploiting a Flaw Microsoft Fixed 9 Years Ago
- Microsoft code-sign check bypassed to drop Zloader malware
- New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
- New Attack Campaign Exploits Microsoft Signature Verification
- ‘Malsmoke’ Exploits Microsoft’s E-Signature Verification
VMware Releases Fixes for Heap Overflow Flaw
VMware has issued updates for a heap overflow vulnerability that could be exploited to execute arbitrary code. The vulnerability affects the CD-ROM device emulation in ESXi versions 6.5, 6.7, and 7.0; Workstation versions 16.x; and Fusion versions 12.x. There is currently not a fix available for ESXi 7.0.
- Initially, I considered mitigating this issue by removing the CD-ROM device from workstations. But keep in mind that it is needed for example to install and update VMWare Tools. For VMWare Fusion and VMWare Workstation, you will likely not even have to upgrade. The fixed versions were released late last year (Workstation: Oct 14th, Fusion: November 18th).
- If you cannot apply the patch, or it’s not available, the workaround is to remove unused hardware from virtual machines. Note they need to be shut down to do this. It’s not a bad idea to make sure that you’ve removed unused hardware which may have been added for testing or other long forgotten purpose.
- We constantly see unpatched ESXi and unpatched vCenter in almost every customer environment on premise. The problem isn’t getting better – it’s getting far worse. Many companies that have a good desktop and server vulnerability management strategy fall flat in this regard. Patch where you can, segment where you cannot. We still see 6.5, 6.7, and 7.0. It would also be relevant for many in the security industry to patch their workstation builds.
Read more in
- VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)
- Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover
- VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products
Attackers Exploit Google Docs Bug to Send Phishing eMails
In a report, researchers from Avanan describe how attackers have been exploiting a flaw in Google Docs comments to send phishing emails. The attacks have primarily targeted Outlook users.
- This is a good issue to include in awareness training. Just because an email originated from a “trusted” entity like Google, or a link is located on Google docs, doesn’t mean it is safe.
- When you add a comment to a Google Doc which has an “@” reference to the user, regardless of the source of that document, an email is sent to the user, including any malicious links or text in the comment, with a Google originating email address, making it feel trusted/legitimate. If you’re using URL rewriting tools, make sure all external email is in-scope. Make sure that your endpoint or perimeter protections include blocking/denying uncategorized and malicious web site access. At core protection still depends on user hygiene, not clicking unrecognizable links and being sure the comments are truly from a document they are collaborating on with a recognized partner.
- Google has been slow to address this attack vector, which I think dates back as far as August 2020. This is one of those features that carry risks that can in many, probably most, cases be way more damaging than the benefit of the feature. Kinda like is anyone really missing Adobe Flash?
Read more in
- Google Docs Comment Exploit Allows for Distribution of Phishing and Malware
- Google Docs Comments Weaponized in New Phishing Campaign
- Attackers Exploit Flaw in Google Docs’ Comments Feature
Honda Y2K22 Navigation System Clock Bug Might Not be Fixed Until August
A bug in the navigation system clocks used in some Honda and Acura vehicles caused the clocks to reset to 2002 on January 1, 2022. The issue appears to affect vehicle models from 2004 through 2012. Some vehicle owners were told that the problem would not be fixed until August.
- Software development needs to consider the time a particular system is supposed to be in operation, and the entire life cycle should be considered. As cars adopt more “smart” features, it is important to remember that cars are expected to stay operational for 10+ years, unlike smart phones which are often considered obsolete in less than half that time. Simple bugs like this Honda Y2K22 issue do not make me feel very good about how well systems like smart phone integration APIs will perform 10 years from now.
- It is easy to overlook the capacity of a variable being exceeded, in this case a signed int32 which cannot hold the date string for January 1, 2022. We should have learned this 22 years ago and documented these constraints, or better still chosen alternatives not subject to the limitations. Take a quick look through your application inventory to make sure you address systems with Y2K22 issues. One hopes that any Honda subscription services tied to the navigation systems will refund the charges until the issue is resolved.
- Wouldn’t it be nice if Honda said “All car loan payments to Honda will be suspended from January to August to make up for the impact to our customers who paid a lot of money to buy our products.”
Read more in
- Honda, Acura cars hit by Y2K22 bug that rolls back clocks to 2002
- Back to the future! Baffled Honda owners find the clocks on their cars are stuck 20 years in the past and displaying 2002 due to a tech glitch that won’t be fixed until AUGUST
CISA Setting Up Network of State Cybersecurity Coordinators
The US Cybersecurity and Infrastructure Security Agency (CISA) is helping states find and hire cybersecurity coordinators. Because each state has its own IT organizational structure, the coordinators’ jobs will vary. The network of coordinators will communicate with each other to share problem-solving experiences. Thirty-seven coordinators have been hired and five more positions are in the selection process.
- This is a great first step toward helping the “under-resourced counties and municipalities.” Here’s hoping legislation from Senators Hassan and King enable more collaboration between other agencies (like the National Guard) that may actually bring more resources to the fight.
- Make sure you connect with your local CISA coordinator, they are a good contact for bringing resources, such as ransomware remediation, training, assessment tools, and advice at no added charge as they are taxpayer funded. It is easy to forget their mission includes both public and private sector.
- I’m excited to read about this as CISA is both taking what appears to be a leading role in helping organize US cyber defenses in one of the most difficult areas to defend, and creating a network for better coordination and sharing. My question: is this attempting to replace functionality with the MS-ISAC, better align with MS-ISAC or fill in a gap? The US government has a reputation for solving problems by creating new organizations instead of improving existing ones.
Read more in
Fertility Clinic and Online Pharmacy Both Disclose Information Security Breaches
Fertility Centers of Illinois (FCI) and online pharmacy Ravkoo have both notified current and former patients of data security breaches. FCI became aware of the breach in February 2021 and determined in August that patient data had been accessed. The Ravkoo breach occurred in late September 2021, and the company learned a month later that patient data had been accessed.
- In the FCI incident no data was accessed in the electronic health record (EHR) system due to unspecified “security controls.” The disclosure notes that the data for almost 80k current and former patients was accessed in “administrative files and folders.” It seems likely that patient data, whether in scanned paper records or exported EHR data, was placed in locations that were accessible with AD domain logons. In my experience it’s also likely that all of this data wasn’t actually accessed by threat actors, but the organization lacks the auditing controls to know what specific data was taken so they reported everything in the accessed file shares. This not only increases notification costs, but also likely involved a substantial eDiscovery bill. Organizations handling regulated data should examine their filesystems for copies of regulated data and ensure they have appropriate auditing in place to detect access to that data.
- Beyond testing and securing your primary applications, make sure that any archives or other locations that data is stored are also secured, particularly any systems where you digitized the paper records to get rid of storage rooms full of boxes of them. Remember that plan to save a fortune by moving unused data to low-cost cloud storage? Did you ever get a report on how it would be secured, including a risk assessment? Did you verify the security was as planned?
Read more in
- Illinois fertility clinic, online pharmacy giant Ravkoo report data breaches
- US online pharmacy Ravkoo links data breach to AWS portal incident
New Mexico, Arkansas Counties Hit with Ransomware
Bernalillo County, New Mexico and Crawford County, Arkansas, are both dealing with ransomware attacks. The Bernalillo County attack began early on January 5, 2022. Some government systems have been taken offline and most government buildings are closed to the public, but emergency services are operational. The Crawford County attack began in late December.
- When responding to a ransomware incident, isolating/shutting down and/or disconnecting affected systems is a good step. Make sure that your forensic team has what they need before wiping disks to reinstall, such as logs or system images so they can work on root cause as well as determine what data may have been exfiltrated. Keep in mind the encryption step is often the last thing done on the way “out the door” as it were.
- Ransomware threat actors often don’t get payouts for attacks on municipalities. Attacks on municipalities in 2021 should generally be attributed to inexperience of the specific ransomware operators or desperation – neither of which bodes well.
- I don’t think anyone predicted that we would not see ransomware in 2022. It is here and organizations must train, test, measure, and improve their people, process, and technology to detect and respond to these attacks before impact. We often call this “left of boom” where boom is exfiltration and encryption.
Read more in
- County Assessing Extent of Suspected Ransomware
- Cyber attack ‘caused a mess’ with Crawford County computer systems
- New Mexico’s Bernalillo County Investigates Ransomware Attack
- Counties in New Mexico, Arkansas begin 2022 with ransomware attacks
- Bernalillo County, N.M., Systems Disrupted by Cyber Attack
Log4j Database Search Tool
A search tool is now available to help navigate the Cybersecurity and Infrastructure Security Agency’s (CISA’s) increasingly unwieldy Log4j database. The list of affected products has grown to nearly 3,000. The emergence of the Log4j vulnerabilities and the degree to which affected products can be difficult to determine have both fed calls for a Software Bill of Materials.
- As we see more data calls of the form “Check the list of affected products against your installed software list,” searchable repositories make that far simpler. Beyond reporting, this is useful for analysis of your current possibly impacted products, using either the hosted or downloadable version of this tool. The data includes notes, references, and links to the vendor advisory/fix guidance.
Read more in
- 4jfinder / 4jfinder.github.io
- Security experts develop search tool to make CISA’s (ever growing) Log4j database more user friendly
Chrome Update Fixes 37 Security Issues
Google has updated the Chrome browser to version 97.0.4692.71 on the stable channel for Windows, Mac, and Linux. The updated version of Chrome fixes 37 security issues, including a critical use after free in storage flaw.
- Chrome is the gift that keeps giving. Is Chrome the new Flash? According to W3Schools, over 80% of their traffic in 2020 & 2021 was from Chrome, making these rapid updates all the more disruptive. These vulnerabilities can have grave impacts including data corruption or malicious code execution; bottom line, it’s time to update (again). These fixes also impact Chromium based browsers (Edge, Brave, etc.). The good news is updates are already available for those browsers and are simply waiting for the user to relaunch their browser.
Read more in
- Stable Channel Update for Desktop | Tuesday, January 4, 2022
- Google Chrome update includes 37 security fixes
- Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities
Microsoft Releases Fix for Exchange Server Flaw that Disrupted eMail Delivery
Microsoft has released temporary fixes for a bug in Exchange Server that trapped email in transport queues. The issue, jokingly dubbed Y2K22, is due to a date check failure in the FIP-FS anti-malware scanning engine; the flaw affects on-premises Exchange Server 2016 and 2019.
- Representing dates properly remains a common problem. There are a number of standard solutions (e.g. ISO time formats or Unix timestamps), which are not foolproof but will beat any one-off implementation.
- An obvious failure in Microsoft’s software development lifecycle and pre-release testing. Hopefully, Microsoft’s testing in the future will now routinely include setting clocks forward during test…
- January 1st 2022 is when a signed 32-bit integer can no longer hold the date value, sometimes called a Y2K22 bug. There is a manual fix available from Microsoft which stops the FIP-FS scanning engine, removes old AV files, installs a new AV engine, and restarts services. A fully automatic fix is still being developed. You can download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion.
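Both the Honda comment earlier and the comment above attribute the Y2K22 failure to a signed 32-bit integer that can no longer hold a date-derived value. The added example below (not from the newsletter or from Microsoft) encodes a release as the decimal integer YYMMDDnnnn, which is an assumption matching the widely reported FIP-FS value 2201010001, finds the first day the encoding overflows int32, and shows the alternative of decoding the digits back into a date so that comparisons never depend on integer width.

```python
"""Y2K22 worked example: when does a YYMMDDnnnn version number overflow int32?"""
from datetime import date, timedelta

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1   # 2147483647


def version_number(day, sequence=1):
    """Encode a release as YYMMDDnnnn (assumed encoding; e.g. 2022-01-01 -> 2201010001).
    Python ints are unbounded, so the int32 limit has to be checked explicitly."""
    return int(day.strftime("%y%m%d") + f"{sequence:04d}")


def fits_int32(value):
    """True when `value` can be stored in a signed 32-bit integer."""
    return INT32_MIN <= value <= INT32_MAX


def first_overflow_day(start=date(2021, 1, 1)):
    """Walk forward a day at a time until the encoded version no longer fits int32."""
    day = start
    while fits_int32(version_number(day)):
        day += timedelta(days=1)
    return day


def decode_version(value):
    """Safer alternative: turn the digits back into (date, sequence) and compare those,
    so ordering is done on a date object rather than on a width-limited integer."""
    digits = f"{value:010d}"
    release_day = date(2000 + int(digits[0:2]), int(digits[2:4]), int(digits[4:6]))
    return release_day, int(digits[6:])


if __name__ == "__main__":
    for d in (date(2021, 12, 31), date(2022, 1, 1)):
        v = version_number(d)
        print(d, v, "fits int32" if fits_int32(v) else "OVERFLOWS int32")
    print("first overflow day:", first_overflow_day())
    print("decoded:", decode_version(2201010001))
```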
Read more in
- Exchange Server – Email Trapped in Transport Queues
- Microsoft releases emergency fix for Exchange year 2022 bug
- Microsoft Exchange year 2022 bug in FIP-FS breaks email delivery
- Microsoft Issues Fix for Exchange Y2K22 Bug That Crippled Email Delivery Service
- Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email worldwide
Kyoto University Research Data Lost in Supercomputer Backup Bug
In mid-December 2021, Japan’s Kyoto University lost 77TB of data when its supercomputer backup system deleted nearly all files that were more than 10 days old. The problem was due to a buggy software update from HPE. The incident deleted millions of files belonging to 14 research groups. The university says that data from four of the research groups cannot be restored.
- Doing backups well is hard and boring. Which means it doesn’t get done properly. Remember the old rule that data that doesn’t exist at least three times in three different physical locations (and at least one of them offline) should be considered already lost.
- The old trope of testing patches probably doesn’t apply since most organizations won’t have multiple large-scale storage arrays on which to test patches. Even then, the “test” likely can impact production data. Second, although the article suggests the impact was backup data, that seems a bit misleading. In some scientific research contexts, data stored on a device other than where it was generated is noted as “backup” data. While the 77TB lost was characterized as having been generated over a three day period, that doesn’t mean it can be reconstituted in three days. It was generated over a specific three day period. I’ve been involved in a few research situations where this three day loss could destroy months or years of work. In a typical situation, the data is generated and then processed from a high redundancy storage cluster (such as the one that had the errant software update). Aggregate data of a much smaller size is then stored longer term. It is simply infeasible to say “keep multiple copies with offline backups” when you’re generating this much data on a daily basis; that’s why the org invested in such a high performance (and obscenely expensive) storage system in the first place.
- HPC has graded storage, where data is migrated to slower and slower storage as the local on-line storage comes at a premium. The software which manages the migration of data, and ultimately deletion, is a critical component as it not only tracks data migration, but also maintains the working space needed for the system to continue to operate. The new script was deployed without quiescing the running scripts as well as fully testing the modified logic. The intention was to only remove log files more than ten days old. Recreating the lost data by re-running the experiments, in this case, may not be practical due to system availability coupled with the time and expense needed to prepare them to run.
Read more in
- University loses 77TB of research data due to backup error
- Japanese university loses 77TB of research data following a buggy software update
- Buggy HPE software update wipes 77TB of critical research from Japanese supercomputer
- [Supercomputer] Storage data loss (Japanese)
China Is Targeting Western Social Media with Surveillance Technology
According to a Washington Post report, China is mining Western social media for data about “well known Western media journalists [and] … key personnel from political, business and media circles.” China has been using surveillance technology domestically, but an examination of bidding documents, contracts, and company filings shows that China has expanded its purview beyond its borders.
- Consider regular internal or contracted OSINT hunts. These should be deep dives for corporate officers and at least sweeps for all employees/corporate identities. Use some of the tools on https://osintframework.com/ for a self-checkup!
- China is not the only country doing this, and indeed your competitors may also be monitoring the social media activity of your key staff members. Start 2022 by running an awareness campaign to staff on how to secure their online social media accounts and how to better protect themselves and your business online.
- Don’t count on the data collection terms published by social media sites to protect your data. If you don’t want it viewed publicly, don’t post it on social media. Also, review your profile with an eye to how that information could be used to target you, your employer, or co-workers.
Read more in
Rhode Island AG Investigating Transit Authority Breach
Rhode Island’s Attorney General (AG) is opening an investigation into a data breach that affected the state’s Public Transit Authority (RIPTA). RIPTA disclosed the August 2021 breach last month telling victims that intruders had exfiltrated data related to RIPTA health plans. The AG’s office began receiving complaints from people who received a breach notice from RIPTA but who had no connection to the agency. It appears that the state’s former employee health plan administrator, UnitedHealthcare, was sending all state employee health claims bills to RIPTA, making the agency pick through to find the pertinent data. The Rhode Island AG is “reviewing this incident to determine whether the entities involved have complied with state laws regarding notification and safeguarding of personal information in their custody.”
- On the surface, sending all the state’s data to an agency and letting them figure out what was theirs, sounds like an easy fix which avoids omitting needed records. This also exposes data to an agency which they don’t have a need to know (regardless of regulation) for and adds liability to the receiving party to properly protect that data. Make sure that when you are sharing data, you only share the records which are in scope, and that both parties are appropriately protecting that data.
Read more in
- Attorney general will probe whether RIPTA’s handling of data breach complied with the law
- Government data breach in Rhode Island leads to AG investigation
CISA: Manufacturing Sector Facing Increased Cyberthreats
In an Insights report, the US Cybersecurity and Infrastructure Security Agency (CISA) says “the Critical Manufacturing Sector is at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” Factors responsible for expanding the attack surface include increased remote work and the use of robotics. CISA suggests mitigations such as “developing cybersecurity and operational knowledge within the shop floor environment is essential, given reduced crew density. Additionally, cybersecurity teams within firms must invest in training for security analysts to be capable of remote monitoring of manufacturing environments.”
- Well, pretty much every sector is “… at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” And, the report is pretty lightweight – mostly pointing out possible risks of moves to robotic process automation bringing increased Internet exposure. But, good to use as ammunition if your company is planning on migrating to RPA technology in the near future.
- When we entered the pandemic, we rapidly created remote management/monitoring capabilities for many systems, including some which may not be suited for it. We also stepped-up automation and other processes which allowed for operation with fewer humans. Take a pause and assess the security of those systems, making sure that only authorized devices and users can access those networks, be sure you can detect anomalous traffic and behavior. Assess for cases where you no longer need that access and remove it.
Read more in
- Cyber Threats to Critical Manufacturing Sector Industrial Control Systems (ICS) (PDF)
- Cyber agency warns of increased threats to manufacturing groups during pandemic
As of January 4, 2022, legacy services for BlackBerry 7.1 OS and earlier, BlackBerry 10 software, BlackBerry PlayBook OS 2.1 and earlier are discontinued. BlackBerry devices running these legacy services over WiFi or cellular networks will no longer be able to receive or send text messages, place calls – including 911 emergency calls.
- BlackBerry hardware running the Android OS is not impacted. In 2017 BlackBerry announced they would only support these legacy operating systems for two more years. The good news for the enterprise is if you have users who refused to upgrade because things were not broken, this is no longer the case; you can migrate them to a current supported device. The bad news is they likely want a replacement device ASAP; make sure you have some spare/loaner devices on-hand.
- Blackberry were once the industry leaders for secure mobile communications. It is sad to see them come to EoL but a reminder from a cybersecurity perspective that reliance on a single technology to be your main security provider is not a wise long term strategy and that you should regularly review the technological solutions you rely on.
Read more in
- BlackBerry 10 and BlackBerry OS Services FAQ
- BlackBerry Ends Service on Its Once-Ubiquitous Mobile Devices
- End of the line finally coming for BlackBerry devices
- Seriously, it’s time to get rid of that classic BlackBerry, for real now
Healthcare Supply Chain Association Releases Security Guidance Documents
The Healthcare Supply Chain Association (HSCA) has published two documents for medical device manufacturers, healthcare delivery organizations, and service providers. HSCA notes that “Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services as well as the healthcare delivery organizations (HDOs) that use them.”
- This document contains 50 requirements statements (search for “should”), 18 of which (the ones in the last two sections) are very good requirements to convince procurement to include in all RFPs and contracts for medical devices and services.
- The guidance includes important notifications, such as warranty and lifecycle information, partnerships to resolve security incidents in a timely fashion, as well as breach/incident sharing with the appropriate ISAOs without non-disclosure provisions. The problem is the guidance needs to be implemented. Healthcare providers will need to push on their suppliers to ensure they are complying with appropriate security practices prior to signing contracts. Suppliers need to make sure the providers understand the needed security when deploying their products and services. Then healthcare providers need to actively assess their protections regularly.
Read more in
- New guidance tackles role of manufacturers in medical device security, patient safety
- HSCA Releases Cybersecurity Guidelines for Medical Device Manufacturers
- Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations (PDF)
- Recommendations for Medical Device Cybersecurity Terms and Conditions (PDF)
Broward Health Discloses Breach
Florida-based Broward Health has acknowledged that it experienced a data security breach that affects information of more than 1.3 million people. The incident occurred in October 2021. The breach appears to have been made through a third-party provider who had access to the Broward Health network.
- Indications are the third-party provider’s access was used to access another account which could access the exfiltrated data. In addition to resetting all passwords, Broward Health is implementing multi-factor authentication for all users as well as added minimum security posture requirements for devices they don’t manage connecting to their network. When providing remote services consider requiring not only MFA, but also VDI or similar protections to insulate your system from weaknesses in the connecting system. Only permit access to needed services, at all layers.
Read more in
- Broward Health Notification of Data Incident Involving Personal Medical Information
- Broward Health discloses data breach affecting 1.3 million people
- Data breach: Broward Health warns 1.3 million patients, staff of ‘medical identity theft’
iOS HomeKit DoS Vulnerability
A denial of service vulnerability in Apple’s HomeKit software framework affects iOS versions 14.7 through 15.2. Dubbed DoorLock, the vulnerability was discovered by researcher Trevor Spinolas and reported to Apple in August 2021. HomeKit allows users to control their smart home devices through iPhones and iPads.
- An interesting vulnerability, but it isn’t clear if it is exploitable in “real life.” To exploit this issue, the victim would need to install a rogue application and give it permission to access the HomeKit configuration.
- The flaw is triggered by changing the name of a HomeKit device to a string of over 500,000 characters. A partial fix is included in iOS 15 which limits the length of a name in a HomeKit device, which only works if all devices with access to that HomeKit are running iOS 15. When exploited, recovery requires restoring iOS devices and disabling Home Data until all HomeKit devices are renamed or removed from your iCloud account.
Parallel-SSH is an asynchronous parallel SSH library designed to simplify large-scale automation. Uses the least resources and runs fastest among all Python SSH libraries. We like it because “all you need is a file containing all your ssh hosts—which in hindsight is quite similar to ansible, in its simplest form.”
PDFescape is a surprisingly capable online PDF editor that allows you to annotate & modify PDFs, create forms, and more… entirely for free. Works with any modern browser, with no downloads or account required and no watermarks.
Bulk Crap Uninstaller is an uninstaller for removing the vast majority of crap applications that weigh down Windows, with little user input or technical knowledge required. Can detect most applications and games (even portable or unregistered), clean up leftovers, force uninstall, automatically uninstall according to premade lists, and more.
PSAppDeployToolkit facilitates the performance of common application deployment tasks, including interacting with users. It offers functions that simplify the scripting needed for deploying applications in the enterprise and that help create a consistent, more-successful deployment experience. Can be used to replace your WiseScript, VBScript and Batch wrapper scripts with a single versatile, reusable, extensible tool.
What is Reverse Telnet and how do I configure it? is a helpful post that explains how to telnet to a device and then console into another device from there, so you can remotely recover a device that loses network access because of a boot failure or config error—without an expensive console server at each remote site. It also shares the practical caveat, “I do this all the time… Ensure you set an ACL on your AUX line too, as it would be reachable once enabled.”
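A constructed IOS configuration sketch of the setup the post describes, including the ACL on the AUX line that it recommends. This is an added example, not from the post; the loopback address, management subnet, ACL number, host alias and AUX line number (65) are placeholders.

```cisco
! Constructed example. Placeholders: 10.0.0.1 = loopback on the jump router,
! 10.10.10.0/24 = management subnet, REMOTE-SW = the device being rescued.
!
! A stable address to telnet to, independent of which interface is up.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Only management hosts may open the reverse-telnet line; everything else is logged.
access-list 10 remark reverse telnet to AUX: management subnet only
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any log
!
! AUX port wired with a rollover cable to the console port of the device to be rescued.
! "no exec" stops the router from starting an EXEC on the AUX side when the
! attached console sends data; "transport input telnet" is what makes the line
! reachable over the network, hence the access-class and the login.
line aux 0
 access-class 10 in
 login local
 no exec
 speed 9600
 transport input telnet
!
! Convenience alias: "telnet REMOTE-SW" opens TCP port 2000 + <absolute line
! number of AUX>. Find that number with "show line"; 2065 assumes AUX is line 65.
ip host REMOTE-SW 2065 10.0.0.1
```

From the jump router, `telnet REMOTE-SW` (or `telnet 10.0.0.1 2065`) drops you onto the other device's console; `Ctrl-Shift-6` then `x` suspends the session and `disconnect` tears it down. The `speed` must match the rescued device's console speed. If `aaa new-model` is enabled, the line takes `login authentication <list>` instead of `login local`. The ACL matters because, once `transport input telnet` is set, anyone who can reach 10.0.0.1:2065 has a console cable into the remote device.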
A SysAdmin Guide to Azure IaaS – 2nd Edition is a free 100+ page guide from Altaro that teaches how to set up and maintain a high-performing Azure IaaS environment. Covers the whys and hows of VM sizing and deployment, migration, storage & networking, security & identity, infrastructure as code, backup & replication, Azure Active Directory, Azure Arc, Automanage and more.
[PowerShell] Advanced HTML reporting explains how you can use some simple scripting to create feature-rich reports you can share. Author MadBoyEvo clarifies, “While it says in the title Advanced HTML reporting, it’s actually advanced in terms of what you can achieve, but not complicated to use.”
We offer a clever metaphor to explain the impact of latency to a non-technical individual: “A man got a job painting the white lines down the middle of a highway. On his first day he painted 10 miles; the next day six miles; the next day less than a mile. When the boss asked the man why he kept painting less each day, he replied: ‘I keep getting farther away from the paint can.'”
We offer this advice to reduce security risks associated with network print servers: “[T]his is not for print servers only, but really look into Micro Segmentation of your network – there is no reason why printers need to be exposed to the clients directly for example, or why the print server should see your HPC cluster.
It is vastly more effort to manage if you divide your network in many small subnets that are segregated via firewall, but the gain in security is about the biggest you can imagine (if the firewall rules are implemented strictly as needed and not what is convenient).”
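As an added illustration of the quoted advice (not from the newsletter), here is a constructed pair of IOS extended ACLs on a printer VLAN that implement “strictly as needed”: only the print server may reach the printers, only on print and status ports, and the printers may initiate nothing. Clients and every other segment are denied and logged. The addresses, VLAN number and ACL names are placeholders.

```cisco
! Constructed example. Placeholders:
!   10.20.0.0/24  client VLAN (Vlan20)
!   10.30.0.0/24  printer VLAN (Vlan30), statically addressed
!   10.40.0.5     print server (in its own server segment)
! The same pattern applies to the HPC cluster or any other segment: each VLAN
! gets a "need to talk" list, and everything else is denied and logged.
!
! Traffic INTO the printer VLAN: only the print server, only print/status ports.
ip access-list extended TO-PRINTERS
 remark print server -> printers: raw (9100) and IPP (631) only
 permit tcp host 10.40.0.5 10.30.0.0 0.0.0.255 eq 9100
 permit tcp host 10.40.0.5 10.30.0.0 0.0.0.255 eq 631
 remark print server polls printer status over SNMP
 permit udp host 10.40.0.5 10.30.0.0 0.0.0.255 eq snmp
 remark clients never reach printers directly; logged so the gap shows up
 deny   ip 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255 log
 deny   ip any any log
!
! Traffic OUT OF the printer VLAN: replies to the print server only; printers
! initiate nothing (no DNS, no Internet, no "phone home").
ip access-list extended FROM-PRINTERS
 remark replies on TCP sessions the print server opened
 permit tcp 10.30.0.0 0.0.0.255 host 10.40.0.5 established
 remark SNMP responses back to the print server
 permit udp 10.30.0.0 0.0.0.255 eq snmp host 10.40.0.5
 deny   ip any any log
!
interface Vlan30
 description printers
 ip address 10.30.0.1 255.255.255.0
 ip access-group TO-PRINTERS out
 ip access-group FROM-PRINTERS in
```

Two caveats a practitioner would want: these ACLs are stateless, so each direction has to be listed and `established` is only a TCP-flag check, which is why a stateful firewall (IOS zone-based firewall or a dedicated firewall routing between VLANs) is the better choice where the budget allows; and the explicit `deny ... log` lines are the tool that surfaces the “convenient” flows you forgot (for example, if the printers were on DHCP rather than static addresses, the bootpc/bootps traffic would show up there and need its own permit). SVI ACLs also do not filter traffic inside a VLAN, so a compromised printer can still reach its neighbours unless the switch ports are isolated.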
Some sage career advice for the junior sysadmin: “Never EVER be afraid to ask! That’s how you learn! Maybe they are doing [whatever you are wondering about] purely out of habit and shouldn’t. Maybe they have found that after following all instruction from the maker of the software… for now, this is the “easiest way” to get things done. Be curious. Ask away. This is what gets a junior up to a senior level, gaining knowledge.”
We are making changes to the minimum operating system requirements for the Defender for Identity sensor and announcing end of support for Microsoft Defender for Identity sensor on Windows Server 2008 R2 domain controllers and Active Directory Federation Services (AD FS) servers.
Users have reported that when watching a video on YouTube for the first time in a day, while trying to open YouTube or YouTube Analytics, or after replying to another user’s comment, the message “HTTP Error 429: Too Many Requests” appears, and the user is subsequently unable to reply to anyone else’s comment.
Many users have reported “HTTP Error 429: Too Many Requests” occurring on YouTube, asking questions such as:
- What does “HTTP Error 429: Too Many Requests” mean for YouTube app?
- Why does HTTP Error 429 occur on YouTube?
- How do I fix a network HTTP error 429 on the YouTube app?
Follow the solution steps below to resolve the “HTTP Error 429: Too Many Requests” issue on YouTube.
Found a YouTube video that resonates with you, but YouTube won’t let you download its audio directly to your iPhone? Yes, YouTube can try our nerves at times by restricting its users from certain essential functionality. However, there’s always a way around a problem!
Yes, you read that right! You can now download music from YouTube videos directly into your iPhone or other Apple devices. Using a YouTube MP3 downloader, you’re all set to convert YouTube videos into MP3 and save them for hours and hours of offline playback on your iPhone. And today, we’re here for just that.
In this article you will learn why Pure Storage Rapid Restore using Pure Storage FlashBlade with snapshot technology, coupled with third-party data management solution integration, is the foundation for the ideal data availability solution. The purpose of our business is to deliver fast, easy, reliable, and scalable solutions to protect your vital Epic data and other clinical and business data.