A Review of the Best News of the Week on Cybersecurity Management & Strategy

‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town (The New York Times, Feb 09 2021)
For years, cybersecurity experts have warned of attacks on small municipal systems. In Oldsmar, Fla., the levels of lye were changed and could have sickened residents.

SonicWall Zero-Day (Schneier on Security, Feb 08 2021)
“Hackers are exploiting zero-day in SonicWall:

In an email, an NCC Group spokeswoman wrote: “Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth.”

In Monday’s update, SonicWall representatives said the company’s engineering team confirmed that the submission by NCC Group included a “critical zero-day” in the SMA 100 series 10.x code.”

What’s most interesting about the Florida water system hack? That we heard about it at all. (Krebs on Security, Feb 10 2021)
“Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all.”


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Google Launches Database for Open Source Vulnerabilities (SecurityWeek, Feb 08 2021)
Google last week announced the launch of OSV (Open Source Vulnerabilities), which the internet giant has described as a vulnerability database and triage infrastructure for open source projects.

Ransomware Profitability (Schneier on Security, Feb 10 2021)
“Analyzing cryptocurrency data, a research group has estimated a lower-bound on 2020 ransomware revenue: $350 million, four times more than in 2019.

Based on the company’s data, among last year’s top earners, there were groups like Ryuk, Maze (now-defunct), Doppelpaymer, Netwalker (disrupted by authorities), Conti, and REvil (aka Sodinokibi).

Ransomware is now an established worldwide business.

Slashdot thread.”

NHS Staff Hit by Almost 140,000 Malicious Emails in 2020 (Infosecurity Magazine, Feb 08 2021)
NHS Digital figures highlight email threats faced by the healthcare sector

Mortgage loan servicing company discloses ransomware attack to multiple states (SC Media, Feb 05 2021)
A preliminary investigation identified data related to SN Servicing Corporation’s billing statements and fee notices to customers from 2018, including names, addresses, loan numbers, balance information and billing information such as charges assessed, owed or paid.

Beware of technical “experts” bombarding you with bug reports (Naked Security – Sophos, Feb 09 2021)
Beware pseudo-geeks bearing ‘gifts’.

Rethink your cybersecurity resiliency using a risk-based strategy (SC Media, Feb 09 2021)
Today’s columnist, Mary Braunwarth of NetSPI, notes that falling short on regulatory requirements can put companies on the hook for hefty fines, such as in the case of Citibank, which was fined $400 million by the U.S. Treasury Department.

U.S. Agencies Publish Ransomware Factsheet (SecurityWeek, Feb 09 2021)
The National Cyber Investigative Joint Task Force (NCIJTF) on Friday released a joint-sealed ransomware factsheet detailing common attack techniques and means to ensure prevention and mitigation.

UN Experts: North Korea Using Cyber Attacks to Update Nukes (SecurityWeek, Feb 09 2021)
North Korea has modernized its nuclear weapons and ballistic missiles by flouting United Nations sanctions, using cyberattacks to help finance its programs and continuing to seek material and technology overseas for its arsenal, U.N. experts said.

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit (Krebs on Security, Feb 08 2021)
“Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers.”

When it comes to vulnerability triage, ditch CVSS and prioritize exploitability (Help Net Security, Feb 10 2021)
When it comes to software security, one of the biggest challenges facing developers today is information overload. Thanks in part to the widespread proliferation and use of open-source code (a study by Red Hat showed that 36% of software in use at surveyed organizations was open source), as well as the increasing complexity of the average application, a given project can now be expected to have a massive amount of dependencies.

Antivirus Firm Emsisoft Discloses Data Breach (SecurityWeek, Feb 09 2021)
Antivirus solutions provider Emsisoft revealed last week that a third party had accessed a publicly exposed database containing technical logs.

For SOC teams, the analytics and automation hype is real (Help Net Security, Feb 12 2021)
Tools for analytics and automation are providing today’s SOC teams with enhanced visibility, improved productivity, and unlimited scalability—and it couldn’t come at a better time. In the wake of the COVID-19 pandemic, security has become a top priority for nearly all organizations.

Real Bug Volumes in 2020 Exceed Official CVEs by 29%: Report (Infosecurity Magazine, Feb 12 2021)
Risk Based Security claims to have spotted 6767 more bugs than NVD

Nearly Two-Thirds of CVEs Are Low Complexity (Infosecurity Magazine, Feb 12 2021)
Similar number in 2020 required no user interaction, says Redscan

Illinois Is State Hit Hardest by Cybercrime (Infosecurity Magazine, Feb 11 2021)
Illinois has the highest concentration of cybercrime victims in the United States

Anne Neuberger coordinating Biden’s SolarWinds efforts (SC Media, Feb 12 2021)
The announcement came after Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., sent a letter to the U.S. intelligence services asking them to assign a leader for the response.

Ex-NSA Hacker’s First Hack Was Hiding a Backdoor in His High School Calculator (VICE, Feb 11 2021)
In the second episode of the My First Hack series, Patrick Wardle tells us about that time he used his hacking skills to help him with calculus.