The need for BeyondCorp-type organisations; Threat Models and Breaches (2020: Week 44)

Photo by marcos mayer on Unsplash

IT moves to a zero-trust, decentralised model (Saturday)

Looks like Google were on the right track with BeyondCorp as Coronavirus has very succinctly put the “impenetrable border” approach to IT Security on notice. With millions of knowledge workers able to be productive from home, but failing to get access to resources as VPNs and Identity and Access Managements solutions struggle.

• Threat automation, decentralized architecture among emerging post-COVID cyber trends | SC Media

Checkpoint followed up a few days later with a series on videos on how their products could secure a remote workforce:

• 8-Part Video Guide: How to Secure your Remote Workforce - Check Point Software

Gaps in Microsoft’s Threat Matrix (Monday)

• Gadi Naor of Dark Reading called out that the Threat Matrix that Microsoft Published in April 2020 was missing a key aspect of operating Kubernetes on Azure:

One notable component Azure’s threat matrix leaves out is the “Command & Control” (C2) threat category

The threat model is invaluable to someone who does actually operate Kubernetes on Azure (AKS) in Production, the analysis even more so. Goes to show the value of peer review in the technology sector is critical.

• Microsoft's Kubernetes Threat Matrix: Here's What's Missing

Psychotherapy Clinic Hack Victims Blackmailed (Monday)

Despite an apparent armistice between the hacker community and healthcare providers, a Finnish Psychotherapy Clinic was hacked last week resulting in exfiltration of about 40,000 records pertaining to individuals. A subset of these users have subsequently be approached with attempts to blackmail them.

• Hackers rummaged about in Finnish psychotherapy clinic - now patients extorted with public data…

This is another example of how much damaged a small data loss may represent, and surely calls for more industry specific data protection advice and assistance for the Healthcare sector in general. Unfortunatly it doesn’t appear to be an isolated case:

• Dr. Reddy Labs discloses cyberattack soon after getting ok for final COVID vaccine trial | SC Media

Reverse Engineering Redacted Text (Tuesday)

via Schneier on Security

Fortunately we have come a long way from redactions simply being black shapes layered on top of text, allowing the redacted text to trivially be extracted with any PDF editor. Never under estimate how clever a suitably motivated person can be, as an example slate.com reverse engineered text of a deposition published in the US to reveal sensitive names:

• We Cracked the Redactions in the Ghislaine Maxwell Deposition

Amazon faces the consequences of a malicious insider (Tuesday)

Amazon recently experienced one of the biggest fears of an employer, the fact that an employee, or worse multiple employees, would abuse their position for personal gain. It appears that the employees in question disclosed e-mail addresses to a third party resulting in Amazon making a statutory disclosure and informing customers.

• Amazon Discloses Security Incident Involving Customers' Email Addresses

It’s not just Amazon though, it’s also BAE Systems, dealing with fall out from rogue employees:

• Software engineer leaked UK missile system secrets and refused to hand cops his passwords, Old…

Don’t blame the font (Wednesday)

Troy Hunt started a small twitter conflict but then called out that it’s easy to blame developers, typeface designers, UX engineers or even end users (victims) for malicious users but at the end of the day you can’t fix everything.

• Humans are Bad at URLs and Fonts Don't Matter

Scott Helme summed the response to “training users” very well:

Unusually large number of unpatched Windows machines in the wild (Wednesday)

In a odd turn of events there seems to be an unusually large number of hosts on the internet vulnerable to the Critical and Wormable SMBGhost. There doesn’t seem to be an obvious reason why though:

• InfoSec Handlers Diary Blog

Security and Defence Data Loss (Thursday)

There has been a few of these recently, combination of GDPR and increase threat landscape recently.

• Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

Tracking Waze Users (Thursday)

Given the user base of Waze this has quite an impact on consumers, good news is given Waze’s platform fixing the issue was less of a problem than, for example, if a in-car system was vulnerable.

• Tracking Users on Waze

Do you have a “Act of War” Clause? (Friday)

As it turns out Cyber Insurance often has an “Act of War” clause, which is perfectly normal. It’s not so normal that an attack against your business could be considered an act of war if perpetrated by a nation state actor.

• 'Act of War' Clause Could Nix Cyber Insurance Payouts

Company Name XSS (Friday)

Almost unbelievably it’s possible to register a company name in the UK that contains characters that could be used as a XSS attack. In this case someone tried it, but in the name of science, not crime:

• Why, yes, you can register an XSS attack as a UK company name. How do we know that? Someone…

New Let’s Encrypt intermediary (Friday)

Scott Helme (again) has posted a rundown on the new intermediate certificates in use by Let’s Encrypt; which are now cleaner and smaller, thanks to common sense and Elliptic-Curve Cryptography:

• Let's Encrypt issues new Root and Intermediate Certificates

Marriot fined (Friday)

The Information Commissioner’s Office slapped Marriot Group with a fine representing just 5p per customer. This isn’t exactly a win for data security, but hopefully “in-economy of scale” will make companies think twice about data security in the future.

• Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for…

• Marriott International Inc