image Photo by Andrey Trusov on Unsplash

Victim Blaming in Information Security

Starting off this week on a low note, in my opinion, is the disturbing revelation that in 2020 we still think shaming people is an effective strategy to defend against phishing attacks. A paper published on the 29th October seems to suggest that after doing a study of 142 employees in New Zealand that a name and shame approach would work.

This, unfortunately, is flawed thinking for two reasons:

  1. Psychological Safety: Even the threat of being shamed is sufficient to reduce the likelihood that an affected individual would raise a concern after becoming a victim. We can only foster a culture of collaboration and learning if people are able to make mistakes and learn from them.
  2. Scope: I strongly suspect there are two types of people in the world, those that have been phished and those that will be phished. Frankly, phishing is becoming so common that it’s only a matter of time before even the most savvy user has a bad day and clicks a link without considering the context or content fully.

At the end of the day, blaming the victim, is never an approach and not one the information security community should tolerate.

Legacy Device Timebomb

Scott Helme originally wrote about this in June, essentially there are a large number of Android phones out in the wild that have not been updated, and likely never will do. These devices are no longer going to be able to access a good proportion of the internet — depending on how you calculate it anywhere between 2% to 18% of sites use Let’s Encrypt which is no small number.

Exfiltrating passwords over a video conversation

Just when you thought you had got ahead of the curve when a bunch of researchers point out that they can use your shoulders and upper arms to infer your passwords. Probably best to use a password manager, or if not, don’t type your password while on Video Chat.

Ransomware on Linux

  • Davey Winder has been on fire this week with article upon article with news from the Information Security Industry. This time he points out that ransomware isn’t just a concern for Windows users. With the prevalence of Linux in the enterprise services space it probably isn’t surprising that bad actors would eventually jump on Linux as attack vector.

  • New Ransomware Threat Jumps From Windows To Linux-What You Need To Know

UK on the Cyber Offensive Disrupting Propaganda

Seems that the UK intelligence community has gone on the cyber offensive, not only it’s it sufficient to actively issue takedown notices; not GCHQ (technically NCSC at a guess) is now using encryption to attack propaganda sites, which feels very much like a ransomware attack without actually asking for any money.

  • Chris Lyne over at the Tenable Tech Blog posted a brilliant attack on TP-Link WiFi routers/switches that leverages the USB port and symbolic links to exfiltrate information from the device. Given that these switches are based upon OpenWRT I suspect other vendors are affected too.

  • TP-Link Takeover with a Flash Drive

Tim Berners-Lee Fixing the Internet

Tim Berners-Lee gave us the internet, he would be the first to admit that he made some mistakes. What I respect most about him is he admits this and is trying to fix it — he might not be able to get rid of www or the // but privacy is solvable.

The downward spiral of Cyber Insurance

Cyber Insurance is a big industry; unfortunately it suffers from the same problems that “kidnapping” and “ransom” insurance has. If the policy will pay out, it actively increases the probability of the policyholder being targeted by the bad guys.

More sidechannel attacks against physical processors

Intel isn’t having a great time; not only are they struggling to manage supply and demand, but another sidechannel attack has been identified in their platform.

SMS phishing attacks continue to rise

Phishing is profitable, sadly, SMS phishing is no different; with the prevalence of SMS it represents an easy target. The only way we are going to get past it is to stop using SMS for legitimate purposes. The aspect of this that makes me laugh is the fact that SMS was not designed for person to person communication, it’s a part of the specification for technical messaging to devices.

There are signs though that SMS is falling out of favour with CISOs:

Sophos went on to point out that SMS phishing which lead to compromise of an mobile (cellular) account could lead to much more serious fraud:

Microsoft Patch Tuesday

If Coronavirus hadn’t killed your corporate VPN there is a pretty good chance that this weeks Patch Tuesday will; with 112 patches in total links will become saturated.

It’s a bumper crop of patches, however there is nothing hugely concerning in there. It’s good to see Microsoft becoming increasingly pro-active about patching vulnerabilities — corporates need to catch up with the world though and start provisioning vulnerability management over the internet rather than VPNs.

Exposed Blob Storage in Azure

The SANS blog reminded us this week that vulnerability classes don’t care which cloud you use; this goes for Azure users laughing at AWS users when they have customer data exposed in S3 accounts — just because the most recent company used S3 doesn’t mean any other platform is immune.

New Threat-as-a-Service APT observed by Blackberry

This has been an interesting one; Blackberry posted a public service announcement describing their experiences with a new APT that appear to be operating in the “hacker for hire” space — this is a concern as Advanced Persistent Threats are harder to track and defend against if their “services” can be applied across industries and natation.

Security Awareness during the holiday season

It’s that time of the year where people are hitting the shops; due to COVID-19 we are mostly shopping on line; GreatHorn posted some great advice on how to stay safe online by being aware of these scams:

Pay2Key developing into a serious threat

The threat of not just losing access to your data but having some or all of it exfiltrated is a one-two punch to victims; it’s proving to increase the number of victims who are willing to pay out to regain access to their data and to avoid embarrassment.

Retailers will be targeted during the holiday season

Finally a warning to retailers, with many more people shopping online this Christmas bad actors will target you even further Dark Reading has good advice on how to avoid it, and the ICO provides a stark warning on the consequences of an attack.