image Photo by Efe Kurnaz on Unsplash

I’ll just sneak this into your in-tray

Crafty sellers on the dark web have found a way to sneak e-mails into your inbox without sending them across the internet. This renders tools like Mimecast ineffective against this kind of attack; all is not lost however as the user would need to be phished before this could work.

Innovation has been rife this year within the cybercrime community, The Register called this out in their article on Monday Morning:

Overview of phishing

GreatHorn posted a good overview of the different types of phishing accessible in the wild, along with some tips on how to create a good phishing module in your Security Awareness training programme.

What is still hanging around

SANS came up with a handy reminder that just because we don’t talk about certain vulnerabilities any more doesn’t mean that they don’t exist. Many servers are still vulnerable to Heartbleed and BlueKeep, a fact that rarely gets a mention in the news.

Cyberspace code of conduct

The Global Commission on the Stability of Cyberspace has completed and published their final report in an attempt to get both state-sponsored and non-state sponsored threat actors on board to protect the confidentiality, integrity and availability of cyberspace. Not sure how well that’s going to go down with parties involved, but I appreciate the attempt at a common code of conduct.

Apple’s Big Sur OCSPpocalypse

Articles have been flying recently about Apple’s use of the online certificate stapling protocol as a potential for leaking privacy. Scott Helme has again written a good technical article on what is actually going on here, and equally what Apple (or any other vendor) could do about it.

As it turns out Apple is going to do something about it; although I’m still to be convinced that inventing a new protocol is the way forwards: in To: line faux pas

In an attempt to update it’s customers on the privacy policy; managed to violate their own Privacy Policy by including a long list of customers on the to line.

Brave response in the face of ransomware

Capcom could have have paid the ransom; however they did everyone a favour by standing firm and not paying out — the ramifications on their operation are still to be felt, but it discourages bad actors from targeting them in the future. Right decision Capcom, thank you.

Capcom have certainly separated themselves from the rest of the pack as new data from Dark Reading shows that there has been an increase in Cyber Insurance payouts:

Dark Reading (again) posted a Lawyer’s perspective on paying Ransomware and the negative legal consequences that are not necessarily obvious:

The Agile CISO Manifesto

The 68 words in the Agile Manifesto literally changed Software Engineering forever; many have attempted to emulate it’s success and info sec is no different. Personally I think it’s a good step, although the content is less important than the list of names of those onboard to make it part of their life.

Distributed Storage platform for Ransomware-as-a-Service

The as-a-service model has become prevalent with the advent of cloud; it’s not limited to cloud though — even Ransomware providers are developing commodity storage, just on the off chance you need an inexpensive way to host your ill-gotten gains.

Warning about Site Notifications from Brian Krebs

Brian Krebs has noticed something that has annoyed me for a while; sites requesting permissions to notify me in the browser. Krebs points out it’s more than annoying, as there are sites out there that are using the facility to push malicious content.

Firefox for Android can be used to steal all the things

Having access to cookies in the browser pretty much means game over; there is very little you as a website operator or end-user would defend against all of your cookies being picked up and used elsewhere — fortunately it’s been fixed.

Technical Debt in DevSecOps

David Habusha at Dark Reading points out that DevSecOps unlike other aspects of software engineering accrues technical debt in the form of a mounting list of vulnerabilities. The article also demonstrates the need to incorporate management these vulnerabilities needs to be a priority for DevSecOps teams and CISOs.

AWS APIs vulnerable to abuse

Researches have identified that multiple Amazon Web Services offerings are vulnerable to abuse; with the prevalence of AWS in the enterprise and SaaS vendors this represents a sizable attack surface area.

Abuse of cloud services isn’t unique to AWS; cloud services from both Microsoft and Google are vulnerable, albeit on a slightly different vector:

Using BeEF to exploit the browser

Attacks on Japanese interests linked to APT10/Circada

The register called out research from Symantec/Broadcom linking APT10/Circada to attacks on Japanese countries across the world. The working assumption that this group is operating out of China, the interesting aspect is that they also appear to operate on-shore in China — which is unusual as it would expose the group to higher risk of prosecution.

Sophos 2021 Threat Report

Sophos published their threat report calling out, amongst other things, that bad actors are leveraging COVID-19 as a force multiplier; something that has been called out on this blog a couple of times — good news, I’m not paranoid.

Dark Reading has tips on how to spend the cash you get next year too:

The new perimeter isn’t a big wall

Those familiar with BeyondCorp and Defence in Depth in general won’t be surprised to find out that the “big wall” mentality for cyber defending has fallen — Dark Reading have a great article about how Identity, Edge and Endpoint represent the new perimeter, or more accurately perimeters.

Troy Hunt loading more pwned accounts into HIBP

Troy Hunt has been doing his thing and loading accounts and passwords into HIBP; we got a bit more insight into his process here, it’s a fascinating read.

InfoSec professionals fear of falling foul of the Computer Misuse Act

Unless your chosen career is armed robber, would wouldn’t think that you could end up in prison for doing your job — unfortunately outdated laws here in the UK make Information Security Professional think that this could be in their future. Fortunately the are groups on hand to try and change these laws to be more compatible with the information age.

Build a ARP Spoofing tool

New AWS Network Firewall uses Suricata

The new [AWS Network Firewall] ( product appears to be based around Suricata, the same Network Intrusion Detection/Presentation System used in Ubiquiti’s range of Security Gateways (USGs)) this is great news as many security researchers will publish Suricata based rulesets when they find network level vulnerabilities. The really nice thing about this is it enables policy as code, rather than relying on detection rulesets from vendors as Zip files.

There is a lot of work still to do to realise true DevSecOps mindsets

SC Media points out that while frameworks such as STIX/TAXII and MITRE ATT&CK go a long way to automating the activities and interactions within Security Operations. As an example simply knowing a service is vulnerable doesn’t reduce the risk, analysis, response, quality assurance and deployment processes need to be engaged to close the gap.

New ACME CA on the market

For a long time there was only Let’s Encrypt, then there was Buypass, and now there is ZeroSSL — diversity in the market is excellent as it reduces our reliance on a single provider.