SANS NewsBites

Uber CSO Indicted for Breach Coverup; CISA 5G Strategy; iOS SDK Malicious Code

August 25, 2020  |  Volume XXII - Issue #67

Top of the News


2020-08-21

Former Uber CSO Indicted for Covering Up 2016 Breach

Former Uber CSO Joseph Sullivan has been indicted for allegedly covering up a 2016 data breach at the company. The breach compromised personal data belonging to 57 million Uber drivers and passengers; the information included drivers' driver's license numbers. Sullivan allegedly failed to disclose the breach while the FTC was investigating a 2014 breach at the company.

Editor's Note

There is a more subtle lesson here than the need to follow the rules. As security becomes more core to enterprise success, security practitioners will increasingly be caught up in decisions involving CEOs and attorneys. When the CEO believes that he does not need to follow the rules, the resulting culture of criminality corrupts good people by implicitly or explicitly threatening their high-paid jobs if they don't "go along." The bottom line: if you work for an executive who expects his/her people to break the rules, get out quickly.

Alan Paller

Over the past several years, Uber has become the poster child for dysfunctional management in many areas - not surprising to see security management being accused of being part of the problem. This is a good cautionary tale to use with CXOs, legal counsel, and boards to illustrate the high risks of trying to downplay or hide incidents.

John Pescatore

Sullivan reportedly received an email from the hacker informing him of the 2016 breach and, rather than report the breach, paid the attackers $100,000 USD in bitcoin via a bug bounty program and had the attackers sign a non-disclosure agreement (NDA) asserting no data was stolen or stored.

Lee Neely

2020-08-24

CISA Releases 5G Security Strategy

On Monday, August 24, the US Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to defend 5G networks against threats. The strategy "establishes five strategic initiatives that seek to advance the deployment of a secure and resilient 5G infrastructure."

Editor's Note

CISA is moving to raise awareness and reduce risks through these initiatives. By leveraging existing and new partnerships, they hope to maximize the capabilities and security of 5G. They include policy, including security, supply chain, partnerships, innovation and sharing of risk management information, which will result in a foundation that should be leveraged to reach these goals.

Lee Neely

Much of the discussion of 5G networks, led by the carriers, has focused on the high speed and low latency of the communication services they offer. However, this defensive strategy is about the "nodes," the devices and their applications, in the network rather than merely the "links." These are the responsibility of the developers and managers of the applications, not the carriers.

William Hugh Murray

2020-08-24

Malicious Code Found in Mintegral iOS SDK

A report from Snyk describes malicious code it detected in an iOS software development kit (SDK) that has been used in more than 1,200 apps; the affected apps have been downloaded a collective total of more than 300 million times. The Mintegral iOS SDK collects user data, steals clicks from ads, and commits advertising attribution fraud.

Editor's Note

By using method swizzling, the Mintegral SDK captures advertising activities, registering them as accesses to their advertising, in addition to the legitimate ad accessed. As the last registered click gets the attribution, their second registration wins, and they get the revenue. While the debate about the SDK also being used to capture privacy information continues, the new iOS 14 privacy disclosure prompts should allow users to identify the behavior and make informed choices.

Lee Neely

Apparently, the appeal of the Mintegral SDK is that it produces apps for both iOS and other environments, which, of course, the Apple SDK does not do. However, Mintegral denies any "fraud or invasion of privacy," claims that it uses an Apple API, and cites an Apple e-mail that states that Apple does not have evidence that Mintegral has "harmed users." Users should read the statements from Apple in the last two paragraphs of the ZDNet report.

William Hugh Murray

The Rest of the Week's News


2020-08-24

Canpar Express Hit with Ransomware

The internal computer systems at Canadian delivery company Canpar Express were infected with ransomware last week. Customers complained of delayed deliveries. On Monday, August 24, files that appear to have been taken from Canpar systems were leaked on the dark web.

Editor's Note

At this late stage in the game, continued vulnerability to ransomware is reckless. Resist corruption of your programs and data using "least privilege" access control and lateral compromises within the enterprise using strong authentication, structured networks, and end-to-end application-layer encryption.

William Hugh Murray

2020-08-21

FBI and CISA Release "Vishing" Warning

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning of an increase in the threat of voice phishing, or "vishing," attacks targeting people working from home during the pandemic. The attackers call their targeted victims and, pretending to be IT help desk employees, tell them they need to use a different VPN login page. They then direct the victims to specially crafted pages that harvest their VPN credentials. The advisory offers mitigation advice for organizations and end users.

Editor's Note

This is not the upgraded VPN you're looking for. Part of the trick here is they are calling users' cell numbers with a caller ID that maps to a corporate number. As the users are remote, your VoIP firewall can't intervene. Another component is that processes enacted to eliminate in-person validation are being exploited. A prime target here is new hires. When doing remote validation, make sure to include a video component, comparing the photo on government-issued ID to the worker. Other mitigations include watching for look-alike domains, restricting VPN access to known (ideally managed) good devices, and restricting login times.

Lee Neely

2020-08-24

Zoom Outages Fixed

Video communications company Zoom experienced outages on Monday, August 24. The majority of the outages affected users in the UK and on the East Coast of the US. The issues were resolved shortly after 1:00pm ET (5:00pm UTC).

Editor's Note

Zoom has a service status page (https://status.zoom.us) which has information about updates as well as service interruptions, including past issues. Consider subscribing to their email updates for a more active notification. The total outage was about 4.5 hours, with the majority of users back online after about 2 hours.

Lee Neely

2020-08-24

Flaw in WooCommerce NAB Transact Extension

A critical payment bypass vulnerability in the WooCommerce NAB Transact extension could be exploited to make it appear to vendors that orders have been paid in full. The NAB extension, which is from National Australia Bank, lets online vendors process payment card transactions within their websites. Users are urged to upgrade to version 2.1.2.


2020-08-24

Freepik Data Breach Affects 8.3M Users

Hackers used an SQL injection attack to steal email addresses and password hashes belonging to 8.3 million Freepik and Flaticon users. Freepik is a website that offers free photos and design graphics.

Editor's Note

Make sure that your apps are sanitizing input, separate from your WAF. Regular web application scanning can be used to ensure this remains implemented as well as reveal issues prior to an attacker doing so. Ideally scan with and without the WAF to verify its operation, as well.

Lee Neely

Checking inputs is difficult but essential, particularly in public facing applications. That said, the detection and elimination of SQL commands should be the "low hanging fruit."

William Hugh Murray
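The two notes above both come down to the same control: the application itself must keep user input out of the SQL statement, whatever the WAF does. The added example below is not from the newsletter or from Freepik; it uses a constructed in-memory SQLite user table to show a concatenated lookup that leaks every stored hash on a hostile input, beside the hardened form that allow-list validates the email and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample user store (not Freepik's schema or data).
ROWS = [
    ("alice@example.com", "$2b$12$constructed-hash-for-alice"),
    ("bob@example.com", "$2b$12$constructed-hash-for-bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Injectable: the caller's string is spliced into the SQL text, so a
    value containing a quote rewrites the WHERE clause instead of matching it."""
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver passes the value separately from the
    statement, so it can only ever be compared, never parsed as SQL."""
    sql = "SELECT email, pw_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Allow-list for the only shape this field should ever have.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def lookup_hardened(conn, email):
    """Defence in depth, independent of any WAF in front of the app:
    reject input that is not a well-formed address, then bind it."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: not a well-formed email address")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(db, hostile)))   # 2: every hash leaks
    print("parameterized rows:", len(lookup_parameterized(db, hostile)))  # 0
```

Running the module directly shows the concatenated query returning both rows for the hostile value while the bound query returns none; the hardened function refuses the value before it ever reaches the database.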

2020-08-24

MITRE Active Defense Framework

MITRE's Shield active cyber defense framework is designed to help organizations "engage... an active cyber defense." The Shield Active Defense Matrix cross-references tactics - what defenders want to accomplish - with techniques for achieving those tactics.


2020-08-24

Fix Available for BIND 9 Denial-of-Service Issue

A security flaw affecting BIND name server versions 9.16.1 through 9.17.1 could be exploited to cause denial-of-service conditions on vulnerable devices. Updated versions of BIND address this buffer overflow vulnerability as well as several less severe flaws.

Internet Storm Center Tech Corner

A Word of Caution: Helping Cyber Stalking Victims

https://isc.sans.edu/forums/diary/A+Word+of+Caution+Helping+Out+People+Being+Stalked+Online/26422/


RDP and Telnet Scans

https://isc.sans.edu/forums/diary/Remote+Desktop+TCP3389+and+Telnet+TCP23+What+might+they+have+in+Common/26492/


Tracking a Malware Campaign Through VT

https://isc.sans.edu/forums/diary/Tracking+A+Malware+Campaign+Through+VT/26498/


Thales Cinterion Input Validation Vulnerability

https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/resources/security-updates-cinterion-iot-modules


RDP Remains a Top Target

https://www.group-ib.com/media/iran-cybercriminals/


Google Drive File Extension Spoofing

https://thehackernews.com/2020/08/google-drive-file-versions.html


Zoom Outage

https://www.cnn.com/2020/08/24/us/zoom-outage-worldwide-trnd/index.html


Microsoft Introduces Application Guard

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide


Safari File Sharing Bug

https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html