Virginia Advances Cyber Workforce Development; Bytecode Alliance Pushes Safe and Fast Software; Linux Kernel Vulnerability; Google Service Account Security Recommendation

The major browser vendors have been working collaboratively on WebAssembly since 2017, in an effort to have common standards for fast and safe binaries that run on a variety of processors on the web. Good to see the focus on “safe” being equal to the focus on “fast.”

John Pescatore

As the exploit is a read operation, it’s pretty much not-detectable from the network. Detecting reads of the /syscall procfs locally can generate a lot of traffic and false positives. The patch was merged into the codebase December 3rd and should be included in your Linux distribution as you apply updates. Double check if you’re running kernel versions 5.10-rc4, 5.4.66 or 5.9.8.

Lee Neely

Major distributions have patches available. Remember that this will likely require a reboot. Not urgent, but should be applied as part of your regular patch schedule / scheduled maintenance window.

Johannes Ullrich

Service accounts – essentially machine accounts that can’t do “human” things like enter a password or answer an authentication challenge – are often overlooked even as human authentication is strengthened. I like that Google starts off this guidance with the most important guidance: “Only use service accounts where appropriate.” There are many cases where service accounts are used just as hardcoded embedded passwords were used – simpler for both the developer and the attacker.

John Pescatore

This document provides good guidance on where to use service accounts versus human user accounts. Service accounts don’t use your interactive login services, and can be granted rights only t0 the specific services to which they need access, making monitoring and anomaly detection much easier and practical. Apply this model to your on-premise systems as well. Eliminate business processes which execute as an end user where possible, leverage published standards and best practices.

Lee Neely

The report reminds us that open source code is also targeted, not just code signing keys or suppliers code repositories. Develop a mindset that open source is someone else’s code and needs to be checked for security flaws and undesired extra functionality. When building your deployment environment, use unprivileged processes wherever possible to reduce the attack surface in that phase of deployment. Make sure that you have a formal C-SCRM program, which includes open lines of communication with suppliers, secure development and deployment practices, and equal scrutiny of products irrespective of origin. Read the report for added recommendations. Talk to your suppliers about what they are doing, and if that feels inadequate, re-assess the risk of that relationship.

Lee Neely

Supply chain security is kind of like information security overall in that we pretty much know what to do and there are many frameworks that list everything to do – the how to overcome real world business obstacles to making progress is the hard part. Most vertical industries with an ISAC have supply chain security working groups or ad hoc sessions at ISAC meetings. The InfraGard Electronic Security Industry Cross Sector Council has recently partnered with the FBI and private sector organizations to provide education, information sharing, networking and workshops on supply chain threats and security approaches.

John Pescatore

This document is more balanced than most of the recommendations in the space in that it addresses suppliers. However, it addresses the end users first. This problem cannot even be mitigated by end users. Some will fall victim and our already fragile infrastructure will be further weakened. We must take a supplier first strategy, prevention first. Suppliers must be severely sanctioned when they distribute malicious code.

William Hugh Murray

The FCC strategy for “slowing down untrusted vendors” points to the Secure and Trusted Communications Networks Act of 2019 that so far has focused on only Chinese telecoms vendors as being untrusted – Dahua Technology, Hangzhou Hikvision, Huawei, Hytera and ZTE Corp. products are the only ones on the list. National security priorities may indicate those vendors are untrusted but there are many, many other vendors that are major risks to supply chains. The UK approach to national telecoms security has long included active testing requirements for critical vendors.

John Pescatore

A "supplier first" strategy. Should include sanctions for suppliers who ship malicious code.

William Hugh Murray

When you make a mistake, own it, then clean it up, quickly. Not only did they withdraw the research paper for lack of permission and partnership, they also took it a step further to not set a precedent on how research should be conducted. It would be interesting to have a panel discussion of both sides to help others understand the intent, impact, and how the fence can be mended.

Lee Neely

The mitigation should include adding an ethics component to the curriculum.

William Hugh Murray

Have you checked for your email in HIBP lately? All of them? So if you find them, change the password for that account, enable 2FA if supported, make sure your endpoint protection is installed, auto-updated and licensed. While you’re changing passwords, this is a good time to update the ones you’ve been meaning to, particularly ones you reused or are easily guessable. Make sure your SOC has incorporated the Emotet Yara Signatures published by DFN Cert.

Lee Neely

Nice work by the researchers at Silverfort. They found a number of similar vulnerabilities in a wide range of equipment. Please update if you are using Kerberos to authenticate. Kerberos is quite old but still not well understood and bad implementations are sadly somewhat common.

Johannes Ullrich

Ask your CISO and CIO to read the report. It includes statistics and trend information you can use to help management understand the need to be adequately prepared for ransomware. While the recommendations include actions to be performed at the government levels, partner with your peers, ISP, hosting and cloud providers to better understand their protections and develop a plan of services to leverage and actions you can take to help you improve your readiness and build lines of communication in the event of an incident.

Lee Neely

Extortion attacks are increasing, demands are higher, and mitigation more expensive, whether or not the demands are met. A systematic approach is overdue.

William Hugh Murray

Look at your system interdependencies. If you had to shut down your data center, would you also be taking your phones and email offline or do you have enough isolation to allow you to shutdown impacted segments without taking all your enterprise services offline? Verify containment options of your outsourced and cloud based services as well to understand what their failure model looks like. Did you remember to include DR/Backup services or are you still waiting to fund those? Is the system you have sufficiently isolated?

Lee Neely

Whistler has grown from a ski resort with only the most primitive guest accommodations to a city with year round residents. It is probably no more or less vulnerable than any other city of similar size. All such cities need to step up their game; the population is simply too target-rich. However, as with supply chain attacks, we need a systematic approach to extortion attacks, one that includes taking the profit out of the equation and putting in effective investigation, prosecution, and punishment.

William Hugh Murray