SANS NewsBites

Sloppy IT Migration Can Lead to Data Loss; Colonial Pipeline Advises 5000+ Customers Their Data Was Breached; Active Exploits Against Patchable PrintNightmare Vulnerabilities

August 17, 2021  |  Volume XXIII - Issue #64

Top of the News


2021-08-16

Texas Police Dept. Lost 8TB of Data During Migration

The Dallas, Texas, Police Department has disclosed that it lost 22 terabytes of data during a network drive migration earlier this year. Fourteen TB were recovered, but 8TB “are believed to be unrecoverable,” according to a statement from the Dallas County Criminal District Attorney’s office. The affected data include criminal case files created prior to July 28, 2020. The Dallas Police Department (DPD) and City of Dallas Information and Technology Services Department (ITS) notified the DA’s office on August 6.

Editor's Note

Business interruption from accidents and other self-inflicted wounds isn’t as sexy as cyber attacks but is equally likely to happen and equally disruptive in many cases. Any talk of “resiliency” needs to include critical IT operations that can put data at risk, and the processes need to be tested – just like testing the switchover to UPS power or backup internet connections periodically to make sure they work correctly.

John Pescatore

Irrespective of how you are migrating, be certain you not only have backups, but also are able to restore them fully. Some technology is harder to restore and some restore operations don’t put files back where they originated. Run annual tests to make sure you really can restore the technology mixes in your environment. Lastly, make sure migration plans include a full function test before retiring the old.

Lee Neely

2021-08-16

Colonial Pipeline Notifies 5,000+ People Their Data Were Compromised in Ransomware Attack

Colonial Pipeline has sent data breach notifications to 5,810 current and former employees, informing them that their personal information was compromised in the May ransomware attack that shut down the company’s operation for several days. The affected data include government-issued ID numbers and health-related information.

Editor's Note

Even though Colonial paid the ransom, the data was still exfiltrated. The question now becomes whether you report a data loss even after the ransom is paid and the attacker “promises” to delete your data. For sensitive data, err on the side of caution; notifying impacted parties and offering credit protection is the honorable thing to do. The compromised information, the company says, includes names, birth dates, contact information, driver’s license information, Social Security numbers, government-issued ID (such as military ID and tax ID), as well as health-related information, health insurance information included.

Lee Neely

In every large scale incident response investigation there will be tremendous pressure to provide rapid answers about the implications of a breach. Getting the analysis correct to provide informed answers takes time though, and it's positive to see Colonial Pipeline continuing their investigation so thoroughly.

Joshua Wright

2021-08-13

Ransomware Actors Exploiting PrintNightmare Vulnerabilities

Ransomware groups are exploiting PrintNightmare Windows Print Spooler vulnerabilities to infect targeted systems. The flaws can be exploited to execute arbitrary code, which lets the threat actors alter data, create new accounts, and move laterally through networks. Microsoft has released fixes for two of the vulnerabilities and a workaround for the third.

Editor's Note

Make sure that you’ve pushed out the fixes from Microsoft. Include checking for the fixes in your VPN posture check if possible. Triple-check that you’re monitoring for IOCs and that SMB is still blocked at the perimeter, including Internet-facing servers.

Lee Neely

The Rest of the Week's News


2021-08-16

Memorial Health System Cyber Incident Leads to EHR Downtime at Multiple Facilities

A healthcare system serving parts of West Virginia and Ohio was the target of a cyber incident on Sunday, August 15. Memorial Health System comprises 64 clinics, including three hospitals; all are operating under electronic health record (EHR) downtime. Urgent surgeries and other procedures have been cancelled, and emergency cases at some Memorial Health System facilities are being diverted to other hospitals.

Editor's Note

Hospitals are organizing into groups in order to enjoy efficiencies of scale, both in medicine and management. IT in general, and IT security in particular, is just one area that may benefit. However, consequences increase with scale. Cost of attack must increase with scale or risk surely will. This is an illustrative case. Note that EHR detail will be lost forever.

William Hugh Murray

2021-08-16

SEOPress WordPress Plugin Vulnerability Fixed in Version 5.0.4

The developers of the SEOPress WordPress plugin have fixed a cross-site scripting (XSS) vulnerability that could be exploited to take control of unpatched websites. SEOPress is installed on more than 100,000 sites. Users are being urged to update to SEOPress version 5.0.4.

Editor's Note

The fix was released August 4th, and firewall rules were released to the paid Wordfence version July 29th; free versions will have rules August 28th. The flaw, now fixed, was that the REST API code used to verify access relied on a nonce which could be generated by any authenticated user, not just the intended authorized user group.

Lee Neely

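As an added illustration of the flaw class described in the note above (this is not SEOPress's own code): a WordPress REST route whose permission check only verifies the `wp_rest` nonce, which every logged-in user can obtain, beside the corrected form that also checks a capability. The route, option and function names are assumed for the example.

```php
<?php
// Added example (not SEOPress code): why a nonce alone is not an
// authorization check for a WordPress REST route.
//
// A wp_rest nonce is issued to every logged-in user (e.g. via
// wp_create_nonce('wp_rest') in a localized script). It proves the
// request came from the site's own front end, not who is allowed to act.

// WEAK: any authenticated user holding a valid nonce passes this callback.
function example_weak_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// CORRECTED: keep the CSRF nonce check and add an authorization check
// tied to the privilege the endpoint actually needs.
function example_strong_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_forbidden', 'Bad nonce', array( 'status' => 403 ) );
    }
    // manage_options limits settings changes to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_settings',   // hypothetical handler
        'permission_callback' => 'example_strong_permission', // not example_weak_permission
        'args'                => array(
            'title' => array( 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_update_settings( WP_REST_Request $request ) {
    // Input is sanitized by the args schema above; still escape on output.
    update_option( 'example_seo_title', $request->get_param( 'title' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

WordPress core already validates the `wp_rest` nonce for cookie-authenticated REST requests, so the capability check in `permission_callback` is the part that actually separates authorized users from merely authenticated ones.
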
2021-08-16

Pearson Settles SEC Charges for $1M

The US Securities and Exchange Commission (SEC) said that UK-based education publishing and services company Pearson has agreed to pay a $1 million civil penalty “to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.”

Editor's Note

I think Pearson UK’s recent annual profit has been in the $4-5M range, so a $1M fine is significant, but I think the SEC can go as high as $25M in institutional stock price manipulation fines. Those lists of risk in SEC reports have become like the long lists of possible side effects for every new drug – corporate lawyers are happy, but it is pretty useless information for anyone trying to make a decision. Bigger fines to make CFOs and boards more proactive in making sure the reporting is honest would be a very good thing.

John Pescatore

2021-08-16

Realtek SDK Vulnerabilities

Multiple vulnerabilities in software development kits (SDKs) from Realtek affect nearly 200 IoT products from more than 60 vendors. The flaws could be exploited to execute code with the highest privileges. Realtek was notified about the flaws in mid-May and began making patches available several weeks later.

Editor's Note

Affected Realtek hardware (and with that, software derived from its SDK) can be found everywhere. I see the list of affected vendors as the tip of the iceberg. Watch out for firmware updates for various WiFi gear like routers and cameras. Updates to this type of equipment are often not well advertised. Try to do a "Patch Day" once a month, or at least once a quarter, where you check for updates to your home network routers.

Johannes Ullrich

My personal experience as a pen tester for IoT technology has shown that SDKs are often problematic, creating systemic vulnerabilities for the vendors that adopt the underlying architecture. Product vendors need to remember that they are responsible for the security of the product end-to-end, not just the parts they develop internally but also for the third-party libraries, utilities, and SDKs they utilize. Static source code analysis (where possible) and penetration testing efforts are valuable for vulnerability discovery prior to product launch.

Joshua Wright

There is no way that end users can protect themselves from vulnerabilities originating far down in the supply chain. We must hold suppliers accountable.

William Hugh Murray

2021-08-16

T-Mobile Acknowledges Data Breach

T-Mobile has acknowledged that company servers were breached and is investigating reports that customer data were stolen. An underground forum is reportedly offering a large cache of personal data for sale.

Editor's Note

The breached data reportedly includes Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s license information – sufficient information for either identity theft or cloning phones. T-Mobile reports they have fixed the issue which led to the compromise. If you are a customer, you need to make sure that you’ve implemented both available security controls on your account and identity protection.

Lee Neely

Maybe T-Mobile will learn that data isn't just an asset but also a liability. T-Mobile is asking for credit checks with all three major credit companies just to sign up for a wireless plan, collecting personal information to facilitate these checks. But maybe they will get away with it yet again.

Johannes Ullrich

According to Krebs, the damage borders on the catastrophic. T-Mobile is following eBay: "the less said, the better," rather than Target: transparency.

William Hugh Murray

2021-08-16

Linux GNU C Library Bug Fix Introduced Another Security Issue

A fix released in June for a bug in the Linux GNU C Library (glibc) introduced a more serious vulnerability. The original vulnerability could lead to application crashes. The fix for that vulnerability introduced a bug that could trigger a segmentation fault within the library. That issue could crash all apps using the library and is much easier to exploit than the original flaw. Users are encouraged to upgrade to glibc version 2.34 or higher.

Internet Storm Center Tech Corner

Triage of Malware Bazaar's Daily Malware Batches

https://isc.sans.edu/forums/diary/Extra+Tip+For+Triage+Of+MALWARE+Bazaars+Daily+Malware+Batches/27754/


Realtek SDK Vulnerability

https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/


STARTTLS Vulnerabilities

https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak


Raccoon Infostealer Self Infection

https://mobile.twitter.com/HRock/status/1427259563363950596


Exchange E-Discovery Scans

https://isc.sans.edu/forums/diary/Scanning+for+Microsoft+Exchange+eDiscovery/27748/


Danabot Distributed Through Malspam

https://isc.sans.edu/forums/diary/Example+of+Danabot+distributed+through+malspam/27744/


Weaponizing Middleboxes

https://geneva.cs.umd.edu/posts/usenix21-weaponizing-censors/

https://www.usenix.org/conference/usenixsecurity21/presentation/bock


Deep Blue Magic Ransomware

https://www.ehackingnews.com/2021/08/deepbluemagic-newly-discovered.html