SANS NewsBites

DMCA Broadens Exemptions; More Adobe Patches; Google, Salesforce, Slack, and Okta Create Baseline Product Security Checklist, Malicious NPM Packages Masquerade as Roblox Libraries

October 29, 2021  |  Volume XXIII - Issue #85

Top of the News


2021-10-27

New DMCA Exemptions from Library of Congress

The US Library of Congress has published its triennial list of exemptions to Section 1201 of the Digital Millennium Copyright Act (DMCA). Section 1201 prohibits the circumvention of digital copy protections. The final rule grants visually impaired individuals permission to bypass copyright protections on digital books. The exemption is good for three years; advocates must petition again in three years. Other exemptions in the 2021 rule grant users broader permissions to fix cars, medical devices, and other digital devices.

Editor's Note

Technology moves much faster than legislation. The Library of Congress seems to have done a good job of listening to public comment and expanding legal access while still trying to maintain a line between allowing fair use while maintaining legal protection against malicious access.

John Pescatore

According to Google, the Biden Administration and half the states are considering "right to repair" legislation, motivated in part by the unintended consequences of the DMCA.

William Hugh Murray

2021-10-27

Adobe Issues Out-of-Band Updates

On Tuesday, October 26, Adobe released updates to address more than 80 vulnerabilities affecting 14 products. Of those, 66 are rated critical. Adobe normally releases security updates on the second Tuesday of each month.

Editor's Note

Adobe is still publishing security updates on the second Tuesday of the month (Microsoft's Patch Tuesday). However, for at least a year, Adobe has been releasing updates on other days as well. These updates are not necessarily more important and, in this case, can be considered "regular" updates without a need to expedite patching.

Johannes Ullrich

Fortunately, this doesn’t include Acrobat, so it’s going to impact a smaller set of users. Even so, make sure they are applying the updates from Creative Cloud. Make sure that old versions are exited so the update can be applied. Hopefully, you’ll hear from your users, as I heard from my wife, “I applied all those updates yesterday.”

Lee Neely

2021-10-28

Minimum Viable Secure Product Security Checklist

Technology companies have developed the Minimum Viable Secure Product checklist, which “is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers.” The vendor-neutral checklist allows organizations to select third-party vendors whose cybersecurity profiles match their needs.

Editor's Note

Lists of minimal levels of required security controls are often pooh-poohed as “checklists” in security, but they are a required critical starting point. Think about pilots before takeoff or NASA before a rocket launch. They always go through a structured checklist to make sure that minimum safety standards are being met – but obviously they don’t then sit back and say “my job is over.” The MVSP is a good starting point for supply chain security – it should require a really high level of approval for using any vendor that can’t meet those requirements.

John Pescatore

This provides an answer to the question of where we start assessing the security of a product. Review questions you’re using today to assess products to see if you have gaps. Schedule reviews of those baseline standards to see if you can or need to raise the bar.

Lee Neely

2021-10-27

More Malicious NPM Libraries

Researchers from Sonatype have detected malicious NPM packages that masquerade as Roblox libraries, but which actually deliver ransomware and trojans. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about malicious versions of the ua-parser.js library, just several days after Sonatype disclosed several malicious NPM packages.

Editor's Note

Typosquatting, or packages being taken over by malicious actors, is an almost daily (maybe weekly) occurrence for NPM these days. I have not yet seen a solution I like. But start by figuring out what libraries you use. Then include any modules in your security scans. Do not just scan your own code.

Johannes Ullrich

Developers are responsible for the quality and integrity of all the code in their products, whether original or reused from other sources.

William Hugh Murray
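
An added example (not Sonatype's or npm's tooling) of the first two steps Johannes describes: inventory what a package-lock.json installs, then flag installed names that sit a couple of edits away from an allowlisted name. The lockfile contents, the allowlist and the look-alike package names are all constructed for illustration.

```python
# Added example (not Sonatype's or npm's tooling): inventory the packages a
# lockfileVersion 2/3 package-lock.json installs and flag look-alike names.
import json

# Constructed sample lockfile: two intended packages plus two look-alike names.
SAMPLE_LOCK = json.dumps({"name": "shop-frontend", "lockfileVersion": 3, "packages": {
    "": {"name": "shop-frontend", "version": "1.0.0"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/ua-parser-js": {"version": "0.7.30"},
    "node_modules/ua-parserjs": {"version": "1.0.1"},  # constructed look-alike
    "node_modules/expresss": {"version": "0.0.1"},     # constructed look-alike
}})

# Hypothetical allowlist: the names this project is meant to depend on.
EXPECTED = {"express", "ua-parser-js"}


def inventory(lock_text):
    """Return {name: version} for every package the lockfile installs."""
    result = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        # Nested installs look like node_modules/a/node_modules/b: keep the last
        # name; a scoped name such as @scope/pkg survives the split intact.
        result[path.rsplit("node_modules/", 1)[1]] = meta.get("version", "?")
    return result


def levenshtein(a, b):
    """Edit distance via the usual dynamic programme, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(inv, expected=EXPECTED, max_dist=2):
    """Installed names that are not allowlisted but sit within a few edits of one."""
    hits = {}
    for name in inv:
        if name not in expected:
            near = sorted(e for e in expected if levenshtein(name, e) <= max_dist)
            if near:
                hits[name] = near
    return hits
```

Running `suspicious(inventory(SAMPLE_LOCK))` on the constructed lockfile flags `ua-parserjs` and `expresss` for review while leaving the two intended packages alone; feed the real inventory to your dependency scanner rather than scanning only first-party code.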

The Rest of the Week's News


2021-10-27

PAX Point-of-Sale Manufacturer Raided; FIS Removes PAX Terminals from its Infrastructure

The FBI raided the offices of PAX Technology, Inc., a Chinese point-of-sale (PoS) device provider. The raid is likely related to reports that PAX devices were used in cyberattacks against organizations in the US and the EU. FIS WorldPay has reportedly taken PAX PoS terminals from its infrastructure. The company said it made the decision “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”

Editor's Note

Based on news reports, it sounds like someone paid attention to network traffic from these devices. Dealing with "black boxes" connected to your network is a common challenge faced by many enterprises. A skilled and well-instrumented network monitoring team is your answer and you shouldn't live without one. PCAPs or it didn't happen.

Johannes Ullrich

Monitoring detected packet sizes which were larger than necessary for PoS transactions as well as attempted connections to websites not included in their documentation, which triggered this investigation. Anomalous behavior detection like this is critical with today’s cyber threats. PoS systems remain a prime cyber target. Protection needs to include segmentation and allow network connectivity to services they need.

Lee Neely

There are decades of examples of national intelligence agencies convincing manufacturers to build malicious capabilities into commercial products. More modern times have added the ability of those nation states to also sponsor efforts (such as what happened to SolarWinds and others) to penetrate vulnerable company networks and insert such capabilities into commercial products. The bottom line is supply chain security and certification of high impact products needs to be focused on just as we had to learn how to do risk assessments, segmentation and monitoring when business units needed to allow third parties to directly connect to our networks.

John Pescatore

Malicious activity was apparently detected because of unexpected network traffic from POS devices. Is this something you could detect in your environment? Do you have network activity baselines to compare to? Does your pentest team do egress and DLP testing?

Christopher Elgee
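
One way to answer the baseline question the notes above raise, as an added example that is not FIS's, PAX's or any vendor's monitoring code: compare device egress against the destinations the supplier documented and against a size baseline learned from known-good flows. The documented hosts, the flow records and the "three times the 95th percentile" size rule are all constructed for illustration.

```python
# Added example (not FIS's or PAX's monitoring): flag point-of-sale egress that
# departs from the vendor's documented behaviour, on constructed flow records.
from statistics import quantiles

# Hosts the (hypothetical) vendor documentation says the terminals talk to.
DOCUMENTED = {"gw.payments.example", "update.vendor.example"}

# Constructed known-good flows (src_ip, dst_host, bytes): normal transaction sizes.
BASELINE = [("10.20.0.11", "gw.payments.example", b)
            for b in (1200, 1350, 1100, 1500, 1280, 1420, 1190, 1330, 1460, 1250)]

# Constructed flows under review: a normal one, one to an undocumented host and
# an oversized transfer to the documented gateway.
OBSERVED = [
    ("10.20.0.11", "gw.payments.example", 1300),
    ("10.20.0.12", "cdn.unrelated.example", 800),
    ("10.20.0.13", "gw.payments.example", 48000),
]


def size_threshold(baseline, factor=3.0):
    """Bytes above which a flow is 'larger than necessary': factor x the 95th
    percentile of known-good sizes (inclusive method, so nothing is extrapolated)."""
    sizes = [nbytes for _, _, nbytes in baseline]
    p95 = quantiles(sizes, n=20, method="inclusive")[-1]  # last of 19 cut points
    return factor * p95


def review(flows, documented=DOCUMENTED, baseline=BASELINE):
    """Return [(flow, reason)] for flows an analyst should look at; [] if all is well."""
    limit = size_threshold(baseline)
    findings = []
    for flow in flows:
        _, dst, nbytes = flow
        if dst not in documented:
            findings.append((flow, f"undocumented destination {dst}"))
        elif nbytes > limit:
            findings.append((flow, f"{nbytes} bytes exceeds baseline limit {limit:.0f}"))
    return findings


if __name__ == "__main__":
    for flow, why in review(OBSERVED):
        print("ALERT", flow, why)
```

The baseline must be captured while the devices are behaving normally and refreshed after firmware changes, otherwise the size check learns the anomaly as the norm.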

2021-10-27

Microsoft Force Installs PC Health Check

Microsoft is force installing PC Health Check on machines running Windows 10. While users can uninstall the diagnostics tool, some have reported that it re-installs when the computer checks for new updates. The app is primarily used to check machines’ hardware for Windows 11 compatibility issues.

Editor's Note

This update applies to all editions of Windows 10, versions 2004, 20H2 and 21H1. While you’re making sure your enterprise tools, applications and support are ready for Windows 11, you can leverage the health check to verify hardware is Windows 11 capable before attempting to deploy the upgrade.

Lee Neely

2021-10-27

Another Food Supply Chain Cyberattack

Wisconsin-based Schreiber Foods was the victim of a cyberattack last week. The incident shut down the dairy company’s production and distribution networks for several days. A Schreiber spokesperson said the company has resumed production and shipping.

Editor's Note

Consider that small to medium businesses typically need four to six months to recover from a major attack, and in the case of ransomware, many never recover. Fortunately, Schreiber had an incident response plan ready to go. Having both an incident response plan and minimum cyber security posture are now acceptance criteria for most cyber insurers. Additionally, when reporting a claim, be prepared to demonstrate, to a review board, that you were following the cyber criteria agreed to in the policy.

Lee Neely

2021-10-27

Cyberattack on Fuel Distribution System Shutters Iranian Gas Stations

National Iranian Oil Products Distribution Company (NIOPDC) gas stations are not operating in the wake of a cyberattack. NIOPDC has more than 3,500 gas stations across the country. The attack is under investigation.

Editor's Note

This is a targeted attack, likely nation state sponsored, taking the gas stations offline across the country as well as changing the displays on freeway billboards. The question is, if you were under such an attack, would it take all your locations offline, or have you employed isolation and redundant systems which would allow segmented/continuing operation?

Lee Neely

2021-10-27

Vulnerability in WordPress Hashthemes Plugin Could be Exploited to Wipe Content

A vulnerability in the Hashthemes Demo Importer plugin for WordPress could be exploited to permanently wipe a website’s content. According to Wordfence, “the … plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users.” The vulnerability has been fixed; users are urged to update to Hashthemes Demo Importer version 1.1.2 or later.

Editor's Note

At one point it was reported the vulnerability could be used for site takeover. The “good” news is it can result in complete loss of site content. Not exactly what I’d define as good news. The better news is that the patched version was quietly released September 24, 2021, with Wordfence premium and free versions being provided rules on August 25 and September 24 respectively. Double check to be sure you have the updated version.

Lee Neely

WordPress plugins continue to be a source of vulnerability. They should be used only by design and intent, not to say necessity, and never by default. They must be carefully managed and policed.

William Hugh Murray

2021-10-28

Multiple Vulnerabilities in OptinMonster WordPress

WordPress users who have installed the OptinMonster plugin are urged to update to version 2.6.5 or later to patch multiple security issues that could be exploited to exfiltrate data, add JavaScript to vulnerable sites, and perform other malicious activities. The plugin is estimated to be installed on one million sites.

Editor's Note

This plugin allows for quick and easy creation of sales campaigns, and uses API endpoints for integration. Unfortunately, the majority of the REST API endpoints were not securely implemented. The fully patched version was released October 7th, so you should be all updated. Make sure your automatic plugin updates are working. Wordfence premium and free versions were provided rules on September 28 and October 28 respectively.

Lee Neely

Internet Storm Center Tech Corner

Outlook Web Access Phishing

https://isc.sans.edu/forums/diary/Hunting+for+Phishing+Sites+Masquerading+as+Outlook+Web+Access/27974/


Apple Security Updates Details Available

https://support.apple.com/en-us/HT201222


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


More Malicious NPM Libraries

https://www.theregister.com/2021/10/27/npm_roblox_ransomware/


Critical Hikvision Patch

https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/


Shrootless Vulnerability in MacOS

https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/


Jira Insight Patch

https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html


Craigslist E-Mail Hijack

https://www.inky.com/blog/urgency-mail-relay-serve-phishers-well-on-craigslist


UltimaSMS Android Malware

https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast


Firefox Proxy Malware

https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/