GitHub Notifies Victims of Third Party OAuth Token Theft; Patch Cisco Wireless LAN Controller Products; Draft Legislation Proposed to Drive US Government to Address Future Quantum Crypto Risks

OAuth is a great tool to create "valet keys" that provide CI/CD tools with just the access needed to do their job. But they still need to be safeguarded. Make sure your tools are able to rotate these keys periodically. From time to time, review which tools have access to your accounts. Services supporting OAuth should make it easy to review which applications have been approved for access.

Johannes Ullrich

To further protect users, GitHub revoked the tokens associated with their and npm's use of the compromised Travis CI and Heroku Dashboard applications. The attackers believed to be mining private repositories downloaded using the pilfered OAuth tokens looking for opportunities to pivot into other systems using additional discovered credentials. With OAuth keys being an essential component of remote/cloud based services, their use is a risk you need to actively manage to prevent malfeasance. Make sure you're auditing, monitoring and appropriately expiring OAuth keys to minimize abuse.

Lee Neely

This flaw will only affect you if you are using a non-standard configuration for Radius authentication. Review Cisco's bulletin to see if you are affected. But probably best to just patch in case you modify your configuration later.

Johannes Ullrich

If you have one of these controllers, with RADIUS compatibility mode set (check your macfilter summary) to other, you're vulnerable. The best move is to apply the update; workarounds entail changing the RADIUS compatibility to Cisco or free which may have operational impacts you'll want to test first.

Lee Neely

It may not be clear how much of a threat quantum computing will present in the future. But upgrading encryption algorithms takes time, and it is important to start the process well before the threat is apparent. Encryption isn't like a good wine, it doesn't get better with age. Always implement systems with the best possible encryption algorithms you can afford at the time you create software.

Johannes Ullrich

This type of legislation was needed back in the 1990’s to get the federal government moving around Y2K preparedness. Quantum computing security issues are much more complex technically and the lack of a hard deadline makes it too easy to keep kicking the can down the road. So, good to see this bipartisan legislation initiated.

John Pescatore

The trick is phasing out old cryptography, such as 3DES or SHA1, which often requires not only updated hardware, software, and applications, but also intentionally disabling the old crypto which is left for compatibility. This is exacerbated by external collaboration where getting agreement to no longer support that compatibility is neither a technical nor a cyber security decision. Enlist the C-Suite to move the bar, track the progress and record the risk decisions.

Lee Neely

Here is another emergency update for Chrome. If I'm tracking, this is the third for 2022 that also includes a Zero-Day fix. The updates to Chrome and Chromium, which address CVE-2022-1364 and CVE-2022-1096, are already available for deployment; make sure Edge, Brave and other Chromium based browsers are also updated. This is a good time to make sure that you're actively managing updates to all Chrome and Chromium based browsers in your environment. Don't overlook mobile.

Lee Neely

While the spotlight is currently on NSO Spyware, we should take these stories as a reminder that there are groups actively looking for weaknesses in the security of mobile devices. NSO are not the only threat actors at play here; they happen to be the one that has been recently caught out. As such, we need to ensure that we have appropriate security mechanisms and controls in place, be they technical, personal, and process driven, to secure mobile devices.

Brian Honan

Catalan is a community in north-eastern Spain and its economy represents a significant portion of Spain's GDP. This seems to be the latest step in the dispute between Catalan and Spain for full autonomy. Attackers used multiple initial attack vectors including HOMAGE or Kismet which leveraged a zero-click iMessage flaw in version of iOS 13, SMS and the 2019 WhatsApp exploit to deliver Pegasus. These weaknesses were fixed in newer iOS and App updates. Even if you're not a target, some off-target infections have been noted. Make sure that you're keeping your device and apps updated. Consider using loaner/burner devices when traveling to foreign countries of higher risk.

Lee Neely

On Thursday, the CISA also added the VMware exploit (CVE-2022-22954) is being used to deploy cryptominer payloads, which is good to know if you're a VMware shop. While this may feel like painting a bridge, if you filter out the products you don't have, and products you've already patched, this should give you a manageable list of things to make sure you've not overlooked.

Lee Neely

Ukraine has been inundated with various attacks against critical infrastructure, government and businesses. Many of the tools deployed so far are "wipers" created to just destroy data. But other malware, like credential stealers, has been seen as well with very targeted lures. A possible expansion of the Russian war effort to include countries supplying Ukraine may very well mean that these attacks will be attempted against a larger list of targets.

Johannes Ullrich

Imagine a burglar jiggling all the locks in the neighborhood looking for a way in. Then using a possibly unrelated entrance point to pivot to a higher value target using partnership or other trust relationships. Extend your definition of third-party risk to include the environments where you have remote workers as well as business partnerships, including cloud. Ask what added resources could access your network after you conceded to allow access to local resources on the far end such as printers and file servers, then look to means to minimize those risks.

Lee Neely

This attack relies on an infected MS Excel document which requests you to enable macros and then leads to the deployment of IcedID, aka BokBot. Being mindful of macros, particularly from external or unknown senders remains prudent. Disable macros unless you absolutely know that the document is not only legitimate, but also they are needed. Question macros that are there “because we always did it that way” or don't make sense, even from trusted sources.

Lee Neely

Crypto is still not insured, nor regulated for safety and soundness. That means increased reliance on the user, and when working with an exchange it also means you really need to read the EULA and other terms. In this case the target is those organizations you would be reliant on to properly manage the transactions, so you need a clear understanding of what happens if that is successful. As a developer, of any sort, one needs to always be careful of new and improved libraries bearing extra features, particularly when accompanied by alluring messages which lead you to think their deployment is urgently required. Make sure your staff is fully trained on detecting and thwarting social engineering attempts, as they can be compelling. If you have any doubt, visit a social engineering village at a conference and prepare to be amazed.

Lee Neely