Check How Quickly You Would Notice Network Routing Problems; Google Extends Deadline for Stronger Cookie Privacy Controls; More Data Points of Benefits of Moving Away From Reusable Passwords

Never ascribe to malice what can be explained by a simple typo. Rostelecom owns 37.70.96.0/19 and rerouted 17.70.96.0/19 which is owned by Apple. Note the simple swapped digit in the beginning? Still, it would be nice if Apple would be able to roll out Route Origin Authorization, a feature that has made a real difference in some of these BGP route hijacks from causing more damage. And most of these “hijacks” are simple configuration mistakes. Change control is for people who can't do incident response.

Johannes Ullrich

When you look at which groups have responsibility for availability and integrity of critical services, IT ops and Network ops really carry the bulk of the responsibility and authority, not security. But many of the tools and services that security uses will detect misconfigurations before IT/Network ops does. Integrated SOC/NOCs bring many benefits, next best thing is common or at least integrated tools being used across the groups.

John Pescatore

Regardless of whether this rerouting was accidental or deliberate this incident is another prime example of the importance of end-to-end encryption for all communications.

Brian Honan

While there is no official statement from them, Apple did take action by advertising more specific routes to services during the time their traffic was being routed to Russia, which is about the only recourse you have when this happens. It's unlikely we will learn if this was deliberate, accidental, or a trial balloon for future activities. Make sure that you and your network team have a plan for this scenario.

Lee Neely

Latest Facebook financial numbers seem to indicate that the lack of the ability to track users has material impact on the ad industrial complex. Google tried to replace cookies with FLoC (Federated Learning of Cohorts) but failed. Now they are trying “Topics” as a new tracking standard to balance privacy with Google's need to accurately target and track the impact of ads it sells. We will see if that works, or if third-party cookies will stick around for a few more years.

Johannes Ullrich

The good news is even the Facebooks of the world and most US politicians are largely past the “privacy-denial” stage. The underlying revenue model for the Internet has to change from tricking people into exposing their personal information and then selling it. When cable TV needed more revenue that it could get from subscription services, cable TV introduced ads. The internet started with ads, and quickly moved to the selling personal info model to advertisers. However, many valuable services have found they can add subscription services for revenue and promise higher privacy as a large part of the consumer allure. It is very cool these days to see more software architects listing privacy as a key product requirement, and getting security involved vs. the other way around.

John Pescatore

Recall Google first tried their FLoC solution which went over like a lead balloon, then in January of 2022, they rolled out the Topics API, and now we have the Privacy Sandbox, which will be available in Chrome 104 Stable at the beginning of August. This gives you a little over a year to test and provide feedback.

Lee Neely

In 2019, Microsoft published a study of 200M logins that show even simple text message-based MFA prevented 99.9% of phishing attacks from succeeding. So, we really don’t need more evidence, but always good to highlight successes. But, just as “airplane successfully lands at airport, no drinks are even spilled” headlines wouldn’t get many clicks, the press has learned that any successful attack does. Always good in our field to highlight successes whenever possible.

John Pescatore

Is MFA perfect? No. Can it be bypassed. Yes. However, time and time again MFA has proven to be one of the single most effective controls people can enable to protect their digital lives and data. As a security awareness professional, if I could teach people only one single behavior to protect themselves, enabling MFA would most likely be it.

Lance Spitzner

While this anecdote highlights the importance of MFA in protecting against attacks, it also reflects the high number of targets available to criminals that they can readily drop one potential victim and move on to the next one with weaker security controls. It is analogous to the joke about not needing to outrun the bear but just needing to outrun the other potential victim. It's important that we continue to encourage organisations to adopt MFA where they can and that vendors, particularly cloud service providers, adopt MFA as a default setting.

Brian Honan

As the Palo Alto Unit 42 report shows, the number one thing to thwart attacks is MFA. Even if you have some form of MFA, make sure that you've chosen wisely, particularly if you have SMS or Phone based MFA, which is an awesome step in the right direction, you need to move to phishing resistant forms of MFA.

Lee Neely

The US Government’s 2023 fiscal year starts on October 1 and here’s my wish for their New Year’s resolution: *All* government agency reviews of IT systems for any reason should include cybersecurity requirements in those reviews. All entities accepting federal funds related to anything that runs software (firmware has software, too) should be subject to those requirements.

John Pescatore

There is nothing like an external review to shine a light on anything swept under the rug. While these systems should already be secure, publishing a mandate and specific required standards to follow will empower staff seeking management support to better secure their operations. This also means when competing for this business, companies will have to factor in the cost of meeting these requirements commensurate with the criticality and sensitivity of the data and service provided. Such requirements, including review expectations, should be SOP on any contract. Make sure that you're regularly monitoring your contracted/outsourced services are as expected.

Lee Neely

The Chinese are very patient, remember they think about actions taking fifty or more years, while we in the US tend to think in four-year cycles, as in election cycles. They target acquisition of intellectual property. Consider not only background checks on employees, but also repeating those periodically to make sure employees have not be co-opted.

Lee Neely

Nice attention grabbing headline. And there is some truth to it. But the real answer as so often is: It depends. We had exploits being used against vulnerabilities within minutes of the vulnerability becoming known as far back as the "Witty Worm" (still one of my all time favorites). But the real challenge nobody has a good answer for: How am I able to predict which vulnerabilities will be exploited quickly vs. which once will never be exploited? Gazillions of sysadmin tears will be saved if someone can come up with an absolute accurate way to tell which vulnerabilities are “patch now” vs. “don't bother.”

Johannes Ullrich

The top three contributors to attacker success are lack of MFA, EDR, and lack of patch management. While you've focused on endpoint and OS patching roll-out, don't overlook the application layer on endpoints and servers. Ask when you can expect to MFA all externally facing services, then internal services - and don't forget MFA on the desktop.

Lee Neely

Spain has a network of 800 gamma radiation sensors designed to detect and alert on excessive radiation from one of their seven nuclear reactors. The attackers took down 300 of these sensors using illegitimate access to the DGPGE network. While the specifics on he attack vectors are unclear, you can mitigate some risks by making sure that you expeditiously disable/delete accounts for non-active employees, to include monitoring for re-activation or recreation. Also make sure any external entry points are not only implemented using current security guidance, but also require MFA. Don't forget about physical access scenarios.

Lee Neely

Nomoreransom.org is a solid effort, but the Vice piece states $1.5B was saved across 1.5M people overall. I couldn’t find any backup for the math – that works out to $1,000 per victim, which seems odd. Could be skewed by a few big ones but need to know how much of the $1.5B was in previously ridiculously inflated “crypto currencies.” Still, a good effort to point your users to for education about how to avoid attacks at home and how best to deal with ransom demands if they do get hit.

John Pescatore

This project is a great example of how effective public/private partnerships can be in the fight against cybercrime. The No More Ransom project is a resource all in cybersecurity should be aware of, I know we have successfully used it over the past years to successfully recover several victims of ransomware attacks. The site is available at www.nomoreransom.org.

Brian Honan

To date, the group offers 136 free decryption tools for 165 ransomware variants including MAZE, REvil and GandCrab. Having a similar service supported by law enforcement worldwide would aid reporting and reduce likelihood of payment.

Lee Neely

The silver lining is this time end-users were not impacted, even though being blocked from performing admin actions is bloody annoying. Microsoft's preliminary response was, again, certain servers were performing blow acceptable thresholds and they are working to optimize performance. When monitoring your service delivery components, make sure that you are equipped to communicate and respond commensurate with both your SLA and user expectations.

Lee Neely

Service providers are high leverage targets for attacks. Use press coverage like this to show management that security should be involved in any procurement of 3rd party services, which includes cloud services.

John Pescatore

Many of us may have a simulation exercise to determine how our organization will respond to a ransomware attack, but have you considered what your playbook should be should one of your critical suppliers or cloud service providers become a victim?

Brian Honan

If you're using a MSP, make sure that you've had a frank conversation about what a compromise would entail. Would that expose your data or other customers' data as well. Make sure that you have the relationship and communication paths needed to not only handle incident communication but also verify that their security remains as promised.

Lee Neely