SANS NewsBites

More Information About Uber and LastPass Breaches; EU Cyber Resilience Act

September 20, 2022  |  Volume XXIV - Issue #73

Top of the News


2022-09-19

Uber Breach

Uber suffered a cybersecurity breach on Thursday, September 15. The company has acknowledged that an attacker was able to access internal systems, including Uber’s G Suite account and its HackerOne bug bounty dashboard.

Editor's Note

A lot has already been written about this incident. But let’s remember that most initial information later turns out to be wrong or incomplete. Do not make decisions about your security options based on a single, not yet completely understood, incident.

Johannes Ullrich

While the Uber contractor’s account was protected by 2FA, the repeated login authorization prompts ultimately succeeded in an approval from the contractor. As tempting as it is to approve to “make it stop”, it’s important to educate users to contact the security team when receiving unexpected or frequent access approval messages to ensure they are legitimate or that malfeasance is tracked. Note that Uber has taken several steps including not only re-authenticating their employee access to related tools, but also implementing stronger MFA authentication to mitigate the risks of recurrence. Uber reviewed their VDP dashboard and, at the time of the attack, no unmitigated vulnerabilities were listed. No sensitive data appears to have been accessed. Note that Uber encrypts sensitive data such as credit cards and personal health data.

Lee Neely

A primary driver of this breach was stolen credentials, to include tricking an employee into approving an MFA request. While MFA can dramatically reduce the risk of password attacks, the problem is we have made MFA both confusing (there are multiple different implementations) and requiring different types / levels of human interaction. This is why I’m so excited about Apple’s new FIDO Passkey deployment in the latest iOS / MacOS: it takes the entire authentication process away from people and simplifies it through biometrics.

Lance Spitzner
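The push-fatigue pattern described in the Uber editor's note above (repeated approval prompts until the user approves one) is visible in identity-provider logs. The following is an added example, not code from this newsletter or from Uber: it scans constructed sample MFA push log lines in a hypothetical key=value format, flags a user who receives a burst of unapproved prompts inside a short window, and raises a higher-severity alert when an approval arrives while such a burst is still in the window. The log format, user names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log in a hypothetical key=value format
# (not the output of any real identity provider).
SAMPLE_LOG = """\
2022-09-15T22:00:01Z user=alice event=mfa_push result=approved
2022-09-15T22:01:10Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:01:40Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:02:05Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:02:50Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:03:30Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:04:12Z user=contractor01 event=mfa_push result=approved
2022-09-15T22:05:00Z user=bob event=mfa_push result=denied
2022-09-15T22:30:00Z user=bob event=mfa_push result=approved
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into (datetime, dict of fields)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields


def detect_push_fatigue(log_text, window=timedelta(minutes=10), burst_threshold=4):
    """Return a list of (user, alert_kind, timestamp) tuples.

    push_burst:           burst_threshold or more unapproved pushes for one
                          user inside the sliding window (alerted once per burst)
    approval_after_burst: an approval that arrives while such a burst is still
                          inside the window (the "make it stop" click)
    """
    unapproved = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    burst_open = set()               # users already alerted for the current burst
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("event") != "mfa_push":
            continue
        user, result = f["user"], f["result"]
        q = unapproved[user]

        # Drop prompts that have aged out of the window; if the burst has
        # subsided, allow a later burst to alert again.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < burst_threshold:
            burst_open.discard(user)

        if result == "approved":
            if len(q) >= burst_threshold:
                alerts.append((user, "approval_after_burst", ts))
            # An approval ends the episode either way; start counting afresh.
            q.clear()
            burst_open.discard(user)
        else:
            q.append(ts)
            if len(q) >= burst_threshold and user not in burst_open:
                alerts.append((user, "push_burst", ts))
                burst_open.add(user)

    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample data this yields a push_burst alert for contractor01 at the fourth unapproved prompt and an approval_after_burst alert at the approval that follows; bob's single denial a long while before a clean approval raises nothing. The second alert kind is the one worth routing to the security team for the follow-up the note recommends, since it is the point at which an attacker would have obtained a session.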

2022-09-19

LastPass Breach Update


In a blog post, LastPass CEO Karim Toubba writes that the intruders were active in LastPass systems for four days in August. The intruder had access to the Development environment via a compromised developer endpoint and stole source code and proprietary technical information.

Editor's Note

Kudos to LastPass for their transparency around this breach. Many of the headlines surrounding the initial breach talked about customers’ password vaults being at risk, which is not the case. While it is not comfortable for LastPass to have their development environment exposed, this case is a valuable lesson in ensuring you have the facts in place before deciding on how to respond to a news story.

Brian Honan

Kudos to LastPass for transparency, including discussion of how they are preventing recurrence. While they have determined no malicious code was introduced into the development environment, the harder part will be determining what of their code was exfiltrated and how to ensure that code cannot be leveraged to circumvent the security of their products. As such, make sure that you're watching for and deploying any LastPass updates proactively.

Lee Neely

2022-09-16

EU Cyber Resilience Act

The European Commission has proposed new legislation that would aim to enhance the security of most network-connected devices. The Cyber Resilience Act would require manufacturers to handle vulnerabilities “effectively” for five years or the lifetime of the product, whichever is shorter. Vulnerabilities in the devices would need to be reported to ENISA within 24 hours of detection. The legislation now goes before the European Parliament and the Council.

Editor's Note

We are all familiar with the mantra “We take the security of our customers’ data seriously” that many organisations trot out as a result of a breach. However, many won’t take security seriously until they are required to do so by regulations. We witnessed that with the introduction of the EU General Data Protection Regulation (GDPR) and to some extent with PCI DSS. The EU is introducing a raft of regulations around cybersecurity, such as the Cyber Resilience Act, which hopefully will make organisations take ownership of their responsibilities with regard to cybersecurity and not leave it a pure technical issue for the IT team to worry about.

Brian Honan

Note the scope: this covers most network-connected devices while excluding medical devices for human use as well as “free and open-source software developed or supported outside the course of a commercial activity.” Electronic Health Records and “high-risk AI systems” are in scope. Manufacturers will have 24 months to come into compliance. The good news is that there will be clearly defined support expectations, which will facilitate lifecycle planning; the bad news is that consumers may not factor replacement into items such as appliances, cars and toys, let alone their home computer. Consumers will easily be taught to seek the CE marking for secure devices; understanding that it includes expiration will be a far greater challenge.

Lee Neely

The Rest of the Week's News


2022-09-15

White House Executive Order Adds Five National Security Factors to Committee on Foreign Investment in the United States List of Considerations

US President Joe Biden has signed an executive order that incorporates five additional national security factors that the Committee on Foreign Investment in the United States (CFIUS) must consider when reviewing certain investments. The five new factors include potential effects on critical supply chains; potential threats to US technological leadership in areas related to national security; investment trends that could pose a threat to national security; cybersecurity risks; and risks to US persons’ sensitive data.

Editor's Note

This emphasizes best practices the CFIUS was already performing, augmenting practices already set out in the CFIUS statute. While framed as illustrative, it’d be best to incorporate them as an SOP as having a written standard reduces the likelihood of future committee members not being aware of what is required. This is the first formal instruction on risks to consider since the committee was established in 1975. Standards or best practices should be reviewed regularly to ensure they keep pace with the emerging threat landscape. Even so, care must be taken not to neglect prior threats which, while not active or current techniques, are still viable.

Lee Neely

This is an interesting development as it highlights that in order for us to make a more secure world we cannot rely solely on technical solutions. Yes, technical solutions are important, but so too are legislation and regulations, such as this and the EU Cyber Resilience Act (as outlined in this issue of NewsBites), in order to motivate significant change in those that produce cybersecurity solutions and those that purchase them.

Brian Honan

2022-09-19

INTERPOL Americas Working Group on Cybercrime Meeting

The 7th INTERPOL Americas Working Group on Cybercrime met last week in Buenos Aires, Argentina to examine threats and cyber trends in the region. The meeting was attended by representatives from 32 countries, several international organizations, and more than a dozen public and private entities. The group’s Global Cybercrime Strategy 2022-2025 will be published later this year.

Editor's Note

A big win here is that operational data relating to live cases was shared between countries. Working to achieve regional collaboration, across borders, will make the response easier. Additionally, INTERPOL is providing training courses on policing capabilities, digital forensics, OSINT, cryptocurrencies, and using the dark web to aid investigation. Empowering smaller nations with these tools will help reduce the success of future attacks such as occurred in Costa Rica in April of this year. One hopes to see similar events around the globe.

Lee Neely

2022-09-15

US Depts. of Justice and Defense Urge FCC to Manage BGP Security Fixes

The US Departments of Justice (DoJ) and Defense (DoD) have added their voices to the Cybersecurity and Infrastructure Security Agency (CISA)’s call for the Federal Communications Commission to take a more active role in securing the Border Gateway Protocol (BGP). More specifically, they want the FCC to compel ISPs “to implement technical security standards to lock down internet traffic routing as well as require ‘increased transparency’ into real-world traffic flows.” Earlier this year, the FCC asked for public comment on steps it should take to improve BGP security.

Editor's Note

BGP is based on mutual trust and doesn’t inherently have a security model to block disruptive changes, deliberate or mistaken. Add-ons to BGP are being implemented voluntarily, and implementations of Resource Public Key Infrastructure (RPKI) are already making headway as a firewall to stop spreading BGP incidents. Also in use is BGPsec, but its success depends on a critical mass of global service provider adoption, and approaches such as Mutually Agreed Norms for Routing Security (MANRS) are more likely than BGPsec to get traction. What is needed is both an overall awareness of the need to secure internet routing and a framework of standard security controls that solutions can be measured against, as well as effective solutions which aren't cost prohibitive.

Lee Neely
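Route Origin Validation is the mechanism by which RPKI acts as the “firewall” the note above describes: a router compares each received announcement against the published Route Origin Authorizations (ROAs) and marks it valid, invalid or not-found (RFC 6811), then applies a policy to that state. The following is an added example, not code from this newsletter or from any router vendor: it implements that classification over a constructed ROA set (documentation prefixes and private-use ASNs, not data from any RPKI repository) and shows the common deployment policy of dropping invalid routes while still accepting not-found ones. The helper names and the sample announcements are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it down to max_length."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROA set using documentation prefixes and private-use ASNs
# (hypothetical; not data from any RPKI repository).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]


def covering_roas(route_prefix, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_route(route_prefix, origin_as, roas=SAMPLE_ROAS):
    """RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    covering = covering_roas(route_prefix, roas)
    if not covering:
        return "not-found"      # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"      # one matching ROA is sufficient
    return "invalid"            # covered, but wrong origin or more specific than allowed


def apply_rov_policy(announcements, roas=SAMPLE_ROAS):
    """Typical deployment policy: drop 'invalid', accept 'valid' and 'not-found'.
    Returns (accepted, dropped) as lists of (prefix, origin_as, state)."""
    accepted, dropped = [], []
    for prefix, origin_as in announcements:
        state = validate_route(prefix, origin_as, roas)
        (dropped if state == "invalid" else accepted).append((prefix, origin_as, state))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a mis-originated one,
    # an over-specific one, and one with no covering ROA.
    announcements = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64500),
        ("198.51.100.0/25", 64497),
        ("203.0.113.0/24", 64499),
    ]
    accepted, dropped = apply_rov_policy(announcements)
    print("accepted:", accepted)
    print("dropped:", dropped)
```

The not-found state is why RPKI only becomes an effective filter once a critical mass of prefix holders publish ROAs: an unsigned prefix can be mis-originated without ever producing an invalid state, so deployment still needs the awareness and measurable-controls framework the note calls for. Dropping only invalid routes is the usual first step precisely because it cannot break reachability for networks that have not yet signed.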

2022-09-16

CISA Warns of Improper Authentication Vulnerability in Water Tank Management System

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System (ICS) Advisory, warning of an improper authentication vulnerability in all versions of the Kingspan TMS300 CS water tank management system. The remotely exploitable flaw “does not properly restrict access to endpoints,” and could allow an attacker to view and modify application settings. Kingspan has not responded to CISA inquiries.

Editor's Note

This is not the sort of overflow attack you’re thinking of. Improper authentication is a recurring theme these days; many providers are working to remedy it once discovered. Hopefully the efforts aren’t swamping their teams. Irrespective of the vulnerability remaining unmitigated, it’s still a good idea to make sure that you’re properly isolating these systems. Only allow connections from authorized devices and users; don’t expose them directly to the Internet; require a VPN and possibly a bastion host before allowing a remote connection. Implement MFA at entry points to the system. Monitor connections for unexpected behavior.

Lee Neely

2022-09-16

Akamai Reports 704.8 Mpps DDoS Attack in Eastern Europe

Akamai researchers say they detected and mitigated a record-setting distributed denial-of-service (DDoS) attack against an unnamed customer in Eastern Europe. The attack peaked at 704.8 million packets-per-second (Mpps). Akamai says that this attack was the work of the same group of cybercriminals that launched a 659.6 Mpps attack in July against the same customer.

Editor's Note

The Akamai team recommends consulting CISA Security Tip ST04-015 (https://www.cisa.gov/tips/st04-015) for mitigating the risks of a DDoS attack. Make sure you are not only identifying critical networks and services but also having protections in place prior to an attack starting. Use reports of an attack like this to drive an exercise to see if you're prepared. Make sure the changing nature of the attack will not undermine your current response capabilities, to include staff.

Lee Neely

2022-09-16

Police Investigating Ransomware Attack Against Bell Canada Subsidiary

Authorities in Canada are investigating a ransomware attack that hit the network of Bell Technical Solutions, a Bell Canada subsidiary. The attack resulted in data theft. The affected servers contained “operational company and employee information.”

Editor's Note

The Hive Ransomware gang is taking credit for the attack. Bell Technical Solutions installs Bell services such as telephones, WiFi and cable for customers in Ontario and Quebec. Data accessed appears to also contain booked appointment information (name, address, phone number). Bell Technical Solutions will be notifying affected customers. If you're a Bell Technical Solutions customer, be wary of unsolicited communications attempting to get more information from you based on what was in the appointment system.

Lee Neely

Internet Storm Center Tech Corner

Preventing ISO Malware

https://isc.sans.edu/diary/Preventing+ISO+Malware+/29062


Word Maldoc With CustomXML and Renamed VBAProject.bin

https://isc.sans.edu/diary/Word+Maldoc+With+CustomXML+and+Renamed+VBAProject.bin/29056


State of Emotet

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022


2FA on Lock Screens

https://www.bbc.com/news/uk-england-london-62809151


Undermining Microsoft Teams Security by Mining Tokens

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens


Chrome and Edge Enhances Spellcheck Features Expose PII, Even Your Password

https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords


Reconstructing Content Reflected in Glasses

https://arxiv.org/abs/2205.03971