SANS NewsBites

Check for 14-Year-Old Python Flaw in Your Libraries; Microsoft Enables More Security-On-By-Default Settings; Cyber Insurance Companies Trying to Verify Self-Assessment Responses, History Says Policyholders Will Bear the Cost

September 23, 2022  |  Volume XXIV - Issue #74

Top of the News


2022-09-22

15-Year-Old Python Flaw Remains Unpatched

Analysts from Trellix found a 15-year-old vulnerability in Python while plumbing “an enterprise product for zero-day vulnerabilities.” The path traversal vulnerability affects the tarfile module and can be exploited to overwrite files. The issue is estimated to affect more than 350,000 open-source repositories. The vulnerability was first disclosed in 2007 and is identified as CVE-2007-4559, but it was never patched. Python did include a warning in the documentation.
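The overwrite described above happens because tarfile joins each member's name onto the destination directory without checking where the result lands. The following is an added example, not code from the Python project and not Trellix's Creosote scanner, that performs that check itself: it audits every member's name and link target against the destination before anything is written, and refuses the whole archive if one member fails. The two in-memory archives are constructed here for the demonstration, and `/tmp/extract` is only a stand-in destination used by the audit function.

```python
import io
import os
import tarfile
import tempfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would write outside the destination."""


def _inside(directory: str, target: str) -> bool:
    """True if `target`, after normalisation, lies within `directory`."""
    directory = os.path.abspath(directory)
    target = os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory


def check_member(member: tarfile.TarInfo, dest: str) -> None:
    """Reject a member whose name or link target escapes `dest`.

    This is the path-traversal check tarfile.extractall() historically did
    not perform: '../' components and absolute names both fail it.
    """
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        raise UnsafeTarMember(f"{member.name!r} escapes {dest!r}")
    if member.issym() or member.islnk():
        # A symlink target resolves relative to the link's own directory;
        # a hard link target resolves relative to the archive root. A link
        # pointing outside dest would let a later member write through it.
        base = os.path.dirname(target) if member.issym() else dest
        if not _inside(dest, os.path.join(base, member.linkname)):
            raise UnsafeTarMember(
                f"{member.name!r} links to {member.linkname!r} outside {dest!r}")


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Audit without extracting: names of members that fail check_member."""
    bad = []
    for m in tar.getmembers():
        try:
            check_member(m, dest)
        except UnsafeTarMember:
            bad.append(m.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract only after every member passes; returns the names extracted."""
    members = tar.getmembers()
    for m in members:
        check_member(m, dest)  # raises before a single byte is written
    # Newer tarfile releases accept filter="data", which applies similar checks
    # itself; pass it when the running interpreter supports it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def build_archive(entries) -> bytes:
    """Constructed sample archive; entries are (name, data, symlink_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, linkname in entries:
            ti = tarfile.TarInfo(name)
            if linkname is not None:
                ti.type = tarfile.SYMTYPE
                ti.linkname = linkname
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Constructed inputs: a benign package and one carrying a traversal name
# plus a symlink that points above the destination.
BENIGN = build_archive([("pkg/README", b"hello\n", None)])
MALICIOUS = build_archive([
    ("pkg/README", b"hello\n", None),
    ("../../outside.txt", b"owned\n", None),
    ("pkg/link", None, "../../../etc"),
])


def audit(archive: bytes) -> list:
    """Names of members in `archive` that would escape the stand-in destination."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        return unsafe_members(tf, "/tmp/extract")


def demo() -> bool:
    """Benign archive extracts into a temp dir; the malicious one is refused."""
    with tempfile.TemporaryDirectory() as d:
        with tarfile.open(fileobj=io.BytesIO(BENIGN), mode="r") as tf:
            safe_extractall(tf, d)
        extracted = os.path.exists(os.path.join(d, "pkg", "README"))
        with tarfile.open(fileobj=io.BytesIO(MALICIOUS), mode="r") as tf:
            try:
                safe_extractall(tf, d)
                refused = False
            except UnsafeTarMember:
                refused = True
    return extracted and refused


if __name__ == "__main__":
    print("unsafe in benign:   ", audit(BENIGN))
    print("unsafe in malicious:", audit(MALICIOUS))
    print("demo ok:", demo())
```

The audit function is the piece worth running over a dependency tree: it reports the offending member names without extracting, so it can be used to triage archives a build pipeline consumes. Python 3.12 added a `filter` argument to `extract()` and `extractall()` (also backported to later 3.8 to 3.11 maintenance releases); where it is present the block passes `filter="data"` as a second line of defence, but the explicit check above is what makes the behaviour the same on every interpreter.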

Editor's Note

The vulnerability is very typical for software that blindly unpacks compressed directory structures. In some ways, the "fix" done by the package maintainers to warn developers not to unpack untrusted files, is appropriate, but I am sure there are many developers who will overlook this note. Hard to tell if the number of affected projects is realistic as it appears to be more of an eyeball estimate.

Johannes Ullrich

The developer of the tar module put a note in the documentation advising what not to do, which means the code can still be abused. Trellix has built a free tool, Creosote, which scans for this vulnerability. Additionally, Trellix is publishing fixes to projects, forking them and issuing a pull request. If your project is provided fixed code, examine it carefully to ensure it still meets your expectations.

Lee Neely

If a vulnerability exists in the forest but no one wanders by, is the forest really vulnerable? A resounding “Yes!” An attacker will surely wander by sooner or later – luckily, in this case a security researcher was the first wandering explorer. This points out the need for community investment in exhaustive testing of public libraries and the open source software supply chain – at least to the level of detecting unpatched CVEs.

John Pescatore

The promise of Open Source that “many eyes” would improve code quality has proved to be ephemeral. That is not likely to change until we hold developers accountable for the quality of all the code in their products, regardless of its source. Given our tolerance for poor quality in general, one is not hopeful.

William Hugh Murray

2022-09-22

SMB Server Authentication Rate Limiter Will Be On by Default in Windows Insider

The newest Windows 11 Insider and Windows Server Insider builds now ship with the SMB authentication rate limiter on by default. The feature helps protect systems from brute force attacks by significantly increasing the amount of time such attacks take: “The SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication.”

Editor's Note

If you think back, protests against making a higher level of security the default almost invariably overhyped the potential disruption to real business operations and the protests quickly dissipated. Now is a great time for all software vendors to raise the bar and make real gains in security and privacy that will NOT impact productivity.

John Pescatore

Note this is Windows 11, starting with Insider Build 25206 and Windows Server Insider builds. This is off by default on the Server builds and needs to be enabled with the following PowerShell: “Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n”. The interval must be in increments of 100, between 0 and 10,000. Also, make sure the local firewall limits SMB access appropriately.

Lee Neely

Peter Capek, who introduced me to the idea of rate limiting some forty years ago, recommended increasing the time between failed attempts exponentially, until reset by a successful attempt. This would resist most attacks without a noticeable impact on legitimate users.

William Hugh Murray
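As an added example that is not part of the newsletter and not Microsoft's implementation, the following Python models the two policies discussed in this item: the fixed per-failure delay that the Windows setting configures (2,000 ms, within the 0 to 10,000 ms range the note gives) and the exponential, reset-on-success scheme from the last editor note. The attempt sequences are constructed inputs, the 100 ms starting delay and 10,000 ms cap for the exponential policy are assumptions, and the results are the minimum time a client is held across a sequence of attempts, not a measurement of any real server.

```python
from dataclasses import dataclass


@dataclass
class FixedDelayLimiter:
    """The SMB server policy from the item: a constant pause after each failure."""
    delay_ms: int = 2000  # the default quoted above; configurable 0-10,000 in steps of 100

    def penalty(self, succeeded: bool) -> int:
        """Milliseconds the client is held after this attempt."""
        return 0 if succeeded else self.delay_ms


@dataclass
class ExponentialLimiter:
    """The policy from the editor note: delay doubles per failure, resets on success.

    The cap is an assumption that mirrors the ceiling of the Windows setting; it
    keeps a long guessing session from growing the delay without bound.
    """
    base_ms: int = 100
    cap_ms: int = 10_000
    failures: int = 0  # consecutive failures seen so far

    def penalty(self, succeeded: bool) -> int:
        """Milliseconds the client is held after this attempt."""
        if succeeded:
            self.failures = 0
            return 0
        delay = min(self.base_ms * 2 ** self.failures, self.cap_ms)
        self.failures += 1
        return delay


def total_delay_ms(limiter, outcomes) -> int:
    """Sum of the pauses a client sits through for a sequence of attempt outcomes."""
    return sum(limiter.penalty(ok) for ok in outcomes)


# Constructed attempt sequences: a guessing client that fails 100 times in a row,
# and a legitimate user who mistypes twice and then authenticates.
GUESSING = [False] * 100
LEGITIMATE = [False, False, True]


def scenario_costs() -> dict:
    """Held time in milliseconds for each policy under each sequence."""
    return {
        "fixed/guessing": total_delay_ms(FixedDelayLimiter(), GUESSING),
        "fixed/legitimate": total_delay_ms(FixedDelayLimiter(), LEGITIMATE),
        "exponential/guessing": total_delay_ms(ExponentialLimiter(), GUESSING),
        "exponential/legitimate": total_delay_ms(ExponentialLimiter(), LEGITIMATE),
    }


if __name__ == "__main__":
    for name, ms in scenario_costs().items():
        print(f"{name:24s} {ms / 1000:8.1f} s")
```

The numbers make the editor note's point concrete: with these parameters the exponential policy holds the guessing client almost five times as long as the fixed 2-second policy while holding the legitimate user for well under a second. In a real server the failure counter has to be kept per source address or per account; this model uses a single counter per limiter instance, which is the simplest form of that state.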

2022-09-20

Tamper Protection Will be On by Default for all Microsoft Defender for Endpoint Users

Microsoft says it plans to turn tamper protection on by default in all instances of Defender for Endpoint. Customers who have not already turned on tamper protection will receive a notice that it will be automatically enabled 30 days from the date of the message.

Editor's Note

It has been enabled for all new accounts for a while now. So this just brings “legacy” accounts up to the more current configuration. But I like how Microsoft keeps improving the default configuration.

Johannes Ullrich

If you’ve explicitly disabled tamper protection in your portal, it will not be altered. This will not only detect tampering with systems but also attempts to disable threat protection measures. If you’re using Defender, make sure this is enabled.

Lee Neely

Historically, and with few exceptions, vendors have resisted secure defaults. It is good to see Microsoft taking the lead. On the other hand, changing the default late is analogous to “locking the barn after...”

William Hugh Murray

2022-09-21

Insurance Companies Could Seek Third-Party Verification of Customers Self-Attestations

Travelers Property Casualty Company of America took a customer to court after learning that the company, International Control Services, Inc. (ICS), provided false information on its policy application. Specifically, ICS claimed to have implemented multi-factor authentication (MFA), but when they filed a claim following a ransomware attack, forensic investigators found that ICS had not implemented MFA. The contract was voided. Insurers are likely to insist on third-party verification for applicants’ self-attestations.

Editor's Note

Some insurance policies already require third-party assessment or at least spot checking of self-attestations. But the cost of doing so often is close to equal to the prices of some small contracts. This issue is similar to “low or no-doc” loans that crashed the economy around 2008 and is what has derailed cybersecurity industry growth projections for the last 15 years. Good piece to show CXOs, especially the line that captures it all: “…organizations should not expect a payout for poor cybersecurity policies and practices…”

John Pescatore

This makes a lot of sense and is in line with other insurance products that often require some form of inspection before a policy is issued, or may void a policy if after an incident undisclosed deficiencies are found.

Johannes Ullrich

Regardless of context, if you’re self-attesting, be brutally honest and have supporting documentation to support your conclusion. While you could still be challenged, you will be in a much stronger position. If challenged, control the fist of death and embrace the opportunity to learn and explain, strengthen the relationship for the future.

Lee Neely

The Rest of the Week's News


2022-09-20

Morgan Stanley Fined Over Inadequate Data Protection

Morgan Stanley has agreed to pay $35 million to settle US Securities and Exchange Commission (SEC) charges that it failed “to protect its customer records and information, including personal identifying information (“PII”), and properly dispose of consumer report information.” The charges stem from the company’s decommissioning two data centers, which resulted in unscrubbed devices from the data centers being sold to third parties, and inadequately protecting customer data on decommissioned servers from local offices.

Editor's Note

It would have cost Morgan Stanley much less than $35M to make sure for themselves that the devices were wiped, or at least to check up on the moving company (who had never done this type of thing before) rather than just checking the box.

John Pescatore

Make sure you have media sanitization policies for any media being released or reused to ensure there is no information which exceeds the need to know for the new owners. Even cloud or outsourced services should have clear information disposition processes which you can verify.

Lee Neely

Device-level encryption is useful during the time the device is in use and will reduce the cost of secure disposal.

William Hugh Murray

2022-09-21

Ransomware Hits Suffolk County, NY, Government Systems

Suffolk County, New York, which encompasses the eastern part of Long Island, has asked the New York Police Department (NYPD) for help after its government systems, including 911 emergency services, were taken down following a September 8 ransomware attack. The incident is also disrupting real estate deals, as the title reporting system is affected.

Editor's Note

Suffolk County staff are using pen and paper to handle emergency calls. Reverting to manual means is not uncommon with ransomware attacks, but be sure to understand how long that is viable. In this case they are reaching out to the NYPD for coverage until they are back online. While not viable in all scenarios, make sure this approach is included in your disaster plan preparation processes.

Lee Neely

Events like this are reminders that our DR/BCP programs must be up to date and tested, but there’s a deeper issue. Organizations mistakenly focus all of their resources on preventing compromises through known vectors. It’s easy to understand why; this is a problem it’s easy to create a product for. Unfortunately, it leads to a false sense of security since it prevents organizations from developing truly effective detection capabilities. Without the capacity for effective detection of unknown threats, we will always be caught flat-footed trying to recover after the damage is extensive.

David Hoelzer

For the rest of us, the lesson is that in the event of a breach, we may have to pay for outside assistance. The cost of such assistance must be included in the consequence component of the calculation of risk.

William Hugh Murray

2022-09-22

Hackers Lurked in Albanian Government Network for More Than a Year

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a national cyber awareness alert about Iranian state-sponsored hackers’ attacks against the Albanian government’s network. The report provides details about the length of time after initial access that various activity commenced; encryption and wiper attacks were launched more than a year after the attackers first accessed the network.

Editor's Note

Dwell time continues to vex cyber defenders. Mitigations in the CISA alert go beyond segmentation and MFA; make sure that you’ve looked at all the areas, not only to reduce the likelihood of compromise but also to empower your defenders to detect, block and remediate when the breach comes.

Lee Neely

It would be naive and dangerous to assume, post SolarWinds, that one does not have “lurkers.” Think “zero trust,” at a minimum network segmentation, to resist the damage they might do.

William Hugh Murray

2022-09-22

House Committee Hearing on Water Sector Security

Earlier this week, the US House Committee on Homeland Security held a hearing on water sector critical infrastructure preparedness and resilience. Witnesses testified that there needs to be reliable, consistent funding for the sector to implement security protection, especially for rural entities and additional subsidies for updating aging infrastructure, cyber defenses, and training.

Editor's Note

One of the challenges with mandated security improvements is how to fund them. Funding must be provided not only to implement added security but also to operate it. Often funding for licenses ends after three years on the assumption that base budgets will be increased to absorb them, partly on the belief that the new capabilities will be more cost efficient, negating this gap. Effort is required from all parties to ensure they are prepared to operate after the funding ends; otherwise there is no value in initiating the change.

Lee Neely

2022-09-22

NSA and CISA Control System Defense Guidance

The US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly published guidance for securing operational technology (OT) and industrial control systems (ICS) that are part of the country’s critical infrastructure. The cybersecurity advisory includes information about the tactics, techniques, and procedures that threat actors use to infiltrate OT/ICS systems along with recommended mitigations to protect these systems.

Editor's Note

Read the report to understand how and what OT systems are targeted. Also note information regarding how the inner workings (including weaknesses) are generally available. Recall that information about which OT systems you have may be published inadvertently, such as capturing it in publicity photos celebrating accomplishments, so you cannot assume this information is proprietary.

Lee Neely

2022-09-21

Optus Discloses Data Breach

Australian telecommunications company Optus has acknowledged that a data breach compromised personal information of current and former customers. The affected data include dates of birth, email addresses, and passport numbers. Optus says that their “systems and services, including mobile and home internet, are not affected, and messages and voice calls have not been compromised.”

Editor's Note

At this point Optus has already contacted affected users. Optus both left administrative interfaces to systems available to the Internet to facilitate remote maintenance and failed to change default passwords. Make sure that remote maintenance uses a VPN or another secure access mechanism, requires MFA, and that all default passwords are changed. Never assume an adversary cannot determine the default password, no matter how tightly you feel that information is held.

Lee Neely

Internet Storm Center Tech Corner

RAT Delivered Through FODHelper

https://isc.sans.edu/forums/diary/RAT+Delivered+Through+FODHelper/29078


Phishing Campaigns Use Free Online Resources

https://isc.sans.edu/forums/diary/Phishing%20Campaigns%20Use%20Free%20Online%20Resources/29074/


Chainsaw: Hunt, search and extract event log records

https://isc.sans.edu/diary/Chainsaw%3A+Hunt%2C+search%2C+and+extract+event+log+records/29066


Microsoft Endpoint Configuration Manager Spoofing Vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37972


New Fuzzing Tool: cifuzz

https://github.com/CodeIntelligenceTesting/cifuzz


No Security Updates from Apple

https://support.apple.com/en-us/HT201222


Insecure use of tarfile.extract in Python

https://bugs.python.org/issue1044#msg55464


Twitter Failed to Logout Users After Password Reset

https://privacy.twitter.com/en/blog/2022/an-issue-impacting-password-resets


PDU Exploits past NAT

https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices


Tamper Protection will be turned on for all Enterprise Customers

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478