Google Ramping Up Support for Phishing Resistant Passkey Authentication; Patch Your Fortinet Products; Apply Fixes For All Use of Zimbra

More progress away from reusable passwords is always a good thing. Password manager software products such as Dashlane have added passkey support, as well. VPN/remote access providers should accelerate rolling out standards-based passkey support as should all of the platform as a service providers (such as in healthcare and retail) to make broad adoption happen faster.

John Pescatore

Passkey is what most vendors are calling the FIDO based implementation of strong (or phishing resistant) MFA. Apple has already announced something similar, with Microsoft and other big vendors supporting the solution soon (if not already). This solution replaces traditional passwords and other versions of MFA with a public-key cryptography /biometric solution. While the backend technology can be quite complex, it greatly simplifies authentication for people as there are no passwords to manage, people simply authenticate via biometrics. To help me better understand all of this, I forced myself to write a blog explaining in very simple terms passkeys / phishing resistant MFA. https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

As a transition to passwordless, these passkeys are essentially the public key that is verified by unlocking the private key on your device (e.g., android) using biometric authentication. Google is making these cross-platform and encouraging developers to include support for passkeys in applications to raise the bar on “standard” logins.

Lee Neely

I have concerns around passkey and it's Apple equivalent. The concern isn't the technology per-se, it's the extreme lock in. Say you have several hundred passkeys. How easy would it be to migrate between systems? Do developers have to keep adding more and more identity provider integrations?

Moses Frost

The excuses for the continued use of passwords are fast disappearing even as their contribution to breaches persists.

William Hugh Murray

There appear to be a lot of organizations unaware that they are using a vulnerable appliance. Please double check and scan your network for these devices. As usual: Do not expose admin interfaces to the internet (web or ssh). In our honeypots, we saw exploit attempts as soon as the details were made public.

Johannes Ullrich

Fortinet is actively reaching out to customers and urging them to apply the update or mitigations. If you have affected Fortinet gear, make sure that no unauthorized/unexpected changes have been made. Verify the update has been applied and review the Fortinet bulletin for other IOCs, make sure you're golden. Even if you don’t have Fortinet gear, make sure that you’re limiting access to the administrative interfaces of your boundary control devices.

Lee Neely

I know many vendors provided web based administration capabilities for their devices, but I believe the risks of such a solution far outweigh the benefits provided. My recommendation is configure any remote administration of a firewall or other security devices to use a VPN that is protected by strong MFA.

Brian Honan

On the surface, having your management interfaces exposed to the internet would normally be something we would consider a bad practice. This is until you realize that many enterprises will attempt to manage their sites using cloud-based management interfaces that require this configuration. The only current saving grace is that 7.0 and 7.2, which are the current vulnerable ones, are not yet widely deployed.

Moses Frost

Note that strictly speaking, this isn't a Zimbra flaw, but a cpio flaw. Some Linux distributions include a version of cpio that does not include an older security fix as it may interfere with other usage cases for cpio. The Zimbra patch makes sure that the alternative "pax" utility is installed, which isn't installed by default in some Linux distributions. In addition, the update fixes a few more security vulnerabilities.

Johannes Ullrich

This vulnerability is being actively exploited and builds upon a 2015 weakness (CVE-2015-1197.) After you apply the patch, go to the Zimbra support portal and review the additional hardening guidance there to ensure you have a complete fix to the vulnerability.

Lee Neely

Looks like once again reusable passwords enabled a breach at a service provider: “Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.” Make sure support for multifactor authentication/passkey support is a key requirement when your organization is looking at any third party services.

John Pescatore

As of October 13th, 90 percent of the affected sites were back online, a bit longer than the initial projection of seven to twenty-one days to recover. Interesting note is the recovery is expected to be on the order of 10x any ransom payment requested. When you include costs of hiring additional incident response expertise, staff to rebuild and re-assure systems, and add in costs related to loss of services to customers, 10x seems conservative. Point is - make sure that you’re truly prepared for the costs associated with a breach, talk through all the resources required and time expected, then consider doubling it.

Lee Neely

Critical infrastructure guidance has been released a few sectors at a time based on risk. Eventually all sectors will have coverage. This guidance will be voluntary at this time, which means it’s a good time to review it and figure out what works best as either sector or NIST guidance enters the comment phase for proposed required configurations.

Lee Neely

When internet access first came about, most newspapers and periodicals used to have strong segmentation between their printing operations and their office/news production networks. However, shortcuts have often been taken to both reduce the time and cost of having online versions of the print offering as well as for remote work. If you are in that industry, good item to use to drive a review of your actual (in practice, not just on paper) IT/OT segmentation.

John Pescatore

The fallback plan here is leveraging on-line versions of the newspapers, dropping paywalls to allow readers access as well as printing emergency copies at alternate facilities. Both approaches have been problematic as the systems needed to create or host the content are similarly impacted. Kudos to the publisher for leveraging multiple mechanisms to deliver information to the customer; consider this scenario as you conduct your tabletop, maybe asking a few more what-if questions, extending your definition of what's offline to augment your plan.

Lee Neely

Make sure that your Mac users have updated their client. The users should be prompted to apply the update when they launch Zoom, but it doesn’t hurt to scan and make sure. Zoom released two fixes - the client patch fixes CVE-2022-28762 and Zoom MMR fix for CVE-2022-28761.

Lee Neely

Read those numbers again. It is estimated that about 2 trillion dollars in illicit funds is laundered and less than 1% is intercepted and recovered. INTERPOL’s actions are an example of what can happen when police forces cooperate across borders.

Lee Neely

Well done to all involved in this operation. Running an operation involving law enforcement agencies from 14 different countries is no easy task, but this successful operation highlights how international cooperation between the law enforcement agencies is improving and becoming more effective. Good news for us all, except of course for cybercriminals.

Brian Honan

The arrests included not only the thieves, but also the software developers and resellers. The thieves replaced the original software in the vehicles, which allowed for remote start/unlock without the vehicle fob and to drive off the car without the engine stopping when the door was opened.

Lee Neely

India is learning the difficulty of sweeping regulation. While some larger organizations appear to be complying with the new rules, small to medium sized organizations are not as easily able to comply. One hopes that CERT-In is also considering modification to the requirements to make them more achievable, lest additional businesses either move out of India or find ways around the regulation.

Lee Neely