SANS NewsBites

NIST Retires SHA-1; Patch Old Cisco Vulnerabilities; FTC Fines Fortnite Maker Half a Billion Dollars Over COPPA Violations and Deceptive Charges

December 20, 2022  |  Volume XXIV - Issue #98

Top of the News


2022-12-20

SANS Difference Makers Awards

For the 10th year, SANS has presented a talented and diverse group of cybersecurity professionals with SANS Difference Makers awards. These awards are given to people around the world who are “fighting the good fight” – helping others and working tirelessly (often on their own time) to reduce risk by raising the bar in security practices and operations. SANS is proud to shine a light on the people who are making the processes and technologies of cybersecurity more effective and more efficient through their skills, their values and their continued willingness to share their time and talent.

You can see the 2022 winners at https://www.sans.org/about/awards/difference-makers/


2022-12-16

NIST Retires SHA-1 Cryptographic Algorithm, Slowly

The US National Institute of Standards and Technology (NIST) has retired the SHA-1 cryptographic algorithm, which was introduced more than 25 years ago. NIST recommends that organizations migrate to SHA-2 or SHA-3 by the end of calendar year 2030.

Editor's Note

SHA-1 has known weaknesses and various PoC attacks have already been released taking advantage of SHA-1. However, remember that removing SHA-1 from legacy software will first of all take time, and secondly, depending on the use case, SHA-1 may not be a huge problem for some software. The 2030 deadline was implemented not because SHA-1 will all of a sudden fail horribly in 2030 but because this is the earliest reasonable deadline for such a major change.

Johannes Ullrich

While SHA-1 has been cryptographically nullified since 2017, moving away from it requires active steps. You’re going to have to identify all the services which are still using it and move them to at least SHA-2. There are some easy wins here, e.g., update the certificate and reconfigure any certificate authorities to not use SHA-1; all certificates will have aged out well before 2030. Also stop publishing SHA-1 checksums so the issue isn’t perpetuated.

Lee Neely

Since collision attacks against SHA-1 were made real in 2017, waiting 13 years overall to ban government buying of a known compromised algorithm is too long. An earlier deadline with a defined waiver process now is a much better approach than pushing it out 8 years from now.

John Pescatore

Attacks against SHA-1 have been known for over 17 years. Replacement algorithms for SHA-1 have been available for well over a decade. Why not leverage the recent USG mandate to inventory assets [susceptible to quantum computer attack] to identify and replace SHA-1 with SHA-3 in the next year or two?

Curtis Dukes

Collisions are fundamental and inevitable. While collision attacks can be demonstrated, they are not cheap and do not appear "in the wild." That said, replacing SHA-1 with more robust algorithms, while not urgent, is efficient.

William Hugh Murray
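The editors above stress that the practical work is inventory: finding which certificates and services still rely on SHA-1. The following is an added example, not code from NIST or from NewsBites, showing one way to do that for X.509 certificates without a third-party library: a minimal DER walker reads the certificate's signatureAlgorithm OID and flags the SHA-1 variants. The OID table holds the standard PKIX/PKCS#1 values; the certificates it is exercised on are constructed minimal DER shells (placeholder tbsCertificate and signature bits), not real certificates, and `fake_cert`, `audit` and `to_pem` are names chosen here.

```python
"""Flag X.509 certificates whose signature algorithm still uses SHA-1.

Added example (not part of the NewsBites item). A minimal DER TLV parser
walks the outer Certificate SEQUENCE, reads the signatureAlgorithm OID and
reports whether it is SHA-1 based. The sample certificates are constructed
DER shells, not real certificates; real files go through load_pem().
"""
import base64
import re

# OID -> (name, uses_sha1). These are the standard PKIX / PKCS#1 OIDs.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(data, offset):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear ends the base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_oid(cert_der):
    """Return the dotted signatureAlgorithm OID of a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, algid, _ = read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def flag_sha1(cert_der):
    """Return (algorithm_name, uses_sha1); uses_sha1 is None for unknown OIDs."""
    oid = signature_oid(cert_der)
    return SIGNATURE_OIDS.get(oid, (oid, None))

def load_pem(pem_text):
    """Extract DER bytes from a PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def to_pem(cert_der):
    """Wrap DER bytes as PEM (used here to round-trip the constructed samples)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert_der).decode()
            + "-----END CERTIFICATE-----\n")

def audit(pem_by_name):
    """Given {label: pem_text}, return the labels whose signature uses SHA-1."""
    return [label for label, pem in pem_by_name.items()
            if flag_sha1(load_pem(pem))[1]]

# --- constructed sample certificates (hypothetical, for demonstration) ---
def der_tlv(tag, content):
    """Encode one DER TLV, short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def fake_cert(sig_oid):
    """Minimal certificate shell: placeholder tbsCertificate, real OID, dummy signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                 # stand-in SEQUENCE
    algid = der_tlv(0x30, encode_oid(sig_oid) + der_tlv(0x05, b""))  # OID + NULL
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)                 # BIT STRING
    return der_tlv(0x30, tbs + algid + sig)

if __name__ == "__main__":
    inventory = {"legacy.pem": to_pem(fake_cert("1.2.840.113549.1.1.5")),
                 "current.pem": to_pem(fake_cert("1.2.840.113549.1.1.11"))}
    print("SHA-1 signed:", audit(inventory))
```

Run against a directory of real PEM files by reading each into the `audit` mapping; anything flagged is a candidate for reissue, and an unknown OID (`None`) deserves a manual look rather than being assumed safe.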

2022-12-19

Cisco New Warnings for Old Vulnerabilities

Cisco has updated numerous security advisories to include exploitation warnings. Some of the vulnerabilities that are being actively exploited were patched four or even five years ago. Cisco is urging users to update to patched versions of its products.

Editor's Note

There is no compliance regime or regulation that will give safe harbor to vulnerabilities of CVE severity 9.8 that have gone unpatched for years. If you have some obstacle that has prevented you from patching your Cisco products, show management any of the dozen or so NewsBites pieces we’ve published this year documenting large/business-significant fines levied on organizations that allowed customer data to be at risk due to lack of essential security hygiene such as patching high severity vulnerabilities.

John Pescatore

A finding of failure to employ reasonable data security measures has been used in recent court cases in both PA and NY. A lack of patching critical vulnerabilities falls within this finding. A standard of reasonableness is emerging that speaks to basic cyber hygiene as a test of reasonable security measures – fail the test, be held accountable by the court.

Curtis Dukes

Make sure you’re patching ALL your Cisco gear. Don’t overlook items “in the field.” While you’re at it make sure you haven’t overlooked lifecycle replacement planning.

Lee Neely

2022-12-20

FTC Fines Fortnite Maker $500M Over Privacy Violations and Unauthorized Charges

The US Federal Trade Commission (FTC) has fined Fortnite maker Epic Games more than half a billion dollars over allegations that it violated the Children’s Online Privacy Protection Act (COPPA) and used dark patterns to trick users into making unwanted purchases. Epic Games has agreed to the settlement.

Editor's Note

Fines in the half a billion dollars range are good examples to get management’s backing to make changes needed to protect customer data!

John Pescatore

While not the largest penalty (that was Facebook at $5 Billion in 2019), this should raise eyebrows around the C Suite to show the importance of privacy and cost of violations. Note the $500M is roughly half in penalties and half in reimbursement to affected customers.

Jorge Orchilles

The Rest of the Week's News


2022-12-19

Malicious PyPI Module Pretends to be SentinelOne Client

Researchers from ReversingLabs have detected a malicious package on the Python Package Index (PyPI). The package pretends to be a SentinelOne software development kit (SDK) but is actually a Trojan horse program that abets data theft. According to ReversingLabs, “the malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating — a possible effort to avoid detection.” The malicious package was uploaded to PyPI on December 11 and has since been removed.

Editor's Note

Be aware of what you import. There is no vetting happening to add a package to PyPI. If you plan on using a vendor's API, double check if they offer or recommend a specific package. But also monitor sites like PyPI for your trademarks just like you attempt to watch out for phishing sites.

Johannes Ullrich

While we are all raising the bar on packages we’re downloading, expect our adversaries to raise the lie bar as well. Stay the course, make sure that you’re only using the qualified versions of packages from the correct repository, and make sure you have notifications to act on if things don’t jibe.

Lee Neely

Not all instances of supply chain contamination will be, or are even intended to be, exploited, but all will weaken the infrastructure and reduce the cost of attack against selected targets.

William Hugh Murray
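The editors' advice above comes down to installing only the qualified version of a package from the expected source. The following is an added example, not code from ReversingLabs, PyPI or pip, that models the policy behind pip's real `--require-hashes` mode in a few dozen lines: every requirement must be pinned to a single version and carry a sha256 hash, and a fetched artifact is accepted only when its digest matches the pin. The lock-file text, the package name `acme-sdk` and the artifact bytes are constructed for the demonstration; `parse_requirements`, `verify_artifact` and `lock_is_compliant` are names chosen here.

```python
"""Verify pinned, hash-locked Python dependencies before installing them.

Added example (not pip's own code). It enforces the policy behind pip's
--require-hashes mode: each requirement is pinned with '==' and carries at
least one --hash=sha256:... value; an artifact is accepted only if its
sha256 matches. Unpinned or unhashed entries are rejected, never guessed.
"""
import hashlib
import re

REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)

class RequirementError(ValueError):
    """A requirement does not meet the pin-and-hash policy."""

def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Parse 'name==version --hash=sha256:...' lines.

    Returns {normalized_name: (version, {hex_digest, ...})}. Backslash
    continuations and '#' comments are tolerated; anything unpinned,
    malformed or without a hash raises RequirementError.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise RequirementError(f"unpinned or malformed requirement: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        if not hashes:
            raise RequirementError(f"no --hash given for {m.group('name')}")
        pins[normalize(m.group("name"))] = (m.group("version"), hashes)
    return pins

def lock_is_compliant(text):
    """True if every line in the lock file is pinned and hashed."""
    try:
        parse_requirements(text)
        return True
    except RequirementError:
        return False

def verify_artifact(pins, name, version, artifact_bytes):
    """True only if (name, version, sha256(artifact)) matches a pinned entry."""
    entry = pins.get(normalize(name))
    if entry is None:
        return False                     # not an approved dependency at all
    pinned_version, hashes = entry
    if version != pinned_version:
        return False                     # version drift
    return hashlib.sha256(artifact_bytes).hexdigest() in hashes

# Constructed sample data: a placeholder wheel payload and a lock file that
# pins its sha256. For a real project the digest comes from `pip hash`.
SAMPLE_WHEEL = b"PK\x03\x04 constructed placeholder wheel bytes"
SAMPLE_LOCK = (
    "# constructed lock file for a hypothetical vendor SDK\n"
    "acme-sdk==1.4.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(SAMPLE_WHEEL).hexdigest() + "\n"
)

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_LOCK)
    print("accept genuine artifact:", verify_artifact(pins, "Acme_SDK", "1.4.0", SAMPLE_WHEEL))
    print("accept tampered artifact:", verify_artifact(pins, "acme-sdk", "1.4.0", SAMPLE_WHEEL + b"!"))
    print("accept lookalike name:", verify_artifact(pins, "acme-sdk-client", "1.4.0", SAMPLE_WHEEL))
```

The lookalike check falls out of the design: a package that is not in the lock file is simply not approved, whatever its name resembles, which is the same reason a vendor's documented package name (and nothing else) belongs in the lock file.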

2022-12-18

Client-side Encryption for Gmail in Beta

Some Gmail users will now have access to client-side encryption. The feature is being made available in beta. Google says that Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2023. Client-side encryption is already available for Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).

Editor's Note

This is encryption at rest. You need to set up a key management service which will then be used to generate keys to encrypt your data at rest, preventing Google from accessing it. Be aware of what access the service provider has for key recovery; anyone with that role can decrypt your data. Even with this configured you still need to take added steps to achieve end-to-end encryption (such as using S/MIME or PGP), allowing only the intended recipients to access your message.

Lee Neely

We know that persistent encryption of data is needed to minimize the impact of data breaches, so it is good to see Google joining Apple in pushing it forward. However, business use of persistent encryption requires trustable identities (not reusable password-based), trustable directories, trustable backup processes and effective client-side policy enforcement, since network-based approaches to data policy enforcement can be blinded.

John Pescatore

2022-12-16

Ransomware Attack on Colombian Energy Provider

The network of Empresas Públicas de Medellín (EPM), a Colombian energy provider, was hit with a ransomware attack last week. Employees were instructed to work from home as the company’s IT system was down. The attackers are reportedly demanding a ransom in exchange for returning data they stole.

Editor's Note

LATAM is the new, hot target of ransomware operators. LATAM readers: leverage these stories to push for resilience. Build incident response plans and test them against your people, process, and technology.

Jorge Orchilles

Two observations from yet another ransomware attack: 1) Every enterprise, public and private is a target of cybercriminals; 2) You need to be prepared for the eventuality of compromise; the importance of regularly testing recovery plans cannot be overstated.

Curtis Dukes

2022-12-16

Cyber Criminals are Using Business Email Compromise to Steal from Food Supply Chain

In a joint cybersecurity advisory, the US Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) warn that business email compromise attacks are being used to steal food products and ingredients. Food suppliers and distributors have reported hundreds of thousands of dollars in losses.

Editor's Note

Forgive the cliché, but ‘tis the season: the holidays are a time when users are distracted and need that extra support to remain vigilant. Make sure they are aware of both everyday precautions and your reporting mechanisms. Make sure that your MFA deployment isn’t derailed or bypassed in the name of the holiday without serious top cover.

Lee Neely

Not simply credit, but any commodity can be fraudulently redirected. Those processing transactions should pick up the phone. Management should ensure that multiple parties are involved in material transactions.

William Hugh Murray

2022-12-13

Cloudflare’s Project Safekeeping Helps Small Critical Infrastructure Organizations with Cybersecurity

Cloudflare has announced that it will offer its zero-trust cybersecurity solution at no cost to “under-resourced organizations that are vital to the basic functioning of our global communities.” The offer is open to qualifying organizations in Australia, Japan, Germany, Portugal, and the UK.

Editor's Note

Phishing is the number one attack vector used by cyber criminals. DNS filtering is one of the highest rated defenses against malicious websites. Offering free tools to automatically protect against both malicious email and malicious websites dramatically changes the cyber defense posture for these organizations. Let’s hope Cloudflare extends Project Safekeeping to other countries.

Curtis Dukes

2022-12-16

MCCrash Cross-Platform Botnet

Researchers from Microsoft Security Threat Intelligence have detected a cross-platform botnet that infects both Windows and Linux machines. Known as MCCrash, the botnet has been used to take down Minecraft servers and launch distributed denial-of-service (DDoS) attacks.


2022-12-18

Foxit Patches Critical Flaw in PDF Reader and Editor

On Tuesday, December 13, Foxit Software released updates to address a critical out-of-bounds write vulnerability in its PDF Reader and Editor products. The flaw could be exploited to achieve remote code execution. Users are urged to update to version 12.1 of both Reader and Editor on the Windows platform.


2022-12-15

Centers for Medicare and Medicaid Services Contractor Breach Exposed Sensitive Data

Healthcare Management Solutions LLC (HMS), a subcontractor for the US Centers for Medicare and Medicaid Services suffered a data breach that exposed personally identifiable information and protected health information of more than 250,000 individuals. The breach occurred in early October.

Internet Storm Center Tech Corner


Hunting for Mastodon Servers

https://isc.sans.edu/diary/Hunting+for+Mastodon+Servers/29358


Infostealer Malware with Double Extension

https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354


KB5021233 Blue Screen

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#2986msgdesc


Edge Update will disable Internet Explorer in February

https://learn.microsoft.com/en-us/deployedge/edge-learnmore-neededge


Corsair Bug not causing keystroke logging

https://arstechnica.com/gadgets/2022/12/corsair-says-bug-not-keylogger-behind-some-k100-keyboards-creepy-behavior/


Client Side Encryption For Gmail

https://workspaceupdates.googleblog.com/2022/12/client-side-encryption-for-gmail-beta.html


SentinelSneak: Malicious PyPi module poses as security software development kit

https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk


Gatekeeper's Achilles heel: Unearthing a macOS vulnerability

https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/


Google Releases OSV Scanner

https://github.com/google/osv-scanner/releases/tag/v1.0.1


Samba Security Patches

https://thehackernews.com/2022/12/samba-issues-security-updates-to-patch.html


Zyxel Router Buffer Overflow

https://sec-consult.com/blog/detail/enemy-within-unauthenticated-buffer-overflows-zyxel-routers/