On Friday, April 7, Apple released updates to address two actively exploited vulnerabilities in iOS, iPadOS, macOS, and Safari. The IOSurfaceAccelerator out-of-bounds write (CVE-2023-28206) could be exploited by an app to execute arbitrary code with kernel privileges; the WebKit use-after-free (CVE-2023-28205) could lead to arbitrary code execution when processing maliciously crafted web content, which makes it reachable from a web page. On Monday, April 10, Apple released updates backporting the fixes to older versions of the affected operating systems. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both issues to its Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies have until May 1 to update.
You probably saw the update Friday with the innocuous looking CVEs, impacting macOS 13, Safari, iOS and iPadOS. Since then, Apple released macOS 12.6.5 & 11.7.6 as well as iOS 15.5.7, which should be hitting your "this is a big deal" alert before you even heard about this being a Zero-Day or the addition to the KEV catalog. Hopefully you can just push the update to your ADE devices and turn your attention to your macOS updates.
Given that both these vulnerabilities lead to remote code execution, the best defense is to patch. The good news is that Apple provides new versions of their operating system for free. This has the effect of Apple users updating their devices more frequently. As we look to envision ‘secure by design,’ one component will have to be an automated patch management process for users.
Ars Technica
Dark Reading
SC Magazine
Bleeping Computer
Bleeping Computer
The Register
CISA
Apple
Micro-Star International (MSI) has acknowledged that it “recently suffered a cyberattack on part of its information systems.” MSI, which manufactures laptops, graphics cards, motherboards, and other products, is urging users to obtain firmware/BIOS updates only from the official MSI website.
With increased emphasis on firmware/secure boot attacks, keeping that firmware updated has to become part of your patch management cycle. As such, not only do you have to develop sufficient rigor to avoid bricking systems, you also have to be certain to only get legitimate firmware updates from the OEM. Resist the urge to just grab it easily off a claimed mirror or torrent site which may be dubiously affiliated with the OEM. Deliberate planned actions rather than knee-jerk reactions. MSI says the hackers would be able to both generate and sign a legitimate-looking bogus firmware using the information purloined.
Since source code was obtained, the guidance about making sure updates only come from a trusted source is important.
While this appears to be a ‘routine’ ransomware attack, it could have been far worse. Attacks on providers of firmware/BIOS applications open up the potential for supply chain attacks. It is time that vendors that play a critical role in the ICT supply chain have a minimum cybersecurity standard that they must meet.
MSI
The Register
Bleeping Computer
Silicon Angle
Security Week
Document Cloud
The public school system in Rochester, Minnesota cancelled classes on Monday, April 10 due to a cyberattack. Rochester Public Schools detected anomalous activity on its network late last week. Students and staff could not access their Google accounts and phone systems were not operating. A school system in Minneapolis was hit with a ransomware attack in February.
This is a good reminder that work at home support should be designed to be usable even if main data center systems are unavailable and that the switchover is tested regularly. Not just because of cyberattacks, but natural disasters and the next pandemic will have similar consequences.
Because I'm old school, my first thought was you could still have classes without Internet. Apparently, the dependency is far more than a convenience which can be worked around. Look at dependencies like this in your shop: can they be worked around, or do you need to send people home during an outage? What would it take to make up for that outage? For example, these students will likely have a bit of makeup school work, possibly an extended school year. Make sure you're all on the same page about this scenario by talking it through fully at your tabletop.
Both the K-12 and healthcare sectors are primary targets of ransomware attacks. That really hasn’t changed in the last three years. Evildoers are taking advantage of their dependency on technology and the lack of resources to securely manage that technology. Until we find ways to automate security for the cyber underserved, students will continue to get a holiday from attending classes.
It is difficult to estimate the cost of not being able to conduct one's primary mission for a whole day, or even, as in the case of FAA NOTAM, for hours. In the face of good contingency planning, it should be possible to continue business, if only in a degraded mode, in the face of an IT failure or network compromise. What is your plan?
All government organizations in the Netherlands will be required to implement Resource Public Key Infrastructure (RPKI) to protect their networks from Border Gateway Protocol (BGP) hijacking. The Netherlands’ Government-wide Policy Consultation on Digital Government (OBDO) is requiring all government-owned information and communications technology to adopt RPKI by the end of 2024.
RPKI is an important security mechanism to improve BGP. For years, BGP has been considered one of the key weak protocols in use to hold the internet together. Cloudflare publishes some statistics around RPKI and allows you to verify if a particular prefix/ASN combination is protected by it: https://rpki.cloudflare.com/
RPKI should help limit the effect of bad BGP updates. Kudos to the Netherlands which already has a 78% adoption for government websites, and 75% for email domains. In the larger sense, there is only about a 41% adoption rate globally. Even so, the trend is going in the right direction; it was 18% in early 2020, 27% in January 2021, and 33.5% at the beginning of 2022. Take a hard look at implementing RPKI in your shop to help raise the bar on BGP updates.
Adoption of RPKI is a good security measure that can eliminate the risks of man-in-the-middle attacks. Perhaps this action by the Netherlands government will increase the adoption of RPKI by other nations.
Bleeping Computer
Forum Standaardisatie
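What RPKI actually buys a network is Route Origin Validation: a router compares each received BGP announcement against the published Route Origin Authorizations (ROAs) and drops announcements whose origin AS or prefix length the holder never authorised. The following is an added example, not code from the original item or from any of the sources it cites. It implements the RFC 6811 validation states (valid, invalid, not-found) against a constructed set of ROAs that use documentation prefixes (RFC 5737/3849) and documentation ASNs (RFC 5398); the ROAs, the sample updates and the "drop invalid, accept valid and not-found" policy are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as a validating router sees it (constructed for this example)."""
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder permits to be originated
    asn: int          # authorised origin AS; AS0 means "nobody may originate this space"


def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route Origin Validation per RFC 6811: returns 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        authorised = ipaddress.ip_network(roa.prefix)
        # A ROA *covers* the announcement when the announced prefix lies inside the ROA prefix.
        if authorised.version != announced.version or not announced.subnet_of(authorised):
            continue
        covered = True
        # It *matches* only if the announced length is within maxLength and the origin AS agrees.
        # An AS0 ROA can cover but never match, so it invalidates every origin for that space.
        if (announced.prefixlen <= roa.max_length
                and roa.asn != 0 and roa.asn == origin_asn):
            return "valid"
    return "invalid" if covered else "not-found"


def filter_updates(updates: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> Tuple[List[tuple], List[tuple]]:
    """Apply the common ROV policy: drop invalid, accept valid and not-found."""
    roas = list(roas)
    accepted, dropped = [], []
    for prefix, origin in updates:
        state = validate_origin(prefix, origin, roas)
        (dropped if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, dropped


# Constructed ROAs (documentation prefixes and ASNs; not real routing data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64497),    # holder also allows the two /25s to be announced
    ROA("2001:db8::/32", 48, 64496),
    ROA("198.51.100.0/24", 24, 0),       # AS0: this space must never appear in the table
]

# Constructed BGP updates as (prefix, origin AS), as they would arrive from a peer.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64496),       # legitimate origin
    ("192.0.2.0/24", 64511),       # origin hijack: right prefix, wrong AS
    ("192.0.2.0/25", 64496),       # more-specific beyond maxLength, even from the right AS
    ("203.0.113.128/25", 64497),   # permitted by maxLength 25
    ("203.0.113.0/26", 64497),     # too specific
    ("198.51.100.0/24", 64500),    # AS0-protected space
    ("2001:db8:1::/48", 64496),    # IPv6, legitimate
    ("10.0.0.0/8", 64496),         # no ROA at all: not-found, still accepted
]

if __name__ == "__main__":
    accepted, dropped = filter_updates(SAMPLE_UPDATES, SAMPLE_ROAS)
    for row in accepted + dropped:
        print("%-20s AS%-6d %s" % row)
```

The "not-found" case is the reason adoption percentages matter: an unsigned prefix is still accepted from any origin, so a hijack of a prefix without a ROA sails through ROV. The more-specific case (a /25 under a /24 ROA with maxLength 24) shows why operators are advised to keep maxLength tight; a generous maxLength would let a hijacker with the right origin AS win on longest-prefix match.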
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three Veritas Backup Exec vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities – a file access vulnerability (CVE-2021-27876), an improper authentication vulnerability (CVE-2021-27877), and a command execution vulnerability (CVE-2021-27878) – have been used in ransomware attacks. Federal Civilian Executive Branch Agencies (FCEB) have until April 28 to update.
This vulnerability has been abused by attackers for a while now to deploy ransomware. A patch has been available for about two years, so about time to get it applied.
While the patch for this was released in March of 2021, and a Metasploit module exploiting these vulnerabilities was released in September 2022, Mandiant is just now seeing active exploits of the flaws. If you're using Backup Exec, make sure that you're at version 21.2 or later. Don't assume.
With these vulnerabilities and the two by Apple, the KEV catalog now has 913 entries. That’s 913 entries over the last 18 months. Maybe that’s a small number, maybe it’s a large number. One does wonder though, about the effectiveness of the catalog given no linkage to FCEB Agency compliance, other than periodic GAO or IG cybersecurity audits.
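Both the Apple entries (due May 1) and the Veritas Backup Exec entries (due April 28) illustrate the practical use of the KEV catalog: it is a machine-readable list with a due date per CVE, so it can be joined against your own scanner findings to decide what jumps the patch queue. The following is an added example, not code from the original item or from CISA. It uses a constructed excerpt that follows the shape of CISA's JSON feed (the top-level `vulnerabilities` array and the `cveID`, `vendorProject`, `product`, `vulnerabilityName` and `dueDate` field names); the CVE IDs and due dates are the ones named in this issue, the `vulnerabilityName` strings are paraphrased, other feed fields are omitted, and the host names and the findings list are invented for the demonstration.

```python
import json
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt in the shape of the KEV JSON feed (field names as published by CISA,
# remaining fields omitted). Due dates are the ones cited in this issue; names are paraphrased.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-28206", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
     "vulnerabilityName": "IOSurfaceAccelerator out-of-bounds write", "dueDate": "2023-05-01"},
    {"cveID": "CVE-2023-28205", "vendorProject": "Apple", "product": "iOS, iPadOS, macOS, and Safari",
     "vulnerabilityName": "WebKit use-after-free", "dueDate": "2023-05-01"},
    {"cveID": "CVE-2021-27876", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "vulnerabilityName": "File access vulnerability", "dueDate": "2023-04-28"},
    {"cveID": "CVE-2021-27877", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "vulnerabilityName": "Improper authentication vulnerability", "dueDate": "2023-04-28"},
    {"cveID": "CVE-2021-27878", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "vulnerabilityName": "Command execution vulnerability", "dueDate": "2023-04-28"}
  ]
}
"""

# Constructed scanner findings as (host, CVE). Host names are invented.
SAMPLE_FINDINGS = [
    ("mac-4412.corp.example", "CVE-2023-28206"),
    ("mac-4412.corp.example", "CVE-2023-28205"),
    ("backup01.corp.example", "CVE-2021-27877"),
    ("web01.corp.example", "CVE-2023-0000"),   # placeholder ID that is not in KEV
]


def kev_index(kev_json: str) -> Dict[str, dict]:
    """Index the catalog by CVE ID so findings can be matched in constant time."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(kev_json: str, findings: Iterable[Tuple[str, str]], today: date) -> List[dict]:
    """Join findings against KEV and compute days to the CISA due date.

    Findings not in KEV are dropped from this report: they follow the normal patch cycle,
    while KEV entries are known to be exploited in the wild and get the deadline treatment.
    """
    index = kev_index(kev_json)
    rows = []
    for host, cve in findings:
        entry = index.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({
            "host": host,
            "cve": cve,
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "open",
        })
    # Earliest deadline first; host and CVE as tie-breakers keep the report stable.
    rows.sort(key=lambda r: (r["due"], r["host"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, date.today()):
        print("{status:8} {due}  {days_left:4d}d  {host:24} {cve}  ({vendor} {product})".format(**row))
```

Against the live feed you would replace `SAMPLE_KEV_JSON` with the downloaded catalog and `SAMPLE_FINDINGS` with your scanner export; the join on `cveID` and the due-date arithmetic are the same. Note that the script only tells you a finding is exploited and when CISA expects FCEB agencies to have it fixed; it does not confirm the fix is installed, which is the "don't assume" check above (for Backup Exec, that the agent is at 21.2 or later).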
Amazon has banned the sale of the Flipper Zero pen-testing device on its platform, flagging it as a card-skimming device. Amazon is not the only entity with concerns about Flipper Zero: Brazil’s National Telecommunications Agency has been seizing shipments of the devices to that country.
Flipper Zero not being sold on Amazon is a weird move considering that it will probably just be sold through other markets. The Amazon Marketplace is not the only shopping site if someone is out to do criminal activities.
One initial effect of this ban appears to be a surge in demand as the Flipper Zero is also sold out on the Flipper Zero store. The device is designed as a pen-testing tool which can be used to experiment with and debug multiple devices using RFID, NFC, SRD, infrared, Bluetooth, etc. Hackers have shown it performing replay attacks, to open cars and garage doors, or clone digital keys. While it's not clear that it is actually capable of being a card skimmer, Amazon's restrictions are not new and include card skimmers, along with key duplicating, and shoplifting tools.
Yet another example of a tool that can be co-opted by evil-doers to enable close-access attacks. AMZ is certainly within its rights to ban the sale of products on their platform for violation of their platform policy. For amateur hobbyists, the pen-testing device is still available from the Flipper Zero website, and who knows, perhaps at a better price point.
The US Federal Bureau of Investigation (FBI) tweeted a reminder urging people not to use public charging stations for their mobile devices because “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.” Known as “Juice Jacking,” the technique was the subject of a Federal Communications Commission (FCC) warning published in October 2021.
I always consider this threat a bit over hyped. Yes, this is theoretically possible, but I don't think I have seen it “in the wild.” On the other hand, I am probably more afraid of badly wired USB chargers exposing the device to 110/220V. And if you carry a charging cable, it isn't that hard to also carry a charger. A more real issue is users willingly providing access to their devices from rental cars and other temporary connections.
A charging-only cable (prominently labeled) can make it safe to use public charging stations while avoiding denial-of-service due to dead devices. Those cables were popular giveaways at vendor booths a few years ago when this first started to happen. A side note: Twitter is not any more trustable than public charging stations, but it seems like that was the only outlet for the FBI Denver warning!
Juice Jacking isn't a new threat, and updates to mobile operating systems now prompt users to trust a USB device which includes a data connection. In general, carry your own charger, don't trust unknown USB connections. If you want the convenience, purchase a charge-only cable, or an inline device which only forwards the power leads.
I don’t understand this alert. It feels dated, or we are missing information? Recommendation: bring your 110v charger with you…. Mostly because USB-C is not in the wall, and you won’t get a decent charge anyway. Who is it that uses these things? If I ever see someone using one, I may have to ask. If you are involved with a company planning a retail or shared area layout and this comes up, you should ask, why not just put in power?
One no longer needs to travel with a laptop and the chargers for mobiles are tiny. Prefer charging from 110V. That said, "any port in a storm." While some ports may be compromised, most are not.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published seven advisories about vulnerabilities in various Industrial Control System (ICS) products including Industrial Control Links ScadaFlex II SCADA Controllers; JTEKT Screen Creator Advance 2 and JTEKT Kostac PLC; Korenix Jetwave; Hitachi Energy MicroSCADA System Data Manager SDM600; mySCADA myPRO; and Rockwell Automation FactoryTalk Diagnostics. CISA has also released an advisory about vulnerabilities in Nexx Smart Home devices (see story below).
The CISA feed of their latest alerts is worth having in your inbox. Most of us have some form of OT/IoT components in our shop. You should be aware of them and how they are secured and protected. If you have any doubts, go meet the people responsible for them. Remember, many of these devices are not intended for general access: your security scanners can knock them over with a malformed packet, availability is king (downtime/patch windows are rare), and the operators have a lot of pressure to expose the data to a wide user base. There are solutions for all of these once you understand each other.
Nexx’s response to reports that its smart home devices are vulnerable to hacking is to disable Internet access to those devices, requiring customers to use Bluetooth to communicate with their Nexx Garage, Nexx Gate, and Nexx Plug products. Instead of being able to control these devices remotely from wherever they are, users will now, at least temporarily, need to be within 30-50 feet of them.
Nexx claims this is a temporary change while they address the security issues. Given their lack of response for months and weeks after the flaws were disclosed by both Sam Sabetan and Motherboard, it's not clear what and when a fix will be released. You have two choices: either proactively replace the devices, or take a gamble to see if they fix the security flaws fully.
The recommendation certainly reduces the attack surface of the vulnerability, but it isn’t exactly a customer friendly response. I guess Nexx is ‘banking’ on users being apathetic and not switching out their smart home kit. Time will tell if this was a smart [pun intended] move on the part of Nexx executive leadership.
SD Worx, an Antwerp, Belgium-based HR and payroll services company, has shut down IT systems serving its customers in Ireland and the UK following a cyberattack. SD Worx is investigating the incident, and says that it was not a ransomware attack.
The concern is that personal information may have been exfiltrated, so services have been shut down to prevent further problems, a good move to aid the investigation. If you're outsourced like this, make sure that you know how operations will continue in such an instance. For example, how will you process payroll/pay staff? A good conversation to have at the inception of the contract rather than when there is an incident. However, if you're in this position, and don't have a clear understanding, don't wait for them to let you know: be proactive.
Bleeping Computer
Apple Patching Two 0-Day Vulnerabilities in iOS and macOS
https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726
Apple Updates for Older Operating Systems
https://support.apple.com/en-us/HT201222
Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023
https://isc.sans.edu/diary/Microsoft+Netlogon+Potential+Upcoming+Impacts+of+CVE202238023/29728
KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
Another Malicious HTA File Analysis - Part 2
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676
Detecting Suspicious API Usage with YARA Rules
https://isc.sans.edu/diary/Detecting+Suspicious+API+Usage+with+YARA+Rules/29724
MSI Attack May Affect BIOS Updates
https://www.msi.com/news/detail/MSI-Statement-141688
VM2 Sandbox Escape
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d