NJ US Appellate Court Rules Insurer Did Not Prove NotPetya Was an Act of War; Google Increases Support for Passkeys Over Passwords; Chrome Browser Replacing Lock Icon, Education Will Be Required

I hate to always be a nattering nabob of negativism about the lack of value delivered by cyberinsurance, but it is important to note that this ruling is based on the particular very large “All Risks” type of policy Merck had, not “vanilla” cyberinsurance. The court stated that type of policy is a “…special type of insurance extending to risks not usually contemplated, and recovery under the policy will generally be allowed…” Also, note that it took 5 years of legal actions to get to this judgement, which may yet be overturned. And this policy had a $150M deductible, in any case. Remember, NotPetya succeeded because the Windows flaw (CVE-2017-0144) that enabled the previous WannaCry attacks had not been patched – it would have cost Merck much less than the deductible, let alone the full incident, to maintain critical patch essential hygiene levels.

Excellent for Merck, and if you had a similar claim rejected on those grounds you may want to chat with your lawyer. More significantly, expect your cyber insurer to be updating their exclusions. When you get that updated coverage or renewal notice, make sure that you read it carefully, again engage your legal team: you want to be certain what is and is not covered and under which constraints.

This, in my opinion, is precedent-setting and will force insurers to rethink coverage limitations and cost to provide cyber insurance. I tend to agree with the appellate court finding in upholding the lower court’s decision: it was neither a hostile or warlike action directed at Merck. I would be remiss not to point out that the attack was only successful because Merck failed to patch a vulnerability that was several years old. Cyber insurance shouldn’t be a substitute for an effective patch management program.

The key lesson here is to ensure that you carefully review the terms and conditions, together with any exclusions, in your cybersecurity policies. Make sure that after the review, you are comfortable with what your policy covers and does not cover while remembering cyber insurance is more about covering the financial risk associated with a cyber-attack then managing the cybersecurity risk.

FIDO authenticators have been around for a while. But passkey adds some important usability upgrades to the standard. Synchronizing credentials and the ability to use devices in proximity to authenticate are just some of the important improvements that will hopefully make these credentials more common and easy to use. I hope Google's move will prod others to join in and implement passkey support.

Passkeys are a very exciting technology as they eliminate the pain and complexity of authentication and also improve the security of 2FA. The simplest explanation is Passkeys turn your mobile device into a FIDO key that you register against your Google account, strong authentication is now just a fingertip (or face shot) away. While I’m super excited about Passkeys, for it to be really effective websites around the world need to adopt it, and that will take time. More on Passkeys at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Google has also started to nudge Google account holders away from reusable passwords, which is a huge step beyond just offering stronger alternatives. Google is the largest consumer email service provider, hopefully Microsoft, Outlook and Proton Mail will raise the bar on nudging their customers.

This is really good news — another step in us transcending the scourge of passwords. Passwords are bad for all kinds of reasons, and I applaud Google and other tech companies for their work in creating alternatives like passkeys. YAY!

This is an excellent move for personal accounts. I tried this on a Google Workspace (paid) account, but this feature is unavailable. Just in case you wanted to try this at work.

PassKey is definitely a move in the right direction. You should opt in now; Google will be removing your existing security key December 1st. You can create passkeys on both mobile and desktop/laptop devices. And these can be synced using iCloud accounts and the iCloud Keychain or the Google Password Manager, both of which are end-to-end encrypted. The default behavior for Google Accounts will be to skip password when possible, which can be changed in your account settings. This behavior allows you to sign in with your passkey or a device prompt. If you're enrolled in the Advanced Protection Program you will only be able to use the passkey to skip your password.

Kudos to Google for providing passkey support on all accounts. Passkeys are the future for user identity authentication. Having the support of Google, Apple, and Microsoft with the FIDO alliance ensures that future. That said, we’ll still see passwords as the primary authentication method for another year or two or three.

This is good news and a positive step in enhancing security for accounts and improving the related user experience. There is an important caveat called out, “anyone with access to and the ability to unlock those devices will have access to the user’s Google Account," which reinforces that we should never rely on one layer of security but ensure that we have several layers in place.

The TLS "lock" icon suffered from the same issue as "verified account" blue checkmark symbols: TLS, in a limited way, asserts that you are talking to the correct endpoint, and the data is encrypted. It does in no way assert that the data transmitted across that connection is safe, or even authentic and authorized by the source. With TLS being the new-normal in web browser transport security, the need for a lock icon is diminishing.

I’m all for retiring the lock icon because of the security confusion it induced in many users. I’m not crazy about the “tune” icon, though, as it seems pretty confusing as well. It seems as though there’s just no good answer here, and the tune icon is a new less-bad answer.

Extended Validation Certificates came out over 15 years ago and since the SSL Certificate or browser vendors never invested in educated users about what Red/Yellow/Green meant, they only served to increase Certificate provider revenue vs. raise security levels. Google has committed to education around this move, but the CA Browser Forum group should “nudge” all members to do so.

With the changes to types of certificates, and issuers, the lock icon is not the security indicator it was when it was introduced in the 1990s on the Netscape browser. The new "tune" icon takes you to the site security settings the old lock icon provided, including the ability to view the certificate and it's status. If you're on Chrome Canary, you can see the icon by enabling Chrome Refresh 2023 - (chrome://flags#chrome-refresh-2023) note that it's likely to change as it's still under active development.

Eliminating the padlock icon removes the ambiguity around what was implied by the icon. That said, I don’t think the ‘tune’ icon is particularly informative. Just stick with the call-out box that warn users when a connection is not secure, that’s what users mostly pay attention to

I absolutely LOVE how Google is recognizing how the lock can confuse people as they perceive the lock as meaning the site is trusted when in reality it only demonstrates your connection is encrypted. This misconception is something many cyber criminals leverage when creating HTTPS enabled phishing websites. However, not sure if replacing one confusing icon with another is really going to help. After reading Google blog post about the “Tune” icon I’m still confused on the what / why of it.

This makes a lot of sense. The idea here was to provide us with a way of knowing which sites are HTTPS; now, the bigger question is which ones are not.

Kim Zetter has a pretty good history of really solid books on this topic. I suspect this article will be well worth the read.

This is a good read. You may find yourself wincing at mistakes made which could have easily been made by your team. I'm thinking it's a good time to review some SOPs to double check your own shop, to include making sure that the relationship with law enforcement won't go unexpectedly quiet as they have a hot lead or otherwise sensitive area. Understand the impacts on a case when details are leaked or published during sensitive intervals; find out how you can still get a status update without being ghosted.

There has been a lot of discussion around the arrest and now conviction. While it can have a dampening effect on traditional cybersecurity roles (CISO, CSO, CRO), in this case it was the right outcome. As a member of the executive leadership team, he has a personal responsibility to be forthcoming during a federal probe. That said, the former CEO also bears responsibility and should have been held accountable. Unfortunately, prosecution can sometimes be uneven in balancing the scales of justice.

[Neely] His conviction was the first criminal prosecution of a company official over a data breach, which made real prior implications of consequences, particularly when covering/hiding an incident, to include paying the hackers to keep it quiet. This probation replaces 15 months of jail time. Probation versus jail-time is as much a function of your legal team as anything else and can be rather costly. For the rest of us, jail time is more likely.

Municipal broadband is urgently needed in a lot of communities. The current situation is akin to each airline having to build its own airport to serve a particular city. Living in an urban area often red-lined by ISPs, the lack of connectivity choices isn't just a rural problem, but a problem suffered even in densely populated areas. Municipal broadband has had some great successes in cities that were able to overcome infrastructure monopolist lobbying and corruption.

It’s unfortunate that a country with such a large technology base, still has difficulty providing decent Internet service to all its citizens. Kudos to the State of Colorado bipartisan effort in replacing an outdated law, and enabling the delivery of digital services to its residents.

The local election requirement was to ensure the community was aligned with their local government’s desire to deliver the services. Of course those local elections were lobbied one way or another as any hot topic would be. In today's environment, having not only internet services but also high-speed connectivity has become necessary to remain competitive at many levels, but the question remains of who should be driving that and who funds which activities. One hopes the user wins here.

Privacy versus technology. The trackers are great, particularly as I get older and am more prone to misplace my keys, brain, etc. Having standards will help, but also being aware, paying attention to any alerts of an unwelcome/foreign tracker will still be needed.

It makes sense that Apple and Google would create such a specification given the ‘bad’ press they’ve both received over the last 18-months. As with most things, location tracking devices can be misused for nefarious purposes. Kudos to both Apple and Google for introducing the draft standard.

While this is a welcome move on protecting the privacy and safety of people, it irks me when I read of companies retrospectively addressing these concerns resulting from technology that they provide. We need technologists, developers, and manufacturers to proactively and address identify the threats to security and privacy risks their products will introduce to all those who will be impacted by those products.

The city has been isolating the impacted hosts and restoring services. City workarounds included 911 dispatchers hand-writing reports while their systems were restored while jury duty and jury trials were cancelled until May 3rd as those IT servers were offline. This is the Royal Ransomware, which prints its ransom notices on all network printers.

It’s unfortunate that the city of Dallas is experiencing the impact of a ransomware attack on its digital services. It was only four years ago a similar ransomware event affected the City of Baltimore. We each event, we have to take the lessons learned and apply them.