SANS NewsBites

Take Advantage of GitHub Push Protection; Active Exploits Require Rapid Windows Patching; Check Employee Onboarding Processes Vulnerability to Targeted Attacks

May 12, 2023  |  Volume XXV - Issue #38

Top of the News


2023-05-11

GitHub Push Protection Now Generally Available

GitHub’s push protection feature is now available to all private repositories with GitHub Advanced Security and to all public repositories at no cost. Push protection adds a layer of defense by scanning commits for secrets before a git push is accepted, so a leaked credential is rejected at the boundary rather than discovered after it is already in the repository history. GitHub introduced push protection in beta 13 months ago.
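The mechanism described above, scanning the content about to be pushed for credential patterns and refusing the push when one is found, can be reproduced locally as a pre-push check. The script below is an added illustration, not GitHub's push-protection code or its detector set: the regular expressions, the entropy threshold, and the sample lines are all constructed for this example (the AWS key is the one from Amazon's own documentation; the other values are made up).

```python
"""Minimal pre-push secret scanner (illustrative, not GitHub's implementation)."""
import math
import re
import sys

# Constructed patterns for a few well-known token formats. A real scanner
# would carry many more; these are only to demonstrate the approach.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Generic "password = ..." / "secret: ..." assignments. These are only reported
# when the value looks random (Shannon entropy above a threshold), so that
# obvious placeholders do not generate noise.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"
)
ENTROPY_THRESHOLD = 4.0  # assumption: tuned for this example only


def shannon_entropy(value):
    """Bits of entropy per character of the string; 0.0 for an empty string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo a whole candidate secret into logs or terminal output."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_lines(lines, threshold=ENTROPY_THRESHOLD):
    """Return (line_number, rule_name, masked_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hit = False
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, mask(match.group(0))))
                hit = True
        if hit:
            continue  # a specific pattern already explains this line
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(1)) >= threshold:
            findings.append((lineno, "high_entropy_assignment", mask(match.group(1))))
    return findings


def should_block_push(lines):
    """Policy decision: block the push if anything was found."""
    return len(scan_lines(lines)) > 0


# Constructed sample of lines as they might appear in staged content.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # AWS documentation example key
    'token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',  # constructed, not a real token
    "password: placeholder_value",                         # low entropy, should pass
    'api_key = "q7Zp2mX9vL4kR8tW1nB6"',                    # constructed random-looking value
    "-----BEGIN RSA PRIVATE KEY-----",                     # key material header
    'print("hello world")',                                # benign line
]


if __name__ == "__main__":
    # Read the diff from stdin (e.g. `git diff --cached | python scanner.py`),
    # or fall back to the constructed sample when run interactively.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for lineno, rule, masked in scan_lines(source):
        print(f"line {lineno}: {rule} ({masked})")
    sys.exit(1 if should_block_push(source) else 0)
```

Wired into a `pre-push` hook, a non-zero exit code refuses the push, which is the same control point the news item describes; the server-side version GitHub ships has the advantage that a developer cannot simply skip the hook.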

Editor's Note

Very nice and useful feature. Once a secret makes it into a git repository, removing it can be difficult. Even better to offer this as a free feature to all (paid users get some customization).

Johannes Ullrich

This is free for public repositories, and requires the use of GitHub Advanced Security licenses at a list price of $21 per user per month for private repositories. That $300 per GitHub user per year should be considered a mandatory cost to claim you are doing the Sec part of DevSecOps.

John Pescatore

This is a free service to help detect any secrets you’ve inadvertently put in your repositories. Regardless of other mitigations you’ve implemented, adding one more, particularly one without a cost which is already integrated in the platform, is a no-brainer.

Lee Neely

Feedback on GitHub’s beta protection feature for paying customers was very positive. GitHub is now extending that protection feature to its public repositories. This benefits the greater software development and delivery ecosystem. Kudos to GitHub for placing security over profits with this decision.

Curtis Dukes

2023-05-10

Patch Tuesday: Microsoft

On Tuesday, May 9, Microsoft released fixes for dozens of security issues in its products. Two of the vulnerabilities addressed in the updates are being actively exploited: a Win32k privilege elevation vulnerability and a Secure Boot security feature bypass vulnerability. The Secure Boot flaw is being actively exploited by the BlackLotus bootkit, which bypasses a fix Microsoft released in March.


2023-05-11

Dragos Practices Transparency Following Cybersecurity Event

In a May 10 blog post, Dragos details a failed extortion attempt against the company following a data breach. Dragos writes that the threat actors “gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process. The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer.”

The Rest of the Week's News


2023-05-11

Lawsuit Challenges EPA’s Water Utility Cybersecurity Rules

The attorneys general of three US states are seeking to overturn an Environmental Protection Agency (EPA) rule requiring states to include cybersecurity assessments in their inspections of water systems. The lawsuit puts focus on the issue of the government’s role in regulating privately-held entities that are responsible for elements of the country’s critical infrastructure.

Editor's Note

In the filing, the state of Missouri says it does 800 water service surveys per year and the EPA requirement would add 2-6 hours per survey per year, or roughly a full-time job for at least one employee – even though Missouri states it already requires public water systems to publish cyber risk plans. If those plans were already actively being reviewed for sufficiency and actual implementation (vs. just a box being checked that the plans were created), seems like a high estimate of added cost.

John Pescatore

The lawsuits were to be expected; no one wants to give up their rights. But when it comes to critical infrastructure that protects the nation, it has to be shared responsibility. In a perfect world you would have a common, minimum cybersecurity baseline that every critical infrastructure sector agrees to and is measured against. Let’s move cybersecurity inspections from “do you have a plan?” to “I’ve implemented and actively monitor the baseline established.”

Curtis Dukes

Part of the challenge is the estimated impact of the new required regulations, particularly on staffing. When faced with new regulations which appear to have a big impact like this, make sure that you’ve made sure the impact is just from the change in regulatory requirements and not from existing requirements you were not meeting which would undermine the believability of your objection.

Lee Neely

2023-05-11

Former Ubiquiti Developer Sentenced to Prison for Stealing Company Data and Attempted Extortion

Former Ubiquiti employee Nickolas Sharp has been sentenced to six years in prison for stealing company data, trying to extort money from the company, and spreading false stories about the company. Sharp, who was employed as a senior developer at Ubiquiti, was on the team responding to the incident he had caused. An internal investigation revealed that Sharp had exfiltrated sensitive data from Ubiquiti systems. In January 2023, Sharp pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the FBI. He was also ordered to pay $1.6 million in restitution.


2023-05-11

NIST Taking Public Comments on Draft Guidance for Protecting Controlled Unclassified Information

The US National Institute of Standards and Technology (NIST) has published an updated draft of its guidance for protecting sensitive unclassified information. NIST will hold a webinar on June 6, 2023, that will “provide an overview of the significant changes” to the guidance. Public comments on the document will be accepted through July 14.


2023-05-10

Leaked MSI UEFI Keys Cause for Concern

A ransomware attack last month against hardware maker Micro-Star International (MSI) resulted in leaked private Unified Extensible Firmware Interface (UEFI) keys. MSI refused to pay the ransom demand, and the attackers began leaking stolen data, including source code for MSI motherboard firmware. The trove of leaked information includes firmware image signing keys for 57 products and Intel Boot Guard private keys for 166 products.


2023-05-09

Patch Tuesday: Siemens and Schneider

Siemens and Schneider Electric have released advisories alerting customers to vulnerabilities in their industrial control systems (ICS) products. Siemens published six advisories that address 26 security issues, including critical flaws affecting Siveillance Video and the Scalance local processing engine. Schneider’s four advisories address six vulnerabilities, including a high-severity flaw affecting PowerLogic power meters.


2023-05-10

Sysco Discloses Breach in SEC Filing

Texas-based food distributor Sysco has disclosed a data breach that exposed sensitive information about customers, employees, and business operations. In the “Other Information” section of a US Securities and Exchange Commission (SEC) Form 10-Q filing, Sysco writes that they became aware of the breach in early March 2023 and believe the incident began in mid-January. They “initiated an investigation, with the assistance of cybersecurity and forensics professionals. The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data.”


2023-05-11

Spain’s National Police Arrest 40 Linked to Phishing Campaign

La Policía Nacional (the National Police of Spain) have arrested 40 people in connection with a cybercrime campaign involving phishing, identity theft, bank fraud, and money laundering. The operation is believed to have netted more than €700,000 ($764,000) from its victims.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+May+2023+Patch+Tuesday/29826

Exploratory Data Analysis with CISSM Cyber Attacks Database Part 2

https://isc.sans.edu/diary/Exploratory+Data+Analysis+with+CISSM+Cyber+Attacks+Database+Part+2/29828

Geolocating IPs is Harder Than You Think

https://isc.sans.edu/diary/Geolocating+IPs+is+harder+than+you+think/29834

AndoryuBot Targets Ruckus Admin RCE Vulnerability

https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717

Pre-Infected Mobile Phones

https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

Dragos Breach

https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/

Microsoft Patched Outlook (actually Windows) vulnerability again

https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api

Law Enforcement and Intelligence Agencies Disable "Snake" Malware

https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF

Fake System Update Drops Malware

https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader

GitHub "Push Protection" now out of Beta

https://github.blog/2023-05-09-push-protection-is-generally-available-and-free-for-all-public-repositories/