National Public Data Breach Affects 3 Billion; NIST Releases Post Quantum Cryptography Standards; Microsoft Patch Tuesday; and Lots of Other Patches

First of all: This data was likely stolen multiple times before in prior breaches. Secondly: Why does any one entity collect that much data? I have seen a lot of less-than-brilliant advice to victims. Using strong passwords and running up to date antivirus will not help you if organizations aggregating your data without your knowledge are missing fundamental controls like that. The only option you have is to first of all freeze your credit, and secondly opt out of whatever data collection possible. Assume that your data was breached and be careful even if someone uses supposedly confidential data to attempt to establish trust. There have been a number of reports of more sophisticated law enforcement impersonation scams that used data like SSN, address, phone numbers and such to establish authority.

This is basically the OPM hack all over again but on steroids. It really calls into question the right of individuals not to have their personal information collected by data brokers. We sorely need a national data privacy law akin to the EU's GDPR.

The prudent position for most people today is to assume that all their PII is public, or at least on the Dark Web. They should freeze their data on the credit bureaus and be vigilant.

Legitimate background check companies exist to help companies, people, and law enforcement. While those companies do exist and require extensive credentialing to access those databases, there are also 3rd party downstream brokers that take these feeds and aggregate them. These 3rd parties need more well-defined practices and well. If what is said here is true, this broker, who appears to be a 3rd party downstream aggregator with an address located in a residence, may be one of these smaller brokers. Getting 280GB of structure data from one of these 3rd parties would have taken a long time, and this is potentially one of the biggest breaches in history. Given that there are only 350 million people in the US and the breach is supposedly for 3 billion people, I am wondering who the remaining 2.65 billion people are. Are these people who are no longer alive, or is it that are we looking at duplicate records? It's hard to say without looking at the data itself.

This is the largest breach since the Yahoo breach of 3 billion in 2013. It appears we are finding out about this breach due to the lawsuit rather than a notification by the company. The lawsuit was triggered by an alert the lead plaintiff received from his identity monitoring service. While we could pull the lack of notification thread, the better move is to make sure you have identity monitoring and that you've fully configured it to watch for issues. In this day and age, we need background check companies like this to support the integrity of our hiring process. That said, with ever growing collections of information, with increased fidelity, you need to be proactive in monitoring breaches of your own data.

The release of these new standards is an important first step to start implementing quantum safe encryption. Next we will need verified implementations. Judging based on experience with prior encryption standards, it will take a bit of time to get the bugs worked out. Expect some "not equal time" and "sidechannel" vulnerabilities. But start experimenting with implementations now.

Work is underway for hybrid encryption options to be built into protocols for using both standard and quantum-resistant crypto. It will be interesting to see how quickly any of these are adopted, as I still see TLS 1.0 being used. I always mention that TLS 1.0 and TLS 1.1 are theoretically weak, but practically, they are not weak. When was the last time someone broke through your TLS 1.1 system? This all goes out the window with Quantum. If someone does reach quantum supremacy where you can render certain algorithms weak, then TLS 1.1 and TLS 1.2 become insufficient. Does your threat model include that?

While quantum computing still has a huge error rate problem to overcome, AI, as it becomes more, well general AI, has the potential to leapfrog the mathematical constraints on current encryption and Optical or Photonic computing, introduce added threat-vectors which could arrive before Q-Day. Start working on how you'd cut over to post-QC encryption now, and test those plans so you can make the switch before technology makes it mandatory.

Most of the data in the Internet has a very short life. It will no longer be sensitive at the point in the future when breaking RSA becomes efficient. However, perhaps as much as one percent of the traffic in the Internet already uses PQC algorithms. This is to protect long-lived data from store now, decrypt later (SNDL) attacks. Those of you who deal in such data know who you are and know what to do. That said, converting all our systems to PQC is not a trivial task and will take years. We should move forward at a deliberate pace.

There were two "highlights" in Microsoft's patch Tuesday. First of all, the vague IPv6 vulnerability. Microsoft did not provide enough details to judge the risk of this vulnerability. It sounds bad (CVSS score of 9.8). But are exploit packets routable? Will common firewalls be able to block the exploits (once we know what to filter)? For now: Patch quickly, so you won't have to worry this weekend. The second interesting patch fixes a secure boot bypass vulnerability. Microsoft stopped applying the patch automatically, due to some conflicts with systems that do not have the newer secure boot CA data applied. Remember that these CAs need to be updated soon. The original secure boot CAs will expire in about two years and going forward, firmware will be signed using a new set of CAs.

A particularly bad month for Microsoft. It appears there has been an uptick in vulnerabilities [err, software defects] disclosed over the last few months across a variety of vendor products. Bottom line: we must reduce the patch cycle if we are to stay ahead of the adversary.

RCE is a common thread amongst the critical flaws fixed. Get these updates to critical services, and endpoints, then keep picking away at the rest until they are updated. Note there are fixes to both the OS and layered products such as Office, .NET, Visual Studio, Co-Pilot, Microsoft Dynamics, Teams and Secure boot. If you're still an IPv4 only environment, then you should be monitoring for unexpected IPv6 traffic. If you're transitioning (dual stack or full IPv6 cutover) make sure that you're monitoring for malicious or malformed packets as indication of potential unwelcome behavior.

This patch Tuesday is a doozy. Lots of critical bugs but the one that everyone is talking about is a wormable IPv6 one. If you are not using IPv6, disable it; if you don't wish to disable IPv6, properly route it. Either way, patch this one immediately.

I'll use this news item for a general comment on all the patching news in this issue: I think it is pretty clear that the time between releases of new versions of software (and AI model updates count as software) has shortened so much that Secure Software Development advances have not been able to keep up with the advances bad guys have made in finding non-trivial vulnerabilities. The patch curve will not flatten anytime soon; faster patching is already badly needed since the reality is that test time is not going to increase before vendors release new versions and enterprises move the insufficiently tested versions to production use.

Don't overlook these updates for Zoom, Adobe, Ivanti and Fortinet. Dealing with MS Patch Tuesday will likely distract your team from these added updates. Make sure you're checking for updated versions of all the products users are installing.

What can I say? Software needs to stay up to date. Inventory your items and keep things patched.

First and foremost a company must stand behind their product(s). Given the non-responsiveness of the China based company to patch a critical RCE vulnerability, the best thing for users is to switch out the device for one that is properly supported.

Updates aren't available yet. Another excuse to make sure that you're not exposing the management interface to the Internet, ever, let alone failing to review activities by others.

One hopes that those of you using this product know who you are.

The point here is not only were there shared credentials in use, but also those credentials had not been changed in at least a decade. Long-term credentials need to meet all of the 800-63-3 requirements, including breach monitoring and notification, minimum length and uniqueness. Even so, there is still no real substitute for phishing resistant MFA. If you need shared credentials, leverage a PAM type service to check them out when needed and change them immediately afterword.

If you think that you have no choice but to share credentials, please consider Privileged Access Management software. Sharing credentials comes at the cost of accountability, the most important control over privileged insiders.

The NY AG and NY DFS Director have been on a tear these last few years holding organizations accountable for not exhibiting a standard of reasonableness when it comes to protecting information. The is the latest installment. For companies wishing to stay out of the AG and DFS crosshairs, the Center for Internet Security recently published a 'Guide to Defining Reasonable Cybersecurity' that specifies what must be done to meet the standard of reasonable cybersecurity.

Initial estimates were that he'd defrauded the bank $5 million and this has since been reduced to $1.2 million, which he is expected to repay. The Justice Department is taking a zero-tolerance stance on selling stolen identities, and is upping cooperation with other law enforcement agencies to stop those attempting this type of activity.

We will continue to receive such reminders to use strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) until we get it done.

Congratulations to law enforcement. That said, with time already served, he has just over a year left. More interesting is whether the $1.2M will be repaid.