EU: DNS4EU Public Resolver Aids GDPR Compliance, Cyber Blueprint Clarifies Crisis Management; US: FAA Urges 21st-Century Air Traffic Control System

The DNS4EU public resolver is intended to address specific challenges posed by European regulations like GDPR and NIS2. Whenever you select a default recursive resolver, be aware that this resolver will be able to gain insight into your traffic patterns. Trust in the entity operating the resolver is most important. Performance is pretty close between all resolvers, and the performance of any filtering features if selected is also typically not significantly different between any of the free solutions.

Johannes Ullrich

I think having this as an alternative to the existing choices is a great idea, of course assuming that the services will be secure and scalable. Adoption may be low but making DNS information more private has many positives.

John Pescatore

This service is competing with Google (8.8.8.8) and Cloudflare (1.1.1.1) public DNS resolver, adding in GDPR privacy requirements, such as keeping the data within European borders and anonymizing client data, offering five different service options which range from unfiltered to bad site protections, ad blocking, and child protection. If you're in the EU, this may be an easy win, particularly for home users.

Lee Neely

Two ways to look at this. You either believe that the EU will save your data or you will believe that private corporations will safeguard your data. Either way there will be opposing views on either side. Personally, it's nice to see that there are alternatives for those who don't trust private companies.

Moses Frost

This is a very positive move by the EU particularly as many EU-based organisations are looking to improve their data sovereignty and reduce their reliance on non-EU technologies and technology providers. Something which I discussed in this recent opinion piece: https://www.irishexaminer.com/opinion/commentanalysis/arid-41639308.html

Brian Honan

This is a follow-on to the draft recommendation from February of this year which built upon their 2017 cybersecurity blueprint. If you're in the EU, or doing business with them, take a minute to read the 20-page recommendation as it includes preventative, reporting, and response recommendations which you want to start getting your arms around now, rather than waiting for a crisis or regulator finding.

Lee Neely

Consider this as a control system, not a general-purpose IT system. As such, replacing this system is going to be difficult; even though the agency has set a four-year timeline, the system is 24x7x365, and outages compromise aviation safety. They are also seeking to replace their radar system and move from point-to-point hardwired circuits to an IP based network. Consideration needs to be given to not only the security of the resulting system, encryption, MFA, monitoring, and maintenance, but also the use cases. For example, do operators individually login to workstations, or are shared accounts used due to the risks relating to logging in and out? That may be a scenario which cannot be changed.

Lee Neely

I can't help but point out that the last Ò21st Century FCC Air Traffic Control' push started in 2004É All I hope for this one is that the FAA will require phishing resistant multi-factor authentication for all access immediately so at least that might be in place for the next next-generation ATC announcement.

John Pescatore

It's hard to believe that well into the 21st century we are still using floppy disks to manage some of our critical infrastructure. Windows 95, I hope you still have four years left in you until the project completes, if it completes.

Curtis Dukes

Where do you begin when the operating system in vogue is from 30 years ago? I guess it's a testament to the fact that Windows 95, which is a very strange operating system when you look at its internal handling of process execution, is still running in use. I do wonder where they source floppy disks since those must be going bad by now? Also, what hardware is this on? With the amount of money we spend on certain things you would figure we could modernize this. Who knows, maybe the upgrade will be to Windows 7, that was a pretty good one too.

Moses Frost

This is disruptive and highly selective, representing a modification of broad disruptive behavior common to Russian APTs and is, not surprisingly, targeting Ukrainian critical infrastructure. PathWiper deployment is currently predicated on already having access to victims' systems. The takeaway here is to make sure that your threat hunters have the IOCs for PathWiper and your EDR and Email security tools can detect/block it.

Lee Neely

Rhode Island based UNFI is the primary supplier for Whole Foods and is considered the largest health food and specialty food supplier in the US and Canada. No ransomware gang is taking credit for this attack, nor has UNFI disclosed any breached data. Their response plan, while resulting in offline systems, has minimized impact to customers, suppliers/etc. In case you missed it, the food industry is being targeted, to include Sam's Club, JBS Foods, Ahold Delhaize USA, Dole, Sysco, Mondelez and Americold. This could be a chance to see how ideas you have for a response plan work in a real scenario.

Lee Neely

As we start building more factories in the US, I hope we can start to look at securing those environments from jump. I fear that we will probably just panic and connect everything to a flat network. A friend of mine used to say, never time to do it right, always time to do it over.

Moses Frost

Here's where details on the recent Marks & Spencer and Co-op cyber intrusions would be helpful. Was the root cause a missing patch or system misconfiguration? Is it a concerted attack on last mile food distribution companies, or just a target of opportunity? I suspect the latter and likely a ransomware gang at work.

Curtis Dukes

Of note here is that the phishing emails were sent from a previously compromised government email account, making them seem trustworthy. We need to help our users look beyond just the sending email address when determining message legitimacy, as well as support them with email security tools which automatically block bad sites and questionable messages. Make sure any password recovery services are using current validation processes; the old model of answering security questions isn't. HFS is providing users with guidance on how to file fraud alerts and freeze their credit rather than offering ID theft/credit monitoring services.

Lee Neely

I hope that 'Department of Innovation and Technology (DoIT)' is a typo and it is really Dept. of IT - recommending password resets and reminding users about phishing is *not* effective, let alone innovative. Use every phishing event to get backing to move to eliminate all use of reusable passwords.

John Pescatore

No amount of anti-phishing training is going to stop a momentary lapse in judgement by an employee. In 2021 with the release of version 8 of the Critical Security Controls, CIS elevated the importance of Data Protection, making it Control 3. Revisit your cybersecurity program and data protection safeguards using the CIS critical security controls as a resource.

Curtis Dukes

Another prime example of why MFA should be deployed as much as possible.

Brian Honan

That is amazingly quick. Kettering Health should be commended not only for having eradicated the ransomware but also for implementing improvements to prevent recurrence. The question is: will those improvements remain in place or be rolled back to operational necessities? Make sure you're incorporating operational use cases when making security improvements, enlisting top down support for cultural changes, to avoid a roll-back or do over. Even so, always have a Plan B in your hip pocket.

Lee Neely

Kudos to Kettering Health for their openness regarding this attack. Hopefully it highlights to many that the recovery from a ransomware attack, whether you pay the ransom or not, is a significant impact and takes a lot of time and resources to do properly.

Brian Honan

This attack no longer works, and requires both the Google account display name, from Looker Studio, and the 'forgot password' form to grab the masked phone number, which was used to derive the user's country, as well as phone hint (last two digits of phone number). Interesting was the time to brute force numbers which ran from 5 seconds for Singapore and 15 second for the Netherlands, to 20 minutes for the US. Once you have the number, you still need to complete a SIM swap attack to take control of the phone number, but with that the account phone number could then be used to reset any account password tied to it. Another reason to move away from SMS and phone-based user validation. Review accounts which still have the capability for opportunities to move to stronger options.

Lee Neely

I wonder how someone even discovers this in the wild. Is it by accident or did they just look at all manner of things? These are fascinating discoveries honestly.

Moses Frost

The evidence is in an irrefutable; bug bounty programs work and are quite the value proposition compared to the alternative. Kudos to 'brutecat' for doing the responsible thing and not selling out to the dark side for more money.

Curtis Dukes

Beware malware in NPM clothing. Make sure you include security testing and analysis to your SOP, whether you're getting packages from an external repository or using generated code. I still remember the call from a developer who accidentally initiated a privileged rm command from the wrong directory. Not a bad scenario to add to your tabletop, as you may find some gaps or missing steps in your recovery processes you wish to rectify.

Lee Neely

Patches for CVE-2024-21762, CVSS score 9.8, were released in February 2024, while fixes to CVE-2024-5559, CVSS score 9.8, were released in January of this year. Make sure you're on top of your Fortinet and other boundary protection device updates. With the impacts to many health care providers' systems, now is a good time to check to see if they are looking for help such as blood donations, needed to shore up and work around impacted services.

Lee Neely

It's a day that ends in 'y,' so that means ransomware groups are going after probably another zero day or unpatched vulnerability in exposed firewall/VPN products. I mean honestly this year it feels that way. It will be another vendor tournament at some point. Just wait for the pile on.

Moses Frost