Cybersecurity News Week in Review: ZIP file passwords, Uninsurable hacks, Twitter’s cybersecurity

This week’s Cyber Security Headlines – Week in Review, June 6-10, is hosted by Rich Stroffolino with our guest, John McClure, CISO, Sinclair Broadcast Group

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Encrypted ZIP files can have two correct passwords

Password-protected ZIP archives are a common means of compressing and sharing sets of files, but Arseniy Sharoglazov, a cybersecurity researcher at Positive Technologies, has demonstrated that it is possible for an encrypted ZIP file to have two correct passwords. This vulnerability comes about when passwords are set at more than 64 characters, in which case ZIP hashes the password before using it. Sharoglazov showed that trying a different password of more than 64 characters results in ZIP creating the same hash and therefore accepting the second password as legitimate. A full report on this issue is available at Bleeping Computer, who, incidentally, were able to replicate this procedure.

(Bleeping Computer)
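The mechanism behind the two-password behaviour is the block-size rule in HMAC: a key longer than the hash's 64-byte block is replaced by its digest before anything else happens (RFC 2104), and PBKDF2-HMAC uses the password as that key. The snippet below is an added example, not code from the article or from Positive Technologies; it assumes the WinZip AES-256 layout (PBKDF2-HMAC-SHA1, 1000 iterations, 32-byte AES key + 32-byte HMAC key + 2-byte verifier) and uses constructed password and salt values. It shows that an over-long password and its raw SHA-1 digest derive byte-identical archive keys, and includes the length check a tool could apply to avoid creating such archives.

```python
import hashlib
import hmac
from typing import Optional

# SHA-1 processes 64-byte blocks; HMAC replaces any key longer than one block
# with its SHA-1 digest before proceeding (RFC 2104). PBKDF2-HMAC-SHA1 uses
# the password as the HMAC key, so an over-long password and its raw SHA-1
# digest yield identical derived keys.
SHA1_BLOCK_SIZE = 64

# Constructed sample values; not taken from the research or any real archive.
LONG_PASSWORD = b"correct horse battery staple correct horse battery staple correct!"  # 66 bytes
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte salt


def equivalent_password(password: bytes) -> Optional[bytes]:
    """Return the second password HMAC-SHA1 treats as identical to `password`,
    or None when the password fits in one block and is used unchanged."""
    if len(password) <= SHA1_BLOCK_SIZE:
        return None
    return hashlib.sha1(password).digest()


def derive_zip_key(password: bytes, salt: bytes, key_len: int = 66, iterations: int = 1000) -> bytes:
    """Key derivation as assumed for the WinZip AES-256 scheme: PBKDF2-HMAC-SHA1,
    1000 iterations, producing AES key + HMAC key + 2-byte password verifier."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)


def has_second_password(password: bytes, salt: bytes) -> bool:
    """True when a second, distinct password derives exactly the same keys."""
    alt = equivalent_password(password)
    if alt is None:
        return False
    return alt != password and hmac.compare_digest(
        derive_zip_key(password, salt), derive_zip_key(alt, salt)
    )


def password_is_safe_length(password: bytes) -> bool:
    """Defensive check for an archiver: refuse passwords that will be pre-hashed
    and therefore gain an unintended alias."""
    return len(password) <= SHA1_BLOCK_SIZE


if __name__ == "__main__":
    print(len(LONG_PASSWORD), "byte password has a second password:",
          has_second_password(LONG_PASSWORD, SALT))
    print("Accepted by length policy:", password_is_safe_length(LONG_PASSWORD))
```

The alias is the raw 20-byte SHA-1 digest, so it is only typeable when every byte of that digest happens to be printable; the defensive takeaway is simply that keying material handed to PBKDF2-HMAC-SHA1 should stay at or under 64 bytes.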

White hat hackers broadcast through decommissioned satellite

A group of white hat hackers demonstrated at DEF CON how to take control of a satellite in geostationary orbit. The group used a satellite called Anik F1R, which had been decommissioned in 2020. The group was authorized to perform the hack and had also been given permission and access to an unused uplink facility which included the hardware to connect to a satellite. The group sought to demonstrate how easy it could be to physically take control of decommissioned satellites using software that costs just $300.

(Security Affairs)

State-backed attacks excluded from cyber insurance

The insurance marketplace Lloyd’s of London will introduce exclusions for cyber insurance policies so that they do not cover “catastrophic” state-backed attacks. These exclusions will begin in new policies on March 31, 2023. Lloyd’s warns that all insurance underwriters need to make it extremely clear in policies that state-sponsored attacks fall outside of coverage. This applies regardless of any declared war between two countries. This reflects that state-sponsored attacks often aren’t directly after financial gain, but are frequently the result of geopolitical considerations. This also comes as insurance providers shy away from ransomware coverage as costs increase.

(CSO Online)

Ex-security chief accuses Twitter of cybersecurity negligence

Peiter Zatko, Twitter’s ex-security chief who was fired back in January 2022, has blown the whistle on Twitter’s cybersecurity practices. Zatko filed a complaint with the US Securities and Exchange Commission (SEC) on July 6, alleging that thousands of employee laptops contained full copies of Twitter’s source code. He claims that one-third of those devices blocked automatic security fixes, had firewalls turned off and had non-approved remote access enabled. He also alleges Twitter failed to reliably delete user data after account cancellation. The complaint further states that employees repeatedly installed spyware on their work computers at the request of external organizations. Zatko said Twitter experienced roughly one security incident per week during his two-year tenure and indicated that he “reasonably feared Twitter could suffer an Equifax-level hack.”

(Infosecurity Magazine)

Thanks to today’s episode sponsor, Code42

It’s not just about the data leaving your company – what about the data coming in? Along with departing employees, new talent is also actively joining your organization. This poses cybersecurity challenges since they could be knowingly or unknowingly bringing data from their former company into your network.
Code42 Incydr is an Insider Risk Management SaaS that provides a comprehensive understanding of your data exposure and shows which activities require security intervention. Learn more at Code42.com/showme.

Microsoft reveals Nobelium’s MagicWeb

Security researchers at Microsoft discovered a technique used by the Russian-linked threat group Nobelium to maintain persistent access to compromised networks. Dubbed MagicWeb, this uses a malicious DLL to manipulate claims passed in tokens generated by an Active Directory Federation Services (AD FS) server. This ultimately manipulates existing user authentication certificates. This required Nobelium to first have highly privileged credentials, gain access to a network, and gain admin privileges in Active Directory. Given these conditions, MagicWeb appears highly targeted.

(Microsoft)

Leaky NIC lights defeat air-gaps

Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center at Ben Gurion University, published a new way to exfiltrate data from air-gapped systems called ETHERLED. This uses the LEDs on NICs to send data out of the system up to hundreds of meters away. Data can be sent through simple Morse code or modulated over optical signals. This requires an attacker to breach the system and plant malicious code. In this case, the attack uses undocumented firmware commands to trigger the NIC lights. Suggested countermeasures for the attack include black tape to block the lights.

(The Hacker News)

North Korean malware present at Black Hat

IronNet, a security firm hired to assist at Black Hat’s Network Operations Center, discovered several active malware infections on the network including SHARPEXT, which has been attributed as having direct connections to North Korea’s top leadership. The threat hunters stated that during the conference they observed numerous callouts from four unique hosts to three domains associated with the North Korean malware. This might have been from someone who had SHARPEXT on their machine, bringing it into the conference, or picking it up while there. The SHARPEXT browser extension is typically installed on a victim’s Windows PC once it’s been compromised via some other vulnerability or infection route.

(The Register)
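What the IronNet hunters describe is watchlist matching over network logs: resolve which internal hosts reached known-bad domains, then count hosts and domains. The code below is an added example, not IronNet's tooling or anything from the article; the domains in the watchlist are placeholders (the article names no indicators), and the DNS-style log lines are constructed. It normalizes names (case, trailing dot) and matches subdomains of a watchlisted parent, which is the detail a naive exact-match check misses.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Placeholder watchlist standing in for the three reported domains; these are
# not real indicators from the article.
WATCHLIST: Set[str] = {
    "c2-placeholder-1.example",
    "c2-placeholder-2.example",
    "c2-placeholder-3.example",
}

# Constructed DNS-style log lines: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2022-08-10T09:14:02Z 10.20.1.15 query c2-placeholder-1.example
2022-08-10T09:14:05Z 10.20.1.15 query updates.example.org
2022-08-10T09:15:11Z 10.20.1.42 query c2-placeholder-2.example
2022-08-10T09:16:40Z 10.20.1.15 query C2-Placeholder-1.example.
2022-08-10T09:17:03Z 10.20.3.7 query c2-placeholder-3.example
2022-08-10T09:18:22Z 10.20.1.99 query mail.example.com
2022-08-10T09:19:30Z 10.20.4.8 query c2-placeholder-1.example
2022-08-10T09:20:01Z 10.20.1.42 query cdn.c2-placeholder-2.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def matches_watchlist(name: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlisted domain that `name` equals or is a subdomain of."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_callouts(log_text: str, watchlist: Set[str]) -> Dict[str, object]:
    """Group hosts by the watchlisted domain they reached and count callouts."""
    per_domain: Dict[str, Set[str]] = defaultdict(set)
    callouts = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        _ts, host, name = m.groups()
        matched = matches_watchlist(name, watchlist)
        if matched:
            per_domain[matched].add(host)
            callouts += 1
    return {"per_domain": dict(per_domain), "callouts": callouts}


def summarize(result: Dict[str, object]) -> Dict[str, int]:
    """Collapse the match result into the headline numbers an analyst reports."""
    per_domain = result["per_domain"]
    hosts = set().union(*per_domain.values()) if per_domain else set()
    return {
        "callouts": result["callouts"],
        "unique_hosts": len(hosts),
        "domains_hit": len(per_domain),
    }


if __name__ == "__main__":
    result = find_callouts(SAMPLE_LOG, WATCHLIST)
    print(summarize(result))
    for domain, hosts in sorted(result["per_domain"].items()):
        print(domain, "<-", ", ".join(sorted(hosts)))
```

On the constructed log this reports six callouts from four unique hosts to three domains; the mixed-case query with a trailing dot and the `cdn.` subdomain both land on the right watchlist entry.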

The Pentagon may require vendors to certify their software as free of known flaws

The House of Representatives’ software vulnerability provision from within the massive 2023 National Defense Authorization Bill — passed July 14 — continues to divide the cybersecurity community. The debate boils down to whether the requirement is unnecessary and impossible to achieve or is a game-changing move that will begin holding software vendors accountable for selling faulty technology. The Biden Administration’s position is that the software industry should emulate the automotive industry, where “manufacturers retain ownership and responsibility” through the life of the vehicle, said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. But cybersecurity executive Dan Lorenc argues there’s no such thing as vulnerability-free software.

(CyberScoop)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.