Rather than exploring a single topic, this article examines several recent cyber security-related reports and interesting issues that may be slightly under the radar and warrant additional exposure.
Here's what's happening in cybersecurity - just in case you missed it.
The ji32k7au4a83 Issue
Unfortunately, we are still using passwords to access computer systems, websites, etc. CISOs have cajoled, persuaded and coaxed their user base into using non-dictionary, hard-to-guess passwords. We require users to generate passwords that are at least eight characters in length and contain a mixture of upper case, lower case, numeric and special characters. Rather than simple passwords, we urge users to construct passphrase mnemonics like “1n33d@cc3$$”.
A December 2018 Gizmodo article cites “The 2018 Worst Passwords of the Year” as determined by SplashData, which evaluated over 5 million passwords that leaked online during 2018. The top two slots have been left unchanged for the fifth year in a row. They are, maddeningly, “123456” and “password.” The next five consecutive spots were other assortments of numbers (“123456789” and “111111”, for instance).
Following the guidelines for creating secure passwords, you would think that “ji32k7au4a83” is a fairly secure password. It is more than eight characters long and is a mixture of seemingly random alphabetic and numeric symbols. In fact, “ji32k7au4a83” reportedly “has appeared in 141 data breaches, as cataloged by the site Have I Been Pwned? and spotted by Gizmodo.”
The obvious question is how so many people ended up using this one password.
The answer is that on a “Taiwanese keyboard with the Zhuyin Fuhao layout, the string spells out 我的密碼, or ‘wǒ de mìmǎ,’ which means ‘my password’ in Mandarin.” While ji32k7au4a83 (“my password”) has come up in 141 data breaches, au4a83 (which simply means “password”) has shown up 1,495 times. So much for a secure password!
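The lesson of ji32k7au4a83 is that character-class rules cannot tell a random string from a keyboard-layout transliteration of a common phrase; only a check against breach data can. The following added example (not from the article) shows the k-anonymity style lookup that Have I Been Pwned? popularised, run entirely offline against a constructed breach list that uses the 141 and 1,495 counts quoted above; the other entries and counts are made-up filler, and the complexity rule is a simplified stand-in for the policy described in the text.

```python
import hashlib

# Constructed breach data. The two Zhuyin strings carry the counts cited in
# the article; the remaining entries and counts are filler, not real figures.
BREACHED_PASSWORDS = {
    "ji32k7au4a83": 141,     # "my password" typed on a Zhuyin layout
    "au4a83": 1495,          # "password" on the same layout
    "123456": 900_000,       # filler count
    "password": 800_000,     # filler count
}

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_ranges(breached: dict) -> dict:
    """Group hashes by their first five hex digits, the way a k-anonymity
    range service serves them: prefix -> [(suffix, count), ...]."""
    ranges: dict = {}
    for pw, count in breached.items():
        h = sha1_upper(pw)
        ranges.setdefault(h[:5], []).append((h[5:], count))
    return ranges

RANGES = build_ranges(BREACHED_PASSWORDS)

def breach_count(password: str, ranges: dict = RANGES) -> int:
    """How often the password appears in the breach data. Only the 5-char
    prefix would be sent to a remote range service; the suffix comparison
    happens on the client, so the full hash never leaves it."""
    h = sha1_upper(password)
    for suffix, count in ranges.get(h[:5], []):
        if suffix == h[5:]:
            return count
    return 0

def meets_complexity(password: str) -> bool:
    """Simplified stand-in for the classic rule set: eight-plus characters
    with both letters and digits. ji32k7au4a83 passes this easily."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def password_verdict(password: str) -> str:
    """Apply the complexity rule first, then the breach-list check that
    actually catches ji32k7au4a83."""
    if not meets_complexity(password):
        return "reject: fails complexity rules"
    n = breach_count(password)
    if n:
        return f"reject: seen {n} times in breach data"
    return "accept"
```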
Rather than a bovine afflicted with insects, BuggyCow is a macOS security flaw uncovered by Google’s Project Zero security team. The flaw's name is based on a “loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory.
Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory.”
Google advised Apple of the flaw in November 2018 and gave them 90 days to fix it. With no fix in sight 94 days later, the vulnerability was disclosed to the world. The flaw affects anyone with an Apple desktop or laptop, but exploiting it takes a great deal of technical expertise and prior access. See the Wired magazine article for a complete description of the flaw.
In a February 27, 2019 press release, Akamai issued its 2019 State of the Internet/Security: Retail Attacks and API Traffic report. The report finds that hackers directed credential abuse attempts at retail sites more than 10 billion times from May to December 2018, making retail the most targeted segment studied.
The report also spotlights two other pressing security concerns: the preponderance of API-call traffic on the web and the apparent misrepresentation of IPv6-based traffic. You can access the complete report for more information here.
Y2K All Over Again?
Lurking in older Global Positioning System (GPS) receivers is a Y2K-type hard-coded date rollover issue. The current week number is encoded into the navigation message transmitted from the satellites to GPS receivers using a 10-bit field, allowing for a limited numeric week range from zero to 1023.
The current count started on August 22, 1999, and will roll back to zero on April 6, 2019, when it will begin counting up to 1023 again.
While most modern GPS receivers shouldn't be affected by this (devices that conform to IS-GPS-200 and provide UTC will be fine), testing carried out by the US Department of Homeland Security (DHS) showed that there is a possibility that some will interpret this rollover as the date shifting back to January 6, 1980, or possibly some other incorrect date. CISOs for organizations using GPS should ensure their systems conform to the IS-GPS-200 standard. See this article for more details.
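To make the rollover concrete, here is an added example (not from the article) that decodes the 10-bit week field two ways: the naive decode a hard-coded receiver performs, which is exactly how week 0 turns into the January 6, 1980 date DHS observed, and an ambiguity-resolving decode that picks the first 1024-week cycle landing on or after a date the receiver knows is in the past, such as its firmware build date. The January 6, 1980 epoch, the 1024-week cycle and the week-0 dates of August 22, 1999 and April 7, 2019 (the field wraps at the end of April 6 UTC) are published GPS facts; the firmware date is an assumed input.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)      # start of GPS week 0 (first cycle)
WEEK_FIELD_MODULUS = 1024         # the 10-bit week field wraps at 1024

def _check_field(week10: int) -> None:
    if not 0 <= week10 < WEEK_FIELD_MODULUS:
        raise ValueError("GPS week field is 10 bits (0..1023)")

def decode_week_naive(week10: int, epoch: date = GPS_EPOCH) -> date:
    """What a receiver with one hard-coded epoch does: the 10-bit value is
    taken at face value, so week 0 always decodes to the epoch itself."""
    _check_field(week10)
    return epoch + timedelta(weeks=week10)

def decode_week_resolved(week10: int, not_before: date) -> date:
    """Resolve the 1024-week ambiguity by choosing the first cycle whose
    week start is on or after a date the receiver knows has already passed
    (assumed here to be its firmware build date)."""
    _check_field(week10)
    cycle = 0
    while True:
        weeks = cycle * WEEK_FIELD_MODULUS + week10
        candidate = GPS_EPOCH + timedelta(weeks=weeks)
        if candidate >= not_before:
            return candidate
        cycle += 1

def rollover_demo(firmware_date: date = date(2019, 1, 1)) -> dict:
    """Decode the week-0 value broadcast after the April 2019 rollover."""
    return {
        "naive_1980_epoch": decode_week_naive(0).isoformat(),
        "naive_1999_epoch": decode_week_naive(0, date(1999, 8, 22)).isoformat(),
        "resolved": decode_week_resolved(0, firmware_date).isoformat(),
    }

if __name__ == "__main__":
    for label, value in rollover_demo().items():
        print(f"{label:>18}: {value}")
```

Run against week 0, the naive decoders report 1980-01-06 or 1999-08-22 depending on which epoch was compiled in, while the resolved decode returns 2019-04-07.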
The US Senate Permanent Subcommittee on Investigations Released an Equifax Report
The report, titled How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach, provides a decent technical discussion of Equifax's shortcomings, such as:
- Not following their own system security patching policies
- Poor cybersecurity practices
- Failing to identify systems using Apache Struts
- Not minimizing the impact of the breach
The report can be accessed for complete information on the U.S. Senate's findings.
Symantec 2019 Internet Security Threat Report
ICYMI, the Symantec report is well worth reading. Symantec boasts that it has the largest civilian threat intelligence network with which it records events from 123 million attack sensors worldwide in more than 157 countries and blocks 142 million threats daily.
The latest common attack methodology is “formjacking,” which is simple for criminals to carry out and lucrative.
The RSA Conference took place at the Moscone Center in San Francisco March 4 – 8, 2019. Things started off badly for the conference when Adi Shamir, the “S” in RSA, could not secure a tourist visa to attend the conference!
There were numerous negative comments from conference attendees on LinkedIn regarding the exhibitors and the exhibition floor. A TechCrunch article, The Infosec Reckoning Has Arrived, states that “tens of thousands of security professionals will descend upon San Francisco, making their way through a labyrinth of security solutions on display at the RSA Conference in a quest to find a solution that fits their specific needs. In their way stand 650 exhibitors, a cacophony of booth distractions ranging from delightful to distasteful, buzzwords assaulting their eyes in hundred-point font offering a cure for the latest and most vicious threats – threats that are more likely fantasy than reality for most attendees.”
The issue is that there is a significant disconnect between the real-life problems facing security professionals and the problems that most security vendors claim to be solving.
Citrix Security Breach
Rounding out this ICYMI article is Citrix's recent security breach disclosure:
“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network. While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”
Hackers reportedly exfiltrated 6TB of data.
Remember: Stay Vigilant!
We are faced with a daily, never-ending barrage of cyber security-related data: security product bugs, massive data breaches, the latest attack trends, etc.
As CISOs, we live and work in an extremely interesting environment and landscape that changes by the minute!