Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

The recently released No Time to Die lowers the curtain on the Daniel Craig era. With that in mind, let’s run through all five of his Bond outings from a cybersecurity perspective — you’ll be shaken, but hopefully not stirred, by our findings. What unites the movies, aside from Craig himself, is a complete lack of understanding of cybersecurity basics by the movies’ MI6 employees. Whether the oversight is deliberate (highlighting the outdatedness of Bond and the whole 00 section concept) or due to the incompetence of the scriptwriters and a lack of cyberconsultants is not clear. Whatever the case, here’s a look at some of the absurdities we spotted in the films, in order of appearance. Spoiler alert!

Casino Royale

In Craig’s first Bond movie, we see the following scene: Bond breaks into the house of his immediate superior, M, and uses her laptop to connect to some kind of spy system to find out the source of a text message sent to a villain’s phone. In reality, Bond could only do that if:

- MI6 does not enforce an automatic screen lock and logout policy, and M leaves her laptop permanently on and logged in;
- MI6 does not enforce the use of strong passwords, and M’s passwords are easily guessable;
- M does not know how to keep her passwords secret from her colleagues, or she uses passwords that were compromised.

Any one of these scenarios spells trouble, but the third is the most likely one; a little later in the story, Bond again logs in remotely to a “secure website” using M’s credentials.

Bond’s password attitude is no better. When he needs to create a password (of at least six characters) for the secret account that will hold his poker winnings, he uses the name of a colleague (and love interest), Vesper. What’s more, the password is actually a mnemonic corresponding to a number (like the outdated phonewords for remembering and dialing numbers on alphanumeric keypads). It is effectively a 6-digit password, and based on a dictionary word at that.

Quantum of Solace

The least computerized of the last five Bond movies, Quantum of Solace nonetheless includes a moment worthy of attention here. Early in the film, we learn that Craig Mitchell, an MI6 employee of eight years — five as M’s personal bodyguard — is actually a double agent.

Of course, that’s an old-school security issue rather than the cyber kind. However, M’s carelessness with passwords, as seen in the previous film, suggests MI6’s secrets may well be in the hands of cat-stroking supervillains the world over.

Skyfall

At the other end of the cyberspectrum lies Skyfall, the most computerized of the five. Here, information security lies at the very heart of the plot. The cybermadness is evident from scene one. For convenience, we’ll break down our analysis chronologically.

Data leak in Istanbul

An unknown criminal steals a laptop hard drive containing “the identity of every NATO agent embedded in terrorist organizations across the globe.” Even MI6’s partners do not know about the list (which moreover does not officially exist). The very idea of such a drive is already a massive vulnerability. Let’s assume that the database is vital to MI6 (it is). What, then, was it doing in a safe house in Istanbul, protected by just three agents? Even if the drive is, as we’re told, encrypted and alerts MI6 of any decryption attempt?

Cyberterrorist attack on SIS

The first real cyberincident crops up a bit later: a cyberterrorist attack on the headquarters of the British Secret Intelligence Service. The attacker tries to decrypt the stolen drive — seemingly, according to the security system, from M’s personal computer. The defenders desperately try to shut down the computer, but the evildoers blow up the SIS building on the bank of the Thames. The ensuing investigation reveals that the assailant hacked into the environmental control system, locked out the safety protocols, and turned on the gas; but before doing so, they hacked M’s files, including her calendar, and extracted codes that make decrypting the stolen drive a question of when, not if.

Let’s assume the alert from the stolen drive on M’s computer represented an attempt at disinformation or trolling (after all, the drive could not have been in the building). And let’s ignore questions about the building’s gas supply — who knows, maybe MI6 corridors were lit with Jack-the-Ripper-era gas lanterns; Britain is a land of traditions, after all. In any case, hacking the engineering control systems is perfectly doable. But how did the engineering control systems and M’s computer — supposedly “the most secure computer system in Britain” — end up on the same network? This is clearly a segmentation issue. Not to mention, storing the drive decryption codes on M’s computer is another example of pure negligence. They might at least have used a password manager.

Cyberbullying M

The perpetrators tease M by periodically posting the names of agents in the public domain. In doing so, they are somehow able to flash their messages on her laptop. (There seems to be some kind of backdoor; otherwise how could they possibly get in?) But MI6’s experts are not interested in checking the laptop, only in tracing the source of the messages. They conclude it was sent by an asymmetrical security algorithm that bounced the signal all over the globe, through more than a thousand servers. Such a tactic may exist, but what they mean by “asymmetrical security algorithm” in this context is about as clear as mud. In the real world, an asymmetric encryption algorithm is a term from cryptography; it has nothing to do with hiding a message’s source.

Insider attack on MI6

Bond locates and apprehends the hacker (a former MI6 agent by the name of Silva), and takes him and his laptop to MI6’s new headquarters, unaware that Silva is playing him. Enter Q: nominally a quartermaster, functionally MI6’s hacker-in-chief, actually a clown. Here, too, the reasoning is not entirely clear. Is he a clown because that’s funny? Or was the decision another consequence of the scriptwriters’ cybersecurity illiteracy?

The first thing Q does is connect Silva’s laptop to MI6’s internal network and start talking gobbledygook, which we will try to decipher:

“[Silva]’s established failsafe protocols to wipe the memory if there’s any attempt to access certain files.”

But if Q knows that, then why does he continue to analyze Silva’s data on a computer with such protocols installed? What if the memory gets erased?

“It’s his omega site. The most encrypted level he has. Looks like obfuscated code to conceal its true purpose. Security through obscurity.”

This is basically a stream of random terms with no unifying logic. Some code is obfuscated (altered to hinder analysis) using encryption — and why not? But to run the code, something has to decipher it first, and now would be a good time to figure out what that something is. Security through obscurity is indeed a real-life approach to securing a computer system in which, instead of robust security mechanisms, security relies on making data hard for would-be attackers to puzzle out. It’s not the best practice. What exactly Q is trying to convey to viewers is less than clear.

“He’s using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes.”

This is more nonsense. Where the code is, and how Q is trying to access it, is anyone’s guess. If he’s talking about files, there’s the risk of memory erasure (see the first point). And it’s not clear why they can’t stop this mythical engine and get rid of the “code mutation” before trying to figure it out. As for polymorphism, it’s an obsolete method of modifying malicious code when creating new copies of viruses in the strictest sense of the word. It has no place here.

Visually, everything that happens on Silva’s computer is represented as a sort of spaghetti diagram of fiendish complexity sprinkled with what looks like hexadecimal code. The eagle-eyed Bond spots a familiar name swimming in the alphanumeric soup: Granborough, a disused subway station in London. He suggests using it as a key. Surely a couple of experienced intelligence officers should realize that a vital piece of information left in plain sight — right in the interface — is almost certainly a trap. Why else would an enemy leave it there? But the clueless Q enters the key without a murmur. As a result, doors open, “system security breach” messages flash, and all Q can do is turn around and ask, “Can someone tell me how the hell he got into our system?!” A few seconds later, the “expert” finally decides it might make sense to disconnect Silva’s laptop from the network.

All in all, our main question is: Did the writers depict Q as a bumbling amateur on purpose, or did they just pepper the screenplay with random cybersecurity terms hoping Q would come across as a genius geek?

Spectre

In theory, Spectre was intended to raise the issue of the legality, ethics, and safety of the Nine Eyes global surveillance and intelligence program as an antiterrorism tool. In practice, the only downside of creating a system such as the one shown in the film is if the head of the Joint Secret Service (following the merger of MI5 and MI6) is corrupted — that is, if, as before, access to the British government’s information systems is obtained by an insider villain working for Bond’s sworn enemy, Blofeld. Other potential disadvantages of such a system are not considered at all.

As an addition to the insider theme, Q and Moneypenny pass classified information to the officially suspended Bond throughout the movie. Oh, and they misinform the authorities about his whereabouts. Their actions may be for the greater good, but in terms of intelligence work, they leak secret data and are guilty of professional misconduct at the very least.

No Time To Die

In the final Craig-era movie, MI6 secretly develops a top-secret weapon called Project Heracles, a bioweapon consisting of a swarm of nanobots that are coded to victims’ individual DNA. Using Heracles, it is possible to eliminate targets by spraying nanobots in the same room, or by introducing them into the blood of someone who is sure to come into contact with the target. The weapon is the brainchild of MI6 scientist and double agent (or triple, who’s counting?) Valdo Obruchev. Obruchev copies secret files onto a flash drive and swallows it, after which operatives (the handful who weren’t finished off in the last movie) of the now not-so-secret organization Spectre break into the lab, steal some nanobot samples and kidnap the treacherous scientist.

We already know about the problems of background checks on personnel, but why is there no data loss prevention (DLP) system in a lab that develops secret weapons — especially on the computer of someone with a Russian surname, Obruchev? (Russian = villain, as everyone knows.)

The movie also mentions briefly that, as a result of multiple leaks of large amounts of DNA data, the weapon can effectively be turned against anyone. Incidentally, that bit isn’t completely implausible. But then we learn that those leaks also contained data on MI6 agents, and that strains credulity. To match the leaked DNA data with that of MI6 employees, lists of those agents would have to be made publicly available. That’s a bit far-fetched.

The cherry on top, meanwhile, is Blofeld’s artificial eye, which, while its owner was in a supermax prison for years, maintained an around-the-clock video link with a similar eye in one of his henchmen. Let’s be generous and assume it’s possible to miss a bioimplant in an inmate. But the eye would have to be charged regularly, which would be difficult to do discreetly in a supermax prison. What have the guards been doing? What’s more, at the finale, Blofeld is detained without the eye device, so someone must have given it to him after his arrest. Another insider?

Instead of an epilogue

One would like to believe all those absurdities are the result of lazy writing, not a genuine reflection of cybersecurity practice at MI6. At least, we hope the real service doesn’t leak top-secret weapons or store top-secret codes in cleartext on devices that don’t even lock automatically. In conclusion, we can only recommend the scriptwriters raise their cybersecurity awareness, for example by taking a cybersecurity course.

 Incident Response, Learnings

Vladimir Dunaev, 38, was a member of a cybercriminal organization that deployed a computer banking trojan and ransomware suite of malware known as “Trickbot”, the Justice Department said.

 Trends, Reports, Analysis

Akamai released a study into the evolving threat landscape for application programming interfaces (APIs), which according to Gartner will be the most frequent online attack vector by 2022.

 Trends, Reports, Analysis

The global electric utility sector is facing an increasingly dangerous cyberthreat landscape, even though there hasn’t been a publicly witnessed disruptive attack over the past five years.

 Security Culture

In the online training sessions, law enforcement officers learned about stalkerware and its installation methods along with different ways to detect it without compromising the safety of a victim.

 Malware and Vulnerabilities

Microsoft has reported new variants of WizardUpdate, a macOS malware, that has been upgraded once again with new evasion and persistence tactics. The evasion features cover its tracks by deleting created folders, files, and other artifacts on the targeted systems. Security analysts advise not to download any software or updates from a third-party download source to stay safe.

 Malware and Vulnerabilities

Cisco Talos warned against SquirrelWaffle malware that is spreading quickly via spam campaigns. Experts believe it has the potential to become the next big threat in the spam space. Hackers use the DocuSign signing platform as a lure to fool targeted users into enabling macros in their MS Office suite. Analysts suggest that SquirrelWaffle may be a new malware in town but has the potential to become a menace in the coming days.

 Feed

Ubuntu Security Notice 5126-2 - USN-5126-1 fixed a vulnerability in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Kishore Kumar Kothapalli discovered that Bind incorrectly handled the lame cache when processing responses. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Various other issues were also addressed.

 Feed

Ubuntu Security Notice 5126-1 - Kishore Kumar Kothapalli discovered that Bind incorrectly handled the lame cache when processing responses. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service.

 Feed

Graudit is a simple script and set of signature files that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT, and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

 Feed

Red Hat Security Advisory 2021-3915-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

 Feed

Google on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild. Tracked as CVE-2021-38000 and CVE-2021-38003, the weaknesses relate to insufficient validation of untrusted input in a feature called Intents as well as a case of inappropriate implementation in V8 JavaScript and

 Feed

A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group. Court documents showed that Vladimir Dunaev, 38, along with other members of the transnational, cybercriminal organization, stole money and

 Feed

An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. Notably, the global mobile

 Feed

Microsoft on Thursday disclosed details of a new vulnerability that could allow an attacker to bypass security restrictions in macOS and take complete control of the device to perform arbitrary operations on the device without getting flagged by traditional security solutions. Dubbed "Shrootless" and tracked as CVE-2021-30892, the "vulnerability lies in how Apple-signed packages with

 Feed

Winter is Coming for CentOS 8—but here is how you can enjoy your holidays after all. The server environment is complex and if you're managing thousands of Linux servers, the last thing you want is for an operating system vendor to do something completely unexpected. That is exactly what Red Hat, the parent company of the CentOS Project, did when it suddenly announced a curtailment of support for

 Guest blog

What did your kids get up to under lockdown? Were they in their bedrooms doing online schooling? Maybe playing video games and streaming TV shows? Or were they masterminding a "sophisticated fraud" that would net them millions of pounds worth of cryptocurrency? A British teenager who, under lockdown from his bedroom, created a fake website which stole account details from unsuspecting internet users has had £2.1 million (US $2.89 million) worth of cryptocurrency seized by the police. Read more in my article on the Hot for Security blog.

2021-10
Aggregator history
Friday, October 29