Cyber Security Today, Week in Review for week ending Friday, April 12, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 12th, 2024. I’m Howard Solomon.

In a few minutes David Shipley, head of Beauceron Security, will be here to discuss recent news. We’ll talk about more hot water for Microsoft, a second look at the scare facing the Linux community, an alert to the healthcare sector on IT help desk scams and a warning to LG smart TV owners.

Before we get to the discussion, here are other highlights from this week:

LastPass released a report describing a deepfake audio call to an employee impersonating its CEO.

Classes at New Mexico Highlands University remain cancelled because of a ransomware attack that started April 3rd. Classes will resume this coming Monday, April 15th. Despite the loss of over a week of classes the university term won’t be extended. Graduation ceremonies will continue as scheduled.

On Tuesday the social media site that used to be Twitter began automatically modifying links in tweets that mention “twitter[.]com” to read “x[.]com.” It was another step in the re-branding of the service now called X. But the link modification strategy backfired. According to security reporter Brian Krebs, at least 60 new domains were quickly registered with names that end in “twitter[.]com.” The goal for some of these new domains was to scam internet users. So someone was smart enough — or devious enough — to create “fedetwitter[.]com”, which became “fedex.com” in tweets. Most of the new domains were registered by people who realized this mess was possible and wanted to prevent the domains from being created by scammers. But as a result of the mess X stopped rewriting any domain ending in “twitter[.]com.”
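The failure above comes from treating a hostname as a plain string: a substring swap of “twitter.com” for “x.com” matches the tail of “fedetwitter.com” too. The following is an added illustration, not X’s code and not from Brian Krebs’ report; the sample links are constructed for the demonstration. It puts a naive substring rewrite beside one that parses the URL and only rewrites the host when it is exactly twitter.com or a subdomain of it.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample links (not from the page). The third one is the
# lookalike pattern described above: a host that merely ENDS in "twitter.com".
SAMPLE_LINKS = [
    "https://twitter.com/user/status/1",
    "https://mobile.twitter.com/user",
    "https://fedetwitter.com/track",
    "https://example.com/?next=twitter.com",
]


def naive_rewrite(link: str) -> str:
    """Substring replacement with no notion of domain labels.

    This reproduces the bug: "fedetwitter.com" is rendered as "fedex.com",
    and a query string that merely mentions twitter.com is altered as well.
    """
    return link.replace("twitter.com", "x.com")


def is_twitter_host(host: str) -> bool:
    """True only for twitter.com itself or a label under it (label boundary
    enforced by requiring the dot), so lookalikes never match."""
    host = host.lower().rstrip(".")
    return host == "twitter.com" or host.endswith(".twitter.com")


def safe_rewrite(link: str) -> str:
    """Parse the URL, decide on the registrable host, rebuild the link.

    Only the host component is considered and only an exact domain match
    (or a subdomain) is rewritten; path, query and fragment are untouched.
    """
    parts = urlsplit(link)
    host = (parts.hostname or "").lower().rstrip(".")
    if not is_twitter_host(host):
        return link  # unrelated host or lookalike: leave the link alone
    # Keep any subdomain prefix, swap only the registrable suffix.
    new_host = host[: -len("twitter.com")] + "x.com"
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def compare(links):
    """Return (original, naive, safe) triples so the two behaviours can be
    inspected side by side."""
    return [(link, naive_rewrite(link), safe_rewrite(link)) for link in links]


if __name__ == "__main__":
    for original, naive, safe in compare(SAMPLE_LINKS):
        print(f"{original}\n  naive: {naive}\n  safe:  {safe}")
```

The hardened version drops userinfo from the authority section, which is acceptable for a display-layer rewrite; the point is that the decision is made on the parsed hostname, with the dot in `.twitter.com` enforcing a label boundary, rather than on the raw text of the link.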

AT&T is notifying over 51 million customers that personal information being peddled on the internet came from the company. It had said in March that information on 73 million customers was involved. The difference, AT&T told Bleeping Computer, is that some people had multiple accounts.

The U.S. National Security Agency released an information sheet to help organizations implement a zero trust data protection strategy. I’m not going to repeat all of the recommendations, but it does remind IT leaders that a zero trust strategy is “centred on protecting an organization’s data through constant verification.” An essential element of this is effective cataloging, labeling and encrypting of data to limit data breaches. There’s a link to the document in the text version of this podcast at TechNewsday.com.

The U.S. Cybersecurity and Infrastructure Security Agency’s malware analysis service is now open to any IT department and security researcher who wants to submit suspect code. Until now the Malware Next-Gen portal was available only to governments and the U.S. military. You do have to register to use it.

Finally, Fortinet released security updates for multiple products including its FortiOS operating system, and the FortiProxy and FortiClient Linux applications. The vulnerability in FortiClient Linux is rated as critical and needs to be patched fast.

(The following is an edited transcript of the first of four discussion topics. To get the rest of the talk play the podcast)

Howard: Last week, as you may recall, the Cyber Safety Review Board released a report highly critical of Microsoft into the ability of a threat actor to forge a counterfeit authorization token that was used to compromise Microsoft Exchange Online email accounts. This week Microsoft was in the spotlight again. A cybersecurity company in Turkey called SOCRadar discovered Microsoft employees had left an Azure storage server open to the internet that had Microsoft code, passwords and other sensitive material. It isn’t known how long the cloud server was unprotected or if anyone other than the researchers discovered it. David, there are a couple of things here: Both of these incidents involve cloud services — the forged tokens let the attacker get into Exchange Online. The open server was hosted on Microsoft’s Azure platform. What do these incidents say about cloud security in general and Microsoft security in particular?

David Shipley: Number one, cloud security is hard, even if you’re the person that makes and sells the cloud environment. That should be something we all take a moment [to think about]: ‘Even the people that [make it] can struggle with it.’ That’s just the reality of the situation. It is big, it is complex, and it’s also the nature of the threat environment and the ability to just find every single little flaw. Cyber is almost like a mouse infestation in your house: You just can’t figure out all the different ways these things can get in and just ruin your day.

I hope it’s part of the beginning of the end of the narrative that, ‘Just because it’s in the cloud it’s safer than on-prem.’

I think for Microsoft, let’s be clear — it’s easy to beat up on Microsoft. They’re the big kid in town. They’ve got the largest, most ubiquitous footprint. They’ve got the biggest target on their back. But it’s been very clear that the tremendous growth and success of Azure and cloud and Microsoft 365 has come with a security liability, a cost that’s clearly starting to catch up. This is almost like a law of physics of modern-day digital business: For every great business opportunity there seems to be, increasingly, an equal and opposite security and cost and liability side that is a tricky thing to balance. It’s a bad year for Microsoft. The hits just keep on coming, more is going to come out of some of these reviews, so they’re probably not going to get out of this year without a few more punches.

Howard: I’ll get deeper into Microsoft in a minute but first I want to note that the Cyber Safety Review Board Report had very pointed things to say about security to all cloud providers as well as those using cloud-based services.

David: This is not a unique problem for Microsoft. AWS has its share of problems, Google has its share of problems. We’re talking about massive, complex systems and levels of power and connectivity. We don’t really even have a track record to fully understand. It’s never been more important to fully and absolutely understand the shared responsibility model [for buyers and producers of cloud services] and to understand what your risk appetite is if you’re surrendering control over certain aspects of the threat pyramid to a cloud provider. Are you comfortable with that? Do you have the assurances from that cloud provider and the strategy of resilience if that cloud provider lets itself and you down?

Howard: On last week’s show Terry Cutler and I discussed the Cyber Safety Review Board report into the Microsoft forged token attack. As a reminder, the emails of about 500 people around the world — including the U.S. Commerce Secretary, the U.S. Ambassador to China and other important people — were compromised. The attacker downloaded about 60,000 emails over six weeks from the U.S. State Department alone. The Review Board had blunt criticism of Microsoft: It said the hack was preventable and should never have occurred. It said Microsoft’s security culture is inadequate and requires an overhaul. And it complained that Microsoft hasn’t been upfront with the public in that it still doesn’t know how or when the hacking group obtained the signing key that allowed this attack to happen. Was the board too gentle?

David: I don’t think it was too gentle. This is probably among the most severe call-outs of a failure I have ever seen from a group. But it’s not about blame. What I really love about the Cyber Safety Review Board model is it’s based off the aviation industry, which makes sure that we share transparently the key lessons learned from every air disaster. This was a cyber disaster, and we’re now picking up the pieces and telling the tale. What I thought was pretty harsh about the report was saying [to Microsoft], ‘Stop focusing on developing new features and your revenue funnel and your sales targets right now and clean your house up.’ For Microsoft this is probably one of the last off-ramps they’re going to get before they land themselves in some pretty serious heat that potentially could end up in antitrust territory around the conflict between their core businesses: Azure, Microsoft 365, the [Windows] operating system and their security business. Because there may come a time when large cloud providers like Microsoft need to be regulated because they have quasi-monopolistic levels of power. So they probably should face additional scrutiny. Whether they should be charging additional dollars for security products to fix what may in turn be fundamental flaws that should never have happened in their products in the first place, I’m going to leave that to smarter people than me. But I think if [Microsoft] listens, if they act, if it’s not just a PR response to this, if they do what they did 22 years ago with Trustworthy Computing … and redo and re-plan and reinvest, they can come out of this. If they ignore this it will be at their peril.

Howard: What struck you as the worst of Microsoft’s failures in that incident?

David: The hardest part is it’s always the [failure to follow the] basics that gets everybody … It’s a learning opportunity for all of us to say, ‘All of this [cybersecurity] is really, really hard and we sometimes need to slow down how fast we’re running.’ We are running at breakneck speed to roll out new products, services, hit revenue margins. These are the pressures of running a business in a capitalist economy. But if we ignore these basics they always come back to bite us.

Howard: The incident where somebody left a server open without protection, that happens to many organizations: Someone creates and stores data in the cloud and they forget — or ignore — corporate rules on properly securing it. How do we stop that?

David: You don’t. That’s humans and technology. You try and create better processes, better procedures, better monitoring, better education for the people responsible for creating these things. But there is no technological silver bullet that can prevent a series of really dumb things happening, because each of those dumb things on their own is likely very innocuous — and probably a very necessary part of the [business] process to build systems and infrastructure. It’s just that sometimes we don’t even understand the full consequences of what we start and what it eventually becomes … The amount of hidden servers and data and other things that just get lost [in an IT environment] is stunning … Cloud asset monitoring and permissions and tracking and all of this stuff isn’t sexy. It’s the basics. It’s paying attention to the details. The fact that we don’t have a cyber code for companies with a set of basic standards and proof of due diligence leads to this continuous cycle.