Experian makes credit info theft even worse

Brian Krebs wrote a great article in which he describes how anyone can get a person’s credit lock PIN. All you have to do is enter information that was compromised by Equifax… among others.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

It just keeps getting better.


Chrome 66 will no longer support Symantec certs

The following is from a Google blog post dated 9/11/2017:

Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018.

If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.
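A self-check for site operators facing the condition above, added here as an example (not code from the Google post): it parses a saved certificate with Go's standard library and reports whether it is Symantec-issued with a NotBefore earlier than June 1, 2016. The brand list and the constructed self-signed sample certificate are assumptions for the demo; Chrome itself decides by the root the chain leads to, so a certificate issued through an intermediate needs its chain checked the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// Cut-off from the announcement: Symantec-issued certificates whose NotBefore is before this date lose trust in Chrome 66.
var cutoff = time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)

// Brands Symantec's CA business issued under (assumed list for this demo; matched against the issuer name).
var symantecBrand = regexp.MustCompile(`(?i)symantec|verisign|geotrust|thawte|rapidssl`)

// CheckCert reports whether a certificate (PEM, e.g. saved from `openssl s_client -showcerts`, or raw DER)
// has a Symantec-brand issuer AND a NotBefore before the cut-off, i.e. must be replaced before Chrome 66.
func CheckCert(raw []byte) (bool, error) {
	der := raw // raw DER is parsed as-is...
	if block, _ := pem.Decode(raw); block != nil {
		der = block.Bytes // ...otherwise the PEM block is unwrapped first
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	issuer := strings.Join(cert.Issuer.Organization, " ") + " " + cert.Issuer.CommonName
	return symantecBrand.MatchString(issuer) && cert.NotBefore.Before(cutoff), nil
}

// sampleCertPEM constructs a self-signed certificate with the given issuer organization and NotBefore (test data only).
func sampleCertPEM(org string, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{org}}, NotBefore: notBefore, NotAfter: notBefore.AddDate(3, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	old := sampleCertPEM("Symantec Corporation", time.Date(2015, 3, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(CheckCert(old)) // true <nil>
}
```

Run it against a real certificate by reading the PEM file into CheckCert; a true result means the certificate must be replaced before Chrome 66 reaches Stable.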

Some courts making ‘it might happen’ grounds for litigation

The U.S. appeals courts are split on whether the simple perception or belief that stolen data might be used is grounds for litigation.

A recent federal appeals court ruling in a putative class action lawsuit that says plaintiffs can sue even if there is only fear of, but no actual, damage from a data breach further deepens an appeals court split on the issue and enhances its chances of being considered by the U.S. Supreme Court, experts say (Greenwald, 2017).

This is interesting and concerning. All organizations are vulnerable to attack. No security framework is perfect. Prevention, detection, and response are all important actions taken by diligent organizations, so how they are implemented and carried out should be considered. Juries and judges are likely not to understand this.

I agree that negligence is grounds for litigation. However, an organization that promptly and effectively responds to a breach should not be held liable. Thoughts?


NetSarang Computer Xmanager software backdoor

Kaspersky Lab discovered a backdoor in signed code from NetSarang Computer, a South Korean company.  The software, Xmanager, is used to manage Linux/Unix applications on Windows platforms.  According to Kelly Jackson Higgins in a DarkReading article,

The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer’s July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

NetSarang Computer’s network was apparently compromised, resulting in distribution of trusted, signed code with embedded malware (Goodin, 2017).  This is now patched, and customers should apply the patch immediately.

This is an example of a vulnerability created by attacking the supply chain instead of the actual targets. In a case like this, customers have no reason to suspect the vendor is malicious. NetSarang Computer is not a threat agent, but a weakness in its own security resulted in weaknesses in many organizations.

As with any organization, no security framework is perfect. We have to expect that, as the security of target organizations strengthens, attackers will turn increasingly to supply chain attacks. Some organizations have hundreds, or thousands, of applications installed by IT and business employees. One or more of these vendors will eventually fall victim to an attack like the one experienced by NetSarang Computer. Goodin writes,

The NotPetya worm that shut down computers around the world in June used the same tactic after attackers hijacked the update mechanism for tax software that was widely used in Ukraine. Supply-chain attacks that targeted online gamers included one used to spread the PlugX trojan in 2015 and the malware dubbed WinNTi in 2013.

In this case, blocking and monitoring for anomalous traffic would likely prevent or detect backdoor activity.  However, software whitelisting is still one of the best ways to minimize the number of applications you have to watch.