SANS NewsBites

Tech Firms Sign Secure by Design Pledge, TunnelVision VPN Bypass Technique Affects Most VPN Clients, Dell Customer Database Compromised; US Library of Congress Thwarted Cyberattack with MFA

May 10, 2024  |  Volume XXVI - Issue #37

Top of the News


2024-05-08

Tech Firms Sign Secure by Design Pledge

Between 60 and 70 tech companies so far have signed the US Cybersecurity and Infrastructure Security Agency's (CISA's) Secure by Design Pledge to bake security into their products. The Pledge Goals include increasing use of multi-factor authentication (MFA); decreasing use of default passwords; reducing entire classes of vulnerabilities, such as SQL injection, cross-site scripting, and memory safety vulnerabilities; increasing installation of patches; and publishing a vulnerability disclosure policy.

Editor's Note

A good show of faith by software vendors as well as good press coverage for CISA. That said, it seems like a relatively low bar for vendors to meet, and it is, after all, voluntary. Why wouldn't we insist that software vendors publish their full secure development process and pledge that they will follow said process for all products and services? That would mean something, and likely have more impact than simply signing a pledge.

Curtis Dukes

The pledge is intended to cover SaaS and on-premises software, not IoT or consumer products. Some of the seven goals of the pledge are more difficult, such as making updates easier and tracking their application or eliminating entire classes of vulnerabilities (such as SQLi). Part of the expectation is that you're not going to have to pay extra for logging, MFA, etc., which will help us raise the bar in our own shops.

Lee Neely

I'd like to see some (most) (ok, all) of the decreasing and reducing in the pledge turned into eliminating. Decreasing vulnerabilities by 90% may sound great, but it really only takes one easily exploitable vulnerability to be built in and it is game over. It is kind of like food vendors promising to reduce shards of metal in their products vs. focusing on eliminating them.

John Pescatore

At first glance this looks like just a publicity stunt for many companies. But I also like to think this was actually a good idea by CISA and could drive some change. First, this is a very public act, and by these people / companies signing their names, that actually can drive behavior (Dr. Cialdini / Influence, anyone?) and help prioritize security more. Second, by seeing all the different companies pledging this initiative, prioritizing security is now perceived as becoming the norm (and a competitive advantage). Finally, this also can put vendors in a bind. If these companies go back and make absolutely no security change, and basic vulnerabilities continue to be found in the future, this will only destroy their credibility that much more. Will this single act save cybersecurity? No. But I think initiatives like this can make a difference.

Lance Spitzner

While one has been a long-time advocate for improved software quality, "secure" by design is an over-constrained and ambitious goal. Improved quality is essential to a reliable and resilient infrastructure, but it is not a silver bullet. "Safe out of the box," perhaps. Securable by design, probably. Elimination of the top ten repeated design and coding errors, surely. However, almost any product, regardless of how well designed and implemented, can be misconfigured, mis-operated, or misused. Clearly what we are doing is not working, but overstating the objective will not help.

William Hugh Murray

2024-05-08

TunnelVision VPN Bypass Technique Affects Most VPN Clients

Researchers at Leviathan Security Group have identified a technique that exploits features in the Dynamic Host Configuration Protocol (DHCP) to force traffic off a VPN tunnel and redirect it to a different local network. Dubbed TunnelVision, the technique affects most VPN clients. Leviathan chose to disclose publicly because "notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team."
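As an added example (not code from Leviathan's research or from any VPN vendor), the Python below decodes the DHCP option 121 classless static routes from a DHCP offer and flags the ones a VPN user should not expect, since any such route is more specific than the tunnel's default route and wins for the destinations it covers. The offer bytes and the 10.0.0.0/8 "expected" subnet are constructed for the demonstration.

```python
# Added example, not code from Leviathan or any VPN vendor: decode DHCP option
# 121 (RFC 3442 classless static routes) and flag routes that bypass a VPN.
import ipaddress

OPT_PAD, OPT_END, OPT_CLASSLESS_STATIC_ROUTE = 0, 255, 121


def find_option(options: bytes, code: int):
    """Walk the DHCP TLV options field; return the value of `code` or None."""
    i = 0
    while i < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options) or len(options) < i + 2 + options[i + 1]:
            raise ValueError("truncated DHCP option")
        length = options[i + 1]
        if options[i] == code:
            return options[i + 2:i + 2 + length]
        i += 2 + length
    return None


def parse_option_121(payload: bytes):
    """Decode RFC 3442 routes (prefix length, ceil(prefix/8) destination
    octets, 4-byte router) into (IPv4Network, IPv4Address) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefix_len = payload[i]
        n_sig = (prefix_len + 7) // 8
        if prefix_len > 32 or i + 5 + n_sig > len(payload):
            raise ValueError("malformed classless static route")
        dest = payload[i + 1:i + 1 + n_sig].ljust(4, b"\x00")
        router = payload[i + 1 + n_sig:i + 5 + n_sig]
        routes.append((ipaddress.ip_network((dest, prefix_len), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n_sig
    return routes


def routes_bypassing_vpn(routes, expected_networks=()):
    """Report DHCP-pushed routes that are more specific than the tunnel's
    default route and so divert their destinations to the LAN router.
    Subnets in `expected_networks` (ones the site legitimately publishes)
    and the plain default route, which VPN clients override, are skipped."""
    expected = [ipaddress.ip_network(n) for n in expected_networks]
    return [(net, gw) for net, gw in routes
            if net.prefixlen and not any(net.subnet_of(e) for e in expected)]


# Constructed DHCPOFFER options: message type (53) = 2; option 121 carrying
# 0.0.0.0/0 via 192.168.1.1, 10.20.0.0/16 via 192.168.1.1 (the site's own
# subnet), 198.51.100.0/24 via 192.168.1.254 (a public range); end marker.
SAMPLE_OFFER_OPTIONS = bytes.fromhex(
    "350102" "7914" "00c0a80101" "100a14c0a80101" "18c63364c0a801fe" "ff")
```

Run against the constructed offer with `["10.0.0.0/8"]` as the expected networks, only the 198.51.100.0/24 route is reported; the default route and the site's own subnet are not.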

Editor's Note

This bypass relies on the attacker implementing a DHCP server on the network you're trying to use, most likely not your home network, and on your DHCP client implementing option 121 (classless static routing). Once your client uses the rogue DHCP server, they change the routing to bypass your VPN. As much of that traffic is encrypted (HTTPS/TLS), the traffic is mostly going to provide insight about services used and potential trust relationships rather than exfiltrating data.

Lee Neely

There are two important steps needed to enable this attack: a rogue DHCP server and for the endpoint to accept the change. The simplest mitigation for end-users is to use a mobile hotspot with their VPN. Don't put any faith in an untrusted network (public WiFi).

Curtis Dukes

If you are using any VPN services or products, at a minimum query the vendor about mitigations/fixes they are deploying or that you should do.

John Pescatore

While there are CVEs related to this attack, some have suggested that the properties exploited are features, not bugs.

William Hugh Murray

2024-05-09

Dell Customer Database Compromised

Dell Technologies has begun notifying customers that the company is investigating a cybersecurity incident involving a Dell portal. According to the notification message, the portal contains a database that holds customer names, physical addresses, and hardware and order information.

Editor's Note

I am one of the 49 million people who got this notification. One phrase stuck out to me: "We believe there is not a significant risk to our customers given the type of information involved." I would argue that Dell, or any other organization, is in no position to determine what impact a breach of my personal data could have on me. If I am someone who has a threat model, such as a journalist, someone who has left an abusive spouse, or someone working in the security services, having my physical address leaked due to a breach could pose a "significant risk" to me. I urge companies to carefully review the language they use in any communications around a breach.

Brian Honan

The attacker claims to have information from about 49 million customers. If you've purchased Dell systems or registered them in their customer service portal, assume you're included. Be on the lookout for bogus offers of warranties, accessories or replacement parts. While the Dell breach doesn't include email or payment card information, the information included could be useful to verify or augment other information from separate sources.

Lee Neely

2024-05-08

Library of Congress's MFA Fended Off October Breach

According to information obtained by NextGov/FCW, the US Library of Congress (LOC) experienced an attempted cyberattack the same day that the UK's British Library was breached last fall. Because the LOC has multi-factor authentication (MFA) in place, the attempted breach was unsuccessful. Once the LOC became aware of the attempt, they took targeted services offline. Since then, the LOC has begun decommissioning old equipment and adopting new security tools.

Editor's Note

If you are facing any resistance to eliminating reusable passwords and going to MFA, use this item as ammunition, since this type of success story is happening constantly as phishing-resistant MFA is adopted. MFA does not mean security is over, but this library-to-library comparison of very different impacts demonstrates how MFA can provide damage avoidance and pay for itself very quickly.

John Pescatore

A success story that should be touted in demonstrating the value of MFA. What's equally interesting is the removal of legacy equipment. Far too often organizations hang on to EOL hardware and software, leading to it becoming the weak link in the cybersecurity chain. Bottom line: in addition to implementing MFA, plan for equipment obsolescence as part of your cybersecurity program.

Curtis Dukes

This is a great example of why sharing information on breaches and near misses is so important so that we can all learn from them and improve our defensive postures.

Brian Honan

The lesson for the rest of us is that we need not wait until we are attacked to harden or eliminate legacy hardware, systems, and applications.

William Hugh Murray

Wouldn't it be odd to learn that the one Federal organization that had done one of the best jobs monitoring their systems and locking down their accounts with MFA was the Library of Congress?

Lance Spitzner

The Rest of the Week's News


2024-05-09

CISA's CVE Vulnrichment Project Will Add Data to CVE Records

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced its CVE enrichment program, which will provide additional information to CVEs. On the associated GitHub README, CISA writes, "In this phase of the project, CISA is assessing new and recent CVEs and adding key SSVC decision points. Once scored, some higher-risk CVEs will also receive enrichment of CWE, CVSS, and CPE data points, where possible."

Editor's Note

Two outcomes from this work: First, added context and information to help you analyze the risk of a given vulnerability. Second, the enriched CVE entries are available in JSON format you can ingest into your existing tools/processes. This is most useful in phase two, where the added CWE, CPE, etc. data will allow you to even better assess the applicability of a given flaw.

Lee Neely

An important project that increases the value of CVE information. My question: what is the intersection of the Vulnrichment project and the National Vulnerability Database (NVD)? Hopefully, the enrichment data will automatically be imported into the NVD, as the security community needs a common database for vulnerability information.

Curtis Dukes

2024-05-09

Vulnerabilities in BIG-IP Next Central Manager

BIG-IP has made fixes available for two vulnerabilities in their Next Central Manager API. CVE-2024-21793 is an OData injection vulnerability, and CVE-2024-26026 is an SQL injection vulnerability. The flaws could be exploited to take control of vulnerable devices. Researchers at Eclypsium reported these vulnerabilities along with three others to BIG-IP.

Editor's Note

At the time of the report, there was no evidence this was being exploited in the wild. F5 analyzed the vulnerabilities against their product set, and these only apply to BIG-IP Next Central Manager branch 20.x; the fix is to update to version 20.2.0. Additionally, make sure that management interfaces are only reachable by authorized systems and networks and never exposed to the Internet; remember BOD 23-02, mitigating risks from Internet-exposed management interfaces.

Lee Neely

2024-05-06

Citrix Releases Updates to Fix Flaw in NetScaler ADC and Gateway

Citrix has released updates for its NetScaler ADC and Gateway appliances to address an unauthenticated out-of-bounds memory read vulnerability. The flaw could be exploited to obtain sensitive data from memory. Researchers at Bishop Fox detected the vulnerability and notified Citrix in January. The issue affects NetScaler ADC and Gateway 13.1 builds up to 13.1-50.23. Users are urged to update to version 13.1-51.15.

Editor's Note

This flaw is reminiscent of Citrix Bleed (CVE-2023-4966), but not as likely to return sensitive information from memory. There is no workaround, and it can be anonymously exploited, so apply the update.

Lee Neely

2024-05-09

Ascension Healthcare Organization Experiences Cybersecurity Event

Ascension Healthcare, which operates 140 hospitals and 40 senior care facilities in 19 US states and the District of Columbia, has disclosed a cybersecurity event. Ascension detected unusual activity on select technology network systems, which has disrupted their services. According to news reports in some states, ambulances were instructed to take emergent patients to other hospitals. Ascension has hired Mandiant to help with the investigation and remediation.

Editor's Note

Ascension is advising business partners to suspend connections to their environment until the incident is resolved. The incident is also affecting clinical operations, causing them to fall back to manual processes, which has been problematic. You may want to do an honest assessment of how viable falling back to manual methods is for you, to include both availability of supporting supplies as well as training on how to use them.

Lee Neely

2024-05-08

DocGo Discloses Cybersecurity Incident

DocGo, a mobile medical care and ambulance service operating in the US and the UK, has disclosed a cybersecurity incident in a 10-K filing with the US Securities and Exchange Commission (SEC). According to an ongoing investigation conducted by third-party cybersecurity experts, DocGo has determined that the attacker accessed and took data, including some protected health information (PHI) related to its US ambulance service.

Editor's Note

The incident bears all the hallmarks of a ransomware attack. What's interesting is the language used in the SEC 10-K filing: "no material impact on company operations" and "currently does not expect that it will have a material impact." It appears that companies have found common legal language in addressing the recent SEC cybersecurity rule changes. For all the furor caused by the change, it doesn't appear to have made much difference in determining cybersecurity risks.

Curtis Dukes

The attack seems to be contained and service restoration is underway. DocGo is contacting affected individuals whose PHI data was compromised, and thus far, no threat actors have claimed responsibility for this attack. Hopefully those individuals already have credit and identity monitoring/restoration services.

Lee Neely

2024-05-08

UK Ministry of Defence Payroll Contractor System Breach

The UK's Defense Secretary has confirmed that a third-party provider that manages payroll for the Ministry of Defence (MoD) suffered a breach. The incident has compromised MoD personnel data, including names, financial information, and home addresses; the breach affects as many as 225,000 current and former UK military personnel.

Editor's Note

In today's modern business world, where more services are being outsourced to third parties, it is essential that you have appropriate risk management frameworks in place to identify and manage risks with such providers. Equally important is to look at how you can get appropriate assurances that your data is safe with that provider while it is one of your partners, and that appropriate steps are taken for them to securely delete data should your engagement with them finish.

Brian Honan

The good news is the compromised system is not connected to the MoD network or the main military HR system. The bad news is the third-party provider is being called out for not implementing sufficient security. Beyond a self-attestation of adherence to the relevant security framework, such as NIST 800-171 in the US, make sure that your third parties are actively measuring their security posture. Schedule regular reviews to ensure that all parties are using optimal security practices, and that updated processes, such as MFA or SSO, are comprehensive. No gaps.

Lee Neely

2024-05-09

Following rumors that a threat actor had breached its systems and stolen data, Zscaler says it has removed an isolated test environment from the Internet for forensic analysis. Zscaler has employed a third-party investigative team and maintains that there is "no impact or compromise to [their] customer, production and corporate environments."

Editor's Note

Consider what information about your production environment could be gained by analysis of a test environment. Make sure that you're securing and monitoring all environments equally, regardless of data/use. With cloud-based deployments, this is a lot easier to do than with traditional on-premises systems.

Lee Neely

2024-05-08

Australia, UK, and US Identify and Sanction LockBit Operator

Law enforcement agencies in the US, the UK, and Australia have identified the alleged LockBit ransomware operator as Dmitry Yuryevich Khoroshev. All three countries have sanctioned Khoroshev. In a related story, Boeing has confirmed that it is the unnamed aeronautical company referenced in a recently unsealed indictment.

Editor's Note

With a $10M bounty on one's head, it's only a matter of time until someone dimes you out.

Curtis Dukes

2024-05-09

Polish Government Networks Targeted in State-Sponsored Malware Campaign

Polish Computer Security Incident Response Teams (CSIRTs) have observed a large-scale malware campaign targeting Polish government institutions. CERT Polska says that the attacks appear to be associated with the APT28 threat actor group, which has ties to Russia's military intelligence agency. The same threat actors are believed to have launched attacks against government and critical infrastructure networks in other NATO countries in the area.

Internet Storm Center Tech Corner

Analyzing Synology Disks

https://isc.sans.edu/diary/Analyzing+Synology+Disks+on+Linux/30904

RSA Panel

https://www.rsaconference.com/usa/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20Techniques%20You%20Need%20to%20Know%20About

SANS.edu Research Journal

https://www.sans.edu/cyber-security-research

Detecting XFinity/Comcast DNS Spoofing

https://isc.sans.edu/diary/Detecting+XFinityComcast+DNS+Spoofing/30898

Analyzing PDF Streams

https://isc.sans.edu/diary/Analyzing+PDF+Streams/30908

F5 Next Central Manager Vulnerabilities

https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/

Veeam Patches

https://www.veeam.com/kb4441

https://www.veeam.com/kb4509

Citrix Hypervisor Security Update CVE-2024-31497

https://support.citrix.com/article/CTX633416/citrix-hypervisor-security-update-for-cve202431497

Weblogic PoC CVE-2024-21006

https://pwnull.github.io/2024/oracle%20weblogic%20CVE-2024-21006%20Double-JNDInjection%20RCE%20analyze/

https://github.com/momika233/CVE-2024-21006

PDF.js React PDF Vulnerability

https://securityonline.info/cve-2024-4367-cve-2024-34342-javascript-flaw-threatens-millions-of-pdf-js-and-react-pdf-users/

Tinyproxy Response

https://github.com/tinyproxy/tinyproxy/issues/533