Tag Archives: logging

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty, and if you can’t hear sound on your phone, it is considerably less useful. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot, when they have their lights flashing. Those high intensity lights have occasionally blinded me at night, so it doesn’t seem like much of a stretch that they could also bother Tesla’s cameras. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks, and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections, so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add what the union calls dangerous, depressed-wage jobs, they launch a campaign asking the voters why the city should give a tax break to one of the wealthiest companies in the country just so that it can create more dangerous, low-paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Best Practices for Office 365 Monitoring

Logging, monitoring and alerting is probably the single biggest weakness that most organizations have.

Office 365 is also likely the single biggest vulnerability.

So what actions should you be monitoring in Office?

According to AT&T’s AlienVault division, here is the answer.

  1. User access – who is there normally; what is your user baseline? Are you seeing more failed logins than normal?
  2. Administrator actions – a hacker will likely try to become an administrator, assuming the account they hacked doesn’t belong to an administrator already. Any change in patterns could be a warning sign.
  3. Changes to Office policies – if the attacker wants to get away with something that would normally not be allowed, they will want to change the policy to let them do it.
  4. Current threat intelligence – use your threat intel sources such as the FBI, Secret Service, public alert feeds and others to tweak what you are alerting on based on attacks that the industry is currently seeing.

What are the details (see the link for even more detail)?

  • Logins – both successes and failures, including time and location
  • New users, deleted users, permission changes
  • Changes to logging rules
  • Access – to SharePoint, OneDrive and other resources
  • Changes to SharePoint and OneDrive permissions
  • Changes to Office 365 policies, including spam, DLP and other policies that might allow an attacker to get data out or malware in
  • Contact with known malicious IPs (see indicators of compromise from various alerts)
  • File uploads of file types known to be used in ransomware attacks (exfiltration of data)
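As an added example (not from the AlienVault post or this blog), here is a small Python triage pass over a few constructed audit records that covers four of the items above: failed logins above a per-user baseline, administrator actions, policy changes, and activity from an address on a threat-intel list. The field and Operation names are assumed to follow the Office 365 unified audit log; the baseline, the indicator list and every record value are invented.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Office 365 unified audit log
# entries (field and Operation names assumed; every value is invented).
SAMPLE_LOG = """
{"CreationTime":"2021-09-01T08:01:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2021-09-01T08:02:00","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}
{"CreationTime":"2021-09-01T08:02:10","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}
{"CreationTime":"2021-09-01T08:02:20","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}
{"CreationTime":"2021-09-01T08:02:30","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}
{"CreationTime":"2021-09-01T08:03:00","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2021-09-01T08:10:00","Operation":"Add member to role.","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2021-09-01T08:12:00","Operation":"Set-HostedContentFilterPolicy","UserId":"bob@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
"""

FAILED_LOGIN_BASELINE = 3          # assumed per-user baseline for the review window
ADMIN_OPERATIONS = {"Add member to role.", "Add user.", "Delete user."}
POLICY_OPERATIONS = {"Set-HostedContentFilterPolicy", "New-TransportRule"}
KNOWN_BAD_IPS = {"198.51.100.7"}   # constructed indicator list, not a real IoC

def parse_records(text):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def triage(records):
    """Return (kind, user, detail) alerts for the checks in the list above."""
    alerts = []
    # 1. Failed logins above the per-user baseline.
    fails = Counter(r["UserId"] for r in records if r["Operation"] == "UserLoginFailed")
    for user, n in sorted(fails.items()):
        if n > FAILED_LOGIN_BASELINE:
            alerts.append(("failed-login-spike", user, n))
    for r in records:
        # 2. Administrator actions (role and user changes).
        if r["Operation"] in ADMIN_OPERATIONS:
            alerts.append(("admin-action", r["UserId"], r["Operation"]))
        # 3. Changes to spam or transport policy.
        if r["Operation"] in POLICY_OPERATIONS:
            alerts.append(("policy-change", r["UserId"], r["Operation"]))
        # 4. Any activity from an address on the threat-intel list.
        if r["ClientIP"] in KNOWN_BAD_IPS:
            alerts.append(("known-bad-ip", r["UserId"], r["ClientIP"]))
    return alerts

if __name__ == "__main__":
    for kind, user, detail in triage(parse_records(SAMPLE_LOG)):
        print(f"{kind:20} {user:20} {detail}")
```

In a real deployment the records would come from the audit log export and the baseline from your own normal traffic, as item 1 above says.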

You do need to review the alerts that you get in real time and that will take some resources, but you should be able to train lower level staff to perform first level triage.

This is not simple and it will take resources. However, being hacked, having a breach or dealing with a ransomware attack is not free either.

Source: AT&T AlienVault