Tag Archives: Zero Days

Cybersecurity News for the Week Ending April 1, 2022

How Many Times Do I Need to Say – Crypto is Software, Software Has Bugs, Your Money is at Risk

Decentralized Finance (DeFi) platform Revest Finance said that it lost $2 million due to a software bug and, oh yeah, (a) they can’t recover the funds, (b) they do not have the money to cover the losses and (c) they don’t have insurance to cover the hack. Unless we eliminate the software, we cannot eliminate all bugs. Credit: The Record

Russia Faces Internet Outages Due to Equipment Shortages

One of Russia’s tech unions says that Russian ISPs run the risk of Internet outages as the value of the Ruble goes down and foreign companies won’t sell them parts or new equipment. Right now the government is saying that is the Internet providers’ problem, but if it turns into widespread outages, they are likely to change their tune. Credit: Bleeping Computer

Cryptocurrency was Fun While it Lasted

EU Parliament committees have voted to require crypto exchanges to verify the identity of the owner of any self-hosted wallet they transact with, meaning the end of anonymity for crypto transactions that touch an exchange. The US Treasury (FinCEN) has proposed something similar, but it has not been finalized. That means that the bad guys will need to do peer-to-peer crypto, minus the exchanges, to deal in criminal activities. While this is harder than using exchanges, it is far from impossible. Given that the whole purpose (besides speculating) of crypto is to commit fraud, identifying yourself is probably not high on users’ wish lists. Credit: Vice

Senate Asks Companies About Hackers Creating Fake Warrants

Recently I wrote that hackers have figured out that the government’s search warrant process is as secure as, say, a screen door. Now that the facts have been outed, and likely even more hackers will use that fact to steal even more data, a couple of Senators have started asking questions. That is a long way from Congress actually doing anything useful about it, but at least it is a start. Don’t expect anything to happen quickly, because it is a hard problem to fix. Credit: Brian Krebs

Apple Fixes More Mac, iPhone Zero Days

In case you haven’t noticed, the last 12 months have not been kind to Apple when it comes to zero-day bugs. This week Apple patched two more that are actively being exploited in the wild and affect iPhones, iPads, Apple Watches and Macs. The versions you are looking for are iOS 15.4.1, iPadOS 15.4.1 and macOS Monterey 12.3.1; the two bugs were fixed with improved input validation and improved bounds checking, respectively. Credit: Bleeping Computer
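As an added illustration (this is not Apple’s code and says nothing about the internals of the bugs patched here), the C sketch below shows the class of defect that “improved bounds checking” and “improved input validation” typically fix: a parser that trusts a length field taken from untrusted input. The chunk format, the structure and function names, and the sample bytes are all constructed for this example.

```c
/* Added example, not Apple's code: a toy length-prefixed chunk parser in the
 * style of a media demuxer.  The wire format is constructed for illustration:
 *   [type:1 byte][len:1 byte][payload:len bytes] ... repeated
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

struct chunk {
    uint8_t type;
    uint8_t len;                   /* declared payload length from the input */
    uint8_t payload[PAYLOAD_MAX];  /* fixed-size destination buffer */
};

/* VULNERABLE (kept for comparison only; nothing below calls it):
 * trusts the attacker-controlled len byte.  If len > PAYLOAD_MAX the memcpy
 * writes past payload[] (out-of-bounds write); if len exceeds the bytes
 * actually present in the input it reads past the input (out-of-bounds read). */
size_t parse_chunk_unchecked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    (void)in_len;                       /* the input length is never consulted */
    out->type = in[0];
    out->len  = in[1];
    memcpy(out->payload, in + 2, out->len);   /* no bounds check */
    return 2 + (size_t)out->len;
}

/* HARDENED: checks that the header is present, that the declared length fits
 * what remains of the input (input validation) and that it fits the destination
 * (bounds check).  Returns the number of bytes consumed, or 0 on rejection. */
size_t parse_chunk_checked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in == NULL || out == NULL || in_len < 2)
        return 0;                       /* header truncated */
    uint8_t len = in[1];
    if (len > PAYLOAD_MAX)
        return 0;                       /* would overflow payload[] */
    if ((size_t)len > in_len - 2)
        return 0;                       /* would read past the input */
    out->type = in[0];
    out->len  = len;
    memcpy(out->payload, in + 2, len);
    return 2 + (size_t)len;
}

/* Walk a buffer of consecutive chunks with the hardened parser.
 * Returns the number of chunks parsed, or -1 if the input is malformed. */
int parse_stream(const uint8_t *in, size_t in_len, struct chunk *out, size_t max_chunks)
{
    size_t off = 0;
    int n = 0;
    while (off < in_len) {
        if ((size_t)n >= max_chunks)
            return -1;                  /* more chunks than we have room for */
        size_t used = parse_chunk_checked(in + off, in_len - off, &out[n]);
        if (used == 0)
            return -1;                  /* rejected chunk: stop, do not guess */
        off += used;
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample: two well-formed chunks ("abc" and an empty one) */
    const uint8_t good[] = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
    /* constructed malicious sample: declares 200 bytes for a 16-byte payload */
    const uint8_t bad[]  = {0x01, 0xC8, 'x', 'y'};
    struct chunk chunks[4];

    printf("good: %d chunks parsed\n", parse_stream(good, sizeof good, chunks, 4));
    printf("bad:  %d (rejected)\n",    parse_stream(bad,  sizeof bad,  chunks, 4));
    return 0;
}
```

The unchecked version is the shape of bug that gets described in an advisory as an out-of-bounds read or write; the checked version is what “improved bounds checking” looks like in practice. Note that the hardened parser rejects the whole stream rather than trying to resynchronise after a bad chunk, since guessing where the next valid header starts is itself a common source of follow-on bugs.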

Bill Aims to Remove Fox From Hen House Guard Duty

The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber.  The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.

NSA’s defensive role sits with its information assurance mission, and the NSA director also heads U.S. Cyber Command under the so-called dual-hat arrangement, so the offensive and defensive missions sit under one roof.

What this means is that when NSA finds a bug like the SMB flaw that was exploited in WannaCry, it has to decide whether to disclose it to the vendor (and further its defensive mission), and therefore not be able to use it to further its offensive mission, or to keep it secret and continue to use it.

The only problem is what happens if someone else discovers the bug and uses it against American companies. That is the conundrum.

Under President Obama the intelligence community was supposed to use something called the Vulnerabilities Equities Process (VEP) to decide whether to disclose or keep secret any vulnerabilities that it finds.  That process was voluntary.  After WannaCry, Congress is kind of wondering whether the process is working.

The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take the control of the decision making process away from the NSA exclusively and create a review board including the FBI, Homeland Security, CIA, Director of National Intelligence, Commerce and NSA.  State, Treasury, Energy and the FTC would be involved when needed.  Homeland Security will chair the board.

That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.

Since this bill was just introduced, it has a long way to go before it may become a law.

Information for this post came from The Register.

Microsoft Battles Google – Can You Believe It?

OK, that subject, while true, was really just to catch your attention.

Here is the rest of the story (and sorry, this is a bit of a rant).

Google has a team that researches security vulnerabilities in all kinds of software.  The team, founded in 2014, is called Project Zero. While I am sure it finds bugs in Google’s own software (it does!), it seems to, frequently, find bugs in competitors’ software.  That usually includes Microsoft and Adobe, among others.

Google has a database of the vulnerabilities that it finds and it has a very strict protocol for disclosing these vulnerabilities.

Part of what Google wants to have happen is for the industry to fix vulnerabilities quickly.  To be honest, the industry as a whole has a horrible track record for fixing bugs quickly.

Part of the “battle” if you will, is that companies like Microsoft have software that they have to create, test on hundreds of different configurations, package and distribute and users have to download, test and install – think Windows, Office, Adobe Flash and others.  Google, on the other hand, is almost exclusively web based.

Web based offerings are inherently easier to patch.  Google controls every single server that their software runs on.  They know what the hardware looks like and if the software does not work on a particular brand or model of hardware they don’t use it.  In fact, Google BUILDS their own servers.  Companies like Microsoft can only dream about that.

Microsoft USED to release patches at random.  It drove system administrators crazy.  As a result, they now only release patches once a month and it usually takes them two or three months to get a fix through that release cycle.

Needless to say – and this is part of Google’s point – the hackers don’t have to follow that model.  As a result, the hackers win most of the time.

So what are Google and Microsoft battling about this week?

Google disclosed a flaw in Windows that it had reported to Microsoft on October 21st (that is about 10 days ago).  On that same day, Google also reported a bug in Adobe Flash.  Adobe has fixed its bug.  Microsoft has not.

Project Zero would normally give Microsoft 90 days to fix the bug (and sometimes adds a short extension) before announcing it to the world, but that window drops to 7 days when, as in this case, Google says the bug is ACTIVELY being exploited in the wild.  So Google had two choices: be quiet for three months while people’s systems were being attacked and allow Microsoft to work through its process or, alternatively, warn people and let Microsoft be a tad bit displeased with them.

The bug is a privilege escalation flaw in the Windows kernel.  An attacker who already has code running inside a sandboxed process (for example, by way of a browser or Flash exploit) can use it to escape the Windows sandbox and do things, with higher privileges, that they should not be able to do.

Microsoft COULD have told people that there was a problem and provided them with workarounds or possibly a temporary fix, but they chose not to.  They did say, now, that users should upgrade to Windows 10 and use the Edge browser.  That doesn’t help the tens of millions of users of Windows 7 and Windows 8.

Instead Microsoft said that Google’s disclosure of hackers attacking Microsoft’s customers’ systems in the real world was irresponsible.  What would have been responsible, Microsoft says, is to keep people in the dark while attackers compromise their systems.  Somehow I have a problem with Microsoft’s reasoning.

Microsoft said that they are the ONLY platform committed to investigating security issues and providing updates as soon as possible.  While those of you who read this column know that I am not much of an Adobe Flash fan, I do give them a LOT of credit for sometimes releasing fixes the day after a bug is found when hackers are exploiting it, so I think Microsoft’s claim is a bit self-serving.

The bottom line here is that the industry – and it doesn’t matter whether we are talking Windows, Mac, Linux, Android, iPhone, Web, whatever – needs to be more aggressive at identifying and fixing bugs.  Not just the kind of bugs that we usually think of but also issues like the attack on Dyn last week that took out Twitter and hundreds of other sites.

Attackers don’t care about collateral damage and they don’t care about following the rules.  WE as an industry need to get more effective about fixing problems.

At least that is the way that I see it.

Information for this post came from CSO Online.

Google’s Project Zero has its own Wikipedia page.