More stories

  • in

    NSA report: This is how you should be securing your network

    The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks. 
    The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol (NTP), SSH, HTTP, and Simple Network Management Protocol (SNMP).

    The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

    The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats exist both inside and outside classical network boundaries. The NSA says it “fully supports the Zero Trust model” and offers recommendations for building one, from how routers are installed and using multiple vendors to creating firewalls that reduce the potential of an exploit impacting one vendor’s product. However, the agency also notes that its guidance focuses on mitigating common vulnerabilities and weaknesses on existing networks.

    The Biden administration has given federal agencies until 2024 to implement zero trust architectures, so the NSA’s guidance joins the National Institute of Standards and Technology’s (NIST) work with key vendors such as Microsoft and Google to explain what zero trust is. The UK is also pushing organizations to adopt zero trust.

    Among other things, the document focuses closely on Cisco and its widely used IOS networking software for routers and switches, including configuring its 1 to 15 levels of privileged access to network devices and how to store passwords with the algorithms that Cisco IOS devices support. The NSA knows a lot about Cisco gear, as Edward Snowden’s 2013 leaks revealed.

    NSA recommends that similar systems within a network be grouped together to protect against an attacker’s lateral movement after a compromise. Attackers will target systems like printers that are more easily exploitable, for example. It also recommends removing backdoor connections between devices in the network, using strict perimeter access control lists, and implementing network access control (NAC) that authenticates each unique device connected to the network. Regarding VPNs, it says to “disable all unneeded features and implement strict traffic filtering rules”. It also specifies the algorithms that should be used for key exchanges in IPsec VPN configurations.

    NSA says local administrator accounts should be protected with a unique and complex password. It recommends enforcing a new password policy and warns that “most devices have default administrative credentials which are advertised to the public”. Admins should remove all default configurations and then reconfigure them with a unique secure account for each admin. “Do not introduce any new devices into the network without first changing the default administrative settings and accounts,” NSA says.

    The new report follows NSA’s guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers and corporate networks became a prime target during the pandemic.

  • in

    Get patching now: CISA adds another 95 flaws to its known exploited vulnerabilities list

    The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, bugs in Adobe Flash Player, and more. “CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” the agency said.
    The Windows flaw CVE-2021-41379, which joined CISA’s list, was being used in attacks against customers in November. Cisco’s Talos researchers discovered malware that targeted the elevation of privilege flaw affecting Windows 11 and earlier. Microsoft rated it “important” and gave it a severity score of 5.5 out of 10.

    Cisco’s router flaws, however, are a greater concern to patch given their severity rating of 10 out of 10. Cisco released firmware updates in February to address multiple critical flaws in its RV Series of routers. These were bugs that allowed attackers to execute malicious code, elevate privileges, run arbitrary commands, knock a device offline, bypass authentication, and more. They affected Cisco small business RV160, RV260, RV340, and RV345 series routers.

    CISA’s list is important for US federal government agencies since officers are obliged, under binding operational directive (BOD) 22-01, to act on CISA’s vulnerability alerts within a deadline. In this case, the due date for applying these updates from vendors is in March, suggesting how important CISA considers it that agencies respond swiftly.

    “BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,” CISA notes. It looks as though CISA is ordering agencies to do a thorough clean-up of any old software flaws that may still be lurking on government systems.

    The updated list of bugs to patch becomes part of CISA’s Shields Up recommendations, which it flagged this week as part of its response to destructive malware attacks against Ukrainian organizations. CISA is concerned that wiper malware like WhisperGate and HermeticWiper may soon target organizations outside of Ukraine because of new US and European sanctions against Russia. The list is also a valuable resource for all organizations outside the US.

    CISA has urged every other organization to apply the updates to reduce their exposure to cyberattacks.

    Among the older bugs it has added with a March 17 due date are a Microsoft Excel RCE flaw, CVE-2019-1297; an old Exchange Server privilege escalation flaw, CVE-2018-8581; and a bug in the browser scripting engine ChakraCore, CVE-2018-8298, which Microsoft is killing off because of its switch to Chromium for Edge. There are also several older Cisco IOS and IOS XE software flaws disclosed in 2017 that now must be patched by 17 March. Even older bugs from before 2018, such as those affecting the Siemens SIMATIC Communication Processor (CP) and Adobe’s now-dead Flash Player software, are now on the list.

  • in

    These are the problems that cause headaches for bug bounty hunters

    Bug bounty programs have become an invaluable channel for the disclosure and remediation of vulnerabilities, but like any industry, they come with their own set of problems. 
    Bug bounty platforms, such as those operated by HackerOne and Bugcrowd, work with individual companies to launch and manage programs for external researchers to responsibly report vulnerabilities in software and online services. It was once common practice that vulnerability reports were made piecemeal; it may have been through a generic email or by telephone, and some organizations would be spooked by bug reports or would respond negatively.

    This is still the case in some circles, where fear, a lack of concern, or a lack of education can cause a backlash. Emails sent to DK-Lok by ZDNet warning them of an unsecured server were simply sent to the trash bin (viewable as the server was open). Coalfire researchers were arrested by US law enforcement while conducting a penetration test the court system had requested. In addition, who could forget Missouri Governor Mike Parson, who branded a journalist a “hacker” for viewing website HTML and reporting a serious data breach impacting the state’s educators.

    Official bug bounty programs can streamline the process, at least when it comes to typical vulnerability disclosure. However, as shared by White Oak Security Staff Specialist Brett DeWall, there are common problems, in his opinion, that new bug hunters should be aware of.

    Communication

    When penetration testers at the company attempt to disclose bugs, a frequent lack of communication makes it a “time-consuming process.” If the organization doesn’t have an established bug bounty project, researchers can find themselves trying multiple channels ranging from LinkedIn and social media to generic email addresses and sales channels. If a vendor doesn’t have responsible disclosure instructions on their website, opening up an initial line of communication can be even more difficult.

    “Nowadays, companies are not always receptive to receiving news about security issues with their products or offerings,” DeWall says. “Most of the communication results in radio SILENCE…. This can be frustrating from a researcher’s standpoint that is trying to relay sensitive information in the most preferred method possible. The biggest takeaway here is to keep trying.”

    Scope

    “In scope” and “out of scope” bugs are common features of disclosure processes. For example, organizations may want to know about Remote Code Execution (RCE) vulnerabilities but will not consider issues that may be less severe — despite their exploitability or real-world impact — such as unsecured servers, Server-Side Request Forgery (SSRF) or Insecure Direct Object Reference (IDOR) vulnerabilities.

    DeWall says that White Oak has run into “multiple” examples of this, where SSRF/IDOR bugs are ‘out of scope’ and, therefore, submissions are not accepted. This could be for many reasons, such as a limited number of staff able to verify reports and the time required to tackle flaws. DeWall commented: “The organization may not have the financial resources to pay the bounties or the number of employees required to keep up with the validation effort. If a high-risk bug is discovered that is ‘out of scope,’ is it no longer exploitable? I would still strongly urge organizations who have bug bounty programs to accept (or provide a contact form) for any submissions that are ‘out of scope.’”

    Recognition

    According to DeWall, one of the “biggest” frustrations in vulnerability disclosure is not receiving any credit for finding and responsibly reporting a bug. Whereas researchers want to be acknowledged for their work and may want to be able to list their findings as part of their portfolio, on the flip side, organizations don’t want security flaws found in their products to be public. If you want to encourage researchers to spend their time on improving the security of your products, a Hall of Fame – which does not have to reveal the technical aspects of vulnerabilities – could be the way forward as a fair compromise.

    “Bug bounty hunting or security research is here to stay and won’t be stopping anytime soon (or ever),” the researcher noted. “However, the way we handle it can change – the researchers and organizations must work together.”

    HackerOne has put together an e-book with tips for those interested in becoming involved in bug bounty hunting.

  • in

    Elon Musk warns to use Starlink 'with caution' in Ukraine

    Days after sending SpaceX Starlink internet terminals to Ukraine, Elon Musk is warning people there to “please use with caution.” As a non-Russian communications system, the Starlink satellite internet service has a “high” probability of being targeted during the ongoing Russian invasion, Musk said. 

    Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution. — Elon Musk (@elonmusk) March 3, 2022

    The SpaceX founder and CEO advised users to only turn on Starlink when needed and to place the antenna as far away from people as possible. He also suggested visibly camouflaging antennas.

    Some cybersecurity experts have similarly warned that satellite communications systems can put users at risk, particularly given Russia’s extensive experience targeting satellites. John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, noted on Twitter last weekend that “if #Putin controls the air above #Ukraine, users’ uplink transmissions become beacons… for airstrikes.”

    Additionally, US National Reconnaissance Office (NRO) Director Christopher Scolese recently warned that Russia’s military can target satellites to disrupt satellite-based internet traffic, communications, and GPS services. Scolese said that if Russia feels it needs to, it will extend the war into space.

    While using satellite communications comes with serious risks, it does avoid the problems that come with conventional landline broadband. Global internet access tracker NetBlocks told ZDNet that connectivity in Ukraine is down 20% since the start of the conflict, following an increase in Russian bombing campaigns and rocket fire.

  • in

    Some 'Smol' NFTs returned after Treasure marketplace exploit leads to theft

    Hackers who exploited a vulnerability in the NFT marketplace Treasure began returning most of the “Smol Brain” and “Legion” NFTs they stole on Thursday. The people behind the attack were able to mint several NFTs for free thanks to the vulnerability. Blockchain analysis firm PeckShield said more than 100 NFTs were stolen from several collections in the Treasure marketplace.

    The situation began on Tuesday, when reports emerged that the Treasure marketplace was being exploited. Treasure did not respond to requests for comment, but co-founder John Patten took to Twitter to confirm that the platform was facing a spate of thefts. “Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit—I will personally give up all of my Smols to repair this. I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community,” Patten said. “I vow to keep making free mints that make people happy even if this evil individual exploits every single one. This is just the beginning.”

    Treasure released its own official statement, writing that their team was “focused on finding the 50 NFTs that remain stolen and making buyers whole.”

    A number of people compared the issue to something popular NFT marketplace OpenSea also faced recently, where hackers gained the ability to re-list an NFT at a new price without cancelling the previous listing.

    Other experts, like Harry Denley, a member of the security team at MetaMask, urged users to delist. Denley told ZDNet that the issue facing Treasure is different from the one that affected OpenSea, but noted that the end result was somewhat the same: NFTs being stolen for low, and sometimes $0, value.

    “The issue with Treasure was a logic flaw in their smart contract within the buyItem() function. The function did not validate the quantity of the listing you were buying from, so a bad actor could craft a transaction to call buyItem() to create a specific buy order with 0 quantity for a listing,” Denley explained. “Because of 0 quantity, the price to pay was 0 (price * quantity = 0), and if that was satisfied (as in the transaction sent the correct amount of money, which will always be $0, to buy the order at), the NFTs were transferred to the buyer. A simple sanity check was missing from the function.”

    Denley added that he was unsure of the number of stolen NFTs and their value but noted that most have been returned to their owners. CoinDesk pegged the value of the stolen NFTs at around $1.4 million. Denley said the marketplace is in a “pause” state and explained that they set their Oracle to a “burn” address in a transaction, causing all interactions with the marketplace to fail.

    “After they have redeployed the contracts with the fix and hopefully have the contracts audited, then they’ll start opening up the marketplace,” Denley said. “I think it’s worth noting that it is still yet to be determined if this attack was a white hat or a black hat that had a change of heart due to their on-chain activity possibly being linked to their real-world identity. For example, 201 days ago, the exploiter received funds from a Binance account to their Ethereum main net address, which could be KYC’d or exposed identity somewhere on that platform,” he added, pointing to an address implicated in the attack.

    In Treasure’s Discord channel, developers said they identified and rectified the cause of the issue. “This was a basic bug arising from a prior fix that should have been identified earlier,” they wrote. “Once we have the full list of remaining impacted parties who did not receive back their stolen NFTs, we will propose a number of remediation options to ensure users are made whole.”

    Treasure is the biggest NFT marketplace on the Arbitrum blockchain.
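    As an added illustration of the sanity checks Denley describes as missing from buyItem() (this is not Treasure’s contract, and the contract, function and field names are assumed), a minimal ERC-721 marketplace whose buyItem() bounds the caller-supplied quantity and price against the stored listing before any value moves:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical minimal marketplace written for this article, not Treasure's code.
// It shows the checks that keep a caller-chosen quantity of 0 from producing a
// total price of 0 (price * quantity) while the token is still transferred.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract HardenedMarketplace {
    struct Listing {
        uint64 quantity;      // ERC-721: 1 while listed, 0 when not listed
        uint128 pricePerItem; // denominated in paymentToken units
    }

    IERC20 public immutable paymentToken;
    // nft contract => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    event ItemSold(address indexed nft, uint256 indexed tokenId, address seller, address buyer, uint256 paid);

    constructor(IERC20 token) {
        paymentToken = token;
    }

    function createListing(address nft, uint256 tokenId, uint128 pricePerItem) external {
        require(IERC721(nft).ownerOf(tokenId) == msg.sender, "not owner");
        require(pricePerItem > 0, "zero price");
        listings[nft][tokenId][msg.sender] = Listing(1, pricePerItem);
    }

    // quantity and maxPricePerItem are chosen by the caller, so both must be
    // validated against the stored listing before money or tokens move.
    function buyItem(
        address nft,
        uint256 tokenId,
        address seller,
        uint64 quantity,
        uint128 maxPricePerItem
    ) external {
        Listing memory l = listings[nft][tokenId][seller];
        require(l.quantity > 0, "not listed");

        // The missing sanity check: reject a zero or oversized quantity so the
        // buyer cannot pay pricePerItem * 0 and still receive the token.
        require(quantity > 0, "zero quantity");
        require(quantity <= l.quantity, "quantity exceeds listing");

        // The buyer commits to a price ceiling so a seller cannot front-run a
        // purchase by raising the listing price.
        require(l.pricePerItem <= maxPricePerItem, "price above max");

        // Listings are not escrowed here, so confirm the seller still holds it.
        require(IERC721(nft).ownerOf(tokenId) == seller, "seller no longer owns");

        uint256 totalPrice = uint256(l.pricePerItem) * quantity;

        // Effects before interactions: clear the listing, then move value.
        delete listings[nft][tokenId][seller];

        require(paymentToken.transferFrom(msg.sender, seller, totalPrice), "payment failed");
        IERC721(nft).safeTransferFrom(seller, msg.sender, tokenId);

        emit ItemSold(nft, tokenId, seller, msg.sender, totalPrice);
    }
}
```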

  • in

    Twitch to ban users who persistently share 'harmful misinformation'

    Under Twitch’s latest content policy update, the streaming platform said it will ban “harmful misinformation actors” from using its service. “We’re proud that Twitch can bring people together — but we do not believe that individuals who use online services to spread false, harmful information, have a place in our community,” the company said in a blog post.

    According to the company, it will apply a ban on users whose online presence is dedicated to persistently sharing widely disproven and broadly shared harmful misinformation topics, such as conspiracies that promote violence, whether it is on Twitch or not. “We will only enforce against actors who meet all three of these criteria, and our off-service investigations team will be conducting thorough reviews into each case,” the company said. Some content covered under the policy includes misinformation about COVID-19 vaccines or other harmful health information, content that “undermines the integrity of a civic or political process” such as electronic fraud, and terrorist or extremist propaganda.

    Twitch assured that it’s unlikely the update will have an impact on most of its streamers or viewers, and that harmful misinformation is not prevalent on its platform. But the company wanted to take the precautionary step to curb any potential harm. “Our goal is to prohibit individuals whose online presence is dedicated to spreading harmful, false, information from using Twitch,” the company added.

    Meanwhile, Reddit joins a growing list of platforms that have taken a stance against Russian state-backed media outlets amid Russia’s invasion of Ukraine. Reddit said in a blog post it will ban users globally from posting links to Russian state media outlets like Russia Today, Sputnik, and their foreign language affiliates. Additionally, it will continue not to accept advertisements that target Russia or originate from any Russian-based government or private entity, Reddit stated.

    Others that have also decided to remove content, restrict discoverability, or stop actively promoting content from Russia include Meta, Twitter, Google, Microsoft, YouTube, and many more.

  • in

    Ukrainian cities hit with blackouts after attacks on energy infrastructure

    Multiple cities in Ukraine are experiencing power outages due to the ongoing invasion by Russian forces that started last week. Global internet access tracker NetBlocks shared data showing widespread internet outages across Mariupol, Sumy, and other regions of the country following an increase in bombing campaigns and rocket fire launched by Russian units.

    “Mariupol and Sumy are the main outage incidents we’re tracking today. Overall, at national level, observable connectivity is down some 20% compared to ordinary levels prior to the onset of conflict,” Alp Toker, director of NetBlocks, told ZDNet. “The reduction in connectivity is attributed to power outages and the destruction of infrastructure in most of the major conflict zones, and the figure also reflects population flight as people leave home and shutter businesses.”

    Mariupol, which had about 400,000 residents before the invasion, began seeing widespread outages on Wednesday. Residents told the BBC that there has been “a relentless barrage of Russian shelling.” One resident said he has spent two days without light, heat, or water after filling up a bathtub before the water was shut off. They are now running out of food and medicine.

    The outages in Sumy began on Thursday. NetBlocks and others wrote that residents were reporting massive blasts at the thermal power plant and electrical substation that they said “turned the sky ‘yellow and red’ for miles.” The town had about one million residents before the invasion began.

    “The incident marks the largest single region-wide disruption to telecoms service since the onset of the conflict, and is attributed to the destruction of the region’s electricity production and transmission infrastructure,” NetBlocks explained. TVUA 24 editor-in-chief Olha Konsevych confirmed on Twitter that two explosions damaged the CHP plant and the electrical substation. “Residents say they have been left without heat, water, and electricity,” Konsevych said. A number of Ukrainians on Twitter confirmed the outages, noting that they or their family members were trying to figure out what to do without electricity.

    NetBlocks has also reported internet outages in other major Ukrainian cities such as Kyiv and Kharkiv. Tesla CEO Elon Musk has tried to help Ukrainians dealing with internet outages by sending Starlink terminals and making the Starlink service active in the country.

  • in

    ICANN rejects Ukraine's request to block Russia from the internet

    Following Russia’s invasion, Ukraine had asked the Internet Corporation for Assigned Names and Numbers (ICANN) to revoke Russia’s top-level domains (TLDs), such as .ru, .рф, and .su, along with the nation’s associated Secure Sockets Layer (SSL) certificates. The request came from Andrii Nabok, ICANN’s Ukrainian representative, and Mykhailo Fedorov, Ukraine’s vice prime minister and minister of digital transformation.

    Now, ICANN has replied: No.

    The letter from Göran Marby, ICANN’s CEO and president, tried to soften the blow: “ICANN stands ready to continue to support Ukrainian and global Internet security, stability, and resiliency.” But a no is a no.

    Fedorov had also asked that RIPE NCC, the regional Internet registry for Europe, the Middle East, and parts of Central Asia, withdraw the rights of Russia and its Local Internet Registries (LIRs) to use their assigned IPv4 and IPv6 addresses and block their DNS root servers. RIPE had turned down this request earlier. The RIPE NCC Executive Board stated that “the means to communicate should not be affected by domestic political disputes, international conflicts or war. This includes the provision of correctly registered Internet numbering resources.”

    These moves come as no surprise. Earlier, people with both internet organizations and related groups had made it clear they didn’t want to. Andrew Sullivan, president and CEO of the Internet Society, warned that if ICANN had granted Ukraine’s request it might cause a “‘Splinternet’ – the splintering of the Internet along geographical, political, commercial, and/or technological boundaries.” This fragmenting would have massive negative effects, while also setting dangerous precedents. Sullivan said: “The calls to cut Russia off from the Internet are a slippery slope, as the ‘Splinternet’ is the antithesis of how the Internet was designed and meant to function. We must resist these calls, no matter how tempting they may be.”

    Marby agreed: “Within our mission, we maintain neutrality and act in support of the global Internet. Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the Internet – regardless of the provocations.”

    While the internet’s official governors are staying out of the war, unofficial groups such as Anonymous have taken up their cyber arms against Russia. Anonymous has claimed to have taken down various websites, including those of Russian oil power Gazprom; Russian state news agency RT; and Russian and Belarusian government agencies, including the Kremlin.

    Numerous companies have also joined the fight against Russia. For example, Microsoft President Brad Smith announced that the Windows giant would help Ukraine against Russian cyberattacks. Smith wrote that while “We are a company and not a government or a country,” Microsoft would protect Ukraine from cyberattacks.

    This is not a 20th-century war. No matter where you are in the world, you’re only an internet connection away from the cyber-frontlines.