Without proof that it was collected legally, purchased data can threaten an enterprise's security compliance and even expose the company to litigation.

Purchasing databases from data brokers can create a problem for enterprise security executives. While there are tools to scan the files for malware, there is no automated way to make sure that the data contained in the database is accurate and, even more importantly, was obtained with proper consent. Without that assurance, those files can pose a threat to the enterprise's security compliance and may even open up the company to litigation.

Consider this scenario: Business unit leaders perform an exhaustive due diligence effort before purchasing databases from a data broker. The data has been widely distributed within the organization's global systems. Six months later, law enforcement authorities move against the data broker and report that all of its data was improperly obtained. The organization now has a compliance nightmare on its hands.

The organization might want to delete all of that data to comply with regulations. However, if the team did not tag the data when it was initially loaded into the system, it will be difficult to track and remove it. Even if the data was tracked successfully, it could have become so interwoven with petabytes of other data that it is no longer viable to extract.

On top of this, some regulators may apply the legal concept of "the fruit of the poisonous tree." That doctrine is typically used when law enforcement is accused of not obtaining a search warrant properly. If a judge finds that they indeed did act improperly, the fruit doctrine would not only exclude any evidence found during the search, but also anything found as a result of what was found in the search.

In the case of data, a strict regulator might insist that not only must a company delete the data broker's information, but also any information that resulted from processing that data. In other words, the analytics done on that data might have to be deleted as well.

**Tracking Data as It Flows**

Another major complicating factor with data compliance is that the folders of information that come from data brokers often reflect work done over many years. That means much of it stems from a time, a place, and a vertical where the rules were different.

"Due to the increasing regulatory compliance framework regarding data collection notice and consent, there are data brokers that have huge subsets of their data that is not 'clean' and they cannot make reps and warranties about it to third parties that want to leverage that data," says Sean Buckley, an attorney with law firm Dykema who specializes in data privacy issues. "The risk to the data broker circles back to whether their data is 'clean' and whether they can prove it if necessary."

ClearData CISO Chris Bowen argues that data tracking is critical when dealing with purchased files, but it can also prove quite difficult — even impossible — if the organization didn't tag it sufficiently from the beginning.

"You need to closely track where the data lives and where it flows," Bowen says. "You need to tag the source of each field in the database. You need consistent links through petabytes of data, structured and unstructured."

Most security executives are not comfortable with this approach because dataflow analysis is outside of their usual remit, he adds.

"Where \[data\] flows and how it's distributed and how it is archived and destroyed, that's usually more the purview of the privacy office," Bowen says. "You need to protect and track the data through every element of its life cycle."

Critically, Bowen stresses that once new datasets are built on top of the data broker information, "it's darn near impossible to uncouple that data. It would take an act of AI to decouple and unwind all of that."

**Putting AI to Work**

That AI point is exactly where some other data specialists see this argument headed. They anticipate large language models (LLMs), such as ChatGPT, will be able to track the data through unlimited analytics efforts. In two to five years, the LLM approach may be effective enough for regulators to rely on it.

"Companies today use \[the difficulty of data tracking\] as an excuse to not produce the evidence. With the advent of machine learning models, that is no longer the case," says Brad Smith, a managing director at consulting firm Edgile.

Detailed tracking of the data throughout its life cycle is key to solving the data broker problem, he says.

"When you pull data in from an external organization, there is always going to be some level of liability. The solution is to maintain data lineage. Generally, when you move information, transfer or copy, or the data somehow morphs from one system to another, that lineage is broken," Smith says. "With the large language model, every piece of data exists in its original state. Those mappings exist in the neural network they have created."

The cloud also plays a critical role here, he adds.

"The only thing that they have to do is move their data into a hyperscale infrastructure," Smith says. "When regulators become aware of this and the \[enterprise\] hasn't sufficiently invested in Azure or AWS, they'll ask, 'Why haven't you moved to that platform?'"

**Avoiding Tainted Data**

Fundamentally, some believe that businesses purchase third-party data from data brokers too quickly and that they should first do serious examination of the data they already have or can collect directly.

"There is an open acknowledgement that the quality of third-party data is not good and that it's collected in a pretty dubious manner. Their definition of consent is spotty. Overall, the way data brokers get their data flies in the face of global privacy laws," says Stephanie Liu, a privacy analyst with Forrester.

"It's shocking how quickly we've normalized the aggregation of data that, just a few years ago, would have been considered an egregious intrusion of privacy," adds Rex Booth, the CISO for SailPoint. "Now the only delineation of right and wrong regarding brokers is whether they broke laws in gathering their data."

When figuring out the data broker challenge, CISOs must factor in how the data is being used now and how it will likely be used in a year," he says. "Is it being used to make decisions about who gets a loan or an apartment? Is the resultant data visible to customers, or is it entirely internal, such as data to help sales know who to contact?

Saugat Sindhu, a senior partner who heads the strategy and risk practice at consulting firm Wipro, says almost all data brokers provide deliverables in an anonymized fashion, but it often doesn't stay that way. "You can easily deanonymize an identity," he says.

In some cases, Sindhu says, the compliance remedy may go beyond data deletion to assessing revenue generated by the improperly created data: "You didn't do anything wrong knowingly, but you still made profits off of it and that may raise a fair trade issue," he says. "At the end of the day, tainted data is tainted data."

How CISOs Can Reduce the Danger of Using Data Brokers

CISA released the hunt and response tool to help defenders extract cloud artifacts without performing additional analytics.

The Untitled Goose Tool is the latest tool from the United States Cybersecurity and Infrastructure Security Agency to help enterprise security teams respond to attacks.

Developed in conjunction with Sandia National Labs, the Untitled Goose Tool “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA said in its announcement, which specifically listed Microsoft Azure, Microsoft 365, and Azure Active Directory. With this tool, defenders can run a full investigation by interrogating and collecting Azure Active Directory sign-in and audit logs, Microsoft 365 unified audit log, Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data for suspicious activity, CISA said in its Untitled Goose Tool fact sheet. Defenders can also query, export, and investigate Azure Active Directory, Microsoft 365, and Azure configurations.

The hunt and incident response tool was designed to assist incident response teams export cloud artifacts after an incident for environments that aren’t ingesting logs into the organization’s Security Information and Events Management (SIEM) platform, CISA said on the Untitled Goose GitHub repository page. The defenders can then ingest the JSON results into an existing SIEM, web browser, text editor, or database, for additional analysis.

The Untitled Goose Tools was announced on the same day as the Pre-Ransomware Notification Initiative, which aims to warn organizations about ransomware attacks early enough so that organizations can block the attempt to steal or encrypt data. Earlier in March, CISA announced the Decider tool, which will help organizations map adversary behavior to the MITRE ATT&CK framework to find gaps in their defenses, as well as the Ransomware Vulnerability Warning Pilot, to warn critical infrastructure entities about flaws in their systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA Releases Hunt Tool for Microsoft's Cloud Services

After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.

A vulnerability in a commonly used file transfer service called GoAnywhere has allowed the Clop ransomware group to breach about 130 organizations. Weeks later, details are still emerging about the sprawling attack.

Up until now, those details weren't coming from GoAnywhere parent company Fortra. It's been the victim organization making headlines with public data breach disclosures. GoAnywhere customers which have disclosed that they were breached through the GoAnywhere MFT remote code execution vulnerability, tracked under CVE-2023-0669, so far include Community Health Systems, Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, and the City of Toronto, which, when totaled up, represent the exposure of millions of people's private data to the worst cybercriminal elements.

Clop cybercriminals were eager to provide details of their campaign, claiming on their leak site they used the exploit over the course of 10 days to breach more than 130 companies, according to reports.

For its part, Forta has remained publicly quiet about the steady stream of disclosures. But today, it gave Dark Reading a statement with reassurances that it's committed to helping its customers navigate what is evolving into a communications, as well as a cybersecurity, crisis for the company.

"On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution," Fortra says in a statement issued to Dark Reading. "We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch."

Fortra added that it remains committed to supporting its affected users.

"We are working diligently to notify customers who may have been impacted and we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue," Fortra's spokesperson's statement adds. "We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue."

**Fortra's Communications Under Fire**

First reports of the GoAnywhere zero-day were shared on Feb. 2 by cybersecurity news site KrebsOnSecurity, which, after finding the advisory stuffed behind a login page, simply pasted the information for the public to see. Days later a patch was issued by Fortra. Betting on patch lagging, in the ensuing days, the Clop ransomware threat actors were able to take advantage. On Feb. 10, the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities catalog. 

Nonetheless, companies have continued to get caught up in the ongoing campaign. And despite Fortra's assurances, cybersecurity analysts, experts, and watchers are widely critical of the company's lack of communication and slow response in offering guidance to victims and targets. The attack surface is broad, too, it should be noted: According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. And according to data from Enlyft, most of those are large organizations — with at least 1,000 and often more than 10,000 employees — mostly based in the United States.

"This one wasn't communicated well, challenging even the best security teams to respond," Heath Renfrow, co-founder of Fenix24 tells Dark Reading in response to the freshly issued statement from Fortra. "This is a good example of how it is necessary for security professionals to have multiple sources of threat intelligence — beyond just their providers — to cover every base. That said, it has been communicated now and anyone using the solution should patch immediately."

Slow communication can be especially detrimental in a software supply chain attack scenario, Dirk Schrader, vice president of security research at Netwrix said.

"To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened," he noted via email. "It helps other links in this chain to be prepared for an upcoming threat and minimizes possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner."

Dark Reading asked Fortra for a response to the criticism of its handling of the cybersecurity incident but has not received a response. Meanwhile, Forta's customer, the City of Toronto, when asked about its communications with Fortra regarding the breach, gave a simple response by email: "Fortra has been communicating with the City and continues to do so."

This isn't the first time users of Clop ransomware have pulled off a mass breach like this. Russian-based FIN11 used Clop ransomware in December 2020 to jump on a similar Accellion zero-day flaw.

Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw

Indicators point to Twitter's source code being publicly available for around three months, offering a developer security object lesson for businesses.

Some of Twitter's proprietary source code had been publicly available on Github for nearly three months, according to information gleaned from a DMCA Takedown request filed on March 24.

GitHub is the world's largest code hosting platform. Owned by Microsoft, it serves more than 100 million developers and contains nearly 400 million repositories in all.

On March 24, GitHub honored a Twitter employee's request to remove "proprietary source code for Twitter's platform and internal tools." The code had been published in a repository called "PublicSpace," by an individual with the username "FreeSpeechEnthusiast." The name is an apparent reference to Elon Musk's _casus belli_ for taking over Twitter back in October (a philosophy which has been unevenly implemented in months since).

The leaked code was contained in four folders. Though inaccessible as of March 24, some of the folder names — like "auth" and "aws-dal-reg-svc" — seem to give some hint at what they contained within.

    

Source: TorrentFreak

According to Ars Technica, FreeSpeechEnthusiast joined Github on Jan. 3 and committed all the leaked code that same day. That means, in all, the code was entirely accessible to the public for nearly three months.

**How Enterprise Source Code Leaks Happen**

Major software companies are built on millions of lines of code and every so often, for one reason or another, some of it can leak.

"Bad actors, of course, play a major role," says Dwayne McDaniel, developer advocate for GitGuardian. "We saw it last year in cases like Samsung and Uber involving the Lapsus$ group."

Hackers aren't always a part of the story, though. In Twitter's case, circumstantial evidence points to a dissatisfied employee. And "a good deal of it also comes from code ending up where it does not belong unintentionally, as we saw with Toyota, where a subcontractor made a copy of a private codebase public," he adds. "The complexity of working with git and CI/CD combined with an ever-growing number of repos to deal with for modern applications means code on private repos can become public by mistake."

**The Problem of Source Code Leaks for Enterprises**

For Twitter and companies like it, source code leaks can be a much bigger problem for cybersecurity than copyright infringement. Once a private repository becomes public, all kinds of harm can follow.

"It's important to remember that source repositories often contain more than just the code," notes Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Center. "You'll find test cases, potentially sample data along with details on how the software should be configured."

There may also be sensitive personal information and authentication information hidden in the code. For example, "for some applications that are never intended to be shipped to customers, the default configuration contained in the source code repository might just be the running configuration," Mackey says. Hackers can use stolen authentication and configuration data to carry out bigger and better attacks against the victim of a leak.

That's why "companies should adopt a more secure secrets management strategy, combining secrets storage with secrets detection," says GitGuardian's McDaniel. "Organizations should also audit their current secret\[s\] leakage situation to know what systems are at risk if a code leak does occur and where to focus prioritization."

But in cases where the leak comes from the inside — like Twitter's — even greater caution is warranted. It requires thorough threat modeling and analysis of an enterprise's source code management, says Mackey.

"This is important because if someone can trigger a source code leak, then they may also have the ability to change the source code," he says. "If you're not using multifactor authentication for access, enforcing limited access to only approved users, enforcing access rights, and access monitoring, then you may not have a full picture of how someone might exploit the assumptions your development teams have made when they secured their source code repository."

Twitter's Source Code Leak on GitHub a Potential Cyber Nightmare

From rising stars to veterans heading up research teams, check out our profiles of women making a big impact in cyber defense as the threat landscape expands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Women Leading the Charge in Cybersecurity Research & Analysis

Key vaults, aka key-management-as-a-service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.

As cloud infrastructure and compliance regulations become more complicated, companies are looking to simplify data security by adopting more pervasive encryption of sensitive data and consolidating key management into a single repository or service.

On March 22, email and file security firm Virtru became the latest data-protection firm to offer customers a single vault for key management, when it announced a private keystore that works with Google Workspace, Google Cloud, and the company's other products. The product manages encryption keys, configures policies, and allows audits of access to encrypted data.

Virtru had already offered encryption for email and files stored in the cloud, but the sensitivity of data and need for complying with government requirements led customers to ask for a "hold-your-own-key," or HYOK, capability, says Mike Morper, senior vice president of product at Virtru.

"We have customers that have come to us, who ... want to ensure absolutely no entity other than the intended recipient has access to \[a particular piece of\] information," Morper says. "We first started hearing this rooted in a lot of data-sovereignty conversations, particularly with some of our customers in Europe ... and it was paramount to them that they would have the ability to manage their own private keys."

As companies increasingly look to protect data with pervasive encryption, consolidated key management is coming into its own. Currently, 62% of companies have an encryption policy that is consistently applied, up from 50% in 2021, but more than half of companies still have trouble identifying all sensitive data, and 59% of businesses find key management to be very painful, according to Entrust's "2022 Global Encryption Trends Study."

Moreover, a set of headaches — including managing keys, limiting who can access data, and auditing that access — have grown more severe as companies need to comply with privacy regulations from multiple countries and ensure the security of data across multiple clouds, says Kevin McKeogh, vice president of product management for data protection solutions at Entrust.

"Encrypting data is easy. Managing the keys that are used to encrypt the data is what becomes increasingly challenging for organizations as they scale operations," he says. "With a growing volume of data now processed across distributed systems — on-premises and in multicloud environments — organizations need to maintain control of the keys to ensure data is protected and available to the applications that need to use the data, and to stay compliant to regulations."

**Key Management Plus Granular Access Control**

Take the move to multiple clouds — a significant operational challenge for data protection systems. By 2024, international data residency and privacy requirements will push more than 40% of organizations to adopt a third-party, multicloud key-management-as-a-service (KMaaS) offering instead of relying on the bespoke key management services offered by many cloud providers, states a Gartner report on KMaaS offerings commissioned by Thales, a data-protection provider.

The challenge of managing encrypted data, permissions, and access lists across multiple clouds and their associated key management systems has resulted in at least half of companies encrypting less than 40% of their sensitive data in the cloud, according to the "2022 Thales Data Threat Report."

"The typical enterprise has at least five different key managers deployed, so key sprawl is an issue," says Todd Moore, vice president of encryption products at Thales. "This complicates things like key rotation and retiring keys. The best practice is to have one centralized key management platform that can support the vast majority of your key management operations."

A central vault for sensitive keys can help make even complex situations simpler. This year, for example, at least 81% of companies are expected to use multiple cloud infrastructures, up from 60% in 2022, according to Forrester Research's "Unlocking Multicloud's Operational Potential" report, commissioned by secrets management firm HashiCorp. For those companies, encrypting data across cloud services and using a centralized vault to manage access to that data through keys allow for more control.

In addition, companies that rely on a single cloud provider's key management solution may be at greater risk. Privacy and data-protection regulations, such as the European General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), explicitly require — or heavily imply — that encrypting sensitive data is necessary and that self-custody of keys is preferred, says Andy Manoske, principal product manager for cryptography and security at HashiCorp.

"This is especially the case if data sovereignty requirements attempting to protect against a privileged adversary within a client's cloud service infrastructure are at play," he says. "While an adversary may not be able to compromise that key management system, they could render it inoperable if they have privilege within a single cloud hosting both data encryption and key management."

**Private Keystore or Key Management as a Service?**

While a private keystore is a solution, it is not the only one. Key-management services that provide HYOK can satisfy government regulations and business security requirements, while still giving companies the expertise and support they need to manage a complex task. Keys need to be protected, but defenders must understand the company's threat model and what types of attacks are likely in order to best select the appropriate encryption technologies.

Deploying encryption and maintaining a private keystore require some deep expertise within a company, Manoske says.

"Private keystores usually provide flexibility in how keys are retrieved and used for cryptography — a flexibility usually necessary when deploying cryptography within high-performance applications with significant automation," Manoske says. "This flexibility comes at the cost of usually requiring more sophistication from the defender in protecting against side-channel attacks — attacks that 'go around' the mathematical protections of cryptography to tamper with or steal keys."

While a company can retain ownership of critical keys, some KMaaS offerings can simplify the business' data security and provide necessary capabilities, such as access control and auditability, says Virtru's Morper.

"That's the hard part and, frankly, probably where the preponderance of adoption and friction come into play," he says. "So it really starts to become a balance for organizations. It's a security-policy decision and a business decision they need to make — what level of friction is appropriate and against what degree of risk?"

Drive to Pervasive Encryption Boosts Key Management

Don't assume stakeholders outside security understand your goals and priorities, but consider how you'll communicate with them to gain their support.

In the two decades I've spent in cybersecurity, I've observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization's security measures before attackers exploit them. We fight.

The combative mindset of security professionals finds its way into our interactions with colleagues within our organization. We witness and sometimes contribute to conflicting opinions regarding the urgency with which security issues should be addressed, and we disagree on the best ways to address security risks. And we fight for a share of the budget that might shrink if other departments' needs are prioritized above our own.

This cybersecurity vs. everyone way of operating is counterproductive because it contributes to security professionals being seen as detractors and distractors. To succeed in today's workplace, we must operate as business enablers, not blockers. We can do this by adjusting our mindset, developing empathy for the role and objectives of colleagues throughout the organization, and communicating security benefits in business terms.

**Collaboration: The Future of Security**

Security teams are often seen as separate entities by the rest of the organization. To increase integration and understanding, all teams at the company need to have open conversations about their shared goals and objectives. After all, each team may have different skill sets and roles, but both ultimately want the organization to succeed. 

Start here: Have those in each team define what success looks like to them. Then look at how that can be achieved within the context of broader business objectives. Differences are OK and expected, but finding the thread that ties us together is the only way to find common ground. Looking at wider business objectives makes it easier to understand how teams can work together to shift the organization closer to those goals.

Agreeing on shared objectives — while recognizing each team's unique roles and interdependencies — will allow everyone to collaborate more smoothly.

**Invest in Persuasion, Communication for Security Buy-in**

Like it or not, cybersecurity leaders often have to work harder than others to justify our presence and initiatives. Yet our initiatives often span multiple departments and depend on buy-in from other executives. Therefore, we need to put extra care into how we persuade and communicate outside the security team to get support for our efforts.

To gain others' support for a security request or project, there are multiple considerations.

*   **Who needs persuading?** Understand the dependencies of your security effort to determine which teams — and which specific individuals — are stakeholders in your effort. Depending on whether they'll be initially supportive or skeptical, you'll need to tailor your communications accordingly.

*   **What are their objectives?** Presumably, you already understand why you're pursuing a particular security project, but how does it support the needs of your stakeholders outside security? Understand what's important to them, so they'll be more inclined to support you.

*   **What do they need to know?** Some want to see technical details, but not everyone. Some people focus on costs, others on revenue, others don't think in financial terms at all. Present the information appropriate for the individual to get their buy-in.

*   **Why should they trust you?** Whether you're seeking funding, expertise, or time from others, consider how you'll demonstrate that their support will not go to waste. To signal credibility, present metrics from earlier security projects or point to your initiatives that succeeded in the past.  

Instead of assuming that others understand what you're looking to achieve and why the effort is important, consider what steps you'll take to persuade and communicate with non-security stakeholders to gain their support.

**Link to Business Needs in Budget Discussions**

The importance of positioning security in business, rather than technology terms is most important during budget discussions. While it's good news that cybersecurity is one area where spending remains fairly stable, any security leader needs to firmly justify their requests.

Start by answering the persuasion and communication questions above to establish the foundation for your budget discussion with the CFO or other relevant parties. 

Next, understand the business scenarios that the company is considering for its next year: Is the organization expecting its revenue to shrink? Will some product lines likely expand? Any changes in the geographic regions the company services? Can you expect business as usual, or will the company's activities likely to experience significant disruption?

Continue by outlining your security objectives, then link them to the company's business objectives. Since the exact future is unknown, be prepared to discuss how your requests might change based on the scenario in which your company might find itself. For example, if the firm might open an office in a new country, you might need to hire a security person to support that region. Or if your firm will introduce a new product, you might need to fund the training of your application security team in the corresponding technologies.

Be ready to not only clarify how the security expense item benefits the company but also why now is the time to invest in that project, person, or initiative. Explain how the company might be affected if that item doesn't get funded, but do so without spreading fear, uncertainty, and doubt, which often dominate security discussions with stakeholders.

Cybersecurity vs. Everyone: From Conflict to Collaboration

The joint partnership represents expanded market opportunities.

**BETHESDA, Md.****,** **March 24, 2023** **/PRNewswire/ --** Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to combine their unique offerings to address the rapidly increasing threat to critical infrastructures around the world. This partnership couples the CyberSecure IPS Manhole Protection System with Lockdown's suite of security devices to strengthen the Defense in Depth (DiD) critical infrastructure security portfolio. This combination presents a series of defensive mechanisms which are layered in order to protect valuable data and information. In the unlikely event one mechanism fails, another is triggered immediately to thwart an attack. This multi-layered approach with intentional redundancies increases the security of a system as a whole and addresses many different attack vectors.

"Our emphasis in developing time-tested software disciplines for the critical infrastructure/enterprise market is a natural fit for the products and services pioneered by LockDown. Our software already meets government-standards for the broad-based cyber-physical security sector. Working together with David and the LockDown team we can ensure current and new customers have access to the industry's leading capabilities, taking our customer focus to another level," states Scott Rye, CEO and Co-Founder of CyberSecure.

David Barton, VP of LockDown, continues, "Our company's founding and growth reflects a focus on solving customer problems at each turn. We see this strategic alliance as a springboard to expand our addressable customer market building upon our long history within underground infrastructure and government installations. CyberSecure's industry leading software solutions and Manhole Protection System will ensure that customers truly have confidence to meet the ever-growing requirements for best-of-breed security."

Scott concluded, "Aligning with LockDown as every area of critical infrastructure demands greater capabilities just makes good business sense. We together can now address Power systems, Chemical, Energy, Telecommunications and a host of critical infrastructure sectors in a way that brings complete one-stop solutions to the table for security officers and their Boards."

**About CyberSecure IPS**

A global leader in the cybersecurity space, CyberSecure IPS constantly innovates its suite of patented software and hardware solutions which integrate to bring the physical realm under constant surveillance and provide holistic protection. The most advanced national governments and biggest data centers worldwide look to CyberSecure IPS to protect their critical infrastructure. Learn more at cybersecureips.com.

**About Lockdown Inc.**

LockDown Inc. is the most trusted and installed provider of infrastructure security devices in the world. We have installed 100,000+ devices at more than 150 military bases and hundreds of other secure locations in 30+ countries. Since 1996, we have secured infrastructure at major universities, data centers, telecoms, municipalities, utilities, corporations and manufacturers. Our devices even secure the White House and the Pentagon. Learn more at https://lockdowninc.com

CyberSecure Announces Strategic Alliance

In two days, ethical researchers from 10 countries have unearthed more than 22 zero-day bugs in a wide range of technologies at the annual hacking contest.

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle's safety and other components.

One of the exploits involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on Tesla's Gateway energy management system. They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The less than two-minute attack fetched the researchers a new Tesla Model 3 and a cash reward of $100,000.

The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities that researchers from 10 countries uncovered during the first two days of the three-day Pwn2Own contest this week.

**Gaining Deep Access to Tesla Subsystems**

In the second hack, Synacktiv researchers exploited a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset to break into Tesla's infotainment system and, from there, gain root access to other subsystems. The exploit garnered the researchers an even bigger $250,000 bounty and Pwn2Own's first ever Tier 2 award — a designation the contest organizer reserves for particularly impactful vulnerabilities and exploits.

"The biggest vulnerability demonstrated this year was definitely the Tesla exploit," says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which organizes the annual contest. "They went from what's essentially an external component, the Bluetooth chipset, to systems deep within the vehicle."

Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. Tesla head units are the control unit of the car's infotainment system and provide access to navigation and other features.

**A Slew of Zero-Day Bugs**

Some of the other significant discoveries included a two-bug exploit chain in Microsoft SharePoint that fetched Singapore-based Star Labs $100,000 in rewards, a three-bug exploit chain against Oracle Virtual Box with a Host EoP that earned Synacktiv researchers $80,000, and a two-bug chain in Microsoft Teams for which researchers at Team Viette received $75,000.

The bug discoveries have fetched the researchers a total of $850,000 in winnings. ZDI expects that payouts for vulnerability disclosures will hit the $1 million mark by the end of the contest — or about the same threshold as last year. "We're heading towards another million-dollar event, which is similar to what we did last year and slightly larger than what we did at our consumer event last fall," Childs says.

Since launching in 2007 as a hacking contest largely focused on browser vulnerabilities, the Pwn2Own event has evolved to cover a much broader range of targets and technologies including automotive systems, mobile ecosystems, and virtualization software.

At this year's event, researchers, for example, had an opportunity to take a crack at finding vulnerabilities in virtualization technologies such VMware and Oracle Virtual Box, browsers such as Chrome, enterprise applications like Adobe Reader and Microsoft Office 365 Pro Plus, and server technologies such as Microsoft Windows RDP/RDS, Microsoft Exchange, Microsoft DNS, and Microsoft SharePoint.

**A Wide Range of Hacking Targets**

The available awards in each of these categories varied. Eligible exploits and vulnerabilities in Windows RDP/RDS and Exchange for example qualified for rewards of up to $200,000. Similarly, VMware ESXi bugs fetched $150,000, Zoom vulnerabilities qualified for $75,000, and Microsoft Windows 11 bugs earned $30,000.

Vulnerabilities in the automotive category — unsurprisingly — offered the highest rewards, with a total of $500,000 available for grabs to researchers who unearthed bugs in Tesla's systems, including its infotainment system, gateway, and autopilot subsystems. Researchers had an opportunity to try their hand against the Model 3 and Tesla S. Those who found ways to maintain root persistence on the car's infotainment system, autopilot system, or CAN bus system had the opportunity to earn an additional $100,000. The total offered payout of $600,000 is the largest amount for a single target in Pwn2Own history.

Ironically, the browser category, which is what Pwn2Own was all about in its early years, drew no researcher interest this year. "We're seeing about the same level of participation as in years past with the exception of the browser category," Childs says. "No one registered for that, and we can only speculate on why that is."

So far, in the 16 years that the event has been around, researchers have discovered a total of 530 critical vulnerabilities across a range of technologies and received some $11.2 million for their contribution.

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

GitHub hastens to replace its RSA SSH host key after an exposure mishap threatens users with man-in-the-middle attacks and organization impersonation.

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of the encryption scheme in an open GitHub repository.

While some may jump in alarm, assuming that the private keys were exposed due to the malicious intent of a threat actor, in truth, this occurred because of human error. There are private and public versions of SSH keys, and though public keys can be shared or published, it's essential that private keys are kept ... well, private. Though GitHub has not disclosed who published the keys or where they were published, administrators posted on their blog explaining the situation.

"This week, we discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes," GitHub stated in the blog post.

GitHub replaced the RSA SSH host key to protect their users from the possibility that an adversary had seen the private key. Threat actors could use it to monitor users' operations or impersonate GitHub for follow-on attacks. 

The blog post explained that the change does not affect any customer data, requires no change for ECDSA or Ed25519, or the infrastructure of GitHub — only the operations "over SSH using RSA."

If users see a warning message, they'll need to remove old keys by way of three options: manually updating the file to remove the old entry; running a new command that GitHub listed on its blog; or via automatic updates if those are turned on. Once users see the fingerprint that reads "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s," they will have verified that their hosts are connected to the new RSA SSH key.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading