Why bother with new tactics and exploits when the old tricks are still effective?

Cybercriminals targeting the retail and hospitality industry are sticking to tried and tested threat vectors, such as credential harvesting and phishing, according to analysis by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

An ISAC is an industry-specific organization that acts as a centralized repository of information on threats affecting a specific industry sector. Member organizations share threat intelligence and mitigation information, with the idea that organizations can prepare their defenses better if they know the kinds of attacks their peers are experiencing.

The "RH-ISAC Intelligence Trends Summary," which encompasses information shared by member organizations from May to August, highlights shifts in the threat landscape for the retail, hospitality, and travel sectors. Credential harvesting was "by far the most prevalent reported threat," at 63%, according to the report. Suspicious domains were the second most prevalent, at 16%. Other threat indicators reported by members include malicious domains (3%), botnets (3%), and adversary-in-the-middle attacks (4%).

Ten malware families made up 81% of total reports the RH-ISAC tracked during the four-month period, of which Emotet was the most prevalent. While it's possible that the rise in Emotet-related reports could be connected to member organizations' focusing more on Emotet defense, it also suggests that Emotet activity is "once again steady after the group's reemergence earlier this year," the report says.

RH-ISAC isn't just about reporting threat indicators — member organizations also share information about specific threat topics. The "Top Sharing Trends" graph is an indicator of what kinds of threats organizations are most concerned about.

    

Credential harvesting remains the most common threat shared by members, at 43%, followed by phishing, at 16%. Information about malware attacks — namely Agent Tesla, Formbook, and Emotet — made up 31% of the threats shared by members.

The "Top Sharing Trends" graph outlines the frequency of sharing regarding a threat topic, while the "Top Reported Trends" graph shows the volume of threat indicators shared related to a given topic, according to RH-ISAC.

Credential Harvesting Is Retail Industry's Top Threat

A boom in artificial intelligence-powered detection and remediation tools pushes security spending to the top of the AI market, according to Forrester.

By 2025, the artificial intelligence (AI) software market will expand from 2021's $33 billion to $64 billion, according to a new report. And cybersecurity is the fastest-growing category of AI spend, experiencing a rise in spending of 22.3% compound annual growth rate (CAGR).

That's according to the "Global AI Software Forecast 2022" from Forrester Research. "Cybersecurity is the fastest AI software growth category, with a focus on the real-time monitoring of and response to attacks," the report states. The next two categories, customer and human capital management (22%) and process optimization, knowledge, and data intelligence (18.3%), also have cybersecurity elements, so the impact on security tool makers could be even more significant.

This comports with the emphasis companies have placed on their AI-enhanced software and services. For example, credit behemoth Visa revealed it has spent a half-billion dollars on data analytics and AI in the past five years. It's using those tools, along with conventional cybersecurity measures, to keep the fraud rate at what Visa calls historic lows despite e-commerce growth.

Organizations can deploy AI for cybersecurity anywhere there's repetitive actions and expected behavior, including attack surface management, extended detection and response (XDR), and user and entity behavior analytics (UEBA). Forrester calls out SentinelOne as a prime example of an XDR success story, pointing out the company's 120% year-over-year revenue growth in fiscal 2022. In March, SentinelOne added identity threat detection and response to its platform when it acquired Attivo Networks.

An AI tool can learn what normal activity from a particular device or account is and then flag when that endpoint is acting outside of the norm. Such automated detection is invaluable, considering the impossibility of staffing sufficiently to have human eyes watching every part of the network. And researchers are finding ways to apply large language models like GPT-3 to practical tasks, such as tracing networks of exploit forums. To provide some perspective on such developments, Dark Reading released a report in September, "How Machine Learning, AI & Deep Learning Improve Cybersecurity," about how to assess a vendor's AI claims and define its success criteria.

One hitch in AI's gallop is the challenge of setting up a system so that it flags what is necessary for human analysts to assess without creating alert fatigue. A survey earlier in 2022 revealed that almost half (46%) of IT security staff said their AI systems created too many false-positive alerts for them to address. An optimist would see the false-positive problem as an opportunity for growth, however, opening up a new market for fine-tuning services.

For more insights, visit the Forrester Research blog entry about the report.

Cybersecurity Will Account for Nearly One-Quarter of AI Software Market Through 2025

Current and former employees and members are being offered complimentary credit monitoring and
identity protection services as some personal information may have been accessed.

**ATLANTA, Oct. 7, 2022 /PRNewswire/** — The State Bar of Georgia announces that it  
experienced a cybersecurity incident that resulted in unauthorized access to its  
systems. Since learning of the incident, the State Bar worked to restore its  
systems safely and resume normal operations.

The State Bar investigated the incident, and a third-party cybersecurity firm  
was engaged to assist in that investigation. Law enforcement and regulators were  
notified. The investigation revealed that an unauthorized person gained access  
to the State Bar systems. Through its investigation, the State Bar determined  
that some personal information of its current and former employees as well as  
its members may have been subject to unauthorized access. Although the State Bar  
had security protocols and technology in place to help prevent unauthorized  
access, the unauthorized person was able to evade some of these defenses. The  
State Bar determined that the following personal information may have been  
accessed by an unauthorized person during the incident: name, address, date of  
birth, Social Security number, driver's license number, direct deposit  
information, or name change information.

The State Bar understands the concern this incident may cause for individuals  
whose personal information was involved. As a result, current and former  
employees and members are being offered complimentary credit monitoring and  
identity protection services through TransUnion. These identity protection  
services include credit bureau monitoring and $1,000,000 in identity theft  
insurance. For more information on TransUnion, including instructions on how to  
activate the complimentary membership, as well as some additional steps  
individuals may take to protect their personal information, please visit the  
State Bar website and look for the link to "Cybersecurity Incident":  
https://www.gabar.org/ . The deadline to enroll in the complimentary monitoring program is Jan. 31, 2023.

The State Bar encourages everyone to remain vigilant by reviewing their account  
statements and credit reports for any unauthorized activity. If individuals see  
charges or activity they did not authorize, please contact the relevant  
financial institution or the credit bureau reporting the activity immediately.

The State Bar has established a dedicated call center to help answer any  
questions customers may have about the incident or how to sign up for these  
services. Please call (844) 565-0052, Monday through Friday, between 8:00 a.m.  
and 8:00 p.m. Eastern Time (excluding major U.S. holidays) for more information.

The State Bar regrets any inconvenience or concern this incident may have caused  
and looks forward to continuing to serve its members. The State Bar takes its  
responsibility to safeguard the information entrusted to it seriously. Since  
learning of this incident, the State Bar has enhanced its security protocols and  
technology to prevent unauthorized access to its systems.

**About the State Bar of Georgia**

The State Bar of Georgia exists to foster among the members of the Bar of the  
State of Georgia the principles of duty and service to the public; to improve  
the administration of justice; and to advance the science of law. All persons  
authorized to practice law in the State of Georgia are required to be members.  
The State Bar has strict codes of ethics and discipline that are enforced by the  
Supreme Court of Georgia through the State Bar's Office of the General Counsel.  
Membership license fees and other contributions help the State Bar provide  
programs that are mutually beneficial to its members and the public.

**SOURCE:** State Bar of Georgia

State Bar of Georgia Notifies Members and Employees of Cybersecurity Incident

The bug is under active exploitation; Fortinet issued a customer advisory urging customers to apply its update immediately.

UPDATE

A Fortinet bug disclosed last week is now under active exploitation. 

Fortinet on Friday warned that users of its FortGate firewall and FortiProxy Web proxies should apply the latest updates to their products ASAP due to a critical vulnerability that could allow an attacker to bypass authentication to the products' administration interfaces. 

On Monday, the security firm updated the advisory to note that it's now aware of instances of the bug being exploited in the wild.

An exploit would in effect give an attacker administrative control of the network devices. The flaw, CVE-2022-40684, affects FortiOS versions 7.0.0 to 7.06 and 7.20 to 7.2.1, and FortiProxy versions 7.0.0 to 7.0.6 and 7.2.0, and could allow an attacker to use "specially crafted HTTP or HTTPS requests" to execute admin operations, according to Fortinet.

"Due to the ability to exploit this issue remotely Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its advisory, which was cited on Twitter.

SANS Internet Storm Center (ISC), which reported the advisory, provided additional advice: "If you have Fortinet products managed by a 3rd party, we also recommended you to cross-check with them to ensure the upgrade will be performed," SANS Interior Storm Center handler Xavier Mertens said in a post in the ISC Diary.

“We are committed to the security of our customers. Fortinet recently distributed a PSIRT advisory (FG-IR-22-377) that details mitigation guidance for customers and recommended next steps," according to a Fortinet media statement. "We continue to monitor the situation and have been proactively communicating to customers, strongly urging them to immediately follow the guidance provided in connection with CVE-2022-40684.”  

**_This article was updated at 2 p.m. on Oct. 10 to include information on the bug's active exploitation in the wild, and at 11 a.m. Oct. 11 to include Fortinet's media statement._**

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Patch Now: Fortinet FortiGate & FortiProxy Contain Critical Vuln

The group has been operating for over a year, promoting their tools in hacking forums, stealing credit card information, and using typosquatting techniques to target open source software flaws.

The LofyGang threat group is using more than 200 malicious NPM packages with thousands of installations to steal credit card data, and gaming and streaming accounts, before spreading stolen credentials and loot in underground hacking forums.

According to a report from Checkmarx, the cyberattack group has been in operation since 2020, infecting open source supply chains with malicious packages in an effort to weaponize software applications.

The research team believes the group may have Brazilian origins, owing to the use of Brazilian Portuguese and a file called "brazil.js." which contained malware found in a couple of their malicious packages.

The report also details the group's tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community using the alias DyPolarLofy and promoting their hacking tools via GitHub.

"We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers," the Friday report noted.

**LofyGang Operates With Impunity**

The group has deployed tactics including typosquatting, which targets typing mistakes in the open source supply chain, as well as "StarJacking," whereby the package's GitHub repo URL is linked to an unrelated legitimate GitHub project.

"The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package's Git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity," the report stated.

The ubiquity and success of open source software has made it a ripe target for malicious actors like LofyGang, explains Jossef Harush, head of Checkmarx's supply chain security engineering group.

He sees LofyGang's key characteristics as including its ability to build a large hacker community, abusing legitimate services as command-and-control (C2) servers, and its efforts in poisoning the open source ecosystem.

This activity continues even after three different reports — from Sonatype, Securelist, and jFrog — uncovered LofyGang's malicious efforts.

"They remain active and continue to publish malicious packages in the software supply chain arena," he says.

By publishing this report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hack tools.

"Attackers count on victims to not pay enough attention to the details," he adds. "And honestly, even I, with years of experience, would potentially fall for some of those tricks as they seem like legitimate packages to the naked eye."

**Open Source Not Built for Security**

Harush points out that unfortunately the open source ecosystem was not built for security.

"While anybody can sign up and publish an open source package, no vetting process is in place to check if the package contains malicious code," he says.

A recent report from software-security firm Snyk and the Linux Foundation revealed about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks.

However, the report also found that those who have such policies in place generally exhibit better security — Google is making available its process of vetting and patching software for security issues to help close avenues to hackers.

"We see attackers take advantage of this because it's super easy to publish malicious packages," he explains. "The lack of vetting powers in disguising the packages to appear legit with stolen images, similar names, or even referencing other legitimate Git projects' websites just to see they get the other projects' stars amount on their malicious packages pages."

**Heading Toward Supply Chain Attacks?**

From Harush's perspective, we're reaching the point where attackers realize the full potential of the open source supply chain attack surface.

"I expect open source supply chain attacks to evolve further into attackers aiming to steal not only the victim's credit card, but also the victim's workplace credentials, such as a GitHub account, and from there, aim for the bigger jackpots of software supply chain attacks," he says.

This would include the ability to access a workplace's private code repositories, with the capability to contribute code while impersonating the victim, planting backdoors in enterprise grade software, and more.

"Organizations can protect themselves by properly enforcing their developers with two-factor authentication, educate their software developers to not assume popular open source packages are safe if they appear to have many downloads or stars," Harush adds, "and to be vigilant to suspicious activities in software packages."

LofyGang Uses 100s of Malicious NPM Packages to Poison Open Source Software

Today, the processing of mountain-high stacks of alarms is considered "security." That system is failing customers and the cybersecurity workforce.

In one of my first jobs, I worked as a file clerk. I would arrive early in the morning to be greeted by a mountain-high stack of manila folders to process. I would spend the day knocking down the pile, only to be greeted by a new one the next day. It was clear that I was never going get ahead in that job.

Recently, I read a cybersecurity provider's infographic that depicts the logs from 350,000 machines feeding a security information and event management (SIEM) system, resulting in a data lake consisting of 1.1 billion security events. An artificial intelligence detection layer, employing thousands of algorithms, processes those billions of events into an investigation layer and visualization platform.

My first thought was, it's that clerk job all over again! How can a security operations center (SOC) team possibly get ahead in this environment? At a time when SOCs are more critical than ever, SOC analysts have never been stretched so thin from the relentless, reactive, and "always on" mode their job demands. As a result, the cybersecurity industry is in danger of losing a generation of talented analysts because of low morale, crushing workloads, and new security products that are built upon outdated approaches.

There is already a well-documented shortage of qualified security personnel today. According to the "(ISC)2 Cybersecurity Workforce Study," the shortage is estimated to reach 2.72 million globally. Increased workloads are a major contributor to burnout in our industry. In a survey conducted last fall, 51% of professionals surveyed were kept up at night by the stress of their jobs, and nearly half were working more than full-time hours.

Security teams are drowning in a sea of alert fatigue, incident response workload, and false positives. In today's cybersecurity ecosystem, the processing of mountain-high stacks of alarms is considered "security." That system is simultaneously failing customers and the cybersecurity workforce. Indeed, a recent study shows 45% of all daily security alerts are false positives, and 75% of organizations spend an equal amount — or more — on false positives than on legitimate attacks. In a multicontinent survey of security experts, 74% claimed their volume of false positives was steady or rising and 26% shared they "turn off alerts because they are too noisy." It comes as no surprise, therefore, that in 2022, many IT professionals are leaving their jobs — and the industry entirely.

Cybersecurity professionals are charged with protecting vital business as well as personal and national interests. With the average cost of a data breach now at an all-time high of $4.35 million and 83% of organizations having experienced more than one breach, the impact these professionals bring to the business is clear. A dearth of qualified people will only make the challenges of maintaining our vital interests more difficult, creating a terrible cycle. Providing the best work environment possible to retain and attract highly skilled professionals must become our highest priority as it is essential for long-term business success.

**Better Tools**

The problem cannot be solved by raising a few salaries. Instead, a transformative new approach is needed in which cybersecurity professionals have access to better tools and technologies so they can apply their talents and energies to address their actual priorities instead of chasing seemingly endless false positives and security alerts that lead nowhere and do not result in better organizational security. Not only will such a cybersecurity workforce be more fulfilled, but they will also be able to maintain a realistic work-life balance as well as deliver tangible value to business. Without this twofold approach to industry reform, we will continue to see the best and the brightest reconsider their chosen field and look elsewhere for opportunity, resulting in a massive destabilization of infrastructure.

We must immediately embrace new approaches that focus on prevention at scale and offer technologies that dramatically reduce incident response and false alerts. As singer-songwriter John Mayer describes gravity, "Twice as much ain't twice as good." Reducing the flood of alerts will make room for much-needed focus. Embracing a preventative approach will free up cybersecurity professionals to address their real priorities: protecting their clients, defeating malicious attackers, maintaining secure business continuity, and delivering more business value.

Cybersecurity professionals should be outthinking and outmaneuvering adversaries rather than being mired in alerts. The resulting security and protection will provide even more benefit to their organizations. It is possible to create a future for the cybersecurity industry that allows professionals to lead balanced lives while maintaining fulfilling careers without sacrificing the safety of critical networks.

Even though cyber threats continue to evolve and increase, forward-leaning organizations that embrace new, preventive approaches are benefiting from superior security, better business results, and meaningful, impactful work for their talented cybersecurity professionals. Employ a new preventative approach. Reduce the noise. Create better outcomes. Retain your best talent.

We Can Save Security Teams From Crushing Workloads. Will We?

Some 400 mobile apps have posed as legitimate software on Google Play and the Apple App Store over the past year, and were designed to steal Facebook user credentials.

Facebook is contacting about 1 million users of its platform about their account details potentially being compromised by malicious Android or iOS applications.

In a blog post on Oct. 7, Facebook's parent company Meta said its researchers had detected 400 malicious Android and iOS apps over the past year that were designed to steal usernames and passwords belonging to Facebook users and to compromise their accounts. The poisoned apps were uploaded to Google's and Apple's app stores and masqueraded as legitimate games, VPN services, photo applications, and other utilities.

When users downloaded and attempted to use one of the malicious apps, it would prompt them to enter the user's Facebook username and password. If a user entered their credentials, attackers would gain full access to the individual's account, private information, and their friends on the social media platform, Meta said.

"This is a highly adversarial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores," David Agranovich, Meta's director of threat disruption, and Ryan Victory, malware discovery and detection and engineer, wrote in the blog post. 

Meta reported the apps to Apple and Google, and the researchers noted, "We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials and are helping them to secure their accounts."

**Posed as Legitimate Apps**

Many of the iOS and Android apps that Meta detected on Apple and Google's mobile stores purported to have some fun or useful functionality, like music players and cartoon image editors. A plurality (42%) posed as photo editors, some of which claimed they could turn a user's photo into a cartoon. 

About 15% purported to be business utilities, such as VPNs that claimed to help users access blocked content and websites or to boost their Internet browsing speeds; 14% were phone utilities, such as flashlight apps that purportedly helped brighten the phone's flashlight. 

Mobile games accounted for about 11% of the 400 or so malicious apps that Meta's researchers discovered. Fake reviews might have helped boost the reputation of some of these apps and helped hide potential negative reviews of these apps, Meta said.

Facebook did not say how many of the 400 apps were Android-based. But Apple said that out of the 400 total apps mentioned in Meta's blog post, 45 were on iOS — leaving 355 for Android. 

A Google spokesman says all the apps identified in the Meta report are no longer available on Google Play. "Users are also protected by Google Play Protect, which blocks these apps on Android," he said.

Apple also confirmed that the apps were removed from the App Store.

**An Ongoing Issue

The issue of malicious apps finding their way into Google and Apple's official mobile stores is by no means new. Both companies have been dealing with the problem for years and have implemented numerous mechanisms for vetting third-party applications published to their stores. 

However, malware authors have consistently been able to sneak their apps in anyway. One tactic that attackers have commonly used to bypass Google and Apple's testing processes has been to separate the malicious capabilities of the software from the benign and using a dropper to install the malicious code later once the testing is complete.

Over the years, numerous vendors have reported discovering malicious apps disguised as legitimate software on both stores. One of the more recent examples is BitDefender's discovery of 35 malicious apps on Google Play that together had some 2 million downloads. The security vendor found some of the apps, which were designed to serve ads, renamed themselves after installation to make detection and removal harder. 

In July, Dr. Web reported discovering and reporting to Google nearly 30 adware Trojans on Google Play with combined downloads of more than 9.8 million.

While attackers have tended to target Play more heavily, there have been numerous similar instances on the Apple App Store as well. In September, Human Security's Satori research team reported on a massive ad-serving operation that involved dozens of malicious apps on Google Play and at least nine on the Apple App Store. Together, the apps were downloaded about 13 million times since at least 2019.

**

Meta Flags Malicious Android, iOS Apps Affecting 1M Facebook Users

Test methodologies published today, and their scope includes security effectiveness, performance, stability and reliability, and total cost of ownership.

**AUSTIN, Texas, Oct. 6, 2022 / PRNewswire/** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, will begin testing Enterprise Firewalls and Data Center Firewalls this fall with group test scores and ratings to be released in 2023. Test methodologies have been published at CyberRatings.org and are provided at no charge.

CyberRatings invites all leading vendors to submit their offerings to be tested for free. Products with significant market share, as well as challengers with innovative technologies, will be included at CyberRatings' discretion. The scope of the methodologies includes security effectiveness, performance, stability and reliability, and total cost of ownership.

Enterprise Firewalls (also known as Next Generation Firewalls) are one of the largest and most mature markets in the industry, projected to grow 10% year over year. A firewall is the first line of defense that monitors incoming and outgoing network traffic. Its purpose is to protect the network by allowing or blocking data packets based on a set of security rules. Without a firewall, networks and data can be vulnerable to thousands of attacks.

"While Cloud Firewalls and SASE are new categories that garner a lot of attention, the Enterprise Firewall market is vast, and while mature, is still growing. Most firewalls remain at the enterprise perimeter or data center," said Vikram Phatak, CEO of CyberRatings.org. "Our test methodologies are designed to address the challenges faced by enterprise security and IT professionals in selecting and managing security products. We welcome feedback from the community about which firewalls should be tested."

CyberRatings.org test reports are primarily reserved for members with a paid subscription. In observance of Cybersecurity Awareness Month and courtesy of Keysight CyPerf, CyberRatings.org is making its recent Cloud Network Firewall test reports for Fortinet, Forcepoint and Juniper Networks available for free. Additional products are currently being tested with ratings and a comparative report to be published in the coming weeks.

If you would like to see an Enterprise Firewall or Data Center Firewall product tested, please contact us at \[email protected\].

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org.

**SOURCE:**  CyberRatings.org

CyberRatings.org Invites Industry Participation in Forthcoming Enterprise Firewall and Data Center Firewall Tests

The infosec conference named after the UK's calling code returned this year with a focus on building a healthy community.

44CON -- London — After a two-year break, information security conference 44CON returned to London, where passionate security evangelists were joined by architects and managers from leading technology companies to enjoy a two-day festival of cybersecurity research from global headliners. From Sept. 15 to 16, people came to meet, do business, talk, and learn, with the 44CON crew providing fun, great food, and cybersecurity-themed entertainment.

It was a bit like the Babylon 5 of the UK infosec community.

I asked Adrian Mahieu, the founder of 44CON and the driving force behind the conference's resurrection, what motivated him to start up again post-COVID. 

"I wanted to make a conference that I'd like to go to, with some serious, in-depth technical talks \[and\] a few interesting sponsors that are not the usual suspects you'll see at other technical security conferences," he said. "But most interesting for me is getting people talking and learning from each other."  

This focus was apparent even in simple aspects, such as the way conference organizers devoted a large communal area to tabled seating, allowing attendees to share coffee, enjoy some excellent food, or just have impromptu birds-of-a-feather sessions. People at all stages of their cybersecurity careers were present, from eager recent graduates making connections to industry leaders talent-spotting and team-building, as well as a good number of people who justify the descriptor "expert."

Multiple industry sectors were represented, including broadcast entertainment and cloud service providers. "I tell vendors that all they need to bring is a backdrop for their exhibitors table," Mahieu explained. "I don't want those big palatial booths taking up the communal space. I want everyone to feel free to talk together!"

The evening's entertainment included a security communications wargame designed and hosted by innovative game developers Stone Paper Scissors. Threat Condition simulated the problems and issues that ensue after a reputationally damaging cyberattack and highlighted the consequential organizational and communication challenges. SPS designed what I think may be the best tabletop disaster-recovery scenario wargame I have ever seen.

One thing that differentiates 44CON from other conferences is its COVID-19 precautions. 44CON installed high-powered air purifiers throughout the venue to provide clean, breathable air for attendees.

**Chatham House Chats**

Discussions were held under the Chatham House rule, allowing people to speak and share their research freely. In that capacity, I was able to have an in-depth conversation with one of the world's cloud security experts. We discussed the type of events he sees and which ones are the "fire-alarm" events.

"Identity is always first," he said. "Our CIRT responds in minutes to a credential leak on a public source-code repository." 

When considering identity-first security, the joiners, movers, and leavers problem gets writ large, as all the cloud service provider sees is a token. 

"We're faced with a choice when tuning the token lifetime — too short, and the user experience becomes sucky with overly frequent login challenges; too long, and the token becomes vulnerable in such cases as endpoint theft," he said. 

Risk-assessing every transaction from the endpoint is possible. But given the breadth of activity for any cloud service user, this quickly crashes into security's scalability barrier.

Always curious about how the insider problem is evolving, I took the opportunity to ask how leading cloud service providers are addressing traditionally tricky problems, such as data loss prevention, and how that migrates in a cloud environment. Many security practitioners still have trouble converting their legacy mindsets into a cloud-native one. 

My security expert was eager to illustrate: "We see a common problem where a business application user will exfiltrate information to personal AWS buckets. This means that the cloud log is in their personal bucket, and the business has no visibility of it. However, there is a simple answer — we advise business customers to create a service-aware policy that limits bucket access to corporation-owned buckets."

What this means is that many security practitioners are still limited to legacy thinking and architectural models, a key indicator of which is when practitioners try to filter based on IP address, basically trying to re-create their traditional data center in a cloud service environment. Cloud instances are ephemeral by nature, allowing savvy architects and devs to create and destroy instances on demand. IP addresses just don't matter in this context.

**Participating and Presenting**

Capture-the-flag (CTF) events are a staple for many cybersecurity conferences, but 44CON had its own spin. This year's CTF was organized by Trace Labs, a Canadian not-for-profit organization that partners with law enforcement agencies to leverage the power of crowdsourced OSINT collection to assist in ongoing missing persons investigations. Instead of hurling their exploit kits at a target, contestants were invited to "use their powers for good" and take real missing persons cases and hunt for missing pieces of open source intelligence, or flags. The more flags a team finds, the more points they get, all the while helping to make the missing-persons database more complete.

And saving the best for last — the talks! Headlined by James Forshaw of Google Project Zero, superb presentations allowed all of us to learn about the latest in vulnerabilities and exploitation, whether you are a red or blue teamer. Erlend Andreas Gjære, co-founder and CEO of security training adviser Secure Practice, talked about the need for a human touch in cybersecurity, and the mysterious stranger identified only as "cybergibbons" explained how he took control of cruise ships, oil rigs, and other merchant navy vessels in a talk called "I'm the captain now!"

Last but not least was an inspiring talk by Thinkst founder and CEO Haroon Meer, who closed the conference by exhorting attendees to unleash their innovation and create security products that the world needs. Meer observed how many of the products currently on the market are snake oil, peddled by people who you wouldn't leave alone in your home with your grandmother. He also pointed out that the path to a profitable software-as-a-security business is simply to find something that 1,000 people will want to use — possibly the best advice to budding entrepreneurs since Ron Gula's five-slide pitch deck.

Sharing Knowledge at 44CON

Exploit allows unsigned and unnotarized macOS applications to bypass Gatekeeper and other security, without notifying the user.

New details about a known vulnerability in the macOS Archive Utility have emerged, showing that a cyberattacker armed with just the right specialty archive could exploit it to execute a malicious application while bypassing security checks — without the user ever being notified. 

The vulnerability, discovered by Jamf Threat Labs and tracked as CVE-2022-32910, affects the Archive Utility, an Apple tool that allows users to easily create and send archives. The team said it discovered the flaw during research into general archiving feature security. 

"Although our testing was done with Apple Archives, the same bypass can be achieved with other archive formats such as .ZIP archives, in which case the .ZIP file could be created while within the app directory," the disclosure noted. 

The Jamf team reported the macOS bug to Apple on May 31 and said Apple issued a patch on July 20 — but it's just now releasing technical details. Out-of-date end users should update to the latest macOS version to avoid compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading