**Note: With the holidays coming up soon, this will be the last Security News posting (outside of possible one-off posts by other Project Hyphae authors) until the week of January 9th, 2023. Have a great holiday season and we’ll see you all again in the new year! 🙂
FBI Warns That BEC Attacks Now Also Target Food Shipments
- According to a joint advisory from the FBI, FDA, and USDA, organizations in the food sector are now being targeted in business email compromise (BEC) attacks that aim to steal entire shipments of food. Recent attacks show threat actors going after physical goods rather than solely money. In some instances, threat actors not only receive the fraudulently ordered food shipments but also repack and resell the goods they obtained from food providers.
- Tactics used to achieve this include spoofing email addresses and domains, or using compromised email accounts belonging to legitimate companies, to order large shipments of food products that are never paid for. As a result, the advisory encourages both buyers and suppliers to take extra steps to protect their brand and reputation from malicious actors.
- The FBI, FDA, and USDA also offered additional protective actions that can be taken to mitigate BEC-related threats. These include training employees to identify fraudulent email addresses and domains, implementing user training and phishing testing for employees, and conducting web searches for fraudulent websites being used to impersonate your organization.
- Joint Advisory: https://www.cisa.gov/uscert/ncas/current-activity/2022/12/16/fbi-fda-oci-and-usda-release-joint-cybersecurity-advisory
3.5M IP Cameras Exposed, With US in the Lead
- According to research conducted by Cybernews, which looked at 28 of the most popular IP camera manufacturers, 3.5 million IP cameras were identified as being exposed to the internet, signifying an eightfold increase since April 2021.
- Most of the analyzed brands (covering 96.44% of the discovered cameras) force users to set a password or ship unique default passwords on their newest models and firmware versions. While this is a good trend, it doesn’t mean that all the cameras are safe: many of the cameras are older models or run outdated firmware, and those may still use default or weak passwords.
- According to the research, most public-facing cameras that might be using default credentials are operational in the United States, where Cybernews identified over 458,000 such devices. Following this were (in descending order) Vietnam, the United Kingdom, Mexico, and China.
Executives Take More Cybersecurity Risks Than Office Workers
- According to the software company Ivanti, who surveyed 6,500 executive leaders, cybersecurity professionals, and general office workers, 97% of leaders and security professionals reported that their organization is as prepared or more prepared to defend against cybersecurity attacks than they were a year ago. However, 1 in 5 don’t believe they can prevent a damaging breach.
- The report also revealed that leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
- Additionally, more than 1 in 3 leaders have clicked on a phishing link, nearly 1 in 4 use easy-to-remember birthdays as part of their password, leaders are much more likely to hang on to passwords for years, and they are 5x more likely to share their password with people outside the company.
How ChatGPT Can Turn Anyone Into a Ransomware and Malware Threat Actor
- ChatGPT, an artificial intelligence-based chatbot created by OpenAI, hasn’t been out long, but security researchers have already started to test its capacity to generate malicious code, among other content.
- The central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand, democratizing cybercrime.
- While ChatGPT does offer positive benefits for security teams, such as allowing for code review, by lowering the barrier to entry for cybercriminals it has the potential to accelerate complexity in the threat landscape more than it can reduce it.
- Examples of malicious use include creating realistic-looking phishing emails, using the tool to review code for potential zero-days, and coding in various languages like Swift or C++. While services like ChatGPT have safeguards against malicious use, such as declining to write shellcode or to give step-by-step instructions for creating it, these protections can be bypassed by rephrasing requests.
Top 5 Web App Vulnerabilities and How to Find Them
- Web applications, often delivered as Software as a Service (SaaS), are now the cornerstone for businesses all over the world. While many CTOs have an excellent understanding of how to build highly functional SaaS businesses, they may lack the knowledge of how to secure the web apps that underpin them.
- Five common web app vulnerabilities highlighted in the article are SQL injection, cross-site scripting (XSS), path traversal, broken authentication, and security misconfigurations.
- To test for these vulnerabilities, the article recommends using vulnerability scanners and penetration testing, so that these weaknesses can be addressed before they are exploited.
- CISA’s Free Web App Penetration Testing: https://www.cisa.gov/cyber-hygiene-services
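As an added illustration of three of the five flaws the article names (SQL injection, path traversal and XSS), the following Python shows each vulnerable pattern next to its hardened form. This is example code written for this post, not code from the article or from CISA; the in-memory users table, the base directory `/srv/app/uploads` and the probe inputs are all constructed for the demonstration.

```python
# Added example (not from the article): vulnerable pattern beside its fix for
# SQL injection, path traversal and cross-site scripting. All data is constructed.
import html
import os
import sqlite3
from typing import List, Tuple


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


# --- SQL injection -----------------------------------------------------------
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds the query by concatenation, so the input becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- Path traversal ----------------------------------------------------------
def resolve_under(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and refuse any result that leaves base_dir.

    realpath() collapses '..' segments and symlinks before the containment check,
    so the comparison is made on the path the OS would actually open. An absolute
    user_path is also caught, because os.path.join discards base_dir for it.
    """
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("requested path escapes the base directory")
    return target


# --- Cross-site scripting ----------------------------------------------------
def render_greeting_vulnerable(name: str) -> str:
    """Reflects the raw value into HTML; markup inside `name` becomes live markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-escape before interpolating; the value is displayed as text only."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = demo_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print("vulnerable:", find_user_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", find_user_safe(conn, probe))        # no row matches
    try:
        resolve_under("/srv/app/uploads", "../../etc/passwd")
    except ValueError as exc:
        print("traversal blocked:", exc)
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The point of the pairing is that each fix is structural rather than a blocklist: parameters keep data out of the query parser, `realpath` plus a containment check decides on the path the kernel would open, and `html.escape` turns every value into inert text regardless of what it contains. A scanner will flag the vulnerable forms; a code review should look for the safe forms.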
How Acceptable is Your Acceptable Use Policy?
- Work can take place almost anywhere, on any number of devices with employees never setting foot in physical offices. That’s why an acceptable use policy (AUP) is more critical than ever, not just to protect the organization, but to protect employees as well.
- An AUP needs to be auditable and enforceable, but it’s a tricky balance between protecting employees and making them feel like they’re working for an authoritarian regime. As such, it’s important to source feedback and have closer partnerships with HR and other functions in the business. Likewise, the AUP should be clear, concise, and easy to understand, not technobabble or legalese, which often comes down to word choice.
- While the security team should be the subject matter experts on what constitutes an infraction and the risk level of that infraction, disciplinary action should come from HR. Therefore, it’s vital for HR to be trained in and have a proper understanding of privacy and security.
- Last, when an organization is updating or evolving its AUP, the focus shouldn’t just be on what employees should not be doing, but on what the organization as a whole can do to create a culture of security. Knowing what will cause less friction, yet still be effective, is vital to advancing an AUP.
NIST Says You Better Dump Weak SHA-1 … by 2030
- The National Institute of Standards and Technology (NIST) says it’s time to retire Secure Hash Algorithm-1 (SHA-1), a 27-year-old weak algorithm used in security applications. While NIST’s initial statement said that anyone relying on SHA-1 should move to SHA-2 or SHA-3 as soon as possible, the details specify that organizations should be completely rid of SHA-1 by December 31st, 2030.
- NIST deprecated SHA-1 in 2011 and disallowed its use in digital signature creation and verification with limited exceptions in 2013 as a result of a theoretical collision attack described in 2005 that became practical in 2017. By 2015, companies like Facebook, Google, Microsoft, and Mozilla were already planning to move from SHA-1. By 2017, the major web browsers stopped recognizing SHA-1 certificates. Microsoft finally dropped SHA-1 from the Windows update process in August 2020.
- Even if larger organizations rarely use it actively, SHA-1 remains widely available. NIST’s Cryptographic Algorithm Validation Program, which validates cryptographic algorithms for vendors, includes 2,272 cryptographic modules validated in the past five years that still support SHA-1.
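One practical way to act on NIST’s advice is to stop writing new SHA-1 digests today while keeping old ones verifiable until they can be rewritten. The Python below is an added example written for this post, not NIST’s or any vendor’s code: it stores digests as `<alg>$<hex>` so the algorithm is explicit, refuses to create new digests with a retired algorithm, and, when a legacy SHA-1 value still verifies, hands back a SHA-256 replacement for the caller to persist. The tag format, the `RETIRED`/`PREFERRED` policy sets and the sample records are assumptions made for the example.

```python
# Added example (not NIST's or any vendor's code): retiring SHA-1 from stored
# digests without a flag day. Tag format, policy sets and sample data are assumed.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

RETIRED = {"sha1", "md5"}   # accepted for verify-and-upgrade only, never for new digests
PREFERRED = "sha256"        # a SHA-2 member, per NIST's recommendation to move to SHA-2 or SHA-3


def digest(data: bytes, alg: str = PREFERRED) -> str:
    """Produce a tagged digest; a retired algorithm is refused so no new SHA-1 values are written."""
    if alg in RETIRED:
        raise ValueError(f"{alg} is retired; use {PREFERRED}")
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"


def verify(data: bytes, stored: str) -> Tuple[bool, Optional[str]]:
    """Check data against a tagged digest.

    Returns (ok, upgraded): `upgraded` is a fresh PREFERRED digest when the stored
    value used a retired algorithm and still matched, otherwise None. The caller
    should overwrite the stored record with `upgraded` so the backlog shrinks on use.
    """
    alg, sep, hexd = stored.partition("$")
    if not sep or alg not in hashlib.algorithms_available:
        return False, None
    actual = hashlib.new(alg, data).hexdigest()
    ok = hmac.compare_digest(actual.encode(), hexd.encode())  # constant-time compare
    if ok and alg in RETIRED:
        return True, digest(data)
    return ok, None


def inventory(records: List[str]) -> Dict[str, int]:
    """Count stored digests per algorithm tag, to size what is left to migrate."""
    counts: Dict[str, int] = {}
    for rec in records:
        alg = rec.partition("$")[0]
        counts[alg] = counts.get(alg, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed store: one legacy SHA-1 record and one already on SHA-256.
    store = {
        "artifact-a": "sha1$aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",  # sha1("hello")
        "artifact-b": digest(b"world"),
    }
    print("before:", inventory(list(store.values())))
    ok, upgraded = verify(b"hello", store["artifact-a"])
    if ok and upgraded:
        store["artifact-a"] = upgraded          # persist the SHA-256 replacement
    print("after: ", inventory(list(store.values())))
```

The same shape works for any digest that is stored and later compared (artifact checksums, integrity tags, fingerprints): the algorithm tag makes SHA-1 use countable, `digest()` closes the door on new SHA-1 writes, and each successful verification migrates one more record, so the 2030 deadline is met incrementally instead of by a risky bulk rewrite.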
Google Introduces End-to-End Encryption for Gmail on the Web
- Google announced that it’s adding client-side end-to-end encryption (E2EE) to Gmail on the web, allowing enrolled Google Workspace users to send and receive encrypted emails within and outside their domain.
- Google highlighted that users can use their own encryption keys to encrypt their organization’s data, in addition to the default encryption that Google Workspace provides. Because the encryption happens in the user’s browser before anything reaches Google, Google’s servers cannot access the user’s encryption keys or decrypt the data.
- Gmail E2EE beta is currently only available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. Once enabled, users can toggle on E2EE for any message by clicking the lock icon next to the Recipients field and clicking “Turn on” under the “Additional encryption” option. From there, users can compose emails as per usual.