PacMan to Passwords
Jim Tiller
Fractional Executive (CISO/CIO) | Author | Patent Holder | Industry Leader | Co-Host DtSR Podcast | NIST | CMMC | CISSP | CISM | CISA | NYDFS | FAIR | NSA IEM | NSA IAM
Welcome to Security Bytes, a roundup of must-read articles and interesting news from around the cyber world.
In this edition, Jim Tiller, Nash Squared's Global Chief Information Security Officer and Head of Nash Squared’s vCISO Practice, touches on:
MIT's PACMAN finds a hole in Apple’s new M1 chip – back to the drawing board? A CEO of a prominent security company writes a blog criticizing Microsoft, which will get you thinking about cloud security – again. Nearly 2 billion records exposed to the Internet because a server wasn’t password protected, but there’s more we can learn here. WEF decided to create a map of the cybercrime ecosystem; I’m not placing bets on it, but I admire the boldness. And finally, the largest supermarket chain in Africa gets – have you guessed? – ransomware.
PacMan Without a Trace
Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) recently found a flaw in Apple’s flagship M1 processor. One of the advances in the chip is called pointer authentication, which acts as a last line of defense against typical software vulnerabilities, allowing the computer itself to essentially shut down an attack – smart. However, the MIT team found a flaw using an attack they called “PACMAN” that defeats the pointer authentication without leaving a trace of evidence.
This changes the calculus for mounting a final fight against attacks at the chip level and will certainly influence future developments. This is also interesting because many organizations don’t necessarily look into hardware types of attacks. Moreover, it is worth understanding the vulnerabilities that exist in hardware, which can expose, well, everything. Who cares about your locked doors when I can drill into your foundation?
Links:
Fox Watching the Henhouse
This week, Amit Yoran, the CEO of cybersecurity firm Tenable, posted a scathing criticism of Microsoft for its recent response to two vulnerabilities affecting the Azure Synapse service. He highlights that Tenable discovered and properly notified Microsoft of two vulnerabilities (one critical) in Synapse, which according to his post Microsoft quietly patched but has yet to notify its customers about. This post is extraordinary; I highly recommend reading it. It starts to peel back and expose the reality that cloud services, while abstract to the business, are built on platforms that have vulnerabilities just like any system, but where consumers may not be privy to them. Of course, as we collectively move to the cloud we’re naturally consolidating our security capabilities – more eggs in one bigger basket – which is a positive and potentially a negative.
For many, the cloud can be a huge improvement to their security posture. But it still takes focus, tenacity, and continuous, sophisticated monitoring to ensure expectations are being met. Moreover, there are additional layers of abstraction creating barriers to visibility, leaving room for interpretation of control effectiveness – and some controls are hard to test.
Links:
Post: https://www.dhirubhai.net/pulse/microsofts-vulnerability-practices-put-customers-risk-amit-yoran
Password: _____
The cybersecurity team at SafetyDetectives reported that they’ve found a massive data leak affecting a company called StoreHub, specifically their Elasticsearch server, which was apparently left open without any password protection or encryption. StoreHub is based in Malaysia and offers POS services to more than 15,000 companies in Southeast Asia. According to the report, 1.7 billion transaction records were exposed, representing nearly a million unique customers.
Let’s start with the obvious: protect systems on the Internet. Nuff said. From a business perspective this speaks directly to third-party risk management, which really needs to be at the top of everyone’s agenda. With so many business applications reliant on a web of plug-ins, modules, libraries, processing services, data enrichment services, compliance management services, etc., there is no single “application” as we used to know it.
Links:
Article: https://www.theregister.com/2022/06/16/storehub_data_leak/
Report: https://www.safetydetectives.com/news/storehub-leak-report/
X Marks the Spot
Kicked off by the World Economic Forum (WEF), project ATLAS seeks to provide a mapping of the relationships between cyber criminal groups and their infrastructure, with the goal of helping the industry and law enforcement. Announced at RSA, ATLAS is a collaboration with a number of companies, like Microsoft and Fortinet. At its core this is about attribution. Of course, this has been one of the more – ok, the most – difficult aspects of cybersecurity since the Internet began. Making a map (an atlas) of the cybercrime ecosystem relative to infrastructure is going to be challenging, fluid, and ultimately – you’re not going to like what you find. While criminal ecosystems are generally understood and we keep up with their organizational dynamics, tying that to infrastructure could be interesting.
Links:
WEF: https://www.weforum.org/agenda/2022/05/disrupting-cybercrime-networks/
Article: https://www.theregister.com/2022/06/10/atlas_wef_rsa/
Ransom Food
Sadly, there’s so much news on ransomware. This week the largest supermarket chain in Africa, Shoprite Holdings, with nearly 3000 stores, was impacted by ransomware. Notifications went to customers in Eswatini, Namibia, and Zambia. The attackers that claimed responsibility, RansomHouse, went as far as posting slurs concerning the company’s handling of personal information of their 149,000 employees. My initial reaction to this is the downstream impacts to logistics in the near-term. Food and other household supplies can be difficult to get in the best of times – in all countries. Unfortunately, add this to the long list of examples concerning the social impacts related to ransomware attacks.
Links:
Article: https://www.techradar.com/news/africas-biggest-supermarket-hit-by-ransomware-attacks
Press release: https://www.shopriteholdings.co.za/articles/Newsroom/2022/possible-data-compromise.html
About
Security Bytes is a weekly newsletter produced by Jim Tiller and brought to you by Nash Squared, Where Talent and Technology Meet (https://www.nashsquared.com/)