Sharing is caring, unless it's PII or malware!
Alexandre BLANC Cyber Security
Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored
Sharing and raising awareness is a great way to do good in our heavily connected reality.
While it's not always the case: when the cloud leaks sensitive and confidential information, as we see every day, or when someone shares malware with you, not cool; sharing the COVID virus... not cool. So sharing is caring, when done right!
My way of doing good is sharing awareness. Sometimes I'm told it's FUD (Fear, Uncertainty and Doubt), but if we stick to the facts, well, it's reality. This newsletter is another contribution, a weekly catch-up where you pick what you want.
Another way of sharing is participating in panels, speaking events and conferences. I've been lucky to be invited quite a lot lately; even yesterday, I had a chance to present at the ISC2 chapter of Montreal. These events trigger exchanges that are also a great learning opportunity for all, including the speaker.
In my case, Christophe Foulon, in early 2020, brought my first big international speaking opportunity, and this opened my path to more sharing through conferences. So it's time to give back! (No, I'm not paid to share this, it's my very own will ;) zero BS as usual.)
As a lot of people ask me how to start in our field, well, if this is your case, Christophe Foulon has developed books, programs, and coaching packages for those who are mid-career and looking to break into cybersecurity or level up their cybersecurity careers. He focuses on helping them to focus on their target areas and grow.
I'd be very curious to know, please comment: how are you doing good on your side? What brings you achievements?
This was very bad news: a good practice (using a password manager) turned to chaos when the Passwordstate password manager was hacked in a supply chain attack! Supply chain security management, security by design and DevSecOps are more critical than ever.
Speaking about security by design, we saw an interesting article about 5 Fundamental But Effective IoT Device Security Controls. IoT, the Internet of Threats (ok, the real name is Internet of Things, but it's quite a bit less accurate), brings huge challenges, as we have much less control over these devices, at the configuration and firmware level.
I always say wireless is weak (in regards to security), so I did not miss this article about the fact that Apple AirDrop has a “significant privacy leak”. The issue with wireless magic is that you can't physically see when it's hijacked. So wireless security is way more challenging, including regarding the physical attack distance: an attacker could be inside your network or device, but physically outside.
Back to the supply chain security issue, which is a complex challenge, as we trust our providers through secured and verified update processes. But, as with the SolarWinds corruption, when the supplier is compromised, the whole downstream chain is compromised through that trust relationship. So it was sad seeing that HashiCorp is the latest victim of the Codecov supply-chain attack, seeing the cloud more and more exploited in supply chain attacks.
In a very efficient and well coordinated law enforcement effort, we've been happy to see Emotet malware nuking itself from all infected computers worldwide ! The capabilities of the malware have been flipped to get itself removed. Very nice !
I shared this interesting take on The CSP/MSP's Challenges in 2021: how rethinking security architecture can help you avoid breaches. Much of the challenge in 2021 is due to what happened in 2020. These five major events in 2020, discussed in brief, impacted the way we protect M365 accounts today.
I urged again this week for people to enable MFA. I don't really care which extra factor you use; sure, some are less secure than others, but enabling MFA is already a great move. Today, not having MFA is really looking for trouble, as 3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails.
The medical sector, and non-technology fields overall, don't really understand the risk of having unsecured devices, as the internet of threats (IoT) strikes again, connected = killed: Connected medical devices brought security loopholes mainstream.
Meanwhile the cloud has been intensively sharing, and not the good stuff: Criminal leaks 20 million alleged BigBasket user records for free. Maybe some found it very good actually, a matter of perspective I guess :)
The high risk window of attack runs from the time a vulnerability is made public (even more so with a public exploit) to the time the supplier releases a fix, and on until you actually apply it. This can be quite a long time: Valve Finally Patched A Steam RCE Vulnerability That Waited A Fix For Two Years
Sharing is caring, unless Reverb discloses data breach exposing musicians' personal info.
SMS is a big issue: it is not secured, messages can be forged, and it brings no confidentiality. Overall, it should be treated as an extremely risky channel. It is used in widespread attacks: Flubot Spyware Spreading Through Android Devices
Also, 16% of mobile devices in developing markets are now infected with malware.
Accellion data breaches drive up average ransom price: these attacks set the average ransom payment in the first quarter of 2021 at USD $220,298. And this is only the cost of the ransom, not speaking about operational loss, brand damage and more. The "TCO" of an incident is far more than the ransom, and the impact, sadly, reaches much wider than the organization itself: all the stolen PII will affect customers, employees, suppliers, and the brand overall for years!
MacBooks, iOS and all Apple stuff are not immune to malware: Apple fixes macOS zero-day bug exploited by Shlayer malware
Nvidia Warns: Severe Security Bugs in GPU Driver, vGPU Software. One big issue with drivers is that they run at the core of the system kernel, ring zero, the root. So when there is a security issue in a driver, it is immediately a huge issue, as drivers run at the deepest level of the OS. This is also why picking drivers is a sensitive task, also heavily exposed to supply chain attacks.
The cloud failed this week: Apple iCloud Mail outage causing email sending, receiving issues. (Do you feel I'm not a big cloud fan? Well, the truth is, I'm not a fan of the cloud claiming to be the gold standard, the magical solution to everything. The cloud deserves a risk assessment, and using it should be aligned with the risk posture and risk appetite of an organization. Sometimes it's less risky to use the cloud, but one should keep in mind that unless you encrypt data BEFORE sending it to the cloud, there is no confidentiality.)
What was I saying? Oh yes, the high risk window when a vulnerability takes time to be fixed: a 6-year-old vulnerability. You are hacked, you just don't know it yet. It's a cat and mouse game. CocoaPods RCE Vulnerability Could Risk 3 Million Mobile Apps Including Sign
Someone bought Proofpoint! Thoma Bravo to acquire Proofpoint in a $12.3B transaction. Big move!
A good move in regard to sharing threat intelligence: FBI shares 4 million email addresses used by Emotet with Have I Been Pwned
So, how can we fix the cloud? Yes we can... The next big thing in cloud computing? Shh… It's confidential. I told you! Encrypt everything before it reaches the cloud. This way, the cloud provider can no longer mine your data. (Not saying they do; it would be very bad and not correct to mine/exploit your private data and sell global intelligence reports built out of your own data to you and anyone else.)
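To make the "encrypt before it reaches the cloud" point concrete, here is an added example (not code from the newsletter or from any provider mentioned in it) showing client-side authenticated encryption with AES-256-GCM from the Go standard library. The key is generated and kept on the client; only the sealed blob is uploaded, so the provider holds ciphertext it cannot read, and any tampering with the stored object is detected on download. The object name is bound in as associated data, so a blob cannot be quietly swapped under another name. The customer record and object path are constructed sample values; the key storage (a local KMS, HSM or OS keystore) is assumed and not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a fresh 256-bit AES key on the client. This key is the one
// thing that must never be uploaded; keeping it in a local KMS/HSM/keystore is
// assumed here and not shown.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag,
// which is the only thing that gets sent to the cloud. aad (here the object name)
// is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any modified byte in the blob, a wrong key, or a mismatched
// aad fails authentication and yields no plaintext at all.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext reports whether the stored blob still contains the plaintext
// verbatim, i.e. whether the provider could read it just by looking at the object.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record and object name (not real data).
	record := []byte(`{"customer":"jane@example.invalid","score":712}`)
	objectName := []byte("records/2021/customer-42.json")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes, plaintext visible to provider: %v\n", len(blob), LeaksPlaintext(blob, record))

	// Simulate the stored object being altered before download.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, objectName); err != nil {
		fmt.Println("tampered object rejected:", err)
	}

	got, err := Open(key, blob, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Println("downloaded and decrypted locally:", string(got))
}
```

The provider only ever sees the output of Seal; confidentiality then depends on where the key lives, which is why the key-management side (and, where the workload itself runs in the cloud, confidential computing to protect the key in use) is the part worth the risk assessment.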
Don't pay the ransom, don't reach that no return point. Come talk to us before, and prevent these incidents ! Only 8% of businesses that paid a ransom got all of their data back.
New stealthy Linux malware used to backdoor systems for years. Active for at least 3 years! This is why all your systems need XDR that is not signature based, and this is why you need security by design, so that your workloads only communicate with entries in your allow list!
Did I tell you SMS is exploited non-stop in cyber attacks? SMS phishing scam lures Rogers customers with outage refunds
DigitalOcean data breach exposes customer billing information. Sad to see; DigitalOcean brings some great value to the GNU/Linux world, with a lot of great tutorials.
Sad days in the cloud.
IIoT Pivot | The Top 20 Cyber Attacks on Industrial Control Systems #12 | iSi. If you missed this post, it's a good resource on the industrial internet of threats, sorry, internet of things.
Did I mention the cloud leaks sensitive PII information? Experian API Leaks Most Americans' Credit Scores. Got to love the cloud...
Maybe it's because we don't feel alone in the cloud : COVID-19 Results for 25% of Wyoming Accidentally Posted Online
Maybe it's my perception :D
Finally, Vulnerability In ABUS Secvest Connected Alarms Allowed Remote Disabling. Yes, why did you connect your home security system? ... to allow attackers to remotely unlock it. Got it :D
Now that you are fully aware of some of the key facts of this week, and there are a lot, although these are just a few, you may consider your risk posture with more interest :)
So I invite you to reach out if you are looking for actual cyber security solutions, through VARS (yes, I work with this amazing team!)
Feel free to follow VARS as well, I post a bunch on it too!
There is an amazing team there, lots of skilled people, and there are some openings coming.
That's about it for this week; what happened today will most likely be in next week's share :D Such as the Samba critical patch release that just came out, and Codecov releasing a new supply chain corruption detection tool.
Have a great weekend all! I hope you enjoy the content, please leave a comment, feedback is highly appreciated!
NMF Founder and CEO, University Teaching, Int'l Development, SDGs; Focusing: Climate Action, Gender Equality, Environment, Good Health, Quality Education, and Well-being for PWD & MH; ex UN (FAO and WFP), and ex CARE USA
(3 years) Alexandre BLANC Cyber Security, all the best from Naifa Maruf Foundation
Dare to succeed
(3 years) Thanks for sharing