Rob Price
May 16, 2022
Senior Specialist Solutions Consultant and Global Lead for Risk & Compliance
Snow Software

Once data is exposed, it can fuel future cyber-attacks if it ends up in the wrong hands. The fact that data such as names, schools, home addresses, and dates of birth have all been revealed is concerning, as it could be used for extremely targeted social engineering attacks on the families involved.

In the modern day and age, it’s crucial that all organisations work hard to ensure that sensitive data remains secure and protected. Organisations in every sector are now increasingly reliant on digital technologies to deliver their services, and it’s crucial that staff are properly trained on how to use systems to help prevent breaches, and that their skills are regularly tested. By participating in security awareness training, staff can learn to report possible security threats, follow company IT policies and best practices, and adhere to any applicable data privacy and compliance regulations such as the GDPR, PCI DSS and HIPAA, helping them to avoid incidents like this.

Wai Man Yau
May 16, 2022
Vice President
Sonatype

This highlights that it is not just standard cybersecurity training that is desperately required by more organisations, but general data handling too. Serious privacy and security problems come from human error, and this has been overlooked in multiple examples where organisations simply assume they can cut corners and hope their employees are up to date and fully aware of protocol, or simply of what is required from them in terms of data handling. Cybersecurity training shouldn’t be left to a simple tick-in-the-box, once-a-year exercise, and decision makers need to think about conducting it within the onboarding process as a priority.

Wai Man Yau
May 11, 2022
Vice President
Sonatype

Digital bank robberies are extremely rare but impressively lucrative should they pay off. When banks are targeted it is often thought they won’t be successful, but this highlights the persistence of cybercriminals and the lengths they will go to in order to exploit any opportunity. Phishing is still the main attack vector and remains vulnerable on many levels. The human element within email manipulation clearly shows that we are still in a time where all staff need to be extra vigilant and cautious of every email.

Brian Fox
May 11, 2022
CTO
Sonatype

When a cyberattack happens, guilt and blame often follow - but this is counterproductive. Openness, transparency, and speed are pivotal in effectively resolving a breach. It is generally a time of high stress and short tempers; however, as with most things in business, proper planning and processes are paramount.

Planning must include ensuring that an up-to-date roster of expert contractors is available, restoring critical infrastructure quickly, and taking care of staff wellbeing, both psychological and physical. Workloads will invariably spike, leading to people working longer hours with shorter breaks, and managers must be prepared to step in to monitor activity levels and ensure their staff members are not burning out, as these instances can be marathons rather than sprints.

Wai Man Yau
May 10, 2022
Vice President
Sonatype

Falling victim to a cyberattack can often leave those targeted feeling extremely vulnerable, and it can immediately affect their mental health. Many victims feel stupid for falling for such attacks, but it is only after the event that the scams become obvious, and this can cause anguish. This can have a huge impact on someone’s life, and it is apparent that more is needed to help protect people and to teach them the signs to look out for amongst the ever-changing, fast-paced world of digital crime.

We mustn’t ever stigmatise a victim but instead offer support and reminders about how to stay safer online. Quick easy wins such as the implementation of two-factor authentication and a password manager are the first simple steps to better protection online and a better online well-being.

Shahrokh Shahidzadeh
May 06, 2022
CEO
Acceptto

App developers using BIG-IP services should immediately take steps to mitigate the vulnerability until a patch is ready. Those steps include blocking access to the iControl REST interface of your BIG-IP system, restricting access only to trusted users and devices, and/or modifying the BIG-IP httpd configuration. Apps using BIG-IP can easily be discovered and targeted using a search engine like Shodan, so developers should expect attackers to exploit vulnerable systems in the near future.

iyare trez
May 06, 2022
network security specialist
icsi

Based on F5's knowledge base, the port lockdown feature allows you to secure the BIG-IP system from unwanted connection attempts by controlling the level of access to each self IP address defined on the system. Each port lockdown list setting specifies the protocols and services from which a self IP can accept connections. The system refuses traffic and connections made to a service or protocol port that is not on the list. F5’s vulnerable version of the iControl REST service allows an unauthenticated remote user to send an HTTP request that contains an attacker-specified IP address to update the self IP address. This is an example of an RFI attack.

One mitigation suggested by F5 involves using a configuration setting to lock down the ability to change the self IP address. This is a little too draconian, since it will affect other services available on the BIG-IP box.

A second mitigation recommended by F5 is to not allow untrusted users and devices coming over a secure network. Unfortunately, the Apache server used by the management interface does not allow users to block access by IP addresses.

A third mitigation recommended by F5 involves changing the Apache server’s configuration file using an “include” directive. This directive helps manage the state of a TCP connection and, in particular, not accept traffic when the TCP connection has transitioned to the closed state. According to F5, this mitigation does not have any adverse impact.

A cyber security solution such as Virsec DPP that protects against RFI attacks would have protected the vulnerable iControl REST interface from being abused. Furthermore, Virsec DPP would have prevented any unauthorized code from running on the vulnerable F5 x86 workload.

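The port lockdown semantics described in the comment above (each self IP carries an allow-service list; anything not on the list is refused) can be modelled in a few lines. The following is an added illustrative example, not F5 code and not part of the original commentary. It assumes the tmsh-style entry forms `all`, `none`, `default`, `<proto>:<port>` and bare protocol names, and the `DEFAULT_SERVICES` set is a constructed approximation of F5's "Allow Default" list that should be checked against the documentation for your own BIG-IP version. The audit at the end shows why "Allow Default" does not block the iControl REST interface on a self IP (TCP 443 is on the default list) while "Allow None" or a custom list without 443 does.

```python
"""Model of BIG-IP self IP port lockdown evaluation (illustrative only).

Entry forms accepted in an allow-service list:
  "all"            accept every protocol and port
  "none"           accept nothing
  "default"        accept a fixed set of management / HA services
  "<proto>:<port>" e.g. "tcp:443", "udp:53"
  "<proto>"        a port-less protocol, e.g. "ospf"
Anything that matches no entry is refused.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed approximation of F5's "Allow Default" services (assumption:
# verify against your version's documentation before relying on it).
DEFAULT_SERVICES = frozenset({
    "ospf", "tcp:4353", "udp:4353", "tcp:443", "tcp:161", "udp:161",
    "tcp:22", "tcp:53", "udp:53", "udp:1026",
})

# Port-less protocols this model understands (assumption, kept small).
PORTLESS_PROTOCOLS = frozenset({"ospf", "icmp"})

ICONTROL_REST = ("tcp", 443)  # iControl REST is served over HTTPS on a self IP


def normalize(entry: str) -> str:
    """Canonicalise one allow-service entry, rejecting malformed ones."""
    e = entry.strip().lower()
    if e in ("all", "none", "default"):
        return e
    if ":" in e:
        proto, port = e.split(":", 1)
        if proto not in ("tcp", "udp") or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad allow-service entry: {entry!r}")
        return f"{proto}:{int(port)}"
    if e not in PORTLESS_PROTOCOLS:
        raise ValueError(f"unknown protocol in allow-service entry: {entry!r}")
    return e


@dataclass(frozen=True)
class SelfIP:
    address: str
    allow_service: tuple[str, ...]

    def effective_set(self) -> frozenset[str] | None:
        """Expand the list; None means 'accept everything' (all)."""
        entries = {normalize(e) for e in self.allow_service}
        # "all" and "none" are exclusive settings; mixing them with other
        # entries is a configuration error rather than a partial allow.
        if ("all" in entries or "none" in entries) and len(entries) > 1:
            raise ValueError(f"{self.address}: 'all'/'none' cannot be combined with other entries")
        if "all" in entries:
            return None
        if "none" in entries:
            return frozenset()
        if "default" in entries:
            entries.discard("default")
            entries |= DEFAULT_SERVICES
        return frozenset(entries)

    def accepts(self, proto: str, port: int | None = None) -> bool:
        """Would this self IP accept inbound traffic for (proto, port)?"""
        allowed = self.effective_set()
        if allowed is None:
            return True
        key = proto.lower() if port is None else f"{proto.lower()}:{port}"
        return key in allowed


def icontrol_rest_exposed(self_ips: list[SelfIP]) -> list[str]:
    """Addresses of self IPs that still admit the iControl REST port."""
    return [s.address for s in self_ips if s.accepts(*ICONTROL_REST)]


if __name__ == "__main__":
    # Constructed sample configuration.
    fleet = [
        SelfIP("10.1.1.5", ("default",)),          # Allow Default
        SelfIP("10.1.2.5", ("none",)),             # Allow None
        SelfIP("10.1.3.5", ("tcp:22", "udp:53")),  # Allow Custom, no 443
        SelfIP("10.1.4.5", ("all",)),              # Allow All
    ]
    print("iControl REST reachable via:", icontrol_rest_exposed(fleet))
```

The model treats "Allow Default" as a superset, so a self IP left at the default setting reports as exposed; the fix the comment refers to is moving such self IPs to "Allow None" or to a custom list that omits TCP 443.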
Antti Tuomi
May 06, 2022
Principal Security Consultant
F-Secure

This is a great, proactive, further step in preparing the U.S. for the threats from sufficiently capable quantum computers. While no one, at least publicly, knows when the threat of quantum computers will be realised, we all know that it is sooner rather than later. Most quantum experts put the eventuality of quantum computers breaking much of today's cryptography at 10 years or less. I do not think anyone would be shocked if it happened in five years or less. Personally, I think we are talking only a few years. The question is whether we and the rest of the world will be ready, and have quantum-resistant cryptography and systems in place, before the quantum cryptographic break happens. Every single company in the world should right now be preparing to convert their systems to quantum-resistant protections. They need to start with taking an inventory of what important data is protected by what quantum-vulnerable cryptography and key sizes. Just that process alone will likely take most companies half a year to years to do right. They need to start NOW! And almost no company is doing anything. Most are not even aware of the coming problem at all. It is a problem. It is a growing problem as the clock continues to tick down to when the quantum threat becomes a realised problem. President Biden is taking a good step in declaring, "Get going!". But how many people are listening and understanding?

One big complication is the so-called post-quantum cryptography solutions that everyone will need to move to when they become standards, because they have suffered some catastrophic setbacks in the last few weeks. The National Institute of Standards and Technology, NIST, was due to announce the new global post-quantum standards at the end of last year or the first quarter of this year. And literally days to a few weeks before they were to announce the three post-quantum cryptography standards that the world was going to use going forward, two of the three were announced as broken. It was good that they were caught and weeded out before they became official standards, but being caught so late in the process, literally days to a few weeks before they were announced as what we were to use, has caused a seismic trust issue with the process. And the only post-quantum encryption cipher to survive is fairly old and very inefficient as compared to the other candidates. No one wanted it to be what we had to use, but it is what we have got. The last-minute disqualifications have made many wonder if we can trust any of the announced new post-quantum standards. The fear is that they, too, will be discovered to provide inadequate protection against quantum attacks, but only after the whole world has gone through the great pain of migrating to them. That is why, whatever post-quantum cryptography we are told are the new standards and migrate to, all organisations and vendors should work to make their solutions "crypto-agile", meaning that if a new replacement cryptographic algorithm is needed, it can be swapped in with the least amount of effort. Right now, replacing our cryptographic standards requires a very heavy lift, often complete replacement of the hardware and software involved. A crypto-agile environment would just need to install the new ciphers and not a new everything.

So, at the same time as everyone is pushing to ready themselves for the post-quantum world, as it is called, they need to be pushing to make their environments crypto-agile and force all vendors to develop and deliver more crypto-agile solutions. Being crypto-agile is probably even more important than being quantum-resistant for the long-run efficiency of the world. One protects you against the coming quantum attacks and the other better protects you against every future cryptographic threat possible, of which a quantum threat is only one.

Wai Man Yau
April 28, 2022
Vice President
Sonatype

Whenever there is an Elon Musk story, there is usually a cryptocurrency scam not too far behind. Although these accounts usually show very obvious signs of being fake or generated by bots, just like any phishing or other scam, these only need to be successful a handful of times to make them worthwhile for criminals.

Requesting cryptocurrencies in exchange for double the value back in return may seem absurd to the vast majority, but some people get caught up in the moment and act upon their greed before their due diligence.

Fake websites can be created in seconds to look authentic, so it is vital that people verify their sources. It goes without saying to remain cautious of such scams, and with digital asset thefts on the increase, it is also a timely reminder to keep your digital wallets and private keys safe from persistent attackers.

Jérôme Segura
April 28, 2022
Director of Threat Intelligence
Malwarebytes

Aside from what Stormous has disclosed, we know very little about the possible level of damage at this point and will have to wait for more details from Coke. Unfortunately, the supposed poll conducted by the group to determine which companies to attack seems more like the norm today. Coke likely spends tens of millions of dollars on security and employs world class security analysts to protect critical assets, and they do outstanding work on a daily basis protecting one of the world's most recognizable companies.

With data breaches, it is a numbers game, and the goal for every company is to make it as hard as possible for hackers to succeed. Infrastructure breaches are inevitable, but information and material breaches are not! Aggressors will always find ways to compromise something out there, but that doesn’t mean they get to the crown jewels or can’t be stopped. Bricking a laptop, DDoS-ing websites or compromising identities will happen. However, a good security program will not let that turn into a material event. The goal is to stop this further and further to the “left” in the timeline. Attackers and cyber attacks can be stopped, blunted and made frustrating to the attackers. Infrastructure will have compromises, but material breaches are not a foregone conclusion.

It’s not strange at all. It is relatively new, but we’ve seen hacking groups like Lapsus$ use it. When it gets hard to communicate one way (or to process payments), the system is adaptive. Think of it as a fluid situation with actors making trade-offs among services in their toolkit. Telegram is on the rise, and surveys like this seem to be the new normal.
