Expert(s):
CTO and Founderfeature_status*/ ?>
Bugcrowd

Comments Dotted : 22
April 07, 2021

Expert Commentary On CISA Warns Of APTs Exploiting Fortinet Vulnerabilities
Networking equipment tends to be central to a company's operations.

Networking equipment tends to be central to a company's operations. This incident of attackers capitalizing on a combination of N-day vulnerabilities—as opposed to zero-day—and unpatched systems, highlights the challenges that IT administrators experience in scheduling downtime to patch vulnerabilities. However, in the meantime, this also makes unpatched systems a prime target for attackers seeking out prey. This advisory is similar to a  NSA/CISA advisory released in December 2020,

.....Read More

Networking equipment tends to be central to a company's operations. This incident of attackers capitalizing on a combination of N-day vulnerabilities—as opposed to zero-day—and unpatched systems, highlights the challenges that IT administrators experience in scheduling downtime to patch vulnerabilities. However, in the meantime, this also makes unpatched systems a prime target for attackers seeking out prey. This advisory is similar to a  NSA/CISA advisory released in December 2020, regarding advanced persistent threat (APT) groups’ use of N-day vulnerabilities on access software, like VPNs and edge content delivery networks.

 

As APT groups continue to target vulnerabilities within government, technology and commercial services’ systems, organizations across industries must recognize the need to accept the assistance of security researchers who are actively defending against a growing legion of adversaries. Even enterprises with in-house security teams can benefit from the hypervigilance of external security researchers — specifically their ability to provide continuous, 24/7 security testing and monitoring.

 

Although each of these vulnerabilities were known and patches were issued by the Fortinet, the responsibility falls on IT administrators to rapidly apply these fixes. By leveraging external security researchers, admins can rely on the insights of security researchers to provide contextual intelligence as to which vulnerabilities constitute the greatest —and therefore most urgent— risk to an organization. Active scanning for system vulnerabilities is a routine process after the release and weaponization of remotely exploitable common vulnerabilities and exposures (CVEs), from actors ranging from amateur to the very sophisticated.

 

Additionally, IT administrators can arm themselves with an extra layer of security to proactively identify and address such vulnerabilities before they are discovered and exploited by adversaries, such as these APT groups. This grants IT administrators a more generous timeline to address vulnerabilities and ensure proper security measures have been implemented. Speed is the natural enemy of security and the best way to improve an organization’s security posture and beat malicious adversaries is by thinking like one.

  Read Less
February 04, 2021

Expert Commentary: Several Thousand Addresses Leaked In FHKC Insurance Data Breach
Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data.

The pandemic has put a global spotlight on the wealth of sensitive data insurance organizations possess. Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data within insurance companies and inevitably opened up a new attack surface for malicious cyber adversaries to target -- such as the 122,000 globally-connected internet assets within the top nine insurance organizations. With the increased pace of technology rollout, increased use of online health

.....Read More

The pandemic has put a global spotlight on the wealth of sensitive data insurance organizations possess. Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data within insurance companies and inevitably opened up a new attack surface for malicious cyber adversaries to target -- such as the 122,000 globally-connected internet assets within the top nine insurance organizations. With the increased pace of technology rollout, increased use of online health service on account of the pandemic, and the active adversaries lurking, the insurance industry has become adversaries’ latest target.

 

FHKC was allegedly exposed by it's hosting provider, and a failure to apply patches -- which isn't an uncommon story. This highlights the need to consider and manage supply chain security, as well as to trust -- but first verify.


As the insurance industry continues to play an instrumental role in distributing the COVID-19 vaccine and providing basic healthcare amidst the pandemic, insurance organizations must look to up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before they can be exploited by adversaries. By doing so, insurance organizations can get ahead of malicious actors and proactively address vulnerabilities before they become a devastating breach.

  Read Less
January 27, 2021

Expert Commentary: Phishing Attack Impersonates UK NHS To Obtain Sensitive Consumer Data
Do not respond to calls or emails that request credit card information or any other means of payment.

The critical importance and widespread uncertainty around the COVID-19 vaccine put the global spotlight on government and healthcare organizations involved in distribution efforts. As the world waits with bated breath, the anticipation and anxiety around the subject of vaccination make it especially useful as a phishing lure for attackers who target unsuspecting citizens. This was most recently demonstrated by the ongoing phishing attack linked to the UK's National Health Service (NHS). The NHS

.....Read More

The critical importance and widespread uncertainty around the COVID-19 vaccine put the global spotlight on government and healthcare organizations involved in distribution efforts. As the world waits with bated breath, the anticipation and anxiety around the subject of vaccination make it especially useful as a phishing lure for attackers who target unsuspecting citizens. This was most recently demonstrated by the ongoing phishing attack linked to the UK's National Health Service (NHS). The NHS phish was a serious attempt - It used the pretext of existing NHS vaccinations campaigns, included "credible jargon" and NHS design mimicry to appear as legitimate as possible, and exploited loss-aversion through a fake "use it or lose it" message.

  Read Less
December 18, 2020

Cyber Security Predictions 2021: Experts’ Responses
Governments around the world will continue to adopt vulnerability disclosure as a default.
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense. Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence.....Read More
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense. Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.  Read Less
December 15, 2020

U.S. Government Victimized By Russian Cyberattacks – Expert Commentary
The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs.
Well funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be.....Read More
Well funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be more easily detected. The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs to maintain the integrity of the supplied software, as well as the systems and environments of all users of that software. What happened with Solarwinds could, and has, happened with open source software, and well as with other providers - The use of M.E.Doc in the NotPetya attacks in the Ukraine is a recent example, as was the 2011 attacks on the RSA SecureID authentication software. In this case, the breach of SolarWinds Orion’s code poses a major threat to the Federal Civilian Executive Branch agencies that were using its software, as well as the 425 Fortune companies in their client list, and many, many other organizations worldwide. The potential upside of this breach, as noted by Dmitry Alperovich, is that the incredible scope of its impact creates a dilemma for attacks when it comes to choosing what to exploit. This will shift the burden to incident response and threat hunting teams over the coming weeks to establish if the incident affects them, and if so, was the access provided by the breach used by APT29. Vulnerabilities exist in every platform and every company, and the number of exploitable and their potential impact compounds as developers innovate at unprecedented rates, in part due to the new demands of remote work and widespread access triggered by the COVID-19 pandemic. While there are still many questions remaining about this breach, government agencies must acknowledge the scale and distributed nature of the threats they face in the cyber domain, and realize that they need to accept the assistance of that army of allies who are offering to help defend against the legion of adversaries. Governments and private organizations around the globe have recognized the threats they face and are leaning into the benefit of well-run Vulnerability Disclosure Programs (VDPs) to roll out the red carpet to the digital locksmiths of the Internet, who work to counter and outsmart the adversary and - more importantly - to help create confidence in their constituents’ security ecosystem. The kind of security research and discovery of security issues that could frustrate the efforts of nation-states is happening whether there is an invitation or not, and the truth of this is making the implementation of a VDP an increasingly easy decision to make.  Read Less
September 23, 2020

Expert Commentary: New House Approved Legislation Risks Prosecuting Ethical Security Researchers
As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet.
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to being with.....Read More
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to being with - have an open field to exploit undiscovered vulnerabilities within voting systems. Another question that remains is whether this new bill will now make ethical security research of second hand and aftermarket voting equipment illegal by putting these machines into the protected computer class? If so, this bill will have practical impact on the ability for voting machine security research to be conducted in the first place/ As the legislation now awaits the POTUS’ signature for final approval, it would be remiss of cybersecurity industry leaders to ignore the fact that this legislation is a step in the wrong direction, as is any broadening of the scope of the CFAA. The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet it serves as a barrier for the betterment of our society by barring security researchers from doing their job. Every time that it is broadened, good-faith hackers unfortunately are the ones most affected. As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet. This legislation would not only outlaw but also derail the efforts of security researchers in helping identify and resolve vulnerabilities that could potentially destroy an organization within the voting infrastructure, impacting democracy as a whole.  Read Less
September 04, 2020

Expert Commentary: Voatz Wrongly Accuses Ethical Hacker
Congress originally passed the CFAA in response to growing threats from malicious actors.
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary. To elaborate, if there’s a method of exploiting the system that.....Read More
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary. To elaborate, if there’s a method of exploiting the system that the organization is unaware of, they cannot possibly provide legal access to test it. In this case, Voatz would be leaving their voting system vulnerable to attack. Unauthorized access is one of the main purposes of security research - by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win. Congress originally passed the CFAA in response to growing threats from malicious actors. Unfortunately, the law is so broadly written that it criminalizes acts that otherwise violate a website’s terms of services, from lying about your name on a web form to the socially beneficial security testing that ethical security researchers undertake. The purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions. A broader interpretation of "exceeds unauthorized access" in CFAA works directly against the goals of a safer and more resilient internet. Moving forward, security researchers must also pay attention to organizations’ bug bounties to ensure they have safe harbor language.  Read Less
August 24, 2020

Expert Commentary: Uber Covers-up Ransom Payment For PII Of 57M Drivers
I highly advise other industry leaders to consider the value of the ethical security researcher community.
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for.....Read More
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for misunderstanding. In extortion, it's the other way around, and the threat of data exposure puts pressure on payment. Unfortunately, this incident has also negatively influenced the public’s perception of the hacker community, and of bug bounties in general. Historically, hackers were strictly viewed as malevolent, but the industry's understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community. In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security posture. Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses legal lines into dark territory, and the kind of hacking which can be helpful. As leaders within the cybersecurity space, we have a moral obligation to support the next generation of Internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work. I highly advise other industry leaders to consider the value of the ethical security researcher community. As the Internet plays an instrumental role in both our daily work and personal lives, this community of cyber defenders around the world work to make the Internet a safer place for everyone.  Read Less
August 12, 2020

Expert Commentary: Unsecured databases exposes 3.1M+ patients’ data
Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place.
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database. This highlights the overall .....Read More
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database. This highlights the overall failure of both public and private sector organizations to cooperate with ethical security researchers. Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place. This is because humans are prone to error and, when developers feel rushed to bring a new product or innovation to market, they will make mistakes along the way. Historically, NoSQL databases like Elasticsearch and MongoDB have been subject to bulk erasure and ransoming. That being said, exposed Elasticsearch instances on the internet will be found, and organizations with VDPs in place will have a greater chance of closing these up before they can be exploited by adversaries. With a VDP, organizations will be able to be proactively alerted of vulnerabilities by ethical researchers before they can be exploited in the wild. Speed is the natural enemy of security, and the best way to remain secure and beat attackers is by thinking like one – even organizations with in-house security teams can benefit from having outside help. In this instance, having a VDP would have allowed Adit to secure their database before it could have been deleted and the data possibly stolen.  Read Less
July 23, 2020

Expert Commentary: Apple iOS Security Research Device Program
Speed is the natural enemy of security in software development.
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result. To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s.....Read More
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result. To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s playbook and work with outside researchers. Speed is the natural enemy of security in software development, and no organization is safe, even companies with in-house security teams. The news is dampened by their legal battle with Corellium over copyright infringement, since Corellium developed and sold software that allows researchers to hunt for potential iPhone vulnerabilities, but is ultimately a good and exciting move by Apple.  Read Less