Safety well done: Celebrating infosec’s victories in 2021


Congratulations to the Tonga ccTLD, the United States Supreme Court and others …

Infosec headlines are generally dominated by data breaches, cyber attacks, vulnerabilities and other threats or incidents where human error often has a role to play.

The Daily Swig decided to restore the balance by highlighting some positive news: the commendable actions of cybersecurity professionals and organizations, open source developers and maintainers, and even journalists and judges.

(We haven’t included any groundbreaking security research published in 2021 – we’ll leave that to PortSwigger researcher James Kettle’s next annual roundup of the best web hacking techniques, a follow-up to the 2020 roundup.)

First Website Dedicated to Exposing Malware Vulnerabilities

The year began with the launch of a pioneering database that indexes exploit code for security vulnerabilities in malware itself.

Founder John Page told The Daily Swig that the repository could be “useful for incident response teams to eradicate malware without touching the machine” and “could potentially pit a malware-to-malware situation, who knows.”

Likewise, a platform for sharing and requesting indicators of compromise (IoCs) associated with various malware strains was unveiled in March.

SolarWinds shakes the US government out of its complacency on cybersecurity

The SolarWinds attack that hit federal agencies and blue-chip companies in late 2020 served as a wake-up call for the White House.

An executive order signed by newly-elected President Biden in May set the tone for a busy year on the cybersecurity front.

New rules followed on reporting ransomware payments and securing critical transport infrastructure; an overhaul of the federal government’s software procurement practices; a series of 60-day “sprints” aimed at strengthening cyber-resilience; plans for US federal agencies to establish a system to quickly correct hundreds of known and exploited flaws; a “Hack the DHS” bug bounty program; and a first-ever vulnerability disclosure program for federal civilian agencies.

“The administration is making good progress as it sheds light on it, launches initiatives, hires a new CISA director, and starts a conversation with various other nation states about what we’re going to do about it,” Aaron Portnoy, senior scientist at attack surface management specialist Randori, told The Daily Swig in July.


United States Supreme Court unshackles security research

The United States Supreme Court tipped the scales of justice decisively in favor of hackers with a ruling in June that effectively narrowed the scope of what constitutes “unauthorized access” under the Computer Fraud and Abuse Act (CFAA).

Infosec experts have long criticized the chilling effect that the CFAA’s ambiguity about what constitutes good-faith hacking has had on security research.

The ruling should reassure the civic-minded reporter who was threatened with legal action by Missouri Gov. Mike Parson – to widespread ridicule – after responsibly reporting a serious vulnerability in a state government website.

However, many believe that the law, which dates back to 1986, should be completely replaced.

The UK announced a review of its own equivalent legislation, the Computer Misuse Act, in May, following an industry campaign.

OWASP Top 10 Gets a Long-Overdue Refresh

The Open Web Application Security Project (OWASP) updated its top 10 categories of web application threats in September for the first time since 2017.

There were three new categories – “Insecure Design”, “Software and Data Integrity Failures” and a dedicated entry for “Server-Side Request Forgery (SSRF)” – along with name changes for several other categories.

“The refresh reflects the software industry’s ‘shift left’ to focus more on secure design and architecture, as well as threat modeling,” Tom Eston, director of application security practice at Bishop Fox, told The Daily Swig.

[Figure: The refreshed OWASP Top 10]

HTTPS (almost) everywhere

The discontinuation of the HTTPS Everywhere browser extension, announced in September, is a case of “mission accomplished”, according to its developer, the Electronic Frontier Foundation (EFF).

Released in 2010, the plugin automatically upgraded web connections from HTTP to HTTPS whenever the latter was available, and racked up over two million users in the absence of a similar feature built into popular browsers.

The open source extension will go into “maintenance mode” in 2022 amid widespread adoption of HTTPS; once Google and Firefox began enforcing HTTPS by default, the plugin had become largely redundant.

The change is one of a series of browser security developments The Daily Swig highlighted throughout 2021.

Google offers a defensive shield against surveillance

In October, Google used some of its vast resources to protect journalists, elected officials and human rights activists from surveillance, persecution and imprisonment.

The tech giant partnered with human rights and democracy organizations to distribute free physical security keys, through its Advanced Protection Program (APP), to more than 10,000 vulnerable people at high risk of being targeted by nation-state-backed hackers.

Record bug payout demonstrates value for money

A record bug bounty payout in October clearly demonstrated the attractive ROI that can come from crowdsourcing security.

While the $2 million paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner for a ‘double-spend’ vulnerability was a tantalizing sum, that figure has to be weighed against the losses potentially avoided.

The flaw meant that an attacker could multiply their cryptocurrency withdrawals by a factor of up to 233, with $3.8 million potentially turning into $850 million, for example.


Recognizing and learning from mistakes

A serious and long-standing vulnerability in the OWASP ModSecurity Core Rule Set (CRS) was a “slap in the face” for project officials when it was discovered, Christian Folini, co-lead of the OWASP CRS project, told The Daily Swig in November.

Now fixed, the critical and complete rule-set bypass prompted the CRS team to implement new practices, guidelines, and a bug bounty program to further secure the technology.

To his credit, Folini took the blame for inadvertently introducing two bugs after his team took over the dormant project in 2016, and decided to “view it as a chance for growth and development.”

Quick fixes

With the time between vulnerability disclosure and exploitation in the wild shrinking to days or even hours, credit goes to the vendors, maintainers, and end users who quickly released or applied patches throughout 2021.

This includes Tonic, the registrar for Tonga’s country-code top-level domain (ccTLD), which in December fixed a critical vulnerability in its website in less than 24 hours; the flaw opened the door to potential attacks against domains operated by Google, Amazon and many others.

Kudos also to the maintainers of the ubiquitous Java logging library Apache Log4j for rushing out a patch for the potentially ruinous Log4Shell vulnerability in December, and to VMware for its transparency in communicating high-severity security vulnerabilities.

A commendation is also warranted for two eagle-eyed Irish citizens who denied scammers a golden phishing opportunity in July: after spotting a typo in the URL of Ireland’s new Covid-19 recovery certificate portal, they registered the correctly spelled domain themselves.
