Naked Security

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches

Lessons for us all: improve cryptography, fight cybercrime, own your supply chain... and don't steal my data and then pretend you're sorry.

Even though it’s already Day 4 of Year 2023, some of the important IT/sysadmin/X-Ops security stories of the holiday season are only popping up in mainstream news now.

So we thought we’d take a quick look back at some of the major issues we covered over the last couple of weeks, and (just so you can’t accuse us of sneaking out a New Year’s listicle!) reiterate the serious security lessons we can learn from them.


IS THIS THE LAST STRAW AT LASTPASS?

https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/

Lessons to learn:

  • Be objective. If you are ever stuck with doing a data breach notification, don’t try to rewrite history to your marketing advantage. If there are parts of the attack that you headed off at the pass, by all means say so, but take care not to sound self-congratulatory at any point.
  • Be complete. That doesn’t mean being long-winded. In fact, you may not have enough information to say very much at all. “Completeness” can include brief statements such as, “We don’t yet know.” Try to anticipate the questions that customers are likely to ask, and confront them proactively, rather than giving the impression you’re trying to avoid them.
  • Hope for the best, but prepare for the worst. If you receive a data breach notification, and there are obvious things you can do that will improve both your theoretical security and your practical peace of mind (such as changing all your passwords), try to find the time to do them. Just in case.

CRYPTOGRAPHY IS ESSENTIAL – AND THAT’S THE LAW

https://nakedsecurity.sophos.com/2022/12/29/us-passes-the-quantum-computing-cybersecurity-preparedness-act-and-why-not/

Lessons to learn:

  • Cryptography is essential for national security and for the functioning of the economy. It’s official – that text appears in the Act that Congress just passed into US law. Remember those words the next time you hear anyone, from any walk of life, arguing that we need “backdoors”, “loopholes” and other security bypasses built into encryption systems on purpose. Backdoors are a terrible idea.
  • Software must be built and used with cryptographic agility. We need to be able to introduce stronger encryption with ease. But we also need to be able to retire and replace insecure cryptography quickly. This may mean proactive replacement, so we aren’t encrypting secrets today that might become easily crackable in the future while they’re still supposed to be secret.
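An added example of the agility pattern this bullet describes, written for this page rather than taken from the article or the Act: every protected value carries an algorithm tag, the verifier accepts legacy suites only long enough to migrate them, and retiring a suite is a one-line registry change. It uses HMAC tags from Python’s standard library (which ships no authenticated cipher) instead of encryption; the suite names and the legacy/current split are assumptions.

```python
import hmac
import hashlib

# Registry of MAC suites keyed by the tag stored in every token. A suite is
# CURRENT (used for new tokens), LEGACY (still verifiable so old tokens can be
# migrated on read) or absent from the registry (retired: verification fails).
SUITES = {
    "v1": hashlib.sha1,      # legacy: verify-only, never used for new tokens
    "v2": hashlib.sha256,    # current
    "v3": hashlib.sha3_256,  # staged for the next rotation (assumed names)
}
CURRENT = "v2"
LEGACY = {"v1"}

def _mac(key: bytes, suite: str, payload: bytes) -> bytes:
    # The suite tag is part of the MAC input, so a token cannot simply be
    # relabelled to make the verifier run a weaker (or different) algorithm.
    return hmac.new(key, suite.encode() + b"|" + payload, SUITES[suite]).digest()

def protect(key: bytes, payload: bytes, suite: str = CURRENT) -> bytes:
    """Return a self-describing token: suite|hex(tag)|payload."""
    if suite in LEGACY:
        raise ValueError(f"{suite} is legacy; new tokens must use {CURRENT}")
    return b"|".join([suite.encode(), _mac(key, suite, payload).hex().encode(), payload])

def verify(key: bytes, token: bytes, allow_legacy: bool = True) -> tuple[bytes, bool]:
    """Return (payload, needs_migration); raise ValueError on a retired suite or bad tag."""
    suite_b, tag_hex, payload = token.split(b"|", 2)
    suite = suite_b.decode()
    if suite not in SUITES:
        raise ValueError(f"suite {suite!r} is retired or unknown")
    if suite in LEGACY and not allow_legacy:
        raise ValueError(f"suite {suite!r} is legacy; migrate before use")
    if not hmac.compare_digest(bytes.fromhex(tag_hex.decode()), _mac(key, suite, payload)):
        raise ValueError("tag mismatch")
    return payload, suite in LEGACY

def migrate(key: bytes, token: bytes) -> bytes:
    """Re-protect a token under CURRENT if it was produced by a legacy suite."""
    payload, needs_migration = verify(key, token, allow_legacy=True)
    return protect(key, payload) if needs_migration else token
```

Retiring "v1" for good means deleting its registry entry, after which old tokens fail closed instead of being quietly accepted.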

WE STOLE YOUR PRIVATE KEYS – BUT WE DIDN’T MEAN IT, HONEST!

https://nakedsecurity.sophos.com/2023/01/01/pytorch-machine-learning-toolkit-pwned-from-christmas-to-new-year/

Lessons to learn:

  • You have to own your entire software supply chain. PyTorch was attacked via a community repository that was poisoned with malware that inadvertently overrode the uninfected code built into PyTorch itself. (The PyTorch team quickly worked with the community to override this override, despite the holiday season.)
  • Cybercriminals can steal data in unexpected ways. Make sure your threat monitoring tools keep an eye even on unlikely routes out of your organisation. These crooks used DNS lookups with “server names” that were actually exfiltrated data.
  • Don’t bother making cybercrime excuses. Apparently, the attackers in this case are now claiming that they stole personal data, including private keys, for “research reasons” and say they’ve deleted the stolen data now. Firstly, there’s no reason to believe them. Secondly, they sent out the data so that anyone on your network path who saw or saved a copy could unscramble it anyway.
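The defender’s side of the DNS point above, as an added example that is not part of the original article: a small detector run over constructed resolver log lines, flagging zones that receive many distinct query names whose leftmost labels look like encoded data rather than hostnames. The log format, the thresholds and the sample zone name are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs, one "<client> <qname>" per line.
# The three 32-character hex labels stand in for chunks of exfiltrated data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.7 4a3f9c1e2b7d8e0f1a2b3c4d5e6f7a8b.exfil-example.test
10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.exfil-example.test
10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.exfil-example.test
10.0.0.9 mail.example.org
"""

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def suspicious_label(label: str) -> bool:
    # Hostnames are usually short, low-entropy words; encoded data is long and
    # close to uniformly distributed over its alphabet. Thresholds are assumptions.
    return len(label) >= 20 and entropy(label) > 3.0

def zone_of(qname: str) -> str:
    # Assumption: the last two labels are the zone the attacker controls.
    # A real deployment would consult the Public Suffix List here.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log: str, min_unique: int = 3) -> dict[str, list[str]]:
    """Return {zone: sorted clients} for zones that received at least
    min_unique distinct query names carrying a suspicious label."""
    names = defaultdict(set)
    clients = defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if any(suspicious_label(lbl) for lbl in labels[:-2]):
            zone = zone_of(qname)
            names[zone].add(qname)
            clients[zone].add(client)
    return {z: sorted(clients[z]) for z, qs in names.items() if len(qs) >= min_unique}
```

Legitimate CDN and telemetry hostnames also carry long hashed labels, so in practice you baseline each zone’s normal query volume and alert on newly seen zones or sudden bursts rather than on any single lookup.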

WHEN SPEED TRUMPS SECURITY

https://nakedsecurity.sophos.com/2022/12/27/critical-10-out-of-10-linux-kernel-smb-hole-should-you-worry/

Lessons to learn:

  • Threat prevention isn’t just about finding malware. XDR (extended detection and response) is also about knowing what you’ve got, and where it’s in use, so you can assess the risk of security vulnerabilities quickly and accurately. As the old truism says, “If you can’t measure it, you can’t manage it.”
  • Performance and cybersecurity are often in conflict. This bug only applies to Linux users whose determination to speed up Windows networking lured them to implement it right inside the kernel, unavoidably adding additional risk. When you tweak for speed, make sure you really need the improvement before changing anything, and make sure you really are enjoying a genuine benefit afterwards. If in doubt, leave it out.

CYBERCRIME PREVENTION AND INCIDENT RESPONSE

For a fantastic overview both of cybercrime prevention and incident response, listen to our latest holiday season podcasts, where our experts liberally share both their knowledge and their advice.
