Newsletter

open source and cybersecurity news

December 22, 2023

It's 5:05, December 22, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Edwin Kwan: A recently discovered SMTP smuggling technique is allowing cyber attackers to sidestep email security protocols, posing a significant threat to organizations. The techniques exploit zero-day flaws in messaging servers, allowing attackers to send malicious emails with fake sender addresses.

Hillary Coover: In an effort to combat cybercrime, U.S. government researchers are embarking on a 30-month project to investigate whether computer code used in cyberattacks can reveal clues about the hackers behind them.

Marcel Brown: December 22nd, 1882. Edward Johnson, an associate of Thomas Edison, has walnut-sized bulbs made specifically for him to wire his Christmas tree with electric light. The eighty red, white, and blue bulbs formed the first set of electric Christmas tree lights in history.

Katy Craig: The SEC’s legal action against the former CISO of SolarWinds is a justified step towards greater accountability in corporate cybersecurity. It highlights the need for individuals in charge to diligently comply with federal safeguards and rules and to report incidents.

Trac Bannon: The charges against Joe Sullivan and Timothy Brown have dramatic ramifications for industry. There is the increased scrutiny of CSOs and CISOs. The precedent is set for personal accountability for both cybersecurity practices and disclosures. This means corporate security officers face scrutiny and legal responsibilities similar to CFOs and their responsibility for financial disclosures.

Olimpiu Pop: Whether we like it or not, we are at war. The CISO should stop preaching, and transform their slides into actions. Actions, translatable into automated tools that cannot be circumvented or ignored. More than that, as CISO, you should be the north star in terms of ethical conduct.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
SMTP Smuggling ByPasses Email Security Controls

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A recently discovered SMTP smuggling technique is allowing cyber attackers to sidestep email security protocols like domain-based message authentication, reporting, and conformance, posing a significant threat to organizations. The method leverages vulnerabilities in Microsoft, GMX, and Cisco Secure Email Gateway servers, enabling attackers to spoof millions of email addresses for targeted phishing attacks.

This is Edwin Kwan from Sydney, Australia.

A security researcher from SEC Consult revealed that the techniques exploit zero-day flaws in messaging servers, allowing attackers to send malicious emails with fake sender addresses. The vulnerabilities in Microsoft and GMX have been patched, but the potential for misconfiguration in Cisco Secure Email remains unaddressed.

SMTP smuggling is part of the smuggling vulnerability family. Taking advantage of differing interpretations of the SMTP protocol by exploiting how servers interpret the end-of-data code sequence, attackers can break out of the message data, specify arbitrary commands, and send fake emails. The technique makes malicious emails appear legitimate by bypassing checks from email protection protocols like DMARC, SPF, and DKIM.

Enterprises are particularly at risk, as attackers can use this method for targeted social engineering and spear-phishing attacks. The vulnerabilities were found in Microsoft Exchange Online, GMX, and Cisco Secure Email Cloud Gateway, affecting millions of SMTP servers. Microsoft and GMX have patched their flaws, but Cisco sees the issue as a feature and won’t issue a warning to customers.

Security experts advise organizations to remain vigilant, conduct periodic awareness training, and perform regular security tests to identify vulnerabilities in their infrastructure. The incident underscores the importance of addressing default settings and implementing robust security measures to protect against evolving cyber threats.

Resources
– SEC Consult: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
– Dark Reading: https://www.darkreading.com/cloud-security/novel-smtp-smuggling-technique-slips-past-dmarc-email-protections
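As an added, defender-side illustration of the end-of-data ambiguity described in this segment (example code written for this summary, not from SEC Consult or any of the affected vendors): a check that flags single-dot lines inside received message data that are not delimited by CRLF on both sides, and a normaliser that canonicalises line endings and dot-stuffs before relaying. The function names and the sample payload are constructed; the code assumes the receiving server has already consumed the real `<CRLF>.<CRLF>` terminator and removed dot-stuffing.

```python
import re

# A line consisting of a single '.' together with its surrounding line breaks.
# RFC 5321 ends DATA only with <CRLF>.<CRLF>; a '.' line delimited by a bare
# LF or bare CR is the ambiguous sequence that different servers may or may
# not treat as end-of-data.
_DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")
_CRLF = b"\r\n"


def find_ambiguous_terminators(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for every '.' line in the DATA payload that
    is not delimited by CRLF on both sides. 'data' is the message as received,
    after the server has consumed the real terminator and un-stuffed dots."""
    return [(m.start(), m.group(0)) for m in _DOT_LINE.finditer(data)
            if not (m.group(1) == _CRLF and m.group(2) == _CRLF)]


def normalize_and_stuff(data: bytes) -> bytes:
    """Prepare received data for relaying to the next hop: canonicalise every
    line ending to CRLF, then dot-stuff lines starting with '.' (RFC 5321
    section 4.5.2), so no line-break variant can be read as an early
    end-of-data by a downstream server that interprets it differently."""
    lines = re.split(rb"\r\n|\r|\n", data)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return _CRLF.join(stuffed)


# Constructed sample payload (not from the page): headers and body use CRLF,
# but one '.' line in the body is delimited by bare LF on both sides.
SAMPLE = (b"From: a@example.com\r\nSubject: hi\r\n\r\n"
          b"hello\n.\nsecond part\r\n")

if __name__ == "__main__":
    for off, seq in find_ambiguous_terminators(SAMPLE):
        print(f"ambiguous '.' line at byte {off}: {seq!r}")
    print(normalize_and_stuff(SAMPLE))
```

A gateway can either reject a message for which `find_ambiguous_terminators` returns anything, or relay only the output of `normalize_and_stuff`, which is free of such sequences.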


Hillary Coover
Researchers Seek to Unmask Hackers Through Code Analysis and AI

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

In an effort to combat cybercrime, U.S. government researchers are embarking on a 30-month project to investigate whether computer code used in cyberattacks can reveal clues about the hackers behind them. This is Hillary Coover in Washington, D.C. The Intelligence Advanced Research Projects Activity (IARPA), a federal research agency for the intelligence community, aims to create technologies that can expedite the identification of cyberattack perpetrators.

With a growing number of cyberattacks outpacing available forensic experts, small organizations often struggle to trace hackers who target them. While these new tools won’t replace human analysts, they will enhance efficiency by employing artificial intelligence to analyze cyberattack code. Law enforcement agencies typically take a long time to identify cyber attack culprits as hackers take measures to conceal their identities.

However, by analyzing the code, you may unveil behavioral traits that indicate a hacker’s origin or training. Challenges include the use of generative AI by hackers, potentially resulting in similar-looking malicious tools. Concerns exist about how AI might hinder cyber detectives, but it also offers a solution to cope with the rising number of cyberattacks.

IARPA’s research, coupled with AI analysis of code, could assist authorities in sifting through extensive data and connecting past cyberattacks, addressing the manpower shortage in handling cybercrime investigations.

Resources
– WSJ: https://www.wsj.com/articles/intelligence-researchers-to-study-computer-code-for-clues-to-hackers-identities-e1d594a4


Marcel Brown
This Day, December 22, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown with your technology history for December 22nd and 23rd.

December 22nd, 1882. Edward Johnson, an associate of Thomas Edison, has walnut-sized bulbs made specifically for him to wire his Christmas tree with electric light. The eighty red, white, and blue bulbs formed the first set of electric Christmas tree lights in history. Prior to this, people would traditionally decorate their trees with wax candles.

December 23, 1968. Astronauts Frank Borman, James A. Lovell, and William Anders become the first men to orbit the moon. Flying in Apollo 8, the men performed 10 total lunar orbits and tested many of the procedures that would be used in future lunar missions.

Additionally, the men were the first humans to travel beyond low Earth orbit, the first to see Earth as a whole planet, and the first to directly see the far side of the moon. On Christmas Eve, the crew made a television broadcast from which they read the first 10 verses from the book of Genesis. It was the most watched television program ever at the time.

That’s your technology history for this week. For more, tune in next week and visit my website, thisdayintechhistory.com.

Resources
This Day in Tech History: https://thisdayintechhistory.com/12/22


We’re at the part of our show where each Friday our contributing journalists agree on a single story for discussion. This week, the topic is how the SEC case against SolarWinds and Tim Brown will affect CISO Accountability. Let’s start off with an overview from Katy Craig.


Katy Craig
CISO Accountability: Framework for Compliance

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Today, we’re discussing the groundbreaking legal action by the SEC against the former CISO of SolarWinds. In a move that underscores the importance of accountability and cybersecurity, the SEC has sued the CISO for failing to comply with regulatory standards, breaking rules, and neglecting to report critical security issues.

This is Katy Craig in San Diego, California. The lawsuit marks a significant shift towards holding individual executives accountable for cybersecurity lapses. It’s a clear message that neglecting security protocols and failing to report breaches can have serious legal consequences. The SEC’s action emphasizes that compliance with established cybersecurity rules is not optional.

Companies, and by extension their executives, are expected to adhere strictly to these regulations to protect stakeholders’ interests. It’s crucial to note that this case doesn’t force companies to adopt a specific set of security controls. Instead, it’s about ensuring that individuals at the helm of cybersecurity follow existing rules and are transparent about security incidents.

This lawsuit is a pivotal moment in cybersecurity governance. It sends a strong signal to all corporate executives, especially those in charge of cybersecurity, about the seriousness of their roles and responsibilities. It’s not just about implementing security measures, but also about maintaining compliance and being transparent in the event of breaches.

The SEC’s legal action against the former CISO of SolarWinds is a justified step towards greater accountability in corporate cybersecurity. It highlights the need for individuals in charge to diligently comply with federal safeguards and rules and to report incidents. This case could be a turning point, encouraging better compliance and transparency across the industry.

This is Katy Craig, stay safe out there.

Resources
– Reuters: https://www.reuters.com/legal/us-sues-solarwinds-court-records-2023-10-30/
– SEC: https://www.sec.gov/news/press-release/2023-227
– CSO Online: https://www.csoonline.com/article/657599/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html


Tracy (Trac) Bannon
CISO Accountability: The buck stops… where?

Trac Bannon, Contributing Journalist, It's 5:05 Podcast

The SEC has charged SolarWinds and its CISO, Timothy Brown, with fraud and internal control failures. This comes a year after the FTC charged Uber’s former CSO, Joe Sullivan. Joe was convicted and it sent ripples through the cybersecurity community.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

The charges against Joe Sullivan and Timothy Brown have dramatic ramifications for industry. There is the increased scrutiny of CSOs and CISOs. The precedent is set for personal accountability for both cybersecurity practices and disclosures. This means corporate security officers face scrutiny and legal responsibilities similar to CFOs and their responsibility for financial disclosures.

These events mean that cybersecurity is finally elevated and part of corporate governance. Companies must give their CSOs and CISOs sufficient authority and resources to manage risks effectively. We will see a push for even greater transparency and accurate reporting of cybersecurity incidents.

There are also legal and financial ramifications to corporations, as well as their cybersecurity officers. I believe we will see more stringent internal controls and cybersecurity audits. This is an area where software architects can help. How? Applying DevSecOps principles, including continuous assessments being included in CI/CD pipelines, as well as additional automated scanning and compliance checks.

DevSecOps embraces a culture of shared responsibility for cybersecurity, development, and operations. This is the type of culture shift needed for entire organizations. Issues, risks, and incidents must be openly communicated and discussed.

From all of this, we are seeing continued calls for clearer federal guidance and more explicit guidelines. The rapidly evolving threat landscape makes keeping guidance up to date very difficult. At the end of the day, why would CISOs and CSOs want to take on these roles with so much personally on the line? There are still people like Joe Sullivan and Timothy Brown who want to make a difference to their organization, and who love solving complex problems, and who are, by nature, strategic leaders.

Funny, that sounds to me like they are software architects. Something to noodle on.

Resources
– Reuters: https://www.reuters.com/legal/us-sues-solarwinds-court-records-2023-10-30/
– CSO Online: https://www.csoonline.com/article/657599/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html
– SEC: https://www.sec.gov/news/press-release/2023-227
– Dark Reading: https://www.darkreading.com/vulnerabilities-threats/us-it-pros-data-breaches-keep-quiet-data-breaches
– CSO Online: https://www.csoonline.com/article/3697136/former-uber-cso-joe-sullivan-and-lessons-learned-from-the-infamous-2016-uber-breach.html


Olimpiu Pop
CISO Accountability: Compliance is not Security

Olimpiu Pop, Contributing Journalist

The SolarWinds incident entered a new era, the trial phase. This is a premiere in the industry. If you read the claim, it has nothing to do with the security itself.

Let’s look at the claims of the SEC.

1. SolarWinds promoted false public statements about its security practices.

2. They made false statements about their cybersecurity practices in SEC filings.

3. They didn’t disclose the red flags that led up to the SUNBURST attack.

4. They didn’t fully disclose the impact of the SUNBURST attack once it happened.

5. SolarWinds had multiple internal control failures.

They have nothing to do with the security practices themselves, but with the fraudulent conduct of the company and its representatives.

If you read Tim Brown’s bio, you have a feeling that you are reading the biography of a decorated cyber war hero. He doesn’t seem like the guy that doesn’t know what he should have done. Maybe he got too far up the ladder to remember what really happens in the trenches.

But the company is security compliant, you say. It bears the SOC 2 compliance decoration. Yes, but we all know that is just bureaucratic nonsense that techies usually ignore. We know that if practices remain just in a file cabinet until the auditor comes, and it’s not reflected in day-to-day operation, it’s pointless to say the least.

Whether we like it or not, we are at war. The CISO should stop preaching, and transform their slides into actions. Actions, translatable into automated tools that cannot be circumvented or ignored.

More than that, as CISO, you should be the north star in terms of ethical conduct.

If you know the results are dirty, don’t wash them just for the public. It’ll come back like a boomerang, with exponential impact. Stand up for the cybersecurity of your company. Even if you need to tackle the CEO for that. In conclusion, security standard compliance is not security.

Olimpiu Pop stated his opinion from Transylvania, Romania.

Resources
– SEC: https://www.sec.gov/news/press-release/2023-227
– National Law Review: https://www.natlawreview.com/article/sec-charges-solarwinds-and-solarwinds-ciso-fraud-and-internal-control-failures
– Medium: https://medium.com/starting-up-security/lessons-from-the-secs-lawsuit-against-solarwinds-and-tim-brown-4199d547aaa7
– TechTarget: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
– Medium: https://medium.com/starting-up-security/a-blameless-post-mortem-of-usa-v-joseph-sullivan-a137162f7fc9


That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com. 5:05 is a Sourced Network Production, with updates available Monday through Friday on your favorite audio streaming platform.

Have a safe holiday weekend, and we’ll see you back here on Tuesday… at 5:05.
