Newsletter

open source and cybersecurity news

August 9, 2023

- CYBERSECURITY HEADLINES TODAY -

Highly Accurate Acoustic Keylogger Attack
Top Vulnerabilities: Why don’t we learn?
Review of 2022
Vulnerabilities PoV - Log4j Still Dangerous Two Years Later
This Day, August 9 in Tech History

In this Episode:

Marcel Brown: August 9th, 1991. Astronauts aboard the Space Shuttle Atlantis, Mission STS43, use an Apple Macintosh portable computer to send what is considered the first email from space.

Edwin Kwan: Academic researchers from British universities have developed a deep learning side channel attack that can be used to steal data from keyboard strokes that are recorded using a microphone with an accuracy of up to 95%.

Trac Bannon: Cybersecurity agencies from around the world have co-authored an alert that is peppered with words like "routinely" and "frequently." It's interesting to note the distribution of vendors involved in the Top 12 routinely exploited CVEs and CWEs.

Katy Craig: The world of cybercrime mirrors the laws of nature: adapt or perish. The choice of targets heavily influences the selection of vulnerabilities. Cyber actors, with precision akin to surgeons, opt for vulnerabilities more rampant within the network landscape of their targets.

Olimpiu Pop: According to Sonatype, around a third of the related downloads from Maven Central are vulnerable. The main reason this happens is the shaky software supply chain. The report provides a couple of pieces of advice on how to decrease the risk of supply chain attacks.

From Sourced Network Productions in Washington, DC, it’s 5:05. I’m Hillary Coover. Today is Monday, August 9th, 2023. Here’s the full story behind today’s cybersecurity and open source headlines.


Edwin Kwan: Highly Accurate Acoustic Keylogger Attack

Academic researchers from British universities have developed a deep learning side channel attack that can be used to steal data from keyboard strokes that are recorded using a microphone with an accuracy of up to 95%.

This is Edwin Kwan from Sydney, Australia.

The audio can be recorded from a nearby microphone or through the device’s own microphone. The keystrokes can be recorded through a video or audio conferencing call, such as using Zoom or Skype, though the prediction accuracy drops to 93% when using Zoom and 91.7% for Skype.

The attack starts by recording keystrokes on the target’s keyboard, and using that data for training the prediction algorithm.

Such an attack has the potential to leak sensitive information, including passwords, to malicious third parties. The attack has proven highly effective, even against a very quiet keyboard. Mitigation recommendations from the researchers include using software-based audio filters and continuing to use strong passwords as well as two-factor authentication.
Resources
New acoustic attack steals data from keystrokes with 95% accuracy
Keyboard sounds can reveal secrets: researchers – Security – Hardware – iTnews


Hillary Coover:

And now our story for the week, featuring Tracy Bannon, Olimpiu Pop, and Katy Craig with their perspectives on the top vulnerabilities that continue to be an issue for organizations. We'll start with Tracy Bannon.


Trac Bannon: Top Vulnerabilities: Why don’t we learn?

A global coalition recently published detailed findings highlighting that the most commonly exploited vulnerabilities (CVEs) in 2022 were older software issues. The bad guys have figured out that we don't seem to learn from history.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

Cybersecurity agencies from around the world have co-authored an alert that is peppered with words like "routinely" and "frequently." The authors include both the USA's CISA and FBI and leaders from Australia, Canada, New Zealand, and the UK. Using 2022 data, the coalition found that older, well-documented and well-known software vulnerabilities are the most commonly exploited. Examples include the earth-shattering Apache Log4Shell exploit that was first reported in 2021, and the Fortinet SSL-VPN credential exposure exploit.

It's interesting to note the distribution of vendors involved in the Top 12 routinely exploited CVEs and CWEs. Four of the Top 12 are associated with Microsoft, two with Atlassian and two with VMware. The types of software cover the gamut from email to software development and collaboration to infrastructure virtualization.

The coalition didn't stop their research with the Top 12. They provided an extended list of over 25 routinely exploited vulnerabilities. Most importantly, these vulnerabilities are well documented, and both the vendors and the users have actions to take.

Why, then, are these still an issue? One theory is that organizations are overwhelmed with the constant influx of new vulnerabilities. Another documented factor is the public availability of sample or proof-of-concept code for software vulnerabilities or vulnerability chains. Nothing like handing an exploit recipe card to the bad guys.

These PoCs are necessary to help the good guys and the end users as well.

What are the recommendations of the CISA-led coalition? The recommendations target two groups of readers: those who design and deliver software, and those who use software. To those who design and deliver software: implement secure-by-design and secure-by-default principles, including following the Secure Software Development Framework (SSDF), also known as NIST SP 800-218.

End user organizations need to patch, patch, patch. Did I mention patch? There are resources, guides, and training materials to help. Please head over to 505updates.com for links to the resources and to hear in-depth reports on specific CVE exploits.

Something to noodle on.

Resources
2022 Top Routinely Exploited Vulnerabilities | CISA
Security-by-Design and -Default | CISA
Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default
SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities | CSRC
Secure Software Development Framework (SSDF) Version 1.1


Katy Craig: Review of 2022

The year 2022 revealed a distinct pattern: a penchant for older software vulnerabilities. Amidst the labyrinth of digital defenses, cyber malefactors honed in on the chinks in our armor, exploiting the familiarity of outdated vulnerabilities more than newly surfaced ones. But what drives this preference for the past?

This is Katy Craig in San Diego, California.

One crucial factor lies in the visibility of these vulnerabilities. Many of them come with proof-of-concept code publicly accessible, an offering that's akin to a toolkit for cyber criminals. The sweet spot for exploiting vulnerabilities is within the initial two years of their disclosure. Beyond this window, the value of these vulnerabilities wanes as systems get patched or upgraded.

Timely actions such as patching significantly undermine the potency of known vulnerabilities, creating a hitch in the cyber actors' giddyup. It forces them into exploring more intricate, resource-intensive techniques like zero-day exploits or supply chain hacks.

Severe vulnerabilities with global reach are the crown jewels of the bad guys' exploits. These vulnerabilities, commonly known as CVEs, wield significant influence due to their widespread impact. Crafting tools to exploit these vulnerabilities becomes a low-cost, high-impact investment for these cyber miscreants, sustaining their efficacy over several years.

The world of cybercrime mirrors the laws of nature: adapt or perish. The choice of targets heavily influences the selection of vulnerabilities. Cyber actors, with precision akin to surgeons, opt for vulnerabilities more rampant within the network landscape of their targets.

But there's a twist in this narrative. The malicious web requests, the digital arrows these actors sling at vulnerabilities, are not invisible. They bear unique signatures that can be caught in the dragnet of deep packet inspection, a vigilant measure that raises the bar for their exploits.

As we navigate the digital frontier, the revelations of 2022 serve as a compass. They point to the age-old wisdom of timely action: patching the virtual walls, fortifying defenses, and thwarting cyber assailants in their tracks.

This is Katy Craig. Stay safe out there.
Resources
2022 Top Routinely Exploited Vulnerabilities | CISA


Olimpiu Pop: Vulnerabilities PoV – Log4j Still Dangerous Two Years Later

The effects of Log4Shell still ripple almost two years after its discovery. There should be no surprise that this vulnerability family can be found in the 2022 Top Routinely Exploited Vulnerabilities report published by CISA in partnership with other cybersecurity agencies. In a nutshell, an actor can exploit this vulnerability. The actor can then steal information, launch ransomware, or conduct other malicious activity.

Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 into the first half of 2022.

Yes, you should care even today. According to Sonatype, around a third of the related downloads from Maven Central are vulnerable. The main reason this happens is the shaky software supply chain. The report provides a couple of pieces of advice on how to decrease the risk of supply chain attacks.

1) Reduce the number of third-party dependencies. Exceptions should be made only if required to support business-critical functions.

2) Ensure contracts require vendors and third-party service providers to:

- Inform you of security incidents and vulnerabilities within a decent timeframe.

- Provide SBOMs with all products.

- Be transparent about their Secure by Design program and how they're working to remove classes of vulnerabilities and to set secure default settings.

As I reported heavily on this one, the resources section is packed with links from different sources. You can listen to more content on other threats in today's episode at 505updates.com.

Olimpiu Pop reported from Transylvania, Romania.
Resources
2022 Top Routinely Exploited Vulnerabilities | CISA
NVD – CVE-2021-45046
Apache Log4j Security Vulnerabilities
Learn to Fight Cyberattacks in 2023: Steve Poole’s Call to Action at Devoxx
Log4Shell Defenses: Java Agents in Conversation with Contrast Security’s Arshan Dabirsiaghi
Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit
Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS
https://www.kaspersky.com/blog/log4shell-still-active-2022/46545/
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
https://www.wired.com/story/log4j-log4shell-one-year-later/
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
CWE-20: Improper Input Validation (4.12)
CWE-400: Uncontrolled Resource Consumption (4.12)
https://cwe.mitre.org/data/definitions/502.html


Marcel Brown: This Day, August 9th in Tech History

This is Marcel Brown dropping some technology history for August 9th.
August 9th, 1991. Astronauts aboard the Space Shuttle Atlantis, Mission STS-43, use an Apple Macintosh Portable computer to send what is considered the first email from space. Using the AppleLink online service, Atlantis astronauts Shannon Lucid and James C. Adamson sent the following message:

"Hello, Earth. Greetings from the STS-43 crew. This is the first AppleLink from space. Having a great time, wish you were here. Send Cryo and RCS. Hasta la vista, baby. We will be back."

The AppleLink software on the Macintosh was specially configured to connect to NASA's communication system, which allowed the shuttle to interface with Apple's proprietary network from space. The Macintosh Portable itself had only very minor modifications to operate in space.

That's your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
http://thisdayintechhistory.com/08/09


Hillary Coover

That’s our update for today, August 9th, 2023. I’m Hillary Coover. We’ll be back tomorrow… at 5:05.
