Security Leftovers
-
French open-source cybersecurity startup CrowdSec raises $13.7M
Founded in 2019, CrowdSec offers an open-source security engine that analyzes the behavior of IP addresses. The company’s platform focuses on real-time threat detection, security automation, data breach prevention, and reputation and behavior analysis, so that it can respond to attacks and share signals across the community.
-
Former Uber exec convicted in [breach] cover-up
A former Uber executive has been convicted on charges that he obstructed a Federal Trade Commission (FTC) investigation involving two [breaches] of the company that happened in 2014 and 2016.
A jury found Joe Sullivan guilty of obstruction of proceedings of the FTC and misprision of felony, which is taking steps to conceal a felony from authorities, on Wednesday after a four-week trial.
-
Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors [Ed: Microsoft Windows TCO (Microsoft tops the list; 4 out of 13 for "Remote Code Execution")]
CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) providing the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors. PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks, including software and hardware companies to illegally obtain intellectual property and develop access into sensitive networks.
-
Wladimir Palant: Scirge: When your employer mandates spyware [Ed: Report them to authorities, quit the job, or get an entirely separate machine to put that spyware on]
I recently noticed Scirge advertising itself to corporations, promising to “solve” data leaks. Reason enough to take a look into how they do it. Turns out: by pushing a browser extension to all company employees which could be misused as spyware. Worse yet, it obfuscates data streams, making sure that employees cannot see what data is being collected. But of course we know that no employer would ever abuse functionality like that, right?
[...]
There is no point searching for Scirge in any of the extension stores, you won’t find it there. Each company is provided with their individual build of the Scirge extension, configured with the company’s individual Scirge backend. The extension is then supposed to be deployed “automatically using central management tools such as Active Directory Group Policy” (see documentation).
This means that there are no independent user counts available, so it is impossible to tell how widely this extension is deployed. But given any Scirge server, inspecting extension source code is still possible: documentation indicates that the Firefox extension is accessible under /extension/firefox/scirge.xpi and the Chrome one under /extension/firefox/scirge.crx.
The stated goal of the browser extension is to look over your shoulder, recording where you log in and what credentials you use. The idea is recognizing “Shadow IT,” essential parts of the company infrastructure which the management isn’t aware of. And you would never use your work computer for private stuff anyway, right?
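The excerpt above makes the point that a centrally pushed extension can still be pulled from the company's own server and read. What a practitioner wants first is a quick triage of what the package is allowed to do before reading its scripts. The following is an added example, not code from Palant's post and not the Scirge extension: it unpacks a Firefox .xpi (a plain zip) from memory, pulls the manifest, and reports the permissions and content-script matches that give an extension a view of every page. The manifest it audits is a constructed sample built inline for the demonstration; nothing in it is taken from any real vendor's package.

```python
import io
import json
import zipfile

# Permissions that let an extension observe or alter every page, request or
# credential the browser handles. Any of these in a mandated extension is
# worth reading the code for. (Illustrative list, not exhaustive.)
HIGH_RISK = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history",
    "cookies", "nativeMessaging", "clipboardRead", "proxy", "debugger",
}


def load_manifest(xpi_bytes: bytes) -> dict:
    """Read manifest.json out of an .xpi (a zip archive) held in memory."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return json.loads(z.read("manifest.json"))


def list_scripts(xpi_bytes: bytes) -> list:
    """All JavaScript files in the package: the list a reviewer has to read."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return sorted(n for n in z.namelist() if n.endswith(".js"))


def audit_manifest(manifest: dict) -> dict:
    """Summarise the manifest entries that matter for a privacy review."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    risky = sorted(p for p in perms if p in HIGH_RISK)
    cs_matches = []
    for cs in manifest.get("content_scripts", []):
        cs_matches.extend(cs.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "content_script_matches": sorted(set(cs_matches)),
        # A content script on <all_urls> at document_start sees every page,
        # including login forms, before the page's own code runs.
        "injects_everywhere": "<all_urls>" in cs_matches,
    }


def audit_xpi(xpi_bytes: bytes) -> dict:
    report = audit_manifest(load_manifest(xpi_bytes))
    report["scripts"] = list_scripts(xpi_bytes)
    return report


def build_sample_xpi() -> bytes:
    """Constructed sample package for the demo. This is NOT any real extension."""
    manifest = {
        "manifest_version": 2,
        "name": "sample-monitor",          # hypothetical name
        "version": "0.1",
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "storage"],
        "background": {"scripts": ["background.js"]},
        "content_scripts": [
            {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("background.js", "// placeholder background script")
        z.writestr("content.js", "// placeholder content script")
    return buf.getvalue()


if __name__ == "__main__":
    # With a real server you would fetch /extension/firefox/scirge.xpi and
    # pass its bytes here instead of the constructed sample.
    print(json.dumps(audit_xpi(build_sample_xpi()), indent=2))
```

Use the .xpi rather than the .crx for this: a .crx carries a signature header in front of the zip data, so it is not a plain zip. The report is only the starting point; the scripts it lists are what you read to find out what actually leaves the browser, which is exactly what an obfuscated data stream is meant to hide.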
-
Blizzard tried to make it mandatory to have a phone for 2FA with Overwatch 2, and wasn't allowing people with cheap prepaid plans to authenticate. 2FA is kind of dumb if you use text messaging. | BaronHK’s Rants
Blizzard tried to make it mandatory to have a phone for Two Factor Authentication with Overwatch 2, and wasn’t allowing people with cheap prepaid plans to authenticate.
This is all getting pretty nasty, and rather stupid. Pretty much the only point of requiring a phone for 2FA is to force everyone to get cell phones whether they need one or not.
There’s an authenticator application for GNOME that’s FOSS and works pretty much the same way any other authenticator application does.
But a lot of Web sites demand SMS text messaging, which isn’t even secure.
Someone can get around it via SIM card cloning, which doesn’t happen with authenticators, which don’t need cell phones.
It’s totally debatable how much actual security 2FA even adds.
-
When 'experts' speak, it's best to state their affiliations upfront
Whenever there is a network attack in Australia — what some commentators call "cyber attacks" carried out by "hackers" — dozens of well-known and not-so-well-known commercial operatives literally fall over themselves in a bid to try and gain some advantage from the disaster.
As someone who reports on incidents of this kind with alarming regularity, one is often at the receiving end of singularly ill-informed missives, all striving to get a few lines in, just as long as their names are attached to those meaningless words.
However, there is nothing wrong with this particular form of narcissism, provided proper disclosure is made, so that the public, our ultimate masters, know what is driving those comments.
-
iTWire - Maurice Blackburn files OAIC complaint over Optus data breach
Law firm Maurice Blackburn has made a formal complaint to the Office of the Australian Information Commissioner in connection with the data breach which the telco Singtel Optus experienced recently.
The OAIC can order Optus to pay damages to customers affected by the leak which was disclosed on 22 September.
The representative complainant is Macquarie University academic Sean Foley, one of the millions whose data was compromised, Maurice Blackburn said in a statement on Friday.