Friday, January 12, 2024

🦆 Sitting ducks

Plus: Ivanti zero-day hacks 🚨 | Friday, January 12, 2024
 
Axios Codebook
By Sam Sabin · Jan 12, 2024

😎 TGIF, everyone. Welcome back to Codebook.

  • If you're hanging around ShmooCon in D.C. this weekend, come say hi!
  • 📬 But first: have thoughts, feedback or scoops to share? codebook@axios.com.

🚨 Situational awareness: In a letter shared first with Axios, Senate Finance Committee Chairman Ron Wyden (D-Ore.) is calling on the inspector general of the U.S. Securities and Exchange Commission to investigate how a hack of the agency's X account happened this week.

Today's newsletter is 1,641 words, a 6-minute read.

 
 
1 big thing: What makes our accounts so easy to hack
Illustration: Shoshana Gordon/Axios (a recursive tunnel of hands holding smartphones)

 

Setting up a basic security feature on online accounts has become so convoluted and confusing that even a U.S. government agency and a top cybersecurity vendor failed to get it right.

Why it matters: Enabling multifactor authentication (MFA) — usually inputting a code sent to your phone or using an authenticator app to log in to your accounts — is go-to cybersecurity advice to fend off hackers.

  • But that advice is useless if no one knows how it works and websites keep changing their MFA implementation policies, experts say.

Driving the news: The U.S. Securities and Exchange Commission is investigating a hack of its account on X, formerly known as Twitter, that resulted in a cybercriminal posting a false announcement that national exchanges could list Bitcoin ETFs.

  • While the SEC has not commented on how this happened, X said Tuesday that it confirmed that the account didn't have MFA activated.

Meanwhile, Google Cloud's Mandiant said Wednesday that a hacker used a brute-force password attack to break into its X account last week.

  • "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the company said.

Zoom out: MFA is designed to stop simple password-based attacks by requiring a second proof of identity on top of the password: a code sent to the phone number on file, a code generated by an authenticator app, or another factor the account is linked to.

  • In theory, even if a hacker has obtained someone's real password, the login still fails without access to that second factor.

The big picture: Each website handles MFA differently. Some require all users to have it, some offer only text-based login codes, and others still don't offer it at all.

  • For example, X made its most popular form of MFA — text-based login codes — a paid premium feature in March 2023. Users who wanted to keep MFA without paying had to install a separate authenticator app on their phones to generate a code instead.
  • MFA adoption was already low at X before the change: only 2.6% of users had any form of two-factor authentication turned on, according to a July 2022 report, and of those, about 74% used the text-based option.

What they're saying: "A lot of the sites that we leverage allow you to use them in an unsafe way without it being super clear that you are doing that," Rachel Tobac, CEO of SocialProof Security, tells Axios.

  • "I would like each site to think of themselves more like a car: How does your car tell you that you're currently driving without a seatbelt on?" she says. "It has visual indicators, it has audio indicators, it's not going to let you keep going sometimes."

Between the lines: In today's security landscape, it's usually up to users to turn on MFA on their accounts — and they just aren't doing it.

  • Many websites make it difficult to turn on the feature, leaving the option buried in account settings.
  • Some users also get frustrated when they have more barriers to logging in to an account.

By the numbers: Fewer than half (48%) of employers mandate employees use MFA at work, according to Barracuda Networks' State of MFA report in October.

  • Microsoft said in February that only 28% of its users were using MFA as of December 2022 — and 99.9% of compromised user accounts didn't have MFA on.

Yes, but: The kind of MFA that's available matters. A lot.

  • MFA that relies solely on a phone number is typically easier to defeat than MFA based on authenticator apps from Microsoft, Google and others, because the app generates the code on the device itself rather than receiving it over the phone network.
  • Hackers can take over someone's phone number through SIM-swapping, in which they trick or bribe the carrier into moving the number to a SIM card they control, and from then on every text-based login code is delivered to them.

The intrigue: The technology industry can easily change this dynamic if companies work together to make MFA a requirement for their sites' user accounts, Tobac tells Axios.

  • Sites like GitHub and Google have already started to mandate MFA for user accounts.
  • "It should be at least extremely obvious and easy to turn it on, if not required," Tobac says.

Be smart: If MFA is available for your critical online accounts — such as bank accounts and email inboxes — turn it on now.

 
 
2. Nation-state hackers' next unpatched target
Illustration: Aïda Amer/Axios (animated siren flashing on top of a computer)

 

Ivanti, a popular provider of enterprise work tools, confirmed that hackers are actively exploiting critical vulnerabilities in two of its products.

Why it matters: Ivanti has more than 40,000 customers, and attackers are believed to have been exploiting the flaws for roughly a month before Ivanti discovered them.

Threat level: Researchers at cybersecurity firm Volexity suspect that a Chinese state-backed hacking group is actively exploiting these flaws to get into companies' networks.

  • Ivanti has released new mitigations to make it harder to exploit these issues, but patches won't start to become available until the week of Jan. 22.

Details: The company said it's aware of fewer than 10 customers that hackers have targeted using the vulnerabilities.

  • The vulnerabilities affect Ivanti's Connect Secure VPN devices, formerly known as Pulse Secure, and its Ivanti Policy Secure tool.
  • One bug lets an attacker bypass authentication and the other lets them inject commands; used together, they give an attacker without valid credentials a foothold on the appliance. Once inside, hackers have stolen configuration data and login credentials, modified existing files on the device, and pulled down additional files from remote servers, according to Volexity.
  • Volexity's researchers said in a blog post Wednesday that they believe hackers have been exploiting the flaws since as early as Dec. 3.

The big picture: Hackers have gotten better at quickly finding and exploiting so-called zero-day vulnerabilities, bugs that are exploited before the vendor knows about them or has a patch available.

  • Experts anticipate that even more attacks will rely on zero-days in 2024.

Be smart: Ivanti has provided mitigation guidance to help keep hackers out of companies' networks until the full patches are ready.

  • Customers should also review their appliance and network logs for signs of an ongoing breach, Volexity recommended, since mitigations block new exploitation but do nothing about an attacker who is already inside.

What we're watching: It often takes weeks or months for companies to identify when hackers used a zero-day vulnerability to access their systems.

 
 
3. U.S., EU reach deal on cyber label programs
Photo: Tayfun Coskun/Anadolu via Getty Images (the CES sign at the front of the expo floor at CES 2024 in Las Vegas)

 

The Biden administration has signed an agreement with the European Union to align U.S. and EU plans to create cybersecurity rating labels for internet-connected devices, a senior administration official announced at CES on Thursday.

Why it matters: Device manufacturers have worried about navigating a patchwork of cyber consumer label certification processes as multiple countries start to stand up their own programs.

  • The new memorandum of understanding between the U.S. and the EU ensures both programs will have the same requirements for certification.

What they're saying: "Sometimes the way it's done in the past is that we each build our program and at the end say, 'How do we connect this?'" Anne Neuberger, deputy national security adviser for cyber and emerging technology, told Axios following the announcement. "We're starting that from the ground up."

Catch up quick: The Federal Communications Commission is spearheading a project to establish a voluntary label program that certifies that internet-connected devices meet a yet-to-be-defined cybersecurity standard.

  • The program is modeled after the Department of Energy and Environmental Protection Agency's Energy Star program, and the FCC is working to launch it by the end of 2024.
  • The White House has been hosting meetings since 2022 among industry groups, agency officials and university researchers to lay the foundation for what the program should look like.

The big picture: Singapore, the U.K. and other countries have already started exploring their own consumer cyber label for internet-connected devices.

  • But since manufacturers ship their devices around the world, each product could end up facing a long list of separate requirements to participate in every country's labeling program.

Details: Under the joint roadmap, the U.S. and the EU will work together to identify the same requirements for certification for their programs, Neuberger told Axios.

  • The EU is in the middle of creating a mandatory program, as required under the recently passed Cyber Resilience Act.
  • However, both the EU and the U.S. will recognize each other's certifications, meaning a U.S. manufacturer will need to participate in only one program to get both labels.

Yes, but: The U.S. program is still voluntary, and its staying power will rely on manufacturer participation.

  • However, Neuberger said she's seen a lot of excitement among top CEOs at CES about the new label, noting they're eager to see it on their products at next year's show.
 
 

 
 
4. Catch up quick

@ D.C.

🗳️ FBI director Christopher Wray warned that more countries — besides Russia, China and Iran — are likely to engage in election interference this year. (The Record)

👔 National cyber director Harry Coker says his office is working with the Office of Management and Budget to remove requirements for a four-year degree for some federal cyber contracting jobs. (CyberScoop)

👋 U.S. Army Gen. Paul Nakasone, head of the National Security Agency and the U.S. Cyber Command, is expected to officially step down in early February, following a delayed Senate confirmation for his replacement. (Bloomberg)

@ Industry

👀 A Chinese company is now able to crack the encryption surrounding Apple's AirDrop tool, according to China's Justice Bureau. (Axios)

💰 Cyber funding and merger-and-acquisition activity declined to $8.7 billion in 2023, a 40% annual decrease. (Cybersecurity Dive)

@ Hackers and hacks

🤖 A group of researchers say they were able to accept and reject job applicants and see sensitive information about customers after breaking into an AI chatbot operated by Chattr and used by fast food franchises. (404 Media)

🏠 Real estate service giant Fidelity National Financial says hackers stole data belonging to 1.3 million customers during a cyberattack in November. (TechCrunch)

🫠 Researchers have uncovered infostealer malware that can revive stolen Google session cookies and get into someone's Google account even if they have multifactor authentication set up. (MalwareBytes)

 
 
5. 1 fun thing
Screenshot: @CISAJen/X (a post from CISA Director Jen Easterly about a Jeopardy clue mentioning her agency)

 

I hope you all got this Jeopardy question right — or else, what are we even doing here?! 👀

 
 


 

☀️ See y'all Tuesday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

