It was discovered that Puma incorrectly handled parsing certain headers.
A remote attacker could possibly use this issue to overwrite header values
set by intermediate proxies by providing duplicate headers containing
underscore characters.
Daily Archives: September 24, 2024
14 Million Patients Impacted by US Healthcare Data Breaches in 2024
SonicWall found that data breaches caused by malware attacks on US healthcare organizations have affected 14 million people so far in 2024
#GartnerSEC: Zero Failure Tolerance, A Cybersecurity Myth Holding Back Organizations
Cybersecurity leaders should prioritize response and recovery over prevention to effectively navigate the ever-evolving threat landscape, according to Gartner analysts
Citing security fears, Ukraine bans Telegram on government and military devices
The government of Ukraine imposed a ban on the Telegram messaging app being used on official devices belonging to government officials, military staff, and critical infrastructure workers, citing security fears.
Read more in my article on the Hot for Security blog.
Israel’s Pager Attacks and Supply Chain Vulnerabilities
Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.
Though the deadly operations were stunning, none of the elements used to carry them out were particularly new. The tactics employed by Israel, which has neither confirmed nor denied any role, to hijack an international supply chain and embed plastic explosives in Hezbollah devices have been used for years. What’s new is that Israel put them together in such a devastating and extravagantly public fashion, bringing into stark relief what the future of great power competition will look like—in peacetime, wartime and the ever expanding gray zone in between.
The targets won’t be just terrorists. Our computers are vulnerable, and increasingly so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.
The core component of the operation, implanting plastic explosives in pagers and radios, has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That’s what all of those airport scanners are designed to detect—both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.
The second component, assassination by personal device, isn’t new, either. Israel used this tactic against a Hamas bomb maker in 1996 and a Fatah activist in 2000. Both were killed by remotely detonated booby-trapped cellphones.
The final and more logistically complex piece of Israel’s plan, attacking an international supply chain to compromise equipment at scale, is something that the United States has done, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it not for destructive purposes but for eavesdropping. We know from an Edward Snowden document that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn’t the agency’s only operation of this type.
Creating a front company to fool victims isn’t even a new twist. Israel reportedly created a shell company to produce and sell explosive-laden devices to Hezbollah. In 2019 the FBI created a company that sold supposedly secure cellphones to criminals—not to assassinate them but to eavesdrop on and then arrest them.
The bottom line: Our supply chains are vulnerable, which means that we are vulnerable. Any individual, country or group that interacts with a high-tech supply chain can subvert the equipment passing through it. It can be subverted to eavesdrop. It can be subverted to degrade or fail on command. And although it’s harder, it can be subverted to kill.
Personal devices connected to the internet—and countries where they are in high use, such as the United States—are especially at risk. In 2007 the Idaho National Laboratory demonstrated that a cyberattack could cause a high-voltage generator to explode. In 2010 a computer virus believed to have been developed by the United States and Israel destroyed centrifuges at an Iranian nuclear facility. A 2017 dump of CIA documents included statements about the possibility of remotely hacking cars, which WikiLeaks asserted could be used to carry out “nearly undetectable assassinations.” This isn’t just theoretical: In 2015 a Wired reporter allowed hackers to remotely take over his car while he was driving it. They disabled the engine while he was on a highway.
The world has already begun to adjust to this threat. Many countries are increasingly wary of buying communications equipment from countries they don’t trust. The United States and others are banning large routers from the Chinese company Huawei because we fear that they could be used for eavesdropping and—even worse—disabled remotely in a time of escalating hostilities. In 2019 there was a minor panic over Chinese-made subway cars that could have been modified to eavesdrop on their riders.
It’s not just finished equipment that is under the scanner. More than a decade ago, the US military investigated the security risks of using Chinese parts in its equipment. In 2018 a Bloomberg report revealed US investigators had accused China of modifying computer chips to steal information.
It’s not obvious how to defend against these and similar attacks. Our high-tech supply chains are complex and international. It didn’t raise any red flags to Hezbollah that the group’s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries before being pieced together primarily in China.
That’s a hard problem to fix. We can’t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn’t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.
So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network—very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack and how the group will respond.
But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.
This essay originally appeared in The New York Times.
US Mulls Ban on Russian, Chinese Parts in Connected Vehicles
The US Commerce Department wants to prohibit the sale or import of connected vehicles with Russian or Chinese-made hardware and software
Two men arrested one month after $230 million of cryptocurrency stolen from a single victim
Two men have been arrested by the FBI and charged in relation to their alleged involvement in a scam which saw almost a quarter of a billion dollars worth of cryptocurrency stolen from a single victim.
Read more in my article on the Hot for Security blog.
Cybersecurity Threats: Top Risks Facing Your Startup
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Delivering a unique value proposition, researching markets, and attracting much-needed starting capital requires all hands on deck for any hopeful startup. Data security, privacy protection, and incident response plans that cover what to do if and when your cyber defenses are compromised don’t seem like immediate concerns worth devoting resources to during such times.
Yet startups that neglect to cultivate their cybersecurity posture from the outset risk reputation damage, loss of investor trust, and financial setbacks that even more robust companies cannot recover from. Here are the five crucial cyber threats startups need to be aware of and the strategies they should employ to mitigate the dangers.
Phishing Attacks
Phishing is the most prevalent and potentially the most dangerous cyberattack affecting startups. It has evolved over the years from indiscriminate, poorly written emails that were easy to spot – to sophisticated steps that are often part of grander hacking campaigns. Either alone or as part of more advanced efforts, phishing is responsible for the vast majority of data breaches.
Since startups attract attention by actively engaging with potential investors and the public, it’s not hard to collect data on crucial employees, draft convincing emails that look like a trusted source sent them, and ask the recipient to enter sensitive information on an external website or download malware. Business email compromise (BEC) is even more insidious since it relies on stolen or spoofed email addresses to give the message extra legitimacy, resulting in potentially massive financial losses for the company.
Awareness and employee training are the best methods to combat phishing attacks. Spotting the telltale signs and habitually bringing suspicious emails to their supposed senders’ attention will prove invaluable to protecting your startup from data breaches.
Vulnerable Passwords
Many startups operate entirely within the digital realm, meaning they rely heavily on other companies and their products, each with a corresponding account requirement. Credentials quickly pile on, and we, as humans, aren’t good at keeping track of or securing our passwords.
Hackers count on this. In fact, a well-known operation is to acquire databases of previously breached accounts and use these username and password combos to try and access other common accounts. Before you know it, one hacked password can expose several accounts with the same password and all the connected data instrumental to your startup’s operation.
Implementing a trusted business password manager is the most straightforward and effective course of action. These tools can generate long and unique passwords that comply with stringent safety standards and replace old ones for as many users and accounts and as often as needed. Password managers also allow for secure credential sharing and can store other sensitive information inside encrypted vaults.
Malware
Malware is the collective term for a wide range of malicious software that can infect your company’s systems and cause damage in different ways. For example, cryptojackers will repurpose your system resources to mine cryptocurrency behind your back. Keyloggers save and send keystroke histories to their creators, potentially uncovering login credentials or company secrets.
Ransomware has become rampant. It encrypts system-critical files and makes your devices unusable, which its creators will only reverse if you pay the fee. On the one hand, ransomware is particularly harmful for startups since it can grind daily operations to a halt. On the other, paying up may put you in a financial bind that’s impossible to get out of, especially during the early stages.
Small startups may not have the IT staff to ensure operating systems, anti-malware protection, and frequently used programs are up to date on all company devices. Since this is the most proactive step towards identifying and mitigating malware, you may need to hire someone or consider an endpoint management solution.
Insider Threats
The hiring process at startups can be hectic, especially if you’re experiencing a growth spurt and rush new arrivals through the hiring process to meet increased demand. It’s also not uncommon for employees to leave a startup after disagreements or changes in vision. Both scenarios may introduce ill-intentioned individuals with the motivation and resources needed to do much damage.
Malicious insiders may do anything from exposing company secrets through manipulating data and accounts for their financial gain to creating backdoors they or their associates can use to access company systems at a later time. For example, a duo of disgruntled Tesla employees leaked the personal information of more than 75,000 employees to a German newspaper in 2023. The newspaper in question chose not to publish the data per the GDPR. However, a less scrupulous entity could have done a lot of harm with this information.
Preventing malicious insider activity is tricky since their regular duties may legitimately involve them with vulnerable data. However, regulating data access will limit the scope of such attacks and reduce detection time.
Using password managers like NordPass to provide everyone with unique logins for each account is a good start, but you should augment them with an access management system as well. This ensures you can implement Zero Trust and logging policies. The former limits employee access to the scope of their work, while the latter provides a well-documented activity trail indispensable for pinpointing incidents and identifying associated account activity.
Cloud & Third-Party Vendor Risks
The shift toward always-online service-based business models introduces vulnerabilities other than account sprawl. Lack of expertise could cause startups to misconfigure cloud storage, leaving data that should have the highest protection vulnerable to viewing and downloading by people with low clearance levels. There’s also the fact that each third-party vendor you work with represents a potential security risk, as you have no say in the cybersecurity measures they use.
The solution to both problems is to thoroughly vet cloud storage providers and other third-party vendors, ensuring that their features and security precautions meet your current and future standards. You’ll also want to make regular physical backups of your most important data and keep them off-site so you can get up and running fast, whether something befalls the startup itself or your storage provider.
Conclusion
The belief that hackers don’t concern themselves with startups and other small businesses has already led far too many of them to close up shop before they’ve even had the chance to prove their worth. We hope acting on the information presented here will prevent your startup from becoming part of the grim statistics.
Telegram Boss Agrees to Closer Police Cooperation
Pavel Durov says he will share details of “bad actors” and clean up Telegram’s search function
Europol: GenAI Offers “Treasure Trove of Possibilities”
A new Europol report argues that AI tools could revolutionize policing across the region