Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=-8Doge2h8LI
Security updates for Wednesday
Post Syndicated from original https://lwn.net/Articles/918655/
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
Home Assistant 2023.1 Release Party
Post Syndicated from Home Assistant original https://www.youtube.com/watch?v=T8gpiGZKX6w
Aspen: The World’s Most Expensive Winter Wonderland
Post Syndicated from Geographics original https://www.youtube.com/watch?v=Qs4U_cRZhVA
The 1918 "Polar Bear" Expedition
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=pD-DYw5bUH0
Best Photo of 2022 – Live Photo Review
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=BcXiE9sbrDg
Comic for 2022.12.28 – Drinking
Post Syndicated from Explosm.net original https://explosm.net/comics/drinking
New Cyanide and Happiness Comic
L6 Lagrange Point
Post Syndicated from original https://xkcd.com/2717/

The 2022 Naughty and Nice List
Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/12/27/the-2022-naughty-and-nice-list/

It’s the holiday season when children all over the world cross their fingers in the hope that they don’t end up on a certain red-clad big man’s naughty list. Turns out, we at Rapid7 have a similar tradition, only we’re the ones making the list and there’s a whole lotta naughty going on (not like that, get your heads out of the gutter).
We’ve asked a few of our experts to share what in cybersecurity deserves to be on the naughty list, and what needs to be on the nice list. Some of these represent personal gripes, others are industry-wide, and still others are specific to certain aspects of what we do all day.
Obviously, we all lived through the many levels of Shell this year so we are taking that as the quintessential 2022 naughty entry. These are a few others that you may or may not have been tracking, but are worth thinking about as we put this year to bed.
Here, without further fanfare, is our non-exhaustive, thoroughly delightful, slightly deranged, 2022 Cybersecurity Naughty and Nice List. Enjoy.
The Naughty List
Virtual Private Nopes: I try, really hard, to take a charitable read on people’s motivations. So, normally, it takes a lot to get on my bad side. That said: I nominate the entire consumer VPN industry for this year’s Naughty List. This is based on a paper published by the University of Maryland titled “Investigating Influencer VPN Ads on YouTube,” by Omer Akgul, Richard Roberts, Moses Namara, Dave Levin, and Michelle L. Mazurek.
Not to spoil the surprise, but the study shows that many consumer VPN influencer ads contain potentially misleading claims, including overpromises and exaggerations that could negatively influence viewers’ understanding of Internet safety. It also found that the ads’ presentation of information on complicated subjects of cryptography, networking, and cybersecurity in general is likely counterproductive and may make viewers resistant to learning true facts about these topics.
Naughty, naughty indeed. You can hear more about this on Security Nation, or if you’re feeling particularly ironic, on YouTube. – Tod Beardsley, Director of Research
When IoT Products Attack: There is a never-ending flood of cheap white-labeled IoT goods available for consumers to purchase online. Many of these devices have little or no security. Worse, most of these products don’t even have vendors backing them when vulnerabilities are found. As a result, many of the issues will never be fixed.
As this pile of garbage continues to grow, it seems we are just forced to wait and anticipate another Mirai-style botnet (or worse) to emerge and create havoc. – Deral Heiland, Principal Security Researcher, IoT
Ambulance Chasing in the Wake of the Uber breach: It is critical for cybersecurity vendors to react to cybersecurity events as quickly as possible and often in as close to real-time as we can get. From a marketing standpoint, this can be an opportunity to impart a timely, relevant message that showcases a security product in a positive light.
There’s nothing inherently wrong with that, but when vendors use it as an opportunity to tsk-tsk those who didn’t use their product they come off as unhelpful at best, and dangerously boastful at worst.
The Uber breach that hit headlines earlier this year is a good example of this where some of the most vocal vendors were also shown to be unable to stop the breach. Everyone should be proud of their products and their capabilities, but let’s stick to being helpful to the community rather than resorting to ambulance chasing and Monday morning quarterbacking. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec
The Nice List
U.S. Government Agencies Pass New Cybersecurity Legislation: During 2022, the U.S. took some significant steps—in the form of regulation and legislation—to ensure proper disclosure of major cybersecurity incidents.
In March, President Biden signed new cybersecurity legislation mandating critical infrastructure operators report hacks to the Department of Homeland Security within 72 hours and within 24 hours of ransomware payments.
Additionally, the SEC voted to propose two new cybersecurity rules for publicly traded companies. The first mandates reporting of material cybersecurity incidents in an 8-K form within four business days of the incident. The second requires that companies disclose their policies for managing cybersecurity risks, including updates on previously reported material cybersecurity incidents.
In July, the House of Representatives passed two cybersecurity bills. The first requires the Federal Trade Commission to report cross-border complaints involving ransomware and other cybersecurity incidents. The second directs the Department of Energy to establish an energy cybersecurity university leadership program. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec
Consumer Protections for IoT Devices: In October, the White House hosted a meeting with IoT industry leaders to start the process of developing an IoT Labeling system for consumers to help them identify products that meet a standard level of security.
Although this project will take time to complete, and the use of the labels will be voluntary for vendors, I do expect many vendors will embrace this labeling solution to help promote their products above their competitors. This project will be a major step forward for consumers, which will help them to make sound security decisions on what products to deploy in their homes. – Deral Heiland, Principal Security Researcher, IoT
Adventures in TOTP Token Extraction: I let backups for my phone lapse … for the entire pandemic. Oops. So, when my phone gave up the ghost, I lost the primary authentication device for 2FA (in addition to countless photos of my wife and me playing board games during lockdown). Oh no!
I was using a cloud-based TOTP token manager and was still authenticated and logged in on my desktop. So, “no problem,” says I, “I can just use the web UI to export these tokens to the new phone!” Well, not so fast—it turns out that it is super hard to grab these tokens and port them around. Which is infuriating.
Thankfully, Guillaume Boudreau published a completely hacky method to extract those TOTP tokens, which is totally nuts and also totally works. Yay! – Tod Beardsley, Director of Research, Rapid7
In Conclusion, We’ve Concluded
So, there you have it. A bit of naughty, a touch of nice, something about TOTP tokens, this blog post has it all. Thank you from the entire Rapid7 team for being with us throughout this wild year!
Top Ten Blog Posts of 2022
Post Syndicated from original https://www.backblaze.com/blog/top-ten-blog-posts-of-2022/

Every year we round up the best of the blog, and this year is no different. We like to look back on our posts that you, our readers, liked best and reflect on the content that resonated with the most folks.
How do we do that? Data! We gathered the analytics and sorted out the posts that got the most unique views over the course of the year. There are some mainstays that show up here year after year—our Drive Stats reports are a perennial hit. But there are always some surprises in there, too. Do you read all of our posts? Did your favorite one make the list? Read on to find out.
A Countdown of Top Blog Posts from 2022
10. How to Wipe a Windows SSD or Hard Drive

Coming in at the #10 spot is a companion piece to our ever-popular “How to Wipe a Mac” lest we neglect our PC-loving brethren. Check out this post if you need to securely erase your PC.
9. Don’t Get Trapped in iCloud

This post covers some of the pitfalls you might run into if you rely solely on iCloud to store your data as well as the method I, personally, use to back up my mobile devices.
8. The SSD Edition: 2022 Drive Stats Mid-Year Review

This year, we introduced a new report as part of our Drive Stats franchise focusing on SSDs, and it earned the #8 spot in our top 10. Read this one to find out how the SSDs in our data centers performed.
7. SSD 101: How to Upgrade Your Computer With an SSD

Lots of you searched for ways to take that old computer you have lying around and upgrade it with an SSD instead of donating or recycling it. This post explains the practicalities you should consider before doing so.
6. What’s the Diff: NAS vs. SAN

Network attached storage (NAS). Storage area network (SAN). If the acronyms weren’t confusing enough, the actual names of these two technologies certainly do the job. We explain the difference in this popular post.
5. How to Wipe a Mac Hard Drive

Still more of you are interested in how to safely and securely wipe your Macs. Especially as we come out of the gift giving season, many of you might be ready to dispose of or donate that old computer. Use this guide to make sure your data doesn’t make its way into the wrong hands.
4. Backblaze Drive Stats for Q1 2022

Our Q1 Drive Stats post, released on May the Fourth (be with you), is always a fun one. This year, Andy took inspiration from the “Star Wars” cinematic universe, organizing the post around notable quotes and delighting us all.
3. What’s the Diff: SSD vs. NVMe vs. M.2 Drives

Many of you were curious about the different kinds of SSD drives out there, putting this comparison post in the #3 spot. We spelled out the differences between SSDs, NVMe, and M.2 drives so you can figure out which is best for your use case.
2. Backblaze Drive Stats for Q2 2022

Our marquee franchise was unseated as the top post this year. Andy Klein, our resident Drive Stats storyteller, took it in stride. While Drive Stats may not be our top post this year, the reports hold three of the top ten slots, which is nothing to scoff at. Consistency is key!
1. The Python GIL: Past, Present, and Future

This little experimental post on a somewhat arcane feature of the Python programming language found a huge audience when we published it back in May. We reached out to Barry Warsaw, a Python core developer and contributor, and Pawel Polewicz, a backend software developer, to write a quick history of the Python global interpreter lock (GIL). Barry and Pawel blew us away with this deep dive on the GIL’s evolution that ended up becoming our top blog post of the year.
Thanks for Reading the Backblaze Blog in 2022
We’re glad you like reading about things like cloud storage, hard drives, and esoteric coding features like the Python GIL as much as we like writing about them. We want to thank you for tuning in here on the blog and sharing your thoughts with us in the comments and on social media. Did your favorite post make it into the list? Is there anything you wish we’d write about more? Let us know in the comments. We always love to hear from you.
The post Top Ten Blog Posts of 2022 appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.
Colleen Young | Making Her Mark in a World She Can Barely See | Talks at Google
Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=gDw8evF0fJk
[$] The rest of the 6.2 merge window
Post Syndicated from original https://lwn.net/Articles/918146/
The world got a special Christmas present from Linus Torvalds this year in the form of the 6.2-rc1 kernel prepatch. By the time the merge window closed, 13,687 non-merge changesets had been pulled into the mainline for the 6.2 release. This was the busiest merge window since 5.13 (which brought in 14,231 changesets) in mid-2021, and quite a bit busier than 6.1 was — but comparable to the late 5.x releases. Just under 4,000 of those changesets were pulled after the first-half summary was written; there were quite a few significant changes to be found in those late-arriving patches.
Security updates for Tuesday
Post Syndicated from original https://lwn.net/Articles/918631/
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
Arresting IT Administrators
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/12/arresting-it-administrators.html
This is one way of ensuring that IT keeps up with patches:
Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.
Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software.
The next step would be to arrest managers at software companies for not releasing patches fast enough. And maybe programmers for writing buggy code. I don’t know where this line of thinking ends.
Security updates for Monday
Post Syndicated from original https://lwn.net/Articles/918607/
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
Christmas Flowers and Foreign Wars: Joel Roberts Poinsett
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=s3t0gnYTbDg
LastPass Breach
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html
Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
[…]
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
That’s bad. It’s not an epic disaster, though.
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.
News articles. Slashdot thread.
EDITED TO ADD: People choose lousy master passwords.
Techmoan 2022 Wrap-up video mix-tape
Post Syndicated from Techmoan original https://www.youtube.com/watch?v=e0kh9BXzAww
Kernel prepatch 6.2-rc1
Post Syndicated from original https://lwn.net/Articles/918585/
Linus has released 6.2-rc1 and closed the merge window for this release. “So it’s Christmas Day here, but it’s also Sunday afternoon two weeks after the 6.2 merge window opened. So holidays or not, the kernel development show must go on.”
Nikon Z 600mm f/4 TC (VS 400mm f2.8)
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=md_0q0reTMM