* This newsletter is sponsored by Uptycs, the cloud-native security analytics platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, audit and compliance.
- I’m honored to be on the agenda for this year’s SecurityWeek’s CISO Forum, coming up on September 14-15, 2021. This year we’ll be talking supply chain, SBOMs, ransomware and cyber insurance.
Monday Blues.
The newsletter is late today, because Patch Tuesday. Over at SecurityWeek, I spent this morning writing about the 19th Windows zero-day attack so far this year, another Microsoft attempt to fix PrintNightmare, and Adobe shipping patches for critical flaws in the Magento e-commerce platform. These security defects are no joke and I recommend Windows users treat these updates with high priority.

Speaking of security things with the highest of priorities, I saw a Black Hat presentation by hacker ‘Orange Tsai’ on new attack surfaces on Microsoft Exchange Server that was equally impressive and terrifying. On the heels of the March Exchange Server mega hacks, the researcher documented an entirely new attack surface that could lead to a world of hurt down the road.
If you’re a Windows fleet admin, I’d start by carefully absorbing the warnings in this blog post on how the CAS (Client Access Service) in Exchange Server presents ripe hunting ground for malicious hackers. Orange Tsai documents how this massive new attack surface led to the discovery of eight vulnerabilities that were chained into three different attacks: ProxyLogon (pre-auth RCE), ProxyOracle (plaintext password heist), and ProxyShell (the pre-auth RCE exploit chain used at Pwn2Own 2021).
Orange Tsai, who has worked closely with Redmond to get these issues fixed, has hinted at future exploitation examples. See video of his Defcon presentation.
It’s even more disconcerting because of documented bug-discovery collisions: others, most notably the NSA and the Chinese APT group HAFNIUM, were already poking around and finding success popping holes in this new Exchange attack surface.
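For admins who want a concrete check rather than just a warning, here is an added hunting script (my example, not code from Orange Tsai's research or from Microsoft) that scans Exchange front-end IIS logs for the publicly documented ProxyShell request shape: a request for /autodiscover/autodiscover.json whose query carries an '@' plus an Email= parameter that itself names autodiscover.json, which is how the CAS front end was tricked into proxying the request to a back-end endpoint as a different user. The log lines, IPs and hostnames are constructed for the example, and the FIELDS list assumes the default IIS W3C field order; check it against the #Fields: header in your own u_ex*.log files.

```python
"""Hunt Exchange front-end IIS logs for ProxyShell-style Autodiscover path confusion.

Added example: not code from Orange Tsai or Microsoft. Sample log lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Default IIS W3C extended-log field order (assumption: confirm against your #Fields: header).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Back-end paths an attacker wants the front end to forward to once the
# Autodiscover path confusion succeeds.
BACKEND_TARGETS = re.compile(r"/(mapi/nspi|powershell|ews|owa|ecp)", re.IGNORECASE)
# 'Email=autodiscover/autodiscover.json' is the tell-tale parameter: the client names
# an Autodiscover endpoint where a mailbox address belongs.
EMAIL_CONFUSION = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)

# Constructed sample log (hostnames, IPs and timestamps are made up for this example).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-10 09:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @test.lab/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.lab 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 120
2021-08-10 09:12:03 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 contoso\\alice 192.0.2.14 Microsoft+Office/16.0 - 200 0 0 35
2021-08-10 09:12:05 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.test.lab/owa 443 - 192.0.2.15 Mozilla/5.0 - 200 0 0 15
"""


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a field dict; comment/header lines return None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def decode_query(raw: str) -> str:
    """Decode twice so attacker double-encoding (%253F -> %3F -> ?) is normalised."""
    return unquote(unquote(raw))


def is_proxyshell_like(rec: dict) -> bool:
    """True when the request has the Autodiscover path-confusion shape."""
    stem = rec["cs-uri-stem"].lower()
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return False
    query = decode_query(rec["cs-uri-query"])
    return ("@" in query
            and BACKEND_TARGETS.search(query) is not None
            and EMAIL_CONFUSION.search(query) is not None)


def hunt(lines):
    """Return [(client ip, decoded query)] for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec and is_proxyshell_like(rec):
            hits.append((rec["c-ip"], decode_query(rec["cs-uri-query"])))
    return hits


if __name__ == "__main__":
    for client_ip, query in hunt(SAMPLE_LOG.splitlines()):
        print(f"suspicious Autodiscover request from {client_ip}: {query}")
```

A hit is a reason to look at that client's other requests, at the Exchange back-end logs for the forwarded path, and at the patch level of the server; a clean scan is not proof of safety, since the same front-end confusion can be aimed at other back-end paths.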
A sobering reminder that Patch Tuesdays will never end.
_ryan
The Uptycs Security Analytics Platform offers one platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, and audit and compliance. Many organizations have a number of tools targeting their productivity endpoints, server endpoints, and cloud-native applications. Schedule a demo today.
The big story — Apple CSAM scanning concerns
The big story this week is the blowback against Apple’s plan to use a new hashing system on its platforms to detect and help limit the spread of CSAM (Child Sex Abuse Material). Here’s your catch-up reading material:
- Expanded Protections for Children is Apple’s web page with the problem statement and a description of its approach.
- A more detailed FAQ from Apple attempts to answer the more pressing questions around preserving user privacy.
- Here’s the most definitive technical summary of how the technology works.
- Apple’s Mistake digs into what’s really disturbing about the choices made by Cupertino.
- An Alex Stamos thread on this topic is required reading. As is this YouTube discussion by Stamos, Riana Pfefferkorn, Jen King and Matthew D. Green.
- From Ars Technica: Apple says it will refuse any government demands to expand the photo-scanning tool beyond child-abuse material.
Black Hat recap
A subdued and weird Black Hat/Defcon week came and went with worries about Covid overwhelming all other concerns in Las Vegas. Still, the agenda was chock full of educational sessions, tools and utilities, and enough warnings to keep the industry afloat for another decade. Some highlights:
- The Record has a list of the most interesting and useful security tools released during hacker summer camp.
- I covered two Black Hat keynotes — Matt Tait on mobile platforms obstructing security and new CISA boss Jen Easterly introducing herself to the hacker community.
- John Leyden at the Daily Swig lists the top hacks from the conferences — attacking Let’s Encrypt, FragAttacks, request smuggling on HTTP/2 infrastructure, and hacking humans using AI as a service.
- By the way, Microsoft won the worst of the Pwnies.
- The Register’s Iain Thompson picks his top Black Hat Las Vegas stories and moments.
Tool of the week.
- TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs).
- ENISA, the European Union’s agency for cybersecurity, has new data on supply chain attacks. It’s not good.
- GitLab’s Package Hunter is a tool for detecting malicious code in your dependencies.
- Twilio’s Laxman Eppalagudem explains what the company did to solve dependency confusion in its code output.
- The all-important Project Sigstore has a nifty new website.
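To make the dependency-confusion item above concrete, here is an added example (mine, not Twilio's code or their published fix) that models pip's index semantics: with index-url plus extra-index-url, pip gathers candidates from every configured index and installs the highest version it finds, so a public package squatting on an internal name with a bigger version number wins. The two index snapshots, package names and URLs are constructed; the weak pip.conf sits beside a hardened one that points only at the private index.

```python
"""Dependency confusion shown on pip's multi-index resolution.

Added example, not Twilio's code. Index contents, package names and URLs are constructed.
"""
import configparser

PUBLIC_URL = "https://pypi.org/simple"
PRIVATE_URL = "https://pypi.internal.example/simple"   # constructed private index

# Constructed index snapshots: package name -> versions each index can serve.
PRIVATE_INDEX = {"acme-billing-core": ["1.4.0", "1.4.1"], "requests": ["2.25.1"]}
PUBLIC_INDEX = {"acme-billing-core": ["99.0.0"],          # attacker-registered squat
                "requests": ["2.25.1", "2.26.0"]}
INDEX_CONTENT = {PUBLIC_URL: PUBLIC_INDEX, PRIVATE_URL: PRIVATE_INDEX}

# Weak setting: the private index is merely an *extra* index, so pypi.org is consulted too.
WEAK_PIP_CONF = f"""\
[global]
index-url = {PUBLIC_URL}
extra-index-url = {PRIVATE_URL}
"""
# Hardened setting: the private index is the only index; it proxies public names itself
# and refuses to proxy the internal namespace.
HARDENED_PIP_CONF = f"""\
[global]
index-url = {PRIVATE_URL}
"""


def parse_pip_conf(text: str) -> list:
    """Return the ordered list of index URLs pip would consult for this pip.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    g = cp["global"]
    indexes = [g.get("index-url", PUBLIC_URL)]
    indexes += g.get("extra-index-url", "").split()
    return indexes


def vkey(version: str) -> tuple:
    """Sort key for simple dotted versions (constructed data uses only X.Y.Z)."""
    return tuple(int(p) for p in version.split("."))


def resolve(name: str, indexes: list) -> tuple:
    """Mimic pip: merge candidates from every index and pick the highest version."""
    candidates = [(vkey(v), v, url)
                  for url in indexes
                  for v in INDEX_CONTENT.get(url, {}).get(name, [])]
    if not candidates:
        raise LookupError(f"no index serves {name}")
    _, version, source = max(candidates, key=lambda c: c[0])
    return version, source


def audit(conf_text: str, internal_packages: list, private_url: str) -> dict:
    """Internal packages that conf_text would install from somewhere other than private_url."""
    indexes = parse_pip_conf(conf_text)
    shadowed = {}
    for name in internal_packages:
        version, source = resolve(name, indexes)
        if source != private_url:
            shadowed[name] = (version, source)
    return shadowed


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(label, audit(conf, ["acme-billing-core"], PRIVATE_URL))
```

The audit flags the weak configuration because acme-billing-core 99.0.0 from pypi.org outranks the internal 1.4.1; under the hardened configuration the private index is the only source, so the squat is never seen. Pinning internal packages with --hash in requirements files closes the remaining gap, since a substituted artifact fails the hash check even if an index is misconfigured.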
Tangentially. The list of vulnerabilities or design flaws Microsoft does not intend to fix includes a trio of PrintNightmare security defects.
* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.