Review of SolarWinds Impact and Brief Technical Summary

An image of the sun exploiding.

General Details SolarWinds is a publicly traded company worth $5.4B dollars that developing IT infrastructure management software products for small and medium-sized enterprises. Two separate pieces of malware known as SUPERNOVA and SUNBURST worked against vulnerabilities in SolarWind’s product Orion. The malware known as SUNBURST potentially allows an attacker to compromise the server on which the Orion products run. The manner in which SUNBURST malware was used against its victims resulted in it being labelled a “supply chain attack,” a technique in which an adversary uses malware to disrupt a companies ability to produce or deliver it’s products to customers. Although the term “supply chain attack” a broad term without a universally agreed upon definition, theoretically, the intended target of a supply chain attack is not necessarily the company whose network was breached and disrupted. For example, if an attacker wanted to disrupt operations of a large retail target such…

Read more

Cyber-Security ETFs and Individual Stocks

Image of stocks rising

In a previous article the impact of cyber-breach on stock prices and the value of cyber-insurance to corporations was reviewed. Ransomware and IT breaches are increasing, and the expectation is that more companies will turn to cyber-insurance, and also increase their IT security controls. Here is a list of cyber-security listed ETFs and a list of all the companies included in those ETFs with duplicates removed, along with a company description. CIBR – First Trust Nasdaq Cybersecurity ETF Includes 40 individual stocks comprising $3.58 billion in assets Includes other industries, such as aerospace and defense (FactSet) Concentrated with 10 largest making up 47% of market cap Two stars rating by Morningstar HACK – ETFMG Prime Cyber Security ETF Includes 59 individual stocks comprising $2.04 billion in assets Modified equal-weight scheme (not concentrated) with 10 largest making up 28.5% of the market cap HACK has “a unique, cybersecurity-focused take on the…

Read more

Cyber-Security’s Impact on Corporate America

IT Security and Stocks

Tale of the Tape Hackers have kicked some big time ass against major American companies in the past 10 years. JP Morgan Chase, Capital One, Equifax, Uber, LinkedIn, eBay are just a few of the large corporate victims. Just in 2021 many corporate IT hacks have made the headlines with the Colonial Pipeline hack being the most recent. Well, that was, until JBS a major American meat processing plant revealed it had also been breached just days ago. Colonial Pipeline CEO confirmed the company paid $4.4 million ransom.  CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million after a ransomware attack. Information on whether Acer ended up paying the ransom for their breach in March 2021 seems hard to come by but, the initial ransom demand was $50 million and included a threat to increase the demand to $100 million. If Acer did…

Read more

The LockPicking Lawyer on Youtube is a highly skilled locker picking professional. His videos sure to amaze and are a wealth of knowledge to pentesters looking for physical penetration testing attacks. However, not all of his videos attack the keyway with a set of picks. His videos that use other technology to bypass locks and security devices tell a very interesting tale about the state of the art of technology. I have included some of his videos with a brief description, all of which demonstrate different aspects of lock bypassing. In the first video, you see a new device on the market which is specially designed to take images of the inside of a Kwikset Smartkey keyway. The product is from a company called LockTech LTKSD, and costs about $350 USD. The implication is that this could be used to quickly build a physical key that can work with a…

Read more

Privacy Protection From Big Brother (Google and Other Corporations) Google wants to know whether you change your underwear everyday. It’s that simple. They want to know everything about you. Part of your online security is not letting Google or others know everything about you. Why you may ask? Because they can sell that information to employers who want to conduct a background investigations, serve you targeted ads enticing you, and who knows what else.  While arguably this generates revenue to improve their products and services, it can also be considered an invasion of your privacy.  Individuals involved in activism, or other activities may have their physical security put be at risk (such as police informants). Your information being available online may be considered a high-risk. Geo Location Sniffing You may also notice some websites immediately requests to know your location when you visit them.  Well, the truth is that websites…

Read more

Everyone, their mom and dog has been confronted with Internet security. Everywhere in life; the mainstream media, workplace policies, and even casual social life includes news and warnings about cybersecurity. Facebook, Google, and Twitter are in the international news constantly being accused of privacy violations and of having a negative impact on younger people by changing their lifestyles to one of screen engagement. In addition to that, many people have had the personal experience of their online accounts or personal computer being hacked. On a national security level, just last week American oil pipeline company Colonial payed 4.4 million dollars to recover ransomed data. So, do we all need a deeper understanding of Internet / IT security? Yes. It’s is a big complicated field but also an important one for users to understand. So put your seat belt on and let’s do a deep dive into Internet security. What do…

Read more

Security Of The Alexa Top Sites

Introduction The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (WikiPedia). In order to gauge the security posture of the internet as a whole mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, HTTP response code, and MX records. The header information also includes cookies that are passed during an initial connection. This approach was used to examine security of the Alexa Top Websites in a research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption and inspect cookies and other header information. Specific HTTP Security Risks SSL/TLS Enforcement The Alexa Check database allows analysis of a particular website…

Read more

Chinese Intellectual Property Strategy

Chinese Intellectual Property Administration

Patenting Innovation Is National Power As the Center for Strategic and International Studies notes, innovation in an important factor in a nation maintaining global power. Patents secure the rights for companies and national economies to generate GDP by producing products that other countries will buy and import. So, patents are critical to securing income from innovation. However, patenting strategy, whether on the national or corporate level is also critical to directing resources efficiently and effectively. You can’t have a patenting strategy if you don’t analyze the landscape. China’s activity in global patenting is booming. Although it does not necessarily represent a drastic increase in novel innovation, it does signal desire to compete. Some have been very critical of the value of China’s Patenting… Center for Strategic and International Studies (CSIS) CNIPA National Patent Development Strategy explicitly equates patent generation with innovation and calls for government incentives to bolster the number…

Read more

How to mitigate against session hijacking attacks with HTTP Security Headers

Futuristic Graphic logo of two people eating a cookie.

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. … Our analysis of the Alexa-ranked top 1000 popular websites gives clear evidence that such risks are far from remote, as the HttpOnly and Secure flags appear as yet to be largely ignored by web developers. – CookiExt: Patching the Browser Against Session Hijacking, Journal of Computer Security (2015).   Summary of Session-hijacking attacks When you login into a website, the web-server creates a “session” to identify your identity by sending the client browser a session cookie. Cookies have functions other than sessions, but perhaps the most important use of cookies from a security perspective managing your “state” or “session-state”. This is because a single IP address may have many clients connecting to the server, so…

Read more

Safari Browser URL Spoof Vulnerability

cyber-criminal-graphic

Last week, Rafay blog wrote a short blog piece about the recently publicized browser URL spoofing vulnerability in Safari. To summarize, the browser bar is considered the only reliable security indicator to validate the authenticity of the website. Looking at the browser URL bar at the top of your browser, and checking that the domain contained in the URL matches the domain of the site you expect to be visiting. If it says “google.com” or “facebook.com” you should be able to reliably tell that you are on the correct website. However, in addition, all browsers include a symbol to show whether the SSL/TLS certificates have been properly validated to authenticate the identify of the server you are communicating with, as well as initialize an encrypted connection to protect your data as it transits the internet. Besides the recent publicized vulnerability in Safari, URL spoofing has been accomplished by attackers in…

Read more