First officer's log - week 2

Exploring cyberspace is filled with perils and rewards. Here's the latest entry from our first officer.

Mike Parkin | May 30, 2022

First Officer’s log, Terrestrial date, 20220630. Officer of the Deck reporting. The mission continues, with our patrol in this sector encountering roughly the expected level of hostile forces. Fortunately, our hostile encounters were balanced by some interesting news from Fleet Command. 

Man Zooms into the middle 

What happened 

Multiple bugs, four of which are specific to Zoom and one affecting the Expat library, came to light that let an attacker initiate a man-in-the-middle attack against anyone in a Zoom call with them, without requiring any action on the target’s part. 

Why it matters 

Ever since the pandemic pushed us into a work-from-home or hybrid work model, Zoom has become ubiquitous. It is the go-to platform for many people and has almost become synonymous with video conferencing, as Xerox became synonymous with photocopying. 

While the attacker needs to be on the call with their target, that’s not much of an impediment considering how many open Zoom meetings happen that don’t restrict their attendance. Fortunately, Zoom has corrected these issues. 

What they said

It didn’t take long before others turned on their mics.

See what they had to say here.

Good deeds can go unpunished 

What happened 

The US Department of Justice has announced that they will no longer use the Computer Fraud and Abuse Act (CFAA) to prosecute security researchers acting in good faith. 

Why it matters 

The CFAA put legitimate security researchers in a situation where “no good deed goes unpunished”: they could face fines, or even jail time, simply for finding and reporting vulnerabilities. While it is a policy shift rather than a change to the law, and can be undone by future administrations or ignored by local prosecutors, it should be seen as a step in the right direction for honest security research. 

What they said  

It’s safe to say that the news has been welcomed. Check out the response.

And then it happened again 

What happened 

QNAP reported an attack against some of their QTS and TS series devices using the Deadbolt ransomware. Unfortunately, QNAP has already suffered several attacks and vulnerability exposures this year. 

Why it matters 

This really highlights why it’s an industry best practice to keep NAS (Network Attached Storage) devices isolated from the public internet. In fact, it’s best practice to keep access to anything that doesn’t absolutely need to be exposed strictly controlled. The less exposure, the better. And, of course, apply security patches as soon as practical to help minimize the risk where you are exposed.  
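The exposure check implied by the paragraph above, as an added example that is not part of the original post or any QNAP tooling: a small Python audit that reads a set of router port-forwarding rules and flags every rule that lets traffic from outside your internal ranges reach the NAS. The rule format, the sample rules, the NAS address 192.168.1.20 and the VPN range 10.8.0.0/24 are all constructed for the example; a real router exports something else, so the parser is the part you would adapt.

```python
"""Flag port-forwarding rules that expose a NAS to the public internet.

Added example, not code from the original post. The rule syntax below is
constructed and vendor-neutral:  <name> <src_cidr> -> <dst_ip>:<port>/<proto>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample export: two NAS services open to the whole internet,
# one limited to the LAN, one limited to a (hypothetical) VPN range, plus
# an unrelated printer rule so the host filter has something to skip.
SAMPLE_RULES = """\
# name         source          ->  destination:port/proto
nas-web        0.0.0.0/0       ->  192.168.1.20:8080/tcp
nas-https      0.0.0.0/0       ->  192.168.1.20:443/tcp
nas-smb        192.168.1.0/24  ->  192.168.1.20:445/tcp
nas-ssh        10.8.0.0/24     ->  192.168.1.20:22/tcp
printer-ipp    0.0.0.0/0       ->  192.168.1.30:631/tcp
"""

# RFC 1918 space plus loopback; anything not fully inside one of these
# (or inside a caller-supplied trusted range) is treated as "the internet".
INTERNAL_DEFAULTS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)/(tcp|udp)$")


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    port: int
    proto: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule format; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        name, src, dst, port, proto = m.groups()
        rules.append(Rule(name, ipaddress.IPv4Network(src, strict=False),
                          ipaddress.IPv4Address(dst), int(port), proto))
    return rules


def is_internal_source(src: ipaddress.IPv4Network,
                       trusted: Iterable[str] = ()) -> bool:
    """True only if the whole source range sits inside an internal/trusted network.
    0.0.0.0/0 is never a subnet of an internal range, so it is always flagged."""
    nets = [ipaddress.IPv4Network(n) for n in (*INTERNAL_DEFAULTS, *trusted)]
    return any(src.subnet_of(n) for n in nets)


def find_exposed(rules: List[Rule],
                 protected_hosts: Optional[Set[str]] = None,
                 trusted: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (rule name, destination, source) for each rule that exposes a
    protected host to a non-internal source. With protected_hosts=None every
    destination is audited."""
    findings = []
    for r in rules:
        if protected_hosts is not None and str(r.dst) not in protected_hosts:
            continue
        if not is_internal_source(r.src, trusted):
            findings.append((r.name, f"{r.dst}:{r.port}/{r.proto}", str(r.src)))
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name, dst, src in find_exposed(rules, protected_hosts={"192.168.1.20"}):
        print(f"EXPOSED  {name:<12} {dst:<22} reachable from {src}")
```

Run as a script, it reports the two NAS rules open to 0.0.0.0/0 and stays quiet about the LAN-only and VPN-only rules. The fix on the router side is the same in every case: either drop the forward entirely or restrict its source to the LAN or a VPN range, and keep patching the device for the day something does get exposed.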

What they said  

This got plenty of coverage. Read here.

We can trust the NSA, right? 

What happened 

The NSA (National Security Agency) has some of the finest mathematicians and cryptographers in the world. Full stop. They are also involved in developing some of the cryptographic algorithms the internet depends on, day in and day out. 

While NIST (National Institute of Standards and Technology) is holding competitions to develop new standards for quantum-resistant encryption algorithms, the NSA has promised that it will not try to place any back doors into the new standards. 

Why it matters 

It’s fair to say that encryption is deeply ingrained in the modern internet, used for everything from VPNs and simple web browsing, to securing commerce and financial transactions. Quantum computing threatens to turn that on its head, and the NSA does have the skills and resources to help keep that from happening.  

However, there are long-standing and well-founded rumors of the NSA embedding back doors into encryption applications, operating systems, and hardware, and of modifying algorithms to make them easier for the agency to crack. As a national organization dedicated to making and breaking codes, it’s easy to understand why people might question how sincere the promise is. 

What they said 

There’s been some healthy skepticism around what the NSA will and won’t do. Read more.
