Friday Five 8/6
An increase in supply chain attacks, RDP brute force attacks explained, and a hacked hotel room - catch up on the infosec news of the week with the Friday Five!
1. Four-fold increase in software supply chain attacks predicted in 2021 by Jessica Haworth
Software supply chain attacks have commanded headlines for years, but especially in the wake of last winter’s SolarWinds revelation. In case you missed it, Matt Tait, affectionately known as @Pwnallthethings on Twitter, devoted his entire Black Hat keynote to supply chain integrity on Wednesday. Things are going to get worse before they get better, a new report issued this week by ENISA, the European Union Agency for Cybersecurity, suggests. The report, “Threat Landscape for Supply Chain Attacks,” looked at 24 supply chain incidents over the past year and a half and suggests that this year will see nearly four times as many attacks as last year. For those interested, the report also provides tips on how customers can better manage supply chain security risk and their relationships with suppliers.
2. RDP brute force attacks explained by Mark Stockley
Not necessarily news, but a helpful explainer blog post here courtesy of Malwarebytes on how RDP (Remote Desktop Protocol) brute force attacks work. Mark Stockley, the blog’s editor, gives you a quick crash course on what RDP is, why it can be useful, and how bad actors have exploited it to spread ransomware. More importantly, the blog also gives you some tips on how to prevent RDP attacks, namely turning RDP off if you don’t need it. As with many things secured by passwords these days, a robust password or multi-factor authentication can limit brute force attacks as well.
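An added example of the detection side of this (it is not code from the Malwarebytes post): flag a source address that racks up failed RDP logons (Windows Event ID 4625 with LogonType 10) inside a short window, and escalate when a successful logon from the same source follows the burst. The event records and the CSV-like shape they are in are constructed for the example, not real log data.

```python
"""Flag RDP brute force in Windows Security events (constructed sample data):
Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like exported Security events (not real log data):
# timestamp,event_id,logon_type,source_ip,account
SAMPLE_EVENTS = """\
2021-08-05T02:14:01,4625,10,203.0.113.7,administrator
2021-08-05T02:14:02,4625,10,203.0.113.7,admin
2021-08-05T02:14:03,4625,10,203.0.113.7,backup
2021-08-05T02:14:04,4625,10,203.0.113.7,sqlsvc
2021-08-05T02:14:05,4625,10,203.0.113.7,helpdesk
2021-08-05T02:14:09,4624,10,203.0.113.7,helpdesk
2021-08-05T02:20:00,4625,10,198.51.100.22,jsmith
2021-08-05T02:31:00,4625,10,198.51.100.22,jsmith
2021-08-05T02:31:30,4624,2,198.51.100.22,jsmith
"""

def parse_events(text):
    rows = (line.split(",") for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "id": int(eid), "logon_type": int(lt),
             "ip": ip, "account": acct} for ts, eid, lt, ip, acct in rows]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: verdict} for sources with `threshold` RDP failures
    inside `window`; the verdict becomes 'brute-force-then-success' when a 4624
    from that source lands within the window after the burst began."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # console/network logons are out of scope here
        if ev["id"] == 4625:
            failures[ev["ip"]].append(ev["ts"])
        elif ev["id"] == 4624:
            successes[ev["ip"]].append(ev["ts"])
    verdicts = {}
    for ip, times in failures.items():
        for i in range(len(times) - threshold + 1):
            start, end = times[i], times[i + threshold - 1]
            if end - start <= window:  # burst: N failures within the window
                verdicts[ip] = "brute-force"
                if any(end <= s <= start + window for s in successes[ip]):
                    verdicts[ip] = "brute-force-then-success"
                break
    return verdicts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

The slow, spread-out failures from the second source stay below the threshold, which is exactly why disabling unneeded RDP and requiring MFA matter more than any single alert rule.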
3. NYU researchers speak out after Facebook disables their accounts by Issie Lapowsky
In case you missed some of the outrage on Twitter this week, Protocol’s Issie Lapowsky recaps how Facebook on Tuesday suspended some Facebook accounts belonging to a handful of NYU researchers, members of the Ad Observatory Project, who were using the social media site to better understand how the site handles disinformation. This was almost inevitable. Facebook sought to cut off access for the researchers last year, insisting their project violated its terms of service, specifically a provision that prohibits bulk data collection. Facebook went on the defensive Tuesday, reiterating that Ad Observatory’s actions were essentially scraping its website and that the researchers knowingly violated its terms of service. Facebook of course has had to rein in how outsiders access user data following 2018's Cambridge Analytica scandal, but the thing here is that NYU wasn't gathering information on users; it was parsing advertiser data, data that companies have already consented to be made public. More to come on this, we’re sure.
4. Watch a Hacker Hijack a Capsule Hotel’s Lights, Fans, and Beds by Andy Greenberg
Quick dispatch from Black Hat, at least from afar, here via Andy Greenberg in Wired on a series of vulnerabilities in Internet of Things systems found in a capsule hotel. While the details are scant (the hacker who uncovered the vulnerabilities wouldn't give his real name nor the name of the hotel), the bugs, along with the video featured, certainly seem legitimate. Using an iPod Touch given to the hotel's guests, the hacker, Kyasupā, says he was able to hijack the hotel system's lights, ventilation and even the beds in rooms. All Kyasupā had to do was crack the outdated encryption on the hotel’s router, something that was easy because it used WEP, a woefully weak security algorithm first used in 1997.
5. Pegasus Spyware: How It Works and What It Collects by Kim Zetter
A fantastic explainer, especially in the wake of the work of the Pegasus Project, on the Pegasus spyware via Kim Zetter. In her Substack this week, she breaks down what exactly Pegasus is, what its capabilities are, how it infects mobile phones, and whether or not it can be detected on phones. The answer to the latter appears to be mostly no. “Detecting [Pegasus] is almost impossible,” Zetter quotes the company’s marketing brochure as saying. “The Pegasus agent is installed at the kernel level of the device, well concealed and is untraceable by antivirus and antispy software.” Speaking of Pegasus and the commodification of surveillance, also worth reading is a Claudio Guarnieri newsletter she flags. Guarnieri says he hopes the Pegasus Project is a wake-up call, "not only to how destructive the surveillance industry has become, but to how inadequate available protections are."