Azure, BitBucket, GitHub, and GitLab revoke SSH Keys After GitKraken Vulnerability
Git client GitKraken disclosed an SSH key generation flaw in a post this past Monday. The flaw was present in versions 7.6.x, 7.7.x, and 8.0.0, released between mid-May and late June this year. GitKraken uses the keypair library to generate the SSH keys that connect code repositories to the GitKraken app. The generated public SSH keys were weaker than expected and could be vulnerable to key duplication. GitKraken published version 8.0.1 to rectify the issue, and major code hosting platforms such as Azure and GitLab mass-revoked the affected keys out of an abundance of caution. The keypair library was updated as well.
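The revocations above were driven by the risk of duplicate keys. As an added example (not GitKraken's, keypair's, or any hosting platform's own tooling), the script below fingerprints every key in an authorized_keys-style listing and flags duplicate fingerprints and short RSA moduli. The key lines are constructed in code; the moduli are synthetic values with the right bit length, not real RSA moduli.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: two's-complement big-endian, with a leading 0x00 if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble an 'ssh-rsa <base64 blob> <comment>' line (used here only to construct samples)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_pubkey_line(line: str) -> dict:
    """Return key type, OpenSSH-style SHA256 fingerprint, comment, and RSA modulus size."""
    key_type, b64, *rest = line.split()
    blob = base64.b64decode(b64)
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": key_type, "fingerprint": "SHA256:" + fp, "comment": " ".join(rest), "bits": None}
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, 0)       # algorithm name
        _, off = _read_string(blob, off)     # public exponent e
        n_bytes, _ = _read_string(blob, off)  # modulus n
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def audit_keys(lines, min_rsa_bits: int = 2048):
    """Flag keys whose fingerprint was already seen and RSA keys below min_rsa_bits."""
    seen, findings = {}, []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_pubkey_line(line)
        fp = info["fingerprint"]
        if fp in seen:
            findings.append((fp, f"duplicate of {seen[fp]}", info["comment"]))
        else:
            seen[fp] = info["comment"]
        if info["bits"] is not None and info["bits"] < min_rsa_bits:
            findings.append((fp, f"rsa key only {info['bits']} bits", info["comment"]))
    return findings


# Constructed sample listing: two identical 2048-bit keys under different comments, one 1024-bit key.
SAMPLE_AUTHORIZED_KEYS = [
    build_rsa_pubkey_line(65537, (1 << 2047) | 1, "alice@laptop"),
    build_rsa_pubkey_line(65537, (1 << 2047) | 1, "bob@desktop"),
    build_rsa_pubkey_line(65537, (1 << 1023) | 1, "legacy@ci"),
]

if __name__ == "__main__":
    for fp, reason, comment in audit_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{fp}  {comment}: {reason}")
```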
Missouri Governor Confuses Public Facing HTML with Hacking
A journalist from the St. Louis Post-Dispatch newspaper followed the standard responsible disclosure procedure for data breaches. They notified the Missouri state Department of Elementary and Secondary Education about the public-facing exposure of SSNs. The Post-Dispatch then reported on the issue only AFTER the department's website administrators had fixed it. More can be read about this in Trevor Collins's Secplicity post.
EU’s Proposed Change to Domain Registrant Anonymity
The European Union is in the process of updating the EU Network and Information Security (NIS) directive for the European Union Agency for Cybersecurity (ENISA). The overhaul from NIS1 to NIS2 involves a collection of amendments to address how the security environment has changed since the first directive was adopted in 2016. Among those in the draft is Amendment 17, which aims to increase transparency for registered domains. Domain registrars would be required to collect multiple details on the registrant that could then be used to verify their identity. Current requirements are minimal: only a name and address, with no verification. The ease with which someone can avoid accountability through the anonymity of lax registrant requirements has been linked to (though not held wholly responsible for) the proliferation of short-term malicious domains. There are counterarguments to the changes, as they may stymie freedom of speech for those who require anonymity.
Microsoft Publishes their annual Microsoft Digital Defense Report (MDDR)
The report digs into the growing popularity of Ransomware-as-a-Service (RaaS). As the ransomware business model continues to mature, so must the efforts to counter it. Unsurprisingly, phishing attacks are still going strong, and Microsoft has seen an increase since June 2020. Additional details have been summarized here, and for those looking to get into the details, the full 134-page report can be found here.
Federal Agencies will Require Sufficient Endpoint Detection and Response
Federal agencies will be required to deploy sufficient Endpoint Detection and Response (EDR) solutions. In a memo issued by Shalanda Young, Director of the Office of Management and Budget (OMB), agencies are required to coordinate with the OMB and the Cybersecurity and Infrastructure Security Agency (CISA). The EDR data will feed into CISA to expand its visibility across agencies. Any agency lacking an EDR implementation will work with CISA to meet deployment guidelines.