The Good, the Bad and the Ugly in Cybersecurity – Week 32

The Good

Cybersecurity is a team sport and requires collaboration between different parties. But for government and federal entities, playing with civilians and, especially, white-hat hackers, has always been challenging. Historically, security researchers that have found bugs in government and federal systems found it difficult to report these out of fear (breaking into federal systems is a serious offense) or simply because there lacked a proper vulnerability reporting mechanism.

This is why initiatives to facilitate collaboration are very much welcome. CISA has launched a vulnerability disclosure platform (VDP) in conjunction with Bugcrowd and EnDyna. The platform enables researchers to submit bugs related to numerous agencies, including the DHS, the Department of Agriculture and nine others, with ease.

Source: Twitter

Across the pond, the UK NCSC invited 26 security researchers to participate in a Bug Bounty program (in collaboration with US company HackerOne). The 30-day challenge is aimed at identifying and fixing vulnerabilities in cyber systems to strengthen security and to ensure better resilience. Christine Maxwell, Ministry of Defence Chief Information Security Officer said: “The MOD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process”.

The Bad

The Senate Committee on Homeland Security and Governmental Affairs has released a report named “Federal Cybersecurity: America’s Data Still at Risk”. The report follows a previous study released two years ago reviewing the state of cybersecurity at eight federal agencies. While all would have expected to see some improvement, the grades included in the report show otherwise, with four agencies earning a meagre “D”, three receiving a “C” and one a “B”. The report stated that it was “clear that the data entrusted to these eight key agencies remains at risk”, citing reasons such as operating without the required authorizations, using outdated (and sometime End of-Life) software, and failing to install security patches in a timely manner.

Source: CISA

Other issues included lack of proper inventory, access management records, numerous “Shadow IT devices”, serious vulnerabilities in public facing websites, and what is probably the worst finding of all, that seven of the eight agencies examined failed to secure PII properly. The Inspector General was able to extract hundreds of sensitive PII records from the Department of Education, including 200 credit card numbers, without the agency’s system identifying or blocking the attempt.

The report concluded that “it finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data”. Senator Rob Portman from Ohio said the report showed:

“a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers”.

The Ugly

Italy has fully vaccinated more than 60% of its eligible population, but it is facing a steady rise in cases and hospital admissions driven due to the Delta variant. In response, the Italian government has decided to double down on vaccinating the remaining population and is limiting access to activities such as indoor dining. However, just as these measures went into effect last Friday, Italy’s Lazio region, which includes the capital Rome, has suffered a ransomware attack. The attack affected the regions’ IT systems, including a public health website designated for scheduling Covid-19 vaccinations.

The website was offline from last weekend until this Thursday, resulting in delays for administering the vaccination.

Lazio Governor Nicola Zingaretti called it a “terrorist attack” and regional health councillor Alessio D’Amato said it was most serious cyberattack ever carried out on an Italian public administration. Italian news agency ANSA reported that the FBI and Europol were assisting in the investigation.

Source: BleepingComputer

It is yet unclear which ransomware operation was behind the attack. Some sources identified it as RansomEXX, while local security researcher JAMESWT claimed it was Conti. At the time of writing, it does not appear that the attackers have stolen any personal information or medical records.