At a glance.
- Notes on the ransomware summit.
- Japan's policy on cybersecurity develops with a view to Chinese threats.
- US guidance on cryptocurrency controls and sanctions.
- Huawei spinoff's position in the US.
- US Government moves toward new modes of multi-factor authentication.
- Comment on the US Joint Advisory on threats to water and wastewater treatment facilities.
Highlights from global ransomware summit.
As we noted last week, approximately thirty countries including the UK, Australia, India, Japan, France, Germany, South Korea, the European Union, Israel, Kenya, and Mexico, gathered at an international virtual summit hosted by the White House to discuss global strategies for fighting ransomware. Security Week offers some of the major takeaways from the meeting. The nations have vowed to collaborate on law enforcement operations to take down attackers and to cooperate in fighting the illicit financial transactions linked to such attacks. It’s worth noting that Russia was conspicuously left off the guest list, not a surprise given that the majority of ransomware attacks targeting the US have been connected to Russian-speaking threat groups, but US officials say they’re communicating with Russia separately.
Japan to establish a new ministry to fight Chinese cybersecurity threats.
As one of his first actions in the role, Japan’s new Prime Minister Kishida Fumio has announced the institution of a new minister to fight cyber threats from China, Japan’s largest trading partner and greatest geopolitical adversary. The Diplomat discusses the two nations’ complicated relationship: threat groups linked to China’s military and intelligence agencies have allegedly been behind several espionage attacks on Japanese entities, compromised code has been found embedded in technology originating from Chinese supply chains, and Chinese nationals working or studying in Japan with access to sensitive data can also pose a threat to national security. The new minister is the latest step in Japan’s evolving cybersecurity posture, responsibility for which is shared by various government bodies including the Ministry of Defense, Ministry of Foreign Affairs, and National Police Agency, coordinated by the National Center of Incident Readiness and Strategy for Cybersecurity.
OFAC guidance on cryptocurrency.
The US Office of Foreign Assets Control (OFAC), an arm of the Department of the Treasury responsible for economic sanctions against targeted foreign entities seen as a threat to national security goals, has released guidance on sanctions compliance for transactions involving “virtual” currency, or cryptocurrency. The guidance offers advice for businesses on evaluating sanctions-related risk and creating a sanctions compliance program based on those risks. There’s also guidance on preventing sanctions violations and thwarting abuse of virtual currencies by threat actors.
US senators ask White House to add Huawei spinoff Honor to its proscribed list.
CRN Australia reports that a group of Republican US senators has asked the Biden administration to blacklist Honor, a spinoff of the controversial Chinese telecom leader Huawei, asserting the firm poses a threat to national security. In a letter sent to the White House, Senator Marco Rubio says that Honor, which he described as basically an "arm" of the Chinese government, has “effectively dodged a critical American export control" by gaining unlimited access to the US technology recently denied to Huawei when it was blacklisted by the Trump administration in 2019.
US Federal Government to phase out SMS and app-based multi-factor authentication.
Vice reports that the US Office of Management and Budget intends to work toward weaning Federal agencies away from SMS and app-based multifactor authentication methods.
Roger Grimes, data-driven defense evangelist at KnowBe4, approves of the Government's move away from SMS-based authentication in particular:
“It's great that the US government is trying to reduce the use of SMS-based phishing. It's well known and long established that SMS-based MFA is among the weakest forms and easiest to hack MFA methods. The US government, in their Digital Identity Guidelines (NIST Special Publication 800-63), back in 2017, even discouraged the use of SMS-based MFA for protecting valuable systems and data. If you go to MFA from passwords, why use the weakest form of MFA possible? Sadly, SMS-based MFA is probably the most commonly used MFA method on the Internet, and most people who have to use it don't have a choice as to whether to use it. The vendor or site the customer is interacting with says, "Here, you must use this MFA!" and it just happens to be SMS-based MFA...because everyone has a phone, right? But it's very wrong to say that most of the MFA alternatives, including most of the hardware-based tokens, can't be phished. That's utter nonsense! Probably 80-90% of all MFA, including most hardware-based solutions, can easily be phished, simple as me sending what looks like a normal phishing email.
"If I, as an attacker, can trick you into clicking on the wrong link, it's game over, just like it is with passwords and SMS-based MFA. So, don't start jumping to conclusions that getting rid of SMS-based MFA and using hardware-based MFA is the answer. That's just setting yourself and others up for failure and disappointment. Every type of MFA can be hacked multiple ways. Pick an MFA method that is less susceptible to hacking...like FIDO2 (which is involved with the WebAuthn standard mentioned in the article below), but understand that there are and will always be ways to hack and bypass them. Pick a good solution that is less resistant to hacking and then educate everyone involved with your MFA project...senior management, sysadmins, the buyers, the implementers, the operators, and end-users, about the ways that the MFA method you selected to deploy can be hacked, and give education on how to avoid those types of attacks. You wouldn't send your end-users out there with passwords and not tell them how to prevent being attacked. But most MFA implementers don't give the same education and caution to their end-users and stakeholders, and that's just asking for trouble. You would be amazed how easy it is to hack or bypass most MFA solutions...and in the same vein be amazed how just a little education can go a very long way to preventing those hacks. You just have to do it."
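The distinction Grimes draws between SMS or app codes and FIDO2/WebAuthn comes down to one relying-party check. The following is an added illustration written for this digest; it is not code from Grimes, KnowBe4, NIST, or the Vice article. It models a relying party (hypothetical origin https://login.example.gov) verifying two second factors when the user has been lured to a lookalike page that forwards everything it receives to the real site. A one-time code is a bearer secret, so the relying party cannot tell where it was typed. A WebAuthn-style assertion carries the origin the user's browser was actually on inside the signed client data, so the same relay is rejected. The HMAC signature and the origins are simplifications and constructed values; real WebAuthn uses a per-credential asymmetric key and also binds the relying-party ID in the authenticator data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed, hypothetical origins for the relying party (RP) and a lookalike page.
RP_ORIGIN = "https://login.example.gov"
LOOKALIKE_ORIGIN = "https://login-example.gov.example.net"


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """SMS/app OTP check. The code is a bearer secret: the RP learns nothing about
    where the user typed it, so a code obtained through a relay still verifies."""
    return hmac.compare_digest(expected_code, submitted_code)


def make_assertion(device_key: bytes, challenge: str, origin: str) -> dict:
    """Simplified authenticator. The browser, not the page, supplies the origin it is
    connected to, and the authenticator signs over it. HMAC stands in for the real
    per-credential asymmetric signature to keep this example self-contained."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    signature = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(device_key: bytes, assertion: dict,
                     expected_challenge: str, expected_origin: str) -> bool:
    """RP-side checks in the order a WebAuthn verifier performs them: ceremony type,
    freshness (challenge), origin binding, then the signature over the client data."""
    try:
        data = json.loads(assertion["client_data"])
    except (KeyError, TypeError, ValueError):
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:
        return False  # assertion was produced for a different site: reject
    expected_sig = hmac.new(device_key, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion.get("signature", ""))


def relay_scenario() -> dict:
    """Models a user on a lookalike page that forwards what it sees to the real RP in
    real time. Returns which second factors the RP ends up accepting."""
    device_key = secrets.token_bytes(32)      # registered credential secret
    challenge = secrets.token_urlsafe(32)     # fresh per-login nonce issued by the RP
    otp_code = "483920"                       # constructed one-time code "sent by SMS"

    # Bearer OTP: the user types the code into the lookalike page, which forwards it.
    otp_relayed = verify_otp(otp_code, otp_code)

    # WebAuthn-style: the lookalike forwards the RP's challenge, but the user's browser
    # reports the origin it is really on, so the signed client data names the
    # lookalike and the RP's origin check fails.
    relayed_assertion = make_assertion(device_key, challenge, LOOKALIKE_ORIGIN)
    assertion_relayed = verify_assertion(device_key, relayed_assertion,
                                         challenge, RP_ORIGIN)

    # Control: the same credential used directly on the genuine origin verifies.
    genuine_assertion = make_assertion(device_key, challenge, RP_ORIGIN)
    assertion_direct = verify_assertion(device_key, genuine_assertion,
                                        challenge, RP_ORIGIN)

    return {
        "otp_accepted_after_relay": otp_relayed,
        "assertion_accepted_after_relay": assertion_relayed,
        "assertion_accepted_direct": assertion_direct,
    }


if __name__ == "__main__":
    for name, accepted in relay_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running it shows the OTP accepted after the relay and the assertion rejected, while the direct assertion still verifies. The origin check is what earns FIDO2 its "less susceptible" rating; it is not a general bypass shield, which is consistent with Grimes' point that the deployment, the session handling after login, and the people operating the system still need attention and training.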
Comment on the US Joint Advisory concerning threats to water and wastewater treatment.
Bill Lawrence, CISO of SecurityGate, wrote to express approval of the way in which Federal authorities warned of the threat to water and wastewater treatment facilities. He's gratified by, among other things, the public-private cooperation on display.
“It is heartening to see the FBI, CISA, EPA, and the NSA working together with the Water ISAC and Dragos to put this alert together. Adversaries are looking to use spearphishing (targeted phishing) and exploits against unpatched software or outdated firmware to execute these attacks. From a people, processes, and technology viewpoint, user training should have been the number one recommendation so as to recognize phishing attempts, thwart ransomware, or respond rapidly if it takes hold, rather than the last bullet in the ‘additional mitigations’ strategy and buried near the end. I had not heard of the Department of State’s Rewards for Justice (RFJ) program; reporting foreign government malicious activity against U.S. critical infrastructure could earn up to $10 million. That sounds so much better than recent legislation to penalize victims of ransomware for not reporting in a timely manner or when payouts are made.”