Brad Smith recounts early days of the SolarWinds attack

In an excerpt from an upcoming book, Microsoft President Brad Smith reveals details about how the company acted during the initial discovery of the SolarWinds supply chain attack. Smith first became aware of the attack on November 30th from cybersecurity VP Tom Burt, who had been approached by FireEye to help it investigate its recent breach. Smith called the attack a “moment of reckoning” about the need to manage increasingly pervasive technology. Microsoft mobilized over 500 employees to respond and analyze the attack, convened nightly meetings with CEO Satya Nadella, and coordinated with SolarWinds and FireEye. What stood out to Smith was the scale of the attack and the patience of the threat actors, who methodically worked through third parties to get to ultimate targets within US government agencies. 

(Fast Company)

Internet Explorer zero-days are still something to worry about

Microsoft’s security team warned of an actively exploited zero-day that impacts IE’s Trident browser engine. While IE has largely been deprecated, the engine is still used to render web-hosted content in Office documents. Attackers are using specially crafted Microsoft Office documents targeting Trident with a malicious ActiveX control. Specifics of the attack and the impacted victims haven’t been released. A fix is expected next week as part of Patch Tuesday, and Microsoft recommends disabling ActiveX rendering to prevent the exploit.

(The Record)

German police bought NSO Pegasus spyware

The German public broadcaster DW’s sources say the German federal government informed the Interior Committee of the Bundestag of the purchase in a closed-door session. The version bought by police reportedly had some functions blocked to prevent abuse, although it’s unclear how these limitations impacted its use. Pegasus was acquired by the police in late 2020, and has been used in select operations concerning terrorism and organized crime since March. German police began negotiations for NSO Group’s spyware back in 2017, having previously utilized their own in-house surveillance software, which was increasingly outdated.

(DW)

FCC chair vacant 8 months into the Biden administration

In a recent piece for the Washington Post, Cristiano Lima points out that President Biden has yet to nominate new leadership for key federal telecommunications organizations like the FCC and the Commerce Department’s National Telecommunications and Information Administration, or NTIA. This is the longest time to name a leader for the NTIA since the agency was founded in 1978, and the longest time to name a new FCC chair since the Carter administration. Though both have acting chiefs, experts say they aren’t empowered to pursue long-term policies, like reinstating net neutrality, given their interim positions. Not naming a fifth FCC commissioner has led to particular gridlock, with more controversial decisions locked in a 2-2 partisan split. There is also concern the delay will bog down disbursement of funds for broadband expansion from the upcoming infrastructure bill.

(WaPo)

OpenSSL hits version 3.0

The new release was three years in the making after the release of version 1.1.1, requiring 17 alpha releases, two beta releases, and more than 7,500 commits. The developers warn that OpenSSL 3.0 isn’t fully backwards compatible, although most apps will simply need a recompilation to use it. One major addition is a new Federal Information Processing Standards module, expected to be fully validated by 2022. It also includes a “Provider” concept, where different cryptographic algorithm implementations can be made available, with five included in the release. The release also almost doubles the available documentation for OpenSSL, hopefully making the rollout a bit easier on the backend.

(The Register)

Twitter tests out a soft block

This feature is in testing on Twitter’s web app, letting users remove followers without blocking them. Your content will disappear from feeds without the removed follower receiving a notification. Previously, users could either report a follower for violating Twitter’s community guidelines, or block them. Both actions would notify the impacted party. The soft block feature is aimed at curbing harassment and retaliation for blocking while still removing content from their feeds.

(The Verge)

Howard University hit with ransomware

The university suspended online and hybrid classes for a second consecutive day this week, after a ransomware attack was detected on September 3rd. In-person classes resumed on September 8th after a one-day disruption. The school shut down its campus network to guard against the attack, and is looking to set up alternative Wi-Fi service on campus. Though the investigation is in its early stages, the university says there is no evidence any personal information was accessed or stolen in the attack. It’s unknown what ransomware organization is behind the attack, or what demands they made of the university.

(Gizmodo)

National committee to advise Biden on AI

This National Artificial Intelligence Advisory Committee, or NAIAC, will be formed by the Commerce Department, National AI Initiative Office and White House Office of Science and Technology Policy, designed to provide the President with guidance on AI competitiveness, viability, and scientific progress. This body will also address ethical issues like workforce equity and algorithmic bias. Members will come from across academia, the private sector, non-profits and federal labs. This will follow up on previous government AI initiatives, like the National Security Commission on Artificial Intelligence, which urged officials to treat AI as a major concern. It’s unclear how the committee will sway recent efforts to ban things like facial recognition technology in government. 

(Engadget)