Security Scene: April 2022 Edition
By Adair Thaxton - Internet2 Cyberinfrastructure Security Engineer
Security Scene is a monthly roundup of cybersecurity news highlights compiled by Internet2 Cyberinfrastructure Security Engineer Adair Thaxton. Adair connects recent headlines to security best practices, through the lens of the research and education community and our broader digital society. Plus, she’s got jokes!
OpenSSH has released version 9.0 (changelog), whose key exchange has been updated to use both NTRU Prime, a form of lattice-based cryptography, and X25519, a 128-bit elliptic-curve function. An attacker would need to break both in order to compute the shared key. I’m not a cryptography person, but I understand a handful of those words, and this seems like important work! They’re also changing “scp” from using SCP / RCP to using SFTP. Hopefully, this is fairly transparent for us and researchers in our community.
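To check whether sessions actually negotiate the new combined key exchange, here is an added example (not from this roundup or the OpenSSH project) that reads captured `ssh -v` output and flags hosts that fell back to a classical-only exchange. The algorithm name is taken from OpenSSH's 9.0 release notes rather than from this page, and the host names and log lines are constructed.

```python
import re

# Hybrid key exchange that OpenSSH 9.0 made the default (name from the
# OpenSSH release notes; it does not appear on this page).
HYBRID_KEX = {"sntrup761x25519-sha512@openssh.com"}

CONNECT_RE = re.compile(r"^debug1: Connecting to (\S+) ")
# Anchored so "kex: host key algorithm:" lines are not mistaken for the KEX.
KEX_RE = re.compile(r"^debug1: kex: algorithm: (\S+)")

def negotiated_kex(debug_log):
    """Map each host in captured `ssh -v` output to its negotiated KEX."""
    results, host = {}, None
    for line in debug_log.splitlines():
        line = line.strip()
        m = CONNECT_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = None  # connection seen, KEX not negotiated yet
            continue
        m = KEX_RE.match(line)
        if m and host is not None:
            results[host] = m.group(1)
    return results

def classify(results):
    """Label each host 'hybrid', 'classical-only', or 'no-kex' (failed early)."""
    report = {}
    for host, kex in results.items():
        if kex is None:
            report[host] = "no-kex"
        elif kex in HYBRID_KEX:
            report[host] = "hybrid"
        else:
            report[host] = "classical-only"
    return report

# Constructed sample: concatenated `ssh -v` stderr from three hypothetical hosts.
SAMPLE_LOG = """\
debug1: Connecting to dtn1.example.edu [192.0.2.10] port 22.
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: Connecting to legacy.example.edu [192.0.2.20] port 22.
debug1: kex: algorithm: curve25519-sha256
debug1: Connecting to down.example.edu [192.0.2.30] port 22.
debug1: connect to address 192.0.2.30 port 22: Connection refused
"""

if __name__ == "__main__":
    for host, status in classify(negotiated_kex(SAMPLE_LOG)).items():
        print(f"{host}: {status}")
```

Hosts reported as `classical-only` are typically running a server older than the hybrid method or one with a restricted `KexAlgorithms` setting.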
Dark Reading has two stories (one, two) about responding positively to cybersecurity oopses to cast the security team as allies instead of adversaries. They’re not advocating doing away with security training, just making it less drudgery and more fun. In large organizations (as many of you are!), that can be rather difficult, but perhaps the security team can work with one large department a month to come up with scenarios more realistic to their work, and have customized reward stickers for those who do well! I’ve said before that I’m a fan of the UK’s Cyber Games – they’re well done and fairly brief.
One of the submarine communications cables in Oahu had been subject to a remote access breach, which was recently disrupted by the Department of Homeland Security. There’s no indication of how long the breach was active, but agents were able to stop it before any damage was done. A related article notes there are eight submarine cables going from Hawaii to Asia, so path diversity could be used to route around a compromised fiber. Finally, the Council on Foreign Relations notes that as the number of undersea cables and the complexity of their management increase, the attractiveness of surreptitious access to these systems is becoming a national security concern.
Things that should not be new to our community? The ongoing threat of Advanced Persistent Teenagers! Teenagers are thought to be behind the LAPSUS$ hacks. They don’t need a lot of money, they try personal emails and phones instead of just company contact info, and they’re not above a little bribery. The 2020 hack of Twitter was accomplished by a teenager, after all! Darn kids …