This article is more than 1 year old

DEF CON offers beginner-level Spot the Fed this year: He'll be on stage giving a keynote

Plus: Microsoft responds to another NTLM relay attack technique, and more

In brief DEF CON's "Spot the Fed" game is going to be a little easier than usual this year: the head of the US government's Homeland Security is giving a keynote.

On Friday, the infosec conference organizers confirmed Alejandro Mayorkas will give a talk on Friday, August 6. The news has left some DEF CON veterans perturbed.

While it's not uncommon these days to have government folks at DEF CON, it's usually people with technical chops. Mayorkas is a lawyer who ran Uncle Sam's US Citizenship and Immigration Services under President Obama, and some speakers are mulling cancelling their talks.

DEF CON and Black Hat are hybrid conferences this year. While some people will be attending in person in Las Vegas, the bulk of the conference attendees will be done online as COVID-19 variants rip through some parts of America.

Microsoft has responded to the emergence of a technique dubbed PetitPotam that can be used to gain over-the-network unauthorized access to Windows servers typically in corporate environments, depending on their configuration. Redmond's answer to this is: WONTFIX. Administrators are instead urged to take all necessary steps to thwart NTLM relay attacks.

"PetitPotam is a classic NTLM relay attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers," the Windows giant said. We'll take a closer look at PetitPotam this week.

Another proposed cybersecurity law for America

The Republican-Democrat deadlock in Congress seems insurmountable at times, but there's one thing both sides may agree on – security.

On Thursday, Senators Mark Warner (D-VA) and Marco Rubio (R-FL), the chair and vice-chair of the Senate intelligence committee, respectively, introduced the Cyber Incident Notification Act of 2021 [PDF] that would require federal agencies, government contractors, and critical infrastructure owners and operators to notify the US Cybersecurity and Infrastructure Security Agency (CISA) of an attack within 24 hours.

The benefit for businesses is that "the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy," the senators said.

"After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action," added Glenn Gerstell, former NSA General Counsel.

"We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem."

More critical Adobe patches

It wouldn't be a normal month without some Adobe out-of-schedule emergency patches.

On Tuesday, Adobe After Effects for Windows and macOS got a fix for four critical flaws that can be exploited to achieve arbitrary malicious code execution. A Media Encoder patch also fixed critical code-execution flaws.

The Photoshop giant hasn't said that the flaws are under active attack in the wild, though the timing of the release, so soon after Patch Tuesday, suggests a level of urgency is needed in any case.

Formbook malware menaces macOS machines

Formbook, a keylogger and data exfiltrator that's one of the more common pieces of Windows malware, has been ported to Apple Macs.

The software nasty was sold on underground forums by a character known as ng-Coder in 2016, and its code became rather prevalent. ng-Coder went dark in 2018. Last October a very similar bit of malware, dubbed XLoader, appeared for sale seemingly from someone else, and even works on macOS. For $49, you can get a one-month trial of the malware. Is there a connection between XLoader and Formbook? Checkpoint says it's seen evidence.

"Apart from technical similarities, we found evidence of a connection between XLoader's seller and ng-Coder, namely a message from xloader to ng-Coder saying, 'Thank you for the help'," Checkpoint's Alexey Bukhteyev and Raman Ladutska said. "We cannot say for sure if the thanks were for a one-time helping hand or if it was for continuous support."

From what we can tell, it's up to whoever buys a copy of XLoader/Formbook to infect a victim's computer with the spyware; be wary of dodgy downloads and attachments, as usual.

Multi-factor auth not popular among Twitter users

Twitter this month released its latest transparency report, covering July 2020 through December 2020, and there is good and bad news.

On the one hand, the use of two-factor authentication to lock down accounts from thieves is up 9.1 per cent from the previous period. The bad news is that only 2.3 per cent of people on the social media platform are actually using it – Twitter has about 200 million daily "monetizable" users – and nearly 80 per cent of them are using SMS, which isn't the greatest option given the SIM swapping that can happen.

Twitter handles can be desirable property: this week saw the arrest in Spain of someone who allegedly played a role in mass account hijackings, and the jailing of a teen who was involved in the fatal swatting of a Twitter user over their handle.

"Security keys, while the most secure form of 2FA, are still relatively new," the social network said. "Twitter has made numerous improvements to our security key support over the past year, and we hope to see the usage number grow in the next reporting interval." ®

More about


Send us news

Other stories you might like