As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.
Yesterday we showcased the year’s biggest fails – the security disasters, industry calamities, and the emergence of vulnerabilities so stupid they’ll make your eyes roll.
Today, we’re celebrating the times that organizations, governments, and the infosec community have shown laudable skill, judgement, and commitment to better securing the cyber sphere in 2022.
CFAA changes
This year saw major progress made in protecting ethical hacking from unfair legal consequences. Current laws worldwide often enable prosecution of security researchers motivated to protect rather than harm users, creating risks for ethical hackers in the course of doing their job.
In the US, the Department of Justice (DoJ) announced it will no longer prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.
The amendment, announced back in May, laid out changes to prosecution criteria under the Computer Fraud and Abuse Act (CFAA).
Good faith in this case refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.
Decriminalizing UK ethical hackers
Across the pond, UK legislators proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill back in June that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).
Critics argue that the law, which came into effect in 1990, is outdated and unduly prosecutes security researchers, ethical hackers, and pen testers who responsibly hunt for or report vulnerabilities.
Campaigners continue to call for legal clarification of legitimate hacking activities, which they argue include responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.
The UK government continues to hold talks on the proposed law changes. A call for information was closed in September.
Making disclosure smoother
Progress was also made in helping security researchers to make the vulnerability disclosure process smoother.
HackerOne encouraged customers to adopt its new standard policy, released in November, that goes further to protect hackers from legal problems.
The Gold Standard Safe Harbour agreement “is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”, said HackerOne.
“This standardization also reduces the burden on hackers for parsing numerous different program statements.”
Meanwhile, the maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference in November.
The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.
In defence of Ukraine
The Russian invasion of Ukraine dominated headlines this year, and as individuals across the world stepped up to help, so did the hacking community.
In March, Hackers Without Borders (HWB), a Geneva-based non-governmental organization (NGO), was launched to offer emergency infosec assistance to other NGOs and providers of critical services affected by conflicts around the world.
Staffed by volunteer hackers and infosec experts, the organization helps individuals or organizations handle the fallout of cyber-attacks, protect them from further assaults, and bolster their cyber-resilience – free of charge.
In an interview with The Daily Swig, co-founder Florent Curtet said: “We are here to be like firefighters for people, companies, institutions that don’t have the money, skills, or information to protect themselves from today’s digital threats.”
Also speaking in defence of Ukraine, WithSecure’s Mikko Hyppönen told attendees of the cybersecurity company’s first-ever conference this year that “Russia is trying, but it is largely failing” in its efforts to ignite cyberwarfare.
Speaking at Sphere 2022 in neighbouring Finland, Hyppönen said: “Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.”
Back to Hacker Summer Camp
This year saw the return of in-person conferences, in particular Black Hat, which was held online in previous years due to the coronavirus pandemic.
In May, Black Hat Asia attendees in Singapore heard keynote speaker Samir Saran warn that “if democracy is to survive, technology will have to be tamed”.
At Black Hat USA, held in Las Vegas in August, former CISA director Chris Krebs also spoke out about geopolitical tensions, urging organizations worldwide to bolster their online infrastructure amid Taiwan tensions.
And at Black Hat Europe, held in London in November, renowned security researcher Daniel Cuthbert told attendees that a defendable internet is possible – “but only with industry makeover”.
The conferences also saw the release of various hacking tools built by the community for the community.
Securing the open source ecosystem
Finally, efforts to secure the open source supply chain were ramped up for 2022, with a number of new initiatives launched.
The Secure Open Source Rewards (SOS.dev) scheme was set up to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.
The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.
Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.
The Open Source Security Foundation (OpenSSF) also launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.
And a summit held at the White House resulted in a plan to better secure the government’s software supply chain, in the wake of the Log4j incident back in 2021.
Source: https://portswigger.net/daily-swig/security-done-right-infosec-wins-of-2022