Security Flaw TunnelVision Compromises VPN Effectiveness, Small Businesses Voice Concerns Over CMMC

A significant security flaw known as TunnelVision was discussed, highlighting its potential to undermine the effectiveness of VPNs and pose a serious threat to data security. The technique uses a rogue DHCP server on the local network to push classless static routes (DHCP option 121) that are more specific than the routes the VPN client installs, so traffic for the targeted destinations leaves the physical interface in the clear while the VPN still appears connected; an attacker on that network can then intercept the unencrypted data and potentially access valuable information. Identified as CVE-2024-3661, the weakness has been exploitable since 2002, although no cases of active exploitation have been reported.
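The routing mechanism behind the attack, and the "ignore DHCP option 121" mitigation mentioned later on this page, are easiest to reason about by decoding a DHCP option 121 payload and running longest-prefix-match over the combined routing table. The following is an added example written for this page; it is not code from the TunnelVision researchers or any VPN vendor. The interface names (`eth0`, `tun0`), the VPN server address, the probe destinations and the option-121 bytes are constructed test data.

```python
"""TunnelVision check: decode DHCP option 121 (RFC 3442 classless static
routes) and simulate which destinations would leave the host over the
physical interface instead of the VPN tunnel.

Added example for this page; not code from the researchers or a VPN vendor.
Interface names, the VPN server address and the option-121 bytes below are
constructed test data, not captured from a real network.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress interface)


def decode_option_121(payload: bytes) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Parse RFC 3442 encoding: per route a 1-byte prefix length, only the
    significant destination octets (ceil(len/8) of them), then a 4-byte router."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121")
        dest = int.from_bytes(payload[i:i + n].ljust(4, b"\x00"), "big")
        i += n
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False: a sloppy server may set host bits; accept rather than crash
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def longest_prefix_match(table: List[Route], dst: ipaddress.IPv4Address) -> str:
    """Kernel-style route selection: the most specific matching prefix wins."""
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else "unreachable"


def vpn_routing_table(vpn_server: str, phys_if: str = "eth0", tun_if: str = "tun0") -> List[Route]:
    """What a typical VPN client installs: two /1 routes into the tunnel
    (beating the LAN's /0 default) plus a /32 to the VPN server via the LAN."""
    return [
        (ipaddress.IPv4Network("0.0.0.0/1"), tun_if),
        (ipaddress.IPv4Network("128.0.0.0/1"), tun_if),
        (ipaddress.IPv4Network(vpn_server + "/32"), phys_if),
    ]


def egress_after_option121(option121: bytes, vpn_server: str, probes: List[str],
                           phys_if: str = "eth0", tun_if: str = "tun0") -> dict:
    """Return {destination: interface} once the DHCP server's option-121 routes
    are installed on the physical interface next to the VPN client's routes."""
    table = vpn_routing_table(vpn_server, phys_if, tun_if)
    table += [(net, phys_if) for net, _router in decode_option_121(option121)]
    return {p: longest_prefix_match(table, ipaddress.IPv4Address(p)) for p in probes}


def leaked_destinations(option121: bytes, vpn_server: str, probes: List[str]) -> List[str]:
    """Destinations that bypass the tunnel, excluding the VPN server itself
    (that /32 must go over the LAN for the tunnel to exist at all)."""
    egress = egress_after_option121(option121, vpn_server, probes)
    return [d for d, iface in egress.items() if iface != "tun0" and d != vpn_server]


# Constructed rogue DHCP option 121 payload (RFC 3442 bytes):
#   0.0.0.0/0  via 192.168.1.1  -> 00 | c0 a8 01 01           (no dest octets)
#   8.8.8.0/24 via 192.168.1.1  -> 18 08 08 08 | c0 a8 01 01
#   10.0.0.0/8 via 192.168.1.1  -> 08 0a | c0 a8 01 01
ROGUE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"
    "18" "080808" "c0a80101"
    "08" "0a" "c0a80101"
)
VPN_SERVER = "203.0.113.10"  # constructed (TEST-NET-3)
PROBES = ["8.8.8.8", "10.1.2.3", "1.1.1.1", "172.16.0.5", VPN_SERVER]

if __name__ == "__main__":
    for dst, iface in egress_after_option121(ROGUE_OPTION_121, VPN_SERVER, PROBES).items():
        print(f"{dst:>15} -> {iface}")
```

Two things the simulation makes concrete: the rogue /0 route does nothing, because the VPN's /1 routes are more specific, while the /24 and /8 routes win longest-prefix match and silently pull 8.8.8.8 and 10.1.2.3 onto `eth0` even though the tunnel is up. That is why the mitigations named on this page are either to reject option 121 at the DHCP client or to enforce the VPN with a firewall or network namespace rather than trusting the routing table.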

Small businesses are expressing concerns regarding the challenges of implementing and complying with the Cybersecurity Maturity Model Certification (CMMC). While efforts have been made by the Pentagon to alleviate the burden on smaller companies, significant hurdles remain for these businesses in meeting cybersecurity standards.


Four things to know today

00:00 Security Flaw 'TunnelVision' Compromises VPN Effectiveness, Researchers Warn

02:05 Small Businesses Voice Concerns Over CMMC Implementation and Compliance Hurdles

06:04 Microsoft Unveils Zero Trust DNS Preview for Enhanced Windows Security

06:43 EVBox Enhances EV Charging Solutions with EVA Global Managed Services Partnership


Supported by: https://movebot.io/


All our Sponsors: https://businessof.tech/sponsors/


💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

📰 Story Links & Sources

Looking for the links from today's stories?

Every episode script, with full source links, is posted at:

🌐 https://www.businessof.tech

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

🔗 Follow Business of Tech

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews



[00:00:01] It's Wednesday, May 8th, 2024 and I'm Dave Sobel. Four things to know today. A security

[00:00:07] flaw TunnelVision compromises VPN effectiveness, researchers warn. Small businesses voice concerns

[00:00:14] over CMMC implementation and compliance hurdles as we review a list of regulation moves. Microsoft

[00:00:21] unveils Zero Trust DNS Preview for enhanced Windows security and EVBox enhances EV charging

[00:00:28] solutions with an EVA Global Managed Services partnership. This is the Business of Tech.

[00:00:37] Security researchers have discovered an exploit called TunnelVision that can render any VPN

[00:00:42] useless, allowing attackers to snoop on unencrypted data and potentially gain valuable data from

[00:00:48] it. The researchers suspect that the exploit may have been used for years and they notified

[00:00:53] VPN makers about their findings. Fixing the issue is challenging as removing DHCP-supported

[00:01:00] VPNs would cause connectivity problems and other proposed fixes still leave room for de-anonymized

[00:01:06] traffic. The vulnerability assigned CVE-2024-3661 has been available for exploitation since 2002

[00:01:14] but has no known cases of active exploitation. Mitigation measures include using network

[00:01:21] namespaces, configuring VPN clients to deny non-VPN traffic, ignoring DHCP option 121, connecting

[00:01:30] via personal hotspots or virtual machines and avoiding untrusted networks. VPN providers

[00:01:36] are encouraged to enhance client software to block risky DHCP configurations. The researchers

[00:01:43] warn that relying on compromised networks with VPNs could have serious consequences,

[00:01:48] especially for individuals who rely on VPNs for safety such as journalists and whistleblowers.

[00:01:55] Why do we care? This is a significant problem. Heads up for infrastructure and security

[00:02:01] teams to get up to speed and mitigate the problem the best you can.

[00:02:07] President Biden has signed the Report Act into law requiring websites and social media

[00:02:12] platforms to report crimes related to online sexual exploitation of children to the National

[00:02:17] Center for Missing and Exploited Children's CyberTipline. Companies that fail to report

[00:02:22] child sex abuse material may face hefty fines and evidence must be held for a longer period.

[00:02:28] The new law aims to make the assessment of reports more efficient and protect vulnerable

[00:02:32] children from online exploitation. New federal rules from the Equal Employment

[00:02:38] Opportunity Commission provide stronger protections for transgender and non-binary employees

[00:02:43] in American workplaces, prohibiting misgendering and denying access to restrooms based on gender

[00:02:50] identity. The guidance the first in 25 years follows the landmark Supreme Court case, Bostock

[00:02:56] vs. Clayton County, establishing LGBTQ plus workers protection from workplace discrimination.

[00:03:03] The new rules also address remote and pregnant workers and while not legally binding,

[00:03:09] they inform the EEOC's interpretation of harassment cases. A 3-2-2 vote approved the guidelines,

[00:03:16] significantly impacting an estimated 3.6 million employees.

[00:03:21] The Cybersecurity and Infrastructure Security Agency has extended the public comment period

[00:03:25] for the proposed Cyber Incident Reporting Rule under the Cyber Incident Reporting

[00:03:30] for Critical Infrastructure Act. The extension was granted in response to requests from

[00:03:35] industry leaders and the comment period will now close on July 3rd. The regulations aim

[00:03:39] to enhance the government's ability to track cybersecurity incidents and ransomware payments.

[00:03:44] CISA hopes to receive high-quality feedback from critical infrastructure organizations

[00:03:49] to ensure the final rule is effective and aligns with the program's intent.

[00:03:54] The Small Business Administration's Office of Advocacy has expressed concerns about

[00:03:58] the impact of the Cybersecurity Maturity Model Certification, or CMMC, on small businesses.

[00:04:04] While the Pentagon has changed the program to ease the burden on smaller companies,

[00:04:08] there's still concerns about compliance, costs, and the availability of certified third-party

[00:04:13] assessment organizations. The Office of Advocacy has called for further clarification

[00:04:18] and guidance from the Department of Defense to ensure that small businesses can meet

[00:04:22] the standards and timelines set out in the CMMC program.

[00:04:27] A Senate bill sponsored by Senator Ron Wyden would require online collaboration tools vendors

[00:04:32] like Zoom and Slack to enhance their security. The bill aims to establish standards through

[00:04:38] the National Institute of Standards and Technology and ensure compliance through Homeland

[00:04:42] Security. The bill also seeks to promote interoperability between platforms.

[00:04:48] Why do we care? The headlines are a new law and a new set of federal employment

[00:04:54] rules. It's the rule set that likely impacts more of this audience.

[00:04:59] Have concerns about cyber incident reporting or CMMC 2.0? This is your time to speak up

[00:05:05] to the relevant agency, and if you're not up to speed now's the time to do so, I've

[00:05:09] warned you so you can express your concern. We'll be back right after this message.

[00:05:17] Data migrations are complex and irritating, creating days of frustration from setup

[00:05:22] to cutover. Movebot was built from the ground up to fix that.

[00:05:27] Movebot is the simplest and fastest data moving tool there is, fully hosted with no infrastructure,

[00:05:33] no virtual machines, none of that. Sign up, connect, scan, and you'll be moving data

[00:05:38] in minutes. Techs of all levels can now move terabytes per day with Movebot.

[00:05:44] The magic lies in how Movebot simplifies and auto-scales your migration with modern

[00:05:49] cybersecurity technology, handling proprietary doc types, filename sanitization,

[00:05:54] permissions and cut over with detailed reporting and alerting at every step.

[00:05:59] Start moving data like a pro at movebot.io.

[00:06:05] Microsoft has introduced a preview of its Zero Trust domain name system for Windows,

[00:06:10] which aims to enhance security using encryption and authenticated connections.

[00:06:15] The system allows administrators to restrict which domains the servers will resolve.

[00:06:20] While there are some limitations, such as the need for MDM management and potential

[00:06:24] complications with administrative privileges, experts generally view the ZTDNS positively

[00:06:31] for organizations implementing Zero Trust architecture.

[00:06:35] Why do we care? Well, I want to inform you of the significant product development here.

[00:06:40] This is a new security product to consider.

[00:06:44] EVbox has partnered with EVA Global, a managed services provider to improve support

[00:06:50] for its electric vehicle charging infrastructure.

[00:06:53] As part of the partnership, EVA Global will handle level one customer support,

[00:06:57] offering 24x7 support in multiple languages.

[00:07:00] This move is part of EVbox's strategy to enhance services support,

[00:07:04] including remote diagnostics on public charging stations.

[00:07:08] The partnership reflects a larger EV charging network industry trend

[00:07:12] to improve reliability, availability, performance, and user experience.

[00:07:17] Why do we care? I did not have EV charging management on my list of potential

[00:07:23] service offerings, and I shouldn't. This is a reminder that maintenance

[00:07:27] is often an overlooked significant portion of most technologies

[00:07:31] and continues to be an opportunity.

[00:07:36] Thanks for listening. National Coconut Cream Pie Day is today

[00:07:40] and also National Animal Disaster Preparedness Day.

[00:07:44] Those seem very specific. We can make it easy with National Give Someone a Cupcake Day

[00:07:49] also today.

[00:07:51] Have a question you want answered? I do take lists or questions.

[00:07:54] Send them ideally as a voice memo or video to question@mspradio.com.

[00:07:58] I answer lists or questions live each week on our Wednesday Live show on YouTube and LinkedIn.

[00:08:03] Got a comment or a thought? Put it in the comments if you're on YouTube,

[00:08:06] or reach out at LinkedIn if you're listening to the podcast.

[00:08:09] I'll talk to you again tomorrow.

[00:08:39] Buy our Why Do We Care merch at BusinessOf.Tech.

[00:08:43] Finally, if you're interested in advertising on this show, visit mspradio.com

[00:08:48] slash engage. Once again, thanks for listening to me,

[00:08:52] and I will talk to you again on our next episode of The Business of Tech.