
Leaving the Shire: 3 Years of Exposing Systemic Cybersecurity Failures

·1476 words·7 mins

by: Lari Huttunen

Public Exposure celebrates its third anniversary! Reflecting on the journey to expose systemic failures in cybersecurity and looking ahead to the future.

  • What if the biggest cybersecurity threats aren’t the ones you read about in the headlines?
  • What if the real vulnerabilities lie hidden deep within the systems we rely on every day?

Three years ago, I embarked on a journey to expose these hidden dangers. I launched Public Exposure with a mission to shine a light on the systemic failures that make us all vulnerable.

  • 40 write-ups later, here we are! 🎂 🥂 🍾

It’s a mission fueled by a simple observation: the cybersecurity world is obsessed with the new and the flashy. Zero-days, ransomware attacks, the latest AI-powered threats - these grab the headlines and dominate the conversation. But what about the vulnerabilities and exposures we already know about? The ones that persist, unpatched and unattended, lurking in the shadows of our systems?

These are the dangers that truly fascinate me. The ones that don’t get the attention they deserve. Public exposure isn’t something you can see or hear; it’s a silent threat, a vulnerability hidden in plain sight. And that’s precisely why it’s so important to bring it to light.

Crossing the Bridge: Public Exposure’s First Steps #

I remember discussing the potential for publishing a blog back in 2007 with my former colleague Heikki Kortti while working for Codenomicon. Little did I know that it would take me only fifteen years to realize this dream and actually get it going. One of the reasons, of course, was the “writing fatigue” you develop during your studies, especially while working on your master’s thesis and the like.

The inaugural post on Public Exposure was the first attempt to shed light on the systemic challenge we have in talking about vulnerabilities and exposures in general. The mission is still the same: raise awareness of exposure as an additional thing you need to pay attention to, instead of focusing only on vulnerability management or threat hunting.

Little did I know what kind of an impact the blog would have on my thinking. Having to focus each month on a topic, either as the author or the editor, has taken my understanding of the issues affecting all of us a bit further. I have helped bring light to at least the following aspects of cybersecurity:

  • Public exposure cannot be patched.
  • Management interfaces are inherently vulnerable and must not be exposed to the Internet.
  • Man-in-the-middle attacks are discounted as more or less irrelevant, even though Visma red teamers Tomi Koski and Joona Hoikkala, for example, proved otherwise with their 0-day in FreshService (CVE-2022-36173 and CVE-2022-36174).
  • The psychological aspect of cybersecurity is an important topic if we think about the well-being of an individual or how to find skilled persons to work for your organization.
  • I’ve also talked about cyber early warning as an emerging topic which should be recognized in a similar manner as any of the other early warning topics recognized by the UN disaster risk reduction efforts.

Uncovering Systemic Issues: A Look Back #

If you have been reading the blog, you already know that it hasn’t been a one-man show; rather, 16 guest bloggers to date have contributed their insight on a monthly basis. I have envisioned myself as a “house DJ” who fills in the blanks when there isn’t a guest contribution on the table.

However, recruiting new writers and working with potential new contributions from the existing roster has also been a good deal of hard work and promotion. The publishing schedule of 12 posts a year, one on each Patch Tuesday, has been tougher than I originally surmised. Luckily, I have been able to secure some contributors who have written more than a single write-up: Agnė Brilingaitė, Juhani Eronen and Tuomas Haarala, to be specific.

In terms of topics, the range has been surprisingly diverse. One of the oldest guest write-ups, from Antti Kurittu, dealt with romance scams and where they might be heading. In retrospect, his write-up is quite interesting, as it was written before LLMs broke through into our everyday workflows.

Audio deepfakes have also been a topic, where the PwC researchers Manuel Werka and Max Bineder gave us food for thought about the use and abuse of machine learning technology. On the other hand, Laura Kankaala just recently gave us a round-up of how LLMs are being used for audio deepfakes by cyber criminals. On the topic of AI, Mikko Hyppönen wrote about the ongoing arms race between good AI and bad AI.

Most writers have opted to write under their own name, which is great for credibility, but recently I had a reason to publish a write-up on OSINT pseudonymously. OPSEC is a necessity when we start talking about helping the police bring down subversive activity leading to treason trials. In terms of OSINT write-ups, Dr. Bernhards Blumbergs did an excellent job of explaining to us the intricacies involved in OSINT information collection and how your vantage point plays into it.

On the topic of OPSEC, Erno Kuusela delved into quite an interesting avenue of inspection, namely how to protect your privacy and metadata from eavesdroppers at large. This in turn reminds me of the basics of situational awareness, as exemplified by Jouni Ihanus. In the same vein, John Kristoff wrote about the impact of forgotten protocols, such as ISATAP — ripe to be exploited.

Even if cryptocurrencies are a debatable topic, Ben Weintraub’s work on researching systemic scamming taking place through modern front-running on Ethereum deserves a mention. This type of fraud is one of the few fraud-related write-ups that made me think about the volatility of that space in a new light.

My Contributions: Exposing the Overlooked #

In my 20th contribution to this blog, I continue to explore the hidden and overlooked through my research, which I’ve been conducting since 2018. My work delves into vulnerabilities and exposures on a global scale, often focusing on what I call OOPSIE: Outrageously Odd Problems and Security Issues Examined. It’s about shining a light on those systemic issues that hide in plain sight, the ones nobody seems to be paying attention to.

A good example of this kind of exposure is my quest to get publicly exposed windfarm management portals out of the reach of miscreants. Working with NCSC Finland, there has been a noticeable impact in Finland, but unfortunately elsewhere in the world this problem keeps on giving. Nordex, the publicly traded windfarm manufacturer, has not learned its lesson, despite having been targeted by a ransomware attack in recent history.

I mean, what could go wrong if a windfarm management system got into the hands of miscreants and they started playing around with the rotation speed of the blades, for example?

Windfarm portal exposure has spread south and west, when compared to the situation two years ago.

Being a sysadmin has given me the incentive to look at obsolescence, which, in the form of end-of-life components, is one of the temporal exposures that remains largely unnoticed or unattended, to say the least. This in turn has been part of my life’s work as a taxonomy enthusiast: iterating over a data harmonization ontology used by tens of thousands of organizations in over 20 countries around the world.

The Journey Continues: Join the Conversation #

It is amazing how much you can accomplish by simply keeping at it, as demonstrated by these forty write-ups to date.

Like Bilbo said:

I like to know where I’m going before I get there, if I can, he said. But I suppose it isn’t really a good sentiment.

In the future, I will strive to widen our fellowship of writers with another 16 if possible. To make it happen, however, I will need contributions from experts like you – and I’m not talking about the SEO experts who keep knocking on my door almost every week.

One of the changes I’ve decided upon is that my own contribution will likely be six posts a year, leaving room for the guests to express their opinions. If I don’t have a guest contribution for a given month, then there won’t be a post that month.

If you would like to contribute, please do not hesitate to:

Get in Touch via Email

… and propose a topic you would like to write about in this blog.
