Secure Software Development Lifecycle Process Still Lacking

In late 2015 Juniper announced that it had found two backdoors in the router and firewall appliances that it sells.  Backdoors are unauthorized ways to get into these systems in a way that bypasses security.  Kind of like going around to the back of the house and finding the kitchen door unlocked when no one is home.  Researchers said that there were telltale signs that this was the work of the NSA, although they would never say, of course.  If these backdoors were the work of the intelligence community, let's at least hope it was OUR intelligence community and not the CHINESE.  Whether these backdoors were intentionally installed in the software with the approval of Juniper management at the request (and possibly payment) of the NSA is something we will never know (See article in Wired here).

At the time, Cisco, Juniper’s biggest competitor, said that they were going to look through their code for backdoors too.  They claimed that they did and that they didn’t find any.

Fast forward two years and now the shoe is on the other foot.

In May, Cisco announced its FOURTH SERIES of backdoors in the last FOUR months.  Possibly their code audit from 2015 is still going on, but if so, it would have been going on for more than 30 months, which seems like a long time.

The most recent SET of bugs includes three bugs which are rated 10 out of 10 on the government’s CVSS3 severity ranking.

The first of the three is a hardcoded userid and password with administrative permissions.  What could a hacker possibly do with that?

The second provides a way to bypass authentication (AKA “we don’t need no stinkin passwords”) in a component of some Cisco software (DNA Center).

The third is another way to bypass authentication in some of Cisco's APIs that programmers use.

In fairness to Cisco, they do have a lot of software.

But to beat Cisco up – WHAT THE HELL WERE THEY THINKING TO ALLOW HARD CODED PASSWORDS IN THE SOFTWARE IN THE FIRST PLACE?

Source: Bleeping Computer

Okay, now that I am done beating up Cisco (actually, not quite, I have one more), what lessons should you learn from this?

First (the last time today that I am going to beat Cisco up), in order for a Cisco customer, who paid a lot of money to get the equipment in the first place, to get these security patches – patches that plug holes that should have never been there in the first place – that customer has to PAY for software maintenance.  If you let the maintenance lapse, you can re-up, but Cisco charges you a penalty for letting it lapse.   For this policy alone, I refuse to recommend Cisco to anyone.

Second, if you are a Cisco user, because of this very user-unfriendly policy, you must buy software maintenance and not let it expire.  If you do, you will not be able to get any Cisco security patches.  Remember that, as one of the biggest players in the network equipment space, Cisco is constantly under attack, so the odds of bugs turning up are like 100%.

Third, no matter whose network equipment you use, you must stay current on patches.  These flaws were being exploited within days, and since hackers know that many Cisco customers do not pay for maintenance, those holes, which are now publicly known, will be open forever.

Only half in jest, my next recommendation would be to replace the Cisco equipment.  There are many alternatives, some even free if you have the hardware to run them on.

Okay, that handles the end user.

But there is an even bigger lesson for software developers here.

How did these FOUR sets of back doors get in the software in the first place?

Only one possible answer exists.

A poor or non-existent secure software development lifecycle program (known as an SSDL) inside the company.

AS AN END USER CUSTOMER, WHEN IT COMES TO SECURITY SOFTWARE ESPECIALLY, YOU SHOULD BE ASKING ABOUT THE VENDOR'S SECURE SOFTWARE DEVELOPMENT LIFECYCLE PROGRAM.

IF YOU GET AN EVASIVE ANSWER, FIND A DIFFERENT VENDOR.  VOTE WITH YOUR CREDIT CARD.

As a developer or developer manager, it is your responsibility to make sure that customers don’t vote with their credit cards.

IMPLEMENT a secure software development lifecycle program.

CREATE and MONITOR security standards.

TEST for conformance with those standards.

EDUCATE the entire development team – from analysts to testers – about the CRITICALITY of the SSDL process.
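"TEST for conformance with those standards" is the step that would have caught the hard-coded password.  As an added example (my own illustration, not Cisco's code or anything from the post's sources), here is a small conformance check that scans source text for credential literals, embedded user:password connection strings and the like, and runs it over two constructed snippets: one that breaks the standard and one that reads its secrets from the environment at start-up.  The variable names, regexes and sample code are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Names that usually hold a credential. Deliberately narrow (no bare "user"),
# so a hard-coded username alone is not flagged; the password beside it is.
CREDENTIAL_NAME = re.compile(r"(?i)passw(or)?d|pwd|secret|api[_-]?key|token")

# name = "literal" | name := "literal" | "name": "literal"
# Only a quoted literal on the right-hand side matches, so a value read from
# the environment or a secret store at start-up never does.
STRING_ASSIGN = re.compile(
    r"""(?P<name>"?[A-Za-z_][A-Za-z0-9_.]*"?)\s*(?:=(?!=)|:=|:)\s*"""
    r"""(?P<q>["'])(?P<value>[^"']{4,})(?P=q)"""
)

# scheme://user:password@host embedded in a connection string.
URL_CREDENTIAL = re.compile(r"""(?i)(?P<scheme>[a-z][a-z0-9+.-]*)://[^/\s:@"']+:[^/\s@"']+@""")

# Template values that are clearly not real secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{[^}]*\}|<[^>]*>|changeme|example|x{3,}|\*{3,})$")


@dataclass
class Finding:
    line_no: int
    kind: str    # "literal-credential" or "url-credential"
    name: str    # variable/key name, or the URL scheme for url findings
    text: str    # the offending line, stripped


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per hard-coded credential found in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//", "*")):   # skip comment lines
            continue
        for m in STRING_ASSIGN.finditer(line):
            name = m.group("name").strip('"')
            if CREDENTIAL_NAME.search(name) and not PLACEHOLDER.match(m.group("value")):
                findings.append(Finding(line_no, "literal-credential", name, stripped))
        url = URL_CREDENTIAL.search(line)
        if url:
            findings.append(Finding(line_no, "url-credential", url.group("scheme"), stripped))
    return findings


def passes_standard(text: str) -> bool:
    """Conformance gate for a build pipeline: true only when the scan is clean."""
    return not scan_source(text)


# Constructed sample of what the standard forbids (hypothetical code, not a real product).
VULNERABLE_SAMPLE = '''\
# constructed sample of what the standard forbids
ADMIN_USER = "admin"
ADMIN_PASSWORD = "Sup3rS3cret!"
DB_URL = "postgres://svc:Pa55word@db.internal:5432/app"
def login(user, password):
    return user == ADMIN_USER and password == ADMIN_PASSWORD
'''

# Constructed hardened version: secrets are injected at start-up and the stored
# password is a hash compared in constant time (hash_password is a stand-in name).
HARDENED_SAMPLE = '''\
# constructed sample: secrets are injected at start-up, never in the source tree
import hmac, os
ADMIN_USER = os.environ["ADMIN_USER"]
ADMIN_PASSWORD_HASH = os.environ["ADMIN_PASSWORD_HASH"]
DB_URL = os.environ["DB_URL"]
SMTP_PASSWORD = "${SMTP_PASSWORD}"
def login(user, password):
    return user == ADMIN_USER and hmac.compare_digest(hash_password(password), ADMIN_PASSWORD_HASH)
'''

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"{label}: {'PASS' if passes_standard(sample) else 'FAIL'}")
        for f in scan_source(sample):
            print(f"  line {f.line_no} [{f.kind}] {f.name}: {f.text}")
```

Wired into a pre-commit hook or CI job, a check like this fails the build before a credential literal ever ships; the placeholder filter keeps it from complaining about `${VAR}` templates in configuration files.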

Advertisement: we can help you with this.

While Cisco is big enough to weather a storm like this, smaller companies will not be so lucky.  The brand damage could be fatal to the company and all of its employees.


Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure that governments need any help in hacking IoT devices, but just in case they do, Israeli startup Toka raised $12.5 million to help police hack iPhones, Alexas, Echos and Nests, along with other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder, and Brigadier General Yaron Rosen, former head of the Israel Defense Forces cyber staff, is the president of Toka.

Kind of like NSA’s Tailored Access Operations (TAO) that builds custom hacks for the NSA, Toka said they are going to see what customers ask for and then deliver.

This sounds like a company to watch.  (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9-11.

Russia, China, Iran and North Korea are launching daily cyber strikes on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems and Software admitted in a letter sent to Senator Ron Wyden that they installed pcAnywhere remote access software on some voting machines delivered between 2000 and 2006.  This is the opposite of what they told a New York Times reporter in February, so either they were lying then or are lying now, pick one.

They stopped installing the remote access software in December 2007 after the laws changed which would have made installing that software illegal.

The remote access software was not on the ballot boxes in the local precincts but rather on the election management systems in the city and county headquarters.  There are far fewer of these systems and each one is accountable for many voting machines, which would make them a much more attractive target for hackers.  (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp, shut down portions of its network over the weekend due to suspicious activity.  That is about as vague as the company has been.

The attack hit the company’s genetic testing unit and spread from there.  The company has data on over 250 million Americans. LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it is a strain of the common ransomware SamSam and it has infected tens of thousands of workstations.

The hackers demanded $52,000 in ransom which LabCorp says it has no intention of paying.

LabCorp is working hard to try and minimize brand damage as it fights for market share with Quest Diagnostics.  Unfortunately, unless they can prove that no data was stolen, under HIPAA rules this will be considered a breach and must be reported to the government, at which point we will get more details.  Source: Wall Street Journal.

Complying with GDPR and California’s CCPA – Step 2

Last week I started a series on steps to comply with both the E.U.'s General Data Protection Regulation or GDPR and California's new privacy law, the California Consumer Protection Act or CCPA.  To find Step 1, go to this post: https://mtanenbaum.us/complying-with-gdpr-and-californias-new-privacy-law-ccpa-step-1/ .

This week, on to Step 2 – CREATE A VENDOR CYBER RISK MANAGEMENT PROGRAM.

Some companies have a vendor risk management program.  For the most part, these programs focus on compliance – is the vendor appropriately licensed?  Do they have liability insurance?  Possibly, depending on your industry, are they on any of the Treasury Department’s terrorist watch lists?

None of this deals with cyber risk.  That requires a completely different set of questions and a completely new process.

The process starts with the VDI list created in step 1.

Using that list, you can then rank each vendor as to the cyber risk that vendor represents to the company.  The ranking can be simple – red, yellow, green or high, medium and low.

Now that you have the vendors sorted, you need to review the vendors based on that risk ranking.  Start with the high risk vendors.  For most companies, that alone will be a significant task.  Create questionnaires; send them out; review the results.  Some vendors will have certifications like our Business Cybersecurity Certification or the SSAE 18.  Those need to be reviewed.  For SSAE 16 and 18 certifications, you need to look for what areas of the business they excluded, although it may be a shorter list to see what areas they included.  You will likely need to follow up with vendors to get your answers back.

For some high risk vendors you may want to conduct a site visit, especially if they are critical to your business.

Once you have done that, you need to work with the vendors to remediate any deficiencies.  You need to set up a system to track each vendor’s progress or, possibly, lack of progress.

Once that is done with the high risk vendors, you can move on to other vendors, but plan on this first step taking a while.  Probably a long while.
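To make the ranking and tracking concrete, here is an added example of my own (not part of the original post and not any product's code): a small vendor register that scores each vendor on the factors that drive cyber risk, sorts the review queue red-first, records the scope exclusions from an SSAE 18 report, and flags remediation items that have slipped past their due date.  The weights, the vendor records and the due dates are all constructed assumptions; tune the weights to your own business.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Scoring weights are an assumption for this example; calibrate to your own risk appetite.
WEIGHTS = {
    "sensitive_data": 3,     # vendor stores or processes customer PII/PHI/payment data
    "network_access": 2,     # vendor holds VPN access, API keys or agents on your systems
    "business_critical": 2,  # an outage at the vendor stops your business
    "no_attestation": 1,     # no SSAE 18 or equivalent report to review
}
TIER_ORDER = {"red": 0, "yellow": 1, "green": 2}


@dataclass
class Vendor:
    name: str
    sensitive_data: bool = False
    network_access: bool = False
    business_critical: bool = False
    attestation: str = "none"                                 # e.g. "SSAE 18" or "none"
    excluded_areas: List[str] = field(default_factory=list)   # scope carve-outs in the report
    remediation: Dict[str, date] = field(default_factory=dict)  # open finding -> due date


def risk_score(v: Vendor) -> int:
    score = 0
    score += WEIGHTS["sensitive_data"] if v.sensitive_data else 0
    score += WEIGHTS["network_access"] if v.network_access else 0
    score += WEIGHTS["business_critical"] if v.business_critical else 0
    score += WEIGHTS["no_attestation"] if v.attestation == "none" else 0
    return score


def risk_tier(v: Vendor) -> str:
    """Red / yellow / green, the simple ranking the post suggests (thresholds assumed)."""
    s = risk_score(v)
    return "red" if s >= 5 else "yellow" if s >= 3 else "green"


def review_queue(vendors: List[Vendor]) -> List[Tuple[str, str]]:
    """Vendors in the order to review them: red first, then highest score, then name."""
    ordered = sorted(vendors, key=lambda v: (TIER_ORDER[risk_tier(v)], -risk_score(v), v.name))
    return [(v.name, risk_tier(v)) for v in ordered]


def review_notes(v: Vendor) -> List[str]:
    """What the reviewer needs to do for this vendor beyond the questionnaire."""
    notes = []
    if v.attestation == "none":
        notes.append("no attestation report: rely on questionnaire and follow-up")
    elif v.excluded_areas:
        notes.append(f"{v.attestation} report excludes: {', '.join(v.excluded_areas)}")
    if risk_tier(v) == "red" and v.business_critical:
        notes.append("site visit recommended")
    return notes


def overdue_remediation(vendors: List[Vendor], today: date) -> List[Tuple[str, str, int]]:
    """(vendor, finding, days late) for every remediation item past its due date."""
    late = []
    for v in vendors:
        for finding, due in v.remediation.items():
            if due < today:
                late.append((v.name, finding, (today - due).days))
    return sorted(late, key=lambda t: -t[2])


# Constructed vendor register (hypothetical companies and dates).
VENDORS = [
    Vendor("PayrollCloud", sensitive_data=True, network_access=True, business_critical=True,
           attestation="SSAE 18", excluded_areas=["data center operations"],
           remediation={"MFA on admin portal": date(2018, 6, 30)}),
    Vendor("OfficeSnacks"),
    Vendor("HelpdeskSaaS", sensitive_data=True,
           remediation={"encrypt backups at rest": date(2018, 9, 1)}),
    Vendor("NetMonitor", network_access=True, business_critical=True, attestation="SSAE 18"),
]

if __name__ == "__main__":
    for name, tier in review_queue(VENDORS):
        v = next(x for x in VENDORS if x.name == name)
        print(f"{tier:6} {name:14} score={risk_score(v)} {review_notes(v)}")
    for name, finding, days in overdue_remediation(VENDORS, date(2018, 7, 20)):
        print(f"OVERDUE {name}: {finding} ({days} days late)")
```

Run weekly against your real register, the overdue list is the "lack of progress" report the post says you need; the tier and the notes tell you where the site visits and the SSAE 18 scope reviews go first.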

The Ugly Version of Ransomware

As hackers are discovering that some organizations are opting to not pay the ransom after a ransomware attack, either because they have backups or they do not want to support criminals, the criminals are changing tactics – something we warned about months ago.

In this case, CarePartners, a home healthcare service provider in Ontario announced last month that it had been breached.  At that time it said that personal health and financial information of patients had been inappropriately accessed and nothing more.

This is where the ugly starts.

Since CarePartners was managing spin and, apparently, not telling the whole story, the hackers reached out to CBC News and spilled the beans.

They provided a sample of the data that was involved in the ransom and said that they were going to release it if the ransom was not paid.  Of course, there is no way to know if they will release it, even if the ransom is paid.

The “sample” includes thousands of patient medical records with phone numbers, addresses, birth dates, health ID numbers, detailed medical conditions, diagnoses, surgical procedures, care plans and medications.

Other documents shared include credit card numbers and related information.

Now CarePartners says the breach could affect up to 237,000 patients.

Since this particular ransom attack took place in Canada, the penalties would be governed by PIPEDA, the Canadian privacy law, which is pretty tough.

What does this mean for you?

First, you should plan for the worst case situation of a ransom attack where the attacker says that if you don’t give us the money, we are going to release your data publicly.  OUCH!

Second, be ready to figure out what the attackers took.  A month after the attack, CarePartners said that they have identified 627 patient files and 886 employee records that were accessed, but the “partial” data provided to CBC News contained 80,000 records.  HUH?!

Next, apparently, the servers did not have current patches installed.  They were two years out of date.

And then, the data was not encrypted.

When CBC News contacted some of the people matching the records that the hackers gave them, they said they were patients of CarePartners, but had not been contacted by them.

CarePartners is working with the Herjavec Group (as in the guy on Shark Tank and yes, they are a legit and well known security company).

CarePartners said that they take security seriously and they have outsourced their IT to someone else.  Apparently that third party isn't doing a very good job, and CarePartners will get to pay the fine, deal with the lawsuits and have their reputation damaged.  In their case, they are a contractor to the local government, so they could have their contract cancelled as well.  Remember, you can outsource the responsibility but you cannot outsource the liability, so make sure that you are effectively managing any third parties that claim to be taking care of your security.

Let's assume this breach costs CarePartners a couple of million dollars, which is reasonable.  They need to make sure that they can afford to pay that bill and that their outsourced security provider can reimburse them for that cost – hopefully, in both cases, through adequate insurance.

Information for this post came from CBC News.


Sextortionists Shift Scare Tactics

Sextortion is the act of convincing vulnerable people, often teenagers, to provide the sextortionist with sexually explicit photographs and videos under the threat of releasing other embarrassing material, such as nude pictures that may already privately exist in the victim's email, text messages or private social media.

The attacker does this by convincing the victim that they have hacked into the victim's digital life and already have what is there.

99% of the time, this is a complete scam, but scared people do desperate things – like sending (more) sexually explicit material to the attackers in the hopes of getting them to not publicly release material the hackers claim to have.  The hacker asks for a fraction of a bitcoin in payment.

One new tactic – including so called "legitimate" passwords to, say, the user's email account in the pitch message.  These passwords are often legitimate in the sense that the user used them at one time.  This lends credibility to the pitch and the panicked victim does not think through how the hacker may have gotten that password.  The attacker likely got the password from one of the thousands of cyber breaches.

So what should you do?  Well, there is before you get a request and after you get a request from a hacker.

Before, you should practice good cyber hygiene.  Install patches promptly for all software, stay away from sketchy web sites, choose good passwords, etc.

Second, enable two factor authentication – using either a text message to your phone as the second authentication factor, or, better yet, using one of the authenticator apps such as Facebook authenticator or Google authenticator as the second factor.

For parents, talk with your kids about the risk of taking pictures that if, in the wild, would embarrass themselves or worse.

Finally, parents need to talk to their kids about sharing compromising pictures and videos with others, no matter how much they think they are in love and no matter how many promises the other person makes.  Understand that kids may be under amazing social pressure to conform – do not underestimate that.

After the fact, kids need to trust their parents, even though they are embarrassed, confused and scared.  Parents need to work beforehand to get kids to understand that this is not something they can deal with by themselves.

Unfortunately, you may need to get legal advice and you should definitely not believe the hackers.  One suggestion: ask for a sample of the photos that they claim to have.  If the hack is legit – likely it is not – then you need to decide what to do.  The police are going to say that you should go to them and that is probably an OK idea, but unless the hacker is someone you know, I would not get your hopes up.

On the other hand, it may be someone your child knows.  In that case, you need to understand your options and a lawyer may be helpful.  Releasing so-called revenge porn is a crime in many states.

Certainly prevention is easier than dealing with something after the fact and there are no easy answers as kids, especially, tend to do unexpected things.  Discussing and planning is likely a good idea.

Source: Threatpost.


Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still, the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still this does point out the risk of granting someone else proxy to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive, but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people whose data was stolen).  This attack started in December 2017.  The hacker logged on in March and April 2018 also.  The hacker next logged in on June 22 and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS 11.4.1

Apple has added USB restricted mode to the current release of iOS.  Restricted mode locks down the lightning port of an iPhone or iPad after it has been locked for an hour so that it cannot be used for data access, only charging.  It defaults to enabled although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO, put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the ransomware attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from their backups.  Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the Reaper MQ-9, a $17 million military drone for less than $200 on the dark web.  He got them by hacking an Air Force Airman’s home Internet router which was not patched for a known vulnerability.  It is likely that the Airman was not involved, but it is not clear if he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still, it is a multi-billion dollar a year problem.