Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year – both in terms of cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening to throw people in jail if they pay ransoms to terrorists. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Solar Winds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high end network management software called Orion from Solar Winds. This software is typically used by large enterprises and government agencies. This hack gave them access to emails and other data inside these businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department along with an unknown number of private companies. Solar Winds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company that admitted they were hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft, is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three UNidentified states were also among the hacked, while the Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security department inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and that they likely had additional initial attack vectors besides Solar Winds.

This means that every company and not just the 18,000 Solar Winds customers need to be on high alert until we figure out the scope of the breach.

Tom Bossart, former national security advisor in the White House says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe.

The only sure way to deal with this is to build an entirely new network with entirely new servers and other equipment side by side to the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But lets assume that this is only the tip of the ice berg – that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part, this is due to the fact that logs are not tracking everything and also because it took so long to detect, many older log files have been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.

The Strategy is “Wait to get Hacked and then Panic”

As millions upon millions of IoT and Industrial IoT devices get deployed every month, we seem to have forgotten what we learned the hard way about our computers: if we don’t patch them, the hackers will invade.

#1: A set of bugs called Urgent/11 affected a network module that has been around since the 90s and is in use by a couple hundred million IoT and IIoT devices. No important devices, just ones that control factories and hospitals. While the vendor released a patch for the bugs, this software is buried deep in systems where the hospitals and factories have no clue it even exists and the vendor that they bought the system from stopped patching it – if they ever did – years or decades ago. As a result, millions of devices – possibly as many as 97% of the affected devices – are still not patched and likely never will be. Credit: Threatpost

#2: Amnesia 33 is another set of bugs, again in networking software. This time the software is open source meaning there is no vendor to go to for patches. The researchers have already identified over 150 vendors who used the software at some time. Again this affects millions and millions of devices like cameras, badge readers and factory equipment. And again, most of these devices will never be patched. Credit: ZDNet

#3 is the Ripple20 family of bugs. This family of 19 bugs discovered earlier this year. It affects, again, a networking software module that is used in IoT and IIoT devices. Again, the vendor has released patches but most devices will never be patched. The number of impacted devices is estimated to be “in the hundreds of millions”. Credit: ZDNet

The number of devices affected by these bugs is not much of a surprise given the estimate of 75 billion connected devices by 2025.

Given that software licenses provide a “get out of jail free” card to software companies, there is no reason to expect this is going to change any time soon.

Unless, maybe, if we have an attack similar to this week’s Solar Winds announcement which may have compromised the information of as many as 18,000 businesses and government agencies (I can just hear the class action attorneys jumping for joy).

In this case, a lot of sensitive information will be analyzed in Moscow and used against us for decades. The good news is that these organizations will close the hole. Granted it is after the horse is out of the barn and the barn burned down, but it will get closed.

But what if North Korea decides to use these IoT bugs to say, blow up factories. After all, the Russians blew up an oil pipeline in the Ukraine a few years ago because they were made at the Ukraine government. This is not so far fetched.

Or maybe the Chinese will decide to say, turn off all of the ventilation in hundreds of hospitals. Or worse. Certainly possible.

That probably (hopefully? maybe?) keeps the folks that run these businesses up at night and may cause them to do something about it.

But when it comes to consumers, to be honest, all they care about is the price and does it do what I want it to do.

Until it damages their home or apartment or car. By the way, insurance likely does not cover this sort of damage – ask your agent. So if a nation state decides to launch an attack on the consumer base and it damages your car or home or apartment, you may be facing a large bill.

There is no simple answer, but making sure that your vendor is going to patch your device FOR AS LONG AS YOU PLAN TO OWN IT (note that a one year warranty is not terribly useful for an appliance that you plan to keep for say ten years).

Something to consider before falling in love with that bright, shiny new IoT thingee. I just bought a new washing machine. It comes with an app for my phone. So that I can start the washer remotely. Really? Do I need that? Nope, not going to connect it.

Major Software Supply Chain Attack

Solar Winds Software Compromised – Potentially 18,000 Enterprises Affected

Last week FireEye filed a report with the SEC saying that they had been hacked – by Russia and not China – and that the hackers got away with FireEye’s entire suite of offensive hacking tools. This is not exactly what you would want your adversary to have, but I kind of filed that away in the “interesting” category.

Over the weekend, I heard that the National Security Council convened at the White House because, reports said, that hackers had compromised the email services (Office 365, but this is not Microsoft’s fault) at both Treasury and Commerce. Okay, this is getting a little more interesting.

Information came out late yesterday that the hackers had been inside the email and networks of these agencies for many months (6-9 months) undetected.

Then the bombshell hit. The CEO of Solar Winds, one of the biggest network monitoring tool companies in the industry, said that hackers had compromised their software update process and had, somehow, managed to get several malicious updates to the Solar Winds Orion software digitally signed and distributed to almost 20,000 companies including almost every federal government agency and 495 of the Fortune 500. Not a good thing.

Earlier today we sent out an alert to our customers giving them as many details as we had (the initial alert said the attack was tightly targeted and then the Solar Winds CEO blew up that theory).

Right now what we know is that multiple government agencies have been compromised and likely even more private companies have also been compromised. Now that this is public, likely more agencies and companies will admit that they have been compromised.

If you are running Solar Winds high end ORION product and you have support, meaning that you get software updates, or you downloaded a new version in 2020. YOU SHOULD ASSUME THAT YOU HAVE BEEN COMPROMISED.

Chris Krebs, former director of DHS’ CISA said “if you run this product, assume you have been compromised and stand up your incident response team”. Hopefully you have not been, but hope is not a strategy.

If you are running different Solar Winds products, at least based on what we know know, you are not at risk.

I have no evidence that the White House’s continuous downplaying of Russia as an adversary is the reason for this attack, but it likely made them more brazen. In a web briefing I just attended, the speaker said that the attack code did not even slightly try to hide itself, which is certainly an indication that they were not very worried. On the other hand, the communications from the infected systems to the command center, while not cloaked, was very minimal, indicating that the attacker was concerned that its communications could give it away.

I know I continue to harp on supply chain risk, but this is a perfect example of the problem and in this case, it likely caused major damage to the United States – both at the government level and the private industry level. If the Russians had months to wander through the files and email communications of more than 10,000 enterprises, that is a problem.

If you do not have supply chain risk on your radar, now would be a good time to add it.

If you have questions or concerns, please contact us.

Security News for the Week Ending December 11, 2020

Researchers Hack Apple Successfully

Between July and October, good-guy hackers worked on a side project to hack Apple. The results were impressive – if you are not Apple. 55 vulnerabilities found, 11 critical and 29 high. Apple paid the team a bug bounty of $288,000. The compromise would have exposed a lot of Apple’s internal systems and data. Several of the reported bugs were fixed by Apple in hours. Credit: Sam Curry

Hackers offer 250,000 MySQL Databases For Sale on the Dark Web

A hacker set up a dark web site to offer 250,000 MySQL databases stolen from 83,000 breached servers. He wants 0.03 Bitcoin for each database (about $500). The data comes from brute force attacks that resulted in the hacker stealing the data and then deleting off the victim’s server, just leaving a ransom note. Credit: bleepingcomputer.com

Now That Google has Won the Browser War, they Are Working to Kill Off Privacy

Now that all major browsers are based on Chromium, except for Firefox, Google doesn’t have to worry about competition. Google currently allows browser extensions to do way too many things, many of which are dangerous. As a result, they are redesigning the interface that extensions use, called Manifest, which, in concept, is not a bad idea. Purely coincidentally, these changes kill the ad blockers in all Chromium based browsers. Pure coincidence. It has nothing to do with the fact that Google makes most of its money selling ads. There is one ad blocker that will continue to work, Adblock Plus. Adblock Plus is paid by Google to allow their ads to pass freely through their ad blocker. Credit: The Register

Deadline for Sale of TikTok Passed and. Nothing

Trump issued an executive order months ago requiring the sale of TikTok or it would be shut down in the United States. But politics makes people make strange choices. Politicians do not relish ticking off 100 million voters by shutting down their entertainment during a pandemic, so they have kept moving the goal posts. But after moving the “deadline” time after time with no results to show, they just let the last deadline pass. Of course that doesn’t mean this is over, but it does question the government’s intentions. Credit: MSN

SBoM is NOT a Four Letter Word

I have been ranting about Software Bills of Material or SBoM for a while. This week I have two examples of why this is important – even critical.

The first story is about a TCP/IP network stack and the vulnerability is called Amnesia:33. It impacts four open source libraries – uIP, FNET, picoTCP and Nut/Net. Contrary to some opinions, these open source, free TCP libraries are not only NOT bug-free, they are vulnerable to remote code execution, denial of service, information leaks and DNS cache poisoning.

The impact of these vulnerabilities depends on how the device is used, whether it is publicly visible and other factors.

The code is used, THEY THINK, by at least 150 different vendors on an unknown number of products. The researchers at Forescout think that at least a million devices are impacted, but that, along with the number of vendors impacted is mostly a guess. The vendor count is likely much higher as these were vendors they were able to identify.

Since these vendors (and most others) do not have a Software Bill of Materials process – EVEN INTERNALLY TO THE COMPANIES -, most vendors are scrambling to figure out which products and which product versions use the impacted software. Credit: Forescout Research

In many cases, the IoT and IIoT devices are out of warranty and will never be patched and since the companies and people who bought these devices do not have a Software Bill of Material which would, at least, tell them if they have an affected device, so that they could decide if they want to replace the vulnerable devices, the hackers will have a field day.

The second case is for Gnu TLS. Gnu TLS is a free, open source TLS (HTTPS) library that has been around for 17 years and is used in a lot of software. It turns out that GnuTLS 3.6.x before 3.6.14 uses “incorrect cryptography”, which is a nice way to say that the crypto can be trivially bypassed.

So now all you have to do is figure out which of the hundreds of software products in your organization use this library. A few of the well known products that use GnuTLS are apt; cadaver, which is WebDAV, essentially; cURL; Wget; Git; GNOME; CenterIM; Exim; WeeChat; MariaDB; Mandos; Mutt; Wireshark; Rsyslog; slrn; Lynx; CUPS; gnoMint; GNU Emacs; Slapd; Samba; the Synology DiskStation Manager; OpenConnect; and a whole bunch of various VNC implementations.

So since everyone received a Software Bill of Material (SBoM) with the very most recent version of each product you use and that list is in a standardized form that you can import into a spreadsheet or database, it is each to determine which products use GnuTLS 3.6.x where x is less than 14.

Obviously, I am being sarcastic here. I know of no manufacturers that provide computer readable SBoMs to their customers, but there is help in the wings.

The federal government is working on an SBoM standard. While you say that might not help you, consider this. NIST is required to define standards for IoT and IIoT that the government buys. It is likely that SBoM will be one of those requirements. If a company like, say, Wireshark from the list above wants to continue to be able to offer their hardware to the government, they would have to provide an SBoM, assuming NIST goes this route. If they provide an SBoM to the government then you should be able to get a copy too. Credit: Security Now

These are only two examples from this month alone of the problem. The problem is massive and most companies are not prepared to deal with it.

Companies should create a SBoM plan, understanding that this is going to be a work in progress for a while. The first place to start is with ALL internally developed and custom third party software. Getting the information for these products should be easy. Something is definitely better than nothing and even a partial SBoM for a product is better than no SBoM.

If you need assistance, please contact us.