100 Million Devices Vulnerable and Likely Never Patched

What could go wrong?

Rushing headlong to deploy billions of Internet of Things devices with no regard to security doesn’t make the security problems go away.

Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

And, like all good vulnerabilities, it has a catchy name: NAME: WRECK.

While this particular bug does affect a lot of IoT devices, it also affects servers.

The servers are likely to get patched relatively quickly.

The IoT devices?  Well, when was the last time you patched your TV?

Oh, yeah, these vulnerabilities also affect industrial control equipment – like maybe your local water treatment plant or your local electric utility.

According to the researchers at Forescout and JSOF, the bug affects the following TCP stacks:

FreeBSD – this one is used by a whole lot of servers and will get fixed very quickly.

IPNet (AKA VxWorks 6.6) – used in the real-time VxWorks operating system, which is used in a lot of Internet of Things devices.

NetX – Part of the ThreadX real-time OS.  It is open source, but maintained by Microsoft as the Azure Real Time OS.

Nucleus Net – Part of the nucleus OS maintained by a division of Siemens.  It is used in medical devices, industrial control, aerospace, consumer devices and IoT devices.

Hackers who can exploit these bugs can take over the devices.  That means they could, potentially, disable alarm systems, mess with a water treatment plant or make all the elevators in a high-rise office go crazy (they won’t likely crash; that is controlled by a different system).  If the vulnerable software runs a city’s traffic lights, it could, possibly, turn all the lights red.  Or all green.

These are all speculative, but if the hackers control the system, they could do almost anything and even lock the real owners out of the system.

It looks like most of these software packages are maintained, and by big companies – Microsoft.  Siemens.  And while FreeBSD is not commercial, it is very well maintained.

The problem is this: the vast majority of these devices will never be patched, because people don’t even know they are vulnerable.  Some of those devices will be harmless, but others not so much.

Without a software bill of materials, no one knows what TCP/IP software is used in that smart TV.  Do you get the idea?

One thing that you can do is a really thorough job of segmenting your network, so a compromised device can’t reach anything that matters.  If you need help with that, contact us.

America’s Drinking Water – Easy to Poison

Well that is certainly not a comforting thought.

Last month the public water supply in a small town in Florida was hacked. Only PURE DUMB LUCK protected those citizens. Did the hacker use exotic unknown vulnerabilities to compromise the system? No. The city didn’t even have a firewall, was using software that was no longer being patched, and shared passwords that were never changed.

The mayor of the town declared victory. He said that the staff executed to perfection. In reality, they were lucky that an operator happened to see the hacker move the cursor on the screen after the hacker increased the amount of a poisonous chemical being added to the water by 100 times. This is not perfection. This is more like “thankfully, we are not overseeing a mass funeral.”

Experts say that these very basic protections are missing in many of the country’s 150,000 public water systems.

Admiral Frank Montgomery, executive director of the Congressionally chartered Cyberspace Solarium Commission, likened it to a pilot landing after an engine caught fire in mid-air. Thankfully, we averted a major disaster.

The city claims that they have redundant electronic monitors at the plant to protect citizens. So did the utilities in Ukraine, but that didn’t stop the Russians from blowing up that pipeline several years ago.

The problem does get ugly from time to time (and smelly).

In 2000, a former municipal wastewater contractor in Australia, rejected for a city job, remotely manipulated computer control systems to release 264,000 gallons of raw sewage, which poured into public parks, turned creek water black, spilled onto the grounds of a Hyatt Regency Hotel and generated a stench that investigators called “unbearable.”

This is not news.

As long ago as 2011, Homeland Security warned that hackers could gain access to American water systems using free and easily available Internet tools.

Booz Allen Hamilton said, in 2019, that America’s water utilities are a perfect target for cyberattacks.

And the Cyberspace Solarium Commission last year said that America’s water systems “remain largely ill-prepared to defend their networks from cyber-enabled disruption.”

But Congress fixed the problem in a 2018 law. Now every US water system serving more than 3,300 customers has to conduct a self-assessment of risks. That makes me feel better already. Oh, yeah, the assessments are not due yet, over two years after the law was signed. Tens of thousands of small systems are exempt. These utilities don’t have to do anything with the report. They don’t have to submit it to anyone. They just have to pinky-promise the EPA that they did one. And Congress allocated $30 million to fix any problems. For those that don’t have a calculator handy, that is $200 for each of the 150,000 public water systems. That should handle it.

The EPA is not much better. They said that drinking water systems need $472.6 billion in long-term fixes, but didn’t mention cybersecurity even once.

Part of the problem is money. Another part is an industry full of old timers who understand water but are pretty clueless when it comes to cyber. Finally, regulators are asleep at the switch. None of this bodes well for our safety.

Bottom line is that these water systems are crossing their fingers and hoping nothing happens. While the odds are good in the aggregate, I suspect public opinion will change the first time we kill a few thousand people because we didn’t think it was going to happen here. Credit: Propublica

Security News for the Week Ending April 9, 2021

Ubiquiti All But Confirms Breach Story

As the stories about Ubiquiti’s really bad attempts to save their reputation after a breach earlier this year swirled, they were completely silent, other than a very short statement. Now they have posted a statement on their user forum that says that they have no evidence that customer information was accessed or even targeted. They do not say anything at all to refute the claims that were made that the reason they have no evidence is, well, because there were no log files being created. If you use a cloud provider, I recommend reading this story because it points out the joint responsibility you have. In this case, it is alleged that Ubiquiti’s bad cyber hygiene practices put their customers’ networks at risk. Credit: Brian Krebs

Is This a Breach: Terabytes of OnlyFans Data Leaked Online?

OnlyFans is an online platform for content creators to share content for a monthly subscription fee. The content creators are typically so-called social influencers and adult performers (OK, no jokes, these two are not the same, although there certainly is some overlap). There is content from almost 300 creators/performers and at least one of the folders is over 10 gigabytes, so it looks like maybe, in total, a couple of terabytes of content. Google will only take down files if the performer identifies a specific file and says that they own the copyright to it. A bit of a mess, but OnlyFans says they were not hacked. Credit: Bleeping Computer

Police Say White Supremacists and Conspiracy Theorists Target Cell Towers

The New York Police Department says that cell towers and other critical infrastructure have become an attractive target for conspiracy theorists, especially after the recent election. The Police Department says that conspiracy theorists and far-right white supremacist groups increasingly target critical infrastructure to incite fear, disrupt essential services, and cause economic damage within the United States and abroad. Sounds like the definition of a terrorist to me. Right now we are seeing isolated damage, but it is costing tens of thousands of dollars per incident – that you get to pay to repair – and also causing service outages. Remember, for the most part, the only thing between a terrorist and critical infrastructure is a chain link fence and a padlock. The most recent case of that was the terrorist in Nashville who blew up a telephone company office and caused tens of millions of dollars of damage. That is the most that is in their way. Credit: The New York Times via the Intercept. https://theintercept.com/2021/03/17/5g-white-supremacists-conspiracy-theorists-critical-infrastructure/

LG Promises 3 Years of Security Updates After Pulling Out of Phone Biz

South Korean phone maker LG, always an also-ran in the phone biz, called it quits this week. However, they plan to provide both version and security updates for up to three years, depending on the model. The updates are based on when you bought the phone, not when the model was originally released, so this is actually good news for LG phone owners. Credit: The Record

Ex-GCHQ Staff Recommend Banning Ransomware Payments to Kill Off Ransomware

Several ex-GCHQ staffers (GCHQ is like our NSA) suggest a law banning insurance companies from paying ransoms, in order to kill off the ransomware market. That would probably have some positive effect on it, but it is unlikely to actually kill it off. The other half of that law, however, needs to make the government pay the difference in cost between paying the ransom and not paying the ransom. For example, if the ransom demand is $250k and rebuilding the computers, restoring what data you have and replacing the lost business for the data that you don’t have will cost you $2 million, the gov needs to fork over the other $1.75 million. While I am not a fan of paying ransoms, this is not the right solution. What we have started to see, but need to see more of, is insurance companies declining to provide coverage to companies with inadequate security. This does not require any laws and will make companies deal with the externalities (this is the insurance company’s problem, not mine). Credit: The Register

Credit Agency Says Cyberattacks Could Lower Your Credit Rating

Fitch Ratings, one of the big creditworthiness ratings firms for businesses, published an alert today regarding the impact of cyberattacks on an organization’s creditworthiness.

Their ratings affect an organization’s ability to borrow money because they are worried that unexpected events like cyberattacks could pose financial and operating risks that ultimately affect an organization’s ability to repay debt.

I am sure that this is purely a coincidence, but in the last 30 days a man was arrested after hacking into a Florida water system and raising the chemical settings high enough to kill everyone in the town who drank the water and also the feds indicted a Kansas man for hacking into a local water system in 2019 and attempting to poison the town.

Fitch, I suspect in response, said (connecting their dots; they were much more polite) that water and sewer districts might not be able to pay back their debts if everyone in their town was killed by a hacker.

Or even if just some people were killed by the hacker.

Or even if they just had to spend a lot of money to make sure that everyone in the town wasn’t killed by a hacker.

You get the idea.

In this particular alert Fitch is talking about water and sewer districts, but the extension to other businesses is only logical.

Here is the rest of the Fitch story:

Event risks like cyberattacks are considered asymmetric risks per Fitch’s criteria, and are viewed through the lens of the response of management and sufficiency of governance systems and protocols to deflect or absorb the risk. Management and governance is typically neutral to credit, but could be considered credit negative if utilities lack capacity to adequately manage cyber risk or if there are concerns related to transparency, communication or reputational damage following a cyberattack.

Logically, you can replace the word UTILITIES with BUSINESSES.

Fitch continues:

Fitch assesses a utility’s financial flexibility and its relative capacity to repay debt and other liabilities. Therefore, unexpected costs related to cyber breaches could weaken liquidity metrics and constrain a utility’s overall financial profile assessment per Fitch’s criteria. Emergency efforts to combat cyberattacks could reduce cash reserves and/or increase operating expenses, decreasing funds available for debt service. Unanticipated debt financing to support cyber infrastructure or to capitalize cyber losses could also weaken leverage metrics.

Bottom line, the ratings agencies are starting to understand that the value of an organization can be materially affected by its preparation for a cybersecurity event. Banks and other lenders look to the ratings agencies to understand their risk as well, even if you are not specifically rated by one of the agencies.

While this shift towards factoring cyber risk into credit risk is not going to happen overnight, it has begun.

Credit: Fitch Ratings

NSA Says They Have A Big Blind Spot

NSA Director General Paul Nakasone testified before the Senate Armed Services Committee about the recent SolarWinds and Microsoft Exchange hacks. He said that foreign hackers are taking advantage of the Intelligence community’s blind spot – adversaries working INSIDE the United States.

Our adversaries can come into the United States, set up shop on the web, do their damage and be gone before a warrant can be issued – before we can have actual surveillance by a civilian authority.

To be clear, a warrant does not need to take a lot of time to get approved, but the NSA don’t need no stinking warrant. What is different is the FBI and others, most of the time, do need to get a warrant and getting a warrant requires probable cause and probable cause takes time to find. That is a constitutional problem, however. After 9/11, we did a whole bunch of new surveillance and some of that was ruled unconstitutional by the Supreme Court, but not until years later.

The problem is that no one – neither foreign nor domestic – seems to have had any visibility into what the hackers were doing. In fact, neither law enforcement nor the intelligence community actually detected these attacks.

Nakasone said that we can’t connect the dots because we can’t see all the dots. Unlike dictatorships, in the US, we have separation of responsibilities and that does make things more difficult for those people who are tasked with protecting us.

While the NSA can legally intercept almost any signals that they are able to see internationally, inside the U.S., the FBI and others generally require a warrant to access information.

Of course the FBI and the NSA do not need any warrant to intercept traffic inside the government because the government can give them permission to do whatever they like. Given that the government was a major target, that seems like an important piece of information. The executive branch could have collected as much data as they wanted to using existing laws. Did they miss something? Could they have done something differently? Would that have changed the outcome? I don’t know the answer to any of these questions, but they are useful questions to ask.

Some folks – notably NOT General Nakasone – have suggested that the NSA needs to be allowed to spy inside the United States. That presents some minor legal problems, most notably the fourth amendment to the US Constitution.

Other people have suggested that even if we had allowed the NSA to spy on Americans in America, there is no indication that they would have detected these attacks. They might have. Or might not have.

Of course, if the private sector had a way to share their intelligence with the government in a way that protects Americans’ rights and protects the companies that share their data with the government.

I don’t think there is an easy answer. Sometimes the hackers are good – especially when they are using an unlimited bank account, as is often the case with state sponsored hacking.

The feds have been talking about a bill that would require companies to tell the gov about an attack, but that would be after the fact and that probably would not have helped in this case.

Still, we have to put our collective thinking caps on and try to figure out a solution. After 9/11 we came up with some reactionary responses and we are still arguing about the impact of that twenty years later. This time we should probably think about the long-term implications. But we do need to think. Credit: The Cybersecurity 202/Washington Post

Are You Ready for CCPA?

CCPA went into effect just over a year ago. Now we have some history on it.

DataGrail is a vendor that helps companies like OVERSTOCK and OKTA respond to those CCPA requests. They have fulfilled millions of “data subject requests” for their clients. Here is what they found.

46% of the requests were to tell companies that the consumer did not want their data sold to a third party (the so called DO NOT SELL MY DATA).

One third of the requests were to delete the consumer’s data.

The average business to consumer company received 137 requests per million identities. That is a tiny percentage – like .01 percent.

Side note: Gartner says that companies who manually process requests spend $1,406 per request.

Nearly half of the requests go unverified, meaning that companies have to spend time and money – for nothing.

Organizations that use a form with a Captcha get significantly fewer spam requests.

DataGrail’s report says:

“The companies that are transparent and those that can win trust will be the big winners in the new privacy era,” noted Barber. “Proactively embracing good privacy practices doesn’t have to be a death sentence to profit margins. Forward-thinking companies have figured out how to make a strong privacy stance work for people and their business.”

Now that Virginia has its own version of CCPA and Florida and Texas are on the verge, this might be a good time to wrap your arms around privacy. Credit: Help Net Security

The report can be found at DataGrail