How Long Does it Take to Fix Your Bugs?

The average time to weaponize a new bug is seven days. that means that you have about half that time to harden your system to that attack. Almost no one regularly patches serious bugs that quickly. In 2019 Threatpost said that it took organizations 102 days to patch (see link above). That was in 2019.

What has happened since then?

NTT Application Security says that the average time to fix is on the rise while the time for severe bugs is down a little bit.

NTT says the average time to fix vulnerabilities has dropped since last month from 205 days to 202 days.

Note that is basically double what it was in 2019. Down is a relative term.

That number is actually up since January 1. In January the average time was 197 days.

The average time to patch “high” vulnerabilities grew from 194 days in January to 246 days in June.

Remediation rates for critical vulnerabilities fell from 54% in January to 48% in June. The rate for high vulnerabilities fell from 50% at the beginning of the year to 38% at the end of June.

NTT is in the business of managing companies security, so they have a lot of actual data.

More than 65% of applications in the utilities sector had at least one serious bug throughout the year – exploitable bugs.

Given that it takes hackers no more than 7 days to figure out how to exploit bugs and it takes businesses 200+ days to deploy patches, it is not surprising that hackers can take down a gasoline pipeline or almost poison a water supply. Or ransom thousands of companies.

Even if the numbers were flat since January, which they are not, that still means 7 days for the hackers, 200 days for the defenders.

And the part about 65% of the applications in the utility sector were not fully patched during the entire year. That’s pretty scary.

Of course, there is almost no consequence for businesses to ignore the problem.

After all, they are the victims.

I’m not so sure.

Credit: ZDNet

How Does Your Lawyer Protect Your Data?

Law firms are a target for hackers. After all, what does a law firm do? They know where the proverbial bodies are buried.

Case in point.

Campbell Conroy & O’Neil, law firm to companies like Apple, Boeing, Exxon Mobil, Ford, Honda, IBM, Toyota and many others, suffered a breach.

They discovered the breach in February. They are not saying when the breach happened or how long the hackers were inside the company.

They are also not saying why it took them five months to report the breach. Depending on what states are affected, that could be a breach of state law.

They eventually figured out that they were hit by a ransomware attack. Possibly it took them several months to figure out what was taken. Maybe?

Among the data potentially stolen was names, dates of birth, driver’s license numbers, payment card info, medical info, health insurance info, biometric data and account credentials. Among other stuff.

Not to worry, however. The firm takes its responsibility to protect the data that they didn’t protect seriously.

And to show you how serious they are about your security, they are reviewing their policies and procedures and working to implement additional safeguards.

Of course, they are not saying what corporate information was taken that belongs to any of their Fortune 100 clients. They are not required to disclose that by law.

That brings me to the point of this post.

Your law firm or firms have a lot of sensitive information of yours. Potentially lawsuits, mergers and acquisitions, employee information, patent information and more.

Most law firms, in their standard boilerplate engagement letters say that security is hard and they are not responsible if anything bad happens.

Is that acceptable to you?

If not, then you need to be proactive.

Ask the firm about their security practices. Who is the firm is accountable for security?

How soon do they have to notify you if they have a breach? Five months is a long time. DoD requires their contractors to tell them within 72 hours.

Do they have cyber insurance? Who takes the lead in case of a breach?

There are lots of questions and, in many cases, law firms are either not prepared to answer your questions or don’t want the liability for their answers.

And, you want the answers in writing. Which they really won’t like.

Your call. How important is your information?

Credit: Campbell Trial Lawyers

Google Says They Don’t Sell Your Data – That is True, They Give it Away!

Google is being sued. Again. This is not news. What is news is why they are being sued.

Google says that they don’t sell your data. While that may be accurate, they do, according to a new lawsuit, give it away to anyone who wants it.

How does that work?

Google sells ads. While some of those ads are blind, meaning that the buyer does not know who it is being presented to, those ads don’t sell for much. My kids are fully grown. Showing me a diaper ad is not terribly useful to the diaper company. I am highly unlikely to buy any diapers any time soon.

Most ads are sold using Google’s real time bidding system. This bidding happens in a blink of an eye.

It works something like this.

You visit a web page. The site owner has a deal to buy ads from Google. While the page is loading, the site owner tells Google that it has a box that is so many inches by so many inches available.

They also tell Google everything they know about you. This includes everything the browser tells them like your system information and IP address and any other information the site owner has about you. Then Google adds information it knows about you based on other data they have collected from other sites you have visited and other data that they have bought.

So far, it would appear, they are not lying.

But they also have not sold any ads.

What happens next is this. Google provides all of this information to anyone who is bidding for ads at the moment. That entire collection of data is provided, free of charge, the lawsuit says, to all of the potential buyers.

In the blink of an eye, someone wins the bid and Google charges them and gives the ad to the website to display. This could be Facebook. Or your web site if you display ads.

But what happens to all that data that was sent to the losers?

According to the lawsuit, they get to keep it.

Some people bid on ads with the intention of NOT winning. All they want is your data. They offer to pay a penny knowing that they will never win. Maybe they have to shell out a few pennies if literally no one else bids.

After the bidding period (blink) is over, they can take that data, aggregate it and sell it. Or use it in some other way.

This is the crux of the lawsuit.

If there are a hundred bidders for that ad. Or a thousand – they all get to keep the data according to the plaintiffs.

You would think Google would care, but maybe, because they collect some much data every second, they don’t.

I guess we will see how this plays out in court. Credit: Law Street Media

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public outing, in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, managed by NERC and FERC, have done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and the remaining 8 were unknown as to how badly there were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches. In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even less morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.

Are You Ready for the Next Supply Chain Attack?

On Friday Title industry software and consulting provider was hit by a ransomware attack. Cloudstar operates 6 data centers and supports over 40,000 customer users. Now those customers are wondering what are they going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted as suggested in a Housing Wire article, no one knows if that is true or not. It is certainly possible that there were just another random victim after an employee clicked on a malicious link.

This particular software is core to the title business so it is not like a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that lives on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies who are affected by this attack likely must report this to their regulator as the assumption by the federal government is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), Fannie seems to be much more interested in regulated entitys’ ability to respond to a ransomware attack and continue to support their customers. This is yet another concern that companies need to be concerned about.

But take a step back from from the specifics of this supply chain attack. You likely have vendors that are critical to your business and which are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber breach attacks against service providers, companies need to prepare themselves for the possibility that they will be in the same boat as the customers of Cloudstar are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and potentially, face significant expenses.

Are you ready?

Additional info credit: The Title Report

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifcations over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA has not had an official chief for 8 months and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, was on the National Security Council staff at the White House and is a two time Bronze Star recipient, is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the Revil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom – they have a bit of a problem as in kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was all full of press releases that they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools; updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable, that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer