All posts by Buster5252

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year, both in cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening to throw people in jail if they pay ransoms to terrorists. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

SolarWinds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high-end network management software called Orion from SolarWinds. This software is typically used by large enterprises and government agencies. The hack gave them access to emails and other data inside those businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department, along with an unknown number of private companies. SolarWinds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company to admit it had been hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three unidentified states were also among the hacked, while The Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security agency inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and likely had additional initial attack vectors besides SolarWinds.

This means that every company, not just the 18,000 SolarWinds customers, needs to be on high alert until we figure out the scope of the breach.

Tom Bossert, former national security advisor in the White House, says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe?

The only sure way to deal with this is to build an entirely new network, with entirely new servers and other equipment, alongside the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But let’s assume that this is only the tip of the iceberg, that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part this is because the logs were not tracking everything, and because detection took so long, many of the older log files have already been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.

The Strategy is “Wait to get Hacked and then Panic”

As millions upon millions of IoT and Industrial IoT devices get deployed every month, we seem to have forgotten what we learned the hard way about our computers: if we don’t patch them, the hackers will invade.

#1: A set of bugs called Urgent/11 affected a network module that has been around since the 90s and is in use by a couple hundred million IoT and IIoT devices. No important devices, just ones that control factories and hospitals. While the vendor released a patch for the bugs, this software is buried deep in systems where the hospitals and factories have no clue it even exists and the vendor that they bought the system from stopped patching it – if they ever did – years or decades ago. As a result, millions of devices – possibly as many as 97% of the affected devices – are still not patched and likely never will be. Credit: Threatpost

#2: Amnesia:33 is another set of bugs, again in networking software. This time the software is open source, meaning there is no vendor to go to for patches. The researchers have already identified over 150 vendors who used the software at some time. Again this affects millions and millions of devices like cameras, badge readers and factory equipment. And again, most of these devices will never be patched. Credit: ZDNet

#3 is the Ripple20 family of bugs. This family of 19 bugs was discovered earlier this year. It affects, again, a networking software module that is used in IoT and IIoT devices. Again, the vendor has released patches but most devices will never be patched. The number of impacted devices is estimated to be “in the hundreds of millions”. Credit: ZDNet

The number of devices affected by these bugs is not much of a surprise given the estimate of 75 billion connected devices by 2025.

Given that software licenses provide a “get out of jail free” card to software companies, there is no reason to expect this is going to change any time soon.

Unless, maybe, we have an attack similar to this week’s SolarWinds announcement, which may have compromised the information of as many as 18,000 businesses and government agencies (I can just hear the class action attorneys jumping for joy).

In this case, a lot of sensitive information will be analyzed in Moscow and used against us for decades. The good news is that these organizations will close the hole. Granted it is after the horse is out of the barn and the barn burned down, but it will get closed.

But what if North Korea decides to use these IoT bugs to, say, blow up factories? After all, the Russians blew up an oil pipeline in Ukraine a few years ago because they were mad at the Ukrainian government. This is not so far-fetched.

Or maybe the Chinese will decide to, say, turn off all of the ventilation in hundreds of hospitals. Or worse. Certainly possible.

That probably (hopefully? maybe?) keeps the folks that run these businesses up at night and may cause them to do something about it.

But when it comes to consumers, to be honest, all they care about is the price and whether it does what they want it to do.

Until it damages their home or apartment or car. By the way, insurance likely does not cover this sort of damage – ask your agent. So if a nation state decides to launch an attack on the consumer base and it damages your car or home or apartment, you may be facing a large bill.

There is no simple answer, but make sure that your vendor is going to patch your device FOR AS LONG AS YOU PLAN TO OWN IT (note that a one year warranty is not terribly useful for an appliance that you plan to keep for, say, ten years).

Something to consider before falling in love with that bright, shiny new IoT thingy. I just bought a new washing machine. It comes with an app for my phone. So that I can start the washer remotely. Really? Do I need that? Nope, not going to connect it.

SBoM is NOT a Four Letter Word

I have been ranting about Software Bills of Materials, or SBoMs, for a while. This week I have two examples of why this is important – even critical.

The first story is about TCP/IP network stacks, and the set of vulnerabilities is called Amnesia:33. It impacts four open source libraries – uIP, FNET, picoTCP and Nut/Net. Contrary to some opinions, these free, open source TCP libraries are not only NOT bug-free, they are vulnerable to remote code execution, denial of service, information leaks and DNS cache poisoning.

The impact of these vulnerabilities depends on how the device is used, whether it is publicly visible and other factors.

The code is used, THEY THINK, by at least 150 different vendors in an unknown number of products. The researchers at Forescout think that at least a million devices are impacted, but that, along with the number of vendors impacted, is mostly a guess. The vendor count is likely much higher, since these are only the vendors they were able to identify.

Since these vendors (and most others) do not have a Software Bill of Materials process – EVEN INTERNALLY TO THE COMPANIES – most vendors are scrambling to figure out which products and which product versions use the impacted software. Credit: Forescout Research

In many cases the IoT and IIoT devices are out of warranty and will never be patched. And since the companies and people who bought these devices do not have a Software Bill of Materials, which would at least tell them whether they own an affected device so they could decide whether to replace it, the hackers will have a field day.

The second case is GnuTLS. GnuTLS is a free, open source TLS (HTTPS) library that has been around for 17 years and is used in a lot of software. It turns out that GnuTLS 3.6.x before 3.6.14 uses “incorrect cryptography”, which is a nice way to say that the crypto can be trivially bypassed.

So now all you have to do is figure out which of the hundreds of software products in your organization use this library. A few of the well known products that use GnuTLS are apt; cadaver, which is WebDAV, essentially; cURL; Wget; Git; GNOME; CenterIM; Exim; WeeChat; MariaDB; Mandos; Mutt; Wireshark; Rsyslog; slrn; Lynx; CUPS; gnoMint; GNU Emacs; Slapd; Samba; the Synology DiskStation Manager; OpenConnect; and a whole bunch of various VNC implementations.

So since everyone received a Software Bill of Materials (SBoM) with the very most recent version of each product they use, and that list is in a standardized form that you can import into a spreadsheet or database, it is easy to determine which products use GnuTLS 3.6.x where x is less than 14.

Obviously, I am being sarcastic here. I know of no manufacturers that provide computer-readable SBoMs to their customers, but there is help in the wings.
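If machine-readable SBoMs did arrive, the check the two stories above call for (which products carry one of the Amnesia:33 stacks, which carry GnuTLS 3.6.x with x below 14) is a short script. The following is an added example, not code from this post, from Forescout or from the GnuTLS project; the SBoM rows, product names and the simplified two-field record layout are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed, simplified SBoM records: one row per component found in a
# product. Real SBoM formats carry many more fields; "name" and "version"
# are all this check needs. Product and component values are made up.
SAMPLE_SBOM = [
    {"product": "mail-gateway-2.4", "name": "gnutls", "version": "3.6.13"},
    {"product": "mail-gateway-2.4", "name": "openssl", "version": "1.1.1g"},
    {"product": "monitoring-agent-9", "name": "GnuTLS", "version": "3.6.14"},
    {"product": "legacy-kiosk-1.0", "name": "gnutls", "version": "3.5.19"},
    {"product": "build-server-7", "name": "gnutls", "version": "3.6.7-4ubuntu3"},
    {"product": "badge-reader-fw-2", "name": "uIP", "version": "1.0"},
    {"product": "camera-fw-11", "name": "picoTCP", "version": "1.7.0"},
]

# What to look for. GnuTLS: 3.6.x with x below 14, as the text states.
# Amnesia:33 stacks: the text names the libraries but no version range,
# so any version of those four is flagged for a closer look.
ADVISORIES = [
    {"id": "GnuTLS 3.6.x < 3.6.14", "name": "gnutls",
     "min": (3, 6, 0), "max_exclusive": (3, 6, 14)},
    {"id": "Amnesia:33", "name": "uip"},
    {"id": "Amnesia:33", "name": "fnet"},
    {"id": "Amnesia:33", "name": "picotcp"},
    {"id": "Amnesia:33", "name": "nut/net"},
]


def parse_version(text: str) -> tuple:
    """Turn '3.6.7-4ubuntu3' into (3, 6, 7); the distro suffix is ignored.
    Short versions are zero-padded so '3.6' compares as (3, 6, 0)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def matches(component: dict, advisory: dict) -> bool:
    """True when the component's name (case-insensitive) and version fall
    inside the advisory; a name-only advisory matches every version."""
    if component["name"].lower() != advisory["name"]:
        return False
    if "min" not in advisory:
        return True
    version = parse_version(component["version"])
    return advisory["min"] <= version < advisory["max_exclusive"]


def affected_products(sbom: Iterable[dict], advisories=ADVISORIES) -> dict:
    """Map each affected product name to the set of advisory ids it trips."""
    hits: dict = {}
    for component in sbom:
        for advisory in advisories:
            if matches(component, advisory):
                hits.setdefault(component["product"], set()).add(advisory["id"])
    return hits


if __name__ == "__main__":
    for product, ids in sorted(affected_products(SAMPLE_SBOM).items()):
        print(f"{product}: {', '.join(sorted(ids))}")
```

Note that 3.6.14 itself and 3.5.19 are correctly left alone, while the distro-suffixed 3.6.7 build is still caught.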

The federal government is working on an SBoM standard. While you may say that will not help you, consider this. NIST is required to define standards for the IoT and IIoT devices that the government buys. It is likely that SBoM will be one of those requirements. If a company like, say, Wireshark from the list above wants to continue to be able to offer their hardware to the government, they would have to provide an SBoM, assuming NIST goes this route. If they provide an SBoM to the government then you should be able to get a copy too. Credit: Security Now

These are only two examples from this month alone of the problem. The problem is massive and most companies are not prepared to deal with it.

Companies should create an SBoM plan, understanding that this is going to be a work in progress for a while. The first place to start is with ALL internally developed and custom third-party software. Getting the information for these products should be easy. Something is definitely better than nothing, and even a partial SBoM for a product is better than no SBoM.

If you need assistance, please contact us.

Magecart Credit Card Skimmer – Gen 2

Magecart is a major (virtual) credit card skimming attack that has taken down the likes of British Airways and Ticketmaster, among tens of thousands of other sites. It works by somehow inserting malicious software into the web server that grabs the customer’s credit card info as they enter it on the web page. This can be done by exploiting an unpatched vulnerability on the web site, by compromising an admin’s credentials or by other methods.

Of course, web sites might be able to detect that malicious software has invaded its turf, so the hackers evolve.

Enter Magecart Generation 2.

Well, this is not literally true. This new software isn’t based on the Magecart code, but rather on the Magecart concept.

More than likely, the dirty work of stealing the card data is actually done on the customer’s machine, inside the browser, with code downloaded from the infected server. Because the data, possibly headed to North Korea, leaves from a consumer’s computer, which has almost no security, no logging, no auditing and no alerting, the odds of it being detected before the credit card is used fraudulently are very low.

Gen 2 is called Pipka, and one of its neat features (if you are a bad guy) is that it deletes itself from the web page’s code after it has done its dirty work, to make detection and even forensics much harder.

Pipka was discovered by Visa’s anti-fraud team.

They found it on the web server of an American merchant that had already been infected with a different bit of malicious credit card skimming code called Inter. People don’t learn.

In addition to this patient zero, Visa found the code on 16 more merchant sites. How many more sites are infected? Unknown.

Since this is an evolution (hence my calling it Gen 2), it is more sophisticated. It can decide which fields out of the website’s payment form the hacker wants; that data is encrypted and stored in a cookie (after all, a credit card number is only 16 characters, and in less than 100-200 characters you can have everything you need).

Since cookies fly around the Internet all the time and are often encrypted, they would fly under the radar.

As I said before, when the dirty work is done, it deletes itself, making it difficult for developers and investigators to find.

Of course, once a server is infected, the Visa investigators will eventually track it back to your infected server and that is when all hell will break loose.

In British Airways’ case, the FINE ALONE – never mind the mitigation, the reputation damage, the credit monitoring services, etc. – cost them $230 million.

All because they didn’t have controls in place to detect this malicious code. Because their security was not up to the job.

A lot of the sites that have been infected with Magecart are small. Museum gift shops, for example. A few are very well known brands.

If you accept credit cards online, it is up to you to protect yourself. Deal with it now or deal with it later. It tends to be a bit more expensive to deal with it later. Just sayin’.

Or wind up on the news. Source: CSOOnline

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds. It appears that was facilitated by the city’s choice not to spend money on IT and IT security. Now they are planning on spending about $18 million to fix the mess. Atlanta can afford that; smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem. In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site, the city-owned water delivery system stopped working because the control system was hacked and the water was contaminated? Or what if all of the traffic lights went green in all directions? Or red? What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free? You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked. Asking a vendor to fill out a form about their security and then checking the box that says it’s secure does not cut it. Not testing software for security bugs, both before the city buys it and periodically afterwards, doesn’t work either. We are already seeing that problem with city web sites that collect credit cards being hacked, costing customers (residents) millions. Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care, because cities are not requiring vendors to warrant that their systems are secure or to provide service level agreements for downtime. I promise that if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million to deal with it, the vendor gets to pay for that, vendors will change their tune. Or buy a lot of insurance. In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem. We have already seen information permanently lost. Depending on what that information is, that could get expensive for the city.

In most states, governments have some level of immunity, but that immunity isn’t complete, and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free. The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them, as well as the security and safety of those same citizens.

When people die because a city did not do appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs. Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security