Category Archives: Security Practices

100 Million Devices Vulnerable and Likely Never Patched

What could go wrong?

As we rush headlong to deploy billions of Internet of Things devices with no regard to security, that doesn’t make security problems go away.

Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

And, like all good vulnerabilities, it has a catchy name: NAME: WRECK.

While this particular bug does affect a lot of IoT devices, it also affects servers.  

The servers are likely to get patched relatively quickly.

The IoT devices?  Well, when was the last time you patched your TV?

Oh, yeah, these vulnerabilities also affect industrial control equipment – like maybe your local water treatment plant or your local electric utility.

According to the researchers at Forescout and JSOF, the bug affects the following TCP stacks:

FreeBSD – this one used used by a whole lot of servers and will get fixed very quickly.

IPNet (AKA VxWorks 6.6) – used the the real time VxWorks operating system, which is used in a lot of Internet of Things devices.

NetX – Part of the ThreadX real time OS.  It is open source, but maintained by Microsoft as the Azure Real Time OS.  

Nucleus Net – Part of the nucleus OS maintained by a division of Siemens.  It is used in medical devices, industrial control, aerospace, consumer devices and IoT devices.

Hackers who can exploit these bugs can take over the devices.  That means they could, potentially, disable alarm systems, mess with a water treatment plant or make all the elevators in a high rise office go crazy (they won’t likely crash;  that is controlled by a different system).  If the vulnerable software runs a city’s traffic lights, it could , possibly, turn all the lights red.  Or all green.

These are all speculative, but if the hackers control the system, they could do almost anything and even lock the real owners out of the system.

It looks like most of these software packages are maintained.  By big companies – Microsoft.  Siemens.  And while FreeBSD is not commercial it is super maintained.

The problem is this.

DO YOU EVEN KNOW IF THE SYSTEMS IN YOUR COMPANY ARE RUNNING THIS SOFTWARE?  BY SYSTEMS I MEAN THAT CAMERA IN THE CORNER THAT YOU BOUGHT SOMEWHERE FIVE YEARS AGO OR THAT COOL NEW COFFEE MAKER WITH AN APP ON YOUR PHONE OR YOUR TV OR THE AIR CONDITIONING SYSTEM OR WHATEVER.

That is the problem.  The vast majority of these devices will never be patched.  Because people don’t even know they are vulnerable.  Some of those devices will be harmless, but others not so much.

Without a software bill of materials no one know what TCP/IP software is used in that smart TV.  Do you get the idea?

One thing that you can do is a really strong job of segmenting your network.  If you need help with that, contact us.

Credit Agency Says Cyberattacks Could Lower Your Credit Rating

Fitch Ratings, one of the big creditworthiness ratings firms for businesses, published an alert today regarding the impact of cyberattacks on an organization’s creditworthiness.

Their ratings affect an organization’s ability to borrow money because they are worried that unexpected events like cyberattacks could pose financial and operating risks that ultimately affect an organization’s ability to repay debt.

I am sure that this is purely a coincidence, but in the last 30 days a man was arrested after hacking into a Florida water system and raising the chemical settings high enough to kill everyone in the town who drank the water and also the feds indicted a Kansas man for hacking into a local water system in 2019 and attempting to poison the town.

Fitch, I suspect in response, said (connecting their dots, they were much more polite) that water and sewer districts might not be able pay back their debts if everyone in their town was killed by a hacker.

Or even if just some people were killed by the hacker.

Or even if they just had to spend a lot of money to make sure that everyone in the town wasn’t killed by a hacker.

You get the idea.

In this particular alert Fitch is talking about water and sewer districts, but the extension to other businesses is only logical.

Here is the rest of the Fitch story:

Event risks like cyberattacks are considered asymmetric risks per Fitch’s criteria, and are viewed through the lens of the response of management and sufficiency of governance systems and protocols to deflect or absorb the risk. Management and governance is typically neutral to credit, but could be considered credit negative if utilities lack capacity to adequately manage cyber risk or if there are concerns related to transparency, communication or reputational damage following a cyberattack.

Logically, you can replace the word UTILITIES with BUSINESSES.

Fitch continues:

Fitch assesses a utility’s financial flexibility and its relative capacity to repay debt and other liabilities. Therefore, unexpected costs related to cyber breaches could weaken liquidity metrics and constrain a utility’s overall financial profile assessment per Fitch’s criteria. Emergency efforts to combat cyberattacks could reduce cash reserves and/or increase operating expenses, decreasing funds available for debt service. Unanticipated debt financing to support cyber infrastructure or to capitalize cyber losses could also weaken leverage metrics.

Bottom line, the ratings agencies are starting to understand that the value of an organization can be materially affected by its preparation for a cybersecurity event. Banks and other lenders look to the ratings agencies to understand their risk as well, even if you are not specifically rated by one of the agencies.

While this shift towards factoring in cyber risk to credit risk is not going to shift overnight, the shift has begun.

Credit: Fitch Ratings

NSA Says They Have A Big Blind Spot

NSA Director General Paul Nakasone testified before the Senate Armed Services Committee about the recent SolarWinds and Microsoft Exchange hacks. He said that foreign hackers are taking advantage of the Intelligence community’s blind spot – adversaries working INSIDE the United States.

Our adversaries can come into the United States, set up shop on the web, do their damage and be gone before a warrant can be issued – before we can have actual surveillance by a civilian authority.

To be clear, a warrant does not need to take a lot of time to get approved, but the NSA don’t need no stinking warrant. What is different is the FBI and others, most of the time, do need to get a warrant and getting a warrant requires probable cause and probable cause takes time to find. That is a constitutional problem, however. After 9/11, we did a whole bunch of new surveillance and some of that was ruled unconstitutional by the Supreme Court, but not until years later.

The problem is that no one – neither foreign not domestic, seems to have had any visibility into what the hackers were doing. In fact, neither law enforcement nor the intelligence community actually detected these attacks.

Nakasone said that we can’t connect the dots because we can’t see all the dots. Unlike dictatorships, in the US, we have separation of responsibilities and that does make things more difficult for those people who are tasked with protecting us.

While the NSA can legally intercept almost any signals that they are able to see internationally, inside the U.S., the FBI and others generally require a warrant to access information.

Of course the FBI and the NSA do not need any warrant to intercept traffic inside the government because the government can give them permission to do whatever they like. Given that the government was a major target, that seems like an important piece of information. The executive branch could have collected as much data as they wanted to using existing laws. Did they miss something? Could they have done something differently? Would that have changed the outcome? I don’t know the answer to any of these questions, but they are useful questions to ask.

Some folks – notably NOT General Nakasone – have suggested that the NSA needs to be allowed to spy inside the United States. That presents some minor legal problems, most notably the fourth amendment to the US Constitution.

Other people have suggested that even if we had allowed the NSA to spy on Americans in America, there is no indication that they would have detected these attacks. They might have. Or might not have.

Of course, if the private sector had a way to share their intelligence with the government in a way that protects Americans’ rights and protects the companies that share their data with the government.

I don’t think there is an easy answer. Sometimes the hackers are good – especially when they using an unlimited bank account as is often the case with state sponsored hacking.

The feds have been talking about a bill that would require companies to tell the gov about an attack, but that would be after the fact and that probably would not have helped in this case.

Still, we have to put our collective thinking caps on and try to figure out a solution. After 9-11 we came up with some reactionary responses and we are still arguing about the impact of that twenty years later. This time we should probably think about the long term implications. But we do need to think. Credit: The Cybersecurity 202/Washington Post

Feds Reveal Plans for Improving Cybersecurity

After SolarWinds and after the Microsoft Exchange attacks, the feds have begun to outline their plans to improve cybersecurity. While there are no silver bullets in this business, it is a nice change to see the feds actively working to improve things.

The way the feds have worked things in the past is to use the federal government’s buying power to create change and it looks like this might happen again.

Modelled after Singapore’s system, one thing that the feds are CONSIDERING is a vendor and product cybersecurity rating system. Details will follow in future executive actions.

It also include adding members of the private sector to the war. After the Exchange attacks, the feds stood up the National Security Council’s UNIFIED COORDINATION GROUP. Legally the UCG could have always included private industry but historically, in a manner that could only make sense to the government, they always knew better – even though the GAO says the federal government security is a disaster and private industry was never included.

The feds also say that they plan to continue “timely alerts” like the warning put out by the national security advisor after the Microsoft Exchange hack – their first ever tweet.

The UCG has been meeting for the last three weeks, handing out assignments and checking homework. Something that CISA has had only modest success in doing in the past. In this case, coming from the National Security Council probably adds the weight of the White House to encourage compliance.

The UCG has also identified “significant gaps in modernization [I think the IRS is using software developed in the 1980s] and in technology of cybersecurity across the federal government”.

The recently signed into law Covid relief bill includes a billion dollars for the feds to modernize technology that they use, $650 million for CISA to improve the fed’s cybersecurity practices and $200 million for the U.S. Digital Service, a tech team in the executive office of the President. There are also other tech related funds in the new law. Credit: The Register

Security News for the Week Ending March 12, 2021

Encrypted Phone Firm Sky ECC “Hacked” by Police

Police have arrested 48 people and confiscated 14 tons of Cocaine and over a million Euros, after decrypting a half billion messages and listening in on the bad guys for several weeks. The phone company said that they don’t think the encryption was cracked, but rather, they think the police seeded a bunch of phones with a fake version of the app which had a back door and then sold the phones as secure. Once they were able to seed these phones into the criminals hands, it was easy (relatively) to decrypt the messages. I don’t have any sympathy for the crooks and very clever on the part of the police. Credit: Vice

FBI Warns of Far-Right Extremists Infiltrating Law Enforcement

The FBI issued a private warning that far right extremists including neo-Nazis are infiltrating law enforcement agencies and even the military in Texas and around the nation. They are doing this for two reasons. One is to find out what intelligence has been gathered on their organizations and second to learn techniques and practices (tradecraft) to use against the police and military if they need to. Evidence that this can be seen by the arrests of law enforcement officers for participating in the Capitol insurrection in January. Credit: Dailykos

UK Proposes Law to let Police Hoover Up Your Phone – If They Ask Nicely

A new UK bill was introduce that would allow the police and others to vacuum up all the data in your phone if you hand it over voluntarily. This comes after a year when the police were accused of vacuuming up too much data from phones which were handed over. People who do let the police extract everything from their phones are given no protections whatsoever. The data can be kept for up to 100 years. They will also introduce a “code of practice”, which while legally binding, is much less binding than a law. Victims of rape are being told that the cops will not proceed with prosecuting the criminals if the victim doesn’t consent to a “digital strip search” . Interesting definition of voluntary. Credit: The Register

Microsoft Removes Proof Of Concept Attack Code Against Microsoft Product from Github

Researchers often share so-called proof of concept code for exploiting bugs. In this case, the code showed how to exploit Microsoft Exchange and Microsoft decided to remove it from GitHub, the public code repository. Surprisingly, Microsoft owns Github and Microsoft has never removed any other Proof of Concept code from GitHub before. The removal is stupid and ham-handed because the code is available at a dozen other repositories anyway and it makes Microsoft look like they are trying to protect their own ass. They said that while they had patched the 10+ year old bugs, finally, the patches had not been out long enough. That might make sense if the code wasn’t available at a lot of other places. Credit: The Register

AMCA Settle Breach Lawsuit with State AGs for $21 Million

Medical debt collection agency AMCA settled a multi-state lawsuit filed by multiple Attorneys General for $21 million, but since they are in bankruptcy, the fine is suspended. They filed for bankruptcy after the breach. They said they spent $4 million as a result of the breach and had to take out a $2.5 million loan from their CEO to pay for that. I gather from this that they had no insurance (really?). In the mean time, there are numerous other lawsuits, so this is far from over. Credit: Cyberscoop and HIPAA Journal

SBoM is NOT a Four Letter Word

I have been ranting about Software Bills of Material or SBoM for a while. This week I have two examples of why this is important – even critical.

The first story is about a TCP/IP network stack and the vulnerability is called Amnesia:33. It impacts four open source libraries – uIP, FNET, picoTCP and Nut/Net. Contrary to some opinions, these open source, free TCP libraries are not only NOT bug-free, they are vulnerable to remote code execution, denial of service, information leaks and DNS cache poisoning.

The impact of these vulnerabilities depends on how the device is used, whether it is publicly visible and other factors.

The code is used, THEY THINK, by at least 150 different vendors on an unknown number of products. The researchers at Forescout think that at least a million devices are impacted, but that, along with the number of vendors impacted is mostly a guess. The vendor count is likely much higher as these were vendors they were able to identify.

Since these vendors (and most others) do not have a Software Bill of Materials process – EVEN INTERNALLY TO THE COMPANIES -, most vendors are scrambling to figure out which products and which product versions use the impacted software. Credit: Forescout Research

In many cases, the IoT and IIoT devices are out of warranty and will never be patched and since the companies and people who bought these devices do not have a Software Bill of Material which would, at least, tell them if they have an affected device, so that they could decide if they want to replace the vulnerable devices, the hackers will have a field day.

The second case is for Gnu TLS. Gnu TLS is a free, open source TLS (HTTPS) library that has been around for 17 years and is used in a lot of software. It turns out that GnuTLS 3.6.x before 3.6.14 uses “incorrect cryptography”, which is a nice way to say that the crypto can be trivially bypassed.

So now all you have to do is figure out which of the hundreds of software products in your organization use this library. A few of the well known products that use GnuTLS are apt; cadaver, which is WebDAV, essentially; cURL; Wget; Git; GNOME; CenterIM; Exim; WeeChat; MariaDB; Mandos; Mutt; Wireshark; Rsyslog; slrn; Lynx; CUPS; gnoMint; GNU Emacs; Slapd; Samba; the Synology DiskStation Manager; OpenConnect; and a whole bunch of various VNC implementations.

So since everyone received a Software Bill of Material (SBoM) with the very most recent version of each product you use and that list is in a standardized form that you can import into a spreadsheet or database, it is each to determine which products use GnuTLS 3.6.x where x is less than 14.

Obviously, I am being sarcastic here. I know of no manufacturers that provide computer readable SBoMs to their customers, but there is help in the wings.

The federal government is working on an SBoM standard. While you say that might not help you, consider this. NIST is required to define standards for IoT and IIoT that the government buys. It is likely that SBoM will be one of those requirements. If a company like, say, Wireshark from the list above wants to continue to be able to offer their hardware to the government, they would have to provide an SBoM, assuming NIST goes this route. If they provide an SBoM to the government then you should be able to get a copy too. Credit: Security Now

These are only two examples from this month alone of the problem. The problem is massive and most companies are not prepared to deal with it.

Companies should create a SBoM plan, understanding that this is going to be a work in progress for a while. The first place to start is with ALL internally developed and custom third party software. Getting the information for these products should be easy. Something is definitely better than nothing and even a partial SBoM for a product is better than no SBoM.

If you need assistance, please contact us.