Category Archives: Security Practices

Security News for the Week Ending May 20, 2022

Flaw in uClibc Allows DNS Poisoning Attacks

A flaw in all versions of the popular C standard libraries uClibc and uClibc-ng can allow DNS poisoning attacks against target devices. The library is likely used in millions of Internet of Things devices that will never be patched and will always be vulnerable. This is where a Software Bill of Materials (SBOM) comes in handy: it tells you which of your devices actually contain the library. Credit: ThreatPost

Cyberattack on Hawaii Undersea Cable Thwarted

Homeland Security thwarted an attempted hack of an undersea cable that connects Hawaii with other parts of the Pacific region. While Homeland is not releasing any details of the attempted attack, if the attack had shut down traffic, that would have been really bad for the region. Just one cable, for example, the Hawaiki Transpacific Cable, runs for 15,000 km and has a capacity of 67 terabits per second. Credit: Star Advisor

Will the Mickey Mouse Protection Law Go Up in Flames

Full disclosure: I have never been a fan of this law, so if it goes away, it won’t bother me. As some Republicans try to hurt Disney (trying to abolish the Reedy Creek special district, for example), Senator Hawley (R-Mo) introduced legislation to roll back the insane copyright “terms” that companies have used to make money off characters created a century ago. The downside of Hawley’s move is that it likely will anger a lot of people who make money off that 120 year copyright term and they might choose to make donations to the other team to get even. Given that Washington runs on “contributions” and those donors are likely going to explain that fact, I would say the odds of this passing are not great, but who knows. Credit: MSN

Feds Write Memo That Says They Pinky Promise Not to Charge Security Researchers Under CFAA

Sometimes I probably come across as cynical. That is because I am. While it is great that finally the DoJ wrote a memo that says that they are not going to charge security researchers for finding security holes, that memo only has just a little bit more weight of law than if I wrote that memo. There is nothing binding on the DoJ. Still, I guess, it is better than nothing. Credit: The Daily Swig

Sanctions Have Some Effect on Russia’s Tech Sector

Since Russia can no longer buy AMD and Intel processors, it had to find an alternative. The solution seems to be the KaiXian KX6640MA. This is an Intel-compatible chip, but it is a bit slow. One CPU benchmark site reported that the 4-core, 4-thread chip scored 1,566 points on its CPU benchmark. By comparison, an Intel Core i3, the slowest of the current Intel family, scored 14,427. Not exactly a match, and for anything that is time critical, that is a problem. Guess how you would feel if someone replaced your computer with one that was 1/10th as fast. Credit: PC Magazine

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (named Winnti or APT41) to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies. The companies compromised include some of the largest companies in North America, Europe and Asia. These attacks go back to at least 2019 and they have stolen intellectual property, R&D, diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal. Got a court order and everything. But, it was them she was spying against. The other problem she had was that there were dozens of other government officials who were also spied on, but it is not clear by whom. That includes the PM and Defense Minister. Their phones were declared spyware-free – but were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, sometimes referred to by the more polite term child sexual abuse material (CSAM), is hard. End-to-end encryption makes that even harder. One current EU proposal would require companies to scan all communications, meaning that end-to-end encryption would effectively be banned. It won’t technically be banned; it would just be impossible to offer it and comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would just encrypt the material before it is uploaded or use other methods. If we have learned one thing over the years, it is that bad guys adapt much more quickly than the law does. Of course, that material might stand out, but if they intentionally create a lot of chaff to hide what they are doing, it might not. A botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. It also requires that providers read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado and this is not really a new scam, but the CBI says it is quickly ramping up. The scam is that a supposed out-of-state seller wants to sell a property, either with a house or vacant land, that currently doesn’t have a mortgage. The fraudster impersonates the owner looking for a buyer that wants a quick close. The whole transaction is being done remotely by mail with a fraudulent deed. Do your due diligence whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the number of days that hackers are lurking inside your systems continues to decrease. The time now stands at just 21 days. This is likely because hackers are worried about being detected before they can detonate their attack as companies and governments get more serious about fighting crime. That means you don’t have as much time to detect the bad actors. Are you prepared? Credit: Data Breach Today

UK, Australia, Canada, New Zealand and US Warn of Attacks on MSPs

Many or possibly most small businesses don’t have an internal IT department. They rely on a third party to help them manage their IT assets. These third parties are called Managed Service Providers (MSPs) or sometimes Managed Security Service Providers (MSSPs). This is not inherently bad. But many of these MSPs are not much larger than the companies they are managing. Many have 25 or fewer employees.

MSPs have to be trusted by their customers and have to have god-like permissions on their customers’ networks and systems. There is no way around that if you want them to manage things for you.

One example of an attack on an MSP right here in Colorado was the attack against Complete Technology Solutions (CTS). The attack on CTS compromised over a hundred dental practices that were CTS’s customers.

Another was the attack against Kaseya. Kaseya provides software to MSPs. Compromise Kaseya and you compromise a thousand MSPs, each of which has hundreds (or more) of customers, each of which has many users.

There are lots more examples – SolarWinds, Microsoft Exchange, and others.

It is not surprising that hackers want to compromise a company that can allow them to leverage their resources and maximize the damage they can do.

But now we have a joint advisory from the cybersecurity agencies of a group of nations (the Five Eyes) telling people to beware. The alert provides recommendations for both MSPs and their customers.

For the customers, you are the ones that are responsible for your network. It doesn’t matter that you outsourced the work to someone else. If your network is attacked, you are in trouble. That means that you have to take action to make sure that your MSP is following best practices.

If you need help, contact us.

Credit: The Register and CISA

NIST Releases New Supply Chain Risk Guide

Here is another short read for you (sorry).

For those who read this blog on a regular basis, you know that we talk about supply chain risk a lot. Formally, the government calls it Cybersecurity Supply Chain Risk Management or C-SCRM.

Supply chain attacks are very popular because if you pull one off (think SolarWinds), you can infect millions of machines. SolarWinds was just one very visible one, but it seems like there is at least one every week, to varying degrees of severity.

This is another product to come out of NIST as a result of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

At a short 300 plus pages, you are not going to consume this all at once, but starting now is a good idea. The problem is not going away any time soon.

One thing they have done is integrated C-SCRM into a broader enterprise-wide risk management conversation. Risk management includes cyber risk, but that is far from where it ends.

They also have a section on critical success factors. Definitely worth a read.

Finally, it has 10 appendices of nuts and bolts, including C-SCRM security controls, a framework, templates and resources.

You can find the document at NIST’s website, here.

If you want to have an in-depth conversation on C-SCRM, please let us know.

We’re From the Government and We’re Here to Let Your Information Get Hacked

All software has bugs. But some software has more bugs than others.

And some organizations are better at finding and fixing those bugs.

Just not those in the public sector.

Veracode, the code-scanning and defect-finding tool vendor, scans a lot of apps a lot of times. Here is a bit of data that should scare you.

Veracode looked at twenty million scans of a half million apps, and while what they discovered doesn’t surprise me, it does scare me a bit.

Their research says that the public sector has the highest percentage of applications with security flaws.

82% of the public sector applications scanned had security flaws.

On top of that, it takes the public sector twice as long to fix flaws once they are detected.

They also said that 60% of the flaws in third-party libraries that are used by public sector apps remain vulnerable after two years. That is double that of other sectors and is slower than the average by 15 months.

Last but not least, they only fix about 20% of bugs, ever.

Given that most of us do not have a choice to use or not use government apps, these statistics are alarming.

Given the government’s lack of IT resources, it is highly unlikely that things will get better any time soon.

Sorry, I don’t have a happy ending. Credit: Helpnet Security

Why Passwords Don’t Hack It Anymore

Security folks (like me) have been telling people for years that passwords are just not secure enough anymore.

Now we have another reason that is true.

Companies have been promoting single sign on as a way around the insecurity of passwords, but now, even that is not secure anymore.

Multifactor authentication helps, but even that isn’t perfect and people grump about it a lot.

Let’s pick this apart.

First we told people to look for the padlock in the browser address bar. That worked until hackers started buying doppelganger domains. Is GOOGLE.COM different than G00GLE.COM? What about TIME.COM vs. T1ME.COM? Or DISNEY.COM vs DlSNEY.COM? You get the idea.

When the web went truly international, the browsers had to support different character sets and the hackers added homograph attacks. These are attacks that abuse those different character sets in a way that looks visually identical to the real domain.

Now attackers are figuring out how to compromise single signon. Examples that consumers see are “signon with Google” or “signon with Facebook”, but the business world uses Microsoft single signon or Ping or Okta.

Here is an example of a real and fake “signon with Facebook” screen:

real and fake single signon page

There is a difference between these two, but even I can’t see what it is.

They still have to lure you to the bad website, but if they do and you fall for the sign on with xxx bait, they have you.

But you say, what about multifactor authentication? It definitely helps, but does EVERY site you log into use MFA? I didn’t think so.

And users LOVE having to enter a number from a text message (ignore the SIM swapping attack for the moment). If EVERY SINGLE WEBSITE that you care about uses MFA and you use a more secure MFA method like an authenticator app, that is probably still pretty good.

But if you reuse passwords or if you don’t use MFA EVERYWHERE, you have a problem.

According to researcher mr.d0x, it is pretty simple to concoct the fake popup login with basic HTML and stylesheets. Using JavaScript, you can make the window pop up anywhere on the screen – on a button click or a page load or whatever.

This attack, called a Browser-in-the-browser attack, can also fake out the hover over the URL trick. Go to the link for details on how that works.

One tool that reduces the effectiveness of this attack is a password manager. Why? Because the password manager doesn’t rely on the visual URL. It is looking at the code underlying that and it isn’t as easily fooled.
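As an added example (not from the original post and not mr.d0x’s code), here is a Python check that does what the text says a password manager does: it matches the hostname exactly at the code level before trusting it, and separately collapses look-alike characters so the doppelganger domains above (G00GLE, T1ME, DlSNEY) and IDN homographs are flagged as lookalikes instead of being autofilled. The trusted list and the small confusables table are constructed assumptions.

```python
import unicodedata

# Constructed allow-list: the exact hostnames a password manager would autofill.
TRUSTED = {"google.com", "time.com", "disney.com", "facebook.com", "apple.com"}

# Small confusables table (assumption: a real tool would use the full Unicode
# TR39 list). Each look-alike maps to the ASCII letter it imitates; 'l', '1',
# '|' and 'i' all collapse into one class, '0' into 'o'.
CONFUSABLES = {
    "0": "o", "1": "i", "l": "i", "|": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",  # Cyrillic c y x s
    "\u0456": "i", "\u04cf": "i",                                # Cyrillic i, palochka
}


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so an IDN host is compared as it is rendered."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters


def skeleton(host: str) -> str:
    """Collapse a hostname to what a human sees: NFKC, lower-case, confusables."""
    s = unicodedata.normalize("NFKC", host).lower()
    s = s.replace("rn", "m")  # 'rn' renders much like 'm'
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(host: str, trusted=TRUSTED) -> str:
    """'trusted' on an exact code-level match, 'lookalike' when only the visual
    skeleton matches a trusted domain, otherwise 'unknown'."""
    host = to_unicode_host(host.strip().rstrip(".")).lower()
    if any(_under(host, t) for t in trusted):
        return "trusted"
    sk = skeleton(host)
    if any(_under(sk, skeleton(t)) for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ["GOOGLE.COM", "G00GLE.COM", "T1ME.COM", "DlSNEY.COM", "xn--pple-43d.com"]:
        print(f"{h:20} -> {classify(h)}")
```

A browser extension or proxy would take the hostname from the actual location, never from what is painted on the screen, which is exactly why the fake popup does not fool it.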

But most companies don’t use – or at least force the use – of password managers and most consumers have no clue what a password manager is.

Client-side certificates are also great, as is IP whitelisting. Most companies don’t even know what that is. Consumers certainly don’t. And many systems don’t even support this technology.

None of this is bulletproof, but it makes things a lot more secure.

FIDO keys work well too, but how many people have FIDO keys?

Bottom line is that IT teams need to up their game before it is too late.

You can find the rest of the story at Threatpost.