Category Archives: Security Practices

Remote Work Policies

When Covid happened 9 months ago no one really knew what to expect. I am not sure that anyone still knows what to expect, but it looks like Work From Home (WFH) is here to stay.

Many companies have decided that it has not negatively impacted productivity and some even say that productivity is better.

Some companies have decided that it is a great employee benefit and helps with recruiting. It also allows companies to recruit talent anywhere in the country (although companies need to watch out for the potential impact of having to comply with personnel, privacy and tax laws in multiple states). Facebook, for example, has said that they anticipate that 60% of their employees will work from home forever.

But it does mean that we should consider the security impact of WFH. Here are some thoughts.

#1 – Your employee’s computer, even if it is a company provided one, is operating in hostile territory. You have no control over the rest of the employee’s family, what their computing habits are, whether they ever patch anything, what web sites they visit, or even whether their wireless router has been updated since, say, 2013.

This means that you have to assume a zero trust environment: the home network is untrusted, and nothing on it should be able to reach company resources just because it shares the employee’s WiFi. Your employee’s computer is likely operating in a war zone full of land mines and snipers. Are your computers’ protections up to the task?

#2 – If you allow your employees to use their own computers, it is even worse. Not only do you not know the security state of your employee’s family’s computers (and phones and video games and IoT devices), you don’t even know the security setup of your employee’s own computer. For example, when was the last time it was patched? Not just the operating system, but every application installed on it.

#3 – If employees VPN into your network or into a cloud network, do they get access to the entire network? Does every employee have access to everything? Do they need it? This is where subnetting and segmentation come into play: a VPN user should land on a segment that can reach only the systems their job requires.

#4 – Continue and enhance employee security training, phishing training and now, also, vishing (voice phishing) training. Attacks are up and the environment is hostile. Attackers know that and are taking advantage of it.

Some things that you can do:

Provide employees a personal HARDWARE firewall that they are required to place between their computer and the rest of their home network. Not inexpensive, but highly effective. This firewall can establish a VPN tunnel between the employee’s computer and the company’s office or data center transparently.

Create policies about BYOD computers. It is a pain to enforce, but your company is at risk.

Implement network segmentation. It may mean that you need to buy, one time, some consulting expertise, but once it is done, your IT assets are much more secure.

For company owned computers make sure that patching remains a high priority and encourage employees to patch personally owned computers.

Ask employees to, if possible, connect via a network cable and not via wireless. A wired connection is not exposed to everyone within radio range of the home router, so wireless connections are significantly more vulnerable to attack.

If employees have to use wireless connections, make sure the default router password has been changed, that WPA2 or better is in use, and that the router firmware has been patched.

If possible, implement a device management solution such as Microsoft Intune, Jamf for Mac or AirWatch.

The security situation is not going to get any better any time soon. You are in control of your company’s destiny as cyber is a key to protecting your company. I read stories every single day about companies that have been hit by cyber attacks of one form or another and how it is impacting their business. One company I read about today has been down for a month trying to recover. Another can’t ship products. A third has its online services offline. That is just today. Do not be the next news story. Please.

Feds Pass IoT Security Law – It’s a Start

The new law is called The Internet of Things Cybersecurity Improvement Act and it is a start. Just a start.

While no one can agree on how many billions of IoT devices are going to be installed, or when, what we do know is that it is going to be tens of billions of devices and growing dramatically every year.

We also know that IoT devices get hacked regularly; the vulnerabilities found in St. Jude implantable cardiac devices and the Mirai botnet are two well known examples.

The bill was passed by the House a couple of months ago and just passed UNANIMOUSLY in the Senate; it has been sent to the White House, where the President is expected to sign it.

So what does it do?

NIST is Required to Publish IoT Security Standards within 90 Days

This is kind of a freebie since NIST has been working on this for a couple of years, but it still is not released. Here is a link to the draft version.

NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days

This is a big one. If the standard requires certain features in order for a company to be allowed to sell to the federal government (and who wouldn’t want to be able to sell to the feds?), vendors are not likely to make two models – one for the feds and one for everyone else – so everyone benefits.

Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)

This is a bureaucratic thing to make sure that government agencies don’t ignore the law, so therefore this, too, is important.

NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days

NIST will work with industry and academia to create guidelines to report, coordinate, publish and receive information about security vulnerabilities in IoT devices. This is important to standardize so that security researchers know the rules and what they can and cannot do.

The Comptroller General will Report to the House and Senate Every Two Years About any Waivers Granted

This just provides a little daylight on any government shenanigans. The reports will be unclassified. The Comptroller General will brief these committees after one year, and then every two years, about the broader IoT effort.

This bill is one thing that has come out of the Cyberspace Solarium Commission, which issued its report earlier this year. Hopefully, more will come of that report.

While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If Congress is nudged by the future White House to pass more legislation, that will certainly increase the odds that they will, which is, hopefully, good for security overall. Credit: CSO Online

Security News for the Week Ending Nov 13, 2020

The “S” in Coworking Stands for Security

While the WSJ says that coworking companies are closing money-losing spaces as a result of Covid, don’t forget that coworking spaces are about as secure as airport WiFi, meaning not at all. The local news just said that some coworking companies are actually expanding as people want to get out of their house. For most coworking companies, the users are on a shared WiFi network with no isolation between clients and often no encryption. Your remote working policy and procedures need to address this subject, based on the level of risk you are willing to accept and whether you are part of a regulated industry that might frown on you sharing your trade secrets, PII or customer data with the world. Also remember that if a malware-infected device is on the shared WiFi, it will certainly try to attack you. Here are a few tips for coworking company security.

Travelers are Faking Covid-19 Test Results

Apparently some travelers don’t want to go through the hassle of getting tested for Covid but still want to travel to countries that require those tests for entry. First there were paper documents, which, with Photoshop, were easy to forge. The cops at Paris’ Charles de Gaulle Airport just arrested some of those forgers. They were charging $180-$360 for fake documents. Apparently the French do not cotton to counterfeiters. The penalty for counterfeiting Covid documents is 5 years in a French prison and a half million dollar fine. Brazil arrested some tourists last month for presenting fake documents, so it sounds like you can get in trouble whether you are the buyer or the seller. Some locales are now only accepting electronic versions of the documents directly from the labs, making them harder to fake. Credit: USAToday

Google Finds At Least 7 Critical Bugs in Chrome, Android, iOS and Windows

Google says the bugs were being actively exploited in the wild, but it is not saying by whom or against whom. Apple’s corresponding fix went out as an iOS 12 update covering devices as old as the iPhone 5S and 6, which typically indicates a big problem. The bugs were “found” by Google’s Project Zero, but apparently were being used by someone prior to being found. Does this smell like some spies were caught? Probably. We just don’t know which side they were on. Credit: Vice

Vietnam’s OceanLotus Hacking Group Joins Other Countries in Hacks

While countries like China get all the credit for hacking, Russia, North Korea and others are just as active. Add Vietnam to the list. Right now they are attacking their Asian neighbors. As is typical for these government run attacks, they are applying a great deal of effort to compromise their victims. Credit: The Record

White House May Fire Krebs for Securing the Election

Chris Krebs, the head of DHS’s cybersecurity agency CISA, says he expects to be fired by the White House for securing the election from hackers. All reports indicate that while there is a lot more work to do to secure elections, the 2020 elections were, by far, the most secure ever. The agency also created an election rumor control web site (www.cisa.gov/rumorcontrol). This website debunked many of the myths being spread by people who are trying to discredit the election results. General Nakasone, head of NSA and Cyber Command, who also said that there was no significant election fraud, could also be in trouble. Credit: Darkreading

Is The NSA Still Putting Back Doors in Tech Products?

This is a bit like the old question “are you still beating your spouse?” In order to answer that you would have to admit that you had been doing it previously.

The NSA, as far as I know, hasn’t admitted to placing back doors in tech products but there is a lot of information that has leaked out over the years that seems to indicate that they did and possibly still do.

One example. The CIA, in partnership with German intelligence and with the NSA as the consumer of the take, actually OWNED the Swiss crypto hardware company Crypto AG. They sold backdoored crypto hardware (back when hardware was the only way to do that) to both our friends and our foes. Of course, no one knew that the intelligence community owned the company or that the crypto was defective. The company was liquidated in 2018, by which point all encryption was done in software and the CIA and NSA no longer had the near-monopoly that Crypto AG once was, but the NSA and CIA had access to the supposedly secure communications of both our friends and enemies for decades.

Second example. Juniper admitted in 2015 that someone had inserted a back door – what they refer to as unauthorized code – into the Juniper operating system ScreenOS. Some sources say that the code goes back to 2008. “Unauthorized code” is a euphemism for a back door.

Third example. The NSA paid RSA millions of dollars to make a particular pseudo random number generator, Dual EC DRBG, the default in RSA’s crypto library. The algorithm has a weakness: its two elliptic curve constants, P and Q, can be chosen so that whoever knows the secret relationship between them can recover the generator’s internal state from a little of its output, and from there predict every future output. The NSA knew that and was able to leverage it to make crypto easily crackable. By them. Because they knew the secret. They even managed to get NIST, for whom the NSA was a technical advisor, to adopt Dual EC as a standard (SP 800-90A).

Cryptographers had pointed out the possible back door as early as 2007, and when Snowden released the documents that he did release, it became clear that the algorithm was fatally flawed by design. NIST says that they were duped – which is both possible and possibly a lie – and removed Dual EC from the standard.

But in the meantime someone other than the NSA, reportedly another government, figured out how the Dual EC back door in the Juniper software worked, swapped in a constant of their own, and used the flaw against us. And others.
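To make the mechanism concrete, here is a toy Dual EC generator with its back door, added as an illustration for this post; it is not the NIST specification and not code from Juniper, RSA or anyone else mentioned here. It uses a made-up 103-element curve, a made-up seed and a made-up secret d = 37 in place of NIST P-256, and it does not truncate outputs (the real algorithm drops 16 bits per output, which only costs the attacker a 2^16 guess). Whoever knows d with P = d·Q turns a single output into the generator’s next state; replacing Q with your own, as was done in ScreenOS, simply makes you the one who knows d.

```python
"""Toy Dual_EC_DRBG and its back door over a tiny curve (illustration only).

All values are made up: prime modulus 103, secret d = 37, seed 42.
Real Dual EC runs on P-256 and truncates 16 bits of each output.
"""
P_MOD = 103          # prime, 3 mod 4, so a square root is a single pow()

def legendre(v):
    """0 if v == 0, 1 if v is a square mod P_MOD, P_MOD - 1 otherwise."""
    return pow(v % P_MOD, (P_MOD - 1) // 2, P_MOD)

def mod_sqrt(v):
    """Square root of a quadratic residue (valid because P_MOD % 4 == 3)."""
    return pow(v % P_MOD, (P_MOD + 1) // 4, P_MOD)

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def curve_order(a, b):
    """Number of points on y^2 = x^3 + a*x + b, including infinity."""
    n = 1
    for x in range(P_MOD):
        ls = legendre(x ** 3 + a * x + b)
        n += 1 if ls == 0 else 2 if ls == 1 else 0
    return n

def pick_curve():
    """First non-singular (a, b) with prime group order > P_MOD and b a
    non-residue.  Prime order above P_MOD means every nonzero scalar used
    below gives a finite point; no point with x == 0 means no state or
    output is ever 0, so x_of() never meets the point at infinity."""
    for a in range(1, P_MOD):
        for b in range(1, P_MOD):
            if (4 * a ** 3 + 27 * b ** 2) % P_MOD == 0 or legendre(b) != P_MOD - 1:
                continue
            n = curve_order(a, b)
            if n > P_MOD and is_prime(n):
                return a, b, n
    raise RuntimeError("no suitable toy curve found")

A, B, ORDER = pick_curve()

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    return pt[0]

def first_point():
    for x in range(P_MOD):
        v = x ** 3 + A * x + B
        if legendre(v) == 1:
            return (x, mod_sqrt(v))

Q = first_point()
SECRET_D = 37                # known only to whoever chose the constants
P = mul(SECRET_D, Q)         # published P and Q look unrelated; really P = d*Q

def dual_ec(seed, n_out):
    """Honest generator: r = x(sP), output x(rQ), next state x(rP)."""
    s, outs = seed, []
    for _ in range(n_out):
        r = x_of(mul(s, P))
        outs.append(x_of(mul(r, Q)))
        s = x_of(mul(r, P))
    return outs

def recover_state(output, d):
    """Back door: lift t = x(rQ) to a point, then d*(rQ) = r*(dQ) = rP, whose
    x-coordinate is the next state.  The sign of y is irrelevant: x(-R) == x(R)."""
    y = mod_sqrt(output ** 3 + A * output + B)
    return x_of(mul(d, (output, y)))

def predict_rest(first_output, n_more, d):
    """Everything the generator will emit after first_output, given d."""
    return dual_ec(recover_state(first_output, d), n_more)

if __name__ == "__main__":
    honest = dual_ec(42, 6)
    print("honest outputs:   ", honest)
    print("attacker predicts:", predict_rest(honest[0], 5, SECRET_D))
```

The honest user sees only P, Q and the output stream; `recover_state` needs one output plus d. On the real curve the x-coordinate lift and the scalar multiplication are the same two steps, just with 256-bit numbers and a 2^16 loop over the truncated bits.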

All that is background.

Senator Ron Wyden, a member of the Intelligence Committee has asked the NSA for a copy of a report they created after it became public that the NSA’s back door was being used against us. Wyden is opposed to back doors because it is hard even for the NSA to keep a secret a secret. For one thing, someone else might discover it accidentally.

Mysteriously, the NSA says that they cannot find that report.

Supposedly after the NSA’s hack got hacked the NSA changed its policy on inserting back doors into commercial products.

But, hmmm, they can’t seem to find that information. Maybe we should ask Snowden to look for it like Trump asked Russia to look for Clinton’s emails.

Rumor has it that for years the NSA intercepted equipment from vendors like Cisco while it was in transit and inserted “gifts”. They then put it back in the delivery stream and used the access they had to steal information.

Bottom line, we don’t really know what the NSA’s policy is about adding back doors to commercial products.

And the NSA is not saying.

You would think that if they were NOT doing it any more, they might be willing to say so, which leads me to assume that the new policy is “don’t get caught”.

You are going to have to figure this one out yourself.

Guess What Vendors are NOT Doing – Leaving it to You

Orca Security scanned more than 2,200 virtual appliance images – the same ones that your company probably uses every day. The images came from over 500 vendors and were found on the marketplaces at Amazon, Microsoft, Google and others. They included both open source and commercial (licensed) software.

Orca created a scoring system that ran from 0 to 100. Companies (or images, actually) lost points for:

* Unsupported or no longer supported operating systems

* Contained 1 or more high profile vulnerabilities (from a list of 17 that they created)

* Contained 1 or more vulnerabilities with a CVSS score of 9 or higher (critical)

* Contained 1 or more vulnerabilities with a CVSS score between 7 and 9

Grades ran from A+ (really cool) to F (not so cool). Just like school.

They got an instant F if they:

– Used an unsupported operating system

– Had 4 or more of the high-profile vulnerabilities

– Had 20 or more flaws with a CVSS score of 9 or higher

– Had 100 or more flaws with a CVSS score between 7 and 9

– or had more than 400 unique vulnerabilities

That seems pretty freaking generous to me. I’d cut those thresholds way down. 19 flaws with a CVSS score of 9 or higher is okay? I don’t think so.

Still, that was the threshold.
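As an added example (my code, not Orca’s, which was not published with the write-up), here is what applying those thresholds to your own scan of an appliance looks like. The instant-F rules are the ones quoted above; the per-finding point deductions and the letter cut-offs are assumptions, since the write-up gives only the automatic-fail limits, and the `HIGH_PROFILE` set is a stand-in using a few well known CVEs rather than Orca’s actual list. The scan results are constructed, and the `X-n` identifiers are placeholders, not real CVE numbers.

```python
"""Grade a virtual-appliance scan against Orca-style thresholds (added example).

Instant-F rules follow the write-up; weights, cut-offs and the high-profile
list are ASSUMED.  Findings are constructed sample data.
"""
from dataclasses import dataclass

# ASSUMPTION: stand-in for Orca's "high-profile" list (the real list is not given).
HIGH_PROFILE = {"CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2019-19781"}
# ASSUMPTION: OS releases treated as out of support at scan time.
UNSUPPORTED_OS = {"centos:6", "ubuntu:14.04", "debian:8"}
# ASSUMPTION: letter cut-offs on a 0-100 score.
LETTER_CUTOFFS = [(97, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")]


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float


def summarize(os_id, findings):
    """Deduplicate by CVE id and count what the thresholds care about."""
    unique = {f.cve: f.cvss for f in findings}
    return {
        "unsupported_os": os_id in UNSUPPORTED_OS,
        "high_profile": sum(1 for c in unique if c in HIGH_PROFILE),
        "critical": sum(1 for s in unique.values() if s >= 9.0),
        "high": sum(1 for s in unique.values() if 7.0 <= s < 9.0),
        "total": len(unique),
    }


def instant_fail(s):
    """The automatic-F rules quoted in the write-up."""
    return (s["unsupported_os"] or s["high_profile"] >= 4 or s["critical"] >= 20
            or s["high"] >= 100 or s["total"] > 400)


def score(s):
    if instant_fail(s):
        return 0
    # ASSUMED weights: 10 per high-profile CVE, 3 per critical, 1 per high.
    return max(0, 100 - 10 * s["high_profile"] - 3 * s["critical"] - s["high"])


def letter(points):
    for cutoff, grade in LETTER_CUTOFFS:
        if points >= cutoff:
            return grade
    return "F"


def grade_image(os_id, findings):
    """Returns (score, letter, summary) for one appliance image."""
    s = summarize(os_id, findings)
    pts = score(s)
    return pts, letter(pts), s


# Constructed scan results; "X-n" ids are placeholders, not real CVEs.
SAMPLE_IMAGES = {
    "vendor-a": ("debian:10", [Finding("X-1", 7.5), Finding("X-2", 5.0), Finding("X-2", 5.0)]),
    "vendor-b": ("centos:6", [Finding("X-3", 9.8)]),                 # unsupported OS
    "vendor-c": ("ubuntu:18.04", [Finding(c, 9.8) for c in HIGH_PROFILE]),  # 4 high-profile
    "vendor-d": ("ubuntu:18.04", [Finding("CVE-2014-0160", 7.5), Finding("X-4", 9.8),
                                  Finding("X-5", 9.1), Finding("X-6", 9.0), Finding("X-7", 7.0),
                                  Finding("X-8", 8.9), Finding("X-9", 7.2), Finding("X-10", 8.0)]),
}


def gate(images, minimum="B"):
    """Names of the images that clear the deployment bar (default: B or better)."""
    order = ["F", "D", "C", "B", "A", "A+"]
    return sorted(name for name, (os_id, f) in images.items()
                  if order.index(grade_image(os_id, f)[1]) >= order.index(minimum))


if __name__ == "__main__":
    for name, (os_id, findings) in SAMPLE_IMAGES.items():
        pts, g, s = grade_image(os_id, findings)
        print(f"{name}: {g} ({pts}) {s}")
    print("deployable:", gate(SAMPLE_IMAGES))
```

The useful part is `gate`: feed it the parsed output of whatever scanner you run on the downloaded image and refuse to attach anything below your own bar, which, as the post argues, should be well above Orca’s automatic-fail line.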

So what was the result?

15% graded an F

16% graded a D

25% graded a C

12% received a B

and 24% got an A; 8% got an A+

That means that less than half got above a C and 30% got a D or F. Less than 10% got a gold star.

In total, Orca’s scanning identified 401,571 vulnerabilities across 2,218 appliances.

Almost half had not been updated by the vendor in the last year and only 2.8% had been updated in the last month.

This test includes both security and non-security product vendors, but security vendors only scored a low B, on average.

There are more details in the article, but the bottom line is that you really can’t trust vendors when it comes to security. That is not great news. Some hardened security appliances did score well, but again, how do you know which kind you have when you install an image from the vendor’s marketplace listing?

First thought is to ask the vendor. Second thought is that you have to scan the virtual appliance yourself before you connect it to the Internet, and keep scanning it, since almost half of these images had gone a year without a vendor update.

Great. Something else for my to-do list. Credit: CSO Online

How Might Russia Interfere with the Elections?

There are a number of obvious ways like compromising the election software that voters use to vote, but that is likely to be hard to do.

They are spreading disinformation which may cause Americans to not trust the election process and therefore not vote. That is much easier to do and some of our elected politicians are helping them do this.

They might compromise the voting management software that the counties use to tabulate and report on the vote. We saw a recent incident with that from one of the leading voting software vendors. There is no indication that this hack was based in Russia, but that is certainly possible.

But then there is the easy way to compromise things.

Spam and malicious emails.

One clerk’s office in rural Texas, Hamilton County, recently had its email system compromised, and it has been sending out spam and infected emails.

What if that happened to a big county? Or several? Or many?

In this case, voters got official-looking emails with an attachment, and the email body supplied the supposed password for the attachment. Some people, I am sure, are likely to open an attachment like that. It contained malware.
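That lure has a simple shape that a mail gateway or a SOC script can look for: an archive or Office attachment plus a password handed out in the body. Below is an added example of that check (my code, not from the ProPublica story or any product), written with Python’s standard `email` parser. Both messages are constructed for the example and use the reserved `.invalid` domain; the attachment is an empty zip.

```python
"""Flag mail that ships an archive/Office attachment and its password in the
body, the lure pattern described above (added example, constructed messages)."""
import base64
import re
from email import message_from_string, policy

RISKY_EXT = (".zip", ".7z", ".rar", ".iso", ".img", ".doc", ".docm", ".xls", ".xlsm")
# Matches "the password is X", "password: X", "passcode for the file is X".
PASSWORD_RE = re.compile(r"\b(?:password|passcode)\b[^\n]{0,40}?(?:\bis\b|:)\s*(\S+)", re.I)

EMPTY_ZIP_B64 = base64.b64encode(b"PK\x05\x06" + b"\x00" * 18).decode()

LURE = f"""\
From: County Clerk <clerk@example.invalid>
To: voter@example.invalid
Subject: Updated absentee ballot instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached instructions before Tuesday.
The password for the file is Vote2020.

--b1
Content-Type: application/zip; name="instructions.zip"
Content-Disposition: attachment; filename="instructions.zip"
Content-Transfer-Encoding: base64

{EMPTY_ZIP_B64}
--b1--
"""

BENIGN = """\
From: County Clerk <clerk@example.invalid>
To: voter@example.invalid
Subject: Polling place change
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your polling place has moved to the community center. Call us with questions.
"""


def analyze(raw):
    """Return a verdict dict for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    body, attachments = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            attachments.append(filename or "")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    match = PASSWORD_RE.search(body)
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    return {
        "subject": str(msg["Subject"]),
        "attachments": attachments,
        "password_in_body": match.group(1).rstrip(".,;!") if match else None,
        "flag": bool(match and risky),   # password-protected payload delivered with its key
    }


def triage(messages):
    """Names of the messages that should be held for review."""
    return [name for name, raw in messages.items() if analyze(raw)["flag"]]


if __name__ == "__main__":
    for name, raw in {"lure": LURE, "benign": BENIGN}.items():
        print(name, analyze(raw))
```

The point of the password-in-body rule is that the encrypted archive exists precisely to get past attachment scanning, so the key being in the same message is the tell; a gateway that holds such mail for review costs legitimate senders very little.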

A recent study showed that way too many election entities were using home grown, old, obsolete or insecure email systems and many were not using email security best practices.

This county clerk only has 3 people in the office. Combine Covid with this mess and the office basically stopped.

Homeland Security (DHS) has been working with election officials to improve things but with many small jurisdictions, they don’t have the money or the resources to tackle the problem, even if the DHS part is free.

Unfortunately, the bad guys, whether nation state or others, are likely going to take the easiest route to cause problems and that is not likely to be trying to change the ballot in 10,000 voting jurisdictions.

They may just try the tried and true method of spam. After all, that has been working for decades. Credit: Propublica