Category Archives: Security Practices

Businesses Losing Customers due to Connected Products Security Concerns

59% of cybersecurity executives at large and medium organizations say that they have LOST business due to product security concerns for connected and embedded devices.


45% say that customers want detailed information about what is in their devices, but only 11% of companies have high confidence that they can do that, even if they want to.

Only 27% of people interviewed said that their organizations conduct software composition analysis (what is in it) and only 30% say that they can easily generate a software bill of materials (as required by the new executive order).

So what does it take to develop secure products? More resources (62%), more expertise (60%), industry standards (46%). Only 21% said that they have a security supply chain policy.


On top of this, only half of the respondents said their organization checks out the security of their products before they ship them.

The good news is that 74% of the organizations either have a Chief Product Security Officer or plan to hire one in the next two years.

And, last but not least, only 10% have full confidence that they know all vendors in the supply chain for each of their devices.

Ready to buy one of them secure connected devices now?

Credit: Help Net Security

What Happens When Hackers Steal ALL of the Code to your System

Just ask Twitch. The livestreaming service for video gamers, esports, music and other content fell to hackers.

It was acquired by Amazon in 2014 for almost a billion dollars.

Hackers broke in and stole 135 gigabytes of data. This includes all of the source code to the platform, transaction data, userids, passwords and other information.

It appears that the passwords were NOT encrypted.

The data has already been posted in multiple places in the hacker underground.

It is not impressive that a company like Amazon would allow a subsidiary to store personal information this way, but apparently, they did.

Among the data stolen was the source code to a gaming platform designed to compete with Steam and information about how much (and who) the highest paid content creators were being paid.

Worse yet, the hacker, who may have had a vendetta against Twitch, said this 125 gigabytes of data was part 1.

How many parts are there? What is going to happen next?

One obvious problem for Twitch is that now that all of their source code is public, hackers will be combing through it to find vulnerabilities, and given what we know so far, there are vulnerabilities.

If you are a Twitch user, you should immediately change your password and enable MFA.

Credit: Threatpost

Twitch said: “We can confirm a breach has taken place,” and “Our teams are working with urgency to understand the extent of this.”

I bet they are :).

Google searches for how to delete Twitch were up 800%. Kind of like locking the barn after the animals got out.

Users of Twitch, the world’s biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform.

The phenomenon of “hate raids” — torrents of abuse — has seen the platform become increasingly unpleasant for many Twitch streamers who are not white or straight.

Twitch says that they are working on fixing that. Oh, and they are suing some of their customers for organizing the hate raids.

Credit: Security Week

One source is reporting that the following items were among what was stolen:

  • Entirety of Twitch, with its Git commit history going all the way back to early beginnings
  • Payouts for the top Twitch creators
  • Every property that Twitch owns, including IGDB and CurseForge
  • Mobile, desktop, and video game console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • Every other property owned by Amazon Game Studios
  • Twitch internal security tools

We are seeing conflicting reports from different sources about userids and passwords. It is possible that they were or were not stolen and the conflicts may be due to what piece of the data each source saw.

One poster on 4Chan says the leak was done to foster more competition in the online video streaming space because Twitch is a “toxic cesspool”. While competitors won’t use Twitch’s code directly, they certainly might check it out for ideas.

Credit: Cybernews

Some sources said the hackers got in via a misconfigured server, but I would suggest the problem goes deeper than that. Much deeper. How comfortable are you that hackers could not steal all of your crown jewels?

Major Software & Hardware Vendors Cause Self-Inflicted Downtime

Let’s Encrypt is the free HTTPS encryption service that is used by millions of web sites. Since it started out as a good idea of two Mozilla employees in 2012, it has issued about 2 billion free TLS certificates.

The history behind this organization is long and convoluted. The industry has a high bar for entry for a new player, and in 2012 they had to get someone that the industry trusted to, kind of, co-sign their HTTPS certificates.

They knew that co-sign process was a short term solution and about 4 years ago they convinced the “Internet authorities” that they were the real deal and replaced that co-signed certificate with a new one.

Browsers and other software vendors have been incorporating this new certificate since 2017.

Let’s Encrypt, itself, has been warning people for about a year that the old certificate was going to expire today and software vendors needed to upgrade.

We expected that old, unsupported software like Windows XP and old hardware like Android phones running Android 7, would have a problem today.

That turned out to be true.

What we did not expect is that mainstream websites like Shopify, mainstream tech vendors like Palo Alto and Cisco, and mainstream service vendors like Monday.com, Google Cloud monitoring and Quickbooks would be caught napping or completely asleep at the switch.

Unfortunately, we were wrong.

These vendors and many others went dark at about 8 AM Mountain Time this morning.

Some of them fixed the issue. Shopify, for example, recovered at about 3:30 PM.

Others, like Fortinet, seem to continue to be asleep at the switch and have told their customers to turn off the security feature that warns you when you have a security issue. That is not a great solution, but for some Fortinet customers, that is their only option.

Many more likely have not been detected yet – like IoT devices that just stopped working but that no one has either noticed or figured out why.

And, importantly, if these software or hardware products are no longer supported, you are probably out of luck and will have to replace them.

In some cases, you have the ability to tell the system to ignore the error and move forward, but most of the time, that is not an option.
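To show why an old client fails today while an updated one keeps working, here is an added illustration (not code from the original post or from Let's Encrypt): a constructed model of the chain a Let's Encrypt site sent at the time, which is the leaf, the R3 intermediate, and the new ISRG Root X1 root cross-signed by the old DST Root CA X3 root (those names and dates are assumed from the public certificates, not taken from this page), verified against a trust store that only knows the old root and one that also has the new root. A verifier that anchors as soon as it reaches any trusted root keeps working once the new root is installed; one that only tries to anchor the last certificate the server sent ends at the expired old root and fails even on an updated machine, which is the case where "even if the user has been updated, things won't work".

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry (UTC)


def utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed model of the chain a Let's Encrypt site served in September 2021:
# leaf <- R3 <- ISRG Root X1 (this copy cross-signed by DST Root CA X3).
# Names and dates mirror the public certificates; nothing is parsed from real files.
OLD_ROOT_EXPIRY = utc(2021, 9, 30, 14, 1)
CHAIN = [
    Cert("www.example.com", "R3", utc(2021, 12, 1)),
    Cert("R3", "ISRG Root X1", utc(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30)),  # cross-sign outlives old root
]
OLD_STORE = {Cert("DST Root CA X3", "DST Root CA X3", OLD_ROOT_EXPIRY)}  # unpatched client
NEW_STORE = OLD_STORE | {Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))}  # updated client
BEFORE, AFTER = utc(2021, 9, 1), utc(2021, 10, 1)  # a day before and a day after the expiry


def verify(chain, store, now, stop_at_first_anchor=True):
    """Walk from the leaf toward a trust anchor; return (ok, reason).

    stop_at_first_anchor=True models a verifier that anchors as soon as an
    issuer is in the trust store, so the cross-sign is never consulted when
    ISRG Root X1 is trusted. False models older verifiers that only try to
    anchor the last certificate the server sent, which lands on DST Root CA X3.
    """
    anchors = {c.subject: c for c in store}
    last = len(chain) - 1
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"{cert.subject} certificate expired"
        anchor = anchors.get(cert.issuer)
        if anchor is not None and (stop_at_first_anchor or i == last):
            if anchor.not_after < now:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
    return False, "no trust anchor found"


if __name__ == "__main__":
    for label, store, now, mode in [
        ("old client, before expiry", OLD_STORE, BEFORE, True),
        ("old client, after expiry", OLD_STORE, AFTER, True),
        ("updated client", NEW_STORE, AFTER, True),
        ("updated client, old-style verifier", NEW_STORE, AFTER, False),
    ]:
        print(f"{label:36s}", verify(CHAIN, store, now, mode))
```

Only the last two cases differ by verifier behaviour, not by trust store, which is why "update the root certificates" was not enough for some products.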

I am writing this because, I think, this is day one of an extended discovery process. Likely there are things that are down and people don’t know they are down or don’t know why they are down. This will take a while to discover and to fix. In some cases, the fix will be expensive and extended.

I wrote about this a few months ago. This should not have happened, as the industry knew exactly what day it was going to be a problem 9 years ago. Still we, as an industry, create self-inflicted wounds.

For more details, check out this article at ZDNet.

CISA Issues Cyber Goals & Objectives for Critical Infrastructure Control Systems

While goals are CURRENTLY voluntary, CISA issued guidelines for what it expects from pipelines and other critical infrastructure in light of the Colonial Pipeline attack. While it appears that the hackers were not able to take over the control systems in that attack, they did take over the control systems in the Florida and Kansas water system attacks.

And, while this legally only applies to critical infrastructure, if it makes sense, you might want to do it also.

CISA already has a raft of documents, so they reviewed and harmonized them and came up with a single list. See the link at the end for more information. Here are some of the highlights. Each goal comes with a rationale and objectives.

RISK MANAGEMENT AND CYBERSECURITY GOVERNANCE

GOAL: Identify and document cybersecurity risks to control systems using established recommended practices (e.g., NIST Cybersecurity Framework, NIST Risk Management Framework, International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443, NIST Special Publication (SP) 800-53, NIST SP 800-30, NIST SP 800-82) and provide dedicated resources to address cybersecurity risk and resiliency through planning, policies, funding, and trained personnel.

ARCHITECTURE AND DESIGN

GOAL: Integrate cybersecurity and resilience into system architecture and design in accordance with established recommended practices for segmentation, zoning, and isolating critical systems (e.g., Industrial Control Systems-Computer Emergency Response Team Defense in Depth guide, Purdue Diagram) and review and update annually to include, as appropriate, any lessons learned from operating experience consistent with industry and federal recommendations.

CONFIGURATION AND CHANGE MANAGEMENT

GOAL: Document and control hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.

PHYSICAL SECURITY

GOAL: Physical access to systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, is limited to authorized users and secured against risks associated with the physical environment.

SYSTEM AND DATA INTEGRITY, AVAILABILITY AND CONFIDENTIALITY

GOAL: Protect the control system and its data against corruption, compromise, or loss.

CONTINUOUS MONITORING AND VULNERABILITY MANAGEMENT

GOAL: Implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.

TRAINING AND AWARENESS

GOAL: Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.

INCIDENT RESPONSE AND RECOVERY

GOAL: Implement and test control system response and recovery plans with clearly defined roles and responsibilities.

SUPPLY CHAIN RISK MANAGEMENT

GOAL: Risks associated with control system hardware, software, and managed services are identified and policies and procedures are in place to prevent the exploitation of systems through effective supply chain risk management consistent with best practices (e.g. NIST SP 800-161).

For more details go to this CISA web site here.

Security News for the Week Ending September 24, 2021

Detecting Hidden Cameras in Your Airbnb and Similar Rentals

No one wants to think about this, but it is an issue. Especially in private home/condo rentals, owners are worried about you stealing or damaging their stuff. And some of them are just stalkers. Here is a TikTok video from well-known security researcher Marcus Hutchins on some things that you can do to look for hidden cameras. Credit: Hack Read

Japan Sets New Internet Speed Record – 319,000,000,000,000 bits per second

While not a security issue, it is pretty impressive. This beats the old record of 178 terabits/second. The test was carried out in a lab, but simulated a 3,000 km fiber. This is definitely still experimental, so don’t expect to get this speed at your house any time soon. Credit: Computing (free account required)

The Internet is Going to Break

Well, I don’t think so, but some people are concerned. Let’s Encrypt is that free service that lets web site owners encrypt traffic to and from their website. Let’s Encrypt’s original ROOT CERTIFICATE is going to expire in about a week. They updated their certificate in clients like Chrome and Edge and server software like Linux Apache a long time ago, but what about users that are running old, unsupported software? In a word, they are going to be SOL. The certificate will show as expired and, depending on the situation, the user likely will not be able to establish the connection. If it is a server that has that expired certificate, even if the user has been updated, things won’t work. Bottom line, this is only going to be a problem for old, unsupported systems – but there are a lot of these. Stay tuned. Old IoT devices are most likely to break. If you are responsible for systems, now would be a good time to test. Credit: Portswigger

VoIP Phone Provider Hit by Denial of Service Attack; Has Been Down for a Week

This is the downside of the cloud. VoIP.ms has been battling a massive (they say) distributed denial of service attack since September 16th. They say they have over 80,000 (likely unhappy) customers in 125 countries. All of whom have limited voice service as a result of the attackers wanting VoIP.ms to pay them a ransom to stop the attack. How would your business operate if it did not have phone service for a week? Credit: ZDNet

100 Million IoT Devices Affected by New Bug

NanoMQ is an OPEN SOURCE messaging processing platform that is used in many critical IoT devices like patient monitors, fire detection, car system monitors and smart city applications, among many others. Researchers from Guardara detected multiple vulnerabilities affecting as many as 100 million devices. It could cause the device to crash – that is very simple to do – or worse. Attacks on these kinds of devices are spiking, and until IoT vendors get serious about security, plan on a backup system for anything that is critical. While some people continue to spread the myth that Open Source software is secure, there is not much evidence for that as we see bug after bug revealed in super popular apps, never mind the really niche ones. Credit: Threat Post

Be Careful What Contracts You Sign

While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.

This is a legal battle that goes back several years.

In one corner is Fiserv, the Fortune 200 +/- financial services software behemoth.

In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.

In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.

So Bessemer FCU did some more testing and found more bugs – security holes.

According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to silence Bessemer if they discussed these security bugs with third parties, including other Fiserv customers.

In the end Bessemer sued Fiserv and Fiserv counterclaimed.

Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.

Much of the argument seems to be around the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.

Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.

Without spending a lot of time reviewing legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (like in fixing them, soon) and wants to terminate the contract.

Fiserv, appears to want to silence a critic (boy is that failing) and doesn’t want to let the customer out of its contract.

So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.

  • The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
  • You should review the reasons that you can terminate the contract and what that termination will cost you.
  • You should look for any clauses that stop you from talking about the vendor’s product quality. This is different than disclosing secrets. While bugs and security flaws may be secret, they should not be covered by these types of contract restrictions.
  • Vendors should have a fixed amount of time to fix serious bugs or you should be able to terminate your contract.
  • The contract should spell out that the vendor is liable for your losses as a result of security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?

The lawsuit is ongoing. It will be interesting to see how this works out. Given this is now in the news, Fiserv might be smart to try and make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.

Stay tuned.

But think about those contracts you signed and how you would fare in a similar situation.

On the other side, if you are a software vendor, how would you handle this situation?

Credit: Security Week