Tag Archives: Software supply chain

Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100 acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all people within a 100 acre block of land is a lot of people and who are not particularly suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16 year old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 gig of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are and has seized several domains that were posing as Microsoft domains and were being run by the Russian spy agency GRU and created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb and said what web sites and what do you mean impacting the elections.  No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates. (Source: CNN)

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched computer running Apache Struts software.  Now there is another Apache Struts bug and this one is being called critical.   Its Common Vulnerability Scoring System (CVSS) score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMware?  Well then, you might be using Struts (depends on exactly which product from those companies that you use). (Source: Risk Based Security)

News Bites For June 22, 2018

Latest Cost Estimates For Equifax Breach is $439 Million

According to recent (March) tax filings, costs related to their breach are now $439 million, making the Equifax breach the costliest in US history.  Assuming insurance does pay, it would cover, at most, $125 million, leaving Equifax to write a check for $300 million plus.  Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow.  While Equifax’s investors can write that check, I am sure that none of them are happy about doing so.  (Source: Computing.co)

Apple, Others Allow Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI

After all, what could go wrong?

U.S. tech companies have given in to Russian, Chinese and other countries’ demands to review the source code for their products.  Not only does this expose vulnerabilities (which they likely will NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never ending quest to increase sales and profit.

A bill currently in Congress would force companies who do business with the government to disclose any source code review done by military adversaries.  Forcing companies to disclose will keep the pressure on to stop doing that.

The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.

The companies say that the reviews are done in company controlled facilities.  I am sure that they use one of those memory wipers from the Men In Black movies on the reviewers before they leave the room.

The knowledge that the Russians and Chinese get is, of course, used against everyday companies as well as the government and is used to build competing products that they sell against ours.

The article has a graphic with examples of software reviewed and who uses it.  (Source: Reuters)

Senate Votes 85 to 10 to Continue ZTE Ban

ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month from buying parts and selling products in the U.S. by the Commerce Department.  President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion dollar fine and saying that would make it a non-threat.  The Senate attached a bill to the Defense Authorization Bill outlawing ZTE, nullifying Trump’s gimmicky non-solution.  Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10, any veto would be quickly overridden. (Source: Politico)

macOS Quicklook Feature Exposes Data on Encrypted Volumes

Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your Mac.  macOS conveniently creates thumbnails of those pictures to show you and stores them unencrypted, so while the full resolution picture is encrypted, the thumbnail is not.  Apple says this is a feature and is not going to fix it.

This problem also exists on Windows.  If you store a Word or Excel document, for example, on an encrypted volume, the temp file that those programs use will be on an unencrypted system volume.  The only way to “fix” this is to encrypt the system volume. (Source: Ars Technica)

Software Supply Chain is a Critical Issue

Recently there have been a number of reports of cities having credit card breaches.  It turns out that it all ties back to the same vendor that those cities all use called Superion.  At least 10 cities have reported being breached and there are probably more.  Superion has finally admitted that the breach was due to a WebLogic (Oracle) bug that had not been patched.  The cities counted on Superion to keep them safe.  Superion is blaming Oracle.  Ultimately, it is the cities and taxpayers who will foot the bill for this mess – a mess caused by not managing the entire software supply chain from end to end.  Likely those cities were not even aware that they were running Oracle software.  Whose fault is that?  (Source: Dark Reading)

Software Supply Chain Attacks are Real

For those of you who have been reading my blog for some time, you know that I have written about the software supply chain security problem.  In a nutshell, the problem is that programmers rarely write code from zero anymore.  Instead teams write pieces of code and integrate them.  Then there is limited testing due to time and budget.  Finally, everyone crosses their fingers and the code is released.

The folks at CCleaner discovered the hard way that it doesn’t always work out the way you expected.  Or hoped.

About 6 months ago researchers at Talos (a part of Cisco) and Morphisec discovered that the absurdly popular disk cleaner software CCleaner had been compromised and was downloading infected software from the official web site and had been doing so for a month.

Worse yet, the code was cryptographically signed, meaning two things: most users would trust it, and the attack happened from within CCleaner’s four walls.

Finally more details of the story are coming out; useful for anyone else that writes software, for free or for money, and distributes it to outside parties.  This could be YOU!

2.27 million infected downloads (in just a month) later, Avast, the owner of CCleaner, is spilling the beans.

Not only is this a software supply chain lesson, but it is also a merger and acquisition lesson because this was discovered right after Avast bought CCleaner from Piriform.

The attackers had stolen credentials and used them to log into Piriform’s London network using the remote desktop software TeamViewer that Piriform used.  From there they infected other computers, only working at night when the computers were likely not used, to avoid detection.

They then installed some malware called Shadowpad, which allowed them, among other things, to log every single keystroke on the infected machines.

Then they waited.  Two months after the acquisition closed, they infected the software inside the fence and waited for the infected software to be signed and uploaded to the web.

The attackers were very smart on top of this.  While 2.27 million infected copies were downloaded and 1.65 million copies asked the control server for instructions, only 40 payloads, representing 11 highly targeted companies, were activated with a second stage.  That is very patient: letting over two million infected copies go out in order to hit only 40 very precisely chosen targets.  Those targets were in particular tech companies like Cisco.

Information for this post came from Wired.

So what does this mean for you?

First, if you are acquiring a company – or selling one – this could happen to you.  If you are the seller, you could be sued for millions.  If you are the buyer you could be on the hook for millions.  It all hinges on the words in the contract.  CONDUCTING SOFTWARE SECURITY DUE DILIGENCE DURING AN ACQUISITION IS VERY IMPORTANT.  This is an example of why.

While this is not an example of downloading an infected library, the library did get infected.  How did the bad guys infect the code and get it checked in to the official library?  How come no review detected the added code that no one officially added?  The SECURE SOFTWARE DEVELOPMENT LIFECYCLE process might have caught this.

Could this have been caught during testing?  Probably.  You would have needed to be watching for where on the Internet CCleaner was talking to – and where it shouldn’t have been.  In fact, since it was trying to talk to Russia and Korea, that could have been an alarm bell, since the test network likely should never have tried to do that.  But you have to be looking for it.
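One way to "be looking for it" is an egress allow-list check over the test network's connection logs. This is an added example, not code from the original post or from Avast/Piriform; it assumes a simple one-connection-per-line log format and a hypothetical allow-list of the hosts the build under test is supposed to contact. Everything else is reported, with a flag for destinations that are literal IP addresses rather than DNS names.

```python
# Added example: flag outbound connections from a test network that are not
# on an allow-list. Assumed log format (not from the original post):
# 'timestamp src dst:port proto', one connection per line.
import ipaddress
import re

# Constructed sample log; 203.0.113.77 is a documentation address, not a real IoC.
SAMPLE_LOG = """\
2017-08-12T02:14:03Z 10.20.0.15 update.vendor.example:443 tcp
2017-08-12T02:14:09Z 10.20.0.15 crl.vendor.example:80 tcp
2017-08-12T02:15:41Z 10.20.0.15 203.0.113.77:443 tcp
2017-08-12T03:15:40Z 10.20.0.15 203.0.113.77:443 tcp
2017-08-12T04:15:44Z 10.20.0.15 203.0.113.77:443 tcp
2017-08-12T04:16:02Z 10.20.0.22 ntp.vendor.example:123 udp
"""

# Hypothetical allow-list: the only hosts the build under test should contact.
EXPECTED_DESTINATIONS = ("update.vendor.example", "crl.vendor.example", "*.vendor.example")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\w+)$")


def destination_allowed(host, allowed=EXPECTED_DESTINATIONS):
    """True if host is on the allow-list; '*.suffix' patterns match subdomains."""
    host = host.lower()
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
        if host == pattern:
            return True
    return False


def is_bare_ip(host):
    """Update traffic normally goes to a DNS name; a literal IP deserves a look."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_unexpected_egress(log_text, allowed=EXPECTED_DESTINATIONS):
    """Group connections to non-allow-listed destinations by host:port/proto."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format; skip it
        rec = m.groupdict()
        if destination_allowed(rec["dst"], allowed):
            continue
        key = f"{rec['dst']}:{rec['port']}/{rec['proto']}"
        entry = findings.setdefault(key, {"count": 0, "first_seen": rec["ts"],
                                          "sources": set(),
                                          "bare_ip": is_bare_ip(rec["dst"])})
        entry["count"] += 1
        entry["sources"].add(rec["src"])
    return findings
```

Running `find_unexpected_egress(SAMPLE_LOG)` on the constructed log reports the one destination that is neither the vendor's update host nor anything under its domain, with its hit count and first-seen time, which is exactly the kind of alarm bell the post describes.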

How come the attackers were able to compromise TeamViewer in the first place?  My bet is that Piriform was not using two-factor authentication.  Bad boys and girls.  I know two-factor is not friendly.  Neither is having 2 million infected copies of your software downloaded by your customers.

In the end you need to look at the entire software development process and think like a hacker to decide where he or she could compromise the process.

Obviously, these guys did.

How many other companies are already infected and don’t even know it?  THAT IS WHAT IS SCARY!

Russian AV Software Banned While FBI Uses Russian Fingerprint Software

Gene Kaspersky’s anti-virus software has been banned from being used by the Federal government mostly because an NSA software developer went “off the reservation”, took some classified software home and loaded it on a personally owned PC running Kaspersky’s AV software configured by the developer to share potentially malicious software with Kaspersky, thereby compromising an entire development project (see article here).

That was enough to get Kaspersky’s software banned from the government.

In the meantime, it appears, the FBI and 18,000 other law enforcement agencies are running fingerprint software developed by a French company who partnered, secretly, with a Russian company.

The Russian company has close ties to Putin, the Kremlin and the FSB.

The FBI opted to buy the fingerprint software from Paris based Safran rather than from a U.S. based company.

The Paris company partnered with Russian company Papillion to improve its software capabilities but decided to keep that fact completely secret.  Papillion boasts on its web site about working with the FSB, the successor to the KGB.  In the agreement between the two companies, it says that they need to keep the agreement secret because if it came out that the Russian software was in use it might doom the French company’s bid.

Apparently, according to documents which are part of a whistleblower lawsuit, the Russian company signed a document that there were no backdoors in their code.  That, I am sure, will handle all issues.

At risk here is the fingerprint and related data of tens of millions of Americans and others whose fingerprints are stored by those 18,000 law enforcement agencies.

After all, if the FSB front company signed a piece of paper that their software had no backdoors in it, surely they would not lie about something like that, would they?

As the whistleblower suit proceeds we will know more.

I also assume that FBI, NSA and contractor software and security experts are poring over that software with a high power microscope.

However, one more time, it points out the critical nature of understanding the software supply chain.  Every piece of software developed has a software supply chain and we can certainly cover our eyes and pretend it is not a problem.  I don’t think that is working out so well for the FBI right now.

Information for this post came from Buzzfeed.

Equifax, Trans Union and the Software Supply Chain

One more time, Equifax is in the news – but they are not alone!

Users thought that Equifax had been hacked again because when customers went to a particular help page on their web site, they were redirected to a page directing them to download a malicious, fake, Adobe Flash update.

Hopefully, no one is running Flash anymore, so the request to update Flash could be safely ignored anyway.

Given the optics of the whole thing, Equifax immediately took that page offline.

The IRS, who has reputation optics problems of its own and who just renewed a $7 million no-bid contract to Equifax AFTER the first breach, immediately suspended the renewed Equifax contract, even though doing so removed some functionality from the IRS web site.  Given the complexity of government contracting rules, the IRS is limited in what it can and cannot do, but that didn’t stop Congress-critters from trying to score points with their constituents by yelling at the IRS.

In the meantime, researchers discovered that Transunion’s web site for Central America was serving up the same, exact malware!  Within a couple of hours, Transunion said that they had fixed the web site and were scanning their other web sites to see which ones were affected or infected.

It turns out, in this case, that neither Transunion nor Equifax had been breached.

The problem was, as I keep saying at every opportunity, a software supply chain problem.

The software supply chain problem comes from the fact that most web sites integrate some (or a lot of) third party code.  That code can be infected and then infect the users of the company’s web site.

In this case, both Transunion and Equifax used a company called Fireclick.  Fireclick goes through a bunch of gyrations but eventually either displays a fake survey, a fake Flash update or another exploit.  Fireclick, part of the conglomerate Digital River, provides web site analytics.  Or it should.  But, apparently, they got compromised and likely compromised HUNDREDS if not THOUSANDS of web sites that use their analytic software.

Fireclick pulls in code from a fourth party, Netflame.
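A first party can limit how far that chain is allowed to run with a Content-Security-Policy script-src allow-list that names only the vendor it actually contracted with. The following is an added example, not code from the original post or from any of the companies named; the host names are constructed, and the matcher is a deliberately minimal model of CSP host-source matching (ports, paths, nonces, hashes and the bare `*` source are not modelled).

```python
# Added example: a minimal CSP script-src matcher showing how an allow-list that
# names only the analytics vendor you contracted with blocks a fourth-party script
# that vendor's tag pulls in. Host names are constructed; ports, paths, nonces,
# hashes and the bare '*' source are not modelled (a real CSP check handles them).
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.bureau.example"

# Weak: 'https:' is a scheme-source, so any https host may serve script.
WEAK_POLICY = "default-src 'self'; script-src 'self' https: 'unsafe-inline'"
# Corrected: only the page's own origin and the one vendor under contract.
STRICT_POLICY = "default-src 'self'; script-src 'self' https://tags.analytics.example"

# Load chain from the post, with constructed names: first party -> third party -> fourth party.
SCRIPT_CHAIN = [
    "https://www.bureau.example/static/app.js",
    "https://tags.analytics.example/tag.js",
    "https://cdn.fourthparty.example/loader.js",
]


def parse_script_src(policy):
    """Return the source expressions of the script-src directive, or []."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def host_matches(pattern, host):
    """CSP host matching: exact name, or a '*.' prefix for any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def script_allowed(policy, script_url, page_origin=PAGE_ORIGIN):
    """True if script_url may execute under the policy's script-src."""
    sources = parse_script_src(policy)
    if not sources or "'none'" in sources:
        return False
    url, page = urlsplit(script_url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (url.scheme, url.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline', nonces, hashes: irrelevant to a URL source
        elif src.endswith(":") and "://" not in src:
            if url.scheme == src[:-1].lower():  # scheme-source such as https:
                return True
        else:
            scheme, sep, rest = src.partition("://")
            if not sep:  # no scheme in the source: it must match the page's scheme
                scheme, rest = page.scheme, src
            host = rest.split("/", 1)[0].split(":", 1)[0]
            if url.scheme == scheme.lower() and host_matches(host.lower(), url.hostname.lower()):
                return True
    return False


def audit_chain(policy, chain=SCRIPT_CHAIN):
    """Map each script in the load chain to whether the policy permits it."""
    return {u: script_allowed(policy, u) for u in chain}
```

Under the weak policy every script in the chain loads; under the corrected one the fourth-party loader is refused while the contracted vendor's tag still runs. The policy does not stop a compromised vendor script from misbehaving within its own origin, so it narrows the blast radius rather than removing the need to vet the vendor.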

So the question is – whose fault is this?

I lay the fault at the feet of companies that use third (and fourth) party code.  As soon as a company decides to do that, they “own” the problem that code causes.  No one cares that Equifax and Transunion use a third or fourth party.  They visited Equifax’s or Transunion’s web site and were served malicious content.

Equifax and Transunion deserve and get the black eye.

So if you develop software, pay others to develop software or use commercial or open source software (which should cover just about everyone with a computer), you need to understand this software supply chain problem and have a policy and procedures to deal with it.

Attackers have figured out time and time again that it is easier to attack your supply chain than to attack you.

AND, if the attackers are successful and your customers are compromised, they are going to come after you and the courts will, most likely, hold you liable.

So, two more things for your to-do list besides creating a software supply chain risk management program, are getting cyber insurance so that you are not left holding the financial bag when your vendors screw up (while you might, possibly, be able to sue them, even if you are successful, it will take you years to recover any money) and making sure that your contracts with third parties (assuming there are contracts and that you have some say over what is in them) hold those parties responsible and financially liable for damage that they cause to you.  If there are no contracts or you can’t get the vendor to assume the liability of infecting you, you need to make sure that you address that risk in your risk management program.

Information for this post came from SC Magazine, Politico and Ars Technica.

Another Open Source Software Supply Chain Issue

Let’s combine all the possible cyber risk concerns into one sentence.

A bug in an open source library used by major IoT vendors is raising the spectre of software supply chain/vendor risk management issues for all developers.

The vendor in question is Axis Communications.  Whether you know it or not, you have seen their security cameras across the country including in high profile places like airports and stadiums.  That is the IoT part.

The open source part is a library that Axis and tens of thousands of other products use called gSoap.  gSoap is available on Sourceforge and has been downloaded 30,000 times in 2017 alone.  Since a developer or developer’s company only has to download it once to use it in hundreds of products, the scope of use of this software is unknown, but large.  Given the number of cameras that Axis alone sells, it likely affects millions of devices.

The bug, called Devil’s Ivy, is going to be very difficult to stamp out.

Developers have to understand their software supply chain.  Axis, for its part, is at least trying to spread the word about the problem.  There is a patch available.

But then there is the supply chain issue.  You or I might have an IoT (or other) product that uses this library, but there is no easy way for us to know whether we do or not.  The vendor who downloaded the library and then integrated it into their software has to understand that that library has a patch cycle of its own.

ASSUMING the vendor understands the problem, they have to rebuild their software.  If the software is like gSoap, which has been downloaded over a million times, there is no easy way to get the word out, since there is no vendor selling it and no support contract with names and phone numbers.

To make it worse, let’s say that Axis downloads the patched library, figures out which models of their cameras use it and generates a new version of the firmware for that camera.  How do they get the word out to their millions of customers that there is a new version of the firmware for some object that is hanging from the ceiling in a store, stadium or airport?  That is not an easy job.

From the customer’s standpoint, their vendor risk management program needs to be asking questions about how their vendor is keeping up to date on their software supply chain and how they are notifying their customers about new software versions.

Now it is a simple matter of patching an IoT device hanging 30 feet or a hundred feet in the air in the middle of a store, school, stadium or airport.  Did I say SIMPLE?

All in all, a bit of a mess, but with some work it is possible to reduce the risk.  However, it will take work on the part of developers, manufacturers and end users.  THAT is not simple either.

Information for this post came from Senrio.