Daily Archives: October 9, 2018

Risky Business #517 — Bloomberg’s dumpster fire lights up infosec

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Bloomberg’s shaky, disputed report on hardware back doors
  • A look back on other false reports about imaginary incidents published by Bloomberg
  • GRU operations doxed by GCHQ
  • DOJ charges Russian intelligence officers
  • APT crews targeting MSPs
  • Google+ API exposure the final straw
  • Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

(9+)Turkish Pipeline Explosion Probably No Cyber ​​Attack - Digital - Süddeutsche.de
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Codebook - October 10, 2018 - Axios
Patrick Gray on Twitter: "Just got this from Bloomberg PR.… "
Apple Bloomberg Congressional Letter
Patrick Gray on Twitter: "Holy shit… "
Report: Apple designing its own servers to avoid snooping | Ars Technica
Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg
HHM22137A2 TDK | Mouser Australia
Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site
Justice Department charges 7 Russian intelligence officers
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice
Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country."
Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT
Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet
Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times
Google forcibly enables G Suite alerts for government-backed attacks | ZDNet
SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-"
Google sets new rules for third-party apps to access Gmail data | ZDNet
It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet
CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard
Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet
U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Senetas, a leading provider of encryption technology

Does PCI Matter?

There’s an interesting article at the CBC, about how in Canada, “More than a dozen federal departments flunked a credit card security test:”

Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.

There are some interesting details about the who and why, but what I want to focus on is the lack of (detected) breaches to date, and the impact of the audit failure.

The fact that there have been no breaches detected is usually a no-op, you can’t learn anything from it, but with credit cards, there’s a “Common Point of Purchase” analysis program that eventually turns a spotlight on larger “merchants” who’ve been breached. So the lack of detection tells us something, which is that a large set of PCI failures don’t lead to breaches. From that we can, again, question if PCI prevents breaches, or if it does so better than other security investments.

The second thing is that this is now a “drop everything and fix it” issue, because it’s in the press. Should passing PCI be the top priority for government agencies? I generally don’t think so, but likely it will absorb the security budget for the year for a dozen departments.

The VORACLE OpenVPN Attack: What You Need to Know

Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi networks. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamad Nafeez, is making some people reconsider this this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.

Under the Hood of a VPN

A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.

About the VORACLE VPN Vulnerability

At a high level, VORACLE leverages a vulnerability found in the open-source OpenVPN protocol. OpenVPN is an open-source protocol used by the majority of VPN providers, meaning many VPN products are affected.

The VORACLE attack can recover HTTP traffic sent via encrypted VPN connections under certain conditions, the first being that the VPN app in use enables compression via the OpenVPN protocol. A  hacker must be on the same network and able to lure you to an HTTP (not HTTPS) site with malicious code through phishing or a similar other tactic. The attack can happen on all web browsers but Google Chrome, due to the way in which HTTP requests are made.

Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.

  • Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time-password sent to your phone, bio metrics (say, a thumb print), or a security token that you’ll need to confirm before getting access to your account.
  • Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
  • Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
  • Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hot spot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
  • Do continue to use a personal VPN when you’re on the go and using Wi-Fi– just be sure to do so while having an additional layer of security in place so that if a similar vulnerability is discovered, you’ll already have a backup.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The VORACLE OpenVPN Attack: What You Need to Know appeared first on McAfee Blogs.

When the Digital Impacts the Physical

Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.

When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, the same holds true with numerous medical devices such as pacemakers. But that makes the latter part of the ”Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices. Just last year, the FBI recalled half a million pacemakers, as a crucial flaw was discovered that could expose users to an attack. Additionally, security researchers recently revealed a chain of vulnerabilities in a particular pacemaker brand that an attacker could exploit to control implanted pacemakers remotely and cause physical harm to patients.

Cybercriminals have also set their sights on larger targets when it comes to hacking health care devices and institutions. We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems. Some of these attacks locked patient data and made proper care unachievable for hours on end.

Hospitals are also not the only type of critical infrastructure that’s been on the victim’s end of a cyberattack. In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in the Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.

There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data, even when certain settings are off or when the user is unaware of the action. Specifically, it was discovered that even if a user disables Location History, Google still tracks users in particular instances — whenever they open up the Maps app, scan the internet for certain things, or receive automatic weather notifications. Even smartwatches have been used recently to record and track kids’ physical location.

Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it. But as the threat landscape is evolving, so is the industry determined to protect innocent users everywhere.

We at McAfee are working together with our entire industry to stop these types of attacks. We’re sharing threat intelligence, resources, and research findings to ensure we put up a united front against these threats. By learning from these attacks, we’re better preparing for those to come.

We believe that together is power. And though these attacks are advanced, we know that acting together to stop them will be even more powerful.

To learn more about McAfee’s approach to protecting against advanced cyberattacks and more, be sure to check us out at @McAfee and @McAfee_Labs.


The post When the Digital Impacts the Physical appeared first on McAfee Blogs.

Application Security Mistake No. 6: Going It Alone

We’ve been in the application security business for more than 10 years, and we’ve learned a lot in that time about what works, and what doesn’t. This is the sixth and final post in a blog series that takes a look at some of the most common mistakes we see that lead to failed AppSec initiatives. Use our experience to make sure you avoid these mistakes and set yourself up for application security success.

Why AppSec Expertise and Experience Matters

Defining and growing an application security program for your organization can be a daunting task, and it requires people with a deep understanding of software security. In addition, when your program is up and running, finding vulnerabilities in your code is only the first step. The second is remediation, which requires knowledge, experience, and specialized developers. What happens if you get stuck and don’t know the right way to remediate?

Whether you are figuring out where to start or trying to scale an established application security program, getting help from people with experience can improve the effectiveness and maturity of your program.

What happens to your application security program without enough or the right staff? The negative impacts include:

  • Delayed software releases because security issues are not getting fixed in time
  • Ever increasing technical debt because found flaws are not fixed
  • Developers are frustrated, creating friction with the security team
  • AppSec issues become marginalized due to perceived inability to do anything about it
  • Increasing information security risk exposure

Yet organizations struggle to find the right people who fit that bill. Veracode recently sponsored the DevSecOps Global Skills Survey from DevOps.com and found that nearly one in three technology professionals said the IT workforce is unprepared to securely deliver software at DevOps speeds, and just over half said they believe it is only somewhat prepared.

The survey also revealed that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

Finally, the 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Evidence of the Expertise Edge

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise.

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get coaching from security experts fix 88 percent more flaws.

Learn From Others’ Mistakes

Don’t repeat the mistakes of the past; learn from other organizations and avoid the most common AppSec pitfalls. Today’s tip: Extend your security team with outside AppSec expertise. Get details on all six of the most popular mistakes in our eBook, AppSec: What Not to Do.

What is IAM? Identity and access management explained

IAM definition

Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management. The core objective of IAM systems is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified and monitored throughout each user’s “access lifecycle.” 

CVE-2018-12474 (tar_scm)

Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to cause access and extract information outside the current build or cause the creation of file in attacker controlled locations. Affected releases are openSUSE Open Build Service: versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106.