Get Your Copy.
The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
🔑 Don’t Leave the Keys to the Kingdom in Plain Sight 👀
In This Issue:
- Crypto keys are NOT house keys
- Calm down, security reporters
- Everything we thought we knew is wrong (again)
Crypto Keys Are NOT House Keys
General purpose cryptography has two general approaches. The simplest is a shared secret approach: one feeds a key (or password) to an algorithm, and that key is used to both encrypt and decrypt things.
The other approach is to use Public Key Infrastructure (PKI). PKI has both public keys and private keys. Public keys are used for encryption, private keys for decryption. So far, so simple. Infosec 101.
So why—we ask you, seriously, why?—are developers still embedding shared secrets and/or private keys into everything from firmware images to source code publicly accessible on GitHub? This week, there were several stories about cryptographic keys turning up where they shouldn't, including this one: Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides.
If you misplace the key to your house, that's cause for concern, but it's likely more of an inconvenience than a huge security risk. Maybe that's why headlines like this one don't sound like a big deal: Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps.
Crypto keys aren't quite like house keys. This article goes into details: 4.5 million web servers have private keys that are publicly known! Sharp-eyed readers will notice that this explainer is several years old… because "hiding" digital keys in actually really obvious places is a practice that has been around for a while, and it's still not dead yet.
Do. Not. Embed. Shared. Secrets. Or. Private. Keys. Do not do. If your company is commissioning an app, a website, or pretty much anything built from a string of ones and zeroes, get someone who knows what they’re doing to check for obvious crypto blunders before launch.
Calm Down, Security Reporters
This week we'd like to draw attention to some sensationalist reporting. While we're not fond of the idea of throwing fellow scribes under the bus, the piece in question is an example of exactly why the most important skill to hone in tech is a carefully refined malarkey detector.
The story in question involves Supermicro. Some researchers found some IPMI bugs. The company issued patches. Yawn. Hey, we wish all infosec stories were this boring, but if they were, there would be nothing for us to write about every week. Even the slow summer news cycle, however, fails to explain why infosec publications would not shut up about this story, some discussing it in frankly hysterical language.
For an example of the over-the-top reporting, see here: Supermicro Bug Could Let "Virtual USBs" Take Over Corporate Servers.
A less operatic version of the story is here: Over 47,000 Supermicro servers are exposing BMC ports on the internet.
The important bit is the same today as it has been for literally decades: "This isn't the first time that security experts are warning about leaving BMC/IPMI management interfaces accessible from the internet." So… those 47,000 servers with their IPMIs hanging out for the world to see… none of them could possibly be yours, right? Sure, you go check. We'll wait.
Do not connect your baseband management controllers to the internet. We should not have to be saying this in the back half of 2019. This isn't rocket surgery. It's basic infosec from the 1990s.
What you should do is check to make sure that your baseband management controllers aren't configured to share the same network interface as any other interface on your system not connected to a dedicated management network. Segment your networks so that management traffic never transits the internet, never touches production internet networks, and is generally completely separate from all other traffic on your network.
Everything We Thought We Knew Is Wrong (Again)
It's been "common knowledge" for several years that iOS is more secure than Android. But like many things that are "common knowledge," the truth doesn't quite align with the popular narrative. Zerodium, well known for paying for exploits which it then sells to governments, has recently started offering more for Android exploits than for iOS ones. The Grugq has a great related thread on Twitter.
Further demolishing the image of iOS as the ultimate in security is Google: Google security crew sheds light on long-running super-stealthy iOS spyware operation. From the article: "'I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million,' he said. 'I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.'" Quite.
Piling on, we have Massive iPhone Hack Targets Uyghurs. "This upends pretty much everything we know about iPhone hacking. We believed that it was hard. We believed that effective zero-day exploits cost $2M or $3M, and were used sparingly by governments only against high-value targets. We believed that if an exploit was used too frequently, it would be quickly discovered and patched. None of that is true here."
It would be great if we could suggest three easy steps to prevent something like this from ever happening to you. We can't, and that's actually why we're bringing this story to your attention. Sure, the short term fix is to make sure all of your devices are fully patched. But that won't prevent the next massive operation using millions of dollars of zero-day exploits.
Assume everything is compromised.
In the words of Ian Beer, one of the bug hunters involved in this discovery, "All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.
Resource of the Week
Tool of the Week
- Phishers are Angling for Your Cloud Providers
- Twitter disables SMS-to-tweet feature after its CEO got hacked last week
- QR codes need security revamp, says creator
- Phishing Campaign Uses SharePoint to Slip Past Defenses
- The Top Reason Businesses Make a Cyber Insurance Claim - Business Email Compromise
- CEO voice deepfake blamed for scam that stole $243,000
- Spam In your Calendar? Here’s What to Do.
- Microsoft: Using multi-factor authentication blocks 99.9% of account hacks