The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
146 Security Flaws Shouldn’t be a Shipping Feature
In This Issue:
- Phones are security dumpster fires
- What if the internet is turned off?
- Public sector security execs need to be smacked with a trout
Phones Are Security Dumpster Fires
Security researchers at Kryptowire discovered that brand-new Android smartphones shipped with 146 security flaws.
From the article: "… these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app." The security flaws were found in software pre-installed by the phones' manufacturers. Unfortunately, "… these can’t be de-installed. The only way to patch one of these flaws is for the smartphone maker to be told about the issue and to issue a fix."
Don't hold your breath waiting for that to happen. Samsung in particular has a rather long history of poor security maintenance, even when the security maintenance in question is simply passing along the upstream updates that were added to the stock Android project. None of this is exactly news, of course, but it's worth being reminded once in a while that the most persistent vulnerabilities in Android come from vendor bloatware, and not necessarily the core of Android itself.
That being said, both stock Android and popular store applications absolutely can, and do, contain serious vulnerabilities. This makes keeping on top of patching—and having the ability to patch—an absolute necessity. For examples, see Millions of Android phones may be vulnerable to camera spying vulnerability, and Popular apps on Google Play linked to old remote code execution bugs.
From the first article: Avoid bloatware like the plague. If you must buy Android (and many of us must), then buy from a vendor that sells stock, or near-stock, Android. Also: use mobile device management, and endpoint security. And a VPN.
And maybe a hazmat suit. And a flamethrower. Or just take off and nuke it from orbit. It's the only way to be sure.
What if the Internet Is Turned Off?
What do you do if vital tools for doing business aren't under your control, and can be turned off or held hostage with little or no warning? How the Iranian Government Shut Off the Internet. See also: The Ayatollah Comes for the Internet.
We could do a song and dance here about cloud computing, and woe betide those who must rely entirely on access to applications that don’t live on-premises, but if the past decade of fearmongering on that front hasn't convinced you, then there isn't much point in banging that drum.
It's easy for individuals and organizations in Western nations to dismiss full-fat government shutdowns of internet access as a problem that only affects people in other countries, but that level of internet interference isn't the only approach that can cause harm.
Consider plain old censorship. The U.K. is well known among western nations for trying its hand at forcibly censoring the internet, and both the U.S. and Australia have had a few goes at it as well. So enticing is the idea to those in power, however, that even Canada is getting in on the censorship game: Top Canadian Court Permits Worldwide Internet Censorship.
Add to that issues like BGP poisoning, Fun With DNS™, and even minor annoyances like domain name prices going up: Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed. The internet is littered with potential operational risks that range from "minor annoyances" to "serious business impacts," and reliance on cloud computing only amplifies these risks.
None of this is news, nor at first glance relevant to information security. But we here at The Countermeasure have noticed that whenever outages or incidents as described above hit, scammers jump into action. There has been a noticeable uptick in 2019 of calls to our underground lair by scammers seeking to capitalize on both outages as they happen, and a general fear of censorship.
A standard call might claim that a company's domain has been added to a blacklist, and that their e-mails were not going to get through to intended recipients. Scammers will claim to be from the vendor that supplies the organization with cloud-based e-mail (frequently Google or Microsoft). (We presume the scammers are picking up the provider by examining the MX and/or SPF records in the organization's public-facing DNS.)
Individuals are then encouraged to hand over credentials—usually by being directed to click on a link sent to them in an e-mail in real time during the conversation, where they are then harvested—and attackers do their thing from there. This approach has been used for DNS hijacking, gaining administrative access to ISP management interfaces for an organization, and extorting payments directly. (For example, claiming that an organization's inability to access a resource, or the internet itself, is due to an attacker shutting down access, when in reality that access was blocked at a government level, or is due to a vendor outage.)
There's no one size fits all solution to this, but it is worth a conversation. If an Iran-like event occurs, will your critical data be stuck on the wrong side of someone's Great Firewall? Are your people trained to understand that these events are now part of the new normal, and that they shouldn't fall for scammers trying to capitalize on panic and/or frustration? This approach to social engineering isn't new, but it is increasing in frequency and popularity. If you don't have a training program to deal with it, now is the time.
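To make the "they read it off your DNS" point concrete, here is an added example (written for this newsletter, not code from any of the linked articles) that does what we presume the scammers do: look at a domain's MX hosts and SPF includes and name the hosted mail provider. The DNS records are constructed samples embedded in the script, so it runs offline; the provider suffix table is an illustrative assumption, not a complete list. Run it against your own domain's real records and you will see exactly how much the caller already knows before dialing.

```python
import re

# Constructed sample records, standing in for what a public DNS lookup of a
# target's MX and TXT records returns. Domains and hosts are invented.
SAMPLE_DNS = {
    "cloud-google.example": {
        "MX": ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
        "TXT": ['"v=spf1 include:_spf.google.com ~all"'],
    },
    "cloud-ms.example": {
        "MX": ["0 cloud-ms-example.mail.protection.outlook.com."],
        "TXT": ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"'],
    },
    "onprem.example": {
        "MX": ["10 mail.onprem.example."],
        "TXT": ['"v=spf1 mx ip4:203.0.113.0/24 -all"'],
    },
}

# Hostname suffixes that give a hosted provider away (assumed, illustrative table).
PROVIDER_SUFFIXES = {
    "Google": ("google.com", "googlemail.com"),
    "Microsoft": ("protection.outlook.com", "outlook.com"),
}


def _hostnames_from_mx(mx_records):
    """'10 aspmx.l.google.com.' -> 'aspmx.l.google.com'."""
    return [rr.split()[-1].rstrip(".").lower() for rr in mx_records]


def _hostnames_from_spf(txt_records):
    """Pull include:/redirect= targets out of the v=spf1 record, ignoring other TXT data."""
    hosts = []
    for rr in txt_records:
        txt = rr.strip('"')
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            m = re.match(r"^[+\-~?]?(include:|redirect=)(.+)$", term, re.I)
            if m:
                hosts.append(m.group(2).rstrip(".").lower())
    return hosts


def _match_provider(host):
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return provider
    return None


def identify_mail_provider(mx_records, txt_records):
    """Return the sorted list of providers implied by MX hosts and SPF includes."""
    found = set()
    for host in _hostnames_from_mx(mx_records) + _hostnames_from_spf(txt_records):
        provider = _match_provider(host)
        if provider:
            found.add(provider)
    return sorted(found)


def fingerprint_all(dns=SAMPLE_DNS):
    """Classify every domain in the sample table."""
    return {domain: identify_mail_provider(rec["MX"], rec["TXT"]) for domain, rec in dns.items()}


if __name__ == "__main__":
    for domain, providers in fingerprint_all().items():
        print(f"{domain}: {providers or ['no hosted provider recognised']}")
```

The defensive use is the inverse of the scammer's: if this script names your provider, assume every cold caller can too, and train staff that "I'm calling from Google/Microsoft about your mail delivery" is worth nothing as proof of identity.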
Public Sector Security Execs Need to be Smacked With a Trout
Please read the following article: UK public sector IT chiefs shrug off breach threats: The data we hold isn't that important. If your read was briefly interrupted by your Countermeasure authors banging their heads against a wall, we apologize, and thank you for your patience.
From the article: 'Just over 50 per cent of 420 senior managers quizzed by Sophos agreed with the statement: "The data held by my organisation is less valuable than data in a private sector organisation."'
Of additional interest, the article suggests that executives are reading about infosec in the news, but not talking about it with the people in their own organization—or not getting accurate answers, if those conversations do take place. Also from the article: "Two-thirds of senior IT folk said they had had problems with ransomware during the preceding year, while just 16 per cent of IT bods were incautious enough to make the same confession. Perhaps reflecting the state of media reporting on security, 45 per cent of execs reckoned there had been a "large increase" in "IT security incidents", compared to an impressive 4 per cent of frontline techies."
And on it continues.
First, let's get the obvious out of the way. Any personally identifiable information is valuable, and the value is not determined by whether it was stolen from the public or private sector. It can be sold on the dark web and used in devastating attacks. Don't be the lackwit who made that possible.
Also, maybe your organization needs a "Let's talk about cybersecurity" event. It might help your security posture if all of your key players have an accurate picture of what's going on. Yes, having The Talk™ is never fun, but convincing people to practice safe computing helps protect everyone.
Don't be a fool. Packet inspect your tool.
Podcast of the Week
Tool of the Week
- Ransomware: This free tool decrypts 85 variants of the horror-tinged Jigsaw malware.
- Emsisoft releases new decryptor for Jigsaw ransomware
Fail of the Week
PayMyTab data leak exposes personal information belonging to mobile diners. Secure those AWS buckets, people.
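"Secure those buckets" is easier to say than to check, so here is an added example (ours, not from the linked article, and not PayMyTab's actual configuration) that audits the three things that make an S3 bucket world-readable: a bucket policy granted to an anonymous principal, an ACL grant to the AllUsers or AuthenticatedUsers group, and a missing Block Public Access configuration. The policy, ACL and settings documents are constructed inline in the shape the S3 API returns them; bucket names, account IDs and role names are invented.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_doc):
    """Findings for Allow statements granted to an anonymous principal."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            # A Condition narrows the grant but still needs a human review.
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """(group, permission) pairs handed to AllUsers / AuthenticatedUsers."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def public_access_block_ok(cfg):
    """True only when all four Block Public Access settings are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def audit_bucket(policy_doc, acl, public_access_block):
    """Combine the three checks; with all four blocks on, public grants are neutralised
    (but should still be removed)."""
    stmts = public_policy_statements(policy_doc)
    grants = public_acl_grants(acl)
    blocked = public_access_block_ok(public_access_block)
    return {
        "public_statements": stmts,
        "public_acl_grants": grants,
        "public_access_block_ok": blocked,
        "public": bool(stmts or grants) and not blocked,
    }


# Constructed inputs: the leaky shape, the fixed shape, a 'public-read' ACL,
# and the hardened Block Public Access settings.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::receipts-example", "arn:aws:s3:::receipts-example/*"],
    }],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/receipts-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::receipts-example/*",
    }],
}
PUBLIC_READ_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ],
}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(LEAKY_POLICY, PUBLIC_READ_ACL, {}), indent=2))
    print(json.dumps(audit_bucket(FIXED_POLICY, {"Grants": []}, HARDENED_PAB), indent=2))
```

To run this against real buckets, feed it the documents returned by the boto3 S3 client's get_bucket_policy (the "Policy" string), get_bucket_acl, and get_public_access_block (the "PublicAccessBlockConfiguration" dict); the last two calls raise when no ACL grants or no block configuration exist, which for the block configuration should itself count as a finding.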
End of Support = End of Security Patches
- Adobe Acrobat and Reader 2015 reach end of support. If you use these, update to a newer version. If this seems too obvious to be worth a mention, may we point out that Adobe customers don't seem to be terribly speedy on the patching front. A little stating of the obvious may be in order: Half of Oracle E-Business customers open to months-old bank fraud flaw.
- Official Monero site delivers malicious cash-grabbing wallet. "Like a lot of software vendors, The Monero Project publishes SHA-256 hashes of its software. Users can check their software download by running it through a SHA-256 hashing function to see if it matches the published hash." On the one hand, checking hashes of downloaded software is a useful precaution. On the other hand, people don't usually need to have a cryptocurrency wallet for work. Blocking traffic from cryptocurrency sites is one way of reducing your attack surface.
- Ransomware Bites 400 Veterinary Hospitals
- This fake software update tries to download malware onto your PC even when you click 'later'
- New Phoenix Keylogger tries to stop over 80 security products to avoid detection
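On the Monero item above: checking a published hash is cheap, so here is an added example (ours, not The Monero Project's tooling) of doing it properly: parse a sha256sum-style hash list, hash the download in chunks, and compare digests with a constant-time comparison. The hash list and the "download" are constructed; the one real number in it is the standard SHA-256 test vector for the bytes b"abc", so the good case genuinely verifies, and the filename is invented.

```python
import hashlib
import hmac
import io

# Constructed stand-in for a vendor's published hash list in `sha256sum` format
# ("<sha256>  <filename>" per line). The digest is SHA-256 of b"abc".
PUBLISHED_HASHES = """\
# hashes.txt (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-wallet-v0.0.0.tar.bz2
"""


def parse_hash_list(text):
    """Map filename -> expected hex digest; skip blanks and comments, reject junk."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*").strip()  # sha256sum's binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed hash line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_hex(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large download is never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(stream, filename, hash_list_text):
    """True only if the file is listed and its digest matches; unknown files fail closed."""
    expected = parse_hash_list(hash_list_text)
    if filename not in expected:
        return False
    return hmac.compare_digest(sha256_hex(stream), expected[filename])


def verify_bytes(data, filename, hash_list_text=PUBLISHED_HASHES):
    """Convenience wrapper for in-memory data."""
    return verify_download(io.BytesIO(data), filename, hash_list_text)


if __name__ == "__main__":
    name = "example-wallet-v0.0.0.tar.bz2"
    print("good download:", verify_bytes(b"abc", name))      # matches published digest
    print("tampered download:", verify_bytes(b"abd", name))  # one byte off, fails
```

The caveat that matters: a hash only helps if it comes from somewhere the person who swapped the binary could not also edit. A hash list sitting next to the download on the same compromised page proves nothing; compare against a signed hash file, a second mirror, or a copy you fetched earlier, and treat a missing entry as a failure rather than a pass.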