Get Your Copy.
The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
A Sidewalk Into the Unknown?
In This Issue:
- A Sidewalk into the unknown?
- Routers now a target for payment card theft
- Clouds are leaking more than rain
A Sidewalk Into the Unknown?
Amazon Sidewalk is a new long-range wireless network for your stuff. By "long range," we mean Amazon Sidewalk extends beyond Wi-Fi and Bluetooth range to control more gadgets. But just what exactly is Amazon Sidewalk?
Amazon announces Fetch pet tracker that uses new Sidewalk networking claims that Sidewalk is a "secure wireless standard," but offers no elaboration. “Secure” could be mean anything in this context, as it looks like Amazon has basically invented their own protocol (which we can only assume is based on spread-spectrum chirp tech) that operates in the 900Mhz range.
Now, 900Mhz is a freely usable public chunk of spectrum. So you'll see a lot of discussion about how Sidewalk is "compliant," but you'd be right to ask "complying with what, exactly? Complying with the security they just invented for their own protocol?”
If searching for "900Mhz" and "compliance," you get this:
Commission Proposes To Reconfigure the 900 MHz Band To Facilitate Broadband Services. It's about a million pages long; good luck. Shorter version: FCC Proposes Sweeping 900 MHz Band Changes, Including Voluntary Broadband Exchange.
Putting those thoughts to one side for a moment, it's worth also noting that Amazon also announced a large number of Alexa-enabled IoT devices, including wearables. New Amazon Echo devices: Prices, release dates, and pre-order info.
Long range, IoT devices, and an unknown protocol with undisclosed security: We here at The Countermeasure wonder what the OpSec and GDPR implications are of this.
While we suspect that Amazon is using 900Mhz spread-spectrum chrip tech—which we're not 100% certain of—it's worth nothing that this technology would not be exclusive to Amazon. This sort of chirp tech is being used in all sorts of IoT devices.
It was nowhere a year ago, and we're seeing it everywhere today. It’s effectively impossible to detect—just ask your local military how hard it is to detect spread-spectrum communications—and the chips required to make it go are now being stamped out for pennies. They're low throughput (for now), but more than enough to serve as a command and control channel for ne'er-do-wells.
Actually, on this one... we've got nothing. If Amazon's 900Mhz IoT protocol is in fact spread-spectrum chirp tech, then the consumer proliferation of this technology is straight up terrifying. Not only can we not think of a way to defend against it (jamming the 900Mhz band is illegal), but even detecting that it's in use would be pretty hard.
If you have any contacts at Amazon, now's the time to lean on them to get Amazon to build a widget that we can deploy on our premises to detect if someone is using their specific tech. But all it takes is someone to use a slightly different variant of chirp tech, or to root a few of Amazon's devices, and suddenly they have an unstoppable and undetectable communications channel. We expect to see demos of exactly this at Defcon 2020
Routers Now a Target for Payment Card Theft
You know how infosec people have been saying for years that literally anything on your network can be compromised? Lightbulbs, printers, even network switches and routers? Well gather 'round, y'all! Router compromises are no longer just for cheap consumer devices: Hackers looking into injecting card stealing code on routers, rather than websites.
Compromising core network devices, especially Layer 7 routers and firewalls, is a Very Big Problem. Beyond the part where these devices have the ability to see a large number of data flows on any given network, these are also the devices which are typically responsible for cracking open encrypted TLS data flows to examine what's inside.
Secure your networking equipment—i.e., switches and routers—this instant. By this, we do not mean "put a firewall in front of them." We mean "make sure that you need multi-factor authentication in order to administer them." Make sure that your centralized management plane has robust RBAC, multi-factor authentication, and other security controls. If your vendors don't support this, start screaming. Loudly.
Clouds Are Leaking More Than Rain
Does it feel like we keep repeating this story, only changing the name of the company from one week to the next? Organizations must stop exposing unsecured production servers full of Personally Identifiable Information (PII) to the internet, so that we can write about something else.
If, like us, you’re wondering why organizations keep making the same basic mistakes, then you might take some comfort in knowing that researchers at McAfee got so curious about the problem that they looked into this. Why do cloud leaks keep happening? Because no one has a clue how their instances are configured. The money quote is below:
"...most businesses are woefully unaware of what data they have facing the internet.
Customers told the security house they had, on average, around 37 instances of misconfigured systems and folders arise per month. In reality, McAfee places this number closer to 3,500 incidents per month as databases, storage buckets and cloud servers are inadvertently left open or exposed by a vulnerable web application."
McAfee listed standard strategies for dealing with the problem: "The regular use of auditing tools and security frameworks to make sure your cloud platforms aren't spitting out VMs with the wrong settings." But given that this isn't working today, we suggest a different approach: invest in multi-cloud management software. Or, if you can't find one that you like, look into multi-cloud policy enforcement products.
The purpose of these products is to give you a single management interface that applies the same configurations and security policies across to workloads and data, regardless of the underlying infrastructure. It's illogical to think that already burned-out administrators are going to successfully secure multiple infrastructures (on-premises, public cloud(s), etc.), when the past 30 years have demonstrated that we can't get people to secure a single data center. But at least multi-cloud policy enforcement products mean that administrators only have to put the effort into defining a security policy once, and then everything covered by that policy is secure. Reducing the amount of effort required greatly increases the chances that they'll actually secure something.
Responding to a Breach, Part 967
Don't do this: CafePress finally warns customers that it was hacked
Instead, do this: 6 Questions to Ask Once You’ve Learned of a Breach
And this: Cybersecurity: Why you should hire staff from firms which have fallen victim to hackers
Oh yeah, and inform your potentially affected customers before months elapse. Please?
Podcast of the Week
Privacy or Profit - Why Not Both?
Thread of the Week
When discussing cryptography with the general public, one of the biggest sources of confusion is the difference of security between 256-bit AES (secure) versus 256-bit RSA. – Paragon Initiative Enterprises - @ParagonIE.
The thread explains some basics about crypto keys. It's relevant this week because of Medicine show: Crown Sterling demos 256-bit RSA key-cracking at private event. Further reading: Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago.
TL;DR: Don't believe every claim made by infosec startups, especially not if the entire industry is laughing at them.
Resource of the Week
- If you're using Harbor as your container registry, bear in mind it can be hijacked with has_admin_role = True
- Cloudflare Introduces 'Bot Fight Mode' Option for Site Operators
- 15,000 private webcams left open to snooping, no password required
- GDPR: Only one in three businesses are compliant – here's what is holding them back
- Instagram phish poses as copyright infringement warning – don’t click!
- Google pulls more fake adblockers from Chrome Web Store