The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Buy a house, get pwned?
In This Issue:
- Buy a house, get pwned?
- Been breached? Try telling the truth
- You had one job, Docker...
- This fight. Again.
Buy a House, Get Pwned?
If you've ever purchased real estate in the U.S., you probably had to get title insurance. And it now appears that if you purchased title insurance from one particular company, your most sensitive personal information may have been sitting around unsecured, waiting for any curious person with a web browser to take a peek at it.
This article has the gory details: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records. It says, "The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser."
This article provides further, scathing commentary: FirstAm Leak Highlights Importance of Verifying the Basics. "The basic error is a major misstep for the financial firm. The class of vulnerability is so well known that it had its own slot on the popular Open Web Application Security Project (OWASP) Top 10 list of web security vulnerabilities, 'A4-Insecure Direct Object References,' for four years, and is so easy to find that a simple Google search often turns up the issue."
Beyond the obvious criminal (mis)uses of banking and identity information, this sort of data is also used in the most frequent types of cyberattacks on businesses. Details are here: Impersonation Attacks Up 67% for Corporate Inboxes.
For the edification of First American—and anyone else wanting to make sure their web security isn't complete rubbish—start here: OWASP Top 10 - 2017. This gives you the absolute basics about what should be secured. This stuff isn't optional, people. Failing to do this a) looks really bad, and b) leaves you open to legal liability.
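The class of bug described above, insecure direct object references, in miniature. This is an added example, not First American's code: a record store keyed by a sequential id, with the handler that serves any guessed id beside one that checks the session and the record's owner (all names and sample data are constructed).

```python
"""Insecure direct object reference (IDOR) beside its hardened form (constructed)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: sequential record ids, as in many back-office systems.
RECORDS = {
    1001: {"owner": "alice", "doc": "wire receipt (constructed)"},
    1002: {"owner": "bob", "doc": "tax record (constructed)"},
}
# Constructed session table: token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[str] = None


def get_record_vulnerable(record_id: int) -> Response:
    """IDOR: the id in the URL is the only 'authorization'.

    Anyone who can count can walk the id space and read every record.
    """
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec["doc"])


def get_record_hardened(record_id: int, session_token: Optional[str]) -> Response:
    """Authenticate first, then authorize the caller against the record's owner."""
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        return Response(401)  # no valid session: nothing is served
    rec = RECORDS.get(record_id)
    # Same 404 for 'missing' and 'not yours', so the id space can't be mapped
    # by telling the two cases apart.
    if rec is None or rec["owner"] != user:
        return Response(404)
    return Response(200, rec["doc"])
```

The hardened handler is the OWASP fix in one line: every object access is checked against the caller's identity, not against the caller's ability to produce an id.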
For customers participating in any transaction that requires sensitive personal data: it’s completely reasonable to ask the vendor(s) involved how this data is going to be stored and secured. If their answer gives you nightmares, find another provider; and tell the vendor with iffy security why your business is going elsewhere.
Been Breached? Try Telling the Truth
You'll probably hear about the Flipboard breach at some point: Flipboard says hackers stole user details. This story is everywhere, perhaps because of the potentially large number of accounts involved. Despite this, it's actually far less of an issue than the First American thing.
Why? Well, for starters, Flipboard actually told its customers about the breach, always a good first step. Also, the stolen passwords had been hashed with a fairly strong algorithm (most with bcrypt). While this doesn't guarantee that the passwords will be uncrackable, it means that cracking them would be very difficult and would definitely take time; time that Flipboard has correctly used to notify users and require a password reset.
A potentially much more unfortunate breach is this one: Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online. It's not yet clear whether license plate records and border security information are included in the mass of stolen data, but it looks like a possibility.
In case it’s not already obvious, you will be breached. It happens to everyone. Yes, you should still defend yourself. But also give some serious thought to mitigation and incident response. Techniques like hashing make it much harder for hackers to use any data they manage to steal. You also might want to consider using microsegmentation, so that a breach at one point in your network doesn't give an attacker access to the whole thing.
Have solutions in place to detect breaches, and have a plan for reporting them. Hiding the fact that you’ve been compromised isn't a good choice. It's much better optics to disclose a breach quickly; and preferably, to be able to say "but the attackers didn't get much, because we had mitigation strategies in place."
Oh, and while reporting a breach to users, don't do this: Millions of Canva users’ data stolen as GnosticPlayers strikes again. Canva gets points for using bcrypt to protect stored passwords, but loses points for burying their breach notification underneath a bunch of marketing dreck. As the article states, "Transparency and commitment to data protection mean prioritizing the real meat of the message, not tucking it underneath fluff."
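Why the bcrypt detail in the Flipboard and Canva stories matters, as an added example that is not either company's code. bcrypt needs a third-party package, so the standard library's PBKDF2-HMAC-SHA256 stands in for it (an assumption: it shares the two properties that count here, a per-user salt and a tunable work factor). The unsalted fast hash falls to a precomputed lookup table in one dictionary get; the salted slow hash forces one full KDF run per guess per user, which is the time the article is talking about. The wordlist is constructed.

```python
"""Stolen unsalted SHA-256 vs stolen salted, iterated hash (constructed example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "letmein", "hunter2", "summer2019", "flipboard"]
COST = 50_000  # KDF iterations; bcrypt's work factor plays the same role


def fast_unsalted(pw: str) -> str:
    """The weak scheme: one global SHA-256 of the password, no salt."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> word once; every stolen hash is then a dictionary get."""
    return {fast_unsalted(w): w for w in words}


def crack_with_table(stolen_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stolen_hash)


def slow_salted(pw: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt (assumption): per-user salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, COST)


def store(pw: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)  # fresh salt per user, so no table spans users
    return salt, slow_salted(pw, salt)


def verify(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(slow_salted(pw, salt), digest)


def crack_by_guessing(digest: bytes, salt: bytes, words) -> Tuple[Optional[str], int]:
    """With a salt there is nothing to precompute: each guess costs a full KDF run
    for this one user. Returns the recovered word and how many KDF runs it took."""
    runs = 0
    for w in words:
        runs += 1
        if hmac.compare_digest(slow_salted(w, salt), digest):
            return w, runs
    return None, runs
```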
You Had One Job, Docker….
Containerization is a way to isolate (or "jail") individual applications (or bundles of applications) from one another, allowing multiple applications to coexist on a single operating system instance without stepping on one another. The isolation of these applications from one another started as a means to cope with poor development approaches that saw applications spew files all across the file system, but ultimately became part of the security posture of many organizations.
Things which breach that isolation are bad, whether they allow the applications inside a container to influence the host OS or allow one container to read or otherwise interact with the contents of another. This makes Contain yourself, Docker: Race-condition bug puts host machines at risk... sometimes, ish somewhat concerning. More on this here: Docker Vulnerability Opens Servers to Container Code.
If patching and updating your containerization hosts isn't a top priority, it's time to revisit your priorities. Many organizations have been known to go years without updating their virtualization hosts. This cannot be an option with containers. The "separation" of container contents from the host OS is paper thin, and there is no scope for allowing the host OS or containerization platform to get out of date. And yes, this means that for every update you have to take the host, and all the containers on it, down. That also means that you should only be putting applications which are designed for failure into containers.
This Fight. Again.
Unsurprisingly, humans abuse access privileges. Snapchat Employees Abused Data Access to Spy on Users. From the article:
"Tools like SnapLion are an industry standard in the tech world, as companies need to be able to access user data for various legitimate purposes. Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees." Terrific.
In the context of the above, this article is unsettling: Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works. No way would that ever be abused (#sarcasm).
Start working on contingency plans for how your organization will cope with the loss of end-to-end encrypted digital communications. If your organization handles sensitive data, or has intellectual property worth defending, you need a backup plan for if (or when) you are no longer allowed to secure that information if it transits the Internet. This is no longer a far off, distant, hypothetical problem. This is a battle we're all losing, all over the world. It's time to build contingency plans.
Debate of the Week
This is an interesting debate, but one that you should not peruse on Twitter. The current antipathy toward Krebs for doxing folks has resulted in a lot of threads that go down anti-Krebs rabbit holes rather than talking about the topic itself.
Drop this question into a room full of business and/or infosec people. Bring popcorn.
Should Failing Phish Tests Be a Fireable Offense?
Video of the Week
This is about the crucial and thankless task of content moderation on social media.
The Platform Challenge: Balancing Safety, Privacy and Freedom
Tweets of the Week
This funny video clip is worth a watch. Help improve security awareness: share it around.
Phishing Attack #Phishing #Attack #Gnu #coccodrille – defsecnsattack - @defsecnsattack
Good news of any sort is rare in infosec. Thanks to Ian Coldwater and their partner for providing a non-bleak tidbit. Also, congratulations!
We're getting married at @defcon! – Ian Coldwater - @IanColdwater.
Thread of the Week
Do not do.
Github BlueKeep exploit comments are a ride. Don’t run unknown code against your production network. – Kevin Beaumont - @GossiTheDog
Tools of the Week
- CrackStation's Password Cracking Dictionary. "CrackStation is a security awareness project started by Defuse Security. Its purpose is to raise awareness about insecure password storage in web applications, and to provide guidance to implementors of user authentication systems. By making large hash lookup tables freely available to the public, we make it easier for security researchers to demonstrate why password storage solutions, like non-salted hashing, are insecure."
- 8 Ways to Authenticate Without Passwords. Not that your Countermeasure authors are implying that doing away with passwords is a good idea… but here's the current state of the tech, anyway.
- How Security Vendors Can Address the Cybersecurity Talent Shortage. "Closing the skills gap involves educating not just those within the education system or the future work force but also current employees who may be unwittingly weakening the company's security posture. Cybersecurity vendors have a responsibility and a role to play in helping with education in all contexts". Yes, please!
- Researchers uncover smart padlock’s dumb security. Our (least) favorite part: "this is not the first smart padlock Naked Security has covered that has glaring weaknesses (see previous coverage of the eerily similar Tapplock from last year), which hints at wider development problems in this category of product." In other words, maybe don't connect locks to the internet, people.
- Git your patches here! GitHub offers to brew automatic pull requests loaded with vuln fixes
- Video Game Helps Prepare Cyber Security Students For Real Life Scenarios
- Hackers actively exploit WordPress plugin flaw to send visitors to bad sites
- Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable
- Why telcos 'handed over' people's GPS coords to a bounty hunter: He just had to ask nicely
- New research generates deepfake video from a single picture
- There's a scarily good 'deepfakes' YouTube channel that's quietly growing – and it's freaking everyone out