Even the presumption of compromise isn’t enough anymore
In This Issue:
- Sensor-y overload
- Vulnerable links in the supply chain
- Something phishy about this quiz
- A brief history of the crypto war
To Do Security Right, Imagine the Unimaginable
Normally, we prefer to use this newsletter to surface infosec stories that haven't gotten much mainstream attention. As a general rule, if a story has shown up on Ars Technica at the time of writing, it's safe to say that the story is big enough that it probably shouldn't be a title discussion point for The Countermeasure. This is an exception to that rule.
Ingenious! The Android malware which only triggers if you’re moving is the leading topic today. There apparently exists clever Android malware which is only active if it senses that the phone is moving, and it does this by gathering data from the phone's numerous sensors. This is to help it avoid detection, and – hypothetically – help it avoid scrutiny by information security researchers.
This malware should serve as a simple reminder that developers don't think about our devices the way we do. When the average person picks up a smartphone, they see a device for communications, or one that connects them to the Internet. Some may see a video gaming platform. Few people think about the many sensors that inhabit their phone.
It goes beyond phones, too: these sensors are increasingly a part of all electronic devices, big and small. Consider the eavesdropping lamp that livetweets conversations. Or the IoT lightbulb with a built-in security camera. Sensors are everywhere, and clever developers will find novel ways to use them. For the infosec-minded individual, this reality requires changing operational security.
Nothing is sacred. Let's imagine a hypothetical scenario in which the next generation of smart thermostats has accelerometers. Maybe this was part of a wacky plan to wire up buildings in earthquake zones to gather better data on how buildings of different designs handled earthquake stress or something. (Difficult to imagine? Well, we've all seen weirder gizmos from startups than that.)
How long do you think it would take for a curious developer to analyze the output of those sensors, and be able to tell when a group of people was moving into a large meeting room? Said hacker could torment the execs by raising the temperature, or spy on them through the room's video conferencing system. The possibilities are endless.
The reason for raising the profile of this new item isn't simply to reiterate that we should presume compromise of any and all devices. Everyone in infosec should be doing that already. It's to reiterate that we should presume that those who are compromising those devices will be able to use them in ways we haven't even thought of. Increasingly, we haven't thought of how those devices can be abused because we've forgotten – or never known in the first place – just how many different kinds of sensors are finding their way into everything: from phones to printers, thermostats to lightbulbs.
Countermeasure:
Increasingly, it’s worth holding high-value meetings offsite, where the chances that compromised devices will be used to spy on us are lower. Some organizations are even creating "retro conference rooms," in which all smart devices – from phones to printers – are banned. For meetings in which the most critical information is being discussed, this should be a serious consideration for everyone.
The Risk of Outsourcing
Hack of Plug-in Website Ruffles WordPress Community tells the sad tale of an internal threat manifesting in the compromise of user data. In this case, a popular plug-in for WordPress – the most popular website CMS in the world – is the source of the compromise.
There are conversations that could be had here about the importance of monitoring for insider threats. We could talk about password reuse, using disposable e-mails to register for things like plug-ins, or how outsourcing IT in any fashion – from public cloud usage to adopting website CMSes – leaves an organization vulnerable to the security compromises of their suppliers.
Supply chain attacks are increasingly common. The Ticketmaster breach, for example, captured many headlines last year. As a response, hard-boiled infosec types would probably advise never outsourcing anything, because of the risks of not controlling every last facet of your organization's IT. That, however, is entirely unrealistic.
If you don't outsource, your organization won't be around very long. No organization is an island. We all outsource a great deal of our day-to-day, from telecommunications to rent. The primary reason for being of most organizations is not to keep their own IT running. IT is a means to an end, and often an annoying one at that.
Countermeasure:
While jettisoning all outsourcers is unrealistic, it’s worth taking the time to ensure that whatever they’re provided is held at arm's length. Just as you should be segmenting your applications from one another internally to prevent the spread of compromise, outsourced IT should be as isolated as possible from everything else. Not only will it eventually be compromised, but your ability to detect and remediate that compromise is greatly reduced compared to in-house solutions.
Going Phishing With Google
Google subsidiary Jigsaw has created an online quiz about phishing, located at https://phishingquiz.withgoogle.com/. It's actually quite a good piece of educational software on the issue.
Countermeasure:
Consider incorporating Phishing With Google into your organizational education on the topic. It's never a bad thing to learn and educate about Phising.
Backgrounder: the Crypto Wars
Every now and again, a truly great take on an old problem is written. Bruce Schneier’s Evaluating the GCHQ Exceptional Access Proposal is partly an analysis of the latest attempt by the UK spooks to mandate encryption back doors, and partly a quick review of the history of the crypto wars.
Countermeasure:
Schneier lays out the public policy issues around cryptography quite well, and in doing so has created an excellent primer for those new to the topic. This is worth bookmarking as an educational piece for junior infosec people in your organization who might not know the long history of the space they occupy.
Twitter of the Week
This thread is a bit long, but entirely worth it. A hacker's landlord is forcing smart locks on some 40,000 people, including @hacksforpancakes. She does not take it lying down. The movie of this epic battle ought to be interesting...
Now I have to move, again. – Lesley Carhart (@hacksforpancakes)
Quick Links
- Poisoned PEAR. PHP extension repository download infected for up to six months
- Got a Nest security camera? Enable two-step verification now
Link Groups
The Collection 1 Debacle Unfolds
- 773M Password ‘Megabreach’ is Years Old
- Monster 773 million-record breach list contains plaintext passwords
- The Collection #1 data breach - what you need to do about it
GoDaddy Vulnerability
- GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains
- Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
U.S. Government Shutdown Cybersecurity Impact
- US cyber foes take cue from government shutdown; rise in malware deployment under way
- How the U.S. Govt. Shutdown Harms Security
Google Proposes Blocking Ad Blockers In Chromium-Based Web Browsers
- Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently
- Chrome API update will kill a bunch of other extensions, not just ad blockers