The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Internet of Targets
In This Issue:
- JPL Security audit woes
- IoT = Internet of Targets
- Don't forget the servers
- From breach to bankruptcy
JPL Security Audit Woes Are a Learning Opportunity
Most of the time, when a data breach makes the headlines, not much technical detail is released. Little scraps of information about the breach, like "stored passwords in plain text" are all that are usually reported, and they tend to sound pretty damning. (OK, that actually is pretty damning. Hint: don't do that.)
We seldom get a chance to look at a detailed post-mortem, or a security audit of the affected organization. Not surprisingly, embarrassed companies want to keep their security flaws private. That's actually a pity, since there is a lot to learn from someone else's breach and security audit experience.
When the organization in question is publicly funded, more information is sometimes available. NASA's Jet Propulsion Laboratory (JPL) recently went through a security audit, reported under the headline "NASA's JPL may be able to reprogram a probe at the arse end of the solar system, but its security practices are a bit crap." It didn't go very well, but you can use the findings to check your own security practices and audit readiness.
The full report is here: NASA Office of Inspector General, Office of Audits, Report No. IG-19-022, Cybersecurity Management and Oversight at the Jet Propulsion Laboratory (PDF). It's 49 pages, so we've summarized the important bits for you.
- Know what is on your network, and whether or not it is supposed to be there. The biggest problem identified by auditors was that JPL had an inaccurate and incomplete inventory of network devices.
- Segment your network properly. JPL had a network gateway for use by third-party contractors. It was supposed to let contractors reach only the information relevant to their own project and keep them out of the rest of the network. Except it didn't actually work. Test your segmentation from the untrusted side: confirm that a host on the contractor segment really cannot reach anything it shouldn't, rather than trusting the diagram. Double-check your configurations, and then check again.
- Automate what you can, and whatever you do, hire enough IT staff. Something that wasn't stated in the audit, but which was implied pretty loudly, was that the systems administrators were incredibly overworked. Security problems were sitting unresolved in the ticketing system for as long as six months, and we doubt it was due to laziness. Even the best staff are only human, and they are less likely to make critical mistakes if you don't burn them out.
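The first lesson is the one most shops fail, so here is the shape of the check, as an added example rather than anything from the OIG report or JPL: reconcile what is actually answering on a subnet against the asset inventory. The inventory and the observed hosts below are constructed; the categories the report produces are the ones you want a ticket opened for.

```python
# Added example: reconcile what is observed on the network against the asset
# inventory. Both datasets are constructed for illustration; in practice the
# inventory would come from a CMDB export and the observed hosts from ARP or
# DHCP tables, a switch's MAC table, or a scan of the local subnet.
import csv
import io

INVENTORY_CSV = """\
hostname,mac,ip,owner
fileserver01,00:1a:2b:3c:4d:01,10.20.0.10,infra
jumpbox,00:1a:2b:3c:4d:02,10.20.0.20,infra
contractor-gw,00:1a:2b:3c:4d:03,10.20.0.30,partners
printer-3f,00:1a:2b:3c:4d:04,10.20.0.40,facilities
"""

# Constructed "ip mac" pairs as seen on the wire. Note the unlisted host at
# .77 and the device answering on the printer's IP from an unknown MAC.
OBSERVED = """\
10.20.0.10 00:1A:2B:3C:4D:01
10.20.0.20 00:1a:2b:3c:4d:02
10.20.0.40 b8:27:eb:aa:bb:cc
10.20.0.77 dc:a6:32:11:22:33
"""


def parse_inventory(text):
    """Return {mac: record} with MACs normalised to lower case."""
    rows = {}
    for rec in csv.DictReader(io.StringIO(text)):
        rec["mac"] = rec["mac"].lower()
        rows[rec["mac"]] = rec
    return rows


def parse_observed(text):
    """Return {mac: ip} from whitespace-separated 'ip mac' lines."""
    seen = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        seen[mac.lower()] = ip
    return seen


def reconcile(inventory, observed):
    """Classify differences between inventory and observation."""
    unknown = {mac: ip for mac, ip in observed.items() if mac not in inventory}
    missing = {mac: rec["hostname"] for mac, rec in inventory.items()
               if mac not in observed}
    moved = {mac: (inventory[mac]["ip"], ip) for mac, ip in observed.items()
             if mac in inventory and inventory[mac]["ip"] != ip}
    # An inventoried IP answering from a MAC nobody recorded deserves the
    # fastest follow-up: it is either an undocumented replacement or a spoof.
    by_ip = {rec["ip"]: rec["hostname"] for rec in inventory.values()}
    replaced = {ip: (by_ip[ip], mac) for mac, ip in unknown.items()
                if ip in by_ip}
    return {"unknown": unknown, "missing": missing,
            "moved": moved, "replaced": replaced}


def run_report():
    return reconcile(parse_inventory(INVENTORY_CSV), parse_observed(OBSERVED))


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category}:")
        for key, value in items.items():
            print(f"  {key} -> {value}")
```

The interesting bucket is `replaced`: a known address answering from a MAC nobody recorded is either an undocumented swap or something pretending to be the printer, and either way it belongs on a ticket that does not sit for six months. Run it on a schedule and diff against the previous run, since an inventory that is only reconciled once is stale again by the following week.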
IoT = Internet of Targets
This week, IoT manufacturers decided to take device security seriously. They issued patches to major vulnerabilities, and recalled thousands of affected devices. And we all lived happily ever after. The End. Yes, all right, that never happened. Sadly.
Instead, what we got was the IoT security status quo: apathy and horror stories like this: Hacking these medical pumps is as easy as copying a booby-trapped file over the network. (Here you go: medical IoT nightmares. You're welcome.)
This article points out that organizations don't have to use IoT devices to be compromised by poor IoT security: Insecure Home IoT Devices a Clear and Present Danger to Corporate Security. If employees take a work device such as a laptop home and connect it to their home network, it will be exposed to whatever nasties are lurking in the thermostat, security camera, smart light bulb, or TV.
Internet of Things vendors are usually reluctant to talk about security, probably because terrible security doesn't make good advertising copy. For a moment this week, it looked like that might change: Samsung reminds rabble to scan smart TVs for viruses – then tries to make them forget. Samsung Support tweeted about the need to perform regular virus scans on smart televisions, but later deleted the tweet. (Apparently if you don't talk about the malware, it can't infect you. #sarcasm)
At least they mentioned the issue, if only briefly. Many IoT vendors respond to reports about vulnerabilities in their products with silence and inaction. Security researcher Paul Marrapese is so frustrated by avoidance of this issue that he recommends consumers just throw out their IoT devices: Consumers Urged to Junk Insecure IoT Devices.
It's not practical to insist that employees get rid of their smart devices. Instead, insist that they use a VPN to connect to the corporate network. Nobody likes VPNs, they are a bandwidth hog and a pain in the posterior, but an always-on, full-tunnel VPN does essentially put that employee laptop "behind" the corporate firewall, where network-level intrusion detection can see its traffic. (You have intrusion detection, right?) Two caveats: a split-tunnel VPN leaves the laptop's local-network traffic unwatched, and no VPN does anything about inbound connections from the thermostat next door, so the host firewall must still block them while the machine is on an untrusted network. Alternatively, use DirectAccess or something similar on Windows; employees get an encrypted connection to network resources, and IT staff can manage the machines using Group Policy.
Don't Forget the Servers
First off, this whole article is worth reading. Cybersecurity: Three hacking trends you need to know about to help protect yourself. But we're going to focus on just the second trend described in this story: the increasing number of criminals going after servers instead of better-secured endpoints like desktop PCs.
There are an unfortunate number of news stories about unprotected databases sitting exposed to the internet, just waiting for criminals to rifle through them. This week there were at least two.
- Spin the wheel and find today's leaky cloud DB... *clack clack... clack* A huge trove of medical malpractice complaints. This tale is uncomfortable reading, not just because of the exposure of people's medical data, but also because… Facebook. Ugh.
- Parliament IT bods' fail sees server's naked OS exposed to world+dog. Government IT is not immune to making the same mistake, apparently.
It's easy to say "secure your servers, people," but nobody sets out to misconfigure theirs. This is human error, usually of the mundane kind: a database bound to a public interface with no authentication, a default credential never changed, a management port reachable from the internet. Unfortunately it's a common error, and criminals scan for it continuously.
Matrix.org could also have a significant effect on the security and privacy landscape. If communications providers no longer had a guaranteed captive audience, they would also have less leeway for collecting massive amounts of user data, creepily tracking users, and practicing sloppy security.
Develop procedures to prevent and detect mistakes. Something as simple as a checklist for server configuration might help. Ultimately, the solution to human error is to remove humans from the equation where possible. Automate as many configuration and deployment tasks as you can. Consider using composable workloads so that you can enforce a secure configuration. The goal is not to reduce your IT staff, but to free them to work on other security tasks, of which there will always be many.
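One checklist item that would have caught most of the stories in this section is "no database listening on a wildcard address". Below is an added example, not code from any of the linked articles, that audits a host's listening sockets for that condition; the `ss` output is constructed, and the port-to-service table is an assumption you would extend with whatever your own estate runs.

```python
# Added example: audit a host's listening sockets for database services bound
# to every interface. The ss(8) output below is constructed; on a real host
# feed it `ss -ltnp` (run as root so process names are populated).
import re

# Assumed port-to-service table; extend for your own estate.
DB_PORTS = {
    3306: "MySQL/MariaDB", 5432: "PostgreSQL", 6379: "Redis",
    9200: "Elasticsearch", 27017: "MongoDB", 5984: "CouchDB", 9042: "Cassandra",
}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}

SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*          users:(("mongod",pid=1337,fd=11))
LISTEN  0       4096    *:9200               *:*                users:(("java",pid=2201,fd=233))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=980,fd=6))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=700,fd=3))
"""

_PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (address, port, process) for each LISTEN line of `ss -ltnp`."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # header or blank line
        addr, port = fields[3].rsplit(":", 1)  # handles [::1]:6379 and *:9200
        m = _PROC.search(line)
        proc = f"{m.group(1)}[{m.group(2)}]" if m else "?"
        yield addr, int(port), proc


def audit_listeners(text, allowlist=frozenset()):
    """Return findings for known database ports bound to a wildcard address.

    `allowlist` holds (port, process-name) pairs that are deliberately exposed,
    e.g. because a host firewall or security group already restricts them.
    """
    findings = []
    for addr, port, proc in parse_ss(text):
        if port in DB_PORTS and addr in WILDCARD:
            name = proc.split("[")[0]
            if (port, name) in allowlist:
                continue
            findings.append({"service": DB_PORTS[port], "port": port,
                             "bind": addr, "process": proc})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT):
        print(f"EXPOSED {f['service']} ({f['process']}) "
              f"listening on {f['bind']}:{f['port']}")
```

Wire this into the deployment pipeline or a nightly job and fail loudly. The allowlist is for the exposure you chose on purpose, which should be a short list with a security group or host firewall rule standing behind every entry.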
From Breach to Bankruptcy
This got serious, fast. Last week, Quest Diagnostics warned that nearly 12 million of its customers may have had personal, financial and medical information breached. The issue was not in Quest's infrastructure, but was because of a successful attack on the firm that Quest used for payment processing: American Medical Collection Agency (AMCA). Quest Diagnostics Says Up to 12 Million Patients May Have Had Financial, Medical, Personal Information Breached.
This week, another big AMCA customer, LabCorp, revealed that it had also been affected. LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach.
Multiple class action lawsuits have been filed against AMCA, and the company has filed for bankruptcy protection. Data breach forces medical debt collector AMCA to file for bankruptcy protection. This article states that "the data breach caused a 'cascade of events' leading to the bankruptcy request, the most notable being a severe drop in business."
In case anyone still thought that cybersecurity was no big deal—it may be the difference between staying in business, and… not.
The problem, in this case, was the absence of intrusion detection. The attacker had access to AMCA's infrastructure for an estimated seven months, and AMCA did not know there was a problem until someone outside the company noticed that an unusually high number of payment cards that had been used on the AMCA payment portal were also turning up in fraudulent transactions. That is the card issuers' fraud analytics finding the breach, not AMCA's monitoring, and it only fires once enough cards have been abused.
Consider using a network- or host-based Intrusion Detection System (IDS), or both, if you are not already doing so. The perimeter model of information security isn't sufficient anymore. You need to be actively monitoring traffic, with someone actually looking at the alerts, to increase your chances of catching a breach early, before an attacker can do extensive damage. You could also look into segmenting your network and encrypting your stored data. Both techniques limit the amount of damage an attacker can do, although encryption at rest only helps against an attacker who gets the data but not the keys; one who has taken over the application that decrypts the data gets both.
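To make concrete why a breach noticed through card fraud is noticed late, here is the analysis a card issuer runs, written as an added example (not AMCA's or any issuer's code): a common-point-of-purchase test that looks for a merchant whose customers turn up in fraud reports far more often than the population does. The transactions and fraud reports are constructed, and the merchant names are labels for the illustration.

```python
# Added example: a common-point-of-purchase (CPP) analysis of the kind card
# issuers run, and which the text describes as how AMCA's breach surfaced.
# Transactions and fraud reports are constructed; "amca-portal" is a label
# for the illustration, not real data.
from collections import defaultdict


def _cards(start, end):
    return [f"c{i:02d}" for i in range(start, end + 1)]


# (merchant, card) pairs: one compromised merchant, three innocent ones.
TRANSACTIONS = (
    [("amca-portal", c) for c in _cards(1, 8)]
    + [("grocery", c) for c in ["c03", "c05"] + _cards(9, 18)]
    + [("fuel", c) for c in ["c02"] + _cards(10, 18)]
    + [("coffee", c) for c in _cards(19, 40)]
)
# Cards later reported by issuers as used in fraudulent transactions.
FRAUD_REPORTS = {"c01", "c02", "c04", "c06", "c07", "c08", "c11", "c15"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud=5, min_lift=3.0):
    """Rank merchants by how over-represented their cards are in fraud reports.

    Returns (base_rate, findings) where findings are sorted by lift, the ratio
    of a merchant's fraud rate to the population fraud rate. Both thresholds
    exist to stop a merchant with two customers, one of them defrauded, from
    topping the list.
    """
    cards_by_merchant = defaultdict(set)
    population = set()
    for merchant, card in transactions:
        cards_by_merchant[merchant].add(card)
        population.add(card)
    base_rate = len(population & fraud_cards) / len(population)
    findings = []
    for merchant, cards in cards_by_merchant.items():
        hits = cards & fraud_cards
        rate = len(hits) / len(cards)
        lift = rate / base_rate if base_rate else float("inf")
        findings.append({
            "merchant": merchant, "cards": len(cards), "fraud": len(hits),
            "rate": round(rate, 3), "lift": round(lift, 2),
            "flag": len(hits) >= min_fraud and lift >= min_lift,
        })
    findings.sort(key=lambda f: f["lift"], reverse=True)
    return base_rate, findings


if __name__ == "__main__":
    base, rows = common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS)
    print(f"population fraud rate: {base:.1%}")
    for r in rows:
        mark = "<-- likely compromised" if r["flag"] else ""
        print(f"{r['merchant']:<12} cards={r['cards']:>3} fraud={r['fraud']:>2} "
              f"lift={r['lift']:>5} {mark}")
```

Even in this toy data the compromised merchant only stands out after six of its eight customers have been defrauded; in reality that takes months of card abuse, which is the seven-month window AMCA lost. An IDS inside your own network is the detection you control; this is the one that eventually catches you if you don't.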
Another school year ends, another round of #SecurityHaiku from my Cryptography Engineering final exam. @calpoly students truly are amazing. Here are some of the best. – Zachary Peterson - @znjp
Tool of the Week
Podcast of the Week
- The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry. "Spyware that possesses powerful surveillance capabilities are routinely marketed to consumer audiences to facilitate… monitoring of employees. When these powerful capabilities are used to facilitate intimate partner violence, abuse, or harassment, we refer to such spyware as stalkerware." Don't use spyware to monitor employees; it legitimizes apps that help abusers.
- Pass the salt! Popular CMSs aren’t securing passwords properly. If you use a CMS, you might want to find out if it is on this list (and perhaps give your CMS vendor a nudge). This article also contains a good explanation of password hashing.
- Utilities, Nations Need Better Plan Against Critical Infrastructure Attackers. You may not work for a critical sector such as electrical generation, but you are almost certainly a consumer of these utilities. With cyberattacks on the rise, you should consider your strategy in the event of an extended power failure or similar disruption.
- Awoogah! Awoogah! Firefox fans urged to update and patch zero-day hole exploited in the wild by miscreants
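Since the "Pass the salt!" item above hinges on what proper password storage looks like, here is an added example (ours, not from the article or any CMS) with the unsalted fast-hash anti-pattern beside a salted, iterated scheme built from Python's standard library. The iteration count and storage format are our assumptions; a purpose-built library such as argon2-cffi or bcrypt is preferable where you can add a dependency.

```python
# Added example: the unsalted fast-hash anti-pattern beside a proper salted,
# iterated scheme using only the standard library. The 600,000 iteration
# count is OWASP's current guidance for PBKDF2-HMAC-SHA256; treat it as a
# floor that rises over time, hence the rehash check.
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"  # assumed storage-format label
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Anti-pattern: fast and unsalted. Equal passwords give equal hashes, so
    one precomputed table (or one cracked hash) covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing 'algo$iterations$salt$hash' string."""
    salt = os.urandom(16)  # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt, expected = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash scheme: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             _unb64(salt), int(iterations))
    # Constant-time comparison: don't leak which byte differed via timing.
    return hmac.compare_digest(dk, _unb64(expected))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored hash uses fewer iterations than current policy;
    call this after a successful login and re-hash while the password is
    in hand."""
    algo, stored_iterations, _, _ = stored.split("$")
    return algo != ALGO or int(stored_iterations) < iterations


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("md5 (unsalted) repeats:", weak_hash(pw) == weak_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("pbkdf2 same password, two salts differ:", a != b)
    print("verify ok:", verify_password(pw, a),
          "| wrong pw:", verify_password("nope", a))
```

The stored string carries its own parameters, so the iteration count can be raised later and old hashes upgraded on the user's next successful login via `needs_rehash`, which is the only moment the plaintext is available to re-hash.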