Internet of Targets

In This Issue:

  • JPL Security audit woes
  • IoT = Internet of Targets
  • Don't forget the servers
  • From breach to bankruptcy

JPL Security Audit Woes Are a Learning Opportunity

Most of the time, when a data breach makes the headlines, not much technical detail is released. Little scraps of information about the breach, like "stored passwords in plain text" are all that are usually reported, and they tend to sound pretty damning. (OK, that actually is pretty damning. Hint: don't do that.) 


We seldom get a chance to look at a detailed post-mortem, or a security audit of the affected organization. Not surprisingly, embarrassed companies want to keep their security flaws private. That's actually a pity, since there is a lot to learn from someone else's breach and security audit experience.  


When the organization in question is publicly funded, more information is sometimes available. NASA's Jet Propulsion Laboratory (JPL) recently went through a security audit: NASA's JPL may be able to reprogram a probe at the arse end of the solar system, but its security practices are a bit crap. It didn't go very well, but you can use the findings to check your own security practices and audit readiness.  


The full report is here: NASA Office of Inspector General Office of AuditsReport No. IG-19-022CYBERSECURITY MANAGEMENT AND OVERSIGHT AT THE JET PROPULSION LABORATORY (pdf). It’s 49 pages, so we've summarized the important bits for you. 


  1. Know what is on your network, and whether or not it is supposed to be there. The biggest problem identified by auditors was that JPL had an inaccurate and incomplete inventory of network devices.  
  1. Segment your network properly. JPL had a network gateway for use by third-party contractors. It was supposed to let contractors access information relevant to their own project, but keep them out of the rest of the network. Except it didn't actually work. Test your network defenses. Double-check your configurations, and then check again. 
  1. Automate what you can, and whatever you do, hire enough IT staff. Something that wasn't stated in the audit, but which was implied pretty loudly, was that the systems administrators were incredibly overworked. Security problems were sitting unresolved in the ticketing system for as long as six months, and we doubt it was due to laziness. Even the best staff are only human, and they are less likely to make critical mistakes if you don't burn them out.

Read More >

IoT = Internet of Targets

This week, IoT manufacturers decided to take device security seriously. They issued patches to major vulnerabilities, and recalled thousands of affected devices. And we all lived happily ever after. The End.  Yes, all right, that never happened. Sadly.  


Instead, what we got was the IoT security status quo: apathy and horror stories like this: Hacking these medical pumps is as easy as copying a booby-trapped file over the network(Here you go: medical IoT nightmares. You're welcome.) 


This article points out that organizations don't have to use IoT devices to be compromised by poor IoT security: Insecure Home IoT Devices a Clear and Present Danger to Corporate Security. If employees take a work device such as a laptop home and connect it to their home network, it will be exposed to whatever nasties are lurking in the thermostat, security camera, smart light bulb, or TV.  


Internet of Things vendors are usually reluctant to talk about security, probably because terrible security doesn't make good advertising copy. For a moment this week, it looked like that might change: Samsung reminds rabble to scan smart TVs for viruses – then tries to make them forget. Samsung Support tweeted about the need to perform regular virus scans on smart televisions, but later deleted the tweet. (Apparently if you don't talk about the malware, it can't infect you. #sarcasm)  


At least they mentioned the issue, if only briefly. Many IoT vendors respond to reports about vulnerabilities in their products with silence and inaction. Security researcher Paul Marrapese is so frustrated by avoidance of this issue that he recommends consumers just throw out their IoT devices: Consumers Urged to Junk Insecure IoT Devices. 


It's not practical to insist that employees get rid of their smart devices. Instead, insist that they use a VPN to connect to the corporate network. Nobody likes VPNsthey are a bandwidth hog and a pain in the posteriorbut they do essentially put that employee laptop "behind" the corporate firewall, and thus monitored by network-level intrusion detection. (You have intrusion detection, right?) Alternatively, use DirectAccess or something similar; employees get an encrypted connection to network resources, and IT staff can manage them using Group Policy.

Read More >

Don't Forget the Servers


First off, this whole article is worth reading. Cybersecurity: Three hacking trends you need to know about to help protect yourself. But we're going to focus on just the second trend described in this story: the increasing number of criminals going after servers instead of better-secured endpoints like desktop PCs.  


There are an unfortunate number of news stories about unprotected databases sitting exposed to the internet, just waiting for criminals to rifle through them. This week there were at least two.  

  • Spin the wheel and find today's leaky cloud DB... *clack clack... clack* A huge trove of medical malpractice complaints. This tale is uncomfortable reading, not just because of the exposure of people's medical data, but also because… Facebook. Ugh.  

It's easy to say "secure your servers, people," but nobody is trying to misconfigure theirs. This is a case of human error, but unfortunately, it's a common error, now heavily exploited by criminals. could also have a significant effect on the security and privacy landscape. If communications providers no longer had a guaranteed captive audience, they would also have less leeway for collecting massive amounts of user data, creepily tracking users, and practicing sloppy security.


Develop procedures to prevent and detect mistakes. Something as simple as a checklist for server configuration might help. Ultimately, the solution to human error is to remove humans from the equation where possible. Automate as many configuration and deployment tasks as you can. Consider using composable workloads so that you can enforce a secure configuration. The goal is not to reduce your IT staff, but to free them to work on other security tasks, of which there will always be many. 

Read More >

From Breach to Bankruptcy

This got serious, fast. Last week, Quest Diagnostics warned that nearly 12 million of its customers may have had personal, financial and medical information breached. The issue was not in Quest's infrastructure, but was because of a successful attack on the firm that Quest used for payment processing: American Medical Collection Agency (AMCA)Quest Diagnostics Says Up to 12 Million Patients May Have Had Financial, Medical, Personal Information Breached 


This week, another big AMCA customer, LabCorp, revealed that it had also been affected. LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach.  


Multiple class action lawsuits have been filed against AMCA, and the company has filed for bankruptcy protection. Data breach forces medical debt collector AMCA to file for bankruptcy protection. This article states that "the data breach caused a 'cascade of events' leading to the bankruptcy request, the most notable being a severe drop in business." 




In case anyone still thought that cybersecurity was no big dealit may be the difference between staying in business, and… not. 


The problem, in this case, was intrusion detection. The attacker had access to the AMCA infrastructure for an estimated seven months, and AMCA did not know there was a problem until someone noticed that an unusually high number of payment cards that interacted with the AMCA payment portal was also being used in fraudulent transactions.  


Consider using a network- or host-based Intrusion Detection System (IDS), or both, if you are not already doing so. The perimeter model of information security isn't helpful anymore. You need to be actively monitoring traffic to increase your chances of catching a breach early before an attacker can do extensive damage. You could also look into segmenting your network, and encrypting your stored data. Both techniques limit the amount of damage an attacker can do.  

Read More >

Infosec Humor

Another school year ends, another round of #SecurityHaiku from my Cryptography Engineering final exam. @calpoly students truly are amazing. Here are some of the best. – Zachary Peterson - @znjp

Tool of the Week

Smash GandCrab: Free tools released to decrypt files scrambled by notorious ransomware

Podcast of the Week

Smashing Security #132: CBP cyber attack, an iPhone privacy boost, and Twitter list abuse

Quick Links

Get Your Copy.