The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
It's Not a Vulnerability; It's a Feature.
In This Issue:
- Zoom: "It's not a vulnerability; it's a feature."
- But … the user experience!
- What do you mean, "misconfigured"?
Zoom: "It's Not a Vulnerability; It's a Feature."
Your Countermeasure authors were actually in a Zoom meeting, when someone said, "Hey, did you hear about that Zoom thing?" We immediately decided to start pre-drinking for the infosec-related, ethanol-induced amnesia that normally occurs later in the week.
Anyone for unintended ChatRoulette? Zoom installs hidden Mac web server to allow auto-join video conferencing. This article gives the details, but here's a quick recap:
A security researcher found some things that disturbed him in the Zoom web conferencing app. Zoom installed "a hidden web server on Macs in order to bypass user consent when joining a meeting." Also, he found that "even if you uninstall Zoom on the Mac, it leaves the Zoom web server in place. The web server has the ability to reinstall the Zoom client."
This sounds nefarious, but it isn't a sinister data-stealing plot. It's just horribly insecure app design, apparently done on purpose. In a blog post, Zoom CISO Richard Farley wrote: "The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem." In a further statement to ZDNet, Zoom said that "enabling our users to have seamless, one-click-to-join meetings … is our key product differentiator." Zoom reverses course to kill off Mac local web server.
After cynical public response, the blog post was edited to remove the footbulleting event. The updated post is here: Response to Video-On Concern. Apple later issued a patch that removed the Zoom web server from all Macs. Apple update kills off Zoom web server.
Countermeasure:
Insecure design is not a differentiator that you want associated with your business. Down in the quick links are a large number of news stories about large fines and other penalties for sloppy security—all levied in the past week. Shove the list under the nose of anyone who tells you that increased app or web page security constitutes a poor user experience. Marketing peeps, get together with developers and put a positive spin on those extra clicks. Perhaps confirmation dialogues could read: "For your safety, please confirm that you want to do 'X.' This helps to protect against some types of cyberattack." You would at least be 'differentiated' from Zoom, et al.—in a positive manner.
But … the User Experience!
Zoom apparently isn’t alone in thinking that the user experience should trump security precautions—even when those precautions are (or should be) turned on by default. Researchers Find Thousands of iOS Apps Ignoring Security. Researchers at Wandera found more than 20,000 iOS apps weren’t using Apple's App Transport Security (ATS). ATS requires that anything the app sends over the network be encrypted, and it’s on by default. The developers of those 20,000 apps had to make a conscious choice to turn it off.
Countermeasure:
Force all app developers to repeat kindergarten. It would seem that there’s a children's book that they need to read: AppSec ABCs Children's Book. The author's 3-year-old child could help them with the basics. "Her favorite is the OWASP Top 10, which we compare to the list that Santa Claus makes and checks twice." The AppSec ABCs: Cybersecurity’s First Children’s Book
On a more serious note, the Dark Reading article says, "Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private."
What Do You Mean, "Misconfigured"?
Misconfigured security is the most common flaw found in applications. (This makes the earlier stories even more frustrating.) Nearly every week, there are stories about data left exposed through poor configuration. This week we have two: Fortune 100 Passwords, Email Archives, and Corporate Secrets Left Exposed on Unsecured Amazon S3 Server and 'This Repository Is Private'—So What's It Doing on the Public Internet, GE Aviation?
"Misconfigured" definitely sounds bad, but it's rather vague. Pen-testing-as-a-service firm Cobalt did some research to get more details on what the most common config mistakes are (What the AppSec Penetration Test Found):
- 30.1% of security misconfigurations were in security headers
- 28.5% were in application settings
- 12.7% in encryption settings
- 11.5% in server configuration
- 9.6% in mobile settings
- 4.9% in cloud settings
- 2.9% due to an improper security control
The most common misconfigurations weren't necessarily the highest risks. Server configuration mistakes and application settings mistakes were the most dangerous.
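Security headers top Cobalt's list, so as an added example (not part of the article or the Cobalt report) here is a Python check that audits one HTTP response's headers the way a pentest report would: HSTS presence and max-age, a Content-Security-Policy without unsafe-inline/unsafe-eval, nosniff, clickjacking protection, and software-version disclosure. The two header sets are constructed samples, not taken from any real site.

```python
# Constructed sample responses (header name -> value); made-up values, not from any real site.
WEAK_HEADERS = {
    "Server": "ExampleHTTPd/1.2",
    "X-Powered-By": "ExampleFramework/3.4",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html",
}

ONE_YEAR = 31536000  # commonly used HSTS max-age floor, in seconds

def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return 0

def audit_security_headers(headers):
    """Return the security-header findings a pentest report would typically list.
    Header names are matched case-insensitively; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age too short ({hsts_max_age(hsts)}s)")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows unsafe-inline or unsafe-eval")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    # Either X-Frame-Options or a CSP frame-ancestors directive prevents framing by other sites.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for name in ("server", "x-powered-by"):
        if name in h:
            findings.append(f"{name} header discloses software version: {h[name]}")
    return findings
```

Feed it the headers of your own site's responses (for example from `curl -sI`) and treat the output as the checklist of what to fix in the web server or framework configuration.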
Countermeasure:
If you work in IT, you need to read this article. If you have IT staff—and sufficient clout—you need to make them read this article. For extra credit, read the report on which it’s based. The State of Pentesting 2019. Make a list. Check it twice. Seriously. Checklists reduce critical mistakes. Surgeons and fighter pilots use checklists. IT professionals should do the same. A Simple Checklist That Saves Lives.
Tool of the Week
The 20 CIS Controls & Resources. The CIS Controls are a prioritized list of basic security practices. They’re inspired by the Pareto Principle (aka the 80/20 rule)—the idea that for many activities, roughly 80 percent of the results come from 20 percent of the effort. If you’re unsure where to start improving your security, work through this list in order. It won't protect you against every threat, but it will still help a lot. Posters (PDFs) derived from the CIS controls are also available.
The Motherboard Guide to Not Getting Hacked, version 3.0. While not exactly new, this guide is regularly updated, and provides clear and comprehensive advice. Given this week's heap of news about mobile phone providers, the section on mobile security seems particularly apt.
Podcast(s) of the Week
The Countermeasure took last week off for America’s Independence Day, so here’s a double dose of security podcasts to catch you up:
- Risky Business #547 -- Zoom-Gate, Massive GDPR Fines, Ship Hack Warnings and More
- Smashing Security #135: Zombie Grannies and Unintended Leaks
Tweet of the Week
"It slays me that in 2019, you are considered an utter whacko if you want a simple modicum of digital privacy and firm control of your data and activity." @hacks4pancakes
The “Privacy Policy” Policy – Manoush Zomorodi and Charlie Warzel – IRL.
Infosec Humour
Penetration Testing Takes on New Meaning When Cyber Meets Harlequin
Quick Links
What Happens in Vegas? Infosec Conferences Galore.
- Black Hat USA runs Aug. 3-8
- Def Con 27 is Aug. 8-11
- The Diana Initiative is Aug. 9-10
Sloppy Security Has Consequences
- You Lost U.S. Customs Border Data? You’re Losing Your Government Contracts …
- UK Privacy Watchdog Threatens British Airways with 747-Sized Fine for Massive Personal Data Blurt
- Marriott Faces £99.2 Million Fine After Hack Exposed 393 Million Hotel Guest Records
- UK Watchdog Fined Firms £3m for Data Breaches Last Year—Before Its GDPR Balls Dropped
Patch Windows and Outlook ASAP
- U.S. Cyber Command Warns Nation-State Hackers Are Exploiting Old Microsoft Outlook Bug. Make Sure You’re Patched!
- Microsoft Patches Zero-Day Vulnerabilities Under Active Attack
Stealing Hearts: Definitely Unromantic
Cardiac Biometric. Remember in our last edition, when some academics proposed using your heartbeat (via ECG) as a way to log in to things? Well, it looks like some other academics can already identify you by your cardiac rhythm, using an infrared laser, from 200 meters away.
- That's invasive and creepy
- If this data can be collected from a distance, how long before someone figures out how to do "heartbeat skimming"?
More news
- DevOps’ Inevitable Disruption of Security Strategy. "The average security practitioner still remains largely in the dark about container architecture, its unique peccadillos, and its inherent risks." Perhaps an investment in training is a good plan?
- This New Ransomware Is Targeting Network-Attached Storage Devices. Do users really need to access that NAS via the internet? (Hint: No.)
- Organizations Are Adapting Authentication for Cloud Applications. Hint: Don't let employees use a Facebook account to sign in to corporate cloud apps.
- Industry Insight: Checking Up on Healthcare Security
- Financial Firms Face Threats from Employee Mobile Devices
- Coast Guard Warns Shipping Firms of Maritime Cyberattacks