The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
In This Issue:
- Renting software? Look out…
- Don't let Twitter scare you away from MFA
- This newsletter has not been hacked (has it?)
Infosec Considerations When Renting Software
A recent move by Adobe drives home the risks associated with Software-as-a-Service (SaaS): Venezuela Will Be Cut Off From Adobe Products Because of Trump Sanctions. For many businesses, there is at least one piece of software without which the business will cease to exist. For many creative organizations, that software is supplied by Adobe. And as much as open source advocates and competing vendors would like to say that they could easily step in to replace Adobe’s products, we all know that they just aren’t there yet.
Any on-premises software that refuses to work without authorization from a server located on the internet is SaaS, just as surely as if that software were browser-delivered from the public cloud. In the old days, when a vendor stopped selling into a market, the software that was already installed would still work. Companies would have a chance to transition to something new.
Today, businesses can effectively be arbitrarily deleted on a whim. And we haven’t even touched “what happens when they change how the black box works” yet. We’re just as vulnerable in infosec as those creatives who rely on Adobe—many of the tools we use to defend our networks are cloud-based, or require cloud authorization to operate.
Infosec is mostly about planning. Do you have a plan for if/when critical infosec tools you rely on turn into a pumpkin? Can you switch to competing products? Are there competing products? How integrated are these tools into your automation and orchestration? Is your automation and orchestration capable of swapping products in or out as needed, or does the whole house of cards come tumbling down if you remove just one? Answering these questions is increasingly important.
Don't Let Twitter Scare You Away From MFA
One of these days, there will be news about Twitter that isn’t abjectly horrible. Today is not that day. Twitter Took Phone Numbers for Security and Used Them for Advertising.
Because of course they did. They wouldn’t be a leading social media company if they weren’t playing fast and loose with our data!
But this bit of stupidity has real-world consequences. It degrades confidence in a system we very much need to continue working: Multi-Factor Authentication (MFA). MFA relies on people to actually use it, and they won’t use it if they either don’t believe it works, or if the data used as part of the system ends up being used against them: Twitter transgression proves why its flawed 2FA system is such a privacy trap.
Already, we’re warding off attacks against MFA: FBI warns about attacks that bypass multi-factor authentication (MFA). Unfortunately, we currently don’t have anything better, so don't be scared off. Yes, MFA Isn't Perfect. But That's Not a Reason for Your Company Not to Use It.
And don't be Twitter; it's not a good look.
Actions by companies like Twitter are already starting to create a backlash against MFA. This is something we all need to invest time and effort into countering. We need to make sure our users understand the importance of it, and why they need to keep using it, even if some companies out there give the approach a bad name.
This Newsletter Has Not Been Hacked (Has It?)
Here's an odd one: Toms Shoes newsletter “hacked by a nice man”.
The article suggests that some consumers' standards for what qualifies as a good post-breach response are getting higher. "Some users were less than impressed that Toms’s statement came several hours after the unauthorised messages were sent out, and that more effort should have been made to reassure customers more quickly."
Soothing ruffled feathers and dealing with the emotions of the user base are, sadly, part and parcel of our job in infosec. Humans are the greatest vulnerability, but they’re also absolutely critical to ensuring that any of our approaches to defense will actually work. We need to be better at the human side of things, and in many cases that requires bringing in people who are not hard-boiled nerds, and have never heard of Rick and Morty. Yes, those people are weird and alien to us, but we need them if we’re going to keep the users calm.
Tool of the Week
Ransomware victim hacks attacker, turning the tables by stealing decryption keys.
Don't try this at home, kids. Still, it's nice to see a white(ish) hat win. Especially since recent ransomware news is rather grim: FBI warns of major ransomware attacks as criminals go “big-game hunting”.
Small caveat: the decryptor released by the white hat does not work for all computer processor types. A more comprehensive version of the decryptor, developed by anti-malware firm Emsisoft, is here: Emsisoft Decryptor for Muhstik.
Podcast(s) of the Week
- S2 Ep11: Fleeceware, Chrome bug and the sextortion scam that won’t die – Naked Security Podcast
- Defensive Security Podcast Episode 238. It’s based on this article: Marriott data breach FAQ: How did it happen and what was the impact?
- Copy-and-paste sharing on Stack Overflow spreads insecure code
- Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage'
- Complex Environments Cause Schools to Struggle for Passing Security Grade
- DHS and FDA warn about much broader impact of Urgent/11 vulnerabilities
- 8 Ways Businesses Unknowingly Help Hackers
- Attackers exploit 0-day vulnerability that gives full control of Android phones