Thanks for the Wildcard, Bro...
In This Issue:
- USPS drops the ball about four times, and 60 million users are compromised
- Why we need more infosec nerds in government
- California leads the way in privacy laws. Other states to follow.
- Equifax execs won’t face consequences for horrendous data breach
- Know Thy Russian Security Enemy
A Cornucopia of USPS Security Errors
h/t: Brian Krebs - KrebsonSecurity
The United States Postal Service (USPS) was informed about vulnerabilities in their "Informed Visibility" API more than a year ago, and didn't fix it. The predictable results are documented in USPS Site Exposed Data on 60 Million Users. The facepalm moment comes in the fifth paragraph, where we learn that because the many API features accepted wildcards without limiting results based on those the user was authorized to see, anyone who knew what they were doing could pull all records for a given search term.
This one has it all: a completely broken API design, responsibly disclosed vulnerabilities abjectly ignored, and much, much more. This story is sure to develop over the coming months, and is worth keeping an eye on for lessons learned.
Countermeasure:
Learn from USPS' mistakes. If someone discloses a vulnerability, engage with them! At a bare minimum, fix the relevant vulnerability with all possible speed. A properly established (and funded) bug bounty program is probably a good idea, too. Willful ignorance is a huge attack surface.
It's Time To Troubleshoot Democracy
h/t: Henry Farrell, Bruce Schneier – Lawfare
Information Attacks on Democracies is a fascinating article that’s a collaboration between Schneier and Lawfare, which is itself a summary of a much more in-depth paper on the topic. It’s must read that explores political systems through the lens of information availability.
One of the conclusions largely left to the reader to extract is that a functional democracy needs politicians and senior civil servants who think like sysadmins. We need to be “red teaming” our democratic systems and processes. We need incident response plans. We need to identify exploits in our democracies before attackers do, and then craft and apply patches. We need sysadmins in office.
Countermeasure:
Everything in this paper applies just as much to corporate governance structures and business processes as it does to democracies. Take an infosec approach to your organization itself, not just to your organization's IT.
Citizen Data Rights are Spreading
h/t: Matt Dumiak – The Last Watchdog
That blissful period in which corporate apathy towards privacy, security and data sovereignty was the norm is coming to an end. California pioneers privacy law at state level; VA, VT, CO, NJ take steps to follow explores the spread of the citizen data rights meme into American law.
As usual, California is on the pointy end of progress. As with so many other citizen empowerment laws pioneered by California, citizen data rights are spreading to other states, and will inevitably become federal law in the U.S. in due time.
- The U.S. isn't the only nation following the EU here. Every other non-EU western nation either has GDPR-equivalent laws in place already, or has seen senior politicians make serious attempts to bring them forward.
- Consider in context U.S. Sen. Ron Wyden's pre-midterm posturing: Senator's data privacy law draft could put CEOs in jail for lying. No rational person expects that this bill would ever be brought to the floor, let alone pass, but it’s significant that it was even suggested.
- Piercing the corporate veil is an absolutely radioactive topic in U.S. politics, as Why Equifax Executives Will Get Away With the Worst Data Breach in History ably explains. That this has even been suggested by a prominent U.S. senator for something as ephemeral as citizen data rights should have every single corporate executive in America sitting up straight and paying attention. This is exactly what went down before the GDPR was born.
Countermeasure:
Get your privacy, security, and data sovereignty sorted out now, rather than later. Taking the lead on citizen data rights is about to become a strategic differentiator in more geos than just Europe. Do not give your competitors an attack surface by waiting until legislation drops before putting only the bare minimum effort in.
Video of the Week
An in-depth look at an often-overlooked Russian APT group; watch, learn, know your enemy.
Shedding skin - Turla's fresh faces – Kurt Baumgartner and Mike Scott – posted by Virus Bulletin
Must-Read Discussion Threads
"We’re just using dummy rounds so don’t check the barrel' is not weapons training." – SwiftOnSecurity – (@SwiftOnSecurity)
- This thread is worth it for more than the author’s wit. The responses are worth reading too.
"Facebook dumps news at 5 pm ET before Thanksgiving that it did ask Definers to go after Soros." – Jon Passantino – (@passantino)
- Facebook controls a big chunk of the world's mindshare. Understanding how they respond to perceived political threats is vital to understanding how they control the flow of information. How the flow of information is directed and/or manipulated is relevant to how threats are detected, qualified, and tracked. Facebook is not the neutral platform some assume it to be.
"Which do I find myself doing more? To be honest, it’s often arguing against IT folks (and my better sales pitch) that things aren’t as catastrophic as they think…" – Lesley Carhart – (@hacks4pancakes)
- A perceived threat to one's job can cause IT practitioners to overreact to a compromise event. Carhart brings a bitterly cold dose of reality to the human equation in incident response.
"I wrote a long thread about being a woman in infosec and why it's so complicated, and then didn't post it out of fear." – Moose – (@Litmoose)
- If you don't attract the best talent, you can't possibly have the best infosec team. Learn something about the struggles women face in infosec, and consider making your organization's environment more inviting.