The Downright Dreadful Docker Debacle

In This Issue:

  • That Docker thing. Yikes.
  • How do you evaluate third-party security?
  • Brace for regulatory impact
  • Wait, IoT security flaws are… sometimes useful?

That Docker Thing. Yikes.

Docker Hub Suffers a Data Breach, Asks Users to Reset Password. The reason why this is more than just another breach is mentioned in the article: "Docker Hub is an online repository service where users and partners can create, test, store and distribute Docker container images, both publicly and privately." Meaning that attackers who got these images could potentially have a big leg up on any future attacks involving targets with container infrastructure. This article goes into the potential implications: Hackers Breached a Programming Tool Used By Big Tech and Stole Private Keys and Tokens.
 
The infosec community has responded quickly with analysis and advice.
 

Docker breach of 190,000 users exposes lack of two-factor authentication

Countermeasure:

Docker Hub is a useful and convenient way to spawn workloads based upon templates that somebody else has created, but relying on anybody else to create the templates upon which you base your workloads ultimately becomes a source of vulnerability. Docker Hub is great for prototyping; however, if deploying containers in a production environment, it’s worth investing both in a container marketplace controlled and managed by your own IT team, and in templates crafted and curated by your operations team.
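One way to make the "curated, internally hosted templates" advice enforceable is to reject any deployment manifest that pulls an image from outside your own registry or without a digest pin, so a compromised public hub cannot quietly change what a tag points at. This is an added example, not code from the original newsletter; the registry host, the sample manifest and the digest value are constructed placeholders.

```python
"""Audit a compose/Kubernetes-style manifest for images not pulled from the
organisation's own registry or not pinned by digest. Added example, not code
from the page; the registry host and manifest are constructed placeholders."""
import re

INTERNAL_REGISTRY = "registry.internal.example"   # assumption: your own registry
# [registry[:port]/]path[:tag][@sha256:hex]; the first component is a registry
# only if it contains a dot (or is localhost), following Docker's rule.
_IMAGE_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<path>[^:@]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
_IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^"'\s]+)""")
_DIGEST = "sha256:" + "0123456789abcdef" * 4   # constructed 64-hex digest
SAMPLE_MANIFEST = f"""\
services:
  web:
    image: nginx:1.19
  api:
    image: registry.internal.example/platform/api:2.4.1
  worker:
    image: registry.internal.example/platform/worker@{_DIGEST}
"""

def parse_image(ref):
    m = _IMAGE_RE.match(ref)
    if not m:
        return None
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"  # no registry = Docker Hub
    return parts

def check_image(ref):
    """Return policy findings for one image reference (empty list = OK)."""
    parts = parse_image(ref)
    if parts is None:
        return ["unparseable image reference"]
    findings = []
    if parts["registry"].split(":")[0] != INTERNAL_REGISTRY:
        findings.append(f"pulled from external registry {parts['registry']}")
    if not parts["digest"]:
        findings.append("not pinned by digest (a tag can be re-pointed)")
    return findings

def audit_manifest(text):
    """Map every offending image: reference in the manifest to its findings."""
    refs = [m.group(1) for m in map(_IMAGE_LINE.match, text.splitlines()) if m]
    return {r: check_image(r) for r in refs if check_image(r)}
```

Run `audit_manifest` against your own manifests in CI; only the `worker` image in the sample passes both checks.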

Read More >

How Do You Evaluate Third-Party Security?

If you haven't heard, large companies like Oracle, Airbus, Toshiba, and Volkswagen suffered data exposure this week, not because they were breached, but because their infrastructure provider was. Hackers Steal and Ransom Financial Data Related to Some of the World’s Largest Companies. When Citycomp (the provider in question) refused to pay a ransom, hackers spilled sensitive client data onto the internet. Failed blackmail attempt prompts hackers to leak ocean of data belonging to major companies.
 
This isn't the first such hack. A few weeks ago, tech outsourcing company Wipro got hit. Some more information has come to light about exactly how that happened: Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro.
 
In an increasingly "as a service" IT environment, these attacks aren't going away anytime soon. Unfortunately, most organizations haven’t yet caught up with this reality. Third-Party Cyber-Risk by the Numbers.
 

Countermeasure:

Start with the absolute basics. Does your organization send sensitive data to any third parties? (Probably yes.) Which ones? Make a list. Check it more than twice. You could ask those vendors to complete a third-party risk assessment, but don't do that unless you'll actually read it and make some use of it. If that's not realistic at this stage, at least ask your third-party vendors:

  • What is their procedure for handling and reporting a breach?
  • Do they send your data to any other parties for any reason?
  • Will those other parties report breaches back to your third-party service provider, or to you?

If you don't trust the answers you get, you at least know what company names to watch for in the headlines. (And maybe you should think about changing vendors.)
 
Just FYI, everything recommended here is required by the GDPR. If you don't think that affects you, well, read on.

Read More >

Brace for Regulatory Impact

We were trying to get past simply slagging Facebook. But since the F8 conference is on, there are people who will do it for us. Facebook Pivots to What it Wishes it Was. Facebook's Zuckerberg preaches privacy, but his delivery makes it hard to even ponder believing.
 
Beyond the easy dig, though, Facebook is having a bad week, and their woes have bigger implications for anyone who collects customer data. Law enforcement is wading in, as evidenced by this Tweet:
 
BREAKING: We're launching an investigation into Facebook's unauthorized collection of 1.5M of their users’ email contact databases. Facebook has repeatedly demonstrated a lack of respect for consumer information while at the same time profiting from mining that data. - @NewYorkStateAG
 
The general climate of Facebook cynicism is expanding to affect other major companies. Survey: Trust in tech giants is 'broken'. It's not just Facebook expecting legal or regulatory action: Google adds option to auto-delete search and location history data.
 
This article predicts the fallout: Facebook’s latest privacy scandals open regulator floodgates.
 
If GDPR-style regulation gets passed sooner rather than later, we'll know who to thank.
 

Countermeasure:

You might as well start thinking about your organization's privacy strategy now. Even if you aren't subject to the GDPR, since it's currently the most stringent piece of privacy regulation, it makes a good model for what might be coming down the pipe. Some privacy considerations to get you started:

  • Only collect what you need. Superfluous data still has to be stored and secured.
  • Know what applications use the data and where it's ultimately stored. Auditors always want to know this.
  • If you don't already have it, get some kind of Role-Based Access Control in place. Regulations are likely to require you to know and implement the concept of "least privilege."

Read More >

And IoT Is… Wait. Terrible IoT Security Is Not Universally a Bad Thing?

Don't get me wrong; it's still mostly been an awful week for IoT security, and that isn’t OK. This happened: P2P Weakness Exposes Millions of IoT Devices.
 
The IoT dumpster fire has been burning long enough that governments are reluctantly taking notice. The U.K., for one, is fed up with IoT misery: IoT security crackdown: Stop using default passwords and guarantee updates, tech companies told.
 
If you're wondering what all those compromised IoT devices get used for, here's one possibility. Emotet gang is trying to build a shell of IoT devices around its banking botnet.
 
But here's a twist: terrible IoT security can (very occasionally) be a good thing, at least if you want to make an artificial pancreas. Diabetics are hunting down obsolete insulin pumps with a security flaw.

Countermeasure:

Unless you need an artificial pancreas, you really don't want hackable IoT devices. Peer-to-Peer Vulnerability Exposes Millions of IoT Devices. This article contains useful advice from Paul Marrapese, the researcher who discovered the iLnkP2P flaw. From the story:
 
"It's impossible for consumers to disable the vulnerable software on most of these devices. The only real option for these… is to block outbound traffic on UDP port 32100, as that will prevent the P2P software from contacting its server. Better still, he recommends not purchasing any device that features P2P communications as part of its application suite."
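Turning that advice into something you can check on your own network: the following added example (not from the original page or from the researcher) scans a flow log for LAN devices sending UDP to port 32100 outside the network and prints a matching nftables rule that blocks that outbound traffic. The log lines, the log format, the LAN range and the nftables table and chain names are all constructed assumptions.

```python
"""Flag LAN hosts sending UDP to port 32100 (the iLnkP2P rendezvous port named
above) in a flow log, and emit the matching outbound block rule. Added example,
not from the page; the log format, LAN range and lines are constructed."""
import ipaddress
import re
from collections import defaultdict

P2P_PORT = 32100
LAN = ipaddress.ip_network("192.168.0.0/16")   # assumption: the local network
# assumed export format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
_FLOW = re.compile(r"^(\S+) (udp|tcp) (\S+):(\d+) -> (\S+):(\d+)$")
SAMPLE_LOG = """\
2019-04-29T10:00:01 udp 192.168.1.23:41000 -> 203.0.113.10:32100
2019-04-29T10:00:02 udp 192.168.1.50:53000 -> 192.168.1.1:53
2019-04-29T10:00:05 udp 192.168.1.23:41000 -> 203.0.113.10:32100
2019-04-29T10:00:07 udp 192.168.1.77:41001 -> 198.51.100.7:32100
2019-04-29T10:00:09 tcp 192.168.1.50:52000 -> 203.0.113.10:32100
"""

def find_p2p_beacons(log_text):
    """Return {lan_host: [remote rendezvous servers]} for UDP/32100 flows
    that leave the LAN; other traffic and TCP to the same port are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = _FLOW.match(line)
        if not m:
            continue
        _ts, proto, src, _sport, dst, dport = m.groups()
        if proto != "udp" or int(dport) != P2P_PORT:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in LAN and dst_ip not in LAN:
            hits[str(src_ip)].add(str(dst_ip))
    return {host: sorted(servers) for host, servers in hits.items()}

def block_rule(src_ip=None):
    """nftables rule dropping outbound UDP/32100, for one device or for all.
    Assumes an existing 'inet filter' table with a 'forward' chain."""
    scope = f" ip saddr {src_ip}" if src_ip else ""
    return f"nft add rule inet filter forward{scope} udp dport {P2P_PORT} drop"

if __name__ == "__main__":
    for host, servers in find_p2p_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {', '.join(servers)}")
        print("  " + block_rule(host))
```

Two of the three LAN hosts in the sample are flagged; the DNS query and the TCP connection to the same port are not.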

Read More >

Podcast of the Week:

How a Hacker Tracked Thousands of Cars and Gained the Ability To Kill Their Engines. Speaking of the security of internet-connected "things…."

Tweet of the Week:

At a Senate hearing on IoT security, Rapid7's @HarleyGeiger: "Unsecured IoT devices will be like the new asbestos. We will build them into our environments, only to have to rip them back out years later." - @alfredwkng

Tool of the Week:

Okay, an older tool that got renewed visibility this week. Still useful. The URL in the tweet below links to an exhaustive guide to analyzing permissions in Active Directory, and a tool that creates visual reports of anomalies.
 
FREE Microsoft PFE assessment tool: ~~ AD ACL Scanner ~~ Produces visual reports of nonstandard permission anomalies and advanced elevation/dumping backdoors inserted in your Active Directory by malicious actors or unknowingly by admin activities. https://blogs.technet.microsoft.com/pfesweplat/2017/01/28/forensics-active-directory-acl-investigation/ - @SwiftOnSecurity

Quick Links:

It's just a crappy week for enterprises all over.
 
Hackers went undetected in Citrix’s internal network for six months
 
We don't even know who got pwned in this one. Details on 80 million US households exposed by unprotected cloud database. Will the owner of this breached database please stand up?
 
Also: Crime
