The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
WhatsApp 💬 With All the Compromises?
In This Issue:
- WhatsApp, Bloomberg, and infosec omnifacepalms
- Patch Windows NOW!
- The most ‘Baltimore’ compromise ever
- Human rights violations? There's an app for that
- Wiretap someone's senile granny for fun and profit research purposes
- There's a whole new class of CPU flaws
WhatsApp, Bloomberg, and Infosec Omnifacepalms
A WhatsApp exploit let attackers install government-grade spyware on phones. Fair enough. These things happen. The reporting around the exploit, however, was ultimately more damaging than the exploit itself. For a look at how not to publicize a critical security patch, see Urgent! Update WhatsApp NOW to add new sticker support.
For how to use a report of a vulnerability to create clickbait that basically urinates on the very idea of cybersecurity, see WhatsApp’s End-to-End Encryption Is a Gimmick. Infosec Twitter is almost universal in declaring the Bloomberg article one of the worst – if not the worst – pieces of information security reporting in memory.
For anyone tempted by the above to believe that encryption is irrelevant, see Sensitive Data Can Lurk on Second-hand Hard Drives. Yes, this is comparing apples to oranges: one article talks about encryption of data in flight and one about encryption of data at rest. If you know enough infosec to point out this distinction, then we here at The Countermeasure probably don't have to worry about you believing the reporter who wrote the article.
Patch WhatsApp. Take all the copies of Bloomberg you can find away from executives. Have the talk with them about fake news, and how Bloomberg is emphatically not a reliable source of information security reporting. Just because a news outlet is mediocre at business reporting, it doesn't make them even close to mediocre at information security reporting.
Patch Windows NOW!
Any Windows NT system older than Windows 8—that means XP, Vista, 7, and Server 2003, 2008, and 2008 R2—can be compromised by sending a specially crafted, pre-authentication request to Remote Desktop Services (RDP, TCP/3389 by default). In other words, if you have RDP exposed to the internet, or an attacker already has a foothold on your network and RDP is reachable internally, you will be compromised. This is wormable, and it’s about to be exploited in spectacular fashion. Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 has more.
Stop whatever it is you’re doing and patch your windows boxes RIGHT NOW. This is not a drill. It's panic time.
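If you want to know where you stand on a given box before the patch lands, the script below is an added example (not from the newsletter or the Krebs article) that triages a single legacy Windows host: which release it is, whether RDP is enabled and actually listening, and whether Network Level Authentication is required. NLA is not mentioned in the article, but it forces the client to authenticate before the vulnerable pre-auth code path is reached, which is why Microsoft listed it as a stop-gap. The registry locations are the standard Terminal Services keys; the "legacy" threshold (a reported version below 6.2, i.e. older than Windows 8 / Server 2012) is this example's assumption, taken from the list of affected releases above.

```powershell
# Added example: triage one legacy Windows host for the RDP exposure above.
# Run from an elevated PowerShell prompt on the host itself. Uses only
# cmdlets available on PowerShell 2.0 so it works on Windows 7 / 2008 R2.

$os  = Get-WmiObject Win32_OperatingSystem      # Get-CimInstance needs PS 3.0
$ver = [Version]$os.Version
# Assumption for this example: anything below 6.2 (Windows 8 / Server 2012)
# is in the affected family listed above.
$legacy = $ver -lt [Version]'6.2'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Get-ItemProperty "$tsKey\WinStations\RDP-Tcp"
$rdpOn  = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
$nlaOn  = $rdpTcp.UserAuthentication -eq 1     # 1 = Network Level Authentication required
$port   = if ($rdpTcp.PortNumber) { $rdpTcp.PortNumber } else { 3389 }

# Is the listener actually up? netstat is used because Get-NetTCPConnection
# does not exist on the releases in question.
$listening = [bool](netstat -ano | Select-String ":$port\s+\S+\s+LISTENING")

"OS:           $($os.Caption) ($ver)"
"Legacy build: $legacy"
"RDP enabled:  $rdpOn"
"NLA required: $nlaOn"
"Listening:    $listening on TCP/$port"

if ($legacy -and $rdpOn -and $listening) {
    Write-Warning "Affected release with RDP listening. Patch now; until then block TCP/$port at the perimeter and require NLA."
    if (-not $nlaOn) {
        Write-Warning 'NLA is off, so the vulnerable code path is reachable without credentials.'
    }
}
```

Run it across your estate with whatever remote-execution tooling you already trust, and treat "Legacy build: True" plus "Listening: True" as the queue for tonight's patch window, NLA or not.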
The Most ‘Baltimore’ Compromise Ever
In what is being described as "possibly the most Baltimore information security compromise ever," RobbinHood ransomware attack brings down parts of City of Baltimore’s computer network. Home sales are held up; Baltimore ransomware attack cripples systems vital to real estate deals has some more details, while Baltimore Ransomware Attack Takes Strange Twist is one of the better pieces on the topic.
The lesson to take away from the Baltimore event is that computers are involved in everything now. Compromise events happen all the time, and can happen to anyone. Even the most mundane of transactions—such as real estate—can be affected.
We have reached the point where adding a time buffer for "unexpected computer glitches" to everything we do is simply necessary. It also emphasizes the importance of keeping your own copy of any information you submit to another organization's computers. Beyond privacy concerns, there's no telling whether something will eat the data on the other end, so don't assume that because you submitted something and got an acknowledgment of receipt, all is well.
Human Rights Violations? There's an App for That
Reading How Mass Surveillance Works in Xinjiang, China should be enough to explain to anyone why there are very few optimists in infosec. It's a shorter version of this: China’s Algorithms of Repression, which is a report about reverse-engineering a surveillance app.
For thematically-linked news of privacy violations being used to build privacy-violating tech, see Ever app users uploaded billions of photos, unaware they were being used to build a facial recognition system. Millions of people uploaded photos to the Ever app. Then the company used them to develop facial recognition tools is another take on the same subject.
Organizations need to get explicit details about exactly how any data they hand to a vendor will be used. Not only is this required by the GDPR, but the increasing abuse of data by consumer-focused vendors should be creating supply chain concerns for organizations of all sizes. The volume of data handed over in B2B interactions vastly outstrips what individual consumers provide, and it is a commensurately larger target, with a commensurately larger potential scale of abuse.
Wiretap Someone's Senile Granny for Fun and Profit Research Purposes
Spying on personal alarms and GPS trackers is as simple as sending an SMS should be news, but feels to us like the sort of thing that makes headlines every other week. The coverage draws on the researchers' own write-up, Exploiting 10,000+ Devices Used by Britain’s Most Vulnerable: a single SMS could achieve facepalm levels of compromise. Not a good look.
On a more positive note, IoT security might just be advancing: Researchers use power anomalies to detect malware in IoT devices (proof of concept). Faster would be better. Think of the grannies.
Back to the creepy and horrible, we have Over 25,000 smart Linksys routers are leaking sensitive data. The creepiest part in the article was actually an aside: "While geolocation by IP address is not precise, services like WiGLE allow anyone to get the exact geographical coordinates of a WiFi network based solely on its MAC address or SSID," the researcher says. "An attacker can query the target Linksys Smart Wi-Fi router, get its MAC address, and immediately geolocate it."
Vet your IoT devices for security. Vet your surveillance apps for security. Don't count on hiding your SSID to help here: the router's MAC address goes out in every beacon frame regardless, WiGLE indexes on it, and the Linksys leak hands it to anyone who asks anyway. While you're at it, microsegmenting your IoT devices from one another, and from the rest of your network, is probably a good plan, too.
There's a Whole New Class Of CPU Flaws
Hot off the presses, there is apparently an entirely new class of CPU flaws to worry about. New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011. Yay.
Keep an eye on this. The infosec community is still digesting this information, but the analyses of this flaw that trickle out over the coming months will be important.
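Linux gives you a cheap way to watch this from the host side: the kernel publishes one file per known speculative-execution flaw class under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ..." or "Vulnerable...", and the new class described above got its own entry, mds. The functions below are an added example, not from the article or the kernel project; the directory is a parameter so they can be pointed at a copy for testing, and the status strings in any test data are constructed. A kernel that has no mds file at all cannot tell you whether you are exposed, which is itself a finding.

```sh
#!/bin/sh
# Added example: summarise the kernel's own view of CPU side-channel
# mitigations. Default directory is the live sysfs path; pass another
# directory to inspect a captured copy.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print one line per flaw class. Returns 1 if any entry still reports
# "Vulnerable", 2 if the kernel predates the interface, 0 otherwise.
cpu_vuln_report() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the vulnerabilities interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) flag='!!'; rc=1 ;;
            *)           flag='ok' ;;
        esac
        printf '%s %-18s %s\n' "$flag" "$(basename "$f")" "$status"
    done
    return "$rc"
}

# Names of entries still reporting "Vulnerable", one per line, for scripting.
cpu_vuln_unmitigated() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

# Does this kernel know about a given class at all? (e.g. cpu_vuln_known mds)
# A missing file means the kernel cannot report on it, not that you are safe.
cpu_vuln_known() {
    [ -f "${2:-$VULN_DIR}/$1" ]
}

# Usage on a live system:
#   cpu_vuln_report
#   cpu_vuln_known mds || echo "kernel too old to report on the new class"
```

Note that "Mitigation: ..." lines still carry detail worth reading: the mds entry, for example, says whether SMT is still on, and the kernel's mitigation is only complete with SMT disabled or the updated microcode in place.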
Threads of the Week
We have a grab bag of threads this week. The first is just a bit of humor:
By Patch Tuesday, I meant Microsoft's one. Nobody cares about Adobe. Acrobat is basically just a collection of vulnerabilities that somehow also render PDFs. - MalwareTech (@MalwareTechBlog)
The second is...Bloomberg:
WhatsApp's hack shows end-to-end encryption is largely pointless https://bloom.bg/2VAkGV9 via @bopinion – Bloomberg – (@Business)
Seriously though, just go punch "Bloomberg #infosec" into twitter, and prepare to exhaust your popcorn supplies. We haven't seen infosec Twitter agree on something this violently in some time.
Podcast of the Week
An interview with Mozilla executive director Mark Surman about Mozilla's recently released Internet Health Report for 2019 gives us our podcast for the week. (Related: How healthy is the internet?)
The health of the Internet in 2019: Deepfakes, biased AI and addiction by design.
Resource of the Week
Demystifying the Dark Web: What You Need to Know. A helpful basic explainer.
On the more questionable side, where the business model makes no sense, there's Presearch extension enables private searching across on Chrome, Firefox, and Brave browsers. We suspect there's an Ever-style "gotcha" in there somewhere.
In Case You Missed It
Obligatory joke about taxes goes here
This story broke last week, but got bumped out of the Countermeasure by Israel's air strike on hackers. Tax malware sounded boring compared to bombs, but it affected enough people that the IRS actually gave an extension on the tax filing deadline. The initial story is here: What’s Behind the Wolters Kluwer Tax Outage? The sequel is here: IRS extends tax filing deadline following attack on Wolters Kluwer CCH cloud accounting service.
1984 was not an instruction manual
Alexa Guard now turns your smart speaker into a home security device. “The general public has not been pleased with the Amazon Echo's eavesdropping or the inability of users to delete voice transcriptions, but in the right circumstances, listening in on your home could be of benefit to remote security." Really? We'll let the New Yorker's cartoonist comment on that. Daily Cartoon: Monday, May 13th.
For once, not a partisan issue
Lawmakers offer measure requiring cyber, IT training for House
'While House employees are already required to undergo this training, Rice in a statement said that “it’s past time” House members be “held to the same standard.”' She is referring to the members of the U.S. House of Representatives.
- 78% of Consumers Say Online Companies Must Protect Their Info. The other 22% think that a web browser == the internet.
- Website Attack Attempts Rose by 69% in 2018
- Keyloggers Injected in Web Trust Seal Supply Chain Attack
- Microsoft: Forget Google, Facebook – log in with our new blockchain ID
- LockerGoga, MegaCortex Ransomware Share Unlikely Traits
- Zara Larsson wants your password so she can watch Game of Thrones
- Poorly Configured Server Exposes Most Panama Citizens' Data
- Effective Pen Tests Follow These 7 Steps