IoT Rickroll, Suing Over Disclosures, K-12 Cybersecurity Act, & SS7 Signaling – PSW #714
This week in the Security News: Following the ransomware money, the Mystery Snail, school cybersecurity is the law, sue anyone, just not security researchers, "hacking" a flight school, refusing bug bounties in favor of disclosure, Apple still treats researchers like dog poo, prosecuting people for reading HTML, giving up on security and a high school hacking prank that never wants to give you up and won't let you down!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
Hosts
- 1. Biden signs school cybersecurity act into lawSo much this: "While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won't be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place," Bambenek said."
- 2. Cyber-security threat hunters seek legal protections"Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit." - A slippery slope for sure. The trick is to allow researchers to do their thing, but prevent criminals from doing their thing. While private legal action is different from criminal prosecution, what if the situation arises where it's in the public best interest to keep details secret. Then, what if, the researcher does not want to cooperate? Also, if we continue to get sue happy against researchers, they just won't tell the vendor and sell the exploits to criminals.
- 3. Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to FlyVery important to revoke credentials, and change all known credentials, when an employee leaves: "The owner of Flight Circle found that the records had been tampered with by someone who logged in with the credentials of Melbourne Flight Training's current Flight Operations Manager, according to the document. Police investigators then obtained information related to the IP address used to access that account, and found that it belonged to Hampton Lide. The investigators also subpoenaed Google for information about a Gmail account used to log into the Flight Circle app, and found that the email address belonged to a user with the name "The Lides." Hampton Lide would later tell investigators that this was the family's email address, according to the document."
- 4. Microsoft October 2021 Patch Tuesday Squashes 4 Zero-Day Bugs
- 5. Researcher Disclosed Telegram Vulnerability, Refused Bounty For Staying Quiet"Specifically, Dmitrii reported the bug to Telegram in March 2021, which the firm even acknowledged. However, it didn’t fix the bug for several months despite recurrent updates for the Telegram client. The researcher kept reminding of the vulnerability to telegram officials. Eventually, the service fixed the bug in a subsequent beta version released in August 2021 that the researcher confirmed. Nonetheless, problems began when Telegram tried to restrict the researcher from disclosing the vulnerability at the time of rewarding the bug bounty, even after the fix. In response, the researcher sent some questions to Telegram regarding the agreement he was supposed to sign, but Dmitrii never got a response. The researcher even noticed a lesser bounty offered to him (Euro 1000) for the bug than what the service offered previously for a similar flaw (Euro 2500). Eventually, the researcher went ahead for full public disclosure for this vulnerability CVE-2021-41861."
- 6. Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability – Krebs on Security"The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code." - WTH? This is a really great point: "Mackey [senior staff attorney at EFF] said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. Which also means such weaknesses are more likely to be eventually found and exploited by actual criminals."
- 7. Vulnerability Spotlight: Use-after-free vulnerability in Microsoft Excel could lead to code execution
- 8. Ongoing Cyber Threats to U.S. Water and Wastewater Systems"The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats." - Easier said than done...
- 9. SS7 SignallingDecent overview...
- 10. ThreatMapper: Open source platform for scanning runtime environmentsSounds neat, and its free! - "Mapped topology of applications and infrastructure: Using lightweight, easy-to-deploy and non-invasive sensors, ThreatMapper auto-discovers and maps services, containers, cloud resources and third-party APIs within your infrastructure by passively observing network traffic. Continuous discovery of vulnerabilities: ThreatMapper scans online hosts, containers and serverless environments for known vulnerable dependencies, augmenting any “shift left” vulnerability scanning you may do in your development pipeline. Ranked vulnerabilities by attack surface: ThreatMapper ranks discovered vulnerabilities, identifying the highest-risk threats and the order in which they should be addressed by utilizing runtime traffic and cloud context."
- 11. VirusTotal Shares Analysis of 80 Million Ransomware SamplesThe takeaways: "First, while big campaigns come and go, there is a constant baseline of ransomware activity that never stops. Second, attackers are using a range of different approaches, including well-known botnet malware and other RATs. Third, in terms of ransomware distribution attackers don’t appear to need exploits other than for privilege escalation and for malware spreading within internal networks. Finally, as noted earlier, Windows accounts for 95 percent of the ransomware targets, compared to 2 percent for Android. "
- 12. Apple silently fixes iOS zero-day, asks bug reporter to keep quiet"In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. In September, he published proof-of-concept exploit code and details on all iOS vulnerabilities after the company failed to credit him after patching the gamed zero-day in July." - This is just silly. Apple is just shooting itself in the foot. How much effort does it take to 1) Credit the researcher and 2) Properly disclose vulnerabilities? I believe it is far more damaging for Apple to hide under a veil of secrecy than to just credit people and come out with it. I'd respect Apple so much more if they'd just admit, like everyone else, that their software has security flaws and give credit to researchers that deserve it.
- 13. A Pentagon official said he resigned because US cybersecurity is no match for China, calling it ‘kindergarten level’"But Chaillan quit on September 2. In his departing LinkedIn post, he cited the Pentagon's reluctance to make cybersecurity and AI a priority as a reason for his resignation. Speaking to the Financial Times in his first interview since leaving, Chaillan said China was far ahead of the US. "We have no competing fighting chance against China in fifteen to twenty years. Right now, it's already a done deal; it is already over in my opinion"
- 14. GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117"keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output."
- 15. Kim Zetter on TwitterIf you read Countdown to Zero-Day: "A. Q. Khan has died from COVID. The Pakistani scientist is known for stealing centrifuge designs from a Dutch company and using them to launch Pakistan's illicit nuclear program and selling the designs & centrifuge parts to Iran, Libya and North Korea."
- 16. IoT Hacking and Rickrolling My High School DistrictThis story is amazing. A high school student discovered security flaws in the AV systems used in the entire school system. Eventually, they worked as a small team to rickroll the entire district after the last class was completed for the day. You can hear students singing and even see teachers dancing. First off, this could have likely gone wrong and the students could have been expelled and/or faced criminal charges. However, they did wait until after they graduated (LOL) to pull off the attack. Also, it would be difficult for the school to prove damages as the students were very careful not to disrupt classes, exams, or damage any systems, and even removed software they installed after the prank was completed. The way they tested the prank was amazing, using a webcam on a computer to observe the AV system in action, after hours when there were no classes in session. They also created a very detailed report and presented it to the administration. The one thing they did not do was get permission, a big no-no. But, if they had sought permission, would the school had let them rickroll everyone?
- 1. Ransom Disclosure Act: US bill mandates organizations to report ransomware paymentsLast week, together with Representative Deborah Ross, Warren announced the Ransom Disclosure Act, which aims to provide the Department of Homeland Security (DHS) with critical data on ransomware payments in order to “bolster our [the government’s] understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat”. Warren said the reporting of ransomware payouts will help the government “to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them”.
- 2. Apple released emergency update to fix zero-day actively exploitedpple has released an emergency iOS/iPadOS update to address a zero-day memory corruption vulnerability (CVE-2021-30883) affecting its IOMobileFrameBuffer application that is being actively exploited by attackers to execute commands on targeted, vulnerable devices with kernel privileges. Install 15.0.2 now.
- 3. Apple Finally Falls Victim to Never-Ending Supply Chain Crisis(Bloomberg) -- Apple Inc., the world’s most valuable company, has finally joined a growing list of household names from Toyota to Samsung forced to cut back on production due to chip shortages. Multiple news outlets are reporting the company will likely reduce the pace of its production factories by as much as 10 million devices – bad timing as the company recently released version 13 of its phone on 14 Sep 2021. The impact could also extend to the company’s tablet line.
- 4. Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business SwitchesCisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products. Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.
- 5. Over 60? How to tell if someone is scamming you onlineHeartless criminals have maintained their crosshairs on senior citizens – cybersecurity experts believe that online scams increased by 400% over the past few years, and online fraud targeted the over 60 demographic to the tune of $650 million in losses in 2018. The phishing and telephonic scams are targeted to areas of particular concern senior citizens: medical issues, catfishing and tech support scams are especially popular. Seniors need help with basic cyber hygiene. While the article lists specific products to install, use it as a guide for ideas to help them be better protected while not leaving them dependent on you for help.
- 6. Russia Excluded From 30-Country Meeting to Fight Ransomware and Cyber CrimeA virtual meeting led by the United States boasted a dais of 30 nations to discuss cybersecurity challenges that plague their country’s businesses, critical infrastructure and economies. One country was noticeably absent – Russia – as they were purposely not invited to the meeting. The two-day summit is especially focused on ransomware attacks, which predominantly originate from Ukraine and Russia. The U.S. stated that private cybersecurity talks continue with Russian officials.
- 7. Hospital Hacker Steals Patients’ DataAn unauthorized individual breached the IT network of San Juan Regional Medical Center in Farmington New Mexico in September last year. The attack was reported to the United States Department of Health and Human Services' Office for Civil Rights on June 4 as a network server security incident impacting 68,792 individuals.
- 8. Iran-linked hackers targeted maritime and defense contractors, compromised Office 365 accounts – CyberScoopHackers likely supporting Iranian national interests attempted to compromise U.S. and Israeli defense technology and global maritime companies, Microsoft researchers shared Monday. The attacks, which began in July, targeted the Office 365 accounts of more than 250 Microsoft users, the company said. Less than 20 of the targeted victims were successfully compromised, according to a security alert.
- 9. Windows Zero-Day Actively Exploited in Widespread Espionage Campaign – The Cyber PostResearchers say they have spotted a Chinese-speaking advanced persistent threat (APT) group exploiting a zero-day vulnerability (CVE-2021-40449) affecting Microsoft Windows using a new remote access Trojan (RAT) dubbed "MysterySnail" in cyber espionage attacks that took place during Summer 2021. According to reports, the APT group was using the zero-day exploit to elevate privileges on targeted systems and take complete control of Windows servers in order to ultimately infect systems with MysterySnail and pilfer sensitive data.