John Pescatore - SANS Director of Emerging Security Trends
Beware of unexpected egg salad sandwiches and security claims of proprietary interfaces.
This week’s Drilldown will focus on two items (included below): one from NewsBites Issue 87, on attackers abusing a legitimate Google Drive feature to deliver phishing messages, and one from NewsBites Issue 88, on the state of Massachusetts requiring automotive telematic interfaces to be open to owners and third parties.
Microsoft Office 365, Google Drive and other online storage and collaborative software-as-a-service (SaaS) offerings have internal messaging capabilities to alert users about the creation of, or changes to, files and documents. Attackers have started using these mechanisms as yet another channel for phishing attacks, convincing users to open malware or click on dangerous links.
The senses of smell, taste and touch have evolved over many thousands of years to warn us of danger. We often perceive things as revolting or scary because they are far more likely to cause us harm than good. Fear of heights, recoiling from fire and the stench of rotten food are simple examples.
This is why I’ve been using the analogy of the “unexpected egg salad sandwich” when talking to non-security folks about being suspicious of any message they get over the internet or their phone. I’m trying to jump-start evolution a bit here. We’ve only had the internet in mainstream use for a few decades. Today, no one would eat an egg salad sandwich that mysteriously appeared at their door (or on the room-service tray outside the hotel room next door), but we really don’t want to wait for evolutionary forces to extend that vigilance to all use of online systems!
Bottom line: Make sure your users understand that phishing is not just an email or text messaging risk. They should treat every unexpected message, whatever channel it arrives on, as an unexpected egg salad sandwich. Take advantage of resources such as the Center for Internet Security (CIS) cloud service benchmarks to ensure that all SaaS services are configured as securely as possible.
The Massachusetts extension of the “right to repair” law may have little direct impact on most businesses, but it raises an important issue.
Lock-in to proprietary interfaces often is justified by claims of reduced cost and increased security, but in the long run almost invariably results in much higher costs and much lower security. As we have seen constantly on the internet, security through obscurity is, at best, fleeting. Transparency, competition and choice are long-lasting (though not always fast-moving) forcing functions for higher levels of security and privacy.
Bottom line: As 5G technology rolls out and more and more “things” get the same level of connectivity as “connected cars,” this issue will reappear across hundreds of use cases and classes of devices. All authentication, encryption and access control capabilities should be evaluated for adherence to established standards. The maturity of the vendor’s development process and testing by experienced third parties should also be weighted heavily as evaluation criteria.
Google Drive Collaboration Feature Is Being Exploited by Bad Actors
(November 1 and 2, 2020)
Bad actors are exploiting a legitimate feature in Google Drive to send emails and push notifications that lead to Google docs that contain malicious links. Google Drive's collaboration feature lets users send messages to invite others to share a Google doc. The push notifications used in this scheme lead to malicious docs; the email messages include the malicious link.
[Neely] While collaborating on documents that use shared drives or shared documents is pretty common, it's still important to teach users to not accept unexpected collaboration requests. When collaborating, particularly outside your organization, make sure the collaboration link is only available for specific users, particularly if it allows write access. Once the document is opened, there is a tempting link to a malicious site. Use this as an opportunity to validate that your boundary and endpoint protections still, in the current work environment, block access to malicious sites in case users click it.
[Pescatore] The major point is that every communication/collaboration method created for legitimate use will be used by attackers for spam, phishing, malware delivery and so on. Consider an egg salad sandwich left at your door. It doesn't matter whether it got there by the mail carrier, UPS, FedEx or whoever; you really shouldn't eat it unless you know who sent it to you and unless you have made sure that the mayonnaise hasn't turned yellow or green--the latter being what Google has said it will ramp up on this communications path.
Read more in:
Wired: Beware a New Google Drive Scam Landing in Inboxes
Threatpost: Scammers Abuse Google Drive to Send Malicious Links
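As an added illustration of the advice in the comments above (not code from SANS, from the commenters or from Google), here is a small triage routine a mail gateway or SOC script could run over Drive share invitations. It encodes the two checks the comments call for: an invitation from a sharer outside an allowlisted set of domains is "unexpected", and any link inside the shared document that leaves Google's own hosts is pulled out so it can be tested against boundary and endpoint controls before a user clicks it. The notification shape, the trusted-domain list, the document bodies and the sample invitations are all constructed for the example; real Drive notifications would need to be parsed from the actual mail headers and body, and the document text fetched out of band.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption for the example: the organization's own domain plus partners it
# routinely collaborates with. Anything else is an "unexpected egg salad sandwich".
TRUSTED_SHARER_DOMAINS = {"example.com", "partner.example.org"}

# Hosts a legitimate Drive invitation is expected to point at.
GOOGLE_DOC_HOSTS = {"docs.google.com", "drive.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


@dataclass
class ShareNotification:
    """A Drive share invitation as a gateway might see it (constructed shape)."""
    sharer: str    # account that initiated the share, e.g. "alice@example.com"
    doc_url: str   # link the invitation points at
    doc_text: str  # body of the shared document, fetched separately (constructed)


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def external_links(doc_text: str) -> list[str]:
    """Links in the shared document that leave Google's own hosts."""
    return [u for u in URL_RE.findall(doc_text) if host_of(u) not in GOOGLE_DOC_HOSTS]


def triage(note: ShareNotification) -> dict:
    """Classify an invitation as 'allow', 'review' or 'block'.

    block  : unknown sharer AND the document (or the invitation itself) links
             outside Google, the pattern described in the item above
    review : unknown sharer, or a known sharer whose document links outside Google
    allow  : known sharer, and everything stays on Google hosts
    """
    unexpected = email_domain(note.sharer) not in TRUSTED_SHARER_DOMAINS
    off_google = host_of(note.doc_url) not in GOOGLE_DOC_HOSTS
    links = external_links(note.doc_text)
    if unexpected and (links or off_google):
        verdict = "block"
    elif unexpected or links or off_google:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "unexpected_sharer": unexpected,
        "doc_off_google": off_google,
        "external_links": links,
        "verdict": verdict,
    }


# Constructed sample invitations: one routine internal share, one unsolicited
# share from a throwaway account whose document carries an outbound link.
SAMPLES = [
    ShareNotification(
        sharer="alice@example.com",
        doc_url="https://docs.google.com/document/d/abc123/edit",
        doc_text="Q4 planning notes. Draft lives at https://docs.google.com/document/d/def456",
    ),
    ShareNotification(
        sharer="prize.winner.9981@freemail.example.net",
        doc_url="https://docs.google.com/document/d/zzz999/edit",
        doc_text="You have been selected! Claim at http://account-verify.example.net/login",
    ),
]


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{sample.sharer}: {result['verdict']} {result['external_links']}")
```

Anything that comes back as "review" or "block" is exactly the case Neely describes: the invitation itself is a valid Google message, so the decision has to rest on who sent it and where the document leads, not on whether the notification "looks like Google".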
Massachusetts Votes to Grant Third-Party Access to Wireless Car Repair Data
(November 4 and 5, 2020)
Massachusetts has voted to extend the state's automotive right-to-repair law to connected car platforms and telematics. The initial right-to-repair automotive law passed in 2013 and took effect in 2018. It requires that all vehicles sold in Massachusetts have a "non-proprietary vehicle interface device" to allow repair businesses to access mechanical data. The newly passed ballot initiative will allow car owners and independent repair businesses access to wireless vehicle maintenance and repair information.
[Pescatore] Car manufacturers having proprietary interfaces to car telematics in no way guarantees a higher level of security, nor does having an open common-access platform. The real issue is the societal decision about market competition for diagnostic and repair services, and then the security level has to enable that. This reminds me of the old debate: "Proprietary code is safer than open source code because attackers can't see the code" vs. "Open source code is safer than proprietary code because of all the eyes looking at it." The real answer has always been: "Code written and tested with security and safety as a key focus/requirement by developers and testers skilled in security is the only software that will be safe and secure."
[Neely] Of note is the trend that almost every new car sold in 2020 included a cellular modem to allow for remote monitoring and data collection, promising a more proactive maintenance/service notification and tracking experience for consumers. And while some manufacturers are working to monetize that information, a big concern about providing access to the online interface by third parties is that it also has the capability to send commands to vehicle components for maintenance, diagnostics and repair, which heightens the need to get security right quickly.
Read more in:
Ars Technica: Connected cars must be open to third parties, say Massachusetts voters
SecuRepairs: SecuRepairs Celebrates Huge Win for Right To Repair in Massachusetts
Security Ledger: Episode 193: Repair, Cyber and Your Car with Assaf Harel of Karamba Security