Cybersecurity Dimensions of the Coronavirus and the Iowa Caucus Reporting App Problem

Fraud and malware related to the Coronavirus is currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: https://isc.sans.edu/contact.html

Johannes Ullrich

The Coronavirus introduces an illness which does not yet have a cure, and is resulting in, sometimes unexpected, quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.

Lee Neely

Think of the Iowa caucus primary as that troublesome business unit in your company that is considered a key performer by management and is allowed to do everything just a little bit differently than all the other business units. The security approach here was "rather than make sure this new app is thoroughly tested, we will only release it to the users at the last minute - that way hackers won't have time to hack it if there are vulnerabilities." Not only is that always a bad approach to security, it is absolutely the worst approach to take with that business unit that never follows all the policies and procedures everyone else does. This one will make a very good Harvard Business Review case study - next time a business unit is pressuring to subvert the time require to thoroughly test new stuff, just tell management "We will be at risk of an Iowa caucus implosion...."

John Pescatore

The issues underscore the need for usability and load testing before a wide scale deployment. The plan for the caucus included backup measures, including a number to call as a backup; unfortunately, the number was released widely and was overwhelmed, creating an intentional denial of service.

Lee Neely

Testing the app was necessary but not sufficient. The deployment of applications must be end-to-end and must include the training and participation of the end users.

William Hugh Murray

Another connection between cybersecurity and the Iowa Caucus App is that many Americans, including very senior government policy makers and politicians, perceive the Iowa App debacle as a cybersecurity-related problem or at least something that cybersecurity people should have anticipated and solved. At the same time many software development organizations consider 5 to 15 minute cybersecurity awareness training as sufficient for their software development people.

Alan Paller

This is not the first CDP vulnerability; as such. the best mitigation is to disable it explicitly. A notable concern is the flaws can be used to access other VLANS, possibly allowing access to sensitive traffic such as VoIP or ICS.

Lee Neely

Cisco has joined Adobe and Microsoft among the infrastructure software providers with routine patches.

William Hugh Murray

Some attention has been paid to the security of voting equipment, but very little paid to the complex "supply chain," from registration to voting to tallying to announcing results, etc. The business equivalent is the ordering app being very secure and having DDoS protection but the user sign-up app being vulnerable.

John Pescatore

This is a "must patch now" vulnerability (emergency priority) for anybody using OpenBSD with OpenSMTPD. OpenSMTPD is not very popular, and as far as I can tell used only on OpenBSD systems. But OpenBSD, due to its reputation as a secure operating system, is often used for critical systems like security devices and firewalls. The vulnerability is trivial to exploit, and likely already exploited.

Johannes Ullrich

Exploitation of this flaw harkens back to the Morris Worm. A properly crafted message can be sent which causes the message body to be executed with the privileges of the SMTP daemon. Vulnerable daemons can be detected by vulnerability scanners, the best mitigation is to apply the update.

Lee Neely

The modern "stack" makes it difficult to fully vet input at the application layer. It is essential that every layer also parse its input.

William Hugh Murray

It has always been dangerous to store sensitive data on portable devices. The speed and ubiquity of the modern "cloud" (storage, connectivity, and software) makes it not only unnecessary but reckless to do so.

William Hugh Murray

It is easy to focus on a single issue and miss other indications of compromise, particularly with pressure to return services to operational status rapidly. Regular scanning and monitoring for indicators can provide a backup for when this happens.

Lee Neely

The time allowed for public comment on NIST publications seems to be disproportionate to their size and importance. Few of us are sitting around with time on our hands just waiting to work full time for a month on their latest effort. We should admit that we are only giving lip-service to the idea of "public comment."

William Hugh Murray