Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records; Critical Flaws in WordPress Plugin; Australia to Expand Scope of Critical Infrastructure

A great aid for avoiding these types of vulnerabilities: the Center for Internet Security has updated v1.3 benchmarks (configuration guidelines) for AWS S3, Office365 and the other commonly used cloud services that are constantly in the news with avoidable misconfigurations enabling incidents and exposures. https://www.cisecurity.org/blog/cis-benchmarks-september-2020-update/: CIS Benchmarks September 2020 Update

John Pescatore

While Amazon has implemented controls and warnings to limit creating or modifying an S3 bucket to be world accessible, it's still necessary to audit your configured storage to make sure permissions are appropriate for storage created prior to those controls or to find users accepting the warning and proceeding anyway. Amazon has published guidelines for auditing your AWS account and services for appropriate permissions as well as tools like CloudTrail and S3 bucket logging which allow you to monitor for inappropriate activity. See AWS security audit guidelines: https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html: AWS security audit guidelines

Lee Neely

The updated plugin was released October 29th. The vulnerability is characterized as easy to exploit, involves leveraging the plugin's not sanitizing input such that a user could change the meta data which defines their role. The free Wordfence firewall rule will not be available until November 22nd.

Lee Neely

The exposure draft clearly defines the scope and impacts related to the new categories, for systems, information and location, as well as legal basis of penalties for non-compliance. What is missing is a standard for securing and assessing those systems such as Australia's Essential Eight, a series of baseline mitigation strategies which, when implemented, makes it much harder for adversaries to compromise systems.

Lee Neely

Australia's 2018 Critical Infrastructure Act was mainly about requiring the original sectors to provide information to the Australian government, and establishing the legal authority of the government to issue directions to owners/operators of systems in those sectors. There was no mention of standards or raising the bar for cybersecurity in Australia. The proposed amendment is also very light on standards but there is a goal of "...setting clear security standards and creating a level playing field in the Australian market." A quick movement towards making the "Australian Essential Eight" practices be required would be very valuable, but the amendment is more aimed at a long term process.

John Pescatore

Approximately 1/3 of Android devices are still running Android 7.1.1, which was released in December 2016. The current Let's Encrypt root certificate can be added to the device, manually or via MDM. Alternately, users can install Firefox which has its own root certificate store. The best option is to replace devices still running Android 7, which is unsupported, with those that can run Android 11.

Lee Neely

Segmenting office and production/OT networks is a key defense, as are supply chain security measures such as cryptographic validation of firmware at the end of assembly and verification processes on media or files transferred to the production network to prevent or detect the introduction of malware.

Lee Neely

While network engineers are rewarded for flat networks (maximum bandwidth and minimum latency between any two points in the network), security engineers recognize that network structure and segmentation are essential to resisting lateral malware spread within the enterprise. At a minimum, highly vulnerable user activities (e.g., e-mail, browsing) should be isolated from "production."

William Hugh Murray

The attack affected only their shared server offering. While systems were recovered by restoration from backup, some customers will experience data loss relating to transactions that happened between the backup and restore date. Customers should review email or other transaction logs not contained on the X-Cart platform to identify gaps. Watch for a follow-up class-action lawsuit, particularly if the attack is related to the RCE vulnerability X-Cart had purportedly fixed previously.

Lee Neely

This is characterized as a "tab napping" attack. The issue occurs when a URL includes target="_blank" without the rel="noopener" attribute. The bug fix makes that the default behavior. This behavior was added to Safari in 2018, and will be added to Chromium and is a change in the HTML standard. Note that the behavior can be restored if the attribute rel="opener" is specified.

Lee Neely

It is a good idea to trust but verify vendor security claims. Understand the impacts and limitations of the security measure, rather than reading the marketing term chosen. For example, there are application limitations when using end-to-end encryption with VTC products like Zoom, which preclude joining before the host, cloud-based recording or use of the web-based applications to participate in the meeting. Understand where and how the system has been secured, so you can make a risk-based decision about what data you do, or do not, want transmitted using that service.

Lee Neely