SANS NewsBites

IoT Law to Set Standards Mandatory for Government Purchase; Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously; Bad Actors Scanning WordPress Sites; COVID-19 Response Organizations Hit by Cyberattacks

November 20, 2020  |  Volume XXII - Issue #92

Top of the News


2020-11-19

Internet of Things Security Bill To Establish Security Standards Mandatory for Government

The US Senate has unanimously passed the IoT Cybersecurity Improvement Act. The bill will require that Internet of Things (IoT) devices purchased by the federal government meet certain cybersecurity standards which will be set by the National Institute of Standards and Technology (NIST). Agencies will also need to establish vulnerability disclosure processes for IoT devices. The House of Representatives passed the bill in September.

Editor's Note

While not yet law, having standards for IoT security will give us a baseline to hold manufacturers accountable, as well as aid in measuring the security, and possible certification, of current and future devices. Note that USG agencies will not be permitted to purchase devices not compliant with the standards once established.

Lee Neely

2020-11-19

Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously

Three vulnerabilities in Cisco's Webex video conferencing application could be exploited to join meetings as ghost users, able to listen in without the knowledge of other meeting participants or the host. An attacker could exploit one of the flaws to access the names, email addresses, and IP addresses of meeting participants. Another flaw could be exploited to remain in a meeting even after being dismissed by the host. Cisco has released updates to address the vulnerabilities.

Editor's Note

In the 2020 SANS Top New Attacks and Threat Report, Johannes Ullrich pointed out the risk of vulnerabilities in the numerous "Persistent and Promiscuous Web Agents" in use for applications such as Webex, Zoom and others. The Center for Internet Security recently released a good security guide for videoconferencing systems at https://www.cisecurity.org/white-papers/videoconferencing-security-guide/

John Pescatore

Cisco patched their cloud-based servers. You need to patch or update on-premises Cisco Webex Meetings Server 3.0M3 Security Patch 4 and earlier; 4.0MR3 Security Patch 3 and earlier, as well as mobile versions prior to 40.10.9.

Lee Neely

2020-11-18

Bad Actors Scanning for Vulnerable WordPress Sites

Hackers appear to be scanning for WordPress sites that use Epsilon Framework-based themes. Multiple function injection vulnerabilities could be exploited together to execute code remotely and to take over vulnerable websites. Users are urged to update to a fixed version of the theme(s) they use, if they are available. Themes built with Epsilon Framework are used on at least 150,000 sites.

Editor's Note

While the attacks appear to be probing, intel-gathering attacks at this time, don't wait for that information to be leveraged. The Wordfence site below lists the specific vulnerable theme versions. If there is not an update for your theme, and switching themes is impractical, add an application firewall to block the attacks.

Lee Neely

https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/

2020-11-19

COVID-19 Response Organizations Hit by Cyberattacks

Two companies with ties to COVID-19 research and treatment were recently targeted by cyberattacks. Americold, an Atlanta-based company that provides cold storage for food distributors and is planning to be involved with COVID vaccine storage, has disclosed that its network was hit with a cyberattack earlier this month. The disclosure was made in a US Securities and Exchange Commission (SEC) filing. Miltenyi Biotec, a biotechnology company based in Germany, was hit with a cyberattack that affected some operational processes; Miltenyi supplies research companies with antigens for use in developing COVID-19 treatments.

The Rest of the Week's News


2020-11-18

CISA Director Krebs Fired

Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs has been fired. The decision to fire Krebs has met with condemnation from legislators and from cybersecurity experts.

Editor's Note

Under Krebs' leadership, the CISA raised the bar on cyber security alerting and partnerships with public and private sector entities. It's hoped his model will continue in his absence.

Lee Neely

Security professionals must take care not to give unwarranted comfort nor to raise unnecessary alarm. They are often called upon to speak truth to power and they must be willing to put their jobs on the line for their credibility. Let Christopher Krebs be our example and our hero.

William Hugh Murray

This dismissal has long-term ramifications for global cybersecurity. Many relationships at an international level are based on the individuals in various organisations and the personal relationships and trust they build with their peers elsewhere. The dismissal of Mr. Krebs sends a message to the US's international partners that building those personal relationships and the trust that comes with it can be quickly undermined by a political decision.

Brian Honan

2020-11-18

Firefox 83 has HTTPS-Only Mode Feature

Firefox 83 has a new mode that connects only to HTTPS sites; when a site cannot be reached over HTTPS, users are asked to approve the insecure connection. The feature is disabled by default. Mozilla released Firefox 83 to the stable channel earlier this week.

Read more in

Mozilla: Firefox 83 introduces HTTPS-Only Mode

ZDNet: Firefox 83 released with 'HTTPS-Only Mode' that only loads HTTPS sites

Bleeping Computer: Firefox 83 boosts security with HTTPS-Only mode, zero-day fix

Security Week: Mozilla Boosts Security in Firefox With HTTPS-Only Mode


2020-11-19

Mozilla Seeks Input Before Rolling Out DNS-over-HTTPS to All Firefox Users

Mozilla plans to roll out the DNS-over-HTTPS (DoH) protocol in Firefox for all users worldwide, but is asking companies, governments, and Internet service providers (ISPs) for their input. The public comment period runs through January 4, 2021.

Editor's Note

It would be better to roll out DNS over TLS as specified by RFC 7858, providing secure DNS for all system services, not just the browser, to avoid inconsistencies between the browser and host-based resolvers as well as support existing investment in enterprise DNS architecture.

Lee Neely

2020-11-18

Firefox Says Goodbye to Flash in January

Mozilla has announced that it will end support for Flash in Firefox as of January 26, 2021. With the release of Firefox 85, "there will be no setting to re-enable Flash support."

Editor's Note

Develop and test your strategy to uninstall and disable Flash now. Leverage browsers no longer supporting Flash and Microsoft's Flash removal "patch," as well as verification to ensure it's truly disabled.

Lee Neely

2020-11-17

Industrial Control System Vulnerabilities

Four industrial control system (ICS) vendors have recently disclosed vulnerabilities in their products. Real Time Automation disclosed a stack overflow flaw in its 499ES ENIP stack protocol. Paradox disclosed two vulnerabilities in its IP150 Internet Module. Schneider Electric disclosed nine security issues in its Interactive Graphical SCADA System, and Sensormatic Electronics disclosed a vulnerability in the American Dynamics victor Web Client and Software House C*CURE Web Client.

2020-11-18

Managed.com Hit with Ransomware

Hosting provider Managed.com was hit with a ransomware attack that began earlier this week. The company has taken down all its servers to contend with the incident. The attack affected Managed.com's public-facing hosting systems; some customers' sites were encrypted.

Editor's Note

Make sure you have backups of hosted services, ideally stored at a separate service, as hosting services have become a new attack target with the goal that once the hosting provider's systems are compromised, manipulation or disruption of client services will result. Other hosting providers attacked include Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.Net, Dataresolution.net and Internet Nayana.

Lee Neely

A classic example of why you need to include external providers in your Business Continuity Planning. Just because you outsource something to a third party, it does not mean it is no longer your responsibility.

Brian Honan

Consider Tripwire's Configuration Manager.

William Hugh Murray

Internet Storm Center Tech Corner

When Security Controls Lead to Security Issues

https://isc.sans.edu/forums/diary/When+Security+Controls+Lead+to+Security+Issues/26804/


PowerShell Dropper Delivering Formbook

https://isc.sans.edu/forums/diary/PowerShell+Dropper+Delivering+Formbook/26806/


Google Chrome Update

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html


Firefox 83 HTTPS Only Mode

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/


OOB Windows Kerberos Update

https://docs.microsoft.com/en-us/windows/release-information/windows-message-center


Cisco WebEx Patch Fixes "Ghost Users"

https://securityintelligence.com/posts/ibm-works-with-cisco-exorcise-ghosts-webex-meetings/


Apple Binaries Used to Bypass 3rd Party Security Products on MacOS 11

https://twitter.com/patrickwardle/status/1327726496203476992


Apple Improving Privacy on App Certificate Checks

https://support.apple.com/en-us/HT202491


Cisco Security Manager Vulnerabilities

https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e

https://tools.cisco.com/security/center/publicationListing.x


Ransomware Flooding Printers

https://twitter.com/Irlenys/status/1327784305465188353


Google Leading the Way in Phishing

https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign


Identifying Malicious Servers With JARM

https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a


Daniel Behrens: Industrial Traffic Collection: Understanding the Implications of Deploying Visibility Without Impacting Production

https://www.sans.org/reading-room/whitepapers/ICS/industrial-traffic-collection-understanding-implications-deploying-visibility-impacting-production-39810