SANS NewsBites

Cyber Threats to Apple, Android, PHP, and DHS

March 30, 2021  |  Volume XXIII - Issue #25

Top of the News


2021-03-27

Apple Emergency Updates for iPhones, iPads, and Apple Watch

Apple has released emergency updates for iOS, iPadOS, and watchOS. The updates address a vulnerability in the Apple WebKit browser engine that is reportedly being actively exploited. Users are urged to update to iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. Apple also released an update for older iPhones, iOS 12.5.2.

Editor's Note

Unlike the iOS 14.4.1 update, Apple is telling us this vulnerability is being actively exploited. Push the update to your ADE devices so users will see the prompt to install the update. Expect this update to introduce at least one more Beta version of iOS 14.5 and iPadOS 14.5, so don’t hold off expecting a rapid release of that OS. Additionally, iOS 14.5 and iPadOS 14.5 introduce a number of changes you’re going to want to review prior to rolling it out.

Lee Neely

2021-03-29

PHP Code Repository Compromised

The PHP Git server was breached on Sunday, March 28. Malicious commits were added to the PHP-SRC repository in the names of PHP developer and maintainer Nikita Popov and PHP creator Rasmus Lerdorf. The fraudulent commits were disguised as fixes for typographical errors; they were detected before entering production. PHP maintainers are moving the code base to GitHub.

Editor's Note

In my opinion, the malicious commits were meant to be found and are more a "proof of concept" vs an actual attempt to inject a backdoor. I hope the PHP team will investigate thoroughly to identify the root cause of the breach. There is always a chance of a better-hidden backdoor left in addition to the two malicious commits identified so far. If you are using git, either self-hosted or via GitHub: (1) ensure you are using strong multi-factor authentication or keys to identify developers, (2) use signed commits to make it more difficult to impersonate developers. Luckily, it looks like the intrusion was identified quickly enough and no current release of PHP was affected. As a PHP user, there is nothing you need to do at this point.

Johannes Ullrich

The existing processes were able to detect the unauthorized updates and triggered a security review. The risks of insourcing public-facing services versus using a hosted solution have changed, particularly with tight margins and a fast-changing security landscape. Service providers such as GitHub have learned how to secure their offering. Note that this does not alleviate your responsibilities to configure and secure your repositories as well. See GitHub’s nine best security practices: https://resources.github.com/whitepapers/Nine-software-security-best-practices/

Lee Neely

2021-03-29

SolarWinds: Attackers Accessed DHS eMail Accounts

Attackers exploiting the SolarWinds supply chain breach managed to access email accounts of top officials at the US Department of Homeland Security (DHS). They also accessed personal information of other senior federal officials, including the private schedule of the former Energy Secretary.


2021-03-29

Malicious Android System Update App is a RAT

A malicious Android app purports to be a system update but is actually a remote access Trojan (RAT) capable of stealing all kinds of data, monitoring users’ locations, and accessing the device’s search history. The app can also record phone calls, take pictures, and steal contact lists and call logs. The app was found on a third-party app store.

Editor's Note

While many malicious Android apps are delivered via third-party app stores, some do get added to the Google Play store. Update user guidance to not only avoid loading apps from third-party app stores but also to avoid apps from unknown or unfamiliar developers. Additionally, applications which require side-loading or developer mode should be a huge red flag.

Lee Neely

The Rest of the Week's News


2021-03-28

SpaceX Encrypts Telemetry

SpaceX appears to have encrypted its telemetry. Amateur radio users had been able to access the telemetry data streams because SpaceX had to tell the Federal Communications Commission (FCC) and National Telecommunications and Information Administration (NTIA) which frequencies it uses to communicate with its rockets.

Editor's Note

Looks like SpaceX had been encrypting telemetry communications on the Starship vehicles since 2018 or so but not the Falcon 9s. But, technology advances are leading to a resurgence in commercial satellite networking, including mobile use. While all the hype is on 5G, increased use of satellite comms is likely to happen more quickly. End-to-end encryption should be built into all new satellite comms applications – as this article proves once again, satellite comms (like fiber optic comms) are not impossible to intercept and monitor. Security through obscurity does not work.

John Pescatore

NASA has been pushing to encrypt telemetry across the board to increase the security and integrity of communications. The challenge is that existing probes/satellites/etc. have neither the computer power nor the storage to add encryption to their operations. Irrespective of frequency disclosure, security by obscurity is not a good model. Protect sensitive or proprietary information explicitly, design new systems with that capability and capacity rather than adding it later.

Lee Neely

2021-03-25

Ransomware Operators Threaten to Leak Military Contractor Data

Ransomware operators claim to have stolen data from military contractor PDI Group and are threatening to release it on the Internet if the company does not pay the ransom demand. The PDI Group provides military ground support equipment to militaries around the world.

Editor's Note

Knowing where your data is and the consequence of loss ahead of time are key to the decision process here. Consider not only what PII is in the breach data, but also what Intellectual Property is included as well. Consult both the CISA Ransomware guide and your financial institution for regulatory requirements before moving forward with a decision to pay. https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Lee Neely

2021-03-25

OpenSSL Fixes High Severity Vulnerabilities

OpenSSL has fixed two high-severity vulnerabilities in the software library. The first is a certificate check bypass issue that disables the check that prevents non-CA certificates from issuing additional certificates. The second flaw is a null pointer dereference issue that could be exploited to crash vulnerable OpenSSL servers by sending a maliciously crafted renegotiation ClientHello message. Both issues are fixed in OpenSSL 1.1.1k.

Editor's Note

Neither of these vulnerabilities constitutes an emergency. Wait for updates to arrive for your platform and update according to your normal vulnerability management procedures.

Johannes Ullrich

Exploiting the certificate bypass flaw was possible only when an application expressly set the X509_V_FLAG_X509_STRICT flag. Exploiting the null pointer dereference flaw requires the server to be running TLS 1.2 with renegotiation enabled, which is the default. Disabling renegotiation is specific to your service implementation; updating to OpenSSL 1.1.1k or later may be a simpler option. While OpenSSL 1.0.2 is not impacted, it is also out of support and not receiving public updates. Patches have been released for Ubuntu and Debian. Expect other distributions to release updates soon.

Lee Neely

2021-03-26

SolarWinds: New Software Build System

SolarWinds CEO Sudhakar Ramakrishna says the company is experimenting with a new software build system that should help prevent breaches like the one disclosed late last year. Speaking at a virtual event last Thursday, Ramakrishna said the company is considering running two or three parallel build systems and chains. SolarWinds is implementing other new security measures, including a cybersecurity committee at the boardroom level and authority for the company’s CISO to pause software updates that are being released simply because of time-to-market concerns.

Editor's Note

SolarWinds will continue to remain under the magnifying glass as they recover from their breach. Adding these security changes to the build process to make unauthorized additions to the code easier to detect may become a model you want to review for your code management. Decoupling time-to-market from the release process, while desirable, may not be practical in a market-based economy. Solving this challenge can buy time to produce higher quality code out the gate.

Lee Neely

Anyone thinking parallel build systems will prevent another software supply chain compromise is fundamentally missing the point. The attackers that compromised SolarWinds are extremely disciplined and are playing a long game. This is evidenced by the fact that they actually tested the build process before deploying their malware. While I'm sure statements like these will fool some investors, we can be reasonably sure the Russians are belly-laughing saying "haha - parallel build systems" (or whatever that translates to in Russian).

Jake Williams

2021-03-29

Ransomware Operators Leak Shell Employee Information

Earlier this month, oil company Royal Dutch Shell acknowledged “a third-party cyber security incident.” Clop ransomware operators have uploaded sensitive Shell employee documents to a website. The compromised information includes scans of visas and passports.


2021-03-26

US Cyber Command Took Action to Protect 2020 Elections from Meddling

General Paul Nakasone, director of US Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee that “U.S. Cyber Command conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020.” Nakasone said that the operations demonstrated that Cyber Command needs to be ready to act if necessary; that Cyber Command’s partnership with NSA is a boon; and that timely information sharing with both foreign and domestic partners benefits everyone.


2021-03-29

Critical Flaw in Netmask npm Library

A critical vulnerability in the netmask npm library could be exploited to allow server-side request forgery bypasses and remote file inclusion. The problem lies in the way the library parses IP addresses with leading zeroes. The issue affects an estimated 278 million projects. The issue is fixed in netmask 2.0.0.

Editor's Note

This issue may be worse than the PHP compromise. The netmask library is included in more than 200,000 different projects, meaning that more or less any npm/node.js project is using this code. In some cases, it is used to make security decisions. Most users of this library have no idea that they are using it. Time for an "npm audit" and make sure you have a plan for doing this regularly. Not all vulnerabilities in npm packages are advertised as prominently.

Johannes Ullrich
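The netmask item above turns on how a leading-zero octet such as "0177" is read: as decimal 177, or as octal 127 (loopback) the way the OS resolver reads it. The following is an added example, not code from the netmask package or from the article; it models both readings side by side with a strict parser that simply rejects non-canonical octets, and runs a CIDR check over constructed sample input.

```javascript
// Added example (not netmask's code). Three readings of an IPv4 string:
//   "decimal": a leading-zero octet is read as decimal (the unsafe reading)
//   "octal":   a leading-zero octet is read as octal, as inet_aton does
//   "strict":  any non-canonical octet is rejected (the defensive choice)
const OCTET_STRICT = /^(0|[1-9][0-9]{0,2})$/; // canonical decimal only
const OCTET_OCTAL = /^0[0-7]+$/;              // inet_aton-style octal form

function parseIPv4(str, mode) {
  const parts = String(str).split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let v;
    if (OCTET_STRICT.test(p)) v = parseInt(p, 10);
    else if (mode === "strict") return null;
    else if (mode === "decimal" && /^[0-9]+$/.test(p)) v = parseInt(p, 10);
    else if (mode === "octal" && OCTET_OCTAL.test(p)) v = parseInt(p, 8);
    else return null;
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

// CIDR membership over parsed octets, e.g. inCidr([127,0,0,1], "127.0.0.0/8").
function inCidr(octets, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseOctets = parseIPv4(base, "strict");
  if (!octets || !baseOctets || !(bits >= 0 && bits <= 32)) return false;
  const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(octets) & mask) === (toInt(baseOctets) & mask);
}

// How each reading classifies an input against the loopback range: the
// decimal reading says "not loopback" for "0177.0.0.1" while the resolver
// would connect to 127.0.0.1; the strict reading refuses to guess.
function loopbackVerdicts(str) {
  const strict = parseIPv4(str, "strict");
  return {
    decimal: inCidr(parseIPv4(str, "decimal"), "127.0.0.0/8"),
    octal: inCidr(parseIPv4(str, "octal"), "127.0.0.0/8"),
    strict: strict === null ? "rejected" : inCidr(strict, "127.0.0.0/8"),
  };
}

// Constructed sample input, not a value from the article.
console.log(loopbackVerdicts("0177.0.0.1")); // decimal: false, octal: true, strict: "rejected"
```

The practical lesson for an allow/deny check is the strict branch: canonicalize or reject before comparing, and run `npm audit` so the fixed netmask 2.0.0 actually lands in your dependency tree.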

2021-03-26

Ransomware: Sierra Wireless Begins Bringing Network Back Up

Internet of Things (IoT) manufacturer Sierra Wireless says production has resumed following a March 20 ransomware attack. The company is now focusing on bringing its internal networks back.


2021-03-29

NIST Published Draft Framework for Election Infrastructure Security

The US National Institute of Standards and Technology (NIST) has published a draft framework that offers “a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure.” The framework aims to help local governments implement cybersecurity best practices for polling places, voter registration databases, and voting machines. NIST is accepting comments through May 14, 2021.

Editor's Note

NIST is providing a structured approach to maintaining and securing both the voting machines and supporting infrastructure such as voter registration databases. As with other CSF documents, the controls are cross-walked with CSC, NIST, COBIT, ISO/IEC 27001 and ISA 62443 standards. This mapping should allow you to use existing controls and frameworks rather than starting from scratch in an unfamiliar baseline.

Lee Neely

Internet Storm Center Tech Corner

Malware Analysis with elastic-agent and Microsoft Sandbox

https://isc.sans.edu/forums/diary/Malware+Analysis+with+elasticagent+and+Microsoft+Sandbox/27248/


Office Macro Execution Evidence

https://isc.sans.edu/forums/diary/Office+macro+execution+evidence/27244/


iOS/iPadOS/WatchOS Update

https://support.apple.com/en-us/HT212256


Solarwinds Orion Platform Patch Release

https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-5_release_notes.htm


Jumping Into Shellcode

https://isc.sans.edu/forums/diary/Jumping+into+Shellcode/27256/


PHP git repo compromised

https://news-web.php.net/php.internals/113838


npm "netmask" package vulnerability

https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/