SANS NewsBites

UK Wants Smart Phone Vendors to State Security Support Duration; PulseConnect Exploitation Expands; Linux Kernel Maintainers Push Back Against Researcher

April 23, 2021  |  Volume XXIII - Issue #32

Top of the News


2021-04-21

UK’s Secure By Design Plan Now Includes Smartphones

The UK's Department for Digital, Culture, Media and Sport (DCMS) has added smartphones to its Secure by Design plan. Makers of Internet of Things (IoT) devices, including smartphones, tablets, and other connected gadgets, will be required to disclose, at the point the devices are put on the market, when they plan to stop providing security updates. Makers of smart devices will also be prohibited from shipping devices with universal default passwords, and will have to offer a single point of contact for reporting vulnerabilities and obtaining updates. DCMS is pushing for Secure by Design to become law.

Editor's Note

The intent is to drive a consistent security standard across Europe. The disclosure of product support duration is supposed to happen at the point of sale, and now is expanded to include Smartphones. The challenge is for consumers and small businesses, who may be unaccustomed to thinking about support end dates, to add this to their lifecycle planning, including sufficient lead time to plan and test replacements.

Lee Neely

These are sensible requirements that shouldn't be too hard to comply with. In particular, the idea of publishing an "end of support" date is important. Some software and hardware manufacturers already do so, but usually only for more professional devices. It may also lead to longer support time frames if customers are able to verify the expected time the device will be supported.

Johannes Ullrich

We expect Microsoft to publicly state how long versions of Windows will be supported; the same should be true of everything else with software that can be updated. The software industry has long evaded any possibility of being required to provide warranty for software; regulations like this are needed.

John Pescatore

No other infrastructure, from food to finance, has gone three generations without government safety regulation. It is ironic that cyber is the only exception, since it is now used to operate all the others. One necessary measure will be to hold suppliers accountable for the quality of their output.

William Hugh Murray

2021-04-21

Pulse Connect Secure VPN Vulnerabilities

Mandiant investigated multiple intrusions at government, defense, and financial organizations around the world. “In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.” The Pulse Connect Secure VPN appliances were compromised via an authentication bypass. Mandiant is tracking a dozen malware families involved in exploiting vulnerabilities in Pulse Connect Secure devices. In all, four security issues are involved; three were patched in 2019 and 2020, and the fourth was newly disclosed and still unpatched at the time of the report, with mitigations available. Pulse Secure has released a tool to help organizations determine whether their installations have been impacted, and will provide impacted customers with additional mitigations.

Editor's Note

The exploit bypasses 2FA authentication, not just reusable credentials. If you’re running a Pulse Connect Secure VPN, run the Pulse Security Integrity Checking Tool (https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s) to verify the integrity of your installation – note the tool will reboot your VPN appliance. Make sure that you’re on a supported version of their software; updates will not be provided for End of Engineering (EOE) or End of Life (EOL) versions. Make sure that you’re actively updating and monitoring the software and security configuration of your VPN, to include running integrity checks on a regular basis.

Lee Neely

Pulse VPN appliances keep on giving to the bad guys, and I still do not see an estimated delivery date for patches. With active exploitation under way, please follow the mitigating steps noted in the advisory and hope for the best.

Johannes Ullrich

2021-04-22

Linux Kernel Project Maintainer Bans Univ. of Minnesota Over Malicious Commits

A Linux kernel project maintainer has banned the University of Minnesota (UMN) from contributing to the project after UMN researchers deliberately submitted malicious code commits. The Linux kernel project maintainer has also said they will revert any code commits that came from a UMN email address. “Commits from @umn.edu addresses have been found to be submitted in ‘bad faith’ to try to test the kernel community's ability to review 'known malicious' changes. Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.” The commits in question are the subject of a research paper scheduled to be presented at the IEEE Symposium on Security and Privacy in May.

Editor's Note

The open source community is largely built on trust, not on reviewing each other’s code carefully for security vulnerabilities. So it is reasonable to expect a strong reaction from Linux kernel maintainers if researchers use the kernel development process in security experiments. However, the exact facts are not quite clear in this case. The researchers state that they only suggested patches on mailing lists, and spoke up before these patches were included in any actual code repositories. The Linux kernel maintainers point to a large list of commits that they reverted. But many of these commits are not related to the research, and some actually patched unrelated security flaws, which may now end up being "unpatched" again. The real problem here may rest with the university's Institutional Review Board approving the research. I find that the fallout clearly shows that this research involved people, and people's reactions to the experiment are what we are seeing now.

Johannes Ullrich

Perhaps in no other community is it so difficult to distinguish the good guys from the bad, the rogues from the merely mischievous, those who are part of the problem from those who are part of the solution.

William Hugh Murray

The Rest of the Week's News


2021-04-21

Laptop Manufacturer Quanta Suffers Ransomware Attack

Quanta Computer, which manufactures laptops for multiple companies, including Apple, has acknowledged that it was the victim of a ransomware attack. The ransomware operators have begun posting files they claim to have taken during the attack; the files include schematics, dated March 2021, that are allegedly for a MacBook design.

Editor's Note

Quanta refused to pay REvil’s ransom, and now the operators are asking Apple to pay by May 1st. The ransom is currently set to $50 million and goes to $100 million after April 27th.  While Apple is not expected to pay, expect that Quanta’s customers (including Apple, HP, Alienware, Dell, Lenovo, Cisco and Microsoft) will be demanding a full accounting of the breach as well as a review of mitigations taken to prevent recurrence to retain their business. Having clear documentation of where data resides and third-party liability agreements are key in this situation. A determination has to be made as to exactly what was exfiltrated and the value determined to drive next steps. You’ll want your legal team at the table.

Lee Neely

2021-04-21

SonicWall Issues Fixes for Email Security Tool Vulnerabilities

SonicWall has released updates to address three vulnerabilities affecting its Email Security (ES) product. The flaws could lead to unauthorized administrative account creation, post-authentication arbitrary file upload, and post-authentication file read. They have been exploited together to gain administrative access and execute code on vulnerable devices. The issues affect both the hosted and on-premises versions of ES.

Editor's Note

This vulnerability only affects the SonicWall email appliance, not the firewall. SonicWall published some rules for its firewall products to mitigate these vulnerabilities.

Johannes Ullrich

2021-04-20

US Power Grid Cybersecurity Plan

The White House has released its 100-day power grid cyber security plan. One of the plan’s central strategies is developing a stronger relationship between national security agencies and the electric utility systems, which are largely private. The plan will be managed by the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Energy.

Editor's Note

The effort includes a new Request for Information (RFI) to get input from electric utilities, electric companies, academia, research laboratories, etc. to build recommendations for future security including preventing exploitation and attacks by foreign threats. The RFI is due by June 7th and is located on the Federal Register (https://www.federalregister.gov/documents/2021/04/22/2021-08482/notice-of-request-for-information-rfi-on-ensuring-the-continued-security-of-the-united-states). Responses can be made via email or in writing via US-mail, and will be posted on DOE’s Securing Critical Electric Infrastructure web page (https://www.energy.gov/oe/securing-critical-electric-infrastructure).

Lee Neely

2021-04-21

US Government Agencies Affected by Pulse Connect Secure VPN Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that networks at several federal agencies were affected by threat actors exploiting vulnerabilities in Pulse Connect Secure devices. Mandiant suspects that one of the groups exploiting the vulnerabilities has ties to China.

Editor's Note

Mandiant reports they are tracking twelve malware families and multiple hacking groups tied to exploiting the flaws. Beyond wondering if you are target or not, make sure that you’ve applied the updates and are on supported software versions.

Lee Neely

2021-04-21

CISA Issues Emergency Directive Regarding Pulse Connect Secure

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive instructing federal agencies to mitigate vulnerabilities in Pulse Connect Secure devices by 5:00pm EDT on Friday, April 23. Agencies are required to run the Pulse Connect Secure Integrity Tool every 24 hours.

Editor's Note

If after running the Integrity Tool hash mismatches or newly deleted files are discovered, your device has to be immediately isolated (while powered on) and forensically analyzed. They can be returned to service once they have a clean bill of health to include the steps in Appendix A of ED 21-03. In addition to running the tool, it is expected that agencies will apply updates within 48 hours of their release.

Lee Neely

Government agencies are historically slow to patch and became even slower when they had to support large numbers of work from home employees as the pandemic hit. The level of compromise of the old PulseSecure flaws and the emergence of the latest vulnerability justify an edict for emergency action.

John Pescatore
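
The directive turns on a baseline-versus-live comparison: the integrity tool hashes the appliance's files and reports anything whose hash no longer matches or that has disappeared. The following is an added illustration of that comparison, written for this issue; it is not the Pulse Secure tool or CISA's code, and the file names, contents and the temporary tree it builds are constructed for the example. It snapshots a clean tree, alters it three ways (edited file, deleted file, unexpected new file), and classifies the drift the way a responder would read the tool's output.

```python
"""Baseline-vs-live file integrity comparison (added example, not the Pulse Secure tool)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a known-good manifest and the live filesystem."""
    return {
        "modified": sorted(k for k, v in baseline.items() if k in current and current[k] != v),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def must_isolate(findings: dict[str, list[str]]) -> bool:
    """ED 21-03 names hash mismatches and newly deleted files as the isolate triggers.
    An unexpected new file (where a dropped web shell would show up) is treated here as
    equally suspicious; that extension is this example's choice, not the directive's text."""
    return any(findings[k] for k in ("modified", "deleted", "added"))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean tree, then alter it three ways. Paths are made up."""
    clean = {
        "cgi/login.cgi": b"#!/bin/sh\necho ok\n",
        "lib/auth.so": b"\x7fELF-stand-in",
        "etc/version": b"release-1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_manifest(root)

        (root / "cgi/login.cgi").write_bytes(b"#!/bin/sh\necho ok\n# unauthorized edit\n")  # hash mismatch
        (root / "lib/auth.so").unlink()                                                  # deleted file
        (root / "tmp").mkdir()
        (root / "tmp/cache.php").write_bytes(b"<?php /* constructed stand-in */ ?>")   # unexpected new file
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    print(result, "-> isolate (powered on) for forensics" if must_isolate(result) else "-> clean")
```

The baseline manifest is only as trustworthy as the moment it was taken; generate it from vendor-published hashes or from a freshly installed image, never from a device that may already have been touched, and keep it off the appliance so an intruder cannot rewrite the reference alongside the files.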

2021-04-22

Dept. of Justice Forms Ransomware Task Force

The US Department of Justice (DoJ) has convened The Ransomware and Digital Extortion Task Force. The task force will include officials from the DoJ’s National Security Division, Criminal Division, Civil Division, Executive Office of U.S. Attorneys, and the FBI and will be overseen by Acting Deputy Attorney General John Carlin. (Please note that the WSJ story is behind a paywall.)


2021-04-21

Codecov Attackers Accessed Hundreds of Customer Networks

Investigators say that the threat actors who altered Codecov’s Bash Uploader script harvested customers’ credentials and used them to gain access to hundreds of Codecov customers’ networks. The initial Bash Uploader breach went undetected for several months.

Editor's Note

Use strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), by default. Fraudulently reusable credentials constitute a major weakness in our infrastructure. Use strong authentication to protect the infrastructure even if you think that your application and environment do not require it. The ubiquitous mobile and biometrics make it both cheap and convenient. No excuses.

William Hugh Murray
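
The Bash Uploader is fetched and executed by CI jobs, so a change on the server reaches every customer pipeline that trusts the download. Two controls limit that blast radius: refuse to run the script unless its digest matches a value pinned from a separate channel, and hand the script only the environment variables it needs so a tampered copy has nothing worth harvesting. The block below is an added example written for this issue, not Codecov's uploader or any customer's pipeline; the script bodies, the "tampered" change and the variable names are constructed stand-ins, and the pinned digest is computed in place only so the example runs offline (in a real pipeline it is a literal pasted from the published checksum).

```python
"""Verify a fetched CI script against a pinned digest before running it, and give it a
minimal environment. Added example; script bodies and variable names are constructed."""
import hashlib
import hmac
from typing import Callable, Mapping

# Constructed stand-in for the uploader as published by the vendor.
GOOD_UPLOADER = b"#!/usr/bin/env bash\nset -euo pipefail\necho 'uploading coverage report'\n"

# Constructed stand-in for a server-side modification: any change at all, not a
# reconstruction of the real one.
TAMPERED_UPLOADER = GOOD_UPLOADER + b"# unauthorized modification\n"

# In a real pipeline this is a literal pasted from the vendor's published checksum, ideally
# obtained from a second channel (the project's source repository) rather than the same host
# the script is fetched from. It is computed here only so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(GOOD_UPLOADER).hexdigest()


def verify_script(content: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the fetched bytes' digest against the pinned value."""
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def minimal_env(full_env: Mapping[str, str], allow: set) -> dict:
    """Pass the script only the variables it needs. A tampered script can still misbehave,
    but it cannot read cloud keys, deploy tokens or signing secrets it was never handed."""
    return {k: v for k, v in full_env.items() if k in allow}


def run_if_verified(content: bytes, expected_sha256: str, runner: Callable[[bytes], None]) -> bool:
    """Gate execution on the digest check; returns False (and runs nothing) on mismatch."""
    if not verify_script(content, expected_sha256):
        return False
    runner(content)
    return True


if __name__ == "__main__":
    import os
    import subprocess
    import tempfile

    env = minimal_env(os.environ, {"PATH", "HOME", "CI", "CODECOV_TOKEN"})

    def run_bash(script: bytes) -> None:
        with tempfile.NamedTemporaryFile(suffix=".sh") as f:
            f.write(script)
            f.flush()
            subprocess.run(["bash", f.name], env=env, check=False)

    print("good copy ran:    ", run_if_verified(GOOD_UPLOADER, PINNED_SHA256, run_bash))
    print("tampered copy ran:", run_if_verified(TAMPERED_UPLOADER, PINNED_SHA256, run_bash))
```

The pin has to be updated deliberately whenever the vendor ships a new version, which is the point: an unexpected change to the download becomes a failed build instead of a silent credential leak. Rotate any secret that was ever visible to an unverified copy of the script.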

2021-04-19

MasterCard Acquires Ekata

MasterCard has acquired identity verification company Ekata. According to a press release, “Ekata's identity verification data, machine learning technology and global experience combined with Mastercard's fraud prevention and digital identity programs will help businesses confidently know who their customers are and, in turn, help those customers safely interact online.”

Editor's Note

The credit card companies have been buying up vendors in the fraud detection and identity proofing markets, which together represent $30B in annual revenue – which is about equal to what the estimates are for online fraud costs to financial institutions. However, false declines – transactions denied because of false positives in fraud detection – cost the financial industry 5x as much per year as fraud. Just like in phishing attacks, all this spending and cost is due to the use of easily compromised reusable passwords. The European Banking Authority is mandating Strong Customer Authentication under Payments Services Directive 2 which has been rolling out in 2021 and has the potential to shift fraud liability from merchants to the card issuers, another factor driving card brand/issuer spending in this area.

John Pescatore

The card brands really do need to get their house in order. All the new detection technology cannot compensate for the fundamental vulnerability, Primary Account Numbers in the clear, that they have no plan to fix.

William Hugh Murray

2021-04-21

Wordfence: Remove Kaswara Modern WPBakery Page Builder Addons WordPress Plugin

A critical vulnerability in the Kaswara Modern WPBakery Page Builder Addons premium WordPress plugin is being actively exploited. The flaw allows “unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.” The plugin also contains several vulnerable endpoints that can be exploited to delete files and inject JavaScript. Wordfence recommends that users remove the plugin as it is no longer maintained.

Editor's Note

This is an actively exploited vulnerability with no available update. Because the plugin is not maintained, no update is expected, necessitating prompt retirement and uninstallation of this plugin. While paid Wordfence users have firewall rules as of April 21st, free users will not have those until May 21st.

Lee Neely

2021-04-20

Update Contact Form 7 WordPress Plugin to Fix Severe Flaws

WordPress users are urged to update the Redirection for Contact Form 7 plugin to address three severe vulnerabilities. The flaws could be exploited to generate arbitrary nonces, install arbitrary plugins and inject PHP Objects, and delete arbitrary posts. The most current version of the Redirection for Contact Form 7 plugin is 2.3.5.

Editor's Note

The good news is the plugin maintainers released an update within 24 hours of confirming reports of the flaw, indicating the team is actively engaged and committed to maintaining the security of the plugin. Verify you’ve updated the plugin, and even if updated, uninstall it if you are not actively using it. Wordfence released firewall rules February 11th and March 13th for the paid and free versions.

Lee Neely

Hardly a week goes by that vulnerabilities in WordPress plugins are not identified. Plug-ins should be used only by design and intent, never by default, and they must be managed.

William Hugh Murray

2021-04-22

QNAP Fixes Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync

QNAP has released updates to address a critical vulnerability affecting its HBS 3 Hybrid Backup Sync. The flaw can be exploited to access QNAP network attached storage (NAS) devices using hardcoded credentials. Users are urged to upgrade to the latest version of HBS.

Editor's Note

Please use my comment from prior issues of NewsBites: "DO NOT EXPOSE YOUR NETWORK STORAGE DEVICES TO THE INTERNET. EVER." I will stop typing now and patch my QNAP device. (But I likely uninstalled this utility during setup.)

Johannes Ullrich

Hard coded credentials solve short term problems, but leave you open to exploit when discovered. Make sure not only that you are updating the software on your NAS devices, but also that they are only accessible from authorized devices, including limiting remote management to local devices only. Review them for unexpected accounts and applications, removing these when discovered.

Lee Neely

"Hard-coded credentials" is the kind of bad practice that the UK effort is intended to identify and discourage.

William Hugh Murray
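
A hard-coded credential is the same secret in every shipped unit: whoever pulls it out of one firmware image has it for every device that exposes the service. The block below is an added example for this issue, not QNAP's code and not the HBS 3 fix; the account name, the fixed password and the work factor are constructed. It places the vulnerable pattern beside the hardened one, where the secret is generated on the device at provisioning time, stored only as a salted PBKDF2 hash, and compared in constant time, so no two devices share it and it never ships in the image.

```python
"""Hard-coded service credential (vulnerable) beside a per-device provisioned credential
(hardened). Added example; names and values are constructed, not QNAP's."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise it for hardware that can afford more

# --- Vulnerable: one secret baked into every unit. Extract it from one box (or from the
# firmware image) and it opens every box that exposes the service.
HARDCODED_USER = "backupsvc"          # constructed
HARDCODED_PASS = "Sync-2021-Fixed!"   # constructed


def check_login_hardcoded(user: str, password: str) -> bool:
    return user == HARDCODED_USER and password == HARDCODED_PASS


# --- Hardened: generate the secret on the device at provisioning time, keep only a salted
# hash, compare in constant time. Nothing secret is present in the shipped image.
Store = Dict[str, Tuple[bytes, bytes]]   # user -> (salt, PBKDF2 digest)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def provision_service_account(user: str) -> Tuple[str, Store]:
    """Returns the one-time plaintext (shown to the administrator once) and the on-device store."""
    password = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    return password, {user: (salt, _derive(password, salt))}


_DUMMY_SALT = os.urandom(16)


def check_login_hardened(store: Store, user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        _derive(password, _DUMMY_SALT)   # spend the same time as a real check so timing does not reveal valid usernames
        return False
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


if __name__ == "__main__":
    pw, store = provision_service_account("backupsvc")
    print("hard-coded, known to everyone:", check_login_hardcoded("backupsvc", HARDCODED_PASS))
    print("per-device, right password:   ", check_login_hardened(store, "backupsvc", pw))
    print("per-device, wrong password:   ", check_login_hardened(store, "backupsvc", "guess"))
```

Even with the hardened pattern, the service account should be unreachable from the Internet and reviewed for use; the update closes the shared secret, not the exposure.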

Internet Storm Center Tech Corner

Pulse Secure VPN 0-Day Exploited

https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/


SonicWall Vulnerabilities

https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/


Synology Vulnerability

https://blog.talosintelligence.com/2021/04/vuln-spotlight-synology-dsm.html


Air Fryer Vulnerability

https://blog.talosintelligence.com/2021/04/vuln-spotlight-co.html


Linux Kernel Maintainer Calls Out "hypocrite commits" by University of Minnesota

https://lore.kernel.org/lkml/20210421130105.1226686-38-gregkh@linuxfoundation.org/

https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf


QNAP QLocker uses 7-Zip

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/


Chrome 0-Day Fixed

https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html