Biden Executive Order on Supply Chain Security; Google Nudging Users Towards 2FA; Patch Your Exim Servers Now; Vulnerable Dell Firmware Update Driver is in Wide Use

The US goverment using its buying power to drive higher standards in cybersecurity is a good thing, but it can’t be just be more maturity model/process certification paperwork requirements. Actual security testing of products and services needs to be part of the mandates. Also, the idea of a “Cyber NTSB” (first raised by Steve Bellovin many years ago, and more recently by Bellovin and Adam Shostack) is a really vital initiative that needs to come from the federal level to be effective.

John Pescatore

Good step in the right direction, one that does not require legislation. That said, we need to hold accountable suppliers who distribute malicious code, including “back doors.” This may require legislation.

William Hugh Murray

I’d like to see that “eventually” replaced with “next month” and see Google replaced with “Google, Microsoft, Facebook, Paypal…). Once again I will point to Microsoft’s research that replacing reusable passwords with simple (not perfect) 2FA like text messages to mobile phones is effective against 99.9% of phishing attacks and phishing the is the front end of the majority of successful breaches and ransomware incidents. Oh, and 90% of your board members are using 2FA at home on their personal devices and financial accounts.

John Pescatore

Even better would be 2FA on by default, only disabled by exception. Make sure that all your accounts, not just Google, have 2FA enabled wherever possible. While you’re looking at the account, check for application passwords or trusted/logged in devices to make sure that they are current and still needed. Look for the trust relationship for that laptop you gave to your neighbor/co-worker/etc. or that smartphone you traded in last year.

Lee Neely

Google has been a great champion of popularizing 2FA and developing usable solutions for end users. This work has been supported by data that shows that 2FA is preventing almost all phishing attacks. If Google can do it with its vast and diverse user base, so can you.

Johannes Ullrich

Given that people’s email accounts tend to be the nucleus for all their other online identities, this is a very welcome move and great to see someone like Google normalize security measures such as 2FA.

Brian Honan

Fraudulent password reuse is involved in many, not to say most, breaches. Google's offering of strong authentication to its users is a model for others. It offers sufficient choices to users to achieve effective security with a minimum of inconvenience. Its use by default is a step in the right direction. Strong authentication within the enterprise should, by now, be the default. One might really like to know what the voluntary adoption of Google's strong authentication has been. While it might justify the pervasive belief that "strong authentication is too hard," it just might prove that the opposite is true.

William Hugh Murray

Some of these vulnerabilities go back to the original versions of Exim from 2004, so don’t assume the flaws are only for the newer versions you have deployed – update all of them. The Qualys Security Advisory (includes not only the technical details but also PoC code, which means you need to patch any externally facing Exim servers right away. Don’t forget to update the rest of your Exim installations. Take advantage of the Security Advisory information to learn how the exploit works and verify the updated version is not susceptible on a test or lab system.

Lee Neely

Exim had similarly severe vulnerabilities about two years ago. What followed was a large wave of exploits against Exim servers by anybody who knew how to spell "EHLO". It took about a month for an easy to use exploit to arrive. In short: You need to patch now if you run Exim (many Linux systems use it).

Johannes Ullrich

This flaw is "only" a privilege escalation vulnerability. But given the wide use of the utility, and its ability to modify firmware, it may become an interesting conduit to install more persistent back doors. Patch as you get around to it. The challenge will be to find all the instances of these drivers.

Johannes Ullrich

The list of impacted systems from Dell is long and comprehensive, and may suck all the joy out of the room. Note that on May 10th, the Dell notification solutions can be leveraged for automated deployment of the update when installed, even non-enterprise customers will be notified of the available update. https://www.dell.com/support/contents/en-us/article/product-support/self-support-knowledgebase/software-and-downloads/download-center/drivers-and-downloads/notifications

Lee Neely

Given the state of the world’s current political climate I would hope that this review will not be confined to just Russian interests.

Brian Honan

There will always be a geopolitical aspect to supply chain risk assessments, but just as all businesses learned early on that geo-blocking by country domains was rarely a workable solution, political decisions that do the same thing will have very little impact on the actual security level of products and services in company supply chains.

John Pescatore

Given the number of participants in the supply chain, this will be a daunting task. Nor is it clear that identifying and eliminating weak links in advance is an efficient way to strengthen the chain.

William Hugh Murray

Several lessons here. The institute lost a week’s worth of data because their backups weren’t updating as expected. The malware was able to obtain access to the school’s network as remote services used reusable credentials. Make sure that remote connections include a host posture check before completing the connection, particularly if you permit access by non-enterprise devices. Require updated active endpoint protection. Consider carefully options of providing regular or discounted licenses for home use versions of enterprise software. Be prepared for human error, not just direct attacks.

Lee Neely

I would encourage everyone to read the Sophos report. It is a great case study as to how many organisations are at risk as a result of COVID19 forcing people to work remotely, and in particular working from their own personal devices. Read the report and check to see if you have the appropriate controls in place to prevent your organization becoming a victim of a breach related to use of personal devices.

Brian Honan

Ineffective supervision of novices is a fundamental problem of WFH. Consider teaming of novices with experienced people to achieve something like one-on-one supervision. Both halves of the team will benefit.

William Hugh Murray

Do you have a contingency plan for operations if you, or your key services, are subject to a DDoS attack? And have you communicated that to users/customers? With the current remote work environment, in-person work-arounds are tricky and may not succeed. You likely have some ready work-arounds in place. How often have you, like me, rolled your eyes at the list of numbers for dialing into a VTC and clicked use computer audio? Or setup a meeting without a dial-in number? Those may still be working in this scenario. Do you have updated phone trees? Do they include customer incident response organizations?

Lee Neely

Give AR21-126B to your SOC to incorporate the IoCs into their SIEM/SOAR products. You should both read AR21-126A for interesting analysis of the parts and pieces of this attack and review the mitigations – including decommissioning unused remote access devices, limiting the software users can install, enabling host based firewalls, and keeping things patched with updated active endpoint protection services.

Lee Neely

The continued success of extortion attacks demonstrates the vulnerability of the cyber infrastructure. While indicators of compromise are valuable, we need less emphasis on tools and attacks, more on prevention and resilience.

William Hugh Murray

To date, over 29,000 vulnerabilities were reported on the previously in-scope systems; over 70% were determined to be valid. This number is expected to be much larger with the increased scope. In 2020, CISA directed all executive branch agencies to develop their own vulnerability disclosure programs. The Defense Department partnered with HackerOne to develop this program and has spent the last four years maturing it. Other agency programs may not be as well managed and may have a much smaller scope. Before researching a site, be sure that you have found and follow the rules of engagement and reporting processes.

Lee Neely

Well-managed bug bounty programs continue to show very positive results but a key point: “well-managed” means not just a well-managed vulnerability finding/reward process, but also a well-managed process to rapidly fix the verified vulnerabilities and improving the dev process to make sure that same flaws don’t just reappear in the next version.

John Pescatore

One continues to be concerned about "lone-wolf" "researchers. Participants in these programs should be identified in advance and work under supervision or in teams. We must be careful not to legitimize rogue hacking in the name of security.

William Hugh Murray

The SQL injection was enabled by failing to use prepared SQL statements. WordPress includes a function $wpdb-prepare() which will do this for you and encourages all developers with plugins which include database access to use it. If you’re a plugin developer, make sure that you are using it. The updated plugin was released March 10th; make sure your copy is updated. Wordfence firewall rules were released to the paid version March 4th, and to the free version April 3rd.

Lee Neely

It should be clear by now that WordPress Plug-in quality is a risk. They should be installed only by design and intent, only where clearly indicated, and never by default. Once installed they must be actively managed.

William Hugh Murray