Online Flash Card Apps Expose Nuclear Weapons Secrets; FBI Can Share Data with Have I Been Pwned; Critical Fixes from HPE, SonicWall and Siemens

"Shadow IT" at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everybody with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids "gaming rig" for work because the company-provided laptop is too slow.

Johannes Ullrich

This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.

Lee Neely

Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.

John Pescatore

When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.

William Hugh Murray

Have I Been Pwned is a great effort that has struggled to find appropriate funding. Troy Hunt has avoided the easy solution of selling out to a security vendor. This sounds like a great way to support this effort.

Johannes Ullrich

Have I Been Pwned has been powering other services for a while and is very useful as a retroactive password change reminder warning. But top priority should be in reducing the use of reusable passwords. Fixing the source of the leak is much better than getting faster at constantly mopping up.

John Pescatore

This year marks thirty-five since Ken Weiss invented SecurID and in which I have been discouraging “exclusive reliance upon passwords.” Convenience continues to trump security. Passwords can be made resistant to dictionary, fuzzing, and even brute force attacks, but they are fundamentally vulnerable to replay and reuse.

William Hugh Murray

This hotfix replaces the prior workaround where you had to disable “Federated Search” and “Federated CMS Configuration.” Note that hotfixes were also released for the Linux and HP-UX versions of the HPE SIM version 7.6.

Lee Neely

This advisory was originally released in December. Later, HP upgraded it to a “no authentication required” remote code execution. Now we finally have a patch. Apply it.

Johannes Ullrich

Make sure that management services are accessible only to authorized devices. Enable multi-factor authentication where supported and verify there are no end-arounds/shortcuts which could bypass your protections.

Lee Neely

Luckily, this vulnerability requires valid user credentials to exploit. You may finish your coffee this morning before patching this one.

Johannes Ullrich

Your PLCs should already be isolated as they don’t respond well to malformed or unexpected traffic. Additionally, apply the mitigations in the Siemens bulletin, including using passwords on S7 communication, limiting or blocking remote client connections, and enabling TLS, and apply the defense in depth measures in the Siemens Operational Guidelines for Industrial Security. https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf

Lee Neely

Firmware updates are a very expensive remedy for devices that are priced in the tens of dollars and employed in the millions.

William Hugh Murray

This allows two processes to access the EL0 register – which is only 2 bits wide for communication – and should be used as a reminder that all chips have flaws, not as a reason to panic. Use this as a chance to verify sure your services for M1 devices, including endpoint protection, patching and OS security configuration are enabled and working; adjust if needed.

Lee Neely

A flashy logo/name/website has always been helpful to "sell" a vulnerability. The ability to covertly send messages between two cooperating processes exists in pretty much all PCs (a mock "PoC" was released in response to M1RACLE showing how one processing may modulate CPU load to send messages to other processes). It is also a long going issues in our industry that we focus on the new and shiny instead on the boring but necessary. Remember: Security is working best if it is boring, routine, and doesn't feel like firefighting. The most important stories in this NewsBites (HPE flaw and Sonicwall vulnerability) will probably not make it into the "Top News" (... well ... maybe now they will :) ) .

Johannes Ullrich

Kudos to Hector on this one. Instead of using FUD to draw attention to his finding, he was transparent and honest about its overall impact. Unfortunately, in our community sometimes researchers over dramatize their findings, causing more harm than good.

Lance Spitzner

This is a growing trend we are going to see over the coming years: one business unit is infected in one country, which then infects all the other business units of the same company globally. However, these incidents are also impacting people’s daily lives, such as when hospital networks go down, gas lines can’t transfer gas, or in this case companies cannot process food. As the world has become so interconnected and interdependent, the impact of these events will only increase.

Lance Spitzner

I think unpatched VPN servers are much, much higher up in risk level for government telework, but the smart speaker vendors have not made it easy to prevent (or allow automated deletion) of audio recordings that are tagged “audio not intended for this device” but were saved anyway.

John Pescatore

Think about the activities performed in your remote workspace. What conversations are happening, what is in view of your camera, what’s on your desk, what can be seen through the door or windows? Ask yourself not just who but what is listening. Smart assistants, while they don’t respond until they hear their wake word, are still listening. Consider muting the mic if you don’t wish to remove or turn it off. Remember also that open windows or doors, using speakers and speakerphones versus headsets are ways sensitive business information can be inadvertently shared. Have a clean desk policy for the remote workspace.

Lee Neely

This is another example of a policy that sounds good at HQ, but when it hits reality most likely causes more harm than good (kind of like password expiration). How can people follow this policy? First, most people don’t even know all the IoT devices they have. Your coffee pot or light bulbs are often IoT. Even if you do know what devices you have, how can you possibly determine which ones have microphones or go about turning devices off / on every time you have a call? About the only way a remote worker could follow this policy if they created their own isolated, tech free room (aka SCIF) in their house, which is probably a better option if sensitive information is to be discussed.

Lance Spitzner

“Strong cyber hygiene” is good advice but removing Internet of Things devices is over the top. All ‘things’ are not the same. As I sit in my work area, I cannot even identify, much less remove, all the smart appliances that I rely upon, including some that I rely upon for personal safety. (“Alexa, (‘I have fallen and I can't get up.’) Call 911.”) One can eliminate all cyber risk simply by removing all computers but that is not practical advice. Some, e.g., classified, work should not be done in personal work areas.

William Hugh Murray