SANS NewsBites

Online Flash Card Apps Expose Nuclear Weapons Secrets; FBI Can Share Data with Have I Been Pwned; Critical Fixes from HPE, SonicWall and Siemens

June 1, 2021  |  Volume XXIII - Issue #43

Top of the News


2021-05-28

Digital Flash Card Apps Exposed US Nuclear Weapons Secrets

Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.

Editor's Note

"Shadow IT" at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everywhere, with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids' "gaming rig" for work because the company-provided laptop is too slow.

Johannes Ullrich

This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.

Lee Neely

Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.

John Pescatore

When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.

William Hugh Murray

2021-05-28

Have I Been Pwned Open Sources Code Base and Will Receive Data from FBI

Last week, Have I Been Pwned (HIBP) founder Troy Hunt announced that the HIBP code base is now open source through the .NET Foundation. Hunt also announced that HIBP will provide the FBI with a means to share with HIBP lists of compromised passwords obtained in the course of investigations.

Editor's Note

Have I Been Pwned is a great effort that has struggled to find appropriate funding. Troy Hunt has avoided the easy solution of selling out to a security vendor. This sounds like a great way to support this effort.

Johannes Ullrich

Have I Been Pwned has been powering other services for a while and is very useful as a retroactive password change reminder warning. But top priority should be in reducing the use of reusable passwords. Fixing the source of the leak is much better than getting faster at constantly mopping up.

John Pescatore

This year marks thirty-five years since Ken Weiss invented SecurID, and during which I have been discouraging “exclusive reliance upon passwords.” Convenience continues to trump security. Passwords can be made resistant to dictionary, fuzzing, and even brute force attacks, but they are fundamentally vulnerable to replay and reuse.

William Hugh Murray

2021-05-28

Fix Available for Critical Flaw in HPE SIM

Hewlett Packard Enterprise (HPE) has released an update to address a critical vulnerability in its Systems Insight Manager (SIM) software. The flaw was initially disclosed in December 2020; it arises from “a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.” The flaw could be exploited to allow attackers with no privileges to execute code remotely. The flaw affects HPE SIM versions 7.6.x for Windows only.

Editor's Note

This hotfix replaces the prior workaround where you had to disable “Federated Search” and “Federated CMS Configuration.” Note that hotfixes were also released for the Linux and HP-UX versions of the HPE SIM version 7.6.

Lee Neely

This advisory was originally released in December. Later, HP upgraded it to a “no authentication required” remote code execution. Now we finally have a patch. Apply it.

Johannes Ullrich

2021-05-28

SonicWall Offers Fix for Flaw in On-Premises Version of NSM

SonicWall has released updates to address “a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM).” Users are urged to upgrade to the patched versions, NSM 2.2.1-R6 and NSM 2.2.1-R6 (Enhanced), as soon as possible. The issue does not affect software-as-a-service (SaaS) versions of NSM.

Editor's Note

Make sure that management services are accessible only to authorized devices. Enable multi-factor authentication where supported and verify there are no end-arounds/shortcuts which could bypass your protections.

Lee Neely

Luckily, this vulnerability requires valid user credentials to exploit. You may finish your coffee this morning before patching this one.

Johannes Ullrich

2021-05-31

Siemens Offers Fix for Flaw in Programmable Logic Controllers

Siemens has released a firmware update to address a severe memory protection bypass vulnerability in its SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs). Researchers at Claroty detected the flaw and notified Siemens, who released updates on May 28.

Editor's Note

Your PLCs should already be isolated as they don’t respond well to malformed or unexpected traffic. Additionally, apply the mitigations in the Siemens bulletin, including using passwords on S7 communication, limiting or blocking remote client connections, and enabling TLS, and apply the defense in depth measures in the Siemens Operational Guidelines for Industrial Security. https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf

Lee Neely

Firmware updates are a very expensive remedy for devices that are priced in the tens of dollars and employed in the millions.

William Hugh Murray

The Rest of the Week's News


2021-05-28

The Apple M1 Chip Vulnerability and the Business of Bug Disclosure

Last week, Hector Martin disclosed a vulnerability in Apple’s M1 chip that “allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features.” The flaw is “baked in” to the chip, which means it cannot be fixed or patched. While the vulnerability is interesting, Martin notes that “nobody's going to actually find a nefarious use for this flaw in practical circumstances.” He also writes that he created the website for the flaw, which he dubbed M1RACLES, to “poke fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn't mean you need to care.”

Editor's Note

This allows two processes to access the EL0 register – which is only 2 bits wide for communication – and should be used as a reminder that all chips have flaws, not as a reason to panic. Use this as a chance to verify that your services for M1 devices, including endpoint protection, patching and OS security configuration, are enabled and working; adjust if needed.

Lee Neely

A flashy logo/name/website has always been helpful to "sell" a vulnerability. The ability to covertly send messages between two cooperating processes exists in pretty much all PCs (a mock "PoC" was released in response to M1RACLES showing how one process may modulate CPU load to send messages to other processes). It is also a long-standing issue in our industry that we focus on the new and shiny instead of the boring but necessary. Remember: Security works best if it is boring, routine, and doesn't feel like firefighting. The most important stories in this NewsBites (the HPE flaw and the SonicWall vulnerability) will probably not make it into the "Top News" (... well ... maybe now they will :) ).

Johannes Ullrich

Kudos to Hector on this one. Instead of using FUD to draw attention to his finding, he was transparent and honest about its overall impact. Unfortunately, in our community researchers sometimes over-dramatize their findings, causing more harm than good.

Lance Spitzner

2021-06-01

Food Processing Giant JBS Hit with Cyberattack

São Paulo-based food processing company JBS has shut down production at several facilities around the world following a cyberattack. Computer networks in Australia, Canada, and the US were affected.

Editor's Note

This is a growing trend we are going to see over the coming years: one business unit is infected in one country, which then infects all the other business units of the same company globally. However, these incidents are also impacting people’s daily lives, such as when hospital networks go down, gas lines can’t transfer gas, or in this case companies cannot process food. As the world has become so interconnected and interdependent, the impact of these events will only increase.

Lance Spitzner

2021-05-31

Swedish Infectious Diseases Database Temporarily Taken Down After Attempted Intrusions

Sweden’s Public Health Agency (Folkhälsomyndigheten) temporarily took its infectious diseases database offline after detecting several attempted intrusions. The database, which is known as SmiNet, is also used to store information about COVID-19 infections. The database is once again operational; Folkhälsomyndigheten writes that “to further increase security, some adjustments have been made, which means certain restrictions when it comes to reporting data.”


2021-05-27

US Army Requires Remote Workers to Remove IoT Devices from Workspace

In a May 25 memo calling for “teleworkers [to] incorporate strong cyber hygiene practices in their daily telework routine,” the US Army wrote that it is requiring all remote workers to remove Internet of Things (IoT) devices (any device with a listening function) from their work areas. The requirement applies to military and civilian employees and contractors.

Editor's Note

I think unpatched VPN servers are much, much higher up in risk level for government telework, but the smart speaker vendors have not made it easy to prevent (or allow automated deletion) of audio recordings that are tagged “audio not intended for this device” but were saved anyway.

John Pescatore

Think about the activities performed in your remote workspace. What conversations are happening, what is in view of your camera, what’s on your desk, what can be seen through the door or windows? Ask yourself not just who but what is listening. Smart assistants, while they don’t respond until they hear their wake word, are still listening. Consider muting the mic if you don’t wish to remove or turn it off. Remember also that open windows or doors, using speakers and speakerphones versus headsets are ways sensitive business information can be inadvertently shared. Have a clean desk policy for the remote workspace.

Lee Neely

This is another example of a policy that sounds good at HQ, but when it hits reality most likely causes more harm than good (kind of like password expiration). How can people follow this policy? First, most people don’t even know all the IoT devices they have. Your coffee pot or light bulbs are often IoT. Even if you do know what devices you have, how can you possibly determine which ones have microphones, or go about turning devices off/on every time you have a call? About the only way a remote worker could follow this policy is if they created their own isolated, tech-free room (aka SCIF) in their house, which is probably a better option if sensitive information is to be discussed.

Lance Spitzner

“Strong cyber hygiene” is good advice but removing Internet of Things devices is over the top. All ‘things’ are not the same. As I sit in my work area, I cannot even identify, much less remove, all the smart appliances that I rely upon, including some that I rely upon for personal safety. (“Alexa, (‘I have fallen and I can't get up.’) Call 911.”) One can eliminate all cyber risk simply by removing all computers but that is not practical advice. Some, e.g., classified, work should not be done in personal work areas.

William Hugh Murray

Internet Storm Center Tech Corner