Electricity ISAC Sharing Tools; Ghost Remote Access Credentials Enable Water System Attack; Google Silently Pushing out Android COVID Contact Tracing App

Great news. Information sharing is one of the most powerful and underused tools to secure organizations. Finding the right balance between sharing and anonymizing data is tricky. I hope we will hear more about this tool and any lessons learned from it.

Johannes Ullrich

Having indicators from peers helps provide relevant actionable data to be better prepared for an incident. Anonymizing the data will help with reputation risk, but it is important to know what anonymizing means and who is processing your data. In this case passive sensors are providing metadata to Neighborhood Keeper to provide distributed alerts, and requests for assistance from other ISAC members are also encrypted and allow for private communication with temporary identification options to permit assistance without revealing specifics.

Lee Neely

This is a fantastic example of community and government working together. It won’t solve all our problems in the utility space, but it is a good start. Kudos to both DoE and Dragos for leading this initiative.

Lance Spitzner

It’s incredibly important to disable departing employee’s accounts immediately, particularly if they can be used for remote access to services. Further, RDP services such as TeamViewer need to require multi-factor access as well as follow the vendor secure configuration guidelines. Verify these settings remain in place, only current users have access and no access is configured which can bypass those settings.

Lee Neely

It is often a manual process for smaller organizations to remove access when an employee leaves. Another advantage of a two-factor authentication approach (which should have been required for TeamViewer remote access) is the ability to revoke the credential in one action and simplify dealing with broad removal of access.

John Pescatore

One more instance in which strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) would have been helpful. Management has always been better at getting terminated employees off the payroll than in revoking online privileges. That problem is complicated by the modern economy where often as many as half of those with privileges are consultants, contractors, temporary, and part-time workers.

William Hugh Murray

Exposure notification services are built-in to Android and iOS devices, and can be enabled, configured or disabled by the end user without the use of an explicit application. Even so, some regions are distributing notification applications to streamline the process. This install is not a full install of the MassNotify application per-se; users will see “Settings -> Google -> COVID-19 Exposure Notifications” which can be removed by uninstalling “Massachusetts Department of Health.”

Lee Neely

I am in favor of COVID contact tracing apps, and Google did a good job implementing them. But in the end, this is a question of trust. Google is not a trusted entity when it comes to how they collect and use personal data. Having them push out an application without user consent casts the Google data-collection machine shadow on this project.

Johannes Ullrich

Public health services have been actively engaged in contact tracing for more than one hundred years. It has been effective in all but eliminating some diseases and has ensured timely treatment for millions. This tracing has been so successful in protecting privacy that most people do not even know that it exists. Technology holds the promise to make it even more timely and comprehensive. Let us not become so fearful that we forego this opportunity.

William Hugh Murray

There are many more cases where export controls around cryptography resulted in unsecure systems and technology being built – unfortunately during the formative years of the internet/World Wide Web infrastructure. The over-reliance on SSL and the still extremely low implementation levels of persistent data encryption are direct results. Societally (and within enterprises) the overall benefits of strong protections on data overall outweighs the negative impact of law enforcement/security monitoring warrant-free visibility into the data.

John Pescatore

While GEA-1 was used in 2G networks, and the weakness is not present in the current GEA-3 and GEA-4 algorithms, some GPRS networks still have GEA-1 fallback, and phones as recently as 2018 still supported the GEA-1 and GEA-2 algorithms. Risks of fallback can be minimized by using devices which don’t include radios which support GPRS fallback, typically newer than 2019, or if supported, configure for 5G/LTE only.

Lee Neely

Not only do government mandated backdoors not provide much value, they tend to weaken security for future generations of devices that need to stay backward compatible.

Johannes Ullrich

Governments have long resisted air-side encryption. (In the US during WWII it was illegal) This is not the first time that air-side encryption in mobile telephone service has been deliberately compromised. While such encryption may not protect the conversations of targets of choice of nation states, mostly “persons of interest” in criminal investigations, it does offer some protection against large scale surveillance and protects targets of opportunity from organized crime.

William Hugh Murray

Most water utilities are run by small local governments. They have the same disadvantages of small businesses in the commercial sector, compounded by the complexities of local funding issues. The most glaring controls needs are very much in line with the essential security hygiene levels (Implementation Group 1) of the CIS Critical Security controls, but most respondents indicated a lack of the trained cybersecurity staff. Any funding for infrastructure improvements should target some funding for this area.

John Pescatore

While the MEGA storage service has closed their account, the Ragnar operators still have the data and will find another location to distribute it. This raises the concerns about where your exfiltrated data could be located and who has copies, despite assurances from the operators it will be deleted upon receipt of payment. It may be simpler to operate on a model that exfiltrated data has been released publicly and to build your response plan from there.

Lee Neely

Ransomware is nothing more than malware; what makes it so effective is how criminals monetize the infections. Originally, monetization was via targeting availability, but criminals then added the impact of exposing confidentiality, as they did here. Depending on your industry, one of these two is bound to have a significant impact to your organization, thus the rise in payments.

Lance Spitzner

While ransomware requires the total compromise of a network, it begins with a breach. A breach is a breach is a breach. If one is breached, then extortion is only one of the bad things that may result. Resist breaches and detect them early, i.e., hours to days. Recovery may be too late and ineffective.

William Hugh Murray

There have been a wave of VPN vulnerabilities and attacks, notably impacting Pulse Secure, SonicWall, Fortinet FortiOS and Citrix. Make sure that your VPN has been updated and configured to current security baselines. Ensure no users can bypass multi-factor authentication and that any old VPN services were fully decommissioned, rather than left running “just in case.”

Lee Neely

An interesting old format string vulnerability. Luckily, the risk from this problem is minimal. A victim has to join a very "odd" looking WiFi network. I doubt a lot of people will fall for that. Still, it may be a good idea to look out for pranks involving this SSID. To recover, you will need to reset your network settings which may erase some stored credentials for other networks.

Johannes Ullrich

Use caution joining a wireless network that has a name which looks like a format statement. (E.g., %p%s%s%s%s%n) While legal, that SSID may not be a network designed for general use. Recovery involves resetting your device network settings – which means all the stored wireless networks are forgotten and you will need to join them again. It’s not a bad idea to do this from time to time so your device is only searching for currently used preferred networks.

Lee Neely