US Government Agencies Required to Standardize Vulnerability Disclosure Programs; US Prosecutor eMail Accounts Breached via Solar Winds Compromise; Android Malware Uses Virtual Network Computing to Steal Data; Ship Location System Easily Spoofed

Agencies have until September 2, 2022 to have all internet accessible systems in scope. Policies and contacts had to be published within 180 days, and after 180 days any new internet-accessible systems were automatically in scope. Identification of existing systems in scope was required 270 days from the issuance of BOD 20-01, June 1, 2021, with additional systems required every 90 days until all internet accessible systems are listed as in scope. The challenge is developing procedures to track, coordinate and resolve reported issues, which may impact federal incident reporting activities. The BOD provides references and resources needed to develop a VDP. Before you go testing an agency’s system, check their web site under /vulnerability-disclosure-policy to see what is permitted/in-scope.

Lee Neely

Back in 2017 the US Department of Justice put out a solid framework for Vulnerability Disclosure Programs – good to see CISA making standard VDPs a requirement across federal systems. They now provide a template complying with this BOD. One nit: while the BOD does require the policy to be published at a standard URL across government systems, it is *not* an easy to guess URL. I’d like to see requirements that all federal home pages include a visible link to vulnerability reporting information.

John Pescatore

We knew the fallout from the SolarWinds compromise was going to be bad, but this points out how really, really bad the damage has been. In the SANS 2021 New Attacks and Threat report, SANS Fellow and instructor Ed Skoudis detailed the key mitigation needs to minimize damage from what he called “Software Integrity Attacks.” Details at https://www.sans.org/webcasts/2021-report-top-attacks-threat-report-118445/

John Pescatore

Review administrator access to your cloud services. Make sure that service administrators use a separate account to manage the service versus accessing it as an end-user. Require multi-factor authentication on all accounts, especially administrators. Additionally, if you have “break-glass” or other administrator accounts which are single factor, secure those passwords, and monitor their use closely to detect abuse.

Lee Neely

Malware allowing interactive control over a particular mobile device has been used for more sophisticated social engineering attacks. An attacker, while on the phone with a victim, is able to manipulate the screen to for example affect the user’s session as they log into their legitimate online banking website.

Johannes Ullrich

Unlike prior malware which used an HTML overlay to capture credentials, the “Vultur” RAT uses VNC to capture keystrokes and record screens, removing the need to create custom overlays and the effort required to install them. It does leverage an overlay to trick the user into granting permission. The malicious apps have been removed from the play store and play protect will remove them from affected devices. Even so, use caution when granting app permissions, and only install apps from well-known developers in the legitimate app store. (Google Play, or your corporate app catalog)

Lee Neely

The app stores are intended to distribute. They are "suppliers," but of code developed by others. While they have distributed malicious apps, they have done a pretty good job of detecting and eliminating them. Users should limit downloads to code that they are sure they are going to use. In deciding whether to download, they should look beyond the stores to the developers.

William Hugh Murray

The maritime AIS system is set up like the ADS-B system used for aviation. The signals are not encrypted as they are intended to be seen by everybody in the vicinity of the vessel. Theoretically, it would be possible to digitally sign the signals, but that would require a global key infrastructure. Spoofed AIS signals have frequently been observed in areas where boats attempt to conceal illegal activity. This can be dangerous if a ship conceals or alters its location.

Johannes Ullrich

In times of tension or war, military ships would not be using AIS location data. Vessels use on-board systems for safety, such as collision avoidance. Even so, AIS data is aggregated for search and rescue, cargo tracking, environmental crimes and sanction violations, it is for these purposes that inaccurate data is a concern. Some AIS inaccuracies can be mitigated by comparing with satellite imagery.

Lee Neely

Regardless of what marketing says, not every threat can be emulated during a red team or pentest engagement. Tabletop exercises and cyber ranges can be good complements, helping organizations understand their larger risk profile.

Christopher Elgee

If you have an affected system, until updated firmware can be deployed, follow the mitigations in the Armis PwnedPiper report including blocking Telnet (port 23) on Translogic PTS stations, implement segmentation or other access controls to limit PTS components to only communicate with the Translogic central server (SCC) and deploy the provided Snort IDS rules to detect attempted exploits.

Lee Neely

At core here is the use of personalization practices which tailor advertising related to a web service such as Amazon. If you’re providing a service that is personalized based on user activities, work closely with your legal team to not run afoul of GDPR or similar privacy legislation.

Lee Neely

That is almost a 3% hit on Amazon’s CY 2020 profits – or almost all the profit they made from the sales across the annual “Prime Day” event. To paraphrase an old saying: “A billion here, a billion here adds up to *real* money – protecting users privacy rights can meaningfully increase profit margins.”

John Pescatore

In addition to imposing the fine, the regulators mandated procedural changes. It should be noted that Amazon claims that the findings are "without merit" and says that it will appeal. What is significant is that "the game is afoot."

William Hugh Murray

Understand the legislative controls regarding access to data you safeguard on behalf of others. Ensure that data you’ve collected for an identified purpose is only used as intended, particularly HIPAA and PII data which are provided with specifically identified consent or purpose. If you’re in a bind where a legal mandate is asking for access to your data, make sure that you’ve consulted with both your regulator and legal team before releasing it.

Lee Neely

The temptation for the police to abuse and misuse any data held by government is all but irresistible. In the US we have been doing contact tracing for more than 100 years with few reported cases of abuse. However, the potential for abuse interferes with the legitimate purpose of the data. People do not need much of an excuse not to cooperate.

William Hugh Murray

Isolate the vulnerable applications of e-mail and browsing from mission critical applications and sensitive data.

William Hugh Murray