SANS NewsBites

Android Permissions Auto Reset Will Work Back to Android 6; NIST Workshop on IoT Security Labelling Approach; FERC Seeks Input on Ways to Decrease Workload Caused by CIP Reporting

September 21, 2021  |  Volume XXIII - Issue #74

Top of the News


2021-09-20

Google is Expanding Android Permissions Auto-Reset to Millions of Devices

Android’s permission auto-reset feature automatically resets apps’ runtime permissions after they have not been used for several months. The feature was introduced in Android 11, which was released a year ago. Google says it plans to expand availability of the feature to devices running Android 6 and above starting in December 2021.

Editor's Note

Android is providing users with a relatively fine-grained system to assign permissions to applications. But these permissions are often confusing, and consumers often do not understand why an application needs certain permissions or how they could be abused. The result is that consumers will often just click "ok". Resetting the permissions is an interesting and maybe a bit radical approach to force users to "Start over". Let’s hope this doesn't lead to a flood of popup messages as applications are asking to have their permissions back.

Johannes Ullrich

Notice there haven’t been many stories of negative user experiences since Google rolled this out in Android 11. Imagine if the Windows operating system had more “reset to least privilege access” features baked in.

John Pescatore

This is a good measure as we continue to run into issues with over-permissioned applications. Additionally, review your installed applications, uninstalling those you are not, or no longer, using. If you created accounts for those applications, be sure to also close those out.

Lee Neely

2021-09-17

NIST IoT Cybersecurity Labeling

The US National Institute of Standards and Technology (NIST) held the “Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software” last week. The Biden administration’s National Cybersecurity Executive Order mandates a labeling program for devices and applications that will provide information for consumers and small businesses to help them make decisions about technology purchases.

Editor's Note

A number of countries have put forward labeling schemes like this. It is the goal of these programs to make it easy for consumers to make informed decisions about the security features of a particular device. Akin to a nutrition label or restaurant health inspection grades, the information should be easy to comprehend and will hopefully lead to companies proactively improving the security of their devices to obtain a better rating. But to work, a significant number of manufacturers need to participate.

Johannes Ullrich

I think it took the FDA about 20 years to go from the original push for nutrition labels for food to get to the point where testing of products could be done in standard manners by industry and audited to some level by the FDA. Labeling schemes without defined testing requirements are useless.

John Pescatore

There has been legislation proposed to require federal agencies to purchase IoT devices which meet security standards. Labelling needs to not only indicate the standards met, but also include information on verification. The current plan allows companies to self-attest to their security to expedite the process. Without independent verification against published standards, you cannot be sure the level of security is where you need it to be. Trust but verify.

Lee Neely

2021-09-17

FERC Wants Input on Updating Energy Utility Cybersecurity Requirements

The US Federal Energy Regulatory Commission (FERC) is seeking input regarding existing security requirements for companies that supply bulk electrical systems. The standards and requirements have existed for more than a decade. FERC is accepting public input through October 14, 2021.

Editor's Note

Comments are being solicited around the cost/benefit of the CIP Reliability Standards reporting requirements, not on the security requirements themselves. In 2018 and 2019 FERC expanded incident reporting requirements, on top of previous reporting and documentation requirements. Good opportunity for the industry to suggest ways to streamline the reporting flow to reduce the time spent.

John Pescatore

The Rest of the Week's News


2021-09-18

Ransomware Vulnerabilities List

Researchers have begun compiling a list of vulnerabilities commonly exploited by different strains of ransomware to gain initial access to systems. The vulnerabilities are broken down by vendor and enumerated by their CVE IDs.

Editor's Note

A core part of the message here is that unmitigated or unpatched vulnerabilities are key to successful ransomware attacks. Leverage the CISA ransomware self-assessment security audit tool (released in June) as well as the information on response and prevention on the stopransomware.gov site to make sure that you’re well positioned for a ransomware attack.

Lee Neely

Patch management is a prevention goal, especially for vulnerabilities being exploited in the wild. Unfortunately, 0-days will not have patches and the ability to detect and respond to the inevitable breach is now a requirement for all organizations.

Jorge Orchilles

2021-09-20

Ransomware Attack Hits Iowa Farmers’ Co-op

An Iowa-based farmers’ cooperative has acknowledged that its network was the victim of a ransomware attack. New Cooperative, Inc. has taken its “systems offline to contain the threat.” The attack occurred late last week; the ransomware operators are reportedly demanding a $5.9 million payment. New Cooperative is finding alternate methods of ensuring that feed gets to animals. One source said that if the incident is not mitigated quickly, it could result in a “disruption in the grain, pork and chicken supply chain.”

Editor's Note

Earlier this year Biden asked Russia to steer clear of 16 critical sectors of the U.S. Economy. Among those is “food and agriculture.” The BlackMatter group, which is behind the Iowa attack, is claiming that the volume of production from their victims doesn’t meet the definition of critical. While ransomware groups may have their own code of “ethics” regarding what is and is not “off-limits,” don’t assume they are on the same page. Operate on a model that everything is fair game and protect your systems accordingly.

Lee Neely

Poke a nation in the eye enough times, and your fortunes might just change... “Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’ But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.” -GEN Paul Nakasone, Director of NSA and commander, USCYBERCOM

Christopher Elgee

2021-09-17

TTEC Discloses Ransomware Attack

Customer support and sales management company TTEC has confirmed that it experienced a ransomware attack earlier this month. TTEC issued a statement saying that “as a result of the incident, some of our data was encrypted and business activities at several facilities have been temporarily disrupted.” The company is working on restoring affected systems.

Editor's Note

TTEC provides customer support to large companies such as Verizon, Bank of America, Best Buy, Credit Karma, USAA, Dish Network and Kaiser Permanente. In this scenario there are two challenges: first, providing alternate customer service, or accepting long wait times; second, verifying what data is stored with the service provider and, of that data, what has been released or lost. Engage your legal team to understand what third-party liability clauses are in play and examine impacts on your service level agreements to your customers. Work closely with your provider to understand their service level and anticipated recovery plan.

Lee Neely

2021-09-20

Security.txt Files Provide Information About Vulnerability Disclosure

Some companies have adopted a proposed Internet standard that provides researchers with information about vulnerability disclosure. A security.txt file will usually list links to vulnerability disclosure policies and a contact email address. Some also include bug bounty program information and public encryption keys.

Editor's Note

This is a very simple and cheap (free) way to provide current contact information to security researchers. You certainly should take advantage of this standard. For a description of various "well-known" files like security.txt, see https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/: Not Everything About ".well-known" is Well Known. Unless of course you would rather not know about any security issues with your website/network.

Johannes Ullrich

While standards are still solidifying, it’s a good idea to implement this file, particularly if you’ve got a bug bounty program. Put it at the top of your web sites or a known location such as /.well-known/ (see RFC 8615). Consider digitally signing your security.txt file. Make sure that the identified accounts are both monitored and have junk/spam filters enabled. More on the standard can be found on the securitytxt.org web site (https://securitytxt.org).

Lee Neely
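The item above describes what a security.txt file carries (contact, policy, encryption key) and the editors recommend publishing it under /.well-known/ and signing it. The following is an added example, not code from SANS or from securitytxt.org: a small checker that a site owner can run against their own file before publishing. It strips PGP clear-signing armor if present (it does not verify the signature), parses the fields, and reports the problems researchers most often hit, such as a missing or past Expires date or a Contact that is not an https/mailto/tel URI. Field names other than Contact, Encryption and Policy follow the security.txt specification as the example's author understands it (the draft was later published as RFC 9116); the domain example.test and the signature block are constructed placeholders.

```python
"""Sanity-check a security.txt file before publishing it.

Added example for this NewsBites item; not code from SANS or securitytxt.org.
Field names follow the security.txt draft (now RFC 9116) as understood by the
author of this example; example.test and the signature block are constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED_FIELDS = {"Contact", "Expires"}
KNOWN_FIELDS = REQUIRED_FIELDS | {
    "Encryption", "Acknowledgments", "Preferred-Languages",
    "Canonical", "Policy", "Hiring", "CSAF",
}


def strip_pgp_armor(text: str) -> str:
    """Return the signed body if the file is PGP clear-signed, else the text as-is.

    Only the armor is removed; verifying the signature needs a PGP library
    and the site's published key, which is out of scope here.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_armor_header = [], True
    for line in lines[1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        if in_armor_header:  # skip "Hash: ..." lines up to the blank separator
            if line.strip() == "":
                in_armor_header = False
            continue
        # clear-signing dash-escapes body lines that start with "-"; undo it
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field: [values...]}; blank lines and '#' comments are ignored."""
    fields: dict[str, list[str]] = {}
    for raw in strip_pgp_armor(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now_iso: str | None = None) -> list[str]:
    """Return findings to fix; an empty list means the file looks sound."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    fields = parse_security_txt(text)
    findings: list[str] = []
    for req in sorted(REQUIRED_FIELDS):
        if req not in fields:
            findings.append(f"missing required field: {req}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field: {name}")
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in ("https", "mailto", "tel"):
            findings.append(f"Contact must be an https/mailto/tel URI: {contact}")
    for enc in fields.get("Encryption", []):
        if urlparse(enc).scheme not in ("https", "dns", "openpgp4fpr"):
            findings.append(f"Encryption must be an https/dns/openpgp4fpr URI: {enc}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if when.tzinfo is None:
            findings.append(f"Expires lacks a timezone: {value}")
        elif when <= now:
            findings.append(f"file expired on {value}; researchers will distrust it")
    return findings


# Constructed sample: a clear-signed file for the fictional site example.test.
SAMPLE_SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample for example.test (not a real site)
Contact: mailto:security@example.test
Contact: https://example.test/report-a-vulnerability
Expires: 2022-03-31T00:00:00Z
Encryption: https://example.test/pgp-key.txt
Policy: https://example.test/security-policy
Canonical: https://example.test/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
<placeholder: a real armored signature would go here>
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE_SIGNED) or ["no findings"]:
        print(finding)
```

Run stand-alone today, the sample reports its own 2022 expiry, which is the point of the Expires check: researchers reading a stale file have no way to know whether the contacts still work, so renew the date on a schedule alongside the signature. The `now_iso` parameter exists so the check is reproducible in tests.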

2021-09-20

DHS OIG: CISA Needs to Update Dam and Levee Security Plans

A report from the US Department of Homeland Security Office of Inspector General (DHS OIG) says that the Cybersecurity and Infrastructure Security Agency (CISA) must update both cyber and physical security plans for the country’s dams and levees. DHS OIG made several recommendations, including updating the Dams Sector-Specific Plan to align with the emerging National Infrastructure Protection Plan; strengthening coordination with the Federal Emergency Management Agency (FEMA); and developing and implementing a strategy for Dams Sector stakeholders to use the Homeland Security Information Network Critical Infrastructure (HSIN-CI) Dams Portal to its fullest potential.

Editor's Note

If you have critical infrastructure, make sure that your plans are updated, to include information sharing, incident response and physical protections. The recommendations in the report can be leveraged to make sure you’re properly prepared. Make sure that you’ve established relationships with organizations such as the CISA and FBI well before you need them; don’t forget to maintain those relationships. You don’t want to find out that your contact has left or number changed in the midst of an incident.

Lee Neely

2021-09-20

Dept. of Commerce Seeking Comment on Supply Chain Draft Report

The US Department of Commerce’s Bureau of Industry and Security is seeking feedback regarding the content of “a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base.” Commerce is producing the report to comply with Presidential Executive Order 14017. Comments are being accepted through November 4, 2021.


2021-09-17

Guilty Verdict in DDoS for Hire Services Case

A federal jury in Los Angeles found Matthew Gatrel guilty of three felonies for running two distributed denial-of-service (DDoS) for hire services. Gatrel was found guilty on charges of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. A co-conspirator pleaded guilty to criminal charges several weeks ago.

Internet Storm Center Tech Corner

OMIGOD Exploits Captured in the Wild.

https://isc.sans.edu/forums/diary/OMIGOD+Exploits+Captured+in+the+Wild+Researchers+responsible+for+half+of+scans+for+related+ports/27852/


Malicious Calendar Subscriptions Are Back

https://isc.sans.edu/forums/diary/Malicious+Calendar+Subscriptions+Are+Back/27846/


Simple Analysis of a CVE-2021-40444 (MSHTML) Document

https://isc.sans.edu/forums/diary/Simple+Analysis+Of+A+CVE202140444+docx+Document/27848/


Mirai Botnet Hunting OMIGOD

https://twitter.com/1ZRR4H/status/1438580885142507528

https://isc.sans.edu/port.html?port=1270


Exploit for Netgear Flaws Available

https://gynvael.coldwind.pl/?id=742


Apple iOS/iPadOS/tvOS 15 Updates (and WatchOS, Xcode, Safari)

https://support.apple.com/en-us/HT201222


ManageEngine ADSelfService Plus Exploited

https://us-cert.cisa.gov/ncas/alerts/aa21-259a