FCC Wants to Make SIM Swapping Attacks Less Likely to Succeed; Vulnerable MFA Recovery Process Used to Steal Cryptocurrency from Coinbase; Faulty Facebook BGP Update Likely Cause of Outage

Good to see the FCC finally taking action on this longstanding problem. Last year, Princeton researchers showed how shoddy SIM swapping authorization and authentication processes were still in use by most carriers. Next maybe the FCC will address the ease of cell number spoofing.

John Pescatore

Make sure that you’ve checked the security settings on your mobile account relating to SIM swapping. Some of the carriers have updated their controls, such as requiring an added PIN be created to authorize a legitimate swap. Even so, the wording can be tricky and should be read carefully. When setting up 2FA, select options other than SMS or a call to your mobile, and when those are the only choices the only option, they are still better than a reusable password.

Lee Neely

This is a hard problem. Carriers want to resist the small number of fraudulent swaps while not inefficiently burdening the large number of legitimate (lost, stolen, broken or new phones) swaps. At a minimum carriers should confirm all swaps out-of-band. Not expensive, not even necessarily inconvenient.

William Hugh Murray

Every authentication method, from passwords to 2FA to biometrics, requires a backup authentication approach in case the primary authentication method doesn’t work. Those processes need to be tested for weaknesses, as too often they prioritize ease of use/cost reduction over security. (See the FCC/SIM swapping item above.)

John Pescatore

Coinbase does not reveal a lot of details other than saying that the flaw is related to the 2FA recovery process. So far, I have not seen a system that recovers lost 2FA securely and efficiently. Too often, recovery means answering some security questions or calling a help desk, which will again ask some recovery questions. Worse: recovery systems that are buggy and let users disable 2FA by brute forcing a simple six digit code.

Johannes Ullrich

Attackers were able to recover a user’s account, log in and transfer their funds to a non-Coinbase wallet. Coinbase has multiple MFA options, to include secure keys, TOTP and SMS as a last resort. Victims who had secured their account and lost funds are being reimbursed. If you have a Coinbase or other cryptocurrency wallet, revisit MFA options to move away from SMS if possible.

Lee Neely

Outages and routing issues due to BGP mistakes are common enough that there is a website tracking them (e.g. see https://observatory.manrs.org/#/history ). For your next business continuity tabletop: Consider what will happen if your authentication servers are down due to a routing issue. Include the authentication servers used to authenticate local and remote users to make routing updates.

Johannes Ullrich

The first thing that comes to mind is that the world’s economic output probably went up for the five hours that Facebook was off the air… Some of the longest outages are due to self-inflicted wounds – some of you may even remember the 9 hour+ January 1990 ATT telecoms outage when ATT pushed out a bad software update to their switches. Just as with DDoS and ransomware incidents, how to deal with extended outages of revenue-critical services is an important tabletop exercise.

John Pescatore

Reversing the BGP update required physical access to routers which were in buildings where the physical access systems were also offline. Make sure that there is a viable contingency plan for your physical access control system. Document the use cases which require physical access to IT components, making sure you’ve not overlooked options to further minimize that access. Test your contingency physical access controls regularly. Make sure that you don’t have single points of failure. Remember the productivity losses we attributed to the Microsoft Solitaire game on Windows? Social media seems to have stepped into that role and is available from about every platform a user has, not just their Windows systems. It may be time to revisit your incidental use policy with this outage in mind.

Lee Neely

It is not really the AirTags that should be sanitizing user input. Instead, Apple's website displaying the link should properly encode the data to prevent XSS, and the API they use to receive the data the user configures for the link should properly validate input. The AirTag, a device the user controls, should not be used to implement security.

Johannes Ullrich

Apple AirTags are about $30, which raises the bar on a malicious actor leaving them around to be scanned by an unwitting victim, as compared to USB flash drives which can be under $1; even so you may want to advise staff to be cautious, particularly VIPs. Two lessons here, first: input sanitization is always important, for every input. Second: respond to vulnerability disclosures. The researcher disclosed the weakness to Apple on June 20th with no response for several months despite follow-up communication. While Apple did finally respond and will be addressing this error in an upcoming update, the researcher disclosed the weakness as it had not been addressed for 90 days.

Lee Neely

Apple had previously only partially addressed stalking risk of AirTags, where the malicious actor drops an AirTag in someone’s bag or vehicle and has cheap and easy tracking. The good news is “drop attacks” are both expensive since AirTags cost much more than USB drives, and require physical access to the target. Good to warn executives they might receive malicious AirTags in the mail, just as “poisoned” USB drives were physically mailed out over the past couple of years.

John Pescatore

As more components are reporting and accessing OT components, isolation is becoming more challenging. Make sure that you know what systems need to interact with your OT and restrict access to only those authorized systems and users. Monitor the networks they are using for unexpected behavior, protocols, or unauthorized devices. Don’t provide direct OT connectivity to the Internet.

Lee Neely

Standardization of security is essential to efficiency, ensuring that sensitive resources get the necessary and intended protection while expensive measures are reserved to only those resources that require them.

William Hugh Murray

Don’t underestimate the range at which a transmitter like RFID tags can be read. Also, be aware of the ease of duplication. Lastly, consider the OPSEC tradeoff of easy remote/touchless read versus the adversary having that information.

Lee Neely

RFID is one of those tricky technologies that often falls in the creases of security programs. Like electronic locks, “smart” home devices, industrial wireless signals, and hardware tokens, these intersectional systems are often poorly understood - even by their vendors. Recommendation: give special attention to “The Weird” in your environment. The attack surface is all around us!

Christopher Elgee

The blog post is a great read for anybody dealing with credentials (meaning everybody...). The mistakes shown go beyond Apache Workflow. Many of the issues outlined can be found in a wide range of code dealing with storing and using credentials securely.

Johannes Ullrich

The workflows leverage stored credentials for accessing services. Review your workflows to make sure that you are not embedding credentials in scripts or variables, but rather use the connections functions to manage those credentials where they are encrypted. Even so, verify the plain-text password value wasn’t also stored in the extras field.

Lee Neely

While 2FA, using SMS or a phone call are a huge step in the right direction, these verification methods are subject to interception. When configuring services to support MFA, enable TOTP, physical tokens, smart cards or other mechanisms not subject to interception before allowing SMS/Phone options.

Lee Neely

They are operating under EHR downtime procedures, which were previously established and tested. Consider the viability of operating with key systems offline. Make contingency plans accordingly. If operation without those systems is not viable, and a suitable option cannot be determined, engage senior management before you consider that not operating is an acceptable alternative.

Lee Neely

Criminals are disproportionately targeting healthcare. Patients are put at risk of injury and death and clinical data is being lost that will never be recovered.

William Hugh Murray