Singapore Tells Banks to Stop Using Clickable Links in Text Messages; Zoom Fixes Input Validation Flaws That Enabled Zero Click Attacks; Just Like On Servers, Hospitals Have a Problem Patching IoT Devices

These are interesting security measures in that they really strike at the intersection of confidentiality, integrity, and availability. Here, they're protecting the integrity of the accounts by limiting availability of some features. On the issue of clickable links in text and emails, that train has unfortunately already left the station. While this will definitely stop some cybercrime, it will take some time to get people to adjust to the idea that any clickable link is an attack. That said, this is a gold mine for security awareness. Instead of trying to train users on which links are safe to click (which I think we can all agree has been an abject failure), end users can now be trained that *any* link from participating institutions is an attack. This heuristic will certainly be easier for users to apply reliably and consistently.

Jake Williams

While these are good security measures, they also impact usability and remove the risk-based decision from the individual financial institution. The challenge to the FI is to train users to use alternative more secure methods, such as non-SMS authentication verification, out of band verification for transactions which exceed risk thresholds to support the expected transaction volume of modern banking users.

Lee Neely

This measure from MAS/ABS along with the Philippines bank to no longer use clickable links in SMS and emails is an interesting strategy. Inconvenient from a user perspective but the extra steps to copy and paste the URL may give the user time to think about what they are about to do. This is, of course, if it does not become a habit.

Jorge Orchilles

Modern email clients (including browsers) and secure web gateways all give some level of protection to users when they click on embedded links in email. SMS messaging does not go through such protection which is why “smishing” is increasing. Until phone number spoofing is stopped or until such protections are available, it is a very good thing to make it clear that no responsible institution would include clickable links in a text message.

John Pescatore

This is a fantastic write-up exploring the zero-click attack surface of Zoom and the attacker opportunity for client-to-client exploitation. Zoom has fixed these vulnerabilities and significantly improved defenses against future attacks on their servers. Many thanks to Natalie Silvanovich from Google Project Zero for the write-up, and for motivating Zoom to make positive security changes.

Joshua Wright

While I certainly don’t recommend asking board members or CEOs to read the 8 page Google Project Zero blog entry, it is great example of the complexity of a commonly used service (Zoom) and how a skilled attacker (or pen tester/researcher) with tools and time can keep poking and prodding and find weak spots. In my briefings to boards, the closest analogy I have found that seemed to connect is deer eating my landscaping: they are hungry, devious and have lots of time. If I don’t regularly monitor and mitigate my vulnerabilities, sooner or later the damn things will get in and wreak havoc. And, if someone tells you this software is hacker proof or that deer don’t eat that type of shrub, don’t believe them.

John Pescatore

Make sure you’re pushing out updated desktop clients to your users. If you’re not a zoom shop, make sure any endpoints with the application installed are also updated; while removing the app in this scenario is tempting, you need to understand the impact and have an exception process to mitigate business impact. If you’ve been ignoring the update zoom prompt, now would be a good time to click install and relaunch.

Lee Neely

Zoom’s security, their team, and response process to vulnerabilities and threats have come a long way since the start of the pandemic.

Jorge Orchilles

Not to downplay these results, but in 2020 a Rapid7 survey showed 80% of Exchange servers were missing critical patches overall and 60% in the healthcare vertical – and those vulnerabilities are much easier to exploit. That said, where lives are at stake, much higher standards are required. The biggest problem is the procurement of devices from vendors who claim they are restricted from patching them, or update the underlying OS, despite years of FDA guidance saying that is not true.

John Pescatore

As anyone who has worked in healthcare can tell you, this is no surprise. And the “lots of medical equipment has unpatched vulnerabilities and many healthcare providers run legacy operating systems” is evergreen. Given the realities of technology and patient care, we need to start thinking of patient care equipment as operational technology (OT) and segment these networks appropriately. This should be done with the understanding that just like most utilities and manufacturing, healthcare will always have devices on the OT network with known vulnerabilities. Zero trust networking in the patient care networks can help mitigate some risk as well. I'm not advocating giving up on vulnerability management in patient care networks, but I look forward to the day when stories like this stop getting written because there's just no realistic impact.

Jake Williams

Shock and awe numbers like this are hardly useful without context. They sell clicks, but do not promote change. Healthcare IT is a complex multi stakeholder operation and needs to prioritize resources. Ransomware attacks significantly affected hospital operation and patient safety, but they did not take advantage of IoT vulnerabilities; they may have affected IoT devices, but not due to these vulnerabilities.

Johannes Ullrich

Like OT, these systems need proper segmentation and isolation as patching intervals are infrequent and will not only require regression testing, but also careful scheduling to not impact patients. Consider network layer protections that connect devices to the proper segment regardless of how they are connected. These protections can also be used to auto-quarantine unauthorized or rogue devices.

Lee Neely

Sadly, this isn’t surprising in the slightest. Having worked with many medical orgs, we’ve seen these systems aren’t touched. Often no updates or people looking at the (in)security of these systems. Even if the updates exist, most organizations don’t have the buy-in to perform updates or the staff to manage it (again, buy-in). Ideally, if you’re in a situation like this (no ability to update), segment these systems from others.

Tim Medin

Many, not to say most, of these appliances should not be visible to Cynerio.

William Hugh Murray

Input validation must be fundamental for all application development. Don’t solely rely on an external service, as they can be bypassed or misconfigured. Leverage testing harnesses which include fuzzing to insure you didn’t miss anything.

Lee Neely

Input validation vulnerabilities are to information security as fat/salt/sugar is to nutrition: we could avoid them and be really healthy, but then we would be forced to only eat kale. Validation errors is simple use cases like forms are easily avoidable. In things like queries, not so easy to avoid but modern software testing tools used by skilled testers can find them. After all, the bad guys do just that – vendors need to be driven to be doing more of that before the bad guys.

John Pescatore

This story is interesting because of how the vulnerability was identified.

Jorge Orchilles

The supply chain remains a way for attackers to insert vulnerabilities into many enterprise networks at the same time. Until we begin to hold suppliers responsible for distributing malicious code (does not now seem likely any time soon), consider quarantining supplier updates long enough for malicious code to be detected by others.

William Hugh Murray

There was a lot of discussion in the EO about cross domain solutions (CDS) that are used to segment networks of different sensitivities (typically different levels of classification) and only allow specific data types/content to flow in each direction. Commercially, similar systems (often termed "data diodes") are used to separate some IT and operational technology (OT) networks.

Jake Williams

NSS systems are already held to a higher standard than unclassified systems, particularly cross domain components which require specific certifications and validations before they are authorized to operate. These systems are isolated and have many controls on how information enters or exits them. Care must be taken to not introduce impractical requirements which may cause a loosening of existing security measures.

Lee Neely

A nice list of common-sense steps to take. They will protect you against many common attacks.If a new article about Ukraine can get you management attention and funding don't let the crisis go to waste! Pick one item that you had difficulties getting resources for (e.g. 2FA for VPNs is one of my favorites, something you should be doing anyway).

Johannes Ullrich

It's important to note that this isn't just a service that was used by cybercriminals (I'm confident that pretty much every public VPN service is used by cybercriminals at some point). VPNLab was designed for use by and marketed to cybercriminals, a significant difference.

Jake Williams

Always happy to hear collaboration, takedown, and ransomware in the same story. Kudos to the law enforcement working across borders as we all work together to fight the ransomware threats.

Jorge Orchilles

This is a serious, easily exploitable, vulnerability. Apple will hopefully release a patch shortly (a release candidate was made public yesterday). The underlying WebKit vulnerability was patched this week, but to update iOS/MacOS, a patch from Apple is required.

Johannes Ullrich

This vulnerability in Safari leaks information about the websites you visit. Private mode browsing helps, but does not fully mitigate this flaw. Compared to other browser same-origin policy bypass vulnerabilities, this one is mild, but it still warrants rapid patching due to the ease of attacker exploitation.

Joshua Wright

The flaw can be used to discover the names of services used, not their content. The fix requires an update to WebKit, which means all browsers used in iOS or iPadOS are vulnerable. Apple has not released a date for the update, but has reportedly made the necessary fixes and marked the issue closed, so I expect the next patch cycle to include it.

Lee Neely