Warn Users of the Risks of Malicious QR Codes; Patch Rust and Then Check Your Other Apps for Similar Flaws; IRS Moves to Facial Recognition to Secure Online Accounts from Attackers

Data from independent sources usually show QR code usage is pretty low, in the 5-10% of users, though the QR code industry shows much higher numbers. Good to warn users that QR codes are just like clickable links in email or text message – may have some convenience but carries risk. I think more importantly: never download a random app to read QR codes. If the camera app in your device doesn’t do QR codes, just don’t use them.

John Pescatore

Treat QR codes like any other clickable link; only scan trusted codes. The native iOS and Android apps provide a pop-up with the site referenced by the QR code; if you’re not familiar with the site, don’t proceed. There is often an alternative to using the provided QR code. For example, many restaurants are now primarily providing menus by QR code, even so, they still have physical menus for those who don’t have a smartphone or are uncomfortable with the link.

Lee Neely

While QR codes have been around for quite a while it was not until the pandemic hit that their use became more mainstream and people more familiar with using them. This is a good example of cybercriminals taking advantage of growing popularity in technology solutions and why cybersecurity pros need to keep abreast of how technologies are being utilized and subsequently abused so they can ensure the appropriate controls are in place.

Brian Honan

I do not believe that it is helpful to tell users not to download apps using QR codes. Too often, there are legitimate apps that are offered via QR codes. But users should be considering what they are downloading, and where they are finding the QR code. The alternative, offering short URLs for users to type in, has the same problems as QR codes.

Johannes Ullrich

QR code adoption has increased since the pandemic; everyone knows how to scan a QR code at a restaurant. Unfortunately, this convenience is being exploited to direct end users to malicious sites. Count this as another feature that requires user awareness training.

Jorge Orchilles

This vulnerability is an interesting race condition, but can only be useful if an unprivileged user is calling a privileged (e.g. setuid/setgid) program. The sky is certainly not falling with this one, but there are two key takeaways from the example. First, TOCTOU (time of check/time of use) vulnerabilities are all over the place in code. Many Windows kernel vulnerabilities are TOCTOU. If you run an SDLC program, ensure you educate your developers on how to write code resistant to TOCTOU bugs. With increasing numbers of processing cores on our systems, these are especially problematic in multithreaded applications. The second takeaway is that vulnerabilities aren't going away. Rust is widely celebrated for its security in defeating memory related bugs. But no programming language is immune to logic flaws such as race conditions and this is a primary example of that in action.

Jake Williams

This was due to a time-of-check/time-of-use race condition, which may not always work. Updating to version 1.58.1 is the fix, as adding code to check prior to calling the “remove_dir_all” function will not mitigate the problem as those calls will also be subject to the same race condition.

Lee Neely

On a penetration test, vulnerabilities like this usually fall into the “I didn't know we had that!” category. If you aren't small/technical enough to maintain full inventories with scripts and elbow grease, it may be time to invest in an automated solution. Not sure it's worth the time/money spend? How long did it take you to find all the Log4J in your environment?

Christopher Elgee

The IRS is already using the service. I went through the procedure last week, and it appeared to be very thorough but of course, not very convenient. It required uploading various documents (passport, driver’s license) and in the end a video call to verify the information. The IRS also sent a letter a few days later verifying that I accessed the site online, which is a nice touch to prevent fraud. It is likely best to setup access yourself before someone else does it for you.

Johannes Ullrich

Fraudsters and criminals have long swarmed online IRS services to steal tax refunds, so good to see strong authentication finally being required here and that should pave the way for more federal, state and local government and contractor requirements for strong authentication. The government needs to do strong vetting and testing of the ID.me service.

John Pescatore

Civil liberty groups are right to be concerned about the implementation of such technology for authentication means. Biometric data is one of the most sensitive type of personal data there is and why under the EU’s General Data Protection Regulation (GDPR) there are many prohibitions on its use.

Brian Honan

ID.me is set up to do strong identity validation with the intent of preventing fraudulent account creation. As party of that, biometric and other sensitive information is needed to fully verify your identity. Additionally, ID.me supports multiple forms of MFA; when prompted, select the strongest form possible, steering away from SMS or phone calls as a second factor. The ID.me site says you can delete your biometric information; this appears to require deletion of your account. If you’re setting up an account, expect any interaction with the help desk to include a significant delay as they’re ramping up dramatically.

Lee Neely

I love the idea of the IRS requiring strong validation/authentication for access to its databases. Ultimately a process/solution like this should be used for any public access to sensitive government resources.

Lance Spitzner

The lack of requirements for internal network monitoring is definitely a gap in NERC/FERC standards. Years ago, IDS products weren’t all that useful in SCADA/OT environments and networks but that has changed over the years. However, there are definitely specific skills needed to architect, deploy, and make effective use of monitoring those networks. Collecting data or even producing alerts isn’t the goal, quickly acting on potentially dangerous conditions is – and that takes more than technology.

John Pescatore

CISA and others have been publishing best practices for securing these systems you can already leverage to get a jump on this. Check to see what protections you have in place, including monitoring, separation to include local and remote access restrictions for these systems.

Lee Neely

The power grid is unique in the potential for a failure in one provider to spread to others.

William Hugh Murray

Review the CISA Insights document on implementing cybersecurity measures to protect against potential critical threats (https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf). This is a checklist of the fundamentals, irrespective of threat actor; covering reduction of attack steps, rapid detection and response as well as resilience to an incident. When verifying your capabilities make sure there is supporting evidence, don’t accept someone just checking the box.

Lee Neely

Given the heightened geo-political tensions I recommend that organizations outside of the US take heed to these warnings too. We live in an ever more interconnected world and your organization could easily be targeted as part of the supply chain to an ultimate target located elsewhere.

Brian Honan

Web based admin portals, not just CWP, should never be exposed to the public internet.

Johannes Ullrich

Make sure that you’re running the latest version of CWP 7 - 0.9.8.1122. CWP 6 (0.9.8.918) is definitely EOL; it is time to upgrade.

Lee Neely

Another vulnerability in open-source software. Having an inventory of assets, including libraries and plugins, is a must. These should have been lessons learned by Log4j, Struts, and Heartbleed.

Jorge Orchilles

We continue to see rapid exploitation of flaws in perimeter security devices. This has been a problem for the last few years now, and you need to apply updates to these devices quickly. Updating devices can be risky and you may need hands-on-site to recover, but the alternative is having the device exploited.

Johannes Ullrich

Make sure that you didn’t postpone deploying the patches because of the holidays. Remember the SMA 100 series of appliances include the SMA 200, 210, 400, 500v products. Double check and address any missed devices soonest. Also check your logs for any signs of successful exploit.

Lee Neely

With our greater dependency on remote access solutions and gateways resulting from the pandemic, these security solutions are in turn being targeted by criminals, particularly ransomware gangs. So ensure you keep all such devices, not just those from SonicWall, updated, that you regularly review their rules and configurations to ensure they are valid, and most importantly that you proactively monitor them for any suspicious activity.

Brian Honan

Your organization should have an inventory of all assets and monitor them for vulnerabilities and patches. Edge devices, that are accessible from anywhere on the Internet, should be top of the list when remote code execution patches are released.

Jorge Orchilles

The fix has been incorporated into the release candidate for the next iOS and macOS update. It may be released as soon as this week. The iOS security architecture doesn't allow for a more granular quick update of Safari. All updates need to include a complete iOS image.

Johannes Ullrich

I expect Apple to release iOS and iPadOS 15.3, macOS 12.2 and Safari 15 updates this week. If you’ve not finished you prior update cycle, particularly for mobile devices, you may need to stop where you are and change the target as soon as the new versions drop.

Lee Neely

Initial access occurred around July 10, but the investigation did not complete, and notification did not occur until December 9. Testing, measuring, and improving your resilience to ransomware threats should be part of your plan for this year if you have not started already. The best time to start already passed, the second-best time is now.

Jorge Orchilles

Remember when schools were hacked to alter grades? This attack targeted PII, W-2s, and financial information with the intent to file returns to fraudulently obtain tax returns. Fortunately, the attacker couldn’t guess the victims’ adjusted gross income for the prior year and was subsequently caught. Make sure your systems with this type of data are isolated and monitored, that information is encrypted in transit, storage, and if possible, when not in use (think encrypted fields). Review your network architecture. Make sure you no longer have a flat network when it comes to accessing systems, only exposing needed interfaces for self-service operations.

Lee Neely