Commerce Department Audit Finds Many Discrepancies Between Data in CSAM Tool and Reality; More Reason Not to Expose Your NAS Devices to the Internet; Warn Employees Going to Beijing Winter Olympics: Only Bring Temporary or One Time Devices

Most of the report points to problems with accuracy and completeness of the data in the CSAM tool Commerce (and many other government agencies) uses to meet reporting requirements. This often happens when operational tools are used for vulnerability scanning and inventory discovery and the customization and integration required has not been done in the reporting system to support direct import of timely and accurate data. You can push the button on the reporting tool and creates pages and pages of reports, but any audit finds these same problems.

John Pescatore

Assessing the security posture of our information systems to ensure the security posture remains appropriate is a challenge for everyone and is easy to postpone. With the advent of more tools to verify security against baselines, it’s tempting to just install and walk away, rather than integrating them fully into your processes. Make sure that you not only have a view into the current security posture but also are tracking remediation efforts. Don’t forget to monitor your cloud services as well. Figure out how you’re going to track and remediate cloud and outsourced system security as part of the onboarding process, then verify they are being monitored and reviewed at least annually.

Lee Neely

Yet again, network storage devices are affected by ransomware. In response to this recurring problem, QNAP started to "push" firmware updates to users who had automatic updates enabled. An interesting side effect of the update was that it may have removed ransomware from devices, preventing recovery for users who had paid for the decryption key (or intended to do so). Never ever, ever expose your NAS to the Internet. It will get compromised and yes, you will lose all your data.

Johannes Ullrich

Because NAS remains a top target for attackers, you need to aggressively keep them updated and regularly verify security settings, user lists, and application lists, removing unneeded or unrecognized items.

Lee Neely

Using clean or throwaway devices for any travel to China (and some other countries) has long been standard practice for high level business executives. There has been plenty of evidence of China broadening its cybersurveillance across broader civilian targets – good to pass this warning along to any employees that may be attending the Olympics in China.

John Pescatore

Consider this a hostile environment, another place to carry a burner phone. Keep devices in airplane mode where possible, don’t trust any unknown WiFi, particularly open/free WiFi. Use caution transferring information from the burner device to any other systems. This may be a good time to use a camera for taking photos.

Lee Neely

We must assume that the young athletes may be targeted, that many will not receive or heed warnings, that they will use their phones to memorialize their experience, and that some of those memorials will be compromising. A small number may be exploited. However, government, business, media, and activist travelers are targeted by the Chinese and other nation states. The cost of travel to China includes the cost of a burner device that can be discarded after returning. Store files, photos, and messages in the cloud or on your home system: do not store anything on the burner device. Consider removing the cloud clients when not in use and re-loading them from the store when needed. Arrange for a secure connection to your home or work system before departing.

William Hugh Murray

Pentesters and red teamers: If your attack methodology does not already include OAuth token abuse, now is the time for an update. Credential and MFA phishing are still fine but be sure to measure your clients' cloud identity/access risk too.

Christopher Elgee

Beware of unrecognized apps requesting permissions, particularly “Consent on behalf of your organization.” In this case, the attackers are manipulating the reply URL such that clicking cancel will just redirect back, sessions will need to be positively closed, possibly closing the calling client or browser. Make sure your CASB, URL rewriting, or other attack prevention solution has incorporated rules for this attack.

Lee Neely

Assume intelligence agencies have tools like Pegasus and Phantom; take actions to mitigate the risk, even if you don’t think you’re targeted. This means use loaner phones with minimal data, strong authentication, current OS and applications and verified security settings when going to risky foreign locations. Don’t update the devices while on those trips and consider them suspect upon return. This scenario is not a time for BYOD.

Lee Neely

One should not be surprised that such discussions took place. One would like to think that the FBI would use such a tool only with warrants based upon probable cause. However, recent experience with airborne IMSI-catchers raises some doubt. Even the “good guys” are vulnerable to temptation. The “usual suspects” must take into account the security limitations that all technology, but particularly general purpose communication devices, has.

William Hugh Murray

Apple released fixes in iOS 15 which address NSO’s ForcedEntry exploit, make sure your devices are updated. While Apple says they will notify those targeted with this exploit, in accordance with best practices, take proactive steps to minimize the risk before heading abroad.

Lee Neely

Agencies are required to evaluate the catalog against installed products and report findings as well as remediate per the published remediation deadlines. The problem that is trying to be solved is long lead time on remediation for US government systems. With the impending Zero Trust model from EO 14028, timely remediation and monitoring is going to be a key component for keeping systems secure. If you’re using a risk-based approach to applying updates, make sure that you’ve documented those decisions, and prepare to revisit them with an eye to Zero Trust.

Lee Neely

Exploitation of this flaw is likely going to be a bit tricky. The attacker needs to have write access to the EA metadata. There are however configuration options to provide guest/unauthenticated users with this ability. This flaw is most likely going to affect Linux based network storage devices, which you should never ever, ever expose to the Internet.

Johannes Ullrich

The best fix is to update to the patched version of Samba. The attack requires access to a file’s extended attributes, which is present in the default configuration. A workaround is to disable the “fruit” VFS module from the list of configured VFS object; this does block access to those attributes, and has the side effect of causing all stored information to be inaccessible to macOS client, giving the impression the information is lost.

Lee Neely

Make sure you have a DDoS strategy which includes web application firewalls as well as considerations for any workloads which are sensitive to increased latency. The Microsoft guide on a DDoS response strategy (https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-response-strategy) can be leveraged in your assessment process, whether or not you’re using Azure services.

Lee Neely

While the attack appears to have been targeting the players in Andorra, this small country effectively only has one ISP, so the attacks took out businesses, home users, and government agencies as well. Understand the limitations of your ISP, have a conversation specific to their DDoS protections, evaluate the need for a secondary connection, even if only for small bandwidth operations such as PoS transactions.

Lee Neely