Educate Employees Working from Home About Video Doorbell Storage Risks; First US Cyber Safety Review Board Focuses on Log4j Risk; Another Form of MFA Bypass Does Not Change Advice to Eliminate Reusable Passwords

Amazon’s response to the Senator shows Amazon has evolved to a balanced response between user demands for privacy and law enforcement (and often user) demands for using stored doorbell video to catch thieves and criminals. Worth showing your Chief Legal Counsel if your company provides any product or service storing such data. From a Work at Home security viewpoint, Amazon Ring is the largest vendor but only has about a 15% market share. The top 5 vendors overall only represent 30% of the market – 70% of devices are sold by dozens of tiny vendors who are likely not being as diligent as Amazon. The good news from WAH point of view is many of the smaller ones don’t offer long cloud storage of video/audio but most will over time. WAH security awareness should include tips on how employees can minimize risk.

John Pescatore

Make sure that you understand who can view your doorbell or other security footage, and under what conditions. And this reminds us that they have direct access to the data to override those processes if needed. Amazon has their Neighbors Public Safety Service which allows users to elect to share footage with law enforcement as well as a process where they will share footage in response to a court order or emergency request. In this instance, Amazon (Ring) made a good faith determination that sharing the footage was warranted, but those requests cannot be linked to a court or emergency order. If you're uncomfortable consider solutions where the footage is stored locally and only you have access to view it.

Lee Neely

Police and other government agencies will always look to gather whatever data they can when investigating crimes or individuals. That is why strong privacy laws are so important to ensure that any such access is provided in a controlled, informed, and transparent manner and it is beyond time that the US introduced strong federal privacy laws. Privacy laws are not there to hinder police or government agencies, they are there to protect the human rights of us all.

Brian Honan

Their "terms of service" almost universally permit holders of data to respond to "lawful" requests, i.e. warrants and subpoenas. If that is a problem for you, then do not share the data. Holders of data should be transparent about the number of such requests it receives and how they responded. Such transparency is essential to maintaining the necessary level of public trust.

William Hugh Murray

Log4j is a bit of a tricky vulnerability. Initially, we saw a big surge in scans for the vulnerability and these scans dropped off quickly as attackers realized that the standard attack tools only worked for a few specific applications. In many cases attacks against log4j need to be customized for a particular application based on how it where it uses log4j. But the application is still vulnerable and as more specific exploits are released for these use cases, we will see new flare ups.

Johannes Ullrich

The good news quote in the CSRB’s first report since being established: “At the time of writing, the Board is not aware of any significant Log4j-based attacks on critical infrastructure systems. Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.” This first output from the CSRB was focused on a vulnerability vs. an incident. The idea of a Cyber Safety Review Board came from trying to get similar “lessons learned” that have for years come from the US National Transportation Safety Board that investigates plane, train, vehicle, etc. crashes. The “Organizational Reponses” section of this initial report is just a few paragraphs of lessons learned. The Enterprise Risk Management recommendations section has a bit more, but at a much higher level. I’d like to see the next CSRB report focus on an investigation of one of the continuing stream of successful attacks we are always commenting on in NewsBites.

John Pescatore

As we are still having breaches due to SQL injection and other vulnerabilities identified decades ago I have no doubt that we will still be dealing with recently discovered vulnerabilities for decades to come, and yes I won’t be surprised to still see SQL injection attacks over the coming decades. Security engineering needs to become the default for all systems and applications from their very beginning and not something added on as a nice to have or to keep regulators happy.

Brian Honan

The first task on the CSRB agenda was a report on Log4J. The executive summary includes a number of recommendations which apply to more than just Log4j, even if you're not developing applications, to include being aware of the components you're integrating, keeping good software inventories so you know where those components are located. SBOMs are a step to aid this: remember that they represent a point-in-time, so make sure they are maintained/updated.

Lee Neely

At the SANS New Threats and Attacks keynote presentation at the RSA Conference, SANS instructor Katie Nickels covered MFA Bypass attacks but also said “Multifactor auth remains an incredibly powerful force for security. You should still use it.” Successful attacks (like airplane crashes) make the headlines, blocked attacks (like safe plane landings) do not – you will not see publicity around the 99.9% of credential stealing attacks that don’t work if MFA is done right. MFA does have to be done right, Katie points that out, and even done right doesn’t mean the end of successful attacks. But raising the bar against credential stealing that takes advantage of reusable passwords is mandatory if you are even talking about achieving anything close to “zero trust.”

John Pescatore

The attack isn't particularly new, but the write up does also cover what attackers are doing after the phishing is successful. Good read and maybe a motivation to not allow "remember browser" cookies to bypass MFA for critical applications.

Johannes Ullrich

Just to clarify, ‘advisory-in-the-middle’ attacks have been going on for almost twenty years now, nothing new. Second, this is not an attack specifically against MFA. In this version, the attackers’ goal is to steal the session-cookie, not the actual authentication credentials. In other words, the attackers wait for / assist you to authenticate first, steal the authenticated session cookie and then replay that to gain access. A similar attack happens with “trojaned” M365 plugins that you approve and install AFTER authenticating to your M365 account. Strong authentication mechanisms like MFA are highly effective, something I still strongly recommend and use actively for my own personal accounts. The Microsoft post has good details about how the attack works and mitigation steps.

Lance Spitzner

While we have been raising the bar by implementing some form, any form, of MFA, attackers have been working on how to exploit these efforts. You should be starting to hear the term phishing-resistant MFA. These leverage both cryptographic (public-private key pairs) as well as verification the requesting site is genuine. FIDO2 is one example. From an infrastructure perspective, pursue a strategic roadmap from your current MFA to phishing resistant MFA, while taking tactical steps to phase out SMS or phone call MFA quickly. From an end-user perspective, continue to educate them on being skeptical and checking that the site they are interacting with is truly genuine.

Lee Neely

MFA has raised the bar for criminals to hijack user accounts but it should not be seen by itself to be a panacea. Other mitigations should be put in place to reinforce the protection offered by MFA solutions. The Microsoft blog included in the links to this story offers some very good additional mitigation steps to help defend against this type of attack.

Brian Honan

Unlike the fraudulent re-use of passwords, which is cheap and enables session creation, attacks against strong authentication are expensive and only enable session stealing. We must not permit the limitations of a security mechanism to discourage its use, the perfect to be the enemy of the good.

William Hugh Murray

The Lenovo site includes a table of models and which of the three vulnerabilities impact them. All 70 are impacted by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver. The fix, in all cases, is to update your firmware. In April Lenovo addressed three UEFI vulnerabilities with firmware updates. It's a good time to make sure your entire fleet of Lenovo systems are running updated firmware.

Lee Neely

The good news is the fix is in the July patch bundle. The bad news is this impacts client and server operating systems, through Windows 11/Server 2022, and is a zero-day to boot. While you're already pushing out your client updates, you're going to want to expedite your regression testing for server deployment.

Lee Neely

Overall, a pretty "average" patch Tuesday. The CSRSS vulnerability is already exploited, but it is "only" a privilege escalation vulnerability, so nothing to lose too much sleep over. Also note that Microsoft did release the new auto-patch in general release now. Maybe start experimenting with it to take the busy work out of patch Tuesday.

Johannes Ullrich

While it sometimes feels we can't catch a break, it's nice to see a fix released for all impacted platforms rather than having to wait for patches for different OS versions. The CSRSS vulnerability is a zero-day and allows an attacker to execute code as System. Note this update also includes another round of patches for the print spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) which can be leveraged to delete files or gain System privileges.

Lee Neely

Spectre variant 2 is back - while it was argued that the retpoline mitigation to that attack was insufficient, it was countered that those attacks were impractical. This is that impractical attack. The good news is there are mitigations, and Windows systems are not vulnerable as they are by default using Indirect Branch Restricted Speculation. Mitigations for other operating systems come at a 12-28% overhead so research carefully before deploying.

Lee Neely

You're not still treating your Macs as non-targeted are you? While we can chuckle about Microsoft finding a flaw in macOS, we need to quickly acknowledge that disclosure to Apple was made and fixes incorporated in the May 16 updates to Catalina, Big Sur and Monterey. Make sure those updates have been deployed, particularly as it's going to get busy with iOS 15.6 likely next week and Ventura/iOS 16 in a couple of months.

Lee Neely

So called "proof-of-concept" code should not be released; it lowers the cost of attack to the rogues. I, for one, am more than willing to take Microsoft's word that there is a vulnerability, that it can be exploited, and should be mitigated. Microsoft should not lower the cost of attack against vulnerabilities in its competitors’ products. Rather it should focus on putting its own house in order.

William Hugh Murray

The claim is hitting both on timely notification and encryption of sensitive data. HIPAA allows data to not be encrypted at rest if you have other mitigations; it will be interesting to see how this plays against that plan. Make sure that you're prepared to notify users and/or partners in a timely fashion in the event of a breach. Take a moment to review contractual or regulatory requirements to make sure that you're meeting those obligations. As to encryption, it's become increasingly easy to encrypt at rest and in transit, make sure that you've not overlooked options to facilitate this not previously available, particularly for services you migrated to the cloud. Then document and track gaps.

Lee Neely

These class action lawsuits after breaches have been tried many times over the past 10 years and they rarely seem to succeed. That may change in the future as the broad loopholes in regulations get narrowed at the state level, but I think today it is more important to convince CXOs and Boards that the cost of preventing or minimizing the damage from breaches is almost invariably less than incurring a breach – and cybersecurity insurance rarely changes that.

John Pescatore