Yet Again, Patch Your Cisco SMB Routers; Snapchat and American Express Websites May Have Compromised Your Microsoft 365 and Google Workspace Credentials; GitHub Looking to Add Code Signing

It is Tuesday, so it must be time for more Cisco SMB router vulnerabilities. A quick search at nvd.nist.gov shows 7 critical vulnerabilities this year and 8 last year (and 25 total over the two years). I guess it is cheap enough for Cisco to push vulnerability discovery right and left.

Johannes Ullrich

The exploit comes from input which is not properly validated/sanitized. Update to the latest firmware, and make sure that the management interface is only available to authorized systems/users. While the CVSS scores are 8.3/10 (CVE-2022-20841) and 9/10 (CVE-2022-20827) - don't expect this vulnerability to remain on the “not actively exploited” list for long.

Lee Neely

Phishing is just the tip of the iceberg of open redirect issues. These flaws are often underestimated, and can be tricky to fix. But consider that if your site uses OAUTH for authentication, open redirect flaws can be used in some cases to steal authentication tokens.

Johannes Ullrich

Snapchat was told of the vulnerability over a year ago and hasn’t fixed it. Imagine if Snapchat sold breakfast cereal that was found to be contaminated with rat poison - the boxes of Snapchat would have been off the shelves in weeks if not days. It really is time for regulatory consequences that cause business disruption, not just fines, to companies that know of vulnerabilities but don’t fix them.

John Pescatore

The best penetration testers and bug bounty hunters can demonstrate the severity of flaws like open redirection in a way that shows the client how to be more secure – and motivates them to make that change.

Christopher Elgee

Prevention/training can include cautioning users around URLs that contain “url=”, “redirect=”, “external-link" or “proxy” strings, the better defense is for domain owners to limit redirection use, and include things like redirection disclaimers, (“You are leaving my site for this site, click here”).

Lee Neely

Sigstore is a very cool effort, supported by Open SSF, Google, Cisco, Redhat, VMware and others. Kubernetes adopting sigstore/code signing in May 2022 has really picked up adoption. But, the signing of code really isn’t what increases security - *verifying* the signatures and not using unsigned or invalid/expired code is the harder required part. Processes for using open source software need to be updated.

John Pescatore

Code signing is a good idea, and you need to understand what the level of assurance is behind the signature on the code. Having a reliable issuance process and disallowing self-signed as well as enforcing scope - what projects they can and cannot sign code for is a step in the right direction.

Lee Neely

It is easy to criticize thinking local water system inspectors could effectively perform cybersecurity audits, but the real issue is the lack of defined standards for required cybersecurity levels for the various levels of water utilities in the US – no auditor can audit without something against which to audit. By the way, Deputy National Security Advisor Anne Neuberger is quoted as saying the EPA is well equipped to make sure cybersecurity is “holistically” considered. Whenever I hear one of the “H” words (holistic and heuristic) used by a vendor or government official (the two that tend to use those terms the most) I automatically replace the former with “imaginary” and the latter with “undocumented."

John Pescatore

Clearly defined standards and requirements must be in place before you can effectively assess the cybersecurity. Otherwise, you're going have inconsistent results. The selection of Sanitation Inspectors reflects their ability to subjectively inspect and audit against a known set of standards; it is not clear they are going to have the level of familiarity required to audit against cybersecurity requirements.

Lee Neely

Cybersecurity evaluation, audit, is not an ancillary duty nor a job for amateurs. Such efforts will not enable any conclusions about the security of an enterprise. However, in this industry a very short checklist, suitable for use by any literate person, may enable the early identification and mitigation of dangerous omissions.

William Hugh Murray

Healthcare continues to be a target, particularly their IT/OT systems. The guidance is familiar and appropriate for networked IT/OT components (segmentation - only authorized users/devices, use MFA, keep updated/patched, and monitor.) Don't forget about embedded devices, such as pacemakers, which have wireless communication, which requires you to work with the provider to ensure you either have security best practices implemented or disable the interface.

Lee Neely

Anyone who's worked cybersecurity in healthcare knows this is partly a philosophical struggle along the CIA triad. To those of you in cybersecurity making patient health information access secure, immediate, and highly available, thank you! Yours is some of the hardest and most important working going on.

Christopher Elgee

If you are a legitimate business, not much chance you were using Tornado Cash – or using “crypto currency” at all, since actual use for business transactions is minimal. But US Treasury has a compliance guide that is worth reading if you are - https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf

John Pescatore

If you're looking at accepting cryptocurrency, actions like this matter. Be sure you do your research, including getting input from peers on options and pitfalls. This is a case where you really need to be continuously monitoring your partners to ensure you're not going to be on the wrong side of a regulatory decision. Make sure that you not only understand the relationships in play and how transactions are governed but also what the contingency plans are when something fails or becomes prohibited before jumping in with both feet.

Lee Neely

Slack leaked salted hashes of passwords, not passwords themselves. But yet another reason to first of all use long and random passwords to make offline brute forcing more difficult, and of course always use a different password for different services. In this case, the four emails I received from Slack about being affected by the leaks are non-events.

Johannes Ullrich

Slack estimates this impacted about 0.5% of users. Apparently, the shared invite link included the hashed value of the sender's password. Slack has not revealed which hashing algorithm was used and sent communication to those impacted users directing them to change their passwords. It's not a bad idea to go through and update your slack passwords, as well as checking to make sure you're keeping your desktop client updated.

Lee Neely

Slack offers its users a two-factor authentication option. The key word is “option.” All users of Software as a service (SaaS), indeed any cloud service, should expect and use strong authentication.

William Hugh Murray

The question is how insulated are you from compromise at your third-party providers. Make sure that your DR plans address both directly and indirectly connected systems. Whether a failure in the feed you send to the bank for payroll processing or outsourced/cloud services directly connected to your network, be sure to know what impacts are possible and what your recovery option is. Make sure that you have segmentation and monitoring, appropriate geographic distribution as well as redundancy of connections.

Lee Neely

The patch for Zimbra was released May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. The report from SonarSource, released a month after the patches were released, has details and pointers for attackers to successfully exploit the flaws. Yup, time to patch.

Lee Neely

Make sure you're looking at both sides of this equation. Making sure the users have the training and tools to spot and report phishing emails as well as making sure that you're securing your systems, particularly critical systems, whether OT or IT. You know the drill, keep them updated, only allow authorized devices and user access, enable MFA where possible, monitor for irregular behavior. On the monitoring front, where OT systems have proprietary protocols, some network analyzers now understand these and can alert on unexpected traffic. Use caution with active response solutions on OT networks.

Lee Neely

It is unlikely that any technique will ever wholly protect against human error but strong authentication will certainly help here. Once an enterprise network is compromised it almost impossible to completely trust it again. Backdoors are easy to install and very difficult to find and eliminate.

William Hugh Murray