Archive for January 13, 2022

NCSC Joins US In Mitigating Russian State Interference

Posted in Commentary with tags on January 13, 2022 by itnerd

The UK’s National Cyber Security Centre (NCSC) has joined US calls to be wary of Russian state interference in critical infrastructure IT systems, including telecoms networks, energy and utility suppliers, transport operations, and logistics and distribution specialists. This comes shortly after a joint advisory published by CISA and the FBI urged critical national infrastructure (CNI) operators to “adopt a heightened state of awareness and to conduct proactive threat hunting”.

I have a total of three comments on this. The first is from Sam Jones, VP of Product Management, Stellar Cyber:

“The current security state of complex infrastructure systems is unfortunately one of massive opportunity for attackers. The attack surface of these systems is so large, and oftentimes very outdated, that it is incredibly difficult to defend everything. This is why mentally assuming a breach is so important and focusing on defending only what matters most is the only realistic approach to staying secure.”

The next comment is from Bryson Bort, Founder & CEO, SCYTHE:

“We don’t have a cyber problem. In this case, we have a Russia problem, and worldwide private industry continues to suffer because of it. As with all persistent adversaries, they will get in. Companies should assume they are a target. As part of that, they should use an assumed breach mindset, that they’ve already been compromised. After mitigating the specific vulnerabilities mentioned by these agencies, they should focus their limited time and resources to get the highest return on investment for their security programs, which is why yesterday was the best time to implement MFA.”

The final comment is from Sanjay Raja, VP of Product Marketing and Solutions, Gurucul:

“The NCSC and CISA are absolutely missing the mark. Preventive measures are certainly an important layer of defense, but antivirus is fairly useless against most advanced attacks. Vulnerabilities are no longer the primary entry point (aka initial compromise) for most attacks. While a vulnerability is often exploited as a step in an overall attack campaign, the primary mechanism being more actively used by many adversarial nation states is a combination of phishing and social engineering. This means that initial compromise is dependent on human behaviors and impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls and certainly antivirus, especially as variations in attack strategies are implemented to circumvent signatures, pattern matching and rule-based machine-learning detection analytics. What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”

Russia being a bad actor has to be a top-of-mind issue for companies regardless of industry. The warnings are out there. It’s time to act on those warnings and take the right measures to ensure that bad actors of any sort cannot do their evil.

UPDATE: Ayal Yogev, CEO and Cofounder, Anjuna Security provided me with this comment:

“Great advice. But most organizations have literally millions of vulnerabilities that originate from open computing and networking. Patching them individually is as useful as swatting a swarm of mosquitos. Organizations must focus on mitigations that have the broadest effect on overall risk. Moving to zero-trust infrastructure, such as confidential cloud computing, can be a relatively simple mitigation that, in most organizations, will put them in a fundamentally stronger security posture against these threats.”

Austrian Website’s Use Of Google Analytics Breaches GDPR

Posted in Commentary with tags on January 13, 2022 by itnerd

TechCrunch is reporting something that is bad news for US cloud services: an Austrian website’s use of Google Analytics has been found to breach the GDPR.

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.
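The two “technical wrinkles” in that excerpt, what Google Analytics’ IP anonymization actually does and why the regulator still counted the remaining data as personal data, are easier to see in code. The following is an added example written for this page; it is not code from the article, from TechCrunch, from netdoktor.at or from Google. The truncation rule is my reimplementation of what Google’s public documentation describes for its anonymizeIp option (last octet of IPv4 zeroed, last 80 bits of IPv6 zeroed), the cookie parsing follows the publicly documented `_ga` cookie layout, and every IP address, cookie header and hit in the sample data is constructed for illustration.

```javascript
// Added example: GA-style IP truncation next to the identifier that the
// Austrian DPA called a "puzzle piece", the client ID carried in the _ga
// cookie. All IPs, cookie headers and hits below are constructed sample data.

// Expand an IPv6 address to its eight 16-bit groups (handles a single "::").
function expandIpv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const headGroups = head ? head.split(':') : [];
  const tailGroups = tail ? tail.split(':') : [];
  const missing = 8 - headGroups.length - tailGroups.length;
  if (missing < 0 || (!ip.includes('::') && missing !== 0)) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  return headGroups.concat(Array(missing).fill('0'), tailGroups);
}

// Truncate the way Google documents its anonymizeIp option: IPv4 keeps the
// first 24 bits, IPv6 keeps the first 48 bits. Google applies this after the
// full address has already reached its collection servers, which is part of
// why the DPA treated the transfer itself, not the stored value, as the issue.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    return groups.slice(0, 3).concat(Array(5).fill('0')).join(':');
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  octets[3] = '0';
  return octets.join('.');
}

// Pull the GA client ID out of a Cookie header. The _ga cookie has the form
// GA1.<depth>.<random>.<first-visit-timestamp>; the last two fields are the
// client ID that analytics.js sends as the "cid" of every hit.
function gaClientId(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === '_ga') {
      const fields = rest.join('=').split('.');
      return fields.length >= 4 ? fields.slice(2).join('.') : null;
    }
  }
  return null;
}

// The "puzzle piece" argument in code: even after IP truncation, hits that
// carry the same cid link straight back into one visitor's browsing history.
// Given {ip, cookie, path} hits, return a Map from client ID to that visitor's
// truncated IPs and requested pages.
function linkHitsByClientId(hits) {
  const byVisitor = new Map();
  for (const hit of hits) {
    const cid = gaClientId(hit.cookie);
    if (cid === null) continue; // first-ever hit, no _ga cookie set yet
    const record = byVisitor.get(cid) || { ips: new Set(), paths: [] };
    record.ips.add(anonymizeIp(hit.ip));
    record.paths.push(hit.path);
    byVisitor.set(cid, record);
  }
  return byVisitor;
}

// Constructed sample: one visitor moves between home, office and mobile
// networks; a second visitor shows up once. Paths are invented.
const SAMPLE_HITS = [
  { ip: '203.0.113.77', cookie: '_ga=GA1.2.1234567890.1609459200', path: '/article/diabetes' },
  { ip: '198.51.100.23', cookie: '_ga=GA1.2.1234567890.1609459200', path: '/article/blood-pressure' },
  { ip: '2001:db8:85a3::8a2e:370:7334', cookie: '_gid=GA1.2.5.6; _ga=GA1.2.1234567890.1609459200', path: '/symptoms/thirst' },
  { ip: '198.51.100.5', cookie: '_ga=GA1.2.987654321.1609459300', path: '/' },
];

// Stand-alone demo: print each visitor's linked history.
const DEMO = linkHitsByClientId(SAMPLE_HITS);
for (const [cid, rec] of DEMO) {
  console.log(cid, [...rec.ips].join(','), rec.paths.join(' -> '));
}
```

Run with `node`: the first visitor’s three hits come from three different networks, yet the client ID alone stitches them into a single history of health-related pages. That is the combination the DPA had in mind, and it is why a correctly configured anonymizeIp setting would not have changed the Chapter V analysis.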

That’s not good and I suspect that this decision is being discussed in a lot of places as I type this. I’ve got two comments on this with the first being from Elizabeth Wharton who is the VP Operations for SCYTHE:

“Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.”

And the second is from Chris Olson, CEO at The Media Trust:

“With the Austrian court’s ruling, we are finally seeing the concrete impact that emerging data privacy laws will have on unregulated third-party code. Under the hard interpretation of GDPR adopted in this case, a majority of organizations with online domains would be in violation, based solely on the activity of their digital partners.”

“Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”

I think that this will make a lot of companies scramble to rethink and reimplement how they handle data so that they aren’t the next headline that I’m reporting on.

ServiceNow Announces New Solutions For Managing Return To Workplaces

Posted in Commentary with tags on January 13, 2022 by itnerd

Amid the recent surge in COVID-19 cases across the globe, many companies are postponing their return-to-workplace plans once again. Instead, they’re bracing for a new era of hybrid work that requires agility and flexibility. 

In this new era of work, organizations need solutions that enable them to adapt to the rapidly changing environment while prioritizing employee experiences and safety.

Today, ServiceNow is proud to announce updates to their Workplace Service Delivery solution that enable further flexibility and safety to support the future of hybrid work. The updates are: 

  • Streamlining the on-site reservation process
  • Power booking for cross-office events and meetings
  • Making it easy to book desks and spaces near team members for better collaboration
  • Helping employees navigate the office with ease

ServiceNow is continuing to deliver innovation in its Workplace Service Delivery solution with its Safe Workplace Suite, including a recent integration with The Commons Project’s SMART® Health Card Verifier API to simplify the validation of vaccine record submissions within the Vaccination Status application.

For more information, check out this blog post by Blake McConnell, SVP, Employee Workflow Products at ServiceNow.

Teen Claims To Have Pwned Tesla Cars In 13 Countries

Posted in Commentary with tags on January 13, 2022 by itnerd

A 19-year-old claims to have hacked into more than 25 Tesla cars in 13 countries, saying in a series of tweets that a software flaw allowed him to access the EV pioneer’s systems.

David Colombo, a self-described information technology specialist, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys and disable their security systems. Colombo noted that he could not drive the cars remotely.

Media reports can be found here and here.

Tesla hasn’t responded to this yet. But if this is true, this is a serious problem for Tesla. And it reminds me of a similar situation with GM’s OnStar, where a researcher came up with a method to do something similar to OnStar-equipped cars, a technique that was dubbed “OwnStar”.

Morgan Whitlow, Sr. Security Researcher at www.grimm-co.com, had this commentary:

“From what has been said by Colombo both in the original posts to social media and within interviews, it sounds like this might have been a vulnerability in Tesla’s mobile companion app or the related API.

Many of the commands and functions he mentions line up with the mobile app’s features and capabilities: honking the horn, flashing the lights, unlocking the door, etc. This could explain how he’s able to perform certain commands on vehicles without being able to, say, drive it around like a toy RC car, or having to be within a certain range; the app/API doesn’t support that level of control.

If he’s found a way to exploit the app/API, or to log in as the customer, then he’s essentially tricking Tesla’s backend servers into believing that he’s the legitimate owner, and they’ll carry out any app-allowable command just the same as they would normally. That said, it’s hard to say this with any certainty until we have more concrete information, but it’ll be interesting to watch it unfold.”

I’ll be watching this very closely as this is something that Tesla will have to respond to very quickly in order to keep their owners safe and confident about their rather expensive electric vehicles. Watch this space.