The IT Nerd

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, releasing the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. Why is this important? Here’s why:

Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.

In short, you need to pay attention to this list so that if you have exposure to these weaknesses, you can take the required actions to protect yourself.

Joe Saunders, CEO, RunSafe Security had this to say:

“As the Top 25 shows, memory-based exploits remain the most devastating weaknesses in software and account die the most known exploits targeting weaknesses. We must defend against these memory-based exploits or adversaries will be able to take down our critical infrastructure. It’s imperative to prevent attackers from exploiting memory-based weaknesses in software which are the most dangerous vulnerabilities with the most numerous known exploits targeting systems today.

These results are consistent with CISA Director Jen Easterly’s call to solve memory-based weaknesses in code. The sad reality is we cannot afford any more years to go by without immunizing our critical infrastructure from such attacks. This list is no surprise: Not only do CISA and NSA know memory-based software weaknesses threaten our critical infrastructure, but so do our adversaries.  We must achieve memory-safety now or China may disrupt the services we all take for granted, such as powering our facilities or distributing water.”

This is a good initiative. Thus we should all pay attention to this list so that our exposure to these vulnerabilities is reduced.

Last year, President Biden created the Cyber Safety Review Board, with the intention that (akin to the National Transportation Safety Board) the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations. In relation to that, The U.S. Department of Homeland Security (DHS) released its first Cyber Safety Review Board’s (CSRB) report. It should be considered required reading:

Chris Clymer, Director & CISO, Inversion6 had this to say:

Log4J shined a light on long-standing problems in our software supply chain.  IT systems have become incredibly complex, with layers and layers of components put together by layers and layers of integrators and developers.  All of which is often compiled and built in ways where it is extremely difficult to know what components are included in a system your business relies upon.

This CSRB report is filled with great recommendations, and helps to reinforce that the Log4J issue has not gone away, and that there are likely numerous similar problems out there still unidentified.  CISA has done really great work raising awareness on security the last few years, becoming a singular voice on cybersecurity for the government.  So its striking that this report says that for all that, CISA should be doing MORE to assess and raise awareness.  Theres clearly more improvements to keep making.  They also recommend that the CISA guidance be taken from optional to mandatory by state and federal regulators.  I’m skeptical that many laws will pass here in our current political environment…and sadly, I agree that short of regulations REQUIRING organizations to do things like maintain a Software Bill of Materials, organizations are unlikely to prioritize investing the significant time and money into these efforts.  Many would like to…but the costs to really address these problems will be high.  Without regulatory cover, it is difficult to explain to stockholders why you’re making these investments…especially if you’re the first one making that shift.

This is fundamentally a good thing. For too long, cyber incident response has been uncoordinated, with a lack of systematic review at the Federal level. I look forward to seeing future reports as this one is very instructive.

The Department of Homeland Security is concerned that according to an “intelligence note” found among the BlueLeaks trove of law enforcement documents, masks related to COVID-19 are breaking police facial recognition:

The rapid global spread and persistent threat of the coronavirus has presented an obvious roadblock to facial recognition’s similar global expansion. Suddenly everyone is covering their faces. Even in ideal conditions, facial recognition technologies often struggle with accuracy and have a particularly dismal track record when it comes to identifying faces that aren’t white or male. Some municipalities, startled by the civil liberties implications of inaccurate and opaque software in the hands of unaccountable and overly aggressive police, have begun banning facial recognition software outright. But the global pandemic may have inadvertently provided a privacy fix of its own — or for police, a brand new crisis. A Homeland Security intelligence note dated May 22 expresses this law enforcement anxiety, as public health wisdom clashes with the prerogatives of local and federal police who increasingly rely on artificial intelligence tools. 

The bulletin, drafted by the DHS Intelligence Enterprise Counterterrorism Mission Center in conjunction with a variety of other agencies, including Customs and Border Protection and Immigration and Customs Enforcement, “examines the potential impacts that widespread use of protective masks could have on security operations that incorporate face recognition systems — such as video cameras, image processing hardware and software, and image recognition algorithms — to monitor public spaces during the ongoing Covid-19 public health emergency and in the months after the pandemic subsides.” The Minnesota Fusion Center, a post-9/11 intelligence agency that is part of a controversial national network, distributed the notice on May 26, as protests were forming over the killing of George Floyd. In the weeks that followed, the center actively monitored the protests and pushed the narrative that law enforcement was under attack. Email logs included in the BlueLeaks archive show that the note was also sent to city and state government officials and private security officers in Colorado and, inexplicably, to a hospital and a community college.

Given the fact that the US is number one when it comes to COVID-19 infections, you would think that the health of the nation would matter more than using facial recognition. But I guess not.

Facial recognition is racially biased, and it doesn’t work to actually catch the bad guys. But it really seems to me that law enforcement is really laser focused on trying to make it a tool that works despite evidence to the contrary. That alone doesn’t seem to be a viable strategy to me. But add on top of this the fact that masks have become an issue, and I have to shake my head.

This story doesn’t exactly sit well with me seeing as later this week I will hopping on a 787 Dreamliner to fly to India for a week. But I’ll put that aside for a moment. Apparently the folks at DHS wanted to find out what kind of threat a hacker could pose to an aircraft. Could they pwn it and cause havoc to the flying public? To find out, they purchased a 757 and went to town on it. Here’s what happened next:

A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

So while I likely don’t have anything to worry about, a lot of people do quite clearly. Now that this is public, it will be interesting to see how airlines who run this older equipment along with companies like Airbus and Boeing deal with this. Because you can be sure that the bad guys will be looking at this too now that they know that this is possible.

It’s not clear what’s going on, but news is filtering out that employees of the Department Of Homeland Security are locked out of some of the agency’s networks because their Personal Identity Verification cards are apparently not working:

Employees began experiencing problems logging into networks at 5 a.m. ET on Tuesday due to a problem related to the personal identify verification (PIV) cards used by federal workers and contractors to access certain information systems, one source said. At least four DHS buildings were affected, the source said, including locations used by U.S. Citizenship and Immigration Services.

Another source said the cards did not appear to be responsible. DHS did not immediately respond to requests for comment.

This could be a widespread technical issue, or something more sinister.It isn’t clear which at this point. But this is a story worth watching. As I get more info, I’ll post it here.

UPDATE: The Reuters story that I quoted has been updated with this:

In a statement, a DHS official confirmed a network outage that temporarily affected four U.S. Citizenship and Immigration Services (USCIS) facilities in the Washington area due to an “expired DHS certificate.”

Reuters first reported the incident earlier Tuesday, which a source familiar with the matter said also affected a USCIS facility in Philadelphia.

And this:

The source characterized the issue as one stemming from relatively benign information technology missteps and a failure to ensure network redundancy. There was no evidence of foul play, the source said, adding that it appeared the domain controller credentials had expired on Monday when offices were closed for the federal Presidents Day holiday.

“We are working to track all device certificate issuance and expirations to ensure future lapses of service do not occur,” the DHS official said in the statement.

The next time that you go to the US, you may have to hand over your Twitter handle as well as your passport if US Customs & Border Protection gets their way. A proposal to ask people to provide details of their social media accounts, such as Twitter, Facebook, Instagram or whatever else, before entering the United States. This of course is causing people to freak out. A coalition of 28 groups, including the American Civil Liberties Union, Center for Democracy & Technology, Consumer Federation of America, and Electronic Frontier Foundation, has sent a joint letter on the last day of the Department of Homeland Security’s public comment period to say that the proposal is a #fail on the grounds that this is beyond invasive and should be scrapped. Now DHS argues that this is required because they would be able to spot those who would do harm to the US because of what is in their social media accounts.

I have to ask the question. Is a terrorist really going to tip their hand on Twitter that they’re going to do something in the US? Is something like that really easy to find via an algorithm or with a bunch of humans scanning various social media sites? Plus keep in mind that Twitter for example has been actively suspending the accounts of people they consider to be terrorists. So I have to wonder how effective this will be. Maybe DHS has some master plan that would make this effective? I don’t know. What I do know is that on the surface, this doesn’t seem to be a great idea, or a great use of taxpayer money. But in the interest of being able to enter the US, you might want to keep your social media accounts as clean as possible.

Deputy Under Secretary for Science and Technology Dr. Robert Griffin announced the launch of a new take on the Science and Technology Directorate’s (S&T) annual Year in Review at the Internet of Things (IoT) World Forum in Santa Clara, California. The interactive, web-based report provides a guided tour of S&T’s successes and developments in 2015.

S&T’s Year in Review includes highlights from 37 of S&T’s projects that represent the directorate’s progression toward meeting long-term visionary goals. The review includes an introduction on programs and initiatives and further discusses how S&T meets its mission and fits into the larger mission of the department.

A video by Under Secretary for Science and Technology Reginald Brothers opens the review with an overview about what sets S&T apart from other research and development organizations, how the department is facing shifts in research and development funding, and where directorate is going in the future with its visionary goals.

S&T’s Year in Review breaks down the directorate’s research and development efforts and the measurable differences it has brought to the homeland security landscape with animations and graphic features as aids. From the FINDER technology that saved four lives in Nepal to the improved structure fire fighter gloves that keep firefighters safe from punctures and burns—S&T tells its story of addressing problems from the global to the community level.

With this review, S&T shows the directorate’s commitment to effective communication, which was highlighted in the S&T Strategic Plan published in 2015. This review is one of the many vehicles through which S&T has worked to inform, educate, and even captivate its audience in new and inventive ways.

I’ve written about the fact that US Customs And Border Protection has a habit of searching laptops of travellers. That might be changing thanks to a court decision that came down on Friday:

The Ninth Circuit Court of Appeals ruled that Homeland Security’s border agents must have “reasonable suspicion” before they can legally conduct a forensics examination of laptops, mobile phones, camera memory cards, and so on.

Today’s opinion (PDF) is a limited — but hardly complete — rejection of the Obama administration’s claim that any American entering the country may have his or her electronic files minutely examined for evidence of criminal activity. Homeland Security has said the electronic border searches could detect terrorists, drug smugglers, and people violating “copyright or trademark laws.”

It’s only a limited rejection because certain warrantless searches at the border remain permissible: The judges said that “a quick look” or “unintrusive search” of a laptop, such as asking its owner to turn it on and peruse open windows, is perfectly OK. In addition, the court indicated that previous criminal history qualifies as “reasonable suspicion” that justifies a complete forensics analysis.

This will not stop warrantless searches. But perhaps it may reduce them because you have to wonder about the need to just search anyone they come across in an airport or at a border crossing. Personally, I’m not a fan of this and I am not convinced that any country that does this is making that country any safer.