Amir Etemadieh (Zenofex) of Exploitee.rs has a great write up on a series of vulnerabilities in the Western Digital My Cloud storage appliances. Zenofex is an amazing vulnerability researcher and all around good guy.
I’m not singling out Western Digital. I think they make some good products. The types of flaws that Zenofex found in this appliance are the same type that many IoT and personal “cloud” appliances contain. The devices are made to be super easy for a consumer to set up, and they allow the owner to connect to them from anywhere (many times with a smartphone app).
This ease of setup and access, though, means that they really should be hardened and secured like a real commercial production system. Hardening these types of systems should include changing default passwords, closing unnecessary ports, validating and testing interfaces, using encryption at rest and in transit, etc.
This type of hardening is well beyond the average consumer, and things like validating web applications for injection attacks are beyond many security professionals.
So, again, I’ll harp on manufacturers. They need to build in security by default. They need to test and validate their apps.
Folks like Zenofex do all of us a great service by finding these types of bugs in consumer products, but it should not be up to a curious researcher. It is the responsibility of the vendors to sell products that are safe for deployment.
The news has been buzzing with reports that Wikileaks has released a dump of confidential information on the CIA’s Center for Cyber Intelligence. The dump looks to provide more raw information than the Snowden disclosure of 2013.
The hysteria seems to be fueled by Wikileaks’ press release. Liberally sprinkled with zero day, weaponized, arsenal, cyberwar, and the like, it checks all the incendiary terms that news outlets will react to. The extent of the dump and any damage caused by the exposure will likely not be known for some time.
What strikes me more is the cultural implications. It is hard to tell whether these folks are self-obsessed, selfie-taking, fame seeking millennials or die hard patriots. Whether geeky Kardashians or digital Thomas Paine, it is clear that “secrets” don’t stay secrets for long. Snowden at the NSA and this individual at the CIA (either a current or former employee) exemplify that “security by obscurity” (or securing something by hiding it) is no security at all.
A year ago, when the Department of Justice attempted to compel Apple to build a backdoor into its iPhone products, the DoJ claimed it would protect the information. Many in the security community argued, provided amicus briefs, and supported Apple not because they like terrorists, but because it really is impossible to keep secrets hidden for long.
As Benjamin Franklin is quoted: “Three can keep a secret if two of them are dead.” He was correct in the 1700s. In the digital age, when anyone can circulate information anonymously in a matter of seconds, maybe we should paraphrase “Three can keep a secret if two of them are dead and the Internet is down.”
Today is a big day for New York banks or any “Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law [of New York].”
Beginning March 1, 2017, the state of New York will begin the two-year process to phase in the “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR 500). The rule sets forth the minimum cybersecurity requirements for financial companies doing business in New York.
Among other security requirements, covered entities will have to:
- Develop and maintain a cybersecurity program based on a risk assessment;
- Implement and maintain a cybersecurity policy;
- Designate a qualified Chief Information Security Officer (CISO); and
- Perform penetration testing.
In general, the requirements set forth in the New York rule make sense and should be a part of any strong security program already.
One of the requirements that struck me is the 72 hour reporting deadline to the Superintendent of Financial Services. What is striking (at least to me) about this provision is the lack of a law enforcement exception. In most breach notification rules, there is an acceptable delay in reporting if law enforcement is investigating the breach. No such exception is present in the New York regulation.
This is one of the stronger state regulations over the past couple years. It will be interesting to see if other state regulators follow suit.
For at least the past five years, “juice jacking” has been fairly well known in the security community. Juice jacking is a term that describes stealing data from, or implanting malicious data on, mobile devices when they are plugged into a “charging kiosk”.
Anyone who has traveled in the past few years has seen these kiosks set up in airports, hotels, concerts, conferences, and other public areas. They are becoming so common that it is hardly thought about who installed them.
In 2011 the folks at Wall of Sheep tested people at security conferences by installing a hoax kiosk that captured information off cell phones that were plugged into charge. Even at a security conference, many people plugged in.
So how do you prevent this type of attack? Well, one choice is to abstain from using these kiosks. But come on, we know you’re going to be weak. You’ll be sitting in the airport with a slowly fading battery. The kiosk will entice you.
Another option is to practice safe charging using a device like a USB condom (yes, it is a real thing). The device blocks the data connections on the USB connector, only allowing the power connections through. Because the data lines are physically disconnected, no one can read or write data to or from your device.
A third option is to not use the kiosks directly. Many now carry around a simple battery charger like this (I’m not endorsing that brand, just providing an example). These are so common that they sell them at convenience stores now. Plug that device into the kiosk, then use the device to charge your phone.
Whichever route you choose, think first, then charge.