Firing on all cylinders with no end in sight.
Wow… what a month it’s been. We’re running on all… 12 cylinders (remember the Jaguar V12?) and don’t plan on slowing down anytime soon. September was also a busy month for the security industry as a whole. New vulnerabilities, new breaches, and new tools being revealed at conferences. Let’s dig in!
Savage Security News
In September, we investigated a job recruitment scam, published market reports on Axonius and Threatcare’s new Violet virtual assistant (!), and analyzed the Equifax breach (and were interviewed on the local news). We were at InfoSec Nashville, caught up with our friends in Louisville, KY at DerbyCon 7, then hopped on a plane to speak at the 63rd annual ASIS International conference. But, enough about us, let’s get to the news that’s affecting our security.
Our very first partner webinar!
On October 2nd, in just a few days, we’re very excited to be delivering a live webinar with our partner, Strongarm. Adrian has delivered a number of partner webinars in the past, but this is his first for Savage Security.
Adrian and Todd O’Boyle, Strongarm CTO and co-founder, will discuss a topic that leaves many organizations feeling vulnerable: breach handling. As an industry, we tend to be so overly focused on preventing the breach, we neglect planning to handle the breach once it occurs! We’ll go through some examples of breaches that were handled well, and breaches that were handled badly, detailing what could or should have been done differently in each case.
Register for this webinar with this link. Even if you can’t make the time, register and you can watch the recording later.
Blueborne and the Makings of a Bluetooth Worm
Eight Bluetooth vulnerabilities were discovered by IoT security startup Armis. They say this isn’t an issue with the Bluetooth protocol itself, but that the issue is in device-level implementations of the Bluetooth stack. Though they’ve discovered vulnerabilities across four major platforms (Windows, iOS, Android and Linux), they suggest more vulnerabilities like this may remain undiscovered on these platforms or others. This amounts to billions of affected devices — a problem Armis says came about, in part, because security researchers turned their attention to other areas.
Android: Two remote-code execution vulnerabilities, one information leak and one MitM vulnerability. Armis also released an Android app that allows users to check their device and other devices around them for the vulnerabilities. In general, if you have the August 2017 security update, you should be fine. Many Android devices don’t have the patch yet, and many never will, as software support for devices is often abandoned by wireless carriers after just two years.
Windows: Any Windows system since Vista that hasn’t installed security patches as of July 11, 2017 is likely vulnerable. The only vulnerability affecting Windows is a MitM attack.
Linux: All devices running BlueZ are vulnerable to an information leak vulnerability, and all unpatched Linux Kernels from 3.3-rc1 to present are vulnerable to a remote code execution vulnerability. Samsung’s Tizen operating system is notably included here, and runs on some of Samsung’s smartwatches, TVs and IoT devices.
iOS: Only versions of iOS prior to version 10 and AppleTV devices older than 7.2.2 are vulnerable.
As far as we know, there aren’t any exploits in the wild, yet, but PoC code is beginning to emerge. Regardless, we recommend the following security hygiene:
- Install related patches (see Armis’s Blueborne page for more details). Microsoft, Apple, Linux Kernel maintainers and Google have released patches.
- Armis recommends disabling Bluetooth. They suggest turning it on only for the duration of need and turning it back off immediately when you’re done. However, if you use a smartwatch that relies on Bluetooth, this recommendation isn’t really feasible.
- Analyze your exposure. For Windows and iOS, this is pretty straightforward, via vulnerability management and MDM reports. Android is trickier, due to the device fragmentation issue.
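The exposure analysis in the last bullet is the step most teams have to improvise, so here is an added example (not code from the post, nor from Armis) that triages a device inventory against the per-platform thresholds the post lists above: the August 2017 Android update, the July 11, 2017 Windows patches, BlueZ and kernels 3.3-rc1 and later on Linux, iOS 10 and Apple TV 7.2.2. The inventory records are constructed sample data, and field names such as `patch_level` and `patched` are assumptions made for this example rather than fields from any real MDM or vulnerability-management export.

```python
"""Blueborne exposure triage over a device inventory.

Added example, not code from the Savage Security post or from Armis. The
per-platform thresholds follow the post's summary:
  Android  - fixed by the August 2017 security update
  Windows  - needs the July 11, 2017 security updates (Vista and later)
  Linux    - BlueZ hosts (information leak); unpatched kernels 3.3-rc1 and
             later (remote code execution)
  iOS      - fixed in iOS 10; Apple TV fixed in 7.2.2
The inventory records are constructed sample data, and field names such as
``patch_level`` and ``patched`` are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

ANDROID_FIXED = date(2017, 8, 1)     # "August 2017 security update"
WINDOWS_FIXED = date(2017, 7, 11)    # "security patches as of July 11, 2017"
LINUX_FIRST_VULN_KERNEL = (3, 3)     # "3.3-rc1 to present"
IOS_FIXED = (10,)
APPLETV_FIXED = (7, 2, 2)

Finding = Tuple[str, str]  # (issue, severity)


@dataclass
class Device:
    name: str
    platform: str                       # android | windows | linux | ios | appletv
    version: str = ""                   # OS or kernel version string
    patch_level: Optional[date] = None  # date of the last applied security update
    bluez: bool = False                 # Linux only: BlueZ stack installed
    patched: bool = False               # Linux only: vendor Blueborne fixes applied


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.0-93-generic' into (4, 4, 0). Suffixes after '-' are ignored,
    so '3.3-rc1' compares as (3, 3), matching the post's kernel range."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def assess(dev: Device) -> List[Finding]:
    """Return the Blueborne findings for one device; an empty list means clear.
    A missing patch date is treated as unpatched (conservative default)."""
    findings: List[Finding] = []
    if dev.platform == "android":
        if dev.patch_level is None or dev.patch_level < ANDROID_FIXED:
            findings.append(("2x RCE, info leak, MitM", "high"))
    elif dev.platform == "windows":
        if dev.patch_level is None or dev.patch_level < WINDOWS_FIXED:
            findings.append(("MitM", "medium"))
    elif dev.platform == "linux":
        if not dev.patched:
            if dev.bluez:
                findings.append(("BlueZ info leak", "medium"))
            if parse_version(dev.version) >= LINUX_FIRST_VULN_KERNEL:
                findings.append(("kernel RCE", "high"))
    elif dev.platform == "ios":
        if parse_version(dev.version) < IOS_FIXED:
            findings.append(("iOS before 10", "high"))
    elif dev.platform == "appletv":
        if parse_version(dev.version) < APPLETV_FIXED:
            findings.append(("Apple TV before 7.2.2", "high"))
    else:
        findings.append(("unknown platform, review manually", "unknown"))
    return findings


def triage(inventory: List[Device]) -> Dict[str, List[Finding]]:
    """Map every device name to its findings."""
    return {dev.name: assess(dev) for dev in inventory}


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count exposed vs. clear devices, and how many carry an RCE finding."""
    exposed = [n for n, f in report.items() if f]
    rce = [n for n, f in report.items() if any("RCE" in issue for issue, _ in f)]
    return {"exposed": len(exposed), "clear": len(report) - len(exposed), "rce": len(rce)}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("pixel-01", "android", patch_level=date(2017, 9, 5)),
    Device("galaxy-old", "android", patch_level=date(2016, 11, 1)),
    Device("ws-finance-07", "windows", patch_level=date(2017, 6, 13)),
    Device("ws-eng-12", "windows", patch_level=date(2017, 8, 8)),
    Device("iot-gateway", "linux", version="4.4.0-93-generic", bluez=True),
    Device("legacy-embedded", "linux", version="3.2.0", bluez=False),
    Device("iphone-ceo", "ios", version="9.3.5"),
    Device("iphone-cfo", "ios", version="11.0"),
    Device("appletv-lobby", "appletv", version="7.2.1"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for name, findings in report.items():
        print(f"{name:16} {'CLEAR' if not findings else findings}")
    print(summarize(report))
```

The point of the `summarize` split is the fragmentation problem the post raises: the Android and Linux devices that never receive a patch are the ones that keep showing up in the `rce` count month after month, and that count, rather than the raw exposed total, is what should drive the decision to retire or isolate them.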
The primary concern with Blueborne is the fear of someone creating a worm that hops from device to device using Bluetooth rather than the Internet or internal networks. This is where the name comes from — a portmanteau of Bluetooth and ‘airborne’. Combine the ability to infect via Bluetooth and spreading mechanisms like those built into malware like NotPetya and you’ve got a recipe that is dangerous and able to ‘hop’ across airgaps.
We will continue to research Blueborne and will release any additional news and recommendations to our blog.
Big Firms, Big Breaches
As we all know by now, Equifax announced they had been breached. Granted, they weren’t breached in September, that’s just when it was announced, but it’s a breach that affects 143 million Americans. The difference with this breach is that those of us affected had no say in whether Equifax held our data. It’s not like Target or Home Depot, where we choose whether to purchase from those vendors, and thus whether they have our information. Instead, Equifax has all of our credit information, and we never gave them permission.
The only thing we can do at this point is hope we weren’t among the 143 million that were affected, and take some proactive approaches to keeping our personal data out of the hands of identity thieves. This includes either putting into effect credit alerts or credit freezes (or both). In Massachusetts there is a senate bill that will remove the fees associated with enacting a credit freeze, and I suspect we’ll see more of this go around.
Deloitte also revealed that they too had been the target of a cyber attack, and sources close to the investigation claim that the breach dates back to fall 2016 and involved the compromise of internal administrator accounts as well as their email system.
Now it seems we can’t even get our gluten-free, dye-free, animal-testing-free food at Whole Foods (now an Amazon company) without our data being compromised! At the end of the month, Whole Foods announced that they were investigating unauthorized access of payment card information being used at some of their taprooms and table-service offerings. It’s worth noting that Whole Foods believes only patrons who visited the taprooms and table-service restaurants may be affected; if you just bought your groceries at Whole Foods, you’re in the clear.
Our take is that, regardless of size and budget, without a solid foundational security plan and continued testing of security controls, it’s easy to miss vulnerabilities and holes in your game. That’s why we’re pretty excited to announce our…
Breach Impact Assessment
After thinking on it, we’ve decided that the best way we can help is to offer a breach impact assessment. The goal of the breach impact assessment is to answer the following questions:
- Was data exfiltration possible?
- Did you see the breach?
- How long did it take to notice the breach?
- How effective was the Incident Response process?
Coming out of it, we’ll provide information about the security controls you have in place, whether they are providing value, and how effectively you respond to incidents. It fits in with our philosophy that security should be provable, measurable, and effective. Best of all, it’s absolutely free (our gift policy allows us to accept the offer of a coffee or beer, however). To take advantage of this service, simply contact us, and we’ll get it scheduled.
We continue the new Market News section, where we briefly cover new and interesting things we’ve seen, but haven’t had a chance to research in-depth or write about.
Active Directory-focused security offerings now appear to be a thing. It’s unsurprising: Microsoft’s Active Directory holds the vast majority of the market, making it a prime target for attackers. For pentesters, obtaining “DA” (Domain Admin, the highest level of privilege in an AD environment) is often a key goal in any engagement. Compromising AD is an important goal for real attackers as well, and according to most breach analyses, Active Directory often makes the attacker’s job significantly easier.
We don’t yet have a good roundup of vendors here, but we’ve seen Active Directory security vendors with booths at the last three conferences we attended. The timing of this is interesting, as we see the industry moving away from giving users access to the internal corporate network, opting for SaaS and cloud-based services instead. You can find some discussion of this polarizing internal vs. external dilemma on JumpCloud’s blog, this Duo Security post and descriptions of Google’s BeyondCorp concept, which we mentioned in last month’s newsletter.
Oct 2 — Adrian will be co-presenting a Strongarm webinar with Todd O’Boyle at 2pm EST.
Oct 3 — Kyle and Adrian join Jake James and Tori Lee on the 94Z morning show: The Morning After.
Oct 9–10: Adrian and Kyle will be attending Hacker Halted in Atlanta.
Oct 17–18: Kyle will be attending and speaking at EDGE ‘17.
About Savage Security
Savage Security is a cybersecurity research and consulting firm, founded by industry experts with over 30 years of combined experience. We are trusted advisers for our customers, whether providing market services to improve their products, or building defensive strategies to secure their environments.
Interested in any of our consulting, market or subscription services? Drop us an email (info at SavageSec dot com) or go old school and give us a call at (844) 572–8243.
Our website and brochures go into more detail on how Savage Security can help you with your security needs or research project.
This is a Security Bloggers Network syndicated blog post authored by Kyle Bubp. Read the original post at: Savage Security Blog - Medium