Meta Tests Encrypted Backups and End-to-End Encryption in Facebook Messenger


Meta is also introducing an encrypted backup feature called Secure Storage


Sounding the Alarm on Emergency Alert System Flaws


The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.

The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.

“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”

Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021.

“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,’” Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”

The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.

“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”

But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.

Pyle, in a selfie that is heavily redacted because the EAS device behind him had its user credentials printed on the lid.

Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.

“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”

One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through Comcast, the nation’s third-largest cable company.

“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”

Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.

“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson David McGuire said.

The company said it also confirmed that the information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices within Comcast’s network, including EAS devices.

“We are taking steps to further ensure secure transfer of such devices going forward,” McGuire said. “Separately, we have conducted a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We’re grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate his findings and ensure the security of our systems.”

The user interface for an EAS device.

Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.

According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.

“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states. “Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”

In January 2018, Hawaii sent out an alert to cell phones, televisions and radios, warning everyone in the state that a missile was headed their way. It took 38 minutes for Hawaii to let people know the alert was a misfire, and that a draft alert was inadvertently sent. The news video clip below about the 2018 event in Hawaii does a good job of walking through how the EAS works.


Twitter Exposes Personal Information for 5.4 Million Accounts


Twitter accidentally exposed the personal information—including phone numbers and email addresses—for 5.4 million accounts. And someone was trying to sell this information.

In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

This includes anonymous accounts.

This comment has it right:

So after forcing users to enter a phone number to continue using Twitter, despite Twitter having no need to know the user’s phone number, they then leak the phone numbers and associated accounts. Great.

But it gets worse… After being told of the leak in January, rather than disclosing the fact that millions of users’ data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.

It was only when the press started to notice they finally disclosed the leak.

That isn’t just one bug causing a security leak—it’s a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.

Twitter’s blog post unhelpfully goes on to say:

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
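The lookup flaw Twitter describes above, shown as an added example rather than Twitter’s own code: an endpoint that echoes which account a submitted email or phone number belongs to, beside a hardened variant that replies identically whether or not the contact is registered and throttles repeated probing from one caller. The directory, handles and the `ContactCheck` class are constructed for illustration.

```python
"""Account-enumeration oracle of the kind described in the Twitter
disclosure, beside a hardened lookup. Added example with a constructed
directory; this is not Twitter's code."""
from dataclasses import dataclass, field

# Constructed sample data: contact (email or phone) -> account handle.
DIRECTORY = {
    "alice@example.invalid": "@alice_news",
    "+15550100": "@anon_reporter",
}


def lookup_vulnerable(contact: str) -> dict:
    """Leaky pattern: the reply reveals whether the contact is registered
    and which account it belongs to, so a pseudonymous account can be tied
    to a known email or phone number by anyone who can call this."""
    handle = DIRECTORY.get(contact)
    if handle is None:
        return {"status": "unknown"}
    return {"status": "ok", "account": handle}


@dataclass
class ContactCheck:
    """Hardened pattern: the caller always gets the same reply; any real
    action (e.g. a notification) goes to the contact's owner out of band,
    and repeated probing from one caller is throttled."""
    limit: int = 5
    outbox: list = field(default_factory=list)   # messages to contact owners
    _calls: dict = field(default_factory=dict)   # caller -> attempts so far

    def check(self, caller: str, contact: str) -> dict:
        n = self._calls.get(caller, 0) + 1
        self._calls[caller] = n
        if n > self.limit:
            return {"status": "rate_limited"}
        handle = DIRECTORY.get(contact)
        if handle is not None:
            # Act on the linkage server-side only; never echo it to the caller.
            self.outbox.append((contact, f"A lookup matched {handle}"))
        return {"status": "accepted"}


def responses_differ(lookup, known: str, unknown: str) -> bool:
    """True when a caller can tell a registered contact from an unregistered
    one purely from the reply, i.e. the endpoint is an enumeration oracle."""
    return lookup(known) != lookup(unknown)


if __name__ == "__main__":
    chk = ContactCheck()
    print(responses_differ(lookup_vulnerable,
                           "alice@example.invalid", "nobody@example.invalid"))  # True
    print(responses_differ(lambda c: chk.check("probe", c),
                           "alice@example.invalid", "nobody@example.invalid"))  # False
```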

Three news articles.


Cybersecurity Snapshot: 6 Things that Matter Right Now


Topics that are top of mind for the week ending Aug. 12 (Black Hat Special Edition) | The Black Hat USA conference returned to Las Vegas this week to celebrate its 25th anniversary, as thousands of security pros gathered in the desert to get wiser about critical challenges, including cloud security, software supply chain risks, ransomware and the rampant burnout and stress among their ranks. Here’s what caught our attention at the event.

A look back and a look ahead

In the opening keynote, “Black Hat at 25: Where Do We Go from Here?,” Chris Krebs addressed thorny questions facing the cybersecurity industry and community: Why are things so bad right now? Will it get worse? What can be done about it?

Here’s a sampling of points made by Krebs, founding partner at the Krebs Stamos Group and former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA):

Tech products are insecure by design because security considerations take a back seat to features and capabilities, and security is seen as “friction” that slows down development and innovation.
Unsafe products, distributed computing and myriad connected devices make managing risk extremely complicated, as evidenced by the difficulty in securing the cloud.
Businesses often prioritize efficiency over security when choosing what technology products to adopt, because many CEOs still don’t equate cyber risk with business risk.
Businesses also must do long-term planning, looking ahead not two quarters but rather years into potential threats, including geopolitical conflicts that could impact their IT environments.
While security vendors try to address existing and emerging threats, it’s a challenge for them to keep up the necessary pace as the attack surface expands.
The U.S. government must do better on various fronts:

Issue smarter – not more – cybersecurity regulations that focus on attaining desired outcomes. 
Manage its systems better as a user and buyer of technology. 
Rethink how it’s structured to deal with digital risk management – moving CISA out of DHS could be a step – because right now the government moves too slowly and is too difficult to work with.

This overall scenario plays into the hands of cybercriminals, allowing them to jump on a growing number of diverse opportunities to do damage. However, Krebs has hope that things can get better if all the parties involved do their part to address the critical obstacles hampering cybersecurity efforts. He specifically called on Black Hat attendees to step up to the challenge.

“Ultimately, it’s going to come down to the people in this room,” he said. “It’s going to take us as leaders to make the changes that we want to see.”

Supply chain, cloud security among infosec pros’ biggest concerns

Black Hat surveyed 180 current and past conference attendees earlier this year about what worries them the most, and supply chain risk and cloud security were among the top current and future concerns, along with phishing and direct sophisticated attacks.

Regarding the supply chain threat, which has gained steam in the past two years with the SolarWinds breach and the massive Log4j flaw, respondents are most concerned about vulnerabilities affecting:

Cloud or network services supplied by third-party providers
Systems, apps or networks maintained by contractors, suppliers, and customers
Off-the-shelf software or systems purchased from third parties
Commercial software or cloud services using insecure open source components
The internet or network connections that link their systems to customers and suppliers

With regards to cloud, the report notes a disparity between respondents’ high level of concern and their relatively low adoption of cloud security technologies, including:

Cloud permissions management – implemented by 35% of respondents
Cloud security posture management – 31%
Cloud-native application protection platform – 20%
Cloud workload protection platform – 16%

Why is this? The report ventures that it may be less about rejecting the technology “and more about the fact that security professionals are not interested in standalone tools” and would be more inclined to adopt new security features if they’re part of a broader security platform.

To dig into all the details, check out the report, which also includes interesting findings on ransomware, burnout, disinformation attacks, budget and staffing issues, and critical infrastructure security.

Behind the scenes: The CSRB’s Log4j report

Black Hat attendees got an insider’s view of the process to create the Cyber Safety Review Board’s (CSRB) much-discussed “post mortem” report about the Log4j vulnerability’s discovery. 

Two board members revealed, among many other things, that they were pleasantly surprised at the level of cooperation they found when they reached out to private businesses, governments, open source software foundations and vendors.

“Overall it was really good to see 80 different stakeholders being willing to come to the table with us, speak with us, get data – that was remarkable,” said Robert Silvers, Chair of the CSRB and Undersecretary for Policy at the U.S. Department of Homeland Security.

For example, it was surprising that the Chinese government answered the board’s call and shared its findings and insights into Log4j. 

“It’s a testament to the appetite people have to get the facts out there and to pull this kind of information together in a way where everybody can trust the facts – or at least trust they have been deeply looked at,” said Heather Adkins, Deputy CSRB Chair and VP of security engineering at Google.

Other interesting issues that came up:

The board determined that after Alibaba discovered the vulnerability, it followed the established, correct process for notifying The Apache Foundation, but that the existence of the flaw probably became public prematurely because Apache, as is common in the open source community, began to fix it publicly, albeit quietly, and the work apparently was noticed. A question on the table is how to prevent this scenario from repeating itself.

The board fully supports the concept of the software bill of materials (SBOM), but recognizes these products need to be further developed to truly realize their promise of providing granular, precise visibility into all the components of a piece of software.

There should be incentives and resources aimed at boosting the security knowledge and capabilities of open source developers, so that the code they write becomes safer.

A compassionate approach to employee security awareness

It’s a constant source of concern and frustration among security teams: Despite frequent security awareness training, employees continue to act dangerously, clicking on shady email links, re-using passwords, downloading suspicious apps and the like.

What to do? Change your approach, says Kyle Tobener, head of security at DevOps startup Copado. He shared an alternative way based on harm reduction and compassion, instead of on rigid rules and scare tactics. 

“My goal is very simple: To help you give better security guidance,” he said during his presentation.

Instead of seeking to reduce risky behavior by forbidding certain actions, Tobener suggests pointing them at the outcome of the unwanted behavior as a way to engage employees in ways to shrink negative consequences.

Risky behavior can’t be fully eradicated because it has strong incentives attached to it, such as the convenience of password reuse or the fun of downloading and using a gaming app.

Harm reduction has worked successfully in healthcare for decades – an example being needle exchange programs that helped curb the spread of HIV among intravenous drug users, while tactics like stigmatization and shaming fell short.

Tobener’s three maxims:

Accept that risk-taking behaviors aren’t going away.
Prioritize reduction of negative consequences.
Embrace compassion while providing guidance.

Tenable at Black Hat

As always, Tenable had a strong presence at Black Hat, starting with its position as a Sustaining Partner of the event and dazzling everyone on the show floor with the coolest booth, complete with snowfalls, a vodka luge, mountain-climbing bots, goofy yetis and much more.

Speakers

Tenable’s Chief Product Officer Nico Popp explained how continuous threat exposure management helps security teams prevent attacks via a better understanding of their attack surface exposure. Benefits include anticipating the consequences of a cyber attack and accurately assessing how secure you are and prioritizing efforts to reduce your risk.

Meanwhile, Tenable’s Senior Director of Product Management Shantanu Gattani spoke about the proper way to do vulnerability management in the cloud, saying that security teams must assess both their cloud configurations and what’s running in the cloud – a unification of cloud security posture management and VM.

Product announcement

Tenable chose Black Hat to announce the latest enhancements to the Tenable.cs cloud security product, unifying cloud security posture and VM in a single, 100% agentless solution from build to runtime. More details in this blog post.

Black Hat quick takes

Here’s a roundup of articles and blogs about Black Hat, to give you a broader perspective on the conference. Happy reading!

Looking Back at 25 Years of Black Hat (Dark Reading)
Black Hat USA 2022 video walkthrough (Help Net Security)
Google’s Android Red Team Had a Full Pixel 6 Pwn Before Launch (Wired)
One of 5G’s Biggest Features Is a Security Minefield (Wired)
Researcher Hacks Starlink Terminal to Warn SpaceX of Dangerous Flaws (Gizmodo)
