“Stir Friday” – an interesting look at cyber-security

July 15, 2016

Following is a regular Friday newsletter from a friend of mine, Christopher Pogue, who is an expert in the field of cybersecurity. More and more organizations are being hit and their operations, as well as their reputations, are being damaged by breaches in their cybersecurity. It follows that even us non-cyber savvy people need to know more about what is happening in this area and how leaders can better protect their organizations. Christopher gave me permission to post his newsletter and I hope you find it interesting and helpful!

BG

Stir Friday

  1. China Hacked the FDIC – and US Officials Covered it Up, Report Says
    1. According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency’s top officials: the FDIC chairman, his chief of staff, and the general counsel.  – This is always a very slippery slope to assign blame to entire foreign governments for specific data breaches.  I would assume they have the evidence necessary to adequately support such as claim. 
    2. When congressional investigators tried to review the FDIC’s cybersecurity policy, the agency hid the hack, according to the report.   – Well that’s nice. 
    3. The FDIC refused to comment. However, in a recent internal review, the agency admits that it “did not accurately portray the extent of risk” to Congress and record keeping “needs improvement.” The FDIC claims it’s now updating its policies.  – Unbelievable – this is the sort of thing that perpetuates the notion of a governmental double standard.
    4. Congressional investigators discovered the hacks after finding a 2013 memo from the FDIC’s own inspector general to the agency’s chairman, which detailed the hack and criticized the agency for “violating its own policies and for failing to alert appropriate authorities.” – Good for him!
    5. The report also says this culture of secrecy led the FDIC’s chief information officer, Russ Pittman, to mislead auditors. One whistleblower, whose identity is not revealed in the report, claimed that Pittman “instructed employees not to discuss… this foreign government penetration of the FDIC’s network” to avoid ruining Gruenberg’s confirmation by the U.S. Senate in March 2012. – Again, unbelievable.
  1. Serious Vulnerability Affects Over 120 D-Link Products
    1. IoT security startup Senrio reported last month that it hadidentified a stack overflow in D-Link’s popular DCS-930L Wi-Fi cameras. Researchers said the vulnerability can be exploited by a remote attacker for arbitrary code execution, including the ability to overwrite the administrator password of the affected devices. – That’s not good.
    2. The vendor has analyzed the vulnerability and determined that it actually affects more than 120 D-link cameras, access points, routers, modems, storage solutions and connected home products. – Ouch…more bad news.
    3. The flaw exists in a service responsible for processing remote commands and it can be exploited with a single specially crafted command. – And the hits keep on coming…I’m Casey Kasem and on with the countdown.
    4. D-Link plans to patch the vulnerability in each of its products soon – starting with DCS cameras, which account for a majority of affected devices. The company said it will address the issue by removing the command that can trigger the vulnerability. – I hope they validate that A) this fix works, and B) the fix does not unintentionally create additional vulnerabilities.
    5. This is not the first time concern over shared code in IoT devices has been raised. Earlier this year, it was discoveredthat surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to a Remote Code Execution (RCE) vulnerability because of shared firmware code. -This is going to become increasingly common as IoT providers share firmware or other types of code.
  1. Zero-Days in BMW Web Portal Let Hackers Tamper with Custom Cars
    1. Benjamin Kunz Mejri, security researcher for Vulnerability Lab, published yesterday two zero-day vulnerabilities in the ConnectedDrive portal that BMW has failed to patch for the past five months.  – Oops.
    2. The first issue is a session vulnerability that allows a user to get access to another person’s VIN – Vehicle Identification Number.  – Seems arbitrary right?  Wrong.
    3. Some of the settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on. – And “so on”?  I bet BMW owners would certain like to understand what encompasses, “and so on”. 
    4. The second issue is an XSS (cross-site scripting) bug on the portal’s password reset page.  This XSS bug can lead to any of the regular complications that come from such Web attacks, such as browser cookie harvesting, subsequent CSRF attacks, phishing attacks, and more.
    5. Mejri claims he notified BMW of these two issues in February 2016. Since BMW has failed to answer Mejri’s bug reports in time, the researcher went public with his findings. An in-depth description of the issues, complete with proof of concept exploit code can be found here (first issue) and here (second issue).         – Interesting.  I wonder what the holdup was?
  2. Home Depot Challenges Banks’ Standing to Recover Losses Related to Data Breaches
    1. Home Depot is trying to ensure that banks, like individual consumers, have little recourse in court against businesses that suffer data breaches. – Hrm…not sure how I feel about this?  I mean, if the banks are out money due to the breach, then it seems logical that the breached entity would be responsible for reimbursing them for their losses.
    2. On July 5, the company asked a federal judge in the Northern District of Georgia to certify for interlocutory appeal his May order preserving the great majority of claims brought by a proposed class of financial institutions and credit unions against Home Depot in multidistrict litigation arising from its 2014 data breach.
    3. In his May ruling, the judge concluded that the financial institutions and credit unions had pled actual injuries — including the loss of money through card reimbursement, fraudulent charges and transaction fees — that gave them standing. But Home Depot argues in its motion for certification that the banks had simply lumped together a list of their injuries in six paragraphs of a 283-paragraph complaint, with no institution alleging its own specific injuries.         – Yes…right there…money lost from card replacement, fraud, and transaction fees.  Not sure about what else was “lumped in”, but those three items sound reasonable.
    4. In the second paragraph of its motion, Home Depot asserts that “financial institution claims are becoming more and more prevalent in the wake of a data breach.” The retailer suggested that this trend was “undoubtedly due to the difficulties consumer data breach plaintiffs have establishing standing” under theU.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International, which held that plaintiffs need to prove they have suffered actual harm or a definite impending injury to satisfy standing requirements.  – A new precedence was set in the 7th Circuit Court of Appeals in the Remijas v. Neiman Marcus case in which Judge Diane Wood indicated that presumptive damages stemming from the loss of payment card data pursuant to a data breach would satisfy Article III.  After all, why else would hackers steal payment card data if not to use it fraudulently?
    5. Section 5 of the FTC Act empowers the Federal Trade Commission to bring claims for unfair or deceptive trade practices against a wide range of businesses, although private parties can’t wield that authority. In its motion, Home Depot is asking the Eleventh Circuit to determine whether a violation of the unfairness prong of the FTC Act can give rise to a negligence per se claim, as the court has thus far permitted in this case.  – Ooooh…this is legally very exciting!  This ruling will set precedence to determine if non-consumers (in this case banks) are protected by Section 5.  If the ruling grants such status to non-consumers, my guess is that we will see a significant increase of filings by financial institutions against breach victims.  This only underscores the importance of obtaining external legal counsel in the event of a breach – anticipate litigation!
  1. Twitter’s CEO Jack Dorsey’s Account Hacked
    1. The Twitter chief executive,Jack Dorsey, had his Twitter and Vine accounts hacked.  – DOH!
    2. The hacking group which posted on Dorsey’s account, OurMine Security, is the same groupwhich has previously defaced social media accounts belonging to Facebook CEO Mark Zuckerberg and Google boss Sundar Pichai.
    3. As with every previous hack carried out by OurMine,Twitter itself was not the source of the compromise. This time, the hackers appeared to have gained access to Vine, and used their access there to post to the main feed. Previous weak links used by the group have included Bitly and Quora. – Um…Twitter owns Vine…soooo…ya…there’s that.
    4. To protect themselves against similar hacks, users should ensure that not only are their social media accounts locked down, with two-factor authentication and secure passwords, but that so too is every other account that can post to their main feed. That includes Quora, Bitly and Vine, as well as many more.        – Might be a good time to change your Twitter password if you haven’t done so in a while.

Thanks for reading and have a great weekend!

Christopher Pogue, MSIT, CISSP, CREA, GCFA, QSA

Chief Information Security Officer
chris.pogue@nuix.comwww.nuix.com

13755 Sunrise Valley Drive, Suite 200, Herndon, VA 20171

Ph: +1 (918) 994-6410 | M: +1 (918) 269-3470
Skype: cepogue | Twitter: twitter.com/nuix