Welcome to Cyber Security Today. This is the Week in Review edition for Friday, March 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by IT World Canada CIO Jim Love for some news analysis. But first a roundup of some of the other news from the past seven days:
A number of IT companies including the HackerOne bug bounty program and Microsoft’s GitHub platform are calling on companies to publicly commit to cybersecurity best practices. Jim and I will talk about this report.
We’ll also talk about an analysis of vulnerabilities found last year around the WordPress content management platform. Of 35 plugins deemed critical, nine weren’t patched by the developers.
And we’ll also touch on a vulnerability found in unpatched collaboration systems made by Canadian-based VoIP provider Mitel that can lead to huge denial of service attacks.
Samsung confirmed a big data theft after the Lapsus$ hacking group said it copied and began leaking some 190 GB of company data. That includes source code used in its Galaxy mobile devices.
Meanwhile, following the Lapsus$ gang’s data theft at Nvidia, threat actors began using stolen Nvidia code signing certificates to sign and legitimize malware for installation on victims’ computers.
A New York City company called Adafruit, which makes electronic components, admitted that a dataset with real customer data used for training could have been seen by anyone who could access an employee’s GitHub account.
Last week my guest commentator and I discussed troubles facing the Conti ransomware gang after it was hacked by a Ukrainian security researcher. But that apparently hasn’t hobbled its operations. New alleged victims are being added to Conti’s data leak. They include a Canadian broadloom manufacturer and a precision machining firm.
And as the back and forth cyberwar with Ukraine goes on, Russia said some of the websites of its federal agencies were compromised this week. An unknown attacker leveraged the statistics widget on the sites used to track the number of visitors.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast)
Howard: Let’s first start looking at a call from HackerOne, GitHub, TikTok and Starling Bank, who are calling on companies to be more upfront publicly on their cyber security practices. They want to see more transparency, collaboration, innovation, and differentiation. Jim, what’s this about?
Jim: First of all, let me say transparency is a word like fingernails on an old chalkboard for me … Transparency is a made-up business word. But in this particular case it does come home with some real needs and facts and things. This report is important, and it’s important for a number of reasons. It comes down to this whole idea that we should be more honest and upfront about what we’re doing, what the risks are of hacking, whether we’ve been hacked or not. I picked up one stat from this report: It said 63 per cent of organizations surveyed want to be seen as infallible by their customers. If you do, you’re setting yourself up for a big fall. You want to be seen as infallible by the tech community? No way. Everybody knows everybody’s been hacked. It’s just that simple. Everybody’s been hacked. Everybody will be hacked. The question is how we respond to it, and that’s where this need for straightforwardness and honesty really comes into play.
You did an interview with somebody and later they phoned me and complained about being quoted. In this case the CEO had referred them to you. And the person said, ‘I didn’t think I was going to be quoted in the press.’ But what he was upset about was he gave an honest answer to your questions. I think he acquitted himself marvelously. But we have this fear of talking openly about things that have happened. I find it to be insane, especially since none of this is hidden. We don’t find out somebody’s been hacked by telepathy. It’s all over the internet. So transparency is already there. The question is, when you get hacked or when you have an incident, how well are you going to deal with it? Are you going to speak authentically and honestly and openly? I think it’s the best thing to do. For people old enough to remember the Watergate break-in [when the Democratic Party headquarters was broken into by Republican operatives in 1972], the crime was the cover-up. If you try and cover up a hack you’re in deep trouble.
Howard: A number of years ago Uber tried to cover up a hack, and they got a lot of public flak about it. But on the other hand it doesn’t seem to have affected Uber’s revenue. So maybe a lot of organizations are looking back at them and saying, ‘Hey, if we say nothing about a hack or we say very little we can get away with it. It doesn’t affect corporate reputation.’
Jim: Yeah, security through obscurity, right? It doesn’t work. In the [HackerOne] report they also point out that 53 per cent of firms surveyed say they’ve lost customers as a result of a security breach. And I will take a wild guess and say that they didn’t lose them because of a security breach — they lost them because of how they handled a security breach. That’s part of it: If we say ‘We’re infallible,’ then when we fail, it’s a big fall. You put something on a pedestal it’s only got one place to go. So be honest and upfront: ‘We live in a complex environment. We are attacked [online] consistently. We will build the best cyber defenses we can, and if we have been infiltrated we will be straight with you.’ I don’t think you can do any harm, and I think that’s what this report is about: Be straight with people. Obviously, prepare your employees, train them to do things, to make the right speeches, to handle the press — but be honest. It’s going to go a long way.
Howard: There’s a difference between being a publicly-traded company — and therefore you owe shareholders, and there may be some regulatory obligation to make a public statement — and a private company. Private companies may feel they don’t have to make a public statement. It wouldn’t surprise me that their lawyers are telling them that. I often get tipped off that hacking groups, ransomware groups will list companies who they say have been hacked and they are starting to leak their data, and so I phone the companies and say, ‘So-and-so ransomware group is saying that they’ve hacked you and they say that they’re leaking your data. I’d like to have some comment from you.’ And they say nothing. They may say, ‘We will try to get back to you,’ or I can’t get a hold of them — probably because they’re dealing in crisis mode and all you can do is leave a message on the CEO’s answering machine — and I hear nothing.
Jim: Because they think they can keep you at bay. This is also a reflection of poor planning and poor training if you have nobody in your organization assigned to speak for the organization when you’ve been hacked. You have failed in your planning. And if you haven’t had somebody who’s actually thought through what they’re going to say and what the approach is going to be, then you failed to plan — and you can fall into that 53 per cent of companies who say that they’ve lost clients. I have never seen a company fail who had an honest approach. As a matter of fact, I was going to do some sales work at one time and I was told, ‘If you make a mistake with a client, the first encounter you have with them after, you rectify it.’ You get a client for life, and I think security is a lot like that. If you’re going to get hacked, it’s out there anyway. How are you going to present your case? Speak honestly. And by the way, you have to report if you’ve been hacked [to privacy commissioners] if there’s a real risk of personal harm.
Howard: Except you have to report it in confidence to a privacy commissioner, depending on what province you’re in and depending on what industry that you’re in [whether it comes under federal jurisdiction]. It’s not that you have to report it publicly.
Jim: But you also have to report it to the people who have been affected.
Jim: One of the things I learned when I was doing tech support in the early days is the hardest time to talk to somebody is when you don’t know everything. That’s the time when you most need to talk to them. So, too, if you’re going to be dealing with a crisis. The people who are effective are honest, open, and have thought through how they’re going to handle this. Again, most companies don’t have a communication plan or a plan for communicating when they’ve had a hack. And that’s a mistake.
Howard: How many organizations do you think are going to join this call by HackerOne and its supporters?
Jim: Not enough. And those might not be as transparent as one might hope. But it’s a start.
Howard: Let’s move on to the report on WordPress vulnerabilities. It comes from a security firm called PatchStack, which does an annual report. This is important because it estimates 43 per cent of websites use WordPress for running news sites, blogs and e-commerce sites. In 2021 PatchStack found nearly 1,500 vulnerabilities in WordPress or plugins and themes from developers. That’s almost twice as many as were found in 2020. The overwhelming number of those vulnerabilities — well over 90 percent — were in plugins and themes, not in WordPress itself. Not only that, 35 of the vulnerabilities that were found were critical vulnerabilities and only nine of them were patched. What do you make of this?
Jim: WordPress has 43 per cent of the market — I was actually surprised it was that high — so hackers are going to go after it. They go after the weak link: plugins, templates, all of those sorts of things. These are not surprising statistics when you think about them. Ninety-nine point five per cent almost of the vulnerabilities are in themes and plugins. WordPress itself does a fantastic job of keeping up to date. They’ve even done good work to make plugins. They’ve patched a couple of the holes where plugins could be attacked. It used to be called the dependency confusion. You could actually hook and update a plugin from another if you knew the slug. It’s a WordPress thing. The plugin vulnerabilities are still there, and if I read the report right those are where the major colossal exposure exists. Who’d have thought that a theme — which gives you colours, presentation text and all kinds of facilities and things like that — can compromise your entire site? It’s a bit of a mess, but I think it comes down to ‘Don’t upload a plugin unless you’ve researched. If it’s free, it probably means it’s not getting the support you want [for patches] … Only load plugins that you can find in research, if you don’t have the tech support to actually look at how they’re working.’
Howard: Finally, let’s turn to the report on three vulnerabilities in Mitel Telephony products.
Cloudflare, Telus, Akamai and others found problems in Mitel’s MiCollab and MiVoice Business Express collaboration systems used in these Voice-over-IP systems. Approximately 2,600 of these systems worldwide have been incorrectly provisioned. An unauthenticated system test facility has been inadvertently exposed to the public internet, allowing attackers to leverage these PBX VoIP gateways as denial-of-service reflectors/amplifiers, which is a long way of saying they can be responsible for huge DDoS attacks. In theory they could last up to 14 hours against a target website.
Jim: It’s a huge number. Who’d have thunk that your VoIP system is [software] code? It’s an [IT] system like anything else. You can’t treat a VoIP phone system like it’s not code and vulnerable. When VoIP systems first started I was working with this young kid who was trying to build his own VoIP company. He was doing great stuff. Then he called me up and said, ‘I don’t know what to do. I’ve run up $10,000 in long distance charges because people hacked my system.’ Why? He’d left it obviously open. I was reflecting on that when I looked at this report and I went, ‘Ah. Unauthenticated system test facilities.’ First of all, it astounds me that we still treat test environments like they’re not computer facilities. You will find test environments with passwords that are feeble, that are exposed, that are not maintained, where the software is the underlying operating software and is not kept up — all of the things that you might do in your production system. [Sarcasm] … This should be a wake-up call for everybody: go out and talk to your testing people and ask if they are following the same procedures … The other part of this is it’s another supply chain vulnerability. We’re going to see a lot of these this year: ‘Who am I going to hack? Well, let’s hack somebody who’s got lots of customers. We’ll filter through all of the customers who were touched by this.’ And it takes only a single spoofed authentication packet [to launch a DDoS attack].
Howard: How can it be mitigated?
Jim: By making sure that our test facilities have the same protection as we assign to production. Test should be a rehearsal for production and they should be dealt with as being sensitive. This is just the tip of the iceberg. There have been lots of things that have been leaked because people have copied over data from their production system to their test systems and left that exposed.
Howard: The good news is tens of thousands of these devices have been purchased and deployed worldwide but only 2,600 are vulnerable.
UPDATE: An expert at the SANS Institute posted this comment: “This technique, dubbed TP240PhoneHome (CVE-2022-26143), leverages UDP port 10074, a system test service, which should not be internet accessible. If you have the Mitel products, verify that you’re restricting access to that service. The most recent software update from Mitel makes sure this port is locked down. Even so, verify that you’re protecting and monitoring use of that service. All this attack takes is a single malicious command to release a flood of 4.3 billion packets over about 14 hours, or about 2.5TB of traffic at about 393 Mb/sec from a single amplifier.”