Thursday, November 23, 2017

Cyber Updates - 23rd November 2017

Final Release of the new OWASP Top 10

The final version of the OWASP Top 10 2017 has now been released. Following a controversial RC1 release, the project underwent a significant overhaul in the past six months, including a change of leadership and a move to a fully transparent methodology based on submitted data and community feedback. The final release removes CSRF and Unvalidated Redirects, merges two previous categories into Broken Access Control and introduces three new categories: XML External Entities, Insecure Deserialization and Insufficient Logging and Monitoring.

Key takeaways:

  • Many standards and frameworks reference the OWASP Top 10 or require companies to demonstrate that they are addressing the risks it lists. Application security teams need to understand the newly added risks, including how to test for them and how to build applications that are protected against them.
  • It is also important to remember that this is only a condensed list; a full application security program needs to consider the whole spectrum of potential application security issues.

Uber Reveals Data Breach of 57 million records

Bloomberg broke a story this week that in 2016 Uber paid hackers to delete, and not disclose, 57 million records stolen in a data breach. The data included names, email addresses and phone numbers for 50 million Uber users and data on 7 million drivers, including US driving licence details. Uber itself has stated that it had a legal obligation to disclose the breach but did not do so.

Key takeaways:

  • One of the key concerns in this case is that Uber did not disclose the breach when it was legally (and ethically) obligated to do so. Disclosure obligations should be among the first considerations when a data breach is discovered.
  • Another key concern is that Uber effectively paid a "ransom" to the hackers despite potentially having no way of verifying that the data had been deleted and would not be used. As well as being potentially illegal, this is generally a poor approach to dealing with a situation of this kind.

Serious Intel CPU Vulnerabilities Disclosed

Following some speculation, and based on findings from external researchers, Intel released a security advisory detailing significant security vulnerabilities in a number of its CPUs used in desktops, servers and "Internet of Things" devices. The vulnerabilities could allow an attacker to remotely take control of affected machines and access privileged data. This is particularly serious because the vulnerability is in the CPU itself and is therefore completely separate from the main PC operating system, so operating system patches alone do not address it.

Key takeaways:

  • IT organisations should review their asset inventories for affected CPUs and work with the relevant system manufacturers (e.g. Dell, Lenovo, HP) to obtain and apply updated firmware.
  • Defence-in-depth measures such as network segmentation and endpoint isolation should always be in place to limit the impact of a vulnerability of this kind.

From XSS to RCE: Hidden Uses of JavaScript

We are starting to see applications written using "Electron", a technology which uses Node.js to allow desktop applications to be written as if they were web applications (HTML, CSS and JavaScript). A Swiss security researcher published an article detailing how he found a Cross-site Scripting (XSS) vulnerability in GitHub's Atom text editor and was able to escalate it to Remote Code Execution because of the way Electron exposes Node.js APIs to page script.

Key takeaways:

  • Application developers should fully understand the security implications of adopting new technologies and frameworks before building on them.
  • Less mature frameworks will have less security guidance available, so careful security testing should be performed before deployment.

Josh Grossman
Senior Information Security Consultant and Team Leader