Tuesday, January 2, 2018

Cyber Updates - 2nd January 2018

Breach at PayPal subsidiary

PayPal disclosed at the start of December that the personal information of 1.6 million individuals may have been exposed when a subsidiary, TIO Networks (acquired in July 2017), was breached. It is not clear whether the breach occurred before or after the acquisition, but TIO's systems had not yet been integrated into PayPal's environment, which was therefore not at risk. TIO had already suspended operations in November 2017.

Key takeaways:

  • Acquisitions can expose a well-controlled technology environment to new and unknown security risks if the new subsidiary's network is less well controlled.
  • Security due diligence should be part of the pre-acquisition process and the new environment should be carefully reviewed before integration into the main environment (as appears to have happened in this case).

Serious Privilege Escalation bug in macOS

A very serious security flaw was discovered in High Sierra, the latest macOS. Specifically, if a user tried to authenticate as root (the highest privileged user) with a blank password in certain situations, the first attempt would be rejected but would silently set the root password to blank, so the second attempt would allow the user to log in as root. Apple subsequently released a patch to address this. A detailed technical write-up of this is here.

Key takeaways:

  • It is important to keep on top of patch management at all levels of the business including endpoints.
  • All security controls should be considered to be layers and it would be a worthwhile exercise to consider what would happen if certain controls, e.g. use of low privilege endpoint users, were suddenly disabled or bypassed.

Top Secret data left exposed in Amazon S3 buckets

There have been a couple of recent examples of top secret US Department of Defense materials (including an entire virtual machine image) being found in unsecured Amazon S3 (Simple Storage Service) locations, allowing anyone on the Internet who discovered the locations to download them.

Key takeaways:

  • Use of cloud services is becoming ubiquitous, but each cloud service needs someone who is skilled in using the service to act as "security administrator" to ensure these types of errors do not occur.
  • Part of this should be frequent technical audits of the cloud environment to look for security issues or misconfigurations.
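As an added illustration of the kind of technical audit the takeaway above calls for (this is not code from the post), the check below inspects a constructed S3 bucket policy and ACL for the two common ways a bucket ends up world-readable: an Allow statement for any principal, and an ACL grant to the AllUsers or AuthenticatedUsers group. The bucket name, account id and grantee ids are made-up sample values.

```python
import json

# Constructed sample policy and ACL grants; not from any real account or from the post.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
# Predefined S3 groups that mean "everyone" (anonymous) and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Both "*" and {"AWS": "*"} grant to anyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that grant any principal an action.
    Statements with a Condition are still flagged: conditions need manual review."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", "statement-%d" % i)
            for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))]

def public_acl_grants(grants):
    """Return (group, permission) pairs for grants to the public S3 groups."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def audit_bucket(policy_json, grants):
    """Combine both checks into a list of human-readable findings for one bucket."""
    report = ["policy statement '%s' allows any principal" % sid
              for sid in public_policy_statements(policy_json)]
    report += ["ACL grants %s to %s" % (perm, grp) for grp, perm in public_acl_grants(grants)]
    return report

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS):
        print(finding)
```

In a real audit the policy and grants would come from the bucket's GetBucketPolicy and GetBucketAcl responses for every bucket in the account, run on a schedule rather than once.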

Critical Vulnerability in Keeper password manager

Tavis Ormandy discovered a critical flaw in the Keeper password manager (which comes bundled with Windows 10) which could allow an attacker to gain access to passwords stored using the tool. Whilst this was not a good situation, Keeper managed to make it worse by suing a news organisation which reported on it, thereby guaranteeing themselves a flood of negative publicity in the Information Security world.

Key takeaways:

  • Whilst having a critical vulnerability reported in your software is not ideal, if reported responsibly then you have effectively received valuable assistance for free.
  • Be wary of the "Streisand Effect" when responding to any actual or perceived issue.

Bonus link - Empathy in Incident Response

I wanted to put in this excellent blog post from Tracy Z. Maleeff (@InfoSecSherpa) as well, as it talks about a very important concept. If the security team wants users to help them and give them warning when something has happened, it is important that the user doesn't feel scared to do so.

Josh Grossman
Senior Information Security Consultant and Team Leader