Things I Hearted This Week, 7th December 2018

0
[ This article was originally published here ]

It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions.

Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news of the juiciest news that made my heart flutter

US Postal Service

Ah, the good old USPS was running a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf.

Luckily, a security researcher spotted the error about a year ago and notified USPS.

Unluckily, the USPS didn’t respond to the researcher or fix the issue.

Luckily, the researcher reached out to little known cyber-reporter by the name of Brian Krebs who contacted USPS and lo-behold a miracle happened and the issue was fixed in 48 hours!

This raises the question as to is there anything lesser-known researchers who don’t have the public profile of Brian Krebs can do to help companies fix issues outside of a formally defined bug bounty program?

Back in September, Troy Hunt posted on the very topic on the effectiveness of publicly shaming bad security. And not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way.

GCHQ Reveals it Doesn’t Always Tell Firms if Their Software is Vulnerable to Cyber Attacks

In other words, spy agency keeps secrets.

There are four reasons given as to why GCHQ may not disclose flaws, being:

  1. There is no way to fix it
  2. The product is no longer supported
  3. The product is so poorly designed it can never be secure
  4. There is an overriding intelligence requirement that cannot be fulfilled in any other way

I particularly like number 4 as the catch-all clause. You could say there’s an overriding intelligence requirement to almost anything, and refuse to release any details under secrecy laws.

I’m not necessarily bashing GCHQ, governments have been known for stockpiling exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building its own capabilities and threat sharing channels remain necessary.

Scamming the Scammers

I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time courtesy of Hacker Fantastic who got contacted by the famous singer Rhianna out of the blue to help her get some money.

ENISA Releases Online NIS Directive Tool

ENISA released an interactive tool showing the relevant national laws and regulations, and per sector and subsector the national authorities supervising the NIS Directive. It’s pretty cool.

Open Source Intelligence: A Key Under The Proverbial Mat

In an age when everyone is connected, many businesses are forced to interact with the public via the internet. People are carrying small computers (phones) in their pockets with more homes having computers than generations before us. According to the U.S. Census Bureau’s 2015 Computer and Internet Use in the United States: American Community Survey Reports, “Among all households, 78 percent had a desktop or laptop, 75 percent had a handheld computer such as a smartphone or other handheld wireless computer, and 77 percent had a broadband Internet subscription.”

Why Security Firms Do Not Share The Cost Of Bad Reputation After A Cyberattack?

The whole security story looks as if it were a play where at the beginning both customer and security firm share the publicity lights when they sign a contract, but soon the lights turn off, the disaster strikes and it turns into a one-act play.

This is where I agree that more transparency is needed, and insurance or warranties can go a long way to help in this regard.

Related to infosec warranties

On The Insecurity of Math.Random and it’s Siblings

During code reviews we often see developers using weak RNGs like math.random() to generate cryptographic secrets. We think it is commonly known that weak random number generators (RNG) must not be used for any kind of secret and recommend using secure alternatives. I explicitly did not state a specific language yet, because basically every language offers both weak and strong RNGs.

So I asked myself: What if I use a weak RNG to generate a secret? Is it possible to recover the secret from some derived value, like a hash?

Why Hospitals Are The Next Frontier of Cybersecurity

Hospital cybersecurity is a pressing problem with unique challenges and incalculable stakes. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. However, despite increasing efforts and awareness, a number of technological, cultural and regulatory issues complicate healthcare cybersecurity.

Other Things I Liked