Friday, May 15, 2020

What I'm Reading 5/15/2020 - A New Cold War With China? (Duh!), Improving The Supply Chain, Patch Cisco and Palo Alto, and More Coronavirus Stuff

NY Post - Leaked data suggests China may have 640,000 coronavirus cases, not 80,000   - 

A leaked database from a Chinese military-run university suggests the country may have at least 640,000 COVID-19 cases — a figure substantially higher than Beijing’s dubious claim that it has seen just 80,000 coronavirus infections.

The virus tracker, compiled by China’s National University of Defense Technology and leaked to Foreign Policy magazine, appears to confirm fears that the nation’s Communist government is hiding the true nature of the outbreak that originated in Wuhan late last year.

Cisco Systems and Palo Alto Networks have fixed similar high-risk authentication bypass vulnerabilities in their network security devices that were caused by an oversight in the implementation of the Kerberos protocol. Man-in-the-middle (MitM) attackers could exploit these weaknesses to get administrative control over the appliances.

The article says Patch Now! Seems like a good suggestion to me.

The PrintDemon article authors finish up with the claim that:

So yes, walk to any unpatched system out there […] and just write Add-PrinterPort -Name c:\windows\system32\[REDACTED] in a PowerShell window. Congratulations! You’ve just given yourself a persistent backdoor on the system.

But we agree with the public assessment of Rapid-7 researcher Brendan Watters, who offered the opinion that the authors of the PrintDemon article have overstated the dangers somewhat.

As Watters points out, “this is not a single command to [a] root backdoor. It is more like several thousand lines of code and some well-timed execution gets you a rooted backdoor.”

...

t’s definitely a bug, and it’s a bad one, but:

  • It’s not really just one line of PowerShell to a “persistent backdoor on the system”.
  • The attacker already needs to be logged in to exploit this hole, so it can’t be abused remotely. 

Many supply chains are not just complex, they're brittle – hardened against certain risks, but vulnerable to shocks from other sources. That statement is true for the physical components of a supply chain as well as the supply chain data that IT security professionals are charged with protecting.

Dark Reading turned to a number of security professionals about what it takes to secure a supply chain.

 1.  Consider both upstream and downstream security.  - 
"A simple, practical step is to start making a list of all the organizations you deal with, either as suppliers, clients, or customers," Erlin says. "Ideally, you should be able to identify and categorize the data to which any of the organizations that you deal with have access."
2.   Make sure contracts identify known breach sources and how to respond to them as well as containing language to specify how to deal with new breach types or sources.

3.  Know your data flows - what data is being given to how and who has access to critical assets

4.  Secure your processes -
 it's important to remember that processes can have security implications, too. "Quite often risks have more to do with operational process, such as storing in an exposed database in the cloud, than it does with a flaw or vulnerability in code," Vectra's Morales says.
5.  Annual Audits - any organization that supplies electronics or has remote access to the company.
(IMHO, This is kind of unrealistic for a lot of companies, but regular audits should be conducted on a schedule that resourcing allows. )

6.  Support smaller supplier - focus on real risks and mitigating controls, communicate clearly, share expertise if appropriate. 

7.  Make things easy for management by grouping risks into buckets  they can understand.

8.  Keep an eye on the cloud -

The cloud problem is exacerbated because software and services tend to be built from existing software, services, and modules, making the stack of "dependencies," or nested code products, 10, 20, or more layers deep. "Much of the cloud infrastructure and SaaS applications consist of assembled components and frequently includes open source products," says Sachin Aggarwal, co-founder and CEO of Accurica explains. "For example, Amazon Web Services uses Linux, Java, Kubernetes, Xen, and KVM as components in their cloud. These provide cost benefits but can introduce security risks, which organizations need to mitigate."

This cloudy risk doesn't end with software and services, Aggarwal points out. "There are unique risks introduced when cloud SaaS applications use third-party APIs as components," he says. "Modern cloud applications integrate with several third-party APIs for purposes such as notification, monitoring, data aggregation, and security analytics." 

Additionally it is very easy for a development team to spin up a new environment without every going thru the hardening process thus leaving data exposed.  See Step 4.  

Researchers reported at least some of the monkeys developed antibodies to the virus within 14 days of being vaccinated, and all of the vaccinated animals had evidence of antibodies within 28 days.

The Oxford University vaccine trial is heading into hospitals amid fears that Covid-19 is not prevalent enough in wider society, a leading scientist has revealed.

John Bell, regius professor of medicine at Oxford University, said more than 1,000 people had been vaccinated in the first phase of the project and that, so far, things were going well and the drug looked safe.

Microsoft has detailed how it's changed Windows 10 to wipe out a class of memory bugs called uninitialized memory vulnerabilities using a new security feature that has plagued users of games that employ anti-cheat software.    

Microsoft has been experimenting with Rust for certain Windows components written in C and C++ to weed out memory-related bugs, which make up about 70% of all patches Microsoft has shipped over the past decade.

In a short message posted on its website, the company said the incident only impacted its internal IT network and employee laptops.

The company's email server was also impacted and had been taken down, cutting employees off from crucial communications.

Systems that managed the UK's electricity transit were unaffected, according to Elexon.

Neal Stephenson’s 1992 novel, Snow Crash, is often considered one of the most idiosyncratic and enjoyable cyberpunk fictions ever produced. Its inventive world, tongue-in-cheek humor, and eerily accurate predictions of the information age have made it one of the most renowned American sci-fi novels of the last 30 years. Fans of the book and cyberpunk should be happy to hear that the novel is currently being adapted for a series on HBO Max.

 At the direction of the White House, the Department of Homeland Security has sent recommendations for further restricting legal immigration during the COVID-19 pandemic, according to one former and two current administration officials.

Among the recommendations expected to be considered is the suspension of a program for foreign students to stay in the U.S. to get one or two years of occupational training between secondary education and full-time employment, a move many in the business and university communities are fighting.

How does a Cold War begin? In Washington, an accumulation of anti-Beijing animus hangs like a dark cloud over the capital. Before the pandemic, there was no shortage of experts warning of emergent fault lines between the United States and China. That sense of a looming clash between the 21st century’s heavyweights has only accelerated since the novel coronavirus paralyzed much of the world.

In an interview aired Thursday morning by the right-wing Fox Business Network, President Trump floated the idea that the United States “could cut off the whole relationship” with China in the aftermath of the pandemic, in reference to discussions over the lingering trade differences between both countries. He also argued that the economic toll of the pandemic offered further proof that the United States needed to do more to disconnect itself from global supply chains that thread through China.

China's foreign ministry said on Friday that steady Sino-U.S. bilateral relations serve the interests of both people, responding to U.S. President Donald Trump's comments that he could cut ties with the world's second-largest economy.

The U.S. Commerce Department said it was amending an export rule to “strategically target Huawei’s acquisition of semiconductors that are the direct product of certain U.S. software and technology.”

Reuters first reported the news ahead of the department’s release. The department said its “announcement cuts off Huawei’s efforts to undermine U.S. export controls.” 

The measures include launching investigations and imposing restrictions on U.S. companies such as Apple Inc, Cisco Systems Inc, Qualcomm Inc as well as suspending purchase of Boeing Co airplanes, the report said here citing a source. 
Hackers believed to be operating in the interests of the Chinese government have targeted the air-gapped networks of the Taiwanese and the Philippine military.
...

The malware would infect a system with fewer security protections, then wait for a USB device to be connected, infect the device, and wait to be ferried to other parts of a victim's internal network.

On the new device, USBferry would collect sensitive documents inside the USB device's internal storage, and wait until it was ferried back to another internet-connected device, where it would send the data back to Tropic Trooper's command and control servers.

Interest in antibody tests from employers has fallen in recent weeks as reports have suggested that it is too early to conclude that antibodies to the new coronavirus translate into immunity. The American Medical Association cautioned on Thursday that these tests do not determine an individual’s immunity.

“Many employers ... are realizing that antibody testing isn’t going to be a silver bullet and really isn’t going to bring them any value,” said David Zeig, a lead consultant on clinical services at Mercer. 


No comments: