Just like those famous sofa companies sending you their end of year sale offers, we’re seeing the year out with massive phishing & malware campaigns. The customary December malware campaigns are centred around end of year bonuses, holiday (vacation) deals and the usual ways of getting rich quick. This year there is the additional uptick in all things ‘Brexit’, with nefarious attachments dealing with how a ‘no deal’ will affect you. Then there are the ‘secure your money’ with Brexit, ‘maintain your holidays’ and ‘ensure you can still work’ after Brexit themed attacks.
The Brexit Effect
The majority of these phishing attacks are unsuccessful, as people are becoming more and more aware not to click on links or open attachments within emails. The Brexit ones, though, do seem to be catching people unaware. This could be because they are potentially expecting to receive information, or because the content is slightly more personalised than previous phishing attempts.
The Usual Mo-damage
As a consultancy we don’t do a lot of hands-on coding, but earlier this year we did come across a firmware bug (feature) within a certain Chinese manufacturer’s 4G routers. Apart from the potential of nation-state connected manufacturers purposefully putting listening functionality into their devices, it appears the security of the ‘freebie’ 4G modems and routers is going to be a future trend. Whilst we have done the responsible thing and informed them of their ‘issue’, it’s interesting that Orange Mobile are being picked on in the press for their devices.
Once the disclosure period has passed, expect a future blog post on what we found, but in the interim Orange are being made a media scapegoat as their devices are accidentally disclosing their WiFi passwords. However, due to the historic way that all the network providers update their 4G routers, they are in no way different from BT, Vodafone, Three or O2.
The problem comes with the firmware on these devices. Often rushed out to market, they are shipped with a number of vulnerabilities and need to be patched/updated to make them safe and secure. Unlike a smartphone, users don’t look at their settings every day and aren’t prompted to accept an update. The only way to update them is for the network providers to push out updates – but that again is dependent on the device being on and still being on their network.
There are hundreds of thousands of 4G routers that were given away by network providers to lure people into buying a second data SIM. The ‘tie-in’ period is now up and network providers are no longer obliged to push out security fixes to those devices. In many cases they can’t, as the users have put another SIM into them (often on another network). The result is a large number of vulnerable devices connected to the internet and capable of being used for many nefarious purposes.
School and Pupil based attacks
On the other side of the pond, some 500k people have recently been affected by a massive data breach. Now normally you would say that here in the UK we don’t care. Large data breaches are commonplace now and don’t even make the press. It is also an American peculiarity that healthcare and education sectors get targeted, as those sectors are normally left alone here in Blighty.
December has seen that normality broken, as it appears that hackers and nefarious actors are attacking British school systems. A Hertfordshire teenager will have just spent the first of three Xmases behind bars after emailing bomb threats to UK schools. Whilst pretty bad, it appears that some of the security products in schools are being targeted specifically.
Numerous providers across the sector have previously jumped onto the security bandwagon and have sold ‘solutions in a box’ to schools. These unmanaged services have traditionally just been a filtering web proxy and a subscription to a monitored ‘safe’ DNS service. These might have worked 15 years ago, but the world is a different place now and many schools are finding out the hard way that savvy 8 year olds can get around these controls quite easily. As for the bad guys on the other side of the protection, let’s just say they aren’t finding it a challenge to circumvent.
Another year passing also means we reach a few anniversaries. One of which is the 30th birthday of the US Department of Defense’s ‘Orange Book’. The Trusted Computer System Evaluation Criteria (TCSEC) was the centrepiece of the Rainbow Series of books that I cut my teeth on during my RAF career. It is what started my InfoSec career and was the method by which we validated that computer systems were secure.
It’s also strange that this anniversary comes at a time when the press is making something of US ballistic missile systems being ‘vulnerable’, having recently failed 3 of 5 audits, with failures coming about due to unlocked doors on server cabinets and the lack of multifactor authentication on unclassified systems.
Now the ‘Orange Book’ has changed a lot over the years, but don’t forget that one of the key principles has always been ‘if you can’t connect to it, you can’t get at it’. In order to exploit these failings, you had to be physically present at the server. Maybe, after getting past numerous tall fences, barbed wire, attack dogs, armed guards (with rules of engagement that permit shoot to kill), swipe card access to buildings and metal detectors, and knowing the username and password, you would just be able to download the latest cafeteria menu from their Intranet.
USB, does it stand for Universal Security Breach?
This blog post is somewhat localised to the HQ of Unshakeable Salt, as it concerns...