Drupalgeddon part 3 – the sequel, teenage SAP vulnerabilities, PHP is vulnerable, hacking Apple MFi, Oracle, Mass pays the ransom, and hacking into a prison will land you in prison. Jason Wood from Paladin Security joins us for expert commentary on Staying Cool in a Crisis, so stay tuned to this episode of Hack Naked News!
- Third Critical Drupal Flaw Discovered, Patch Your Sites Immediately – Yet another Drupal vulnerability to patch! I think this makes at least 3 in the past couple of weeks. Technical details of the flaw, which has been dubbed Drupalgeddon3, have not been released in the advisory, but that does not mean you can wait until tomorrow morning to update your site on the assumption that it won't be attacked. So, thanks to The Hacker News, here is the list of versions you should be running: if you are running 7.x, upgrade to Drupal 7.59; if you are running 8.5.x, upgrade to Drupal 8.5.3; if you are running 8.4.x, which is no longer supported, first update your site to the 8.4.8 release and then install the latest 8.5.3 release as soon as possible.
- Onapsis Reveals 13-Year-Old Configuration Vulnerability in SAP – According to eWeek: Onapsis released a report on April 26 detailing a configuration vulnerability that impacts SAP NetWeaver, the foundational component for running many SAP applications, including ERP and S/4HANA. According to Onapsis, the default NetWeaver configuration allows attackers to remotely attack a NetWeaver instance without authentication, gaining unrestricted access to all of the information on the system. Since this is a configuration issue rather than a code bug, being current on SAP patches does not make you safe; the insecure default has to be changed on each installation, and you should verify that it has been.
- MS-ISAC Releases Advisory on PHP Vulnerabilities – Multiple vulnerabilities exist in most PHP installations that could allow remote code execution. Each affected branch suffers from its own set of flaws, and all include at least one remote overflow condition. The affected versions are: PHP 7.2 prior to 7.2.5, PHP 7.1 prior to 7.1.17, PHP 7.0 prior to 7.0.30, and PHP 5.6 prior to 5.6.36. So, right as you upgrade Drupal, you can upgrade PHP too. If you run a distribution package, check whether your vendor has backported the fixes before judging by the version number alone.
- Apple Struggling to Stop 'Skeleton Key' Hack on Home Wi-Fi – The problem stems from the technical workings of something known as an MFi chip, an Apple design it licenses to other manufacturers who want to connect their products with iOS devices. Don Bailey found iOS devices can be tricked into handing over private network keys to hacked devices that contain such chips. Basically: hack into one IoT device, impersonate another, more trusted device on the network, and the protocol will hand the attacker the credentials for the trusted Wi-Fi network.
- SamSam Ransomware Evolves Its Tactics Towards Targeting Whole Companies – Interesting go-to-market strategy: the latest version of SamSam has taken the malware road less traveled, ditching widespread spam campaigns for unusually targeted, whole-company attacks. According to an analysis by Sophos, in a reversal of previous tactics, SamSam operators are now launching thousands of copies of the ransomware at once into individual organizations, each of which has been carefully selected.
- Umm, Oracle, about that patch? It might not be very sticky... – In the words of El Reg: earlier this month, Oracle patched a critical vulnerability in its WebLogic server, but someone identifying himself as an Alibaba security researcher reckons Big Red botched the patch. It looks like Oracle simply blacklisted the known-bad input rather than fixing the underlying bug, which is exactly the kind of fix that gets bypassed by a slight variation of the original attack. Vendors need to be called out for doing this, every time.
- Massachusetts School District Pays $10K to Ransomware Attackers – Don't do it! Oh crap: a school district located in Massachusetts paid attackers $10,000 after they infected its computer network with crypto-ransomware. Officials at Leominster Public Schools decided to meet the demand after the district suffered a ransomware attack on 14 April. It's unclear what types of files the malware encrypted. According to CBS Boston, the strain prevented employees from accessing parts of the school's network. It also brought down the district's email system, forcing employees to communicate with one another via their personal Gmail accounts.
- The hacker who broke into jail and had to stay for 7 years – Hacking a prison will land you in prison: a 27-year-old Michigan man who tried to hack a "Get out of jail early" card for his friend is now going to be in jail himself for 87 months, or 7 years and 3 months. On Thursday, US Attorney Matthew Schneider's office announced that besides the jail term and 3 years of supervised release to follow, Konrads Voits is forfeiting all his bitcoins, some of his electronics, including a laptop, an integrated circuit component, and several mobile phones.
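Applied to the Drupal and PHP items above, here is an added example (not code from Drupal, PHP, The Hacker News or MS-ISAC) of a branch-aware "am I on a fixed release?" check. The fixed-version table is copied from the two items, including the two-step path for unsupported Drupal 8.4.x. The version parsing is an assumption: it handles ordinary dotted versions such as "8.5.2" or the first line of `php -v`, and it ignores anything after the numbers, so a distribution package that backported the fix under an older version number will still be flagged.

```python
"""Branch-aware fixed-release check for the Drupal and PHP advisories above.
Added example; the tables come from the show notes, the parsing is assumed."""
import re

# branch -> first release that carries the fix, as listed in the items above
DRUPAL_FIXED = {"7": "7.59", "8.5": "8.5.3"}
PHP_FIXED = {"7.2": "7.2.5", "7.1": "7.1.17", "7.0": "7.0.30", "5.6": "5.6.36"}
# Drupal 8.4.x is end-of-life: patch to 8.4.8 first, then move to 8.5.3
DRUPAL_EOL_PATH = {"8.4": ("8.4.8", "8.5.3")}

# Assumption: the first dotted number in the text is the product version
# (true for "8.5.2", "7.2.4-1ubuntu1" and the first line of `php -v`).
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the first dotted version in `text` as a tuple of ints, e.g. (8, 5, 2)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _branch_of(ver, table):
    """Longest branch key in `table` matching `ver`: (8,5,2) -> "8.5", (7,58) -> "7"."""
    for width in (2, 1):
        key = ".".join(str(p) for p in ver[:width])
        if key in table:
            return key
    return None


def check(product, text):
    """Grade one installed version. product is "drupal" or "php".
    Returns (status, message) with status in {"ok", "upgrade", "eol", "unknown"}."""
    ver = parse_version(text)
    shown = ".".join(map(str, ver))
    if product == "drupal":
        eol = _branch_of(ver, DRUPAL_EOL_PATH)
        if eol:
            interim, final = DRUPAL_EOL_PATH[eol]
            if ver >= parse_version(interim):
                return "eol", f"Drupal {eol}.x is unsupported: move to {final}"
            return "eol", f"Drupal {eol}.x is unsupported: update to {interim} first, then to {final}"
    table = DRUPAL_FIXED if product == "drupal" else PHP_FIXED
    branch = _branch_of(ver, table)
    if branch is None:
        return "unknown", f"{product} {shown}: branch not covered by this advisory"
    if ver >= parse_version(table[branch]):
        return "ok", f"{product} {shown} is at or past the fixed release {table[branch]}"
    return "upgrade", f"{product} {shown} is vulnerable: upgrade to {table[branch]}"


if __name__ == "__main__":
    # constructed inputs: a Drupal VERSION constant and the first line of `php -v`
    for product, text in [("drupal", "8.4.6"), ("drupal", "7.59"),
                          ("php", "PHP 7.2.4 (cli) (built: Apr  4 2018 14:00:00) ( NTS )")]:
        print(*check(product, text))
```

Feed it the `VERSION` constant from Drupal's core (or `drush status` output) and the first line of `php -v` on each host; anything that comes back "upgrade" or "eol" goes on the patch list for tonight, not tomorrow.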
Staying Cool in Crisis – This has been on my mind since I watched the reaction to the pilots of Southwest 1380 successfully landing their damaged airliner and listened to how calm they were during the emergency. Southwest pilots Captain Tammie Jo Shults and First Officer Darren Ellisor have been universally praised for their response to the engine failure on flight SW 1380. They should be. They were calm, professional, and got the plane safely back on the ground. The only loss of life was out of their control, due to the window being blown out and the passenger being partially pulled out of the airplane. People have been amazed at how calm Captain Shults sounded on recordings of her conversations with ATC. How did they pull this off? Personal preparation and training.
Every six months airline pilots are required to spend two to three days in a flight simulator training on emergency procedures. Fail this assessment and they are removed from flight status and can lose their jobs. It's grueling. The simulator can put them through insane scenarios and requires pilots to follow emergency procedures and execute flight maneuvers to get their planes back on the ground. I watched a video of one such simulation where the pilot lost all elevator control and safely landed his plane without his primary means of making the plane climb or descend.
So what does this have to do with us? IT and infosec deal with crises. How well we deal with a crisis depends on how prepared we are for it. Think back through your career and see if you can pick out those times that something went seriously wrong in your environment. Was it total chaos? Or was the issue worked through without panic and in a reasonable (given the situation) period of time? If you experienced a more professional response, was it because your organization had previous experiences that it had learned from? Were people feeling in control because they'd been here before? Were the recovery docs and procedures actually useful because they had been tested out before? I'm betting that the more professional the experience was, the more experience you and your organization had had with crises, and the more preparation had been done.
I’m not throwing rocks at anyone who has less than stellar experiences with an outage, incident or crisis. The first incident that I was involved with was a complete goat rodeo because no one had thought this could happen and no one was prepared. Emergency procedures were non-existent and if they did exist, no one knew where they were. It was a long week. The next major incident was better. Not great, but better. We’d been there before so we knew more of what to do and how to manage it. We weren’t overwhelmed by it.
How do we prepare? That's going to depend on your organization and its maturity. Netflix uses the Chaos Monkey to train their teams on how to deal with system failures. Your organization can use tabletop exercises to test out procedures and communication. Systems can be deliberately taken down. Security incidents can be simulated by deploying software that acts like malware. Can your org detect it? Find it? How well can it be tracked down and then searched for on other systems? It's tempting to look at some common system failures and incidents and think, "Yeah, we can figure our way through that pretty quick." But don't give in to that temptation. On a few systems maybe you can. Across your organization? No, the scale of it becomes overwhelming, and even if the rockstars of your company can handle it by the seat of their pants, they can't be on every machine at once. You'll need to sleep at some point.
You want to be like the pilots of SW 1380 and sound calm in crisis while you handle it well? Then take steps to prepare for it. This wasn’t the first time they had dealt with an engine failure, just the first time in a real airplane. When do you want your team’s first time responding to all the credentials in AD being dumped? In a practice drill or during a real incident? The first time doesn’t have to be during the real thing.
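The commentary suggests simulating an incident by deploying software that acts like malware and then asking whether your organization can detect it and find it. Here is an added example of turning that into a measurable drill with a scorecard; it is not code from the show or from Jason Wood. It plants a harmless canary file standing in for the "malware", records where and when it was planted, then grades an alert export: which hosts raised an alert on the canary's hash, how long it took, and which hosts stayed silent. The alert line format, host names and timestamps are constructed for illustration, so adapt `ALERT_RE` to whatever your SIEM or EDR actually exports.

```python
"""Detection-drill scorecard (added example, not the show's own tooling).

Plant a benign canary file, note the SHA-256 and the planting time per host,
then grade the alerts your tooling produced against a time-to-detect target.
"""
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Harmless content that stands in for a malware drop; hash it like you would a real sample.
CANARY_BYTES = b"HNN-DRILL-CANARY: benign file planted for a detection exercise\n"
CANARY_SHA = hashlib.sha256(CANARY_BYTES).hexdigest()

# Hypothetical alert export format: "<ISO8601 time> host=<name> rule=<id> sha256=<hex>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"rule=(?P<rule>\S+) sha256=(?P<sha>[0-9a-f]{64})$"
)


def plant_canary(directory, name="update_helper.exe"):
    """Write the canary into `directory`; return (path, sha256) for later matching."""
    path = Path(directory) / name
    path.write_bytes(CANARY_BYTES)
    return path, CANARY_SHA


def parse_alerts(lines):
    """Yield (timestamp, host, rule, sha256) for well-formed lines; skip the rest."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["rule"], m["sha"]


def score_drill(planted, alert_lines, max_seconds):
    """planted maps host -> (sha256, planted_at).

    Returns host -> {"detected", "rule", "seconds", "within_sla"}.  Only alerts
    that match the planted hash AND were raised after planting count; an older
    alert for the same hash is stale noise, not a detection of this drill.
    """
    first_hit = {}
    for ts, host, rule, sha in parse_alerts(alert_lines):
        if host in planted and sha == planted[host][0] and ts >= planted[host][1]:
            if host not in first_hit or ts < first_hit[host][0]:
                first_hit[host] = (ts, rule)
    results = {}
    for host, (_sha, planted_at) in planted.items():
        if host in first_hit:
            ts, rule = first_hit[host]
            secs = int((ts - planted_at).total_seconds())
            results[host] = {"detected": True, "rule": rule, "seconds": secs,
                             "within_sla": secs <= max_seconds}
        else:
            results[host] = {"detected": False, "rule": None, "seconds": None,
                             "within_sla": False}
    return results


# Constructed drill data: canary planted on three hosts at 09:00.
PLANTED_AT = datetime(2018, 4, 30, 9, 0, 0)
SAMPLE_PLANTED = {h: (CANARY_SHA, PLANTED_AT) for h in ("ws-101", "ws-102", "srv-db1")}
SAMPLE_ALERTS = [
    f"2018-04-30T09:03:12 host=ws-101 rule=suspicious-drop sha256={CANARY_SHA}",
    f"2018-04-30T08:55:00 host=ws-102 rule=suspicious-drop sha256={CANARY_SHA}",  # predates plant
    f"2018-04-30T11:40:05 host=ws-102 rule=weekly-scan sha256={CANARY_SHA}",      # found, but late
    "2018-04-30T09:10:00 host=srv-db1 rule=suspicious-drop sha256=" + "0" * 64,  # different file
    "garbage line the parser must skip",
]


def run_sample_drill(max_seconds=900):
    """Grade the constructed scenario against a 15-minute time-to-detect target."""
    return score_drill(SAMPLE_PLANTED, SAMPLE_ALERTS, max_seconds)


if __name__ == "__main__":
    for host, result in run_sample_drill().items():
        print(host, result)
```

In the constructed run, one workstation is caught in about three minutes, one is only found by a scheduled scan hours later, and the database server never alerts at all; those are the three numbers (detected, time-to-detect, and silent hosts) you want on a chart before the real thing happens.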