This week on Security Weekly News, Dr. Doug White covers the following stories: Tesla Goes Pwn2Own Again This Year, GRU “hacks” a Ukrainian Gas Company at the Heart of Scandals in DC, Is Iran Shutting Down Social Media to Prevent Protests?, The US Government Issues Phones to the Poor Which Contain Chinese Malware. Oh, and the phones were Chinese too, Cloudflare Expands Into VPN and Firewalling, Microsoft has Officially Ended Support for Win 7 and Server 2008, A Nasty Bug in Firefox, Citrix Exploits are Being Well… Exploited, Can We Just Go Ahead and Read the Patterns in Encryption?, Cisco Data Center Vulnerabilities, More Lawsuits in Georgia, The Return of Emotet, Never Give the Victim a Break if You Want Them to Pay, and Is the US Better Than Anyone in the World at Cyber? In the expert commentary segment, Jason Wood covers the State of 5G Security.
Visit https://www.securityweekly.com/swn for all the latest episodes!
January 14, 2020
- https://www.teslarati.com/tesla-model-3-returns-to-pwn2own-hacking-competition/ — Tesla goes pwn2own again this year.
- https://www.washingtonpost.com/national-security/russian-spies-hacked-ukrainian-gas-company-at-heart-of-trump-impeachment-trial/2020/01/13/db50b2b0-366c-11ea-bb7b-265f4554af6d_story.html — GRU “hacks” a Ukrainian gas company at the heart of scandals in DC.
- https://www.newsweek.com/iran-internet-down-outages-protests-plane-crash-websites-offline-flight-752-1481842 — Is Iran shutting down social media to prevent protests?
- https://www.bbc.com/news/technology-51054901 — and… the US government issues phones to the poor which contain Chinese Malware. Oh, and the phones were Chinese too.
- https://www.darkreading.com/risk/microsoft-to-officially-end-support-for-windows-7-server-2008/d/d-id/1336791 — Microsoft has officially ended support for Win 7 and Server 2008
- https://www.pcmag.com/news/372978/hackers-are-abusing-a-bug-in-firefox-to-take-over-computers?fbclid=IwAR0TNf5aZMpvj_1lP0_DeQ3WDcsJoRjDzssMjgYhvl3EQCVu4-QpILz9P5g — and a nasty bug in Firefox
- https://support.citrix.com/article/CTX267027 — Citrix exploits are being well…exploited.
- https://www.darkreading.com/threat-intelligence/major-brazilian-bank-tests-homomorphic-encryption-on-financial-data/d/d-id/1336779 — can we just go ahead and read the patterns in encryption?
- https://www.us-cert.gov/ncas/bulletins/sb20-013 — Cisco Data Center Vulnerabilities
- https://www.jdsupra.com/legalnews/data-breach-class-actions-georgia-48918/ — More lawsuits in Georgia
- https://www.bleepingcomputer.com/news/security/emotet-malware-restarts-spam-attacks-after-holiday-break/ — the return of emotet
- https://www.bleepingcomputer.com/news/security/nemty-ransomware-to-start-leaking-non-paying-victims-data/ — never give the victim a break if you want them to pay
- https://www.fifthdomain.com/dod/2020/01/13/trump-says-us-better-at-cyber-than-anyone-in-the-world/ — Is the US better than anyone in the world at Cyber?
Commentary – Jason Wood, Paladin Security
While I was reading this week I found a security prediction for 2020 that caught my eye. The prediction was that the growth and combination of IoT and 5G would be a major source of security issues in 2020. I kind of chuckled because the annual predictions are usually interesting, but frequently off from what ends up occurring. But because my mind was on 5G, I noticed a blog post released today by Bruce Schneier on 5G security. Bruce explains his view on why 5G is not going to be as secure as people may hope and it’s definitely worth the read.
When you hear about 5G security, there is a lot of focus on hardware that is made in China. The US is strongly against the use of Huawei and other Chinese networking suppliers in the 5G infrastructure. The fear is that these companies will include backdoors, security weaknesses, or other issues in their products due to pressure from or collaboration with the Chinese government. Due to China’s history of content monitoring, censorship, and espionage, that’s a real risk to consider. Is it overblown or underplayed? That depends on who you are talking to. Everyone has their own experiences and biases when talking about these topics. But rather than focusing on this, Bruce pivots to other issues with 5G that don’t get as much attention.
First, he states, the 5G standards are really complex and cannot be implemented securely. If you’ve ever been unable to fall asleep and decided to read an RFC to help you doze off, you know that standards lay out requirements, but do not get into how to build something. They are subject to interpretation. So security errors will still be made while writing the actual implementation. This is further complicated by the standards trying to not only handle the wireless portion of the communication but the infrastructure that will perform the routing and transmission of that data. 5G apparently isn’t just a wireless standard.
Second, Bruce points out that even if 5G was super secure, it still has all the baggage that it is carrying from 4G networking. Backwards compatibility is still an important thing since it’s going to be a while until only 5G and greater capable devices are in use. Because of this, 5G will inherit a number of issues from 4G. The need for backwards compatibility is obvious since providers have already started implementing 5G networks, but few people have devices that support it. To expect a “clean break” (as Bruce termed it) with 4G is unrealistic. So we are going to have to live with older security flaws. The idea of a downgrade attack would seem to apply here.
Finally, he explains that the standards committees just skipped out on opportunities to make security improvements. Even where they did propose security features, many were made optional. Don’t like it and think it is too expensive? Then skip it and move on. On top of that, even if it is a requirement, can you get away with skipping out on it? It’s not like someone will prevent you from putting it out on the market. Then once it is out there, we end up living with it.
Bruce made one statement that I thought sounded almost silly because it applies to pretty much every technology. “But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.” Well, yeah. That’s always the way this seems to work out. It always ends up causing us problems, but it’s always the case. I don’t think Bruce is being naive here. It’s a lament from him and likely goes back to his calls for government regulation of IoT devices and having mandates for security being implemented. That way the market forces don’t cause security to be treated as something to be bolted on later.
One bit of advice I really liked in his post was this statement from Susan Gordon, who was the U.S. principal deputy director of national intelligence at the time. “You have to presume a dirty network.” In fact, she goes on to say, “That’s what we’re going to have to presume about the world.” While we may agree with that statement as security professionals, it certainly makes for a messy landscape and a rough experience for those who don’t work in security.
The overall takeaway is this. 5G isn’t going to solve wireless communications problems. It will change things, but it won’t be a solution here. It will provide more opportunities for IoT device makers. This makes me wonder if we are going to have to get a data plan for doorbells, refrigerators, and other IoT doodads. So the spread of the network will go further, reach deeper into our lives, but will only provide a feeling of security with the reality very much in question. It will be very interesting to see how this actually plays out.