Tractorload of John Deere Vulns, T-Mobile Breach, Kalay IoT Hack, & HolesWarm – PSW #707

"Organizations also need to take a closer look into their cybersecurity investments to maximize ROI. In addition to strengthening the core through network, infrastructure and application security controls, security orchestration and automation with AI- and ML-based solutions and applying techniques like managed detection and response, next-generation identity and access management and zero-trust architecture will help counter modern-day threats, such as ransomware, more effectively and efficiently." - And there you have! All you need is a next-generation identity and access management solution with some zero-trust architecture and just like that, you have all the security you need! We can all retire now...

"The security issues are said to have remained untouched in Realtek's codebase for more than a decade" - Lots of buffer overflows. Lots. Sloppy coding, strcpy for the win in the "boa" web server, which I've seen on a few different IoT devices.

"The Kerberos protocol is solid. It was developed at MIT and provides Single Sign On (SSO) for many large companies." - Okay but define "solid", as in like, it has many security flaws that have been uncovered over the years? Oh, and really try to code to the spec: "Then again, these four security vendors didn’t implement the Client/Server exchange at all. So I can just log in with my fake password to all these systems."

In this case, Cisco's recommendations are something that should be done anyhow, regardless of patch or not: "The IT giant recommends customers using RV110W Wireless-N VPN Firewalls, RV130 VPN Routers, RV130W Wireless-N Multifunction VPN Routers, and RV215W Wireless-N VPN Routers to disable UPnP on both the LAN and WAN interfaces of their devices."

"John Deere claimed in a statement that "none of the claims—including those identified at DEF CON—have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information. Further, contrary to claims made at DEF CON, none of the issues identified by the security researchers would have affected machines in use. John Deere considers the security of our systems and the data within them a top priority and we work tirelessly to identify and address any misconfigurations as quickly as possible. Deere also recognizes the important role our products play in food security and within the global food supply chain." - Yet the researcher proved otherwise....

"Over the course of several months, the researchers developed a fully functional implementation of ThroughTek’s Kalay protocol, which enabled the team to perform key actions on the network, including device discovery, device registration, remote client connections, authentication, and most importantly, process audio and video (“AV”) data. Equally as important as processing AV data, the Kalay protocol also implements remote procedure call (“RPC”) functionality. This varies from device to device but typically is used for device telemetry, firmware updates, and device control." - Sounds like you need to be on the same network as the device, so I thought, but this looks like a publically available network that they were able to interface with the protoctol over the Internet: "If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker."

I thought it was neat to listen to streaming music from the Tor network. Not great quality, and a mixed bag of music, but neat.

Sounds like some miscommunication: "Rapid7 said they contacted Fortinet multiple times to work on the issue but didn't get a response, so they followed their own disclosure policies when releasing the report." - Begs the question, what do you do when you don't receive a response? How hard do you try to get a response? What if emails go to SPAM? Difficult in larger companies as it can get lost in the shuffle. I think the lesson learned here is to closely monitor disclosure communication, and perhaps have multiple routes for disclosing vulnerabilities, or do a bug bounty so a 3rd party can help ensure clean and reliable communications.

"The containerized CIS Hardened Images are built on provider based images via Docker. Docker, a self-contained software bundle, makes it easy for applications to run on multiple computing environments. CIS provides these containerized CIS Hardened Images in Amazon Web Services (AWS) Marketplace."

Lost me right away: "Penetration testing aka pentesting is the process of finding vulnerabilities in the network and preventing them from seeping into the system." - Nope. And then: "A vulnerability scan is a high-level test that seeks potential vulnerabilities in the system." - Again, not really.

I believe this is really about 1) Create your teams to include devs, ops, and security people 2) Design and threat model with said team for functionality, reliability, performance, and security 3) Use OSS for static analysis, SCA, container scanning 4) Use commercial software for runtime protection.