NetSarang Computer Xmanager software backdoor

Kaspersky Lab discovered a backdoor in signed code from NetSarang Computer, a South Korean company.  The software, Xmanager, is used to manage Linux/Unix applications on Windows platforms.  According to Kelly Jackson Higgins in a DarkReading article,

The cyber espionage malware was embedded in one of the source code libraries of NetSarang Computer’s July 18, 2017 software builds. Its Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, were all compromised.

NetSarang Computer’s network was apparently compromised, resulting in distribution of trusted, signed code with embedded malware (Goodin, 2017).  This is now patched, and customers should apply the patch immediately.

This is an example of a vulnerability the attacker created by compromising the supply chain rather than the end targets.  In a case like this, customers have no reason to believe the vendor is malicious.  NetSarang Computer is not a threat agent, but a weakness in its own security became a weakness in many customer organizations.

As with any organization, no security framework is perfect.   We should expect that, as target organizations harden their own defenses, attackers will increasingly turn to supply chain attacks.  Some organizations have hundreds, or thousands, of applications installed by IT and business employees.  One or more of these vendors will eventually fall victim to an attack like the one NetSarang Computer experienced.  Goodin writes,

The NotPetya worm that shut down computers around the world in June used the same tactic after attackers hijacked the update mechanism for tax software that was widely used in Ukraine. Supply-chain attacks that targeted online gamers included one used to spread the PlugX trojan in 2015 and the malware dubbed WinNTi in 2013.

In this case, blocking and monitoring for anomalous outbound traffic would likely prevent or detect backdoor activity.  Software whitelisting, however, remains one of the best ways to minimize the number of applications you have to watch: a valid vendor signature did not make these builds safe, so what is approved should be tracked by product and build, not by signature alone.
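As an added illustration (this is not code from the post, from NetSarang, or from any product), the script below shows how an application inventory can be checked against the five compromised builds quoted from DarkReading above, and how an allowlist flags anything not approved for installation. The tab-separated inventory format, the allowlist contents and the `SomeUnapprovedTool` entry are assumptions constructed for this example; the product names and build numbers are the ones named in the quote.

```python
"""Check a software inventory for the compromised NetSarang builds and for
products that are not on an application allowlist.

Added example for this post. The inventory format and sample rows are
constructed; only the product/build numbers come from the DarkReading quote.
"""
import csv
import io
from typing import List, NamedTuple, Optional

# Builds named as compromised in the DarkReading quote (July 18, 2017 builds).
COMPROMISED_BUILDS = {
    ("Xmanager Enterprise", "5.0", 1232),
    ("Xmanager", "5.0", 1045),
    ("Xshell", "5.0", 1322),
    ("Xftp", "5.0", 1218),
    ("Xlpd", "5.0", 1220),
}

# Hypothetical application allowlist for this example: only these products
# are approved, so anything else found in the inventory is flagged for review.
ALLOWLIST = {"Xmanager Enterprise", "Xmanager", "Xshell", "Xftp", "Xlpd"}


class Record(NamedTuple):
    host: str
    product: str
    version: str
    build: Optional[int]


# Constructed sample inventory (tab-separated); not data from any real host.
SAMPLE_INVENTORY = (
    "host\tproduct\tversion\tbuild\n"
    "ws-01\tXshell\t5.0\t1322\n"
    "ws-01\tXftp\t5.0\t1219\n"
    "ws-02\tXmanager Enterprise\t5.0\t1232\n"
    "ws-02\tSomeUnapprovedTool\t2.1\t\n"
    "ws-03\tXlpd\t5.0\t1220\n"
    "ws-03\tXmanager\t5.0\t1046\n"
)


def parse_inventory(text: str) -> List[Record]:
    """Parse tab-separated inventory rows (host, product, version, build)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    records = []
    for row in reader:
        build_raw = (row.get("build") or "").strip()
        # A missing or non-numeric build is kept as None rather than dropped,
        # so the record can still be checked against the allowlist.
        build = int(build_raw) if build_raw.isdigit() else None
        records.append(Record(row["host"].strip(), row["product"].strip(),
                              row["version"].strip(), build))
    return records


def find_compromised(records: List[Record]) -> List[Record]:
    """Records whose (product, version, build) exactly matches a compromised build."""
    return [r for r in records
            if (r.product, r.version, r.build) in COMPROMISED_BUILDS]


def find_unapproved(records: List[Record]) -> List[Record]:
    """Records for products that are not on the allowlist at all."""
    return [r for r in records if r.product not in ALLOWLIST]


def summarize(text: str) -> dict:
    """Counts for a quick dashboard line; the lists are what an analyst acts on."""
    records = parse_inventory(text)
    return {
        "records": len(records),
        "compromised": len(find_compromised(records)),
        "unapproved": len(find_unapproved(records)),
    }


if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    for r in find_compromised(recs):
        print(f"PATCH NOW  {r.host}: {r.product} {r.version} Build {r.build}")
    for r in find_unapproved(recs):
        print(f"NOT ALLOWLISTED  {r.host}: {r.product} {r.version}")
    print(summarize(SAMPLE_INVENTORY))
```

Note that the match is on the exact build number: Xftp Build 1219 and Xmanager Build 1046 in the sample are neighbours of the affected builds but are not flagged, because the quote names only the July 18 builds. The allowlist check is independent of the build check, which is the point of whitelisting in the paragraph above: the fewer products that pass it, the fewer you have to compare against advisories like this one.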

Printers still big risk

In a recent blog, Tenable researchers described vulnerabilities in HP business printers.   This is just one vendor, but I’m sure a close look at other printer products would reveal problems across most (if not all) manufacturers.

As we evaluate and manage IoT risk, we should never forget about printers, fax machines, and other devices that have long lived on our networks.  How are you controlling the risk?

Cloud service providers still don’t get it…

This has been an interesting week.  First, my old website provider (initial Y) decided to break my email.  When I called to have it fixed, I was told it would take 48 hours.  When I informed them this was their fault, they continued providing me with formulaic responses that meant nothing.  So I decided to move to another provider.

Well… I did some research and decided to go to a highly rated site (initial i).  Everything was fine until I entered an online chat to get help with an issue.  The first thing the support person asked me for (as part of identity verification) was my answer to my secret question.  Those security professionals out there know this is just plain wrong.  I immediately cancelled my subscription.

My new provider, HostGator, seems to get it.  I had to create a PIN instead of answering a secret question.  In addition, chat sessions require me to authenticate using my HostGator credentials.  This provides immediate verification without asking for information the support tech should not have.

Granted, these are small providers… unlike Amazon, Microsoft, Google, etc.  However, how many people use these services to post information?  How many of these sites have questionable business continuity assurance or security?  For example, ‘i’ likely has other security issues if they believe asking for a customer’s secret question response is a good idea.

Oh, well.  I am settling into my new website home.  ‘Y’ and ‘i’ will just have to get along without me…