Posted by Taylor Armerding on Tuesday, September 4th, 2018
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup.
Fixing the CVE program, your personal data has already “checked out,” and it even “may potentially” have taken flight. Watch this week’s episode below to see why these stories are trending or read the transcript below.
via Catalin Cimpanu, BleepingComputer: Almost 20 years ago, in 1999, a great idea came into being with the creation of the Common Vulnerabilities and Exposures (CVE) List. The idea behind the CVE program was this: Everybody who found an exploitable flaw or bug in software or firmware would notify a single organization (the nonprofit, federally funded MITRE Corp.). That organization would assign the vulnerability an identification number and maintain a database containing relevant info about all known vulnerabilities. It’s like crowdsourcing security. But cyber security today is not like it was in the early days of the CVE program. Watch this segment to learn why it’s trending.
via Shaun Nichols, The Register: Hacks of personal data are now just about a daily occurrence. And one of China’s biggest hotel chains joined the list of victims last week when a number of security firms noticed that data for about 130 million guests of the Huazhu Hotel Group was up for sale for about $56,000 in Bitcoin on a Chinese dark web forum. Watch this segment.
via Pete Evans, CBC News: Two of the most ominous words in an announcement about a data breach are “may” and “potentially.” Air Canada announced last week that the personal data of about 20,000 users of its mobile app “may potentially have been improperly accessed.” Of course, every user of the app should translate that as “definitely” and “already.” What data “may” have been compromised? At a minimum, users’ names, email addresses, and telephone numbers. Watch to learn why this story is trending in security.
Hello, and welcome to Episode 17 of the Weekly Security Mashup. I’m Taylor Armerding, senior security strategist with the Synopsys Software Integrity Group, back again to talk about what’s trending in software security and insecurity, including how to improve your own security.
And at the top of this week, Page 1: Vulnerable on vulnerabilities. Almost 20 years ago, in 1999, a great idea came into being with the creation of the Common Vulnerabilities and Exposures, otherwise known as CVE, database. The idea was that everybody who finds an exploitable flaw or a bug in software or firmware notifies a single organization—in this case, the nonprofit, federally funded MITRE Corporation—which will then maintain a database in which each is assigned an identification number. It’s kind of like crowdsourcing security.
But any good idea needs a good execution. And over the past several years, the complaints about it have mounted—among them, that thousands of vulnerabilities haven’t made the list, that MITRE isn’t responsive, and that it rejects many of these submitted bugs as being “out of scope.” Which means, as a number of experts put it, that those using the database are left with a significant blind spot.
This has been going on for a while. We wrote about it most recently in March on the Synopsys blog. And all of which eventually got the attention of Congress, since the program is, after all, federally funded and, as the House Committee on Energy and Commerce put it in a report issued last week, considered “critical cyber infrastructure.” The committee sent letters this past week to the Department of Homeland Security, which funds the program, and to MITRE with findings and recommendations that mostly mirrored what security researchers and the press have been saying at least since 2016.
The report, which took 17 months to complete, calls for more consistent funding by giving the CVE program its own PPA (program, project, or activity) line item. It had declined about 37% per year from 2012 to 2015 and then spiked by 139% in 2016. And the committee called for much more consistent oversight and analysis, noting that both DHS and MITRE had done essentially no analysis of the stability and/or effectiveness of the program. So they recommended that they do so at least every other year.
The budget recommendation should please Kent Landfield, chief standards and technology policy strategist at McAfee and a founding member of the CVE Board, who told me in March, “We need a line item. I’d love to see discussion about that in Congress, especially when it’s so crucial.” So there you go, Kent. At least this committee heard you. But given the speed—or lack of speed—with which the wheels of bureaucracy turn, that may yet take a while.
Page 2: Your personal data has already been checked out. Hacks of personal data are now just about a daily occurrence. And one of China’s biggest hotel chains joined that list last week when a number of security firms noticed that data for about 130 million guests at the Huazhu Hotels Group was for sale for about $56,000 in Bitcoin on a Chinese dark web forum. BleepingComputer, which broke the story, said Huazhu operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities. And Tim Mackey, senior technical evangelist at Black Duck by Synopsys, noted that “this is bigger than just China. The chain owns Novotel, Ibis, and Mercure,” with hundreds of locations in dozens of countries.
The data for sale include official website registration information, which means the ID card number, mobile phone number, email address, and log-in password. Then there is check-in registration information (which adds name, home address, and birthday) and finally booking information (which adds check-in and departure time and even the room number).
The chain hadn’t responded to press inquiries as of last week, but published a statement that it is still investigating the breach and has notified authorities. And a Chinese cyber security company said what likely led to the breach was that Huazhu’s development team uploaded copies of their database on a GitHub account. That, Mackey said, should be a warning. “Development teams using public source code systems like GitHub and public continuous integration, or CI, systems need to recognize that any developer activity that causes a push to a public repository or a public branch can be viewed by others, he said, adding, “To combat the potential for credentials, configuration information, and data from leaking out, these teams need to have strong policies surrounding how debugging of CI occurs, where forks of code by core developers are located, and the conditions under which a push to a public branch for CI occurs.” Good things to keep in mind.
Page 3: Your data “may potentially” have taken flight. Two of the most ominous words in an announcement about a data breach are “may potentially,” as in Air Canada’s announcement last week that the personal data of about 20,000 users of its mobile app “may potentially have been improperly accessed.” Which every user of the app should translate as “definitely, already.”
What data may have been compromised? At a minimum, users’ names, email addresses, and telephone numbers. But if users had added more than the basics to their profile—such as their Aeroplan number, passport number, NEXUS number, known traveler number, gender, birth date, nationality, passport expiration date, passport country of issuance, and country of residence—all of that could have been compromised as well. Which should be a warning that when you’re creating an app profile, stick to the minimum required.
The company said it detected “unusual log-in behavior” between Aug. 22 and 24. It “immediately took action” to block any further attempts and said it believed only about 1%—20,000 of its 1.7 million app users—might have been compromised. But it locked all the accounts and sent instructions on how to reactivate them, which led to a number of complaints on social media from users who couldn’t do so. The company’s announcement on its website asked users to be patient and to “wait several hours and try again.”
In this case, there “may potentially” have been minimal damage. But Amit Sethi, senior principal consultant at Synopsys, says there is “no excuse for organizations to still be relying solely on passwords for authentication”—especially, as was the case with the Air Canada app, a limit of 6–10 characters with no special characters allowed. “Everyone who uses a mobile app has a mobile device that they can use to enroll in several types of multifactor authentication,” he said. Unless, of course, spending a few seconds on added security is too much of a burden when you want instant access to your app.
And that’s it for this week. The Weekly Security Mashup is a group effort, so thanks again to our entire content, and thanks to you for watching. Help us spread the word. Tweet it like it, share it, like it, and come back again next week. I’m Taylor Armerding for the Synopsys Software Integrity Group, where we help organizations build secure, high-quality software faster.
Get the latest AppSec news and trends sent directly to you.