Posted by Taylor Armerding on May 10, 2018
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Weekly Security Mashup episode.
via Brian Krebs, security blogger – Krebsonsecurity.com – Hosts of companies using the online collaboration tool Trello.com share passwords for sensitive internal resources.
via Catalin Cimpanu, security editor – Bleeping Computer – Argentinian researcher, Ezequiel Fernandez, has published a powerful tool that can easily extract plaintext credentials for nearly a dozen DVR brands.
via Chris Duckett, editor, ZDNet – Just because you can solve your problems with a blockchain doesn’t mean you should, according to RSA CTO Zulfikar Ramzan.
via Charlie Osborne, contributor, ZDNet – Gartner says that the majority of enterprise players have no intention to develop or use distributed ledger technologies.
Hello, I’m Taylor Armerding, senior security strategist with the Synopsys Software Integrity Group, and welcome to the premiere, the inaugural episode of the Weekly Security Mashup, where we talk about what’s trending in software security and insecurity.
So, getting right to it, Page 1. We frequently hear that when people do bad things, we shouldn’t blame the tool they used. And that was at least part of the message from security blogger Brian Krebs this week in a post about people using the online collaboration tool Trello.com to share passwords for sensitive internal resources in plaintext. He found “a host” of companies, including an insurance firm, a state government agency, and the ride-hailing service Uber, where employees who ought to know better were sharing company information with the wide world via the World Wide Web.
But it wasn’t the tool’s fault. Krebs noted that employees were “manually sharing personal boards that include proprietary employer data—information that may be indexed by search engines and available to anyone with a Web browser.”
An Uber spokesperson said the Trello board Krebs found was created by employees who used their work email to open an unauthorized public board. And she offered this considerable understatement: “Employee awareness is an ongoing challenge. We may have dodged a bullet here, and it definitely could have been worse.”
Oh, yes. As numerous experts regularly say, passwords as a single method of authentication are not nearly enough. Passwords in plaintext? They’re a wide-open door.
Page 2: And while we’re on plaintext, BleepingComputer and others are reporting that an Argentinian security researcher, Ezequiel Fernandez, has published a powerful tool that can easily extract plaintext credentials from nearly a dozen DVR brands, all either made by TBK or sold as rebranded versions of TBK hardware. A Shodan search showed an estimated 55,000–65,000 of these DVRs exposed to the internet worldwide.
That kind of access means an attacker can easily play Big Brother, watching or even controlling those video feeds. It could also be one of the simplest exploits out there. By sending a request to the device’s control panel with a short, crafted cookie header, Fernandez found the device would respond with its credentials in plaintext. The entire exploit is short enough to fit within a tweet.
If there is any good news, it’s that the vulnerability already has a CVE identifier, CVE-2018-9995. And owners can mitigate it by restricting access to the DVR’s management interface to trusted IP addresses only, and ideally by not exposing that interface to the internet at all. Still, with the proof-of-concept code for the tool now available on GitHub, it is expected to become one of the more widely exploited security bugs of the year. You have been warned.
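The mitigation described above, restricting the management interface to trusted addresses, is simple to state but easy to get wrong at the edges (unparseable client addresses, IPv6 clients against an IPv4 allowlist). The following is an added example, not code from the original post or from the researcher’s tool: a small Python policy check that decides whether a client address is trusted, audits a constructed sample of web-server access-log lines for requests from outside the allowlist, and prints the equivalent firewall rules. The networks, log lines and paths are made up for illustration; nothing here reproduces the exploit itself.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample access-log lines in common log format. These are NOT real
# device logs; the paths and addresses are placeholders for the example.
SAMPLE_LOG = """\
192.168.1.23 - - [08/May/2018:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 512
203.0.113.45 - - [08/May/2018:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 188
10.0.0.7 - - [08/May/2018:10:02:11 +0000] "POST /cgi-bin/config HTTP/1.1" 200 33
198.51.100.9 - - [08/May/2018:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 188
"""

# Hypothetical allowlist: the networks an operator would consider trusted.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def is_trusted(ip: str, networks: Iterable[ipaddress._BaseNetwork] = TRUSTED_NETWORKS) -> bool:
    """Return True only if ip parses and falls inside one of the trusted networks.

    Fails closed: an address that cannot be parsed is treated as untrusted, and an
    IPv6 client never matches an IPv4 network (ipaddress handles the version check).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def untrusted_hits(log_text: str,
                   networks: Iterable[ipaddress._BaseNetwork] = TRUSTED_NETWORKS
                   ) -> List[Tuple[str, str, str]]:
    """Return (client, method, path) for every parsable request from an untrusted client."""
    networks = list(networks)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if not is_trusted(m["ip"], networks):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits


def iptables_rules(networks: Iterable[ipaddress._BaseNetwork], port: int) -> List[str]:
    """Render the same allowlist as iptables rules: accept trusted sources, drop the rest.

    Order matters: the ACCEPT rules must precede the final DROP for the port.
    """
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in networks]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, method, path in untrusted_hits(SAMPLE_LOG):
        print(f"untrusted access: {ip} {method} {path}")
    print("\n".join(iptables_rules(TRUSTED_NETWORKS, 80)))
```

Run against the constructed log, the audit flags the two requests from 203.0.113.45 and 198.51.100.9, both outside the allowlist, and the rendered rules accept the two trusted networks on port 80 before dropping everything else. On a real device the same allowlist belongs on a firewall or router in front of the DVR, since the vulnerable web interface itself cannot be relied on to enforce it.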
Page 3: Perhaps you’ve heard of blockchain technology. Let me rephrase that: Perhaps you’ve been hearing endlessly about blockchain, that not only can it make cryptocurrency transactions secure and private but that it can improve just about anything else, including the security and credibility of U.S. elections. So you might have thought blockchain would have taken the recent RSA Conference by storm.
Not so much. Yes, there were a number of sessions on it. But it may already have reached what the Gartner Hype Cycle describes as the “peak of inflated expectations” and begun to fall into the “trough of disillusionment.” As RSA CTO Zulfikar Ramzan told ZDNet this past week, “It’s become this magical pixie dust, where people think you can solve all problems. … You can buy a sledgehammer to push a thumbtack into a wall. You could also just use your thumb. It’s a much cheaper solution, and probably better for other reasons as well,” he said.
And the word from Gartner this week is that Ramzan either has a lot of company or that people are listening to him. As ZDNet put it, the research firm found that “blockchain technology adoption in the enterprise is limping along at only 1%, with the majority of Chief Information Officers displaying little interest in it.”
That is despite mega companies like IBM, Microsoft, JPMorgan Chase, and Visa working with it, and despite a seemingly endless range of possible uses, including cross-border payments, smart contracts for the sale and purchase of assets, secure recordkeeping, medical records, and supply chains. Which means it may yet follow the rest of the hype cycle, climbing out of the trough to the “slope of enlightenment” and finally the “plateau of productivity.”
And that’s it for this week. The Weekly Security Mashup is a group effort, so big thanks to our social media queen and producer, Beth Gannett; to our content gurus, Liz Samet and Mark Van Elderen; to our Final Cut pro, Rachel Felson; and to our beloved team leader, Cameron Caswell. And thanks to you for watching. Help us spread the word. Tweet it, link it, share it, and come back again next week. And until then, stay safe, stay secure, and help make others secure. I’m Taylor Armerding for the Synopsys Software Integrity Group. We help organizations build secure, high-quality software faster.