
Security Bits — 24 November 2024

Feedback & Followups

Deep Dive 1 — Taking Stock

As we approach the end of the year, summary reports start to come out. These reports mostly focus on the enterprise, so at first glance, they’re not that relevant to this segment, but if you scratch a little deeper they are. Our security depends on two things:

  1. The actions we choose to take and fail to take
  2. The actions the companies we choose to trust choose to take and fail to take

It’s that second one that these reports are relevant to. Something that’s depressingly consistent in these reports is that there is a surprising amount of low-hanging fruit left for attackers to exploit. This is why there are moves on both sides of the Atlantic to try to establish cybersecurity baselines.

The concept of a baseline is not new — we already have them for sectors of the economy like finance & healthcare, and for government agencies. In an ideal world, there would be a spectrum of baselines and every company and organisation that processes customer data would fall somewhere on that spectrum. No one would get away without at least some baseline responsibilities. Nothing like that is on the cards yet, but there are new baselines in various stages of rollout on both sides of the Atlantic, and they’re expanding the net.

The specifics vary wildly, but if you zoom out, the kinds of organisations that are finding themselves having to prepare for new or expanded mandated baselines of some kind include:

  • Government contractors
  • Critical infrastructure providers (energy, water, communications etc.)
  • Educational institutions
  • Organisations holding a lot of personal data

One particularly broad-reaching idea that is gaining traction in Europe is the idea of making software vendors liable for damage caused by negligence on their part. Every software license I’ve ever read includes a clause forcing users to disclaim all rights to compensation for damages. The proposed laws would make those clauses unenforceable throughout all of Europe. In effect, this would put a baseline of not being ‘negligent’ on all software vendors doing business in Europe. It would seem sensible in this kind of world for regulators to release or endorse some kind of best practices like those put out by various organisations already as a working definition of what you need to do not to be negligent.

What has all this to do with end of year reports? Well, those reports illustrate why there is so much momentum towards baselines these days — clearly, the free market alone is not succeeding in delivering even a reasonable cybersecurity baseline.

The Most Exploited Vulnerabilities of 2023

The first report that caught my eye is a joint report by the relevant national security agencies in the so-called Five Eyes 🇦🇺🇨🇦🇳🇿🇬🇧🇺🇸. This report lists the vulnerabilities most often used by attackers in successful attacks on enterprises in 2023.

The report’s main calls to action are:

  1. For software vendors to adopt a Secure by Design approach
  2. For organisations to put better patch management systems in place so they don’t let so many systems stay so unpatched for so long

To save you trying to find the relevant bits in a long report, I’d recommend the reporting from Bleeping Computer, which includes the list as a nice table.

Looking at the list, my two conclusions are:

  1. Too many organisations are disappointingly slow to patch even the really well-known bugs that make the mainstream news, let alone the less newsworthy run-of-the-mill bugs. The low-lights for me are that the top 15 include:
    • Log4J, which was once a zero-day, but not in 2023!
    • MOVEit, which did start as multiple zero-days in 2023, but there were patches, massive media coverage, and alerts from major CERTs (Cybersecurity Emergency Response Teams) all over the world within hours. It should not have been reacted to slowly enough for it to make this list!
  2. Too many organisations are too slow to patch the absolute most critical stuff, like their firewalls, remote access tools, and core systems like collaboration tools:
    • Citrix, Cisco, Fortinet, Barracuda & Microsoft dominate the list
    • Pushback from management against downtime and the risk of patching quickly likely plays a big part, but I really don’t think the risk of not patching is properly factored in much of the time

Links

The 25 Most Exploited Vulnerability Types of 2024

The second report that caught my eye is from MITRE, the not-for-profit that manages the critically important MITRE ATT&CK framework (a common taxonomy of tactics & techniques used by cyber attackers) that has revolutionised modern cybersecurity tools. MITRE’s report lists the 25 most exploited types of vulnerability seen between July 2023 & 2024. In other words, what are the most common types of software bugs?

Like with the Five Eyes report, Bleeping Computer has a nice summary with a table.

Again, my takeaway is how depressingly old many of these vulnerability types are, and how easy they would be to prevent with simple best practices and modern tooling:

  • Trivial data validation bugs that have been understood for decades still dominate the list:
    • Cross Site Scripting is still at No. 1, and its slightly more subtle cousin Cross Site Request Forgery is at No. 4 (up five places since 2023!)
    • SQL Injection is still at No. 3
    • Path traversal (letting things like ../ sneak into user input that gets translated to a file path or URL) is at No. 5, up 3 places since 2023!
    • OS command injection is at No. 7, and other generic command injections are at No. 13
    • Finally, all other generic input validation issues are at No. 12
  • Despite a wealth of modern memory-safe languages that make a whole raft of bugs impossible, lots of code is clearly still being written in old memory-unsafe languages like C, and without the software engineering tools designed to compensate for those languages’ well-understood shortcomings being deployed:
    • Out-of-bounds writes (like buffer overflows) are at No. 2; I guess it’s progress that they’re down one place since 2023 😕
    • Out-of-bounds reads and use-after-free errors are at Nos. 6 & 8, and they lead to leaks of memory contents like Heartbleed 🙁
    • Code injection (making things like remote code execution possible) is not just still on the list at No. 11 but up a whopping 12 places!
    • Null pointer dereferences leading to app crashes are also still on the list, though they’ve dropped nine places to No. 21
    • Even a trivial problem like the good old integer overflow is still on the list at No. 23, though thankfully down nine places
  • Leaky security controls are still a big problem, which implies to me there is not enough penetration testing being done by vendors:
    • Improper authentication, improper privilege management, and improper authorisation are at Nos. 14, 15 & 18, with the latter two up by seven & six places!
    • Exposure of sensitive data to unauthorised actors, i.e. data leaks to software or people, is at No. 17, up a whopping 13 places. I guess that helps explain why we still have so many data leaks 🙁
    • Missing authentication on critical function rounds out the list at No. 25, thankfully down five places
  • Hardcoded credentials are still a thing in 2024 🤯 — though they are down at No. 22, and have fallen 4 places
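The path traversal item above says the bug is "letting things like ../ sneak into user input that gets translated to a file path". This added example (not code from the Security Bits post or from MITRE) shows why the naive fix keeps the bug on the list: a literal check for "../" beside a resolve-and-contain check that decodes and normalises first. The upload root and the sample inputs are constructed for the demo.

```python
# Added example, not code from the Security Bits post: the path-traversal
# check the list item above describes. A naive substring filter is shown
# beside a resolve-and-contain check. BASE_DIR and the inputs are constructed.
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/app/uploads"  # constructed upload root for the demo


def naive_is_safe(user_path: str) -> bool:
    """The kind of check that keeps this bug on the list: a literal search
    for '../' that URL-encoded or backslash variants walk straight past."""
    return "../" not in user_path


def resolve_under_base(user_path: str, base: str = BASE_DIR) -> Optional[str]:
    """Decode, normalise, then require the result to stay inside base.

    Returns the resolved absolute path, or None when the input is absolute
    or normalises to something outside base (the traversal case)."""
    decoded = unquote(unquote(user_path))  # undo single and double encoding
    decoded = decoded.replace("\\", "/")  # treat Windows separators alike
    if decoded.startswith("/"):
        return None  # absolute paths are never user-selectable here
    joined = posixpath.normpath(posixpath.join(base, decoded))
    if joined != base and not joined.startswith(base + "/"):
        return None
    return joined


if __name__ == "__main__":
    for p in ("reports/2024.pdf", "../../etc/passwd", "..%252F..%252Fetc/passwd"):
        print(f"{p!r}: naive={naive_is_safe(p)} resolved={resolve_under_base(p)}")
```

The double-encoded input passes the naive filter but is rejected by the contain check, which is the difference between a validation bug and a fix.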

Links

Deep Dive 2 — Some Interesting Security Announcements at Microsoft Ignite 2024

Microsoft’s equivalent of Apple’s big WWDC event is their annual Ignite event, and Microsoft Ignite 2024 ran from the 17th to the 23rd of October.

From a cybersecurity point of view, the biggest news was the new high-level initiative to boost Windows security and resiliency.

One of the obvious inspirations for this new security and resiliency push was the infamous CrowdStrike outage over the summer. Two announcements in particular are clearly direct responses to that incident:

  1. Microsoft officially announced that they are working with cybersecurity vendors to add the needed APIs to allow 3rd-party security tools to run outside of the kernel (like they already can on macOS & Linux). This work is happening through the Microsoft Virus Initiative.
  2. Windows 11 is getting a new recovery tool that lets admins remotely fix computers that fail to boot (like those afflicted by the CrowdStrike bug!)

The focus wasn’t entirely on preventing a next ‘CrowdStrike’. There were some other nice announcements too:

  1. Windows 11 is getting a new Admin Protection feature:
    • When local admins log in, they run as regular users, but have the power to elevate to Admin when needed, massively reducing the damage malware can do without tricking the user or exploiting a bug for privilege escalation
    • The user experience is Apple-like: Windows Hello is used to authenticate admin actions
  2. HotPatch (kernel updates without reboots as we have on Linux, but not yet macOS) is now in test on the latest insider builds of Windows 11
  3. Microsoft is testing new APIs to allow Passkeys stored in 3rd-party apps to be used for Windows Hello (like Face ID) — partners include 1Password 😀

Links:

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 A link to video content.
