Little Pig, Little Pig! Let Me Admin! (Security Thread)

[Mongrel]

Shit, I already don't trust security updates.

[Brentai]

Yeah, it's probably actually good for people to not blindly accept that everything a corporation pushes onto their system is going to be for their protection and benefit. I like the idea of the general public becoming more skeptical about everything being connected and modifiable by a remote party. That's probably a better move for WAN security than "Let's definitely assume every printer, refrigerator and air filter manufacturer is going to reliably secure its firmware."

[Thad]

It would be if the result was going to be "learn more about security and make sure you handle it personally, or get somebody who knows how to help you."

You know that's not going to be the result. The result is going to be that end users refuse any updates they're given a chance to refuse, and publishers respond by making it increasingly difficult to refuse updates.

That is not a good result. In the absolute best-case scenario, it takes us back to where we were before automatic updates, except back then most households only had one or two unsecure computers.

[Brentai]

Well no I was hoping it would result in "End users become skeptical of unnecessary connectivity." The best way to secure your printer is don't put a separate client on your printer.

So yes, I guess I'm pushing for that exact best-case.

[Thad]

OK, yeah, I'll buy that. I think networked printers are here to stay, but a lot of consumers DO seem to be getting more wary about the IoT, and that's a win.

That said, MS's update tactics over the past few years are similarly dangerous.

[beatbandito]

I fell into a Microsoft "security update" trap a couple months back, myself.

I kept getting notifications to connect my work laptop to a windows live account or otherwise an accident may happen to all my poor data, and no one wants that. I couldn't put the time into making it go away permanently, since it's not like closing it and disabling notifications should do that or anything, and finally just logged in to my existing account to link them.

It then proceeded to completely fuck all the network connections to my laptop, because I wasn't actually just linking to a WL account, I was replacing my user account with it.

[Büge]

I kept getting notifications to connect my work laptop to a windows live account or otherwise an accident may happen to all my poor data, and no one wants that.

That's not a security update. That's a protection racket.

[Büge]

[beatbandito]

I use a... 'network of doctors' I guess is the terrible name for only ever having to go to one building for specialists, and they have their own app to coordinate scheduling, patient information, payment information, and the like.

The other day I got the account disabled by trying too many incorrect passwords. Today it still wont let me in and gives a number to call to restore access. I give that number, give my name and birthday, and he reset the password.

This isn't to say he started the password recovery process or sent me an email with how to restore the information. The operator said "okay, your password is 1234 now, so use that to sign in and then change it back to whatever you want."

Which is... frightening.

[Thad]

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

Bush league shit. You view a document, it has a URL ending in a number; if you manually enter other numbers, you can see other documents.

Say, you guys remember that temp job I had where I was working in a warehouse, and my bosses tried to get me promoted to desktop architecture, but management in Santa Ana declined and laid me off at Christmas? Yeah, these fucking guys.

I'm not saying "you know, if they'd given me that promotion, this wouldn't have happened," because who knows where I'd be right now if I'd gotten that desktop architecture gig; there's certainly no guarantee I would have wound up in web development, or even a job where I'd ever look at that website.

But I am saying that FATco had at least one worker who was a competent web developer who would have spotted this if he'd ever been given the opportunity, and with a staff of 18,000, I bet I wasn't the only one.

[Mazian]

Lovely. I'd be in those records.

I look forward to nothing happening, or receiving a form letter about how customer privacy is always their top priority, and then nothing happening.

[Mongrel]

I will say that the only thing that really makes this all that notable is that not doing shit like this is ostensibly their primary purpose.

[Brentai]

They're also one of those entities that's allowed access to deeply sensitive information even if you have no business relationship with them.

[Mongrel]

lmao

[Thad]

Here's what I had to say about that in 2017. My opinion is unchanged.

Equifax CIO and CSO "retire".

Seeing a lot of misogynistic commentary directed at the CSO, Susan Mauldin, mostly over a LinkedIn profile that showed she had degrees in music composition -- it also shows she'd held security positions at other companies, but everybody seems awfully interested in the "composition degrees" part, and it's hard to read those posts as anything but code for "girls can't computer".

It's unclear, at this point, just exactly what happened. We know they didn't patch a serious Struts vulnerability, and the Argentina region had a website with admin:admin as the username/password, but going straight from "someone made some very bad security decisions" to "music major" is awfully reductive.

It's entirely possible that this resulted from decisions that Mauldin made personally. And even if it didn't, the buck stops with the CSO; firing her was the right and necessary call.

Somebody -- almost certainly multiple somebodies -- fucked up here. It's entirely possible that Mauldin was an incompetent CSO who was either unaware of a serious vulnerability, or was aware of it and chose not to plug it in a timely fashion. It's also possible that she tried but was stymied by other executives (this isn't a simple matter of installing a patch; it would have meant installing a patch and then recompiling every Struts project on every website, which is exactly the kind of risky, time-consuming, and expensive process a short-sighted executive might put the kibosh on, and whatever else we know about Equifax at this point, we definitely know it is a company with short-sighted executives). Time will tell, and I'm sure there's plenty of blame to go around.

It may very well be that most of the blame rests with the CSO; it may very well be that she was dangerously unqualified. But I think too many people are drawing that conclusion too early, based on nothing more than a LinkedIn profile.

Here's a related article from the WaPo: Equifax’s security chief had some big problems. Being a music major wasn’t one of them.

[Mongrel]

I wish that article had had literally anything on what, if any, mistakes HAD been committed by Equifax's security department.

As it stands, it's still a solid rebuttal of the general idea that a tech person needs specific formal qualifications, but does nothing to defend that CSO specifically (other than noting she did hold previous tech positions, though nothing particularly notable).

[Mongrel]

Tech Crunch: Over 750,000 applications for US birth certificate copies exposed online

An online company that allows users to obtain a copy of their birth and death certificates from U.S. state governments has exposed a massive cache of applications — including their personal information.

More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications, but these could not be accessed or downloaded.)

The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.

[mharr]

I was reading the whole thing as simple proof that promotion in the moneysphere is 100% who you know and 0% what you know. The gender issues are a distraction from the world being de facto ruled by a bunch of Disney movie Grand Viziers.

[Thad]

If you're running Windows 10, you're gonna wanna run updates now. Certificate authentication is broken wide open; an attacker can pass off malware as a trusted app, or spy on your encrypted communications. No actual exploits reported in the wild yet, but now that the vulnerability is known, expect to see it exploited within days if not hours.

[Mongrel]

Clickbait garbage aside, the WaPo also published this absolutely fascinating longform article today:

https://www.washingtonpost.com/graphics ... espionage/

‘The intelligence coup of the century’
For decades, the CIA read the encrypted communications of allies and adversaries.

----

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.

The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.