I have two "by the numbers" features for you today: First (item #4) is a report on who actually owns the VPN products on the market, and how vendors haven't been forthcoming about that ownership. Second (item #5) is a report on how poorly SMBs maintain their infosec. And the usual note about the latest funding events in our space is in item #10.
As I mentioned last week, for the remainder of the year there will be no Tuesday Inside Security edition.
Finally, RIP Mike Assante. He lost his battle with cancer, even after winning so many battles over key industrial and infrastructure security issues. Assante was a giant among us and will be remembered for numerous innovations and leadership roles.
-- David Strom
1. Huawei continues to have issues. First are reports of strong links between Huawei employees and Chinese intelligence agencies; Huawei says such backgrounds are extremely common. So why did the company try to hide those credentials? Next, Swascan reported three major vulnerabilities in Huawei's web application products, including out-of-bounds memory accesses and command injections; the two companies worked together to fix them. Finally, researchers at Finite State identified further bugs across a range of Huawei firmware images. "In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors," they stated in this report.
2. In other China-related news, researchers have found new instances of multiple Chinese threat actors using exploits for Microsoft's Equation Editor. The bug, CVE-2018-0798, was disclosed last year; it is a stack buffer overflow that leads to remote code execution when a victim opens a crafted document. This post describes how it works. -- ANOMALI BLOG
3. British Airways faces a massive £183 million (about $229 million) fine announced by the U.K. regulator ICO. The penalty is for a data breach that ran from May to September last year, in which the personal data of more than half a million customers was compromised, in violation of the GDPR. Carl Gottlieb has some excellent perspective. -- ICO
4. By the numbers, part 1: VPN ownership
From a pool of almost 100 VPN products, researchers found only 23 distinct owners. Several vendors have misrepresented the extent to which they own other brands, including j2 and AnchorFree. Most of the popular mobile-only VPNs, and a third of the overall pool, are owned by Chinese entities. Gaditek, a Karachi-based company, owns several VPN brands and also runs a series of "independent" VPN review sites. Remember that a VPN only shifts trust from your ISP to the VPN operator, so the operator's true ownership and jurisdiction matter: providers operating from the U.S., Pakistan or China are subject to surveillance by those governments (the latter two without any search warrant), which defeats the whole purpose of using a VPN. -- VPNPRO
5. By the numbers, part 2: Outdated SMB infrastructure worse than you might have thought
Researchers have found that many SMBs don't maintain their systems. The data comes from telemetry collected by Alert Logic's SIEM across a global customer base of more than 4,000 customers and more than 10 trillion log messages, covering November 2018 to April 2019. It shows about 5,000 attacks a day against this group.
The vast majority of them haven't kept up with patches, almost half have misconfigured encryption, and two-thirds haven't properly set up their cloud services or haven't properly protected key protocols such as SSH and HTTPS. Worse yet, two-thirds of the scanned devices run outdated, unsupported versions of Windows such as XP and NT, as you can see from the bar chart above. "That is a ticking time bomb for organizations," said the report's authors. Virtually no one is using Windows Server 2019, for example, the newest server version.
Also, nearly half of all SMB systems run outdated Linux versions, and a third run end-of-life email servers such as Exchange 2000 (Microsoft ended support for that version in July 2010). And many SMBs still rely on weak or broken hash algorithms such as MD5 and SHA-0, which should be replaced with stronger ones such as SHA-256. -- ALERT LOGIC BLOG
6. The FBI and Immigration and Customs Enforcement have been running thousands of facial recognition searches against state driver's license photo databases, without the drivers' consent, according to this report. That means the photos of many people who have never been charged with a crime are being searched. Given that this is being done without any explicit legal authorization, Congress is gearing up for legislation to regulate these activities. Both San Francisco and Somerville, Massachusetts, have already banned police and other municipal agencies from using any facial recognition software. -- WASHINGTON POST
7. Hackers compromised the credentials of a Canonical-owned GitHub account. Canonical maintains Ubuntu, one of the most popular Linux distributions, and the account is used to post updates to portions of the OS and related apps. The company says no source code was affected, and the compromised account was swiftly removed from its GitHub organization. -- THE HACKER NEWS
8. If you are shopping for a DDoS mitigation and prevention product, this post summarizes the various approaches. There are three basic options: an on-premises appliance, hybrid on-premises plus cloud protection, or a purely as-a-service offering from your ISP. -- CORERO BLOG
9. Did you know there are ten different types of phishing attacks? This post reviews them all, including CEO fraud, domain spoofing, fake HTTPS sites and watering holes. This is a valuable post for your managers to review. -- THE SSL STORE
10. Funding news of the week
TrapX received an $18M funding round led by Ibex Investors. It makes cyber deception technology and is based in San Jose. Its CEO is Moshe Ben-Simon.
Polyrize received a $4M seed funding round led by Glilot Capital Partners. It automates authorization security processes and is based in Tel Aviv. Its CEO is Nati Hazut.
Sweepatic received a $1.1M funding round led by eCapital. It is based in Belgium and makes an asset security tool for Internet-facing systems. Its CEO is Stijn Vande Casteele.
This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).