Inside Security | Inside

[ Inside Security ]

David Strom's in-depth cybersecurity news and analysis

David’s Take

If you aren't yet a Premium subscriber, you missed yesterday's analysis about null passwords and the lack of authentication in network printers and other places online. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

Speaking of lacking access credentials, researchers have discovered an XXE vulnerability in HP’s Project and Portfolio Management Center. This involves an XML external entity injection vulnerability, which allows an attacker to exploit the application that parses XML input and reflects it back to the user without any validation.  HP is aware of the issue but hasn’t yet provided a patch. 

In a survey of 600 IT professionals, about two-thirds of users never change their default passwords, and more than 70 percent of respondents regularly use public Wi-Fi for their work tasks. There are other old chestnuts in this Verizon mobile security report that are worth showing to your superiors, if they need reminders.

--David Strom, editor of Inside Security

Email x1 cybereason

Top Story

Usually in the top story I feature some technical exploit that has a wide-ranging impact on numerous devices. Today I want to highlight this report from Cybereason. They talked to multiple CISOs and CSOs from a range of industries to get their insight on how security leaders can be seen by boards as business-savvy leaders instead of technology hobbyists. Security managers need to learn the language of business and not just the latest techobabble, start thinking about revenue opportunities and implications, and communicate real-world impacts of breaches and exploits. While none of this is news to savvy CISOs, it bears repeating and is packaged in a nice concise paper that could be a good refresher. – CYBEREASON (pdf)

Email x1 cisco

Cisco’s annual cybersecurity report provides some dire warnings. Burst attacks have grown in complexity, frequency, and duration. In one study, 42 percent of the organizations experienced this type of DDoS attack in 2017. In most cases, the recurring bursts lasted only a few minutes. More than half of all attacks their analysts observed have resulted in financial damages of more than $500,000. Also, cybercriminals are adopting command channels that rely on legitimate Internet services like Google, Dropbox, and GitHub – along with using encrypted communications (see graphic below) to hide their efforts. There is a lot more insight here to review. – CISCO REPORT

Subscribe to Inside Security

Many thanks to Inside Security's corporate supporters.  Please go check them out!


Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more


Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more


Password 123

What do a networked printer and GitLab have in common? They both avoid any authentication whatsoever and allow users access without any passwords. Come on, people it is 2018! It is time to get real with authentication. Granted, most of the world has moved on to talk about strong authentication, but how about doing any auth? Even a password of “123456” is better than a blank space.

For years Lexmark network printers had their default setup with no passwords, which made it dirt simple for anyone to take them over if an attacker could suss out their IP address. Lexmark, when contacted by reporters, claimed this was a feature and not a bug, as it gave its customers flexibility in setting up their printers. The sad part of this story was this happened just a few months ago.

The GitLab exploit is more recent and details are posted on their blog, “When a user adds a custom domain to their Pages site, no validation was being performed to ensure the domain was owned by that user. This issue allows an attacker to discover DNS records already pointing to the GitLab Page IP address which haven't been claimed and potentially hijack them.” A security researcher brought the vulnerability to light by writing a script to hijack several hundred domains within a few seconds. Thankfully GitLab is in the process of fixing the problem.

When a reporter asked GitLab why is was happening, a representative from the vendor claimed the approach is a common one throughout the industry. Well, yes, but how about leading by being more secure rather than having no security?  

These are just two of the numerous exploits with null passwords that are happening every day. Let these be a lesson to you: take some time to review your own apps and servers and ensure that you don’t end up in a similar situation.

Methods and tools

Duo built CloudMapper to generate interactive network diagrams of AWS accounts and is releasing it as an open-source tool to the larger developer community. You can discover unprotected resources across your cloud environment and check to see what happens when a potential VM fails.

It is important to pay attention to the permissions you’re granting to your apps, and this post covers why, when you are notified of permission changes, and how you can manage permissions across your app portfolio. A list of the common trouble spots is also included.  -- WANDERA

Cooking pi

Just for fun

While there is no doubt that the Pi can be very yummy, perhaps a new sorting algorithm for this magazine collection needs to be built.  –  REDDIT

David’s Take

Are you as depressed as I am about the Russian troll indictments from last week? Our top story goes into details, and links some other resources you might want to read and listen to. It is only Tuesday and we already have a full complement of malware, bad actors, data leaks, and even a game developer who intentionally infects his customers with malware.

-- David Strom, editor of Inside Security

Screen shot 2018 02 10 at 12.19.32 am


While a bit self-serving, this analysis of how Cloudflare tries to educate its customers about potential account takeovers, phishing attacks, and other social engineering efforts by criminals is worth reading. If nothing else, it shows what lengths these evildoers go to try to compromise your account every day. The post introduces the concept of a domain name generation algorithm, an automatic method of creating complex and lengthy domain names to be used to identify command and control servers. – CLOUDFLARE BLOG

A former California state employee downloaded thousands of personal data of their Fish and Wildlife agency employees last December. The breach wasn’t disclosed until recently, and appeared to be accidental and not malicious. Police are investigating. – SACRAMENTO BEE

Over a quarter of UK local council authorities have suffered a security breach in the past five years, with the vast majority not providing any kind of cybersecurity training. The council networks were subject to a staggering 98 million attacks between 2013 and 2017, which works out to 37 attempted breaches every minute. – BIG BROTHER WATCH (pdf)

1519055394193 capture 1

FSLabs is a video flight sim game maker who has taken the rather extreme approach of infected pirated versions of the game with password-stealing malware. The game’s installer checks to see if the user has made a legit purchase; if not, the malware is installed along with the game. Since being outed by the researchers, FSLabs has removed the malware from its installer, admitting the action was “a bit heavy-handed on our part.” – FIDUS INFOSEC BLOG

Researchers have discovered vulnerabilities in the popular WhatsUp Gold network monitoring tool. One allows remote command execution on TFTP servers by an attacker, while another allows SQL injection. Users should upgrade to v.17.1.2 to eliminate these issues. – POSITIVE TECHNOLOGIES

1*umcse czftawjvohxhwsna

Hackers have exploited two different backdoors to gain network access, as explained in this post. The exploit, which originated from South Korean IP addresses, has been labeled DoubleDoor, naturally. – NEWSKY SEC BLOG

The Docket

A spate of lawsuits aimed at security reporters such as Steve Ragan and Dan Goodin, are a threat to overall security progress, says my colleague Zack Whittaker in this post. He reviews recent legal cases and the concerns about them, and how many vulnerability researchers have stepped away from the area rather than be under the threat of litigation. -- ZDNET

Funding announcement

Israeli-based Morphisec raised a $12M B funding round. The company has advanced polymorphic security tools and Jerusalem Venture Partners took the lead. Ronen Yehoshua is its CEO.

Email x1 ssl

Beginner’s corner

Julia Evans explains the innards of an SSL cert from a programmer’s perspective. She dissects the X.509 syntax and in her delightful and very readable style tells you what all the various parts mean and what is involved in digitally signing them. – JULIA EVANS BLOG

Email x1 trend mi


A new report revealed a third increase in new ransomware families between 2016 and 2017, a doubling of email compromise attempts between the first and second half of 2017 and a sharp increase in cryptocurrency mining malware, peaking at 100,000 detections in October. Clear indications that attackers are getting more sophisticated and hitting larger targets.  – TREND MICRO REPORT


Insights from an IT Manager at Alaska Airlines

An IT manager at Alaska Airlines talks about how she has implemented threat management using a variety of manual and automated systems. Jessica Ferguson begins her hunt for malware in less obvious places to find new threat families.ANOMALI BLOG

Email x1 nerds

Just for fun

I often do this (at least the laptop part) myself. From 50 Nerds of Grey @ TWITTER

load more stories