Saturday, June 15, 2024

New Windows WiFi RCE vulnerability

Full Disclosure: I am just posting this because of the meme. It sure beats the usual "hacker (because wearing hoodie) in a dark room with computers" picture that is so common in these posts. Yes, I am looking at you, Tom's Hardware.

A "Remote Command Execution" (RCE) vulnerability just means that someone can send remote commands to something whose software has this vulnerability. A classic case of an RCE vulnerability that was exploited is the log4j one (hello 2021!). These commands can be something like uploading malicious code to the computer or application, which can then be unleashed on the computer running this application. On June 12th, Microsoft's Patch Tuesday addressed 49 CVE-tagged security flaws. Amongst them there was a patch for CVE-2024-30078, which deals with the WiFi RCE vulnerability that is the topic of this post.

The main difference here is that this vulnerability is in the (Windows) drivers for a network card. The beauty of such an attack is that the attacker does not need help from the user (as in phishing) to get the malware onto the computer. In fact, chances are that unless the code is patched, there may not be much stopping such an attack; all they need is to send a malicious networking packet to trigger the remote code execution, which would then be followed by them uploading their own code to start exploring their new acquisition.

To add insult to injury, the attackers may not even need to be on the same network; all they have to be is within range of the vulnerable computer. With the right equipment, "within range" can be measured in feet or even miles.

Homer Simpson: No exploit code is available so far

Microsoft, who issued a patch for that, stated that there is no reported malware exploiting this vulnerability and rated it "Exploitation Less Likely", while the Cyber Security Agency of Singapore thinks it is a high-severity vulnerability and that everyone using the Windows versions affected by this (pretty much everything remotely recent) should "update to the latest versions immediately". I do not know about you, but I would side with the Singapore agency on this one.

Have a Windows computer? Patch it. Immediately.

Thursday, May 23, 2024

Browsers, expired certs, bad defaults, and risk ASSessment

I have had to access more devices/websites with expired or self-signed certs than I would like to admit. There are also those which are just plain insecure (think passwords being sent unencrypted). If you have never experienced that, either you are really lucky or, well, welcome to The Planet Earth!

There are those, some of them my friends, who think that is not acceptable and that the only solution is to replace all this junk with new junk which complies with current regulations. Some of them even have CISSP and CISM certificates and have titles like "Senior Security Engineer". They all live in another world with no relationship to ours and our reality.

There, I said it. Call me a heretic, but do not be disappointed if you need to pick a number; you will not be the first or the last. But I will not change my mind.

Secure All the Things

One of those security concepts that those who are CISSP/CISM/etc. certified should know, by the very reason they are certified, is risk. Everything has a vulnerability, a weakness that if exploited (intentionally or accidentally) may, well, hurt. If you ever got electrocuted while working on house wires or trying to repair an appliance, you know what I mean. Also, boiling oil in a pan can hurt. So you deal with it. For instance, you can just buy a new electric tea kettle instead of trying to replace the old wire. Or, if you are in a business setting, you can decree that all computers will have the latest operating system with the latest patches, even if that means replacing the computers.

And that is where we disagree

You see, sometimes that is not feasible. Perhaps I have the skills to replace a wire, and doing so is much cheaper than getting a new kettle. Or you have an old UNIX computer connected to a multimillion dollar test device whose software is hardcoded to that specific version of UNIX; replacing it would cost 50 million and you would be throwing away a perfectly good testing system. Or that medical device only sends data wirelessly to an FTP server, so its password is shown for all to see; each of these devices goes for $15,000 on a good day, and there is really nothing better in its class for the service it provides. What to do?

You analyze the risk and make the best choice of how to deal with it. The options are not only "do nothing" (accept the risk) or "replace it," as the "Secure All Things" crowd advocates. There are more alternatives (I am using CISSP parlance here):

  • Acceptance. Decide it is not worth trying to do something about it and move on.
  • Mitigation. Come up with something to eliminate the threat, like keeping all the computers running the latest versions of their software. This is where the "Secure All Things" crowd gathers.
  • Deterrence. Can we cut down the risk? In the case of the multimillion dollar testing device, what if we take it off the network and use an external drive to transfer test data between it and a more modern computer we can secure? Or, for a network appliance that can only be accessed by a web interface which has a self-signed certificate that may have already expired: if you cannot replace the certificate (licensing cost or just plain bad coding), put these appliances in a secure network with restricted access, and with a specific web browser configured to accept connecting to that appliance using that cert (and perhaps older encryption).
  • Avoidance. Stop doing something that causes risk. If printers can be hacked, eliminating all printers takes care of this. If people can attack your wireless, remove the wireless.
  • Transference. Make it someone else's problem. Buy cybersecurity insurance. This can get expensive quickly, and insurance companies have been raising the requirements. For instance, most of them will have a clause that if they find out you were careless, no money for you.
  • Rejection. The stick-your-head-in-the-sand approach to danger. Pretend it does not exist. I know it is a very common reaction, but try not to do it; this is considered lack of due care.

So, which one should you do? It depends, and we are way ahead of ourselves. We should start by finding out what we have, knowing that getting a true full inventory may not be (economically) possible. But let's say we did find out what we have. These are our assets, and we need to assign values to them, as risk can be seen as a number (usually money): we have to compare how much each risk response (and that includes the bottom one, not doing anything) costs and figure out the cheapest one. You see, businesses exist to make money, and how we manage risk is a cost to the business. If the cost to mitigate the risk is close to that of deterring it, maybe mitigation is the best solution. This kind of thought process is expected from someone who is called "senior security engineer/architect." I myself am fine with knowing that most solutions to minimize risk end up being finding a deterrence. And sometimes you just have to accept the risk and move on. After all, companies (and individuals) have only so much money to deal with risk; a good senior level security professional will make each dollar count.
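The comparison described above, putting a money figure on the risk and on each response, is simple enough to work through in code. The following is an added example written for this post, not anything from the original article or from any certification body: it uses the usual single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annual rate of occurrence) and ranks the responses by their total expected annual cost, that is, the cost of running the response plus the residual loss it leaves behind. The old UNIX test system from the post is the worked case; the 50 million replacement cost comes from the post, every other figure (exposure factor, incident rate, per-response costs and reductions) is constructed for illustration and would come from your own inventory and quotes.

```python
"""Rank risk responses by expected annual cost (added example, figures constructed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair, quantified in money."""
    name: str
    asset_value: float         # what losing or rebuilding the asset would cost
    exposure_factor: float     # fraction of asset_value lost per incident, 0..1
    incidents_per_year: float  # annualized rate of occurrence (ARO)

    def single_loss(self) -> float:
        """SLE: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """ALE: expected loss per year if nothing is done."""
        return self.single_loss() * self.incidents_per_year


@dataclass(frozen=True)
class Response:
    """A risk response and its effect on the numbers.

    rate_multiplier scales how often incidents happen (0 = threat removed);
    exposure_multiplier scales how much each incident costs us (insurance
    with a deductible leaves us paying only a fraction, for instance).
    """
    strategy: str
    annual_cost: float
    rate_multiplier: float = 1.0
    exposure_multiplier: float = 1.0

    def residual_annual_loss(self, risk: Risk) -> float:
        return (risk.single_loss() * self.exposure_multiplier
                * risk.incidents_per_year * self.rate_multiplier)

    def total_annual_cost(self, risk: Risk) -> float:
        """What this response costs per year, residual loss included."""
        return self.annual_cost + self.residual_annual_loss(risk)


def rank_responses(risk: Risk, responses: List[Response]) -> List[Response]:
    """Cheapest total annual cost first. 'Rejection' is deliberately absent:
    pretending the risk does not exist is not a response, it is lack of due care."""
    return sorted(responses, key=lambda r: r.total_annual_cost(risk))


def unix_test_system_case() -> Tuple[Risk, List[Response]]:
    """Constructed sample: the old UNIX box wired to a multimillion dollar tester."""
    risk = Risk(
        name="legacy UNIX host on test equipment",
        asset_value=50_000_000,   # replacement cost from the post
        exposure_factor=0.1,      # constructed: one incident costs a tenth of that
        incidents_per_year=0.2,   # constructed: roughly once every five years
    )
    responses = [
        Response("acceptance", annual_cost=0),
        # replace the whole rig, amortized over ten years; threat nearly gone
        Response("mitigation", annual_cost=5_000_000, rate_multiplier=0.05),
        # air-gap it and sneakernet the test data; cheap, and most of the threat goes away
        Response("deterrence", annual_cost=20_000, rate_multiplier=0.05),
        # stop using the tester entirely: no incidents, but lost business every year
        Response("avoidance", annual_cost=2_000_000, rate_multiplier=0.0),
        # cyber insurance premium; we still pay a 20% deductible on each incident
        Response("transference", annual_cost=150_000, exposure_multiplier=0.2),
    ]
    return risk, responses


if __name__ == "__main__":
    risk, responses = unix_test_system_case()
    print(f"{risk.name}: ALE if we do nothing = ${risk.annual_loss():,.0f}")
    for r in rank_responses(risk, responses):
        print(f"  {r.strategy:<13} ${r.total_annual_cost(risk):>12,.0f}/year")
```

With these constructed numbers the ranking comes out deterrence, transference, acceptance, avoidance, mitigation: the air gap wins by a wide margin and the "replace it" option is the most expensive of all, which is the post's point. Change the exposure factor or the incident rate and the ranking moves; that sensitivity is exactly why the inventory and the valuation have to come before the choice of response.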

You are still on the soapbox

Right you are. We still have not detected the vulnerabilities. And the little dirty secret is that the findings generated by security scanners should not be taken at face value. Some of these scanners are just mindless pattern-matching scripts. A novice security professional will just run the tool and sound the alarm. A senior security professional will compare the findings with the information she has about the IT infrastructure (which may have required her sitting with the IT team), eliminate what does not make sense for her setup, and then prioritize the rest. Even if she uses AI (there, I said it), she will never blindly follow whatever the tool says.

Don't be what I call Qualysguy, that guy who runs Qualys and then sends a ticket to the IT team saying "fix all these things".

Tuesday, April 30, 2024

Logscale's free tier is dead, Jim

Some of you have deployed Logscale at home or in a small setting as a way to get some experience with it. That was possible because Crowdstrike provided a free tier along the same lines as Splunk, Burp Suite, and even AWS/Azure/Google: some features were disabled and the amount of data was limited, but you were still able to get your feet wet in it. Now, that is beneficial to both the company and you:

  • You learn how to use a well-known commercial product, so when you apply for a job that uses it you know enough to start using it. Now, some will claim the only experience that counts is experience you got from a paid job. Given how active I am in the open source community, I disagree. In fact, I will put my neck on the block and say there were many things I learned in a home lab I could not learn at work because, well, even when you work in a research institution, what you can work on during their time is dictated by what they think is important.
  • That does not mean that if you install it in your homelab you will just be fiddling with some controls without really understanding the product. Logscale, AWS, Splunk, and PortSwigger (just using the same companies I mentioned because I can't be bothered finding links to others) offer free formal classes with hands-on exercises (and, yes, I know some of the AWS and Splunk videos are cringe, but at least they are trying). These classes can lead to you getting certified, but that will cost and is a discussion for another post. Which leads to...
  • Microsoft, Splunk, and all of those companies want you to learn their product well. If you do, when you work at a company using it, you will not suck at using it, so their product will not suck. And if you get to the point where you are the one recommending products, guess which ones you will select?

So, what about this Logscale gripe you have?

Like the other vendors mentioned above, Crowdstrike offered a free tier: in early 2021 Crowdstrike acquired Humio, which later became Logscale. Later in that year, they announced the Humio Community Edition, the free version of Logscale with similar restrictions as, say, Splunk's (stealing the following from their announcement):

  • Ingest up to 16GB per day
  • 7-day retention
  • No credit card required
  • Ongoing access with no trial period
  • Index-free logging, real-time alerts and live dashboards
  • Access Humio’s marketplace and packages, including guides to build new packages

Screen capture of message acknowledging the signing up for Logscale Community Edition

Great! So now you can pick and choose between the two! Not quite. Fast forward to March 2024, when CrowdStrike stopped accepting applications for LogScale Community Edition (link accessible only if you have a customer account, unfortunately). Also, while those of you who still have your community account will still be able to access it, if you do not access the Community Account for more than 90 days, it will be removed. Do you want to try before you buy? Sign up for their 15-day trial version after providing enough info about you and your company. Oh, they too have a CrowdStrike University, but to get in you need to be a current paying customer; not even Bezos does that.

Bottom line

  • If you want to learn Logscale, and by that I mean also practicing with it, you will have to get hired by a company that already has it.
  • If you are considering using it but have never used similar products, you will have to spend money. So, you might as well hire someone to see if it is the best solution for your needs. Case in point: a lot of people, me included, make fun of Splunk's price. Thing is, someone who is a Splunk Engineer, as opposed to a Security Engineer with Splunk experience, knows how to put it together so its yearly cost does not go through the roof.