The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers (December 14, 2018)
- Elon Musk’s SpaceX Cancels Rocket Launch Again Because of Technical Glitch (December 19, 2018)
- Drones are becoming increasingly disruptive. Can they be stopped? (December 20, 2018)
- San Diego School District Data Breach Hits 500k Students (December 24, 2018)
- The Story Behind the Huawei Story – It’s Not a Politically-Orchestrated Car Accident in Slow Motion
Summary: Cybersecurity researchers have discovered a critical vulnerability in widely used SQLite database software that exposes billions of deployments to hackers.
Why it matters: SQLite is the de facto embedded database for the Internet of Things. It ships in Android devices, iPhones and other iOS devices, Windows 10 machines, the Firefox, Chrome and Safari browsers, Skype, iTunes, Dropbox, TurboTax and Python, and the list goes on. Such wide usage across the Android and iOS ecosystems, combined with the possibility of remote code execution (RCE), can unsettle the IoT ecosystem in fundamental ways. SQLite is so endemic to the IoT application stack, and so taken for granted in countless implementations, that a potentially major flaw cannot be dismissed: a widespread component is also a bullseye for malicious actors. Exploiting this vulnerability means access to a wide array of devices across an equally disparate OS base and, depending on the implementation and on how well untrusted input is validated before it reaches the database, the ability to execute code remotely. Developers test for bugs and security flaws, but those tests usually assume the program is being used for its intended purpose and fed well-formed input. Recent advances in fuzzing, which does the opposite, are credited with a steady stream of major vulnerability discoveries in browsers and in media-rendering applications such as Adobe Reader. For example, Check Point Research applied the off-the-shelf fuzzer American Fuzzy Lop (AFL) to Adobe Reader and reported 53 CVEs in 50 days. Similarly, Tencent Labs applied new fuzzing techniques to find 100+ CVEs in one year. A creative attacker approaches the same code with malicious intent and uncovers the vulnerabilities nobody noticed. Coders must therefore write with an adversarial mindset, focusing not only on the functional requirements that achieve the desired result but also on the program's ability to withstand malformed and hostile input.
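To make the fuzzing point concrete, here is an added example of the AFL-style mutation fuzzing the paragraph credits. It is not code from Forescout, Check Point, Tencent or the SQLite project: it is a small harness that mutates well-formed SQL and feeds the result to the sqlite3 module bundled with Python, against a throw-away in-memory database. The setup schema, seed statements, token dictionary and mutation operators are all constructed here for illustration.

```python
"""Minimal AFL-style mutation fuzzer for SQLite's SQL front end.

Added example, not Forescout's or the SQLite project's code. Drives the
sqlite3 module bundled with Python against an in-memory database. SETUP,
SEEDS, TOKENS and EXTREMES are constructed for illustration.
"""
import random
import re
import sqlite3

# Constructed schema and rows every case runs against.
SETUP = """
CREATE TABLE t(a INTEGER PRIMARY KEY, b TEXT, c REAL);
INSERT INTO t(b, c) VALUES ('hello', 1.5), ('world', -2.25), (NULL, 0.0);
"""

# Constructed seed corpus: the well-formed statements functional tests send.
SEEDS = [
    "SELECT a, b, c FROM t WHERE a > 0 ORDER BY c DESC LIMIT 10;",
    "INSERT INTO t(b, c) VALUES ('again', 3.75);",
    "UPDATE t SET b = upper(b) WHERE length(b) < 8;",
    "DELETE FROM t WHERE c IS NULL OR c > 100;",
    "CREATE INDEX idx_b ON t(b);",
    "SELECT b, count(*), sum(c) FROM t GROUP BY b HAVING count(*) >= 1;",
    "SELECT CAST(c AS INTEGER), substr(b, 1, 3) FROM t WHERE b LIKE 'h%';",
]

# Constructed dictionary of SQL tokens and boundary values to splice in.
TOKENS = ["(", ")", "'", '"', ";", ",", "--", "/*", "*/", "NULL", "-1", "0",
          "2147483648", "9223372036854775807", "1e308", "x'00'", "UNION",
          "SELECT", "*", "CAST(", "AS INTEGER)"]
EXTREMES = ["0", "-1", "2147483647", "2147483648", "9223372036854775807",
            "-9223372036854775808", "1e308"]
PRINTABLE = [chr(i) for i in range(0x20, 0x7F)]   # no NUL, keeps sqlite3 happy
MAX_LEN = 4096


def mutate(rng: random.Random, sql: str) -> str:
    """Apply one randomly chosen mutation operator to a statement."""
    op = rng.randrange(6)
    if op == 0 and sql:                        # replace one character
        i = rng.randrange(len(sql))
        return sql[:i] + rng.choice(PRINTABLE) + sql[i + 1:]
    if op == 1:                                # insert a dictionary token
        i = rng.randrange(len(sql) + 1)
        return sql[:i] + " " + rng.choice(TOKENS) + " " + sql[i:]
    if op == 2 and len(sql) > 1:               # delete a slice
        i = rng.randrange(len(sql) - 1)
        j = rng.randrange(i + 1, len(sql) + 1)
        return sql[:i] + sql[j:]
    if op == 3 and sql:                        # duplicate a slice in place
        i = rng.randrange(len(sql))
        j = rng.randrange(i + 1, len(sql) + 1)
        return sql[:j] + sql[i:j] + sql[j:]
    if op == 4:                                # splice with another seed
        other = rng.choice(SEEDS)
        return sql[: len(sql) // 2] + other[len(other) // 2:]
    nums = list(re.finditer(r"\d+(\.\d+)?", sql))   # push a literal to a boundary
    if nums:
        m = rng.choice(nums)
        return sql[:m.start()] + rng.choice(EXTREMES) + sql[m.end():]
    return sql + " " + rng.choice(TOKENS)


def run_case(sql: str) -> str:
    """Run one case on a fresh database and classify the outcome.

    Memory-safety bugs of the kind the article describes kill the whole
    process, which no in-process try/except can observe. A real harness runs
    a sanitizer build of the target in a subprocess (or under AFL/libFuzzer)
    and treats the crash as the finding; this loop only separates the
    parser's graceful rejections from anything unexpected.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SETUP)
        conn.executescript(sql)
        return "ok"
    except (sqlite3.Error, sqlite3.Warning):
        return "rejected"                      # malformed input handled cleanly
    except Exception as exc:                   # anything else is worth a look
        return f"unexpected: {type(exc).__name__}: {exc}"
    finally:
        conn.close()


def fuzz(iterations: int = 500, seed: int = 0) -> dict:
    """Mutate seeds `iterations` times and tally outcomes (deterministic per seed)."""
    rng = random.Random(seed)
    result = {"ok": 0, "rejected": 0, "unexpected": []}
    for _ in range(iterations):
        sql = rng.choice(SEEDS)
        for _ in range(rng.randint(1, 3)):     # stack a few mutations per case
            sql = mutate(rng, sql)[:MAX_LEN]
        outcome = run_case(sql)
        if outcome.startswith("unexpected"):
            result["unexpected"].append((sql, outcome))
        else:
            result[outcome] += 1
    return result


if __name__ == "__main__":
    summary = fuzz()
    print(f"ok={summary['ok']} rejected={summary['rejected']} "
          f"unexpected={len(summary['unexpected'])}")
    for sql, why in summary["unexpected"][:5]:
        print(why, "<-", sql)
```

Running the file prints a tally of how the engine handled a few hundred inputs that no functional test would ever send. The shape of the loop is the lesson: a corpus of valid inputs, mutation operators that wreck them in structured ways, and a classifier that distinguishes graceful rejection from everything else. Because a memory-corruption bug terminates the process instead of raising an exception, a serious campaign runs the target under AddressSanitizer in a separate process, or under AFL or libFuzzer directly, and records the crash input as the finding.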
Summary: Until recently, space was the arena for exploration. Today, it’s a critical component for national security.
Why it matters: Until the details of the “technical glitch” are revealed, we can only speculate about the exact cause of the delay; perhaps there was simply a faulty component or a defective sensor. Physical security and cybersecurity have evolved and become intertwined in recent years. Ground stations once considered secure because they were guarded by fences, cameras and armed personnel are now also guarded by firewalls and monitoring tools. Similarly, satellites once thought of as untouchable must now be protected from a cyber perspective as well as a physical one. Take a GPS or weather satellite orbiting the planet, unguarded: were a hostile actor to make contact with that satellite and take control, by physical or wireless means, GPS and weather data for an entire country could be compromised. We have seen attacks on NOAA satellite data networks, and just this year it was revealed that U.S. missile defense and GPS satellites are vulnerable to cyberattack. Global concern about the possible impact of a nuclear explosion in space has existed since the Cold War; the disruption from such an attack would extend beyond halting satellite communications to crippling the communications that intercontinental missiles depend on. In response to these threats, President Trump called for a Space Force earlier this year. While the scope, responsibilities and effectiveness of such a force are yet to be determined, we can expect cyber threats to prompt the development of additional forces to counter attacks. Bad actors will continue to employ creative means across multiple vectors, and adapting to those tactics and methods will be increasingly critical to a sound defense posture across air, land, sea, space and cyber.
Summary: Multiple flights were recently cancelled at the second-busiest airport in the United Kingdom after drones were spotted nearby.
Why it matters: While the many headlines covering this story are not immediately cyber-specific, it is important to consider the cyber implications. So far, investigators are flummoxed, despite arrests and the recovery of a damaged drone. No planes crashed and no direct physical harm resulted, but multiple flights were cancelled or delayed and countless passengers were inconvenienced. The potential for real damage from drones is worth taking seriously. First, there is the risk of remote takeover: Johnny's new Christmas present is commandeered by an attacker and used for ill intent, under Johnny's name. Second, even if an attacker cannot take physical control of Johnny's drone, they may gain access to the photos and video it captures. Drone maker DJI has allegedly been sending footage back to China for years. Capturing that aerial river view might not help an adversary, but flying a drone near highways, airports, power plants and other industrial control facilities can provide valuable intelligence. The FAA has established various “No Drone Zones” and many drones ship with geofencing software that prevents takeoff in no-fly zones, but simple tricks (such as shielding the drone's GPS receiver with aluminum foil so it never learns where it is) can defeat those precautions. Cyber is no longer limited to IT. As we noted in our 2019 predictions, the convergence of operational technology (OT) and information technology (IT) will result in cyber-physical destruction. What is important to note is that the origin of possible attacks is complex and multi-directional: a physical attack can initiate a cyberattack, and a cyberattack can yield a kinetic action with very physical consequences. 2019 will be the year the line between cyber and kinetic is both drawn and blurred. There has been considerable debate in the U.S. about using drones and other autonomous systems in the military. Two recent patents might change naval warfare, yet the debate over the need for human control of lethal autonomous weapons remains open. In the meantime, known cyber adversaries such as Russia continue to increase their military use of drones and other autonomous systems.
Summary: Phishing attacks persist as 2018 comes to a close, but this time the Social Security numbers, home addresses and other personally identifiable information (PII) of students were stolen by malicious actors.
Why it matters: This recent attack against California's San Diego School District stands as a milestone, an omen and a reminder. Countless innocent victims have been caught up in breaches over the last decade. The 2015 Office of Personnel Management (OPM) breach not only affected federal employees and contractors but also compromised more than 21.5 million Social Security numbers, many belonging to people whose only connection was that the security clearance process collects information about applicants' relatives and contacts. Last month, Marriott disclosed that the personal data of approximately 500 million guests had been exposed through the reservation system of a hotel chain it had acquired. Because of the sheer volume of breaches and attacks, their consequences are often treated as inevitable; an attack on students under the age of 18, however, puts the severity of a compromise in a very different light. Cyberattacks have mostly been an adult problem in recent years: stolen credit cards, fraud and ransomware, to name a few. But as today's youth become engaged with, and reliant on, technology and the connected world at an early age, often considered digital natives long before grade school, those same children are exposed not only to the wealth of knowledge the Internet provides but also to its many cyber risks. Put simply, bad actors do not discriminate based on age. Personal data sells on the black market regardless of age, race or ethnicity, and attackers looking for profit will pursue any means necessary. And while today's youth are, to a large degree, computer savvy and digitally self-sufficient, that expertise usually extends to building and using technology, not to securing it. It is critical that both parents and educators invest in the education of the rising generation of IT leaders and innovators. There are a number of nationwide programs to help adolescents interested in pursuing a career in cybersecurity, but general cybersecurity education needs to start earlier. By high school it is almost too late, and parents of children with a knack for IT should help cultivate those skills in a positive direction before curiosity turns into attacks of their own.
Summary: With headlines swirling around recent Huawei news, it’s important to understand the timeline of events and accusations as well as the facts.
Why it matters: The headlines surrounding Huawei, the Chinese telecom giant, are as ubiquitous as they are disparate. To the outside observer, Huawei might appear to be a leading IT innovator, paving the way for a flexible, reliable and secure 5G network. Viewed by many as the leader in 5G technology, the company might seem months ahead of the competition. Yet more recent news, from the bans on Huawei in Australia and New Zealand to American distrust of Huawei products, evidenced by the nixed Wi-Fi deal with the Chinese colossus and its exclusion from bidding on U.S. government contracts, puts the company in a different light. Just this month, Huawei's CFO was arrested in Canada at the request of the U.S. Retaliation has since escalated, as have Chinese accusations and threats: China has accused Canada of applying different human rights standards, yet a former Canadian diplomat has been detained in China and denied access to lawyers. With that background and timeline in mind, there is a lot to unpack in a single paragraph, but in short, this type of threat is not new; it is really about the supply chain. The U.S. and other world leaders keep a constant eye on the threats, dependencies and socio-economic impact that come with international companies growing beyond their home borders. Such advances are complex, with implications for the competitive market as well as potential long-term, strategic cyber consequences. Regardless of how the Huawei chronicle ends, the supply chain will remain a constant threat, requiring costly resources and continuous monitoring. As the story continued to unfurl in the latter part of this week, the White House was reportedly considering an executive order, first floated more than eight months ago, that would declare a national emergency and bar U.S. companies from using Huawei and ZTE telecommunications equipment. Doing so would certainly limit Huawei's expansion and send a clear message to the company, but it would also impose significant expenses on domestic companies that would be required to purchase new equipment to replace the Chinese-made technology.