Cybersecurity News & Commentary - August 2019

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

August, 2019


Critical VxWorks Vulnerabilities Leave Countless Devices Vulnerable

Research from security company Armis has uncovered eleven critical vulnerabilities in the popular VxWorks Real-Time Operating System.  The vulnerabilities, dubbed the Urgent/11, reside in the network stack of VxWorks and allow for remote code execution.  This means that if an affected device is connected to the internet, an attacker could possibly take complete control of the device.  The exact number of affected devices unknown, but the count could be in the billions, depending on the versions of VxWorks being used and if the devices are connected to a network.  VxWorks is used to control everything from critical industrial processes to aircraft in flight to consumer devices such as routers and telephones.​

IISP Analyst Joel Odom A Real-Time Operating System (RTOS) is different from an enterprise OS in that an RTOS is designed to run on embedded systems such as computers on airplanes, industrial process controllers, and IoT devices.  These kinds of devices usually don't require all of the features provided by an operating system like Linux, but they may require certain guarantees about when critical actions will happen.  Have you ever had your computer act sluggishly because the OS was busy with some system-level task?  Annoying as this may be, it's usually acceptable for our computers to pause for a second here or there when we're typing cybersecurity news commentary.  If, however, my computer is controlling the heads up display of a landing aircraft, even a little bit of jitter in the response of the computer to the aircraft's status could throw off the pilot's concentration.  An RTOS guarantees that the inputs from the aircraft's sensors will be translated to visual cues for the pilot without any noticeable jitter or delay.

VxWorks is everywhere, and is generally known to be a stable, reliable and secure operating system.  That having been said, I wonder if the reason that VxWorks is known to be secure is because perhaps it hasn't been the target of much serious vulnerability research?  The Urgent/11 vulnerabilities were found in the network stack.  This is a prominent attack surface, so you'd think that it would have been scrutinized extensively for security problems (network stack implementations on other popular operating systems have been refined for security after decades of bug discovery and patching).  If the Urgent/11 vulnerabilities put VxWorks in the spotlight for security research, that will be a good thing for the future security of the multitude of important devices running this OS.



Equifax Breach, Lessons Learned​ 

Equifax has reached an agreement to pay 700 million dollars to various consumers and government agencies as part of a settlement regarding their 2017 breach. This breach occurred when multiple attackers exploited a known security flaw in Apache Struts, which was used in an Equifax web application. From there, the hackers were able to pivot through the network and access the personal and financial information of almost 150 million people, exfiltrating millions of social security numbers and hundreds of thousands of credit cards. The settlement includes fines paid to regulatory agencies and fees related to identity and credit card monitoring for those affected by the breach.

IISP Analyst Kennon BittickThe Equifax breach was caused by multiple failures to abide by industry best practices for network security. The subsequent monetary and reputation damage to Equifax, as well as the overall damage to the general public, will hopefully encourage better compliance by both Equifax and others.

There are a number of specific lessons that can be learned from the incident. The initial breach was caused by a vulnerability in Apache Struts (CVE-2017-5638), which was discovered in 2017. According to the FTC, the Equifax security team did notify the operational team to update Struts; however, the update was never applied and the security team did not follow up on the patch. The lesson to learn here is to ensure that all systems are patched regularly. Ideally, patches should be managed from a centralized tool to automatically distribute patches and verify that all systems on a network are patched at the appropriate level.

After the initial attack, the attackers were able to pivot through the network (helped along by administrative credentials stored in a plaintext file). In a properly secured network, different components are isolated from each other depending on their trust levels. As an example, the internet at large is the least trusted area of a network, and defenses should be created with that in mind. Even internally, it is best to segment individual nodes or groups of nodes by their roles and required access. For example, a database with credit card information can be isolated from a database with less critical information. In essence, it is good to establish trust boundaries and limit inter-trust boundary communication to well-known and controlled interfaces. Operate by the principles of least privilege and defense in depth, and do not store admin credentials in plaintext files on production servers.

At least some sensitive information (like social security numbers) was stored by Equifax in plaintext. PCI DSS is an industry standard enforced by the major credit card vendors that controls the way that credit card information is stored. It mandates, among other things, that credit card numbers cannot be stored in plaintext. It is not clear if Equifax stored credit card numbers in the clear or if the attackers were able to find the encryption keys and recover the plaintext. But even if they did store credit card numbers correctly, they did not apply the same standards to social security numbers. Regardless of regulatory requirements, sensitive data should always be encrypted and secured.

None of the failings of Equifax are particularly esoteric: all could have been prevented with basic security hygiene and conformance to commonly accepted best practices. It is important to have a strong security team which coordinates with the network administrators, database administrators, operations, and developers to ensure that security best practices are followed.