SolarWinds compromise focuses new attention on trust in vendor supply chain

Solarwinds

Recent media attention on the successful intrusion of multiple commercial and government organizations using a backdoor embedded in the popular SolarWinds Orion software platform has (justifiably) focused on learning the extent of the compromise and the potential damage or loss to SolarWinds’ customers. Both the trade press and companies suffering breaches or intrusions are typically quick to characterize these situations as the result of “sophisticated” attacks perpetrated by advanced or highly capable threat actors. Early reports of the ability the SolarWinds intruders had to evade detection for months after their backdoor was successfully installed and the way they disguised their malicious software suggest that the “sophisticated” moniker is actually warranted in this case, although the precise circumstances surrounding the initial penetration of SolarWinds’ software development operation are far from clear. The consensus seems to be that the attackers were able to gain access to SolarWinds’ toolsets and processes for building release packages (either the source code repository where the build components were managed or a release or package manager elsewhere in the process) and insert malicious code into the build cycle while avoiding detection. When the software update packages were built for release to customers, the malicious code was included with the actual software modules and signed using a cryptographic hash function. The end result is that customers who downloaded and installed the SolarWinds software updates had every reason to believe the software was legitimate and fully authorized by the company. Add to this the fact that, at the time the malware-infested software was distributed, no commercially available anti-malware tools recognized the backdoor as malware, and you have an effective means of intrusion while evading detection. On a side note, it’s much less clear why the external connections to the intruders’ command-and-control servers weren’t detected as anomalous, either by the U.S. Government’s EINSTEIN intrusion detection system or by any of the intrusion detection technologies deployed by commercial entities’ who were victimized by the SolarWinds exploit.

Given what has been publicly reported so far, including by the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, it is difficult to suggest that any of the affected organizations should have been able to identify the problem with the infected SolarWinds software itself. This incident has brought supply chain attacks into the mainstream (to be fair, NIST first published its Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, more than five years ago) but calls for greater due diligence by customers of enterprise-class software tools like SolarWinds are both overly simplistic and not particularly feasible. There reason software vendors release things like cryptographic hash values is to help customers verify that the software customers download can be verified as authentic. Most buyers of such software lack the technical knowledge or capabilities to perform deep analysis of the software products they buy and, if such software has an embedded vulnerability somewhere it its source code, in most cases there is no way for a customer to examine the source code at all (not to mention that reverse engineering commercial software tools typically violates the license agreement governing the purchase of the software). Buyers of commercial software tools have little alternative than to rely on their chosen vendors to deliver software that is free of malware like the SolarWinds backdoor. When dealing with well-established software vendors, it is probably not overstating the situation to say that customers trust their vendors not to deliver products rife with hidden vulnerabilities. Software vendors, like other types of organizations, may in fact be worthy of customers’ trust, but it is at least a semantic mistake for any buyer to say they trust software. Organizations may demonstrate trustworthiness by (depending on your characterization) exhibiting competence, honesty, openness, credibility, or reliability. Among these attributes, however, software can only demonstrate reliability or unreliability; a product that performs consistently and predictably may be highly valued by its users, but that does not make it trustworthy. The future prospects for SolarWinds among public sector and private sector organizations remain to be seen, but the guidance issued to government agencies in the past week suggests that CISA is skeptical of many of SolarWinds’ assertions about which product releases are affected about the company’s ability to prevent further exploitation of its platform.

Repeal of planned FCC privacy rules leave ISPs largely unregulated

FCC-FTC Privacy

Last week Congressional Republicans successfully passed legislation to repeal privacy regulations that would have imposed several constraints on the ability of broadband Internet service providers (ISPs) to collect, analyze, sell, and otherwise manage personal information about their customers and their use of the Internet. The repealed rules, which were developed by the Obama administration and passed by the Federal Communications Commission (FCC) in October 2016, were set to go into effect this year. The new, now abandoned, FCC rules applied key privacy principles like transparency, choice, and consent to different categories of personally identifiable information, notably requiring customers to give affirmative consent (that is, to “opt in”) to use or sharing of sensitive personal information. The rules consider sensitive information to include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications. ISPs would have had more freedom to use or share non-sensitive personal information, but customers could still opt out of any use of their information if they choose to do so.

Beyond consent and use of personal information, the FCC would have added requirements that ISPs provide customers with “clear, conspicuous, and
persistent notice” regarding what information the ISPs collect, how that information may be used, and with whom and under what circumstances it will be shared. This element is consistent with notice of privacy practices requirements that the Federal Trade Commission (FTC) imposes on many types of companies, including e-commerce vendors, social media sites, and website operators. ISPs also would have been obligated to implement industry best practices for data security, authentication, monitoring, and oversight, again consistent with FTC best practices and the Consumer Privacy Bill of Rights, and to notify customers and law enforcement agencies notice of data breaches or other failures to protect customer information.

Instead, now that President Trump signed the measure into law, ISPs like Comcast, Verizon, and AT&T have few practical restrictions on how they handle their customers’ information and are subject to substantially fewer regulations than web content providers, e-commerce companies, and technology firms like Google and Facebook that depend on the ISPs so that end users can reach their products, content, and services. Since the new FCC rules never went into effect, it might seem that privacy protections for customers of Internet service providers are no worse than they were before, but unfortunately that is not the case, due to a separate decision the FCC made in early 2015. That decision, when the FCC voted in its Open Internet Order to adopt “net neutrality” principles, reclassified Internet service providers as common carriers, placing them under the jurisdiction of the Telecommunications Act of 1934 and, by treating them in a manner analogous to conventional telephone companies, shifted the regulatory authority for ISPs from the FTC to the FCC. The exemption from FTC oversight was made explicit in a landmark ruling last year by the 9th Circuit Court of Appeals, which found AT&T was not subject to action by the FTC, even for behavior that occurred prior to the Open Internet Order. One clear intent of the Obama-era FCC privacy rules was to bring regulations for ISPs in line with FTC rules and enforcement actions applicable to other technology companies. Now, unless further regulatory changes are introduced that somehow alter the common-carrier designation, Internet service providers are uniquely positioned to capitalize on the personal information and online behavior patterns of their customers.

Tax season means it’s time to watch out for W-2 scams

W-2 phishing

As American individuals and companies head into tax season, the Internal Revenue Service (IRS) is warning organizations of all types to be on the lookout for attempted W-2 phishing attacks as part of a broader pattern of business email compromise attempts. The urgent alert issued by the IRS on February 2 was the second such notice in a span of just eight days and emphasized that the phishing scam centered on employers’ Form W-2 information appears to be affecting many types of organizations beyond the commercial corporate entities typically targeted by this sort of attack. The IRS has for several years included phishing on its “dirty dozen” list of tax scams, although historically the most prevalent scams seem to have been attempts by attackers to send fake emails purportedly from the IRS. Beginning just last year, this class of attacks evolved to include phishing emails directed to company employees working in payroll or human resources that claim to be from the company CEO, asking the recipient to send copies of employee W-2 forms. According to data compiled by industry media sources such as CSO Online, data from more than 40 companies was compromised by these attacks in 2016. This “success” rate, coupled with what the IRS says is new notifications it has received already this year for the tax year 2016 filing season, prompted a renewed alert to corporate payroll and HR departments.

It should come as no surprise to anyone that paperwork or data related to tax returns are attractive targets for attackers, or that phishing scammers have gotten more creative about who the originating party is supposed to be in the emails they send. What is perhaps harder to understand is why so many of these emails make it through to their recipients, whether or not the recipients actually fall for the scam. A phishing email of this type is almost always sent from a source outside the targeted organization, so while it is a trivial matter for a scammer to change the “reply to” value in the email to be a corporate CEO or other official, it is technically much less trivial to hide the true origin (server, IP address, and domain) of the email. It should be simple to apply a rule to to incoming email that essentially says, “reject any email received from an external domain that claims to originate from an address in the internal domain.” Essentially every network firewall implements an analogous rule by default (dropping packets from external sources that have an internal source IP address), but few managed email service providers allow such rules to be defined and enforced. This deficiency leads to a market opportunity for email security gateway vendors like Barracuda, Cisco, Proofpoint, Sophos, and Websense. While many organizations have treated phishing avoidance as a security awareness issue, the increasing frequency of specialized attacks like the W-2 scams might push more companies to augment their phishing prevention capabilities so they don’t have to rely so heavily on their employees.

European Court of Justice rules against UK on data retention

ECJ

The Court of Justice of the European Union (familiarly known as the European Court of Justice or ECJ) issued a judgment this week explicitly against laws in the United Kingdom and in Sweden that require telecommunications service providers to collect and retain data about telephone calls and other electronic communications (for 12 months in the UK law and for six months in the Swedish law). In its ruling, the ECJ found that the British and Swedish data retention regulation “prescribes general and indiscriminate retention of data” in a manner inconsistent with norms of democratic society and, in particular, with privacy protections for electronic communications included European Council Directive 2002/58/EC. The Court’s ruling makes clear that it is possible for European Union member nations to establish targeted data retention rules for specific purposes, such as supporting criminal or anti-terrorism investigations, but the December 21 judgment further clarifies interpretations of EU policy since the Court ruled invalid the EC-wide Data Retention Directive in 2014.

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.

To put this recent ruling in context, a little history may be in order. Even those with only a casual interest in personal privacy protections are often aware that, in general, regulations governing the collection, use, and disclosure of personal data are stronger in the European Union than privacy regulations in the United States. Despite those overarching privacy protections, enumerated in multiple EC Directives dating at least to 1995, the European Parliament and the European Council established Directive 2006/24/EC in March 2006 to harmonize member countries’ retention of data related to electronic communications services. The 2006 Directive concerned location and telecommunications metadata that could be used by law enforcement authorities or other authorized entities to identify the source and destination of electronic communications (including telephony services and Internet transmissions such as email) and the identity of the subscriber or registered user initiating such transmissions. Individual countries were free to establish their own specific retention periods, but Directive 2006/24/EC set the minimum at six months and the maximum at two years. Laws such as the Swedish regulation addressed in this week’s ECJ ruling were crafted specifically to conform to the guidelines in 2006/24/EC.

Directive 2006/24/EC was in effect for approximately eight years; in April 2014 the ECJ declared the data retention directive invalid, largely because it did not require any “differentiation, limitation, or exception” in the collection of electronic communications data nor did it ensure that government authorities could only use the collected data for preventing, detecting, or prosecuting serious crime. The Swedish case brought to the ECJ challenged a law that was enacted prior to the 2014 ruling invalidating 2006/24/EC, while the UK case concerned the Data Retention and Investigatory Powers Act of 2014, which was enacted specifically in response to the invalidation of the EC data retention directive. Dubbed the “snoopers’ charter” by opponents, the UK law requires telecommunications carriers and Internet service providers to hold data about all electronic communications by subscribers or users for a period of 12 months. While many national data retention laws (and Directive 2006/24/EC) exclude the content of electronic communications, news reports about the UK law suggest that service providers would be required to retain, and to make available to law enforcement, details such as the Internet websites individuals visit and the applications and messaging services individuals use. The UK efforts to increase this type of data retention stand in stark contrast to actions by other EU nations in the years while 2006/24/EC was still in effect, such as the rejection by the German Federal Constitutional Court of a data retention law that had been designed to comply with the EC Directive. As for the U.S., while there is no mandatory data retention law currently in place, Congress has tried several times to enact these rules, including failed efforts in 2009 and 2011, and U.S. law enforcement authorities have well-established legal procedures under the Stored Communications Act to access any data or records that electronic communications providers choose to maintain for their own business purposes.

After Yahoo! breach, can users do anything to protect their online data?

After news broke last week that online services giant Yahoo! had suffered a data breach resulting in the compromise of account information on 500 million users, customers were left wondering how the breach would affect them while news organizations and industry observers heaped criticism on the company. Yahoo! public disclosure of the attack against its user database, which reportedly occurred at least two years ago, comes in the midst of the company’s efforts to see itself to Verizon, which said it learned of the breach at about the same time the public did. Subsequent news reports have charged that Yahoo! business executives, including CEO Marissa Mayer and Senior VP Jeff Bonforte (who has responsibility for Yahoo! email services), made public pronouncements and took actions that seemed to indicate that cybersecurity was a high priority, but in reality chose to de-emphasize security in favor of strategies to retain current users. This approach stands in strong contrast to other major online services providers such as Google that have suffered attacks (and compromises) in years past and responded by aggressively invested in rolling out stronger security controls, including protection for email messages and user account data.

The group that seems most overlooked in the aftermath of the breach is Yahoo! customers. As the New York Times and other media sources has reported, executives including Mayer chose not to implement even widely-accepted practices such as automatically resetting user account passwords when a breach occurs. This is of course problematic when account credentials for email services are compromised, because end users may not be able to receive communications from the breached company if their password is changed and such changes would normally be communicated to them via email. Yahoo! apparently also chose not to pursue end-to-end encryption for its messaging services, because doing so would eliminate the company’s ability to scan message content for use in pitching services to customers. This leaves users more or less on their own to take corrective action, where the guidance remains pretty much the same whether we’re talking about Yahoo! or any of the many other online companies that have suffered data breaches that compromised usernames, passwords, security questions, or other personal or credentialing information. Users sticking with Yahoo! should at the very least change their account password and the passwords of any other online accounts that are setup with the same username and password. Many articles recommend keeping an eye on your accounts to try to identify any unexpected activity, but for Yahoo! customers it seems more likely that the data disclosed about Yahoo! users would potentially be put to use in account penetration attempts against other online providers (particularly those where the account username is a Yahoo! email address). Lastly, while it is not always an easy or consistent option, one of the best ways to limit the value of breached account credentials is to add two-factor authentication, although even with this addition level of protection accounts that use the same login credentials may continue to be at risk.