At a glance.
- Alexa's privacy issues and smart home security.
- Recent data exposures.
- Pulse Secure offers an account of issues involving older versions of its VPN server.
Alexa vulnerabilities fixed, but eye-opening.
Check Point this morning published research indicating flaws in Amazon’s Alexa that could have enabled attackers to access personal information when users interacted with Alexa skills. Users’ information at risk included “voice history, home address and control of their Amazon account.” Amazon has fixed the vulnerabilities, which involve cross-origin resource sharing misconfigurations and susceptibility to cross-site scripting.
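The two bug classes Check Point names, a cross-origin resource sharing misconfiguration and cross-site scripting, are worth seeing side by side, because the CORS policy decides which origins may read authenticated API responses and an XSS on any one of those trusted origins inherits that permission. The Python below is an added illustration written for this page, not Check Point's research or Amazon's code, and the hosts (api.example.com, blog.example.com, attacker.net), the allowlist and the function names are all hypothetical; the page does not give the exact policy Check Point found, and none is assumed here.

```python
"""Added illustration of CORS origin-validation mistakes (hypothetical hosts;
not Check Point's findings or Amazon's code)."""
from urllib.parse import urlsplit

# Constructed allowlist for the hypothetical API host api.example.com.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def _https_host(origin):
    """Return the hostname of an HTTPS origin, or None for anything malformed."""
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname


def _allow(origin):
    """Headers that let the browser hand a credentialed response to `origin`."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_reflect(origin):
    """Misconfiguration 1: echo any Origin and allow credentials.
    Every site the victim visits can read their authenticated API responses."""
    return _allow(origin) if origin else {}


def cors_substring(origin):
    """Misconfiguration 2: a substring test for the trusted domain.
    https://example.com.attacker.net and https://evil-example.com both pass."""
    return _allow(origin) if origin and "example.com" in origin else {}


def cors_any_subdomain(origin):
    """Policy 3: parse properly and trust every *.example.com host.
    Valid CORS, but an XSS on any single subdomain now reads this API
    with the victim's cookies: the policy inherits the weakest sibling."""
    host = _https_host(origin)
    if host and (host == "example.com" or host.endswith(".example.com")):
        return _allow(origin)
    return {}


def cors_allowlist(origin):
    """Hardened: exact match against a short allowlist of full origins.
    Anything else gets no CORS headers, so the browser blocks the read."""
    return _allow(origin) if origin in TRUSTED_ORIGINS else {}


def cross_origin_read_allowed(headers, requesting_origin):
    """Model of the browser's check for a credentialed cross-origin request:
    ACAO must equal the requesting origin (a wildcard is rejected when
    credentials are sent) and ACAC must be the literal 'true'."""
    return (
        headers.get("Access-Control-Allow-Origin") == requesting_origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def demo():
    """Which hypothetical attacker origins can read the victim's API data?"""
    probes = {
        "attacker site": "https://attacker.net",
        "lookalike suffix": "https://example.com.attacker.net",
        "XSS on a sibling subdomain": "https://blog.example.com",
    }
    results = {}
    for policy in (cors_reflect, cors_substring, cors_any_subdomain, cors_allowlist):
        results[policy.__name__] = {
            label: cross_origin_read_allowed(policy(origin), origin)
            for label, origin in probes.items()
        }
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

The third policy is the instructive one: it parses the origin correctly and rejects the lookalike suffix, yet a script injected into blog.example.com still reads the API as the victim, which is why the fix for this class of finding is usually both a tighter allowlist and closing the XSS on the trusted host.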
In a separate but relevant discussion, NIST outlined security considerations for smart home devices. As these devices see increasingly widespread use, approaching ubiquity, Susanne Furman, a NIST cognitive scientist, shared the questions NIST asked consumers in a recent study of smart home devices. The questions are simple and direct, but they're also unsettling when one realizes how few of us have any answers to them (let alone good answers):
- Why did you purchase the device?
- Who do you think is responsible for the privacy of the information the devices collected?
- How is that information secured?
- What, if any, remediation did you take to protect the privacy of your information and device security?
Updates on two recent data exposures.
An investigation by CyberNews, reported yesterday, describes another major data exposure. In June the researchers found seven gigabytes of unencrypted files exposed on an unsecured AWS S3 server. The sixty-seven exposed files contained email addresses, some hashed and some hashed and salted, but tens of millions of them stored in plaintext, open to anyone who found the server. It's unknown who owned the databases; Amazon shut the bucket down when CyberNews contacted them on June 10. The data don't appear obviously valuable, at least not immediately, but email addresses are traded on the criminal market for their usefulness in spamming, in phishing, and in password-guessing attacks against the associated accounts.
The day before that, researcher Bob Diachenko reported finding a database that may have belonged to Adit, a provider of medical and dental patient management software. It appeared to hold data on some 3.1 million patients, including name, email address, home and work phone numbers, marital status, gender, and the name of the medical practice they used. Nine days after the exposed data were discovered, they were erased, apparently by the Meow bot.
We received comment from two industry sources. Joe Moles, Vice President for Customer Security Operations at Red Canary, wrote:
“Unsecure servers containing databases with large swaths of email addresses can be a tremendous resource for any adversary, whether they’re conducting an indiscriminate spam campaign or a targeted spear-phishing attack. While there isn't any indication that these email addresses were ever exposed to an adversary, organizations can protect themselves from possible threats by shoring up email filters and implementing or improving employee security awareness training.
“Additionally, given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use. At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: better security through better IT.”
And Senserva President Casey Kraus finds it interesting that in the case CyberNews found, the misconfiguration was in the server itself as opposed to the more usual bucket. He sees this as an indication of the way in which cloud technology may be outrunning users' ability to manage it effectively and securely. The second incident, the apparent exposure of patient data by a software vendor, is disturbing in a way that's characteristic of third-party risk. Many of the affected patients probably don't even know their data were exposed. "Adit should be making their clients aware so they can inform the patients involved," Kraus said.
Pulse Secure provides an update on exploitation of older versions of its VPN server.
Pulse Secure sent us an update on the recent issues with outdated versions of its VPN server:
“Like other vendors, Pulse Secure takes vulnerabilities seriously and continues to apply industry best practices to expedite work with threat researchers and protect our customers. We urge all our customers to deploy the security patch fix, available since April 2019, to protect themselves from threat actors and potential attacks. We have already contacted customers that have yet to apply the patch fix multiple times using contact information available to us, and we will continue to do so until they deploy the patch to all their systems. For more information, please visit SA44101,” said Scott Gordon, chief marketing officer at Pulse Secure.
The company added, in an emailed comment:
"We appreciate researchers, agencies, and ZDNet and other media highlighting the risks and importance of patching vulnerable systems - in particular informing the industry of those Pulse Secure VPN servers that have not been updated by their respective owners and remain vulnerable. These and other derivative exploits relate to CVE-2019-11510, which was a vulnerability that was publicly patched and reported by Pulse Secure in April 2019. Pulse Secure had also issued a security advisory, SA44101, and our company has been pro-actively contacting all customers to apply the patch fix. We estimate that over 97% of customers have applied the patch and are no longer vulnerable. Since April of 2019, Pulse Secure has been reaching out to customers by phone, email, in-product alerts and through online notifications to install the server-side patch fix and change their system access credentials immediately on all their VPN appliances. Our support team has also been providing 24/7 support to any customer who needs assistance deploying the patch fix regardless of whether they have an active maintenance contract or not."