Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday August 27th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me this week to talk about a couple of items is Terry Cutler, head of Montreal’s Cyology Labs. But first a look back at some of the stories from the past seven days:
Websites run by some of the world’s biggest organizations, including some U.S. state governments, Ford and Microsoft, left people’s personal information open on the internet. Why? Because staff used Microsoft’s Power Apps tools to develop applications. Power Apps is a platform for quickly creating apps. It’s aimed at people who don’t know a lot about writing code but need to put up an app quickly. But researchers found that a quirk in the platform’s web portal configuration meant some developers didn’t realize they were leaving sensitive data out in the open.
This is one of the stories Terry and I will talk about.
Another is how a New Hampshire town lost $2.3 million in a business email compromise scam. Crooks fooled city employees into sending expected payments to bank accounts the criminals controlled.
Microsoft this week urged administrators of on-premises versions of Exchange Server to patch the applications as soon as possible. This came after the U.S. Cybersecurity and Infrastructure Security Agency issued an urgent alert to admins to get cracking on the updates. This is to close a series of vulnerabilities called ProxyShell. Two of the security patches have been available since April, the other in May. Hackers are actively looking for unpatched Exchange Servers. You have been warned.
Here’s a summary of security updates issued this week by vendors: If you use products from F5 Networks, the company has issued critical patches for its BIG-IP line. VMware has released security updates to address vulnerabilities in multiple products, including Cloud Foundation. Patches are available from the OpenSSL Software Foundation. And Cisco Systems has released security updates for products that use its Cisco FXOS and NX-OS operating systems.
How can governments fight ransomware? That was a question asked this week at a cybersecurity panel run by the Institute for Security and Technology. And the answer was — forbid organizations and individuals from paying ransomware gangs. But, the panelists added, a government can’t issue a ban without first being ready to deal with the possible ramifications. That would include the disruption of essential services by a determined attacker.
Finally, Bitdefender has found a new backdoor used by a threat actor that researchers call FIN8. This gang often tries to compromise financial institutions and point-of-sale devices. This backdoor is still under development, but it uses a PowerShell script for loading onto victims’ servers. Companies are warned to segregate their point-of-sale network from other parts of the IT network, as well as to practise normal cyber hygiene, such as educating employees about spotting the phishing emails that would start a compromise leading to the installation of a backdoor.
(The following is an edited transcript of my talk with Terry Cutler. To hear the full discussion, play the podcast.)
Howard: I want to first talk about the Microsoft Power Apps story because of its ramifications. UpGuard, the Australian cybersecurity company, found the configuration vulnerability in the way Power Apps web portals allow access to data. It says 47 organizations accidentally left 38 million records of information open on the internet — a record being like one piece of information, like a name, a date of birth, a Social Security number. So first of all, what is Power Apps and the Power Apps portal?
Terry: In a nutshell, Power Apps is a low-code platform which will help improve and automate processes that businesses use every day. It has things like drag-and-drop templates and all that fun stuff. And what’s happened here is that the Power Apps portal was configured to allow public access. One of the options inside the platform is what’s called OData, which is the open data protocol for the API, which allows the apps to retrieve information from the portal. One of those things is a table. The table can have a list of usernames, passwords or medical information, depending on what table you have access to. But one of the problems was that the OData feed allowed anonymous access to the list and the data.
This is known as a misconfiguration attack, even though the [Power Apps] manual says that if you configure this you expose the data. But if you’re not familiar with how to set up these types of web services, you’re not going to know. And a lot of times when you’re an administrator and you don’t know what you’re doing, you just enable everything because you want convenience. You don’t want users to call in saying, ‘Hey, this stuff doesn’t work. We’re moving to somewhere else.’ So basically the tables were misconfigured.
I believe UpGuard made several requests to Microsoft saying there’s a vulnerability here. And Microsoft came back saying, no this is working as designed … Microsoft [later] came back and changed the way the tables work.
Howard: So what went wrong in Microsoft’s approach to Power Apps and the Power Apps portal?
Terry: I think they made it too convenient for it to be set up. Because the tables had anonymous access [as default] when it’s being configured, that [potentially] allowed scammers to pull data down without permission. Microsoft has now turned on table permissions by default. So now not just anybody can drive by and download the data, which is a great step. Microsoft developed a tool recently to go and check to see if your [Power Apps] systems are misconfigured. So that was a good step.
Howard: So if a developer wants a user to have general access to data on a portal, the developer has to go out of their way to turn that on.
Terry: Correct. And that’s the best approach because if it’s set up for too much convenience you’re not going to know if something’s misconfigured.
Howard: So what’s the lesson for software developers who want to create tools to help people create applications?
Terry: Get familiar with the latest attack tactics, like the top 20 [OWASP] guide that tells you where the most vulnerable misconfiguration flaws occur and how data breaches are easily done. When you follow those best practices you’ll learn how to test the security [of an application] and make sure it’s safe. That’s the only way that we’re going to move forward. We’ve got to educate the developers on how to code with better practices in mind.
Howard: And what about the lesson for those who are creating applications and websites? What are the lessons to them about security and data access?
Terry: Again, security’s not about convenience. You’ve got to get your sites tested, because remember, as a developer, you might only know what you know. When you hire a cybersecurity expert, they’re going to complement your skillset. They’re going to see stuff that you missed or didn’t think about.
Howard: I want to turn to the business email compromise story. This involves the town of Peterborough, New Hampshire, which acknowledged that it was recently victimized by scammers to the tune of $2.3 million. In one incident, the regular monthly $1.2 million direct payment that the town was supposed to transfer to the local school board went to crooks. It happened because the town’s finance department was fooled by emails pretending to be from the school board. There are no details, but probably the scammers told the town that the board’s bank account was being moved to another financial institution and the payment should go there.
And in the other incident, two bank transfers that were meant to go to a contractor working on a bridge in the town didn’t go to the company. Again, probably the scammer sent emails, pretending to be from the contractor saying that he changed banks. It isn’t clear if the town’s insurance will cover the loss. This type of scam is called a business email compromise. It works because government departments and companies understandably often announce who they’re doing business with. For example, a municipality will proudly announce the winners of a bid to build or restore a bridge. Terry, what’s your experience been with victims of this type of scam?
Terry: I think it…