Trust, Supply Chain, CVEs, Patching, and Schneier - Nov 5th - 11th - F5 SIRT - This Week in Security
Editor's introduction
Hello all, MegaZone is back in the editor's chair this week. This time around I present a collection of topics which have one thing in common - they caught my attention and interest enough to make a note to myself to remember them when it came time to compile This Week in Security. And, remarkably, I have - and here we are.
The first entry, Delegation of Trust, originally caught my eye via Cory's Tweets, and certainly caught my interest enough to spend some time looking for more information. It does raise some suspicions for me as the behaviors and issues cited, while they could have innocent explanations, certainly seem questionable for a supposedly reputable vendor.
Supply Chain Security has been a major topic in the Infosec world for several years now. It seemed to really come to the fore with the 2018 Bloomberg article which claimed Chinese vendors had embedded tiny spy chips into major products. The story was widely denied, debunked, and discredited by all of the companies named, but it certainly focused attention on the supply chain which has remained. Now the NSA, CISA, and ODNI are publishing supply chain security guidelines.
When I'm not writing This Week in Security, I live and breath vulnerabilities at F5. Most of the day-to-day work I do is related to vulnerability management and disclosure - from tracking, to working with product teams to secure fixes, to publication and disclosure. And some of that work includes being F5's primary contact point with the CVE.org, as a CNA, and participating in a few working groups. Recently CVE Services 2.1 & the CVE JSON 5.0 Schema Launched, and I thought some of you might be interested in the mechanisms behind the scenes.
Finally, a couple of quick items. The MS Patch Tuesday this week contained several zero-day patches and it is highly recommended that you patch systems ASAP - hopefully that's already done by the time this is published. And Bruce Schneier has announced a new book on the way, A Hacker's Mind, available for pre-order now.
Until next time!
- Editor's introduction
- Delegation of Trust
- Supply Chain Security
- CVE Services 2.1 & the CVE JSON 5.0 Schema Launched
- MS Patch Tuesday
- New Bruce Schneier Book
Delegation of Trust
Cory Doctorow posted an interesting examination of the delegation of trust. Everyday we trust in systems we use - but what is that trust built on? You may trust your browsers and PKI for TLS. But that's just the first layer. There are many, many layers of trust involved - all the way down to the compiler used. Or the compiler that compiled that compiler. The hardware it is all running on - and all of the individual vendors behind the components in that HW. Beyond that are trust in systems - commercial and government. And the people who comprise those systems.
All of this serves as a background to the meat of the article - which is a look at Trustcor as a Certificate Authority, and why they're arguably problematic and may be undermining the web of trust millions of daily transactions are built upon. Trustcor is one of the root CAs trusted by default in Chrome, Firefox, and Safari - meaning they can provide certificates which compromise all TLS traffic in those browsers. Which isn't to say they are, just that they can, and some things about the company are more than a bit off.
I found it an engaging and interesting read, and I encourage you to spend a few minutes reading it for yourself. Cory's article got me to looking, and The Washington Post also covered the Trustcor story. And researcher Prof. Joel Reardon goes further down the rabbit hole of questionable behavior by Trustcor and related firms.
https://pluralistic.net/2022/11/09/infosec-blackpill/#on-trusting-trust
https://twitter.com/doctorow/status/1590301458926161920
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4
Supply Chain Security
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) released a new report on supply chain security for suppliers - the aptly named Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. This follows an earlier supply chain security report for developers - yes: Securing the Software Supply Chain: Recommended Practices Guide for Developers.
Still to be published are recommended practices for customers, though I suspect we can predict that that will be titled when it is released.
CVE Services 2.1 & the CVE JSON 5.0 Schema Launched
My primary role in the F5 SIRT is as "The Vulnerability Guy". I've been involved in the publication of nearly every F5 (and NGINX, etc.) CVE for several years now, and my role also includes acting as our primary point of contact with the CVE program, as F5 is a CNA (CVE Numbering Authority). In this role I have also been a participant in the CNA Coordination Working Group (CNACWG), the Automation Working Group (AWG), and the Quality Working Group (QWG). And the major projects of the latter two have recently launched! Those being CVE Services 2.1, from the CWG, and the CVE JSON 5.0 Schema, from the QWG. The two go hand-in-hand.
As part of the launch activities, on November 2nd a half-day CVE Services Workshop was held, and now the materials and recordings of the sessions are available to all. There is also a site dedicated to the transition activities. While the primary audience for all of this is the CNA community, if you're interested in, or curious about, the inner-workings of the CVE program it is worth checking out. Especially if you're thinking of becoming a CNA yourself, or interact in other ways with the CVE program - for example as a security researcher or just as a consumer of CVE data.
https://cveproject.github.io/CVE-Services-Workshop-Slides-02November2022-FINAL.pdf
https://www.youtube.com/playlist?list=PLWfD9RQVdJ6etGbopVxE5Nb-8TzjY5cl9
https://cveproject.github.io/automation-transition
MS Patch Tuesday
This week's Microsoft Patch Tuesday was bountiful, with a large number of CVEs addressed, including eleven Critical severity issues. A few of those were zero-day vulnerabilities; the most severe of these, CVE-2022-41128, is a CVSS 8.8 resulting in Remote Code Execution. Most versions of Windows and Windows Server are affected, so patch early, patch often.
New Bruce Schneier Book
Bruce Schneier announced that he has a new book arriving in February, A Hacker's Mind. From the blurb:
In A Hacker’s Mind, Bruce Schneier takes hacking out of the world of computing and uses it to analyze the systems that underpin our society: from tax laws to financial markets to democracy. He reveals an array of powerful actors whose hacks bend our economic, political, and legal systems to their advantage, at the expense of everyone else.
https://www.schneier.com/blog/archives/2022/11/new-book-a-hackers-mind.html