Government, Google, and GitHub - March 11th - 17th, 2023 - F5 SIRT - This Week in Security

Editor's introduction 

Let's spin the wheel of editors and see where it lands this week... MegaZone.  Hi folks, it's me again.  Reaching into the grab bag of security news from last week I pulled out a handful of items that particularly caught my interest.  The longest-term impact will likely come from the National Cybersecurity Strategy.  This administration seems to be getting serious about cybersecurity with a number of executive directives to date, and this strategy continues that trend while foreshadowing future mandates.  We're also seeing regulatory movement from the SEC, and some enforcement action from the FBI.

On the industry side, Google Project Zero released a bundle of vulnerabilities for Samsung Exynos Modems which have serious implications for a number of devices, especially popular Android phones from Samsung and Google.  And GitHub is improving account security with 2FA, but the larger issue of secrets leaking via repositories continues to worsen.

I encourage you to check out the earlier editions of TWIS, and the broader content shared by the F5 SIRT.  I think there is some good content there, but I might be a wee bit biased.

2023 National Cybersecurity Strategy

The Biden Administration has released their 2023 National Cybersecurity Strategy, and thirty-nine page document that will certainly reverberate throughout the industry.  Clearly the push is to make vendors, not users, primarily responsible for cybersecurity - including legal and financial responsibility.  The idea is nothing new, I remember Bruce Schneier saying something similarly a couple of decades ago, but it seems we're finally seeing some force behind it.  If vendors bear responsibility for the security of their products and services they have a business incentive to improve said security.  Expect more regulations to this effect - regulation is a recurring theme in the strategy.

Even before regulations there will be immediate impact will be on vendors selling to government customers, but this will also 'trickle down'.  Those in the supply chain to government vendors are going to face pressure to meet the same standards.  Other customers will follow the US government's lead - other nations, of course, but we're already seeing large commercial customers asking for the same commitments as the government.  A good indicator is the Software Bill Of Materials, or SBOMs.  Interest in SBOMs has picked up across large customers since the US government laid out requirements for vendors to start producing them.  The doors have been opened, expect more to pass through them. 

It is past time for the industry to get our house in order.  This is just the beginning.

• https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
• https://www.scmagazine.com/perspective/leadership/four-ways-to-give-the-national-cybersecurity-strategy-some-teeth

Google Project Zero Exposes Samsung Exynos Modems RCEs

I'm pretty deeply invested in the Google ecosystem (though I'm still pissed about Stadia shutting down, even if I did get a refund), and that goes for my phone too.  I've been an Android user since the Motorola Droid came out (replacing my Treo680), and more specifically I've gravitated to Google's 'pure Android' devices, like the Nexus products back in the day (Samsung Galaxy Nexus), and more recently the Pixel family.  I've had a Pixel 2 XL, Pixel 4 XL, and currently a Pixel 6 Pro (and a Pixel Watch).  So I wasn't too thrilled when Google Project Zero broke the news last week of multiple baseband RCEs in the Samsung Exynos modems used in Pixel, and Samsung, devices, amongst others.

As a darkly joked about on social media, I bet intelligence agencies around the world were cursing GPZ.  This is just the kind of thing your friendly neighborhood intel agent would use to remotely suborn a target's phone.  No user interaction required, no indications of compromise to the user, no need to touch the device.  All you need is their phone number.

The issues are bad enough that GPZ is making an exception to their usually-firm 90-day disclosure policy for the four more severe issues, giving vendors more time to patch.

The good news for Pixel users is that Google already released patches for the four most severe issues in the March security update.  Which is nice, since the recommended mitigation of disabling both WiFi calling and Voice-over-LTE (VoLTE) is not that practical for many users of modern networks.  Many use WiFi calling for better quality connections in areas with weak cellular service, not to mention reduced cost, and VoLTE is required for some networks and plans as they move to only 4G LTE & 5G.  Some may not even allow you to disable these in settings.

• https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html
• https://semiconductor.samsung.com/support/quality-support/product-security-updates/
• https://source.android.com/docs/security/bulletin/pixel/2023-03-01

GitHub Mandatory 2FA - But Issues Remain

On March 13th GitHub began the rollout mandatory two-factor authentication (2FA) for all developers, with the objective of universal use by the end of 2023.  This increases the security of GitHub by reducing incidents of accounts, and thereby the projects linked to those accounts, being hijacked by malicious actors.  As GitHub is a major component of today's software supply chain, this is a growing threat.  (If you're a GitHub user, beat the rush and configure 2FA today - if you haven't already.)  However, while this change is laudable, it isn't the only credential issue at GitHub.

GitHub has a serious, continuing issue with credentials, and other secrets, getting checked into repositories for all to see.  The State of Secrets Sprawl 2023, by GitGuardian, shows a 67% increase over 2022 in secrets checked into GitHub, to over 10 million instances out of over one billion new commits, with 3 million unique secrets.  Fully one in ten developers checked in at least one secret - 1.35 million out of 13.3 million.  And 5.5 commits out of every 1,000 exposed at least one secret.  2FA isn't going to help with that - only better developer practices will.  The report is a quick read - and worth sharing with your developers.

These leaked secrets were used in major attacks in 2022, as well as compromising apps, private data, customer information, etc.  Hardcoding secrets, credentials or otherwise, into software is simply a bad practice.  Stop doing it.  Every as a 'temporary' solution for testing - we all know how permanent 'temporary' solutions often turn out to be.  And while won't help with this, as a general rule whenever you're offered 2FA/MFA - use it.  Yes, even SMS 2FA is better than not using it at all.  If you have the option of using an authenticator app (I like Authy), a security key, or a passkey, even better.  

• https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/
• https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa
• https://www.gitguardian.com/files/the-state-of-secrets-sprawl-report-2023

SEC Eyes Cybersecurity

Turning once again to the subject of government and cybersecurity, the US Securities and Exchange Commission (SEC) is also taking cybersecurity more seriously these days.  They've proposed new regulations which would require customer notification of data breaches within 30 days, with immediate government notification, while also expanding the type of information protected by data privacy regulations.

The SEC is serious about their cybersecurity regulations too, as Blackbaud discovered to the tune of $3 million.  Blackbaud had suffered a breach with data exfiltration and a ransomware attack, but underreported the severity of the incident to customers.  While they claimed the attack did not leak banking information or Social Security numbers, but 'only' names, contact info, and some health data, the truth was that not only were bank details and SSNs compromised, but also usernames and password.  The SEC criticised Blackbaud's disclosure controls and procedures, and slapped them with the $3 million fine.

I expect to see more government agencies issuing their own cybersecurity regulations for their areas of responsibility.

• https://www.sec.gov/news/press-release/2023-51
• https://www.sec.gov/news/press-release/2023-52
• https://www.sec.gov/news/press-release/2023-53
• https://www.sec.gov/news/press-release/2023-54
• https://www.sec.gov/news/press-release/2023-48

FBI Pounces On Pompompurin

And one last government story - the FBI arrested the alleged admin of BreachForums, Conor Brian Fitzpatrick aka Pompompurin.  BreachForums is, or was considering it is down now, a popular cybercrime forum known for the publication of numerous hacked databases.  In 2021 Fitzpatrick had taken credit for a breach of FBI systems that was used to send thousands of false emails relating to investigations.  That's probably a good way to get on the FBI's bad side, if I had to guess.  And then in December, 2022 members of BreachForums reportedly infiltrated the FBI's InfraGuard program and sold information on 80k program members on the forums.  So I have to imagine that the FBI has been eager to shut down BreachForums.

This is a win, but just as BreachForums emerged after the FBI shut down RaidForums last year, I'm sure another site will take its place.  We don't have any shortage of criminals, or badly configured sites to breach it seems.

• https://www.theverge.com/2023/3/18/23646476/feds-arrest-alleged-hacking-forum-owner-breachforums-pompompurin
• https://krebsonsecurity.com/2023/03/feds-charge-ny-man-as-breachforums-boss-pompompurin/