Secure With Celerity Episode 14
DAVID TAYLOR [00:00:06] Hello and welcome to Secure with Celerity, the show where we try and digest the week’s top cyber security news stories in around 30 minutes or so, and I’m joined today by Celerity’s cyber security duo. We’ve got Joshua Read and Steve Laidler. Welcome on, guys.
STEVE LAIDLER [00:00:19] Dave, you alright?
JOSHUA READ [00:00:21] Are you alright?
DAVID TAYLOR [00:00:22] Not too bad, enjoying the sunshine, mustering those. But as ever, well, Cloud or some cyber security news. Alright guys, so let’s kick off with our first story of the week. So this is the BootHole GRUB2 bootloader arbitrary code execution vulnerability that was discovered by Eclypsium, a bit of a mouthful, and some of it has gone a little bit over my head. So I’m gonna go straight to you, Josh, to give us a bit more information on this one.
JOSHUA READ [00:00:49] Yeah, this one has taken me so long to understand the full spectrum of it all. So, yeah, this was announced on Wednesday. So it’s essentially a BootHole bootloader vulnerability in the Grand Unified Bootloader, GRUB, which is commonly used on Linux distributions. Social used in Windows. BootHole is known as there’s a hole in my boot, which just reminds me of the famous saying from Toy Story, there’s a snake in my boot. But yeah, this ultimately could allow Secure Boot bypass, which is massive, and affects Red Hat, Fedora, Ubuntu, as well as openSUSE, Debian, VMware, Microsoft and Hewlett Packard infrastructure. So back in 2012, Secure Boot was a security standard developed to help make sure that the devices are only using software that is trusted by the original equipment manufacturer. Essentially, it’s a vaccine against rootkits, which have been rife in the cyber security world for a long time, and they were amongst the hardest and most difficult to remove and detect. When the system starts up, the firmware checks the signature of each piece of boot software, including the UEFI firmware drivers, the EFI applications and the operating system. If the signatures are valid, then the PC boots and the firmware gives control to the operating system. So essentially it’s a check period at the start when the system turns on: is the stuff that I’m running to boot this operating system legitimate, or, you know, is there stuff in here that isn’t meant to be in there? And if you could bypass that, then you could potentially implant malware in the start-up sequence. So as you can imagine, if it’s affecting the boot sequence it’s a nightmare to patch, and you aren’t wrong. Especially the transit environment is a massive headache to patch at this moment in time. And if you start messing around with that, some of the dbx, GRUB, shims, kernel on Linux, you could have potentially a fatal error on your hands. And it will stop the machine from booting.
And to make matters worse, Red Hat yesterday recalled all of the updates that they provided for this vulnerability. And basically, they released an announcement saying: Red Hat notified customers of the BootHole vulnerability on Wednesday, July 29th. This email is a follow up to inform customers that some Red Hat Enterprise Linux 7 and 8 users may unsuccessfully reboot after applying grub2, fwupd, fwupdate or shim updates. Red Hat has published an interim solution to address this issue. Red Hat has identified the cause and is working on a resolution to provide to our customers. It is strongly recommended that customers do not apply grub2, fwupd, fwupdate or shim updates until new packages become available. Customers will receive a follow-up email when these updates are available. So obviously Red Hat have…
STEVE LAIDLER [00:04:35] They issued a patch or issued some guidance and found maybe that it didn’t work quite as well as they thought it would. And they said hang on for the next one.
JOSHUA READ [00:04:43] So, yeah, and that for me is when you’re dealing with stuff that is firmware level, or VMware level, you have to be really, really careful because a lot of those processes are dependent on the functional core of the operating system and the system itself. So it’s a very, very treacherous path starting to edit stuff like this, especially if you don’t fully understand what is being added at all, or what’s being updated.
STEVE LAIDLER [00:05:17] It’s also that when you’ve got like a lot of different technologies as well that are all kind of interlinked, especially with the world of hypervisors these days, you know, you can have any number of different operating systems affected by this, and then potentially, you know, you’re dealing with firmware. And, you know, probably the biggest part of this isn’t, you know, obviously rolling patches are obviously a big deal, but it’s also the planning that goes into it to understand how vulnerable you are and making sure not just that, but actually getting a good grip of it. So you really understand what you’re going to do when you’ve got a plan to roll it out. So a lot of these vendors will post it over time and they will come up with fixes for this. But it’s making sure that, you know, everything is gonna operate together, everything is really fixed. And like I said, the plan is usually most of the work.
JOSHUA READ [00:06:14] Yeah, definitely with this one. I’ve spent two days now looking into this vulnerability and understanding it fully. And it is so complicated. Essentially, to update your enterprise, you need to update the GRUB2 components to address the vulnerability on each endpoint, then Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders and shims. And then new shims will have to be signed by a third party, the Microsoft UEFI certificate authority. Then administrators of the affected devices will have to update installed versions of operating systems, both in the field and also in images and powered-off systems. And then eventually the new UEFI revocation list, which is the dbx, needs to be updated in the firmware of each affected system to prevent running vulnerable code during boot, and that process across your whole enterprise, across several different OS types and possibly infrastructure as well, is a mammoth task. Currently, for Windows there are mitigations but we’re still waiting for a patch. My advice? Wait for a patch. Do not try the mitigations, whatever you do. I’ve looked at them and they can seriously break systems if you start applying the mitigations. The next patches, they were released on Red Hat. Red Hat recalled the patches and we’re still awaiting the updated packages to be released from Red Hat. Photon OS, there was a new image deployed to the GitHub repository for VMware Photon OS. However, limited testing has been done with this, an open source operating system. So I would wait a while before you put it into production and seriously test the OS before you put it into production.
STEVE LAIDLER [00:08:24] Operational viral doesn’t get it for this magnitude is make sure you understand what the ramifications are in testing, test it all. One of the other things with, you know, the Red Hat one is you’ve got to do all of these steps because, you know, you patch the original vulnerability, the buffer overflow vulnerability, and then update the GRUB loader as well. Because if you don’t do that, you know, you’ve got to get that signature changed because otherwise you could update the GRUB loader, and if there was somebody in there in the system, they could then downgrade the GRUB loader. And, you know, all of the previous GRUB loaders have to be basically banned from executing as part of the upgrade to make sure you can’t roll back to an affected one and really kick them out of the running for execution.
JOSHUA READ [00:09:20] Yeah, the whole advisory that Microsoft released around this, I find it quite humorous when they got down to the mitigation section. They basically said, just wait for the patch, but we’re gonna give you mitigations just in case you really do think you’re vulnerable to this and you’re at risk. And there were about five warnings before you even got to the mitigation steps. One of them was: installation of this patch on incompatible systems could result in runtime error, system hang, or unrecoverable failure to boot. Please contact your OEM to determine if your equipment is compatible. Another warning: modification to the UEFI Secure Boot configuration can trigger a BitLocker recovery and failures in security software. Be sure to suspend BitLocker and have BitLocker recovery available if you are performing this operation. So there is quite clearly an abundance of warnings, and if that is enough warning for those watching that, you know, maybe you should wait for these patches rather than apply the mitigations, then how to handle is it? You know, it is a long while before it’s weaponized, in my personal opinion. They’ve provided a proof of concept, as it were. It’s been provided to the vendors. The vendors are making the patches, but for this to be in a widespread malware campaign or anything, really, it needs time to develop. It needs time to be refined. And if, you know.
STEVE LAIDLER [00:10:58] It’s in the early stages, isn’t it? Hang on for the patch.
JOSHUA READ [00:11:04] Yeah. And one thing I would advise as well is don’t read news articles. It’s a bit contradictory, as that way we’re basically providing you with the news. But, you know, each vendor has provided more than clear information. Read the vendors’ information first. Understand what you’re reading before, you know. There’s a lot of media hype around this vulnerability. They will, you know, douse it in petrol and set it on fire to make it ten times worse than it already is, viewed as the put from the public. You know, you’ve just got to read the information that the vendors are supplying. Every single vendor that’s involved has given countless web pages upon pages of information, and the onus is on them to provide the patch. So they will have to provide the patch and provide clear instructions on how to apply the patch safely.
STEVE LAIDLER [00:12:06] Best call, the best source of information on this one is the security fixes.
JOSHUA READ [00:12:11] Well, yeah, what I can advise at this moment in time is really take recollection of what you have in your estate and fully understand your risk and understand how it could be potentially attacked in reference to your network, apologies, in reference to infrastructure design, and also, you know, really try to understand what the patches and mitigations are and deem, almost as a risk assessment, whether it needs to be applied. But, yeah, it’s definitely a developing story since the patches haven’t actually been released yet. So make sure to keep people up to date and keep an eye on it.
DAVID TAYLOR [00:12:57] Alright guys, so it’s gonna be a long ongoing one and maybe we’ll drop back to it in the weeks to come when people have a better idea how to get it sorted. All right. Let’s move on to our second story of the week. So this is that half of UK university staff have had zero security awareness training. Which in this day and age is probably quite crazy. So we got some research done on a freedom of information request; 86 universities participated. And of those that answered the questions on that, 46% of staff had received no training at all. Which I know we often offer as a service. We’ve made it mandatory that all Celerity staff have gone through security awareness training. And I’m very shocked that half of our universities have not had any as well, given that they, you know, not only just the employees, but imagine how many students are in each university and how much data they’re holding. Would have thought that would be kind of a top priority.
JOSHUA READ [00:13:59] I had a truckload on this. Back when I was at university, I did some phishing research and ethics branded my project unethical. So essentially, I couldn’t do my project and I had to completely redesign the way that I was doing the project. And I said at the time, you know, regardless of whether it’s ethical or unethical, it happens, and brushing it under the carpet does not solve the issue. And obviously. Well, I took my advice and thought that was only one university. I was speaking to all universities. But, you know, as we have said time and time again, training isn’t the be all and end all of cyber security issues, you know. It’s far, far too easy for a general user on a training platform to literally just spam click next, next, next, next, next. How do you know that the training that you are paying for and providing to your user base is actually being taken on board and not literally just being spent like next, next, next? You need to almost put them in that scenario. The best way I think of it is to put it into something else that is important, which is fire drills, fire alarms. You know, you’ve got a fire alarm, which, you know, is so you’ve got the fire, which is really, you know, a real phishing attack. You’ve got the procedure of informing people as to what they need to do if there is a fire, which is the training, and then you’ve got your fire drill, which is phishing simulations. You know, if you don’t practise a fire drill, if there is a fire, everyone in the building burns alive. It’s, you know, it works on the same premise. And it’s about time universities really understand the complications of phishing and understand and respect that cyber security training is an important element. It is far, far too glossed over.
STEVE LAIDLER [00:16:15] I think it’s one of those. But there was a statistic that I think was eight percent of 86 universities had reported five or more breaches in the last 12 months. So the fact that, you know, universities are reporting breaches suggests that, you know, some training, even at a fairly rudimentary level, would probably help and might drive the number of breaches down. And again, universities are probably under the same constraints that a lot of other organisations are. You know, time, people, budgets. But one of the statistics that they did say was, you know, the average number of cyber security professionals that the university had was three. So at least they do have some mitigating factors or some, you know, something on the plus side, that they do have access to, you know, trained professionals to help in their cyber security. But they’re going to be overwhelmed if everybody in the rest of the university, especially, you know, if students are in the mix, and the rest of the cyber security controls across the organization are not robust enough to know that at the top, and potentially thousands of people who may not have, or have varying degrees of, cyber security hygiene. And when they’re going about stuff and whether those laptops and desktops have got controls on them, there is potential for, you know, as the statistics seem to say, you know, multiple breaches because people just fire up anything on their laptops, given the chance.
JOSHUA READ [00:17:57] That was something I picked up on this when I was at university: there was almost an element of burner account mentality towards email accounts from a student perspective. Now, there may be security topology changes. You know, there might be a student network where, you know, it’s completely locked down so they can’t access any internal servers. But there will be holes in that network; there isn’t any network, you know, that, you know, quite often university networks, colleges and user account set-ups, the infrastructure itself, are very, very complicated. And it matches up in a human element as well. You know, in any one year, a university can have, you know, 4000 people graduate, 4000 people leaving that organization as customers, 4000 more coming in at the other end. And essentially, they’re not really customers because they have elements of it. Difficult to explain: you get an email account on their Office 365, you’ll get access to their CRM portals, you’ll get access to differing areas based on what courses you do.
STEVE LAIDLER [00:19:09] They seem like pseudo employees, don’t they?
JOSHUA READ [00:19:12] Yeah. And yeah, exactly what that is. It’s a pseudo employee. It’s someone that isn’t quite an employee, but has the access potentially that a standard employee would have. Now, they come off the back of this Blackbaud supply chain attack. Another thing, another vector that universities are incredibly susceptible to is supply chain. There is a great deal of third parties involved with universities. And the data that’s shared between the university and the third party, in order for them to provide a Cloud platform for the university students, is equally as important. So if there’s a data breach for that company, in this case Blackbaud, which was actually a ransomware attack, Blackbaud paid off the criminals. But now, you know, they’re still notifying customers of this breach. Newcastle University, De Montfort University and Brunel University had to tell their students and alumni that their data was handed to criminals. And it’s embarrassing for the institute because they’re having to, you know, mop up after something that, necessarily, wasn’t their issue. So it’s impacting the supply chain relationships, it’s impacting the stakeholders at the university, and it’s also impacting the whole education sector. So in terms of cyber security, the education sector has got a long way to go.
STEVE LAIDLER [00:20:53] The ironic thing is that we’re asking them, and they’re not educating themselves about cyber security, almost. That’s where the irony lies. You know.
JOSHUA READ [00:21:02] What I was frankly astounded at within the report was, last year, the Academic Joint Information Systems Committee said the pen testing exercise it ran resulted in a 100% compromise rate. Now, if this is based on a phishing simulation and they managed to compromise every single user that they sent a phishing email to, then that is horrendous. That is a horrendous fail. And they implicate that. If that isn’t a warning sign or a wake up call for the education sector in terms of cyber security, then I don’t know what will wake them up. It’s frankly shocking. I wish I were. I read the hours note. Quite often when you run phishing simulations, you probably get, I don’t know, 2 or 3% turnover of credentials, but a 100% compromise rate now. It didn’t give details of what the penalties will mean for a pen test.
STEVE LAIDLER [00:22:09] Being alone, any of them might have been enough to compromise.
JOSHUA READ [00:22:15] The compromise rate, usually a compromise is associated with a system or a user. Yes. Both managed by credentials. It’s, you know, I mean, it’s frankly shocking, but I’m not surprised, based off my experience at university and obviously some of the reports I’ve read. It’s about time educational institutions aren’t viewing cyber security as a priority. It was very much glossed over from a student perspective, and from speaking to lecturers and some professors at the university. I remember talking to one university professor who was saying he quite often received phishing emails with the sole aim of stealing his research, because obviously there’s world-breaking, you know, brand new research being developed at universities every single year. Yeah. Why do the hard work when you can phish someone, steal their research and basically, you know, claim it as yours and get a doctorate for it. It works. And it works on the same premise. And it also raises the reputation of the individual as well. So if they care about their information and their research, then it’s, you know, cyber security has become a priority.
DAVID TAYLOR [00:23:36] If there’s anyone who works in the universities and needs help with cyber security, give Celerity a call, we’ll help you out. So after that, let’s move on to our next story, which, you talked about the Blackbaud ransomware. It’s the story of Garmin being hit by, we’re gonna say, a suspected ransomware attack. I don’t believe they’ve actually come out and said it was ransomware, but it was speculated.
JOSHUA READ [00:24:01] It’s not been confirmed, but some Garmin employees came out online and basically said that it was a strain of ransomware called WastedLocker. Which, when that was initially detected and analyzed, it revealed, well, back a couple of months ago there was an article about it. They said that there were demanded payments into the millions of US dollars. It’s quite that. A serious ransomware. But, yes. It hasn’t been confirmed from Garmin. I think the main thing here is that next Wednesday they’re due to provide the financial earnings of the last quarter. So on Sunday, the Garmin Fenix smartwatches couldn’t offer distance GPS tracking on runs. Garmin aviation apps are currently operational, but they’re being closely monitored. After some initial issues, Garmin began to restore some services to Garmin Connect, but functionality was limited and, you know, no one really knows what’s gone on. And there have been employees come out and say what they think happened. You know, they may have some good evidence as to what’s happened. But until the official comms say that this is what happened, we can’t speculate.
STEVE LAIDLER [00:25:29] It’s interesting. The other thing with Garmin is, you know, I think in recent history, people think of them as manufacturers of wearable sports devices. And you know what they say, from running and biking and all that kind of stuff. And they also run that sort of automobile car GPS, and certainly they’ve always been big into that. But also, you have to think, you know, like you said, areas and marine or various radars and, you know, marine navigation equipment, but also like the aerospace industry. So things like, you know, aeronautical GPSs but also radar trackers, say, you know, systems that look at engine management and engine information. So they do a huge catalogue of devices across industries. And I guess that the real takeaway from this is, you know, if somebody could breach something like Garmin, you know, the lightest part is, you know, somebody might steal, I guess, maybe your running data or something like that. But actually, what the impact could be to other areas of the business that control what, you know, people rely on for aviation, and for marine as well, for controlling and directional information, could be quite catastrophic. So I guess that that’s probably why they’re monitoring the aerospace stuff very, very closely in case anybody’s tampered with any of the code or the updates or anything to do with those systems. Just quite bad.
JOSHUA READ [00:27:05] Yeah, we all realize, oh, that’s critical infrastructure. You know, I look into aviation. I know if marine, it’s stuff that countries depend on. So state sponsored attackers have probably got Garmin in the corner of their eye and the peripherals, looking at them and keeping an eye on them. It doesn’t surprise me that, you know, it’s like Strava. Strava last year, they were breached, and from the breach, they were able to pinpoint troops. Now, if you can realize, obviously, the value of that to other countries, it’s massive.
STEVE LAIDLER [00:27:49] Because a lot of, like, you know, troops and military personnel were using Strava and that thing was active on the devices. And anybody logging on to the Strava app could then start using that information to pinpoint, you find potentially bases out in the Middle East or wherever these things were in the desert, and where these troops were moving, probably their daily patterns as well, you know. So for the Garmin side, something similar could yield the same kind of results and maybe even further if they’re also embedded with, you know, ships and planes. Whether that’s commercial or whether that’s, you know, private planes or private marine, I’m not sure the extent of how far Garmin get into, and a lot.
DAVID TAYLOR [00:28:41] But I think they’d be very disappointed if they managed to get their hands on my running data. Alright guys. Let’s move on to a final story, as we’re kind of creeping up on time. And this headline is that a Zoom bug allowed snoopers to crack private meeting passwords in minutes. So Zoom in the headlines again for more cyber security. What are your thoughts on this one, Josh?
JOSHUA READ [00:29:06] Yeah, obviously from Zoom. I’m gonna quickly gloss over this one. It’s not too complicated from the vulnerability perspective. So essentially a meeting ID, you are given a six digit, six character number. Now that number can be any digits from zero through to nine. So based on that, there are one million different combinations of that six digit number that can be put into that meeting ID field. So, someone clever basically worked out, right, what if I try and brute force passwords? Have they got any password policies to stop me from repeatedly trying each iteration of the numbers? So zero, one, two, three, four, five, zero, one, two, three, four, six, etc. And yeah, there was none, basically.
STEVE LAIDLER [00:30:03] There was no real limit. You could…
JOSHUA READ [00:30:04] No, there was no limit. They posted a million HTTP requests to trial, which meant one million combinations. And it worked. And more worryingly as well, the researchers also found the same procedure could be repeated with scheduled meetings, which have the option to override the default passcode with an alphanumeric variant. So it’s like text and numbers. So running against the web client, they ran the top 10 million passwords and they were able to break past login. Which, you know, if someone’s using password123, or 123, any of the common ones as a meeting password, then it’s incredibly easy to breach, especially with a brute force program like John the Ripper or something like that.
STEVE LAIDLER [00:31:01] But it was patched pretty quickly, I think.
JOSHUA READ [00:31:05] Yes.
DAVID TAYLOR [00:31:10] They’ve always been quite quick to do the patches.
JOSHUA READ [00:31:12] Yeah, well, they’ve announced a 90 day freeze on releasing new features to better identify and address issues more proactively. So they’re actually going through a patch. There’s a development freeze at the moment where they’re going through and patching everything. So hats off to them. I think it’s the right move. It’s getting a lot of attention at the moment, especially from penetration testers put down risk. Anything they can make money from, they’re going to try and find a weakness in it. And it’s a popular platform at the moment, so I don’t see why they wouldn’t. So, yeah, this is, you know, essentially the right way, responsible disclosure and responsible fix. And it’s working. Well, yeah, they obviously need to make sure they have, essentially, you know, a password policy, as it were, to stop people from brute forcing. A password policy is a trusted mitigation for a reason.
DAVID TAYLOR [00:32:14] Yeah, definitely. Alright guys. Well, yeah, we’ve just crept over the 30 minute mark, which isn’t too bad, but yeah. Thanks a lot for your time today, guys. Really good stories, and everyone else watching at home, thanks for watching Secure with Celerity. And we’ll join you next week for more cyber security news stories.