Escalating the war on passwords, post-Roe threat modeling and more Log4j lessons

Blake Sobczak/README

Welcome to Changelog for 5/8/22, published by Synack! I’m your host, Blake. Last week’s Hack the Capitol event was a hit — I tried my hands at my first-ever Escape Room, hosted by the Department of Homeland Security and designed with input from industrial control system gurus at the Energy Department’s network of national labs. I couldn’t stay long, but I did find the answer to this clue after tinkering with a water pump’s human-machine interface. Keep an eye out for the ICS escape room at DEF CON this year. In the meantime, here’s your news roundup:

 

The payload

Passwords are a huge pain: They’re clunky, rarely unique, easily phished, and — unlike the landline phone number of your childhood best friend — all too easy to forget.

So I cheered the news that Apple, Microsoft and Google are rallying behind a set of common standards for a password-free future, joining forces with the FIDO Alliance and the World Wide Web Consortium to roll out new authentication options across billions of devices in the coming year. (Think face scans, fingerprints or PINs on your physical device rather than finicky combos of numbers and special characters.)

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called the announcement “an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords.” She also penned a groan-worthy ode to multifactor authentication on “World Password Day,” turning the rock music reference dial up to 11.

But even if passwords are going the way of the dinosaur, they’re still in the early Cretaceous. In 2007, a landmark Microsoft-backed study showed that the average user has 6.5 passwords shared across 3.9 different sites, for a total of 25 accounts requiring passwords. Ten years later, another study led by Carnegie Mellon University researchers found the average participant used an average of nearly 10 passwords across 26 different web domains — hardly an encouraging trendline for password foes.

You might think the advent of password managers has put a dent in those numbers, but the tools aren’t yet used effectively and have only been adopted by a fraction of the population. (Plus, such security services still revolve around at least one password.)

I’ll call it: We’re still decades away from being able to celebrate World Passwordless Day. But kudos to Microsoft, Apple and Google for getting the ball rolling.

The week, compiled

Late last year, the far-reaching Log4j vulnerability shook the open source community to its core, setting off a scramble to patch before the holidays. Though publicly known for less than a month in 2021, the flaw in the popular Java logging tool catapulted to the top of CISA’s list of the most routinely exploited vulnerabilities for the whole year.

“Log4j is incorporated into thousands of products worldwide,” CISA said in a recent advisory. “The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.”

 1_zJQC9wYS_Y3SLLZj3TJjeQ
Illustration: Si Weon Kim

We’re not out of the woods yet, as Robert Lemos reports in his first story for README. Log4j laid bare an entire ecosystem of open-source software bugs that developers aren’t equipped to sort through. Many potential security problems are tucked away under layer upon layer of open-source codebases. One app may rely on an open-source tool that in turn incorporates another, and so on until there are so many layers it’s hard to pick out which one may be hiding the next Log4j-level vulnerability.

“A lot of good news happening in this space, but the adversaries, the threats are only growing over time,” Brian Behlendorf, general manager for the Open Source Security Foundation, told Lemos.

Here’s what else made a mark last week:

TechCrunch: With the U.S. Supreme Court slated to overturn Roe v. Wade, some cybersecurity experts are urging people to consider deleting period-tracking apps and other tools that collect potentially sensitive data for fear it could be abused in a post-Roe world. “It is abortion providers and people working in abortion support networks who are in the most immediate danger right now,” Eva Galperin, director of Cybersecurity at the Electronic Frontier Foundation, said.

CyberScoop: The U.S. Treasury unveiled its first-ever sanctions against a cryptocurrency “mixer” allegedly tied to North Korea’s infamous Axie Infinity heist.

ZDNet: The White House released a plan aimed at keeping the U.S. ahead of the curve on quantum computing technology, which could be used to break many conventional encryption standards.

A message from Synack

Going to the RSA Conference this year? Stop by Synack’s “Journey by the Bay” experience that includes executive thought leadership sessions, demonstrations of Synack solutions and a showcase of emerging cybersecurity companies. And don’t miss our parties that will rock the City by the Bay with live music, libations and food. Find us anytime at Fogo de Chão — 98 steps from RSAC at the Moscone Convention Center. Find out more here.

Flash memory

Exactly one year ago, Colonial Pipeline announced it had been forced to cut off its massive fuel delivery system to the U.S. East Coast after a cybersecurity incident disrupted its IT networks.

 1_2AJhmjLG0Io_DhnYJG4zZA
Colonial Pipeline fuel storage tanks in Alabama. ChapstickAddict/Flickr

The culprit? Ransomware (go figure).

The dayslong shutdown caused gas prices to spike in parts of the U.S. as panicked drivers rushed to load up on fuel. And the event was a key driver of a White House push to tighten the screws on U.S. critical infrastructure networks, an effort that has since extended to the rail and water sectors.

Jason Tama, director of resilience and response at the White House National Security Council, said on a panel I moderated Wednesday that the Colonial incident “invites us to question: ‘What are our expectations as a nation, as shareholders, for critical owners and operators to be resilient?”

As disruptive ransomware attacks continue plaguing critical sectors, “we’re not there” yet, he added.

Local files

Vice: Location data broker SafeGraph stopped offering info that could reveal people’s visits to Planned Parenthood after Motherboard reporter Joseph Cox showed it had been up for sale. One cybersecurity researcher told Cox he had unearthed a “bonkers dangerous” corner of the data trading marketplace in light of threats to abortion clinics.

The Washington Post: Online voting company Democracy Live is opening up its networks to Synack Red Team hackers to shore up its cyber defenses ahead of voting pilots in West Virginia, North Carolina, South Carolina and Alabama.

Bleeping Computer: Germany-based car rental giant Sixt reportedly reverted to pen-and-paper bookings at some locations after suffering a disruptive cyberattack.

Off-script

Snooker legend Ronnie “the Rocket” O’Sullivan bested rival Judd Trump (no relation to the former president) in an epic showdown last week at the Crucible in Sheffield, England, hoisting his record-tying seventh World Snooker Championship trophy.

For those unfamiliar with the sport, snooker’s like pool, but it’s played on a larger table with smaller pockets. Its convoluted rules simultaneously make it more difficult and much more entertaining.

If you haven’t given snooker a watch, I’d recommend you check it out. You’ll be in good company: Former U.K. National Cyber Security Centre CEO Ciaran Martin and well-known infosec researcher The Grugq are fans.

 1_Ce_uv_lmLgvgztWxVO2E4Q
Ronnie O’Sullivan is widely considered to be the greatest snooker player of all time. DerHexer/Wikimedia Commons

That’s it for this week — please send tips, feedback and infosec dad jokes to bsobczak@synack.com. Happy Mother’s Day — see you next Sunday!