![](\"https:\/\/i.giphy.com\/media\/8r9fN7KGsvFAs\/giphy.webp\")
So FYI that the picture doesn’t have anything to do with this post.\u00a0 It’s just getting close to Halloween, so figured I’d roll with that.\u00a0 There are quite a few things in the news today -and a few stories I wanted to comment on.\u00a0 I was planning on doing a “flyover” but then I started noticing a theme and decided to comment on that instead.\u00a0 I’ll go through the items and let’s see if you can tell where I’m going with these as we go through.<\/p>\n
First up, the story about the mysteriously-deleted Georgia election server.\u00a0 There’s a pretty good writeup from Ars Technica yesterday<\/a> but the situation might be summarized as:<\/p>\n Seems pretty shady right?\u00a0 Like, destroying the data just days after the lawsuit was filed?\u00a0 And then the same day as it escalates, they decide to degauss the backups multiple times?\u00a0 I heard that and, truthfully, I was like “holy crap, that’s some Amerikans-level spy shit right there.”\u00a0 But then I went on to read through the large chunks of the email thread that came through from a FOIA request<\/a>.\u00a0 It takes a while to read – but I found some interesting takeaways.<\/p>\n First, I went in thinking something had to be super dirty..\u00a0 Now I’m not so sure.\u00a0 From the read through, the folks at KSU strike me as a fairly diligent security team.\u00a0 You can get a pretty firm handle on their incident response process, including\u00a0measures they took in response to the initial notification, their correspondence with law enforcement (who seemed less on the ball frankly), and their pretty thorough after-incident reports…\u00a0 You can get a good flavor for how that (fairly small) team runs just from these emails.\u00a0 \u00a0Likewise, you can see them proactively reaching out to internal counsel about how long to retain records – before deleting them – to which they did not get (IMHO) a very germane or applicable reply.\u00a0\u00a0Are they the best security team ever?\u00a0 Well, they’re small… and have a lot on their plate.\u00a0 But I’ve certainly seen much worse.<\/p>\n The second story is about the IOActive report about SATCOM.\u00a0 IOActive put out a report<\/a> about issues with this system (fairly standard) and in response the vendor issued a patch<\/a>.\u00a0 Nothing to see here, right?\u00a0 Wouldn’t be… Except now the vendor is pushing back<\/a> saying the research is overblown.\u00a0 The research itself is pretty straightforward: SQLi in the login form and a built-in backdoor account.\u00a0 It happens.\u00a0 Likewise, the report acknowledges that the normative situation would be that these are not “worst case scenario” in most production deployments because of network segmentation in use for a field deployment.\u00a0 In fact, the report says directly, “Vessel networks are typically segmented and isolated from each other, in part for security reasons…\u00a0While the vulnerabilities discussed in this blog post may only be exploited by an attacker with access to the IT systems network, it\u2019s important to note that within certain vessel configurations some networks might not be segmented, or AmosConnect might be exposed to one or more of these networks.”\u00a0<\/em><\/p>\n The position of the vendor seems to be: 1) this product is old, so while it is still in deployment, it’s scheduled for termination.\u00a0 2) It’s hard to exploit. 3) There are compensating controls.\u00a0 OK.\u00a0 I’m all about that.\u00a0 But don’t these same arguments apply in equal measure to something like, for example, SMBv1?\u00a0 Here’s the deal: I’ve commented on this before, but if you’re a product vendor, never ever dispute the researcher<\/a>.\u00a0 \u00a0The PR is terrible.\u00a0 Even if you think the research is completely bogus, don’t fight it.\u00a0 What is particularly upsetting about this one is that the company did the right thing initially: they patched their legacy, soon to be commissioned, likely not that vulnerable product. They already did the right thing.\u00a0 Now, they have undermined those efforts, lost any good PR value, and are going down the “theoretical vulnerability” route (they do, in fact, use that parlance.)\u00a0 Oldsters out there will remember the L0pht’s tagline “making the theoretical practical…”\u00a0 Do you remember why they said that?\u00a0 I do – and, if you read this<\/a>, you’ll know too.\u00a0 The moral of the story is that saying it’s “theoretical” is bait – and most security pros will remember the truly epic “told you so” that happened in that case.<\/p>\n In both of these cases, decent security efforts were undermined by something else going on somewhere else.\u00a0 In the case of the election server, the response team took what appear to be reasonable measures.\u00a0 Now though, the optics are legit terrible — for reasons that I suspect we’ll find out is no fault of theirs.\u00a0 Likewise, the SATCOM vendor (Inmarset) did the right thing in response to a (probably hard to exploit in a normative case) vulnerability.\u00a0 Now their workmanlike (and responsible) efforts to address the issue have been undermined — for example, the reason I even know about the story in the first place is they are already taking the bad PR hit in the press.\u00a0 \u00a0The lesson I guess is that it behooves the organization as a whole to make sure security is addressed holistically.\u00a0 Making one specific team accountable is fine (and a good idea), but that doesn’t mean the rest of the organization can just “do whatevs” and expect the outcome to be a hardened enterprise.<\/p>\n","protected":false},"excerpt":{"rendered":" So FYI that the picture doesn’t have anything to do with this post.\u00a0 It’s just getting close to Halloween, so figured I’d roll with that.\u00a0 There are quite a few things in the news today -and a few stories I wanted to comment on.\u00a0 I was planning on doing a “flyover” but then I started […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[],"class_list":["post-642","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=642"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/642\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n