txt

Where to begin. It’s almost impossible to comprehend what the fallout of this breach will be in the immediate to medium term; in fact, there isn’t enough information out there yet to conduct an effective post-mortem so to speak.

One thing is for certain - organisations are going to be wary of trusting ‘technology solutions’ from vendors. This isn’t to say that SolarWinds (and FireEye) did not have adequate measures in place; just that breaches are inevitable and organisations that rely on technology vendors are also dependent on these vendors having adequate controls in place alongside stringent self-audits. Organisations out there that trusted SolarWinds to push Orion to their networks in effect trusted that SolarWinds had a strong handle on their security posture. In Australia, CPS 234 mandates that APRA-regulated entities will need to have information security measures in place and includes cybersecurity assessments by independent assessors. Obviously, the effectiveness will boil down to the thoroughness of the assessor.

All this gets more complicated when you start to look into how the breach occurred in the first instance. It is starting to increasingly seem like hackers leveraged widely-used protocols and solutions. Ars Technica has a fascinating report referencing security firm Volexity, who encountered the same attackers in 2019; at the time, they bypassed MFA protections for Microsoft Outlook Web App (OWA) users.

Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented cookie tied to a Duo MFA session named duo-sid.

Krebs on Security has a great write-up with a sobering quote from the DHS’s Cybersecurity and Infrastructure Security Agency.

CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”

The CISA goes on to advise that if an org identifies ‘SAML abuse’, mitigating individual issues might not be enough; you’ll need to consider the entire identity store as compromised. And unfortunately, the only remedy to that is building back identity and trust services from the ground up.

Additional Reading:

VMware Flaw a Vector in SolarWinds Breach?

SolarWinds hackers have a clever way to bypass multi-factor authentication

[FireEye Threat Research

](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)

So, the ‘Sign in with Apple’ feature had a significant vulnerability that’s been thankfully patched. An independent bug bounty hunter, Bhavuk Jain has posted up a detailed take on how he found the vulnerability and reported it to Apple. It’s a pretty fascinating read.

My favourite Apple Sign-In feature has been how you can choose to mask or not share your email ID with a third-party during the authentication process (bye unsolicited emails!). When the email address is hidden, Apple generates a JSON Web Token (or JWT (or JOT if you’re that guy) which is a standard to transmit claims securely between two parties) that is then used by the third-party app to authenticate the user. Bhavuk found that the payload returned by Apple included a URL accessible on Apple’s servers to which he could send just an email address (any email address) and could get authenticated without a password. Apple essentially sent back a valid authentication token that could be used with the third-party app.

This was no doubt a glaring flaw no matter how you slice it. OpenID Connect and OAuth consent flow standards exist for a reason - no matter how excellent your engineers are or how sophisticated your own spin on existing standards are, the risks of rolling your own authentication is pretty damn high.

The Australian government rolled out their contact tracing app, COVIDSafe through the Apple and Android app stores at 6 last evening. Understandably, there has been quite a bit of apprehension leading up to it but the it’s starting to sound like there might be a cautious uptake of the app among the general public given that 1 million people downloaded it in the last 12 hours. If the AFR’s readership (possibly right-leaning and more trusting of the current government) is a reliable metric, the consensus is that the app may eventually help ease restrictions in place.

A few things:

• It’s an app with a purportedly singular purpose - contact tracing. It’ll use low energy Bluetooth to exchange a handshake between two devices that are 1.5 m apart for over 15 minutes.

• The only data that’s collected are a name or pseudonym, age range and your phone number. I realize that you’ll need phone numbers to get in touch with individuals who may have spent time with a diagnosed person but having that unique identifier in the database negates any perceived benefit of using a pseudonym. An alternative would be notify people of proximity to confirmed cases through just device notifications; granted, it’ll be harder to ensure quarantine or isolation measures.

• ”Not even a court order can penetrate the law, not even a court order, or the investigation of an alleged crime would be allowed to use [the data]”.

• There’s two levels of consent to go through registration and they’re quite detailed - it’s harder to implement something stricter without sacrificing usability and uptake.

• The data store is hosted on AWS instances in ACT - assume they’ll use the same protected instances that the government already use.

• The data stored on devices is held on for rolling period of 21 days much like how you can configure browsing history deletion on Google’s My Activity page.

• It’s a bit unclear what permissions and privileges the ‘COVIDSafe Administrator’ will have but I assume quite a bit given they can delete registration data.

• The punishments for misuse of app data are quite onerous - 5 years jail time and $63,000 in fines.

• Law firm Maddocks conducted a 48 page privacy assessment and made 19 recommendations which all seem to have been accepted.

• Source code will be released over the coming days.

• Singapore’s version of the app, the source code for which has been leveraged for COVIDSafe, hasn’t quite seen the uptake you’d want for something like this. Approximately 20% of Singapore residents have downloaded the app and Australia wants at least 40% of the population to download it for it to be useful.

The debate over this has been lively and has no doubt contributed to the way the app has been rolled out - fingers crossed that every safeguard in place is meaningfully enforced.

Links:

AFR: ‘Privacy by design’ approach for COVIDSafe app

The Verge: Why Bluetooth apps are bad at discovering new cases of COVID-19

ITNews: Australia’s COVID tracing app better than Singapore’s: Health chief