Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:
- Misconfigured Google Groups
- Git Bug
- Rental Car PII Risk
- JScript Bug
1. Misconfigured Google Groups
Thousands of organizations have been discovered to be leaking sensitive data due to a widespread misconfiguration in Google Groups. Those affected include Fortune 500 companies, hospitals, colleges, newspapers, TV stations, and even government agencies.
Google Groups is a web forum that allows administrators to create mailing lists for specific recipients, and they are able to adjust privacy settings with respect to domains and certain groups. This forum is made available online to users. Many groups are visible to the Internet, and the ability to share outside of the organization is left open.
While this is a misconfiguration issue, Google has not issued any special sort of update or patch. Admins should use the following link to lock down their Google Groups: https://gsuiteupdates.googleblog.com/2018/06/configure-your-google-groups-settings.html
Permissions and outside access for users should be limited to the scope of the organization and to how it conducts its business.
2. Git Bug
Popular git repository hosting services such as GitHub, GitLab, and MS VSTS were discovered to have two bugs that would allow an attacker to perform arbitrary code execution. An attacker would be able to gain access when a user or developer accesses a malicious repository. The more serious of the two is described as a submodule configuration flaw. These submodules can be malicious and directed to execute code. Submodules are used to reference one project from within another in an almost hierarchical way. Essentially, submodules allow a developer to keep a Git repository as a subdirectory of another Git repository, letting you clone another repository into your project.
The main concern with the Git vulnerabilities is that a malicious or rogue submodule will trick the repository into running code that is out of its own context (code that it should not be running). This arbitrary execution could allow an attacker to exfiltrate data, pull down a web shell, plant a cryptominer, or even take complete control over the machine that the repository or clone is being run on.
While the aforementioned repository hosting services have patched the vulnerabilities, there are still some best practices to follow with git repos:
- A submodule path within a git repository must not contain “..” as a path segment.
- Examine submodule folders more closely for flaws and inaccuracies.
- Submodule folders should not be symbolic links.
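The three checks above can be automated. The script below is an added example, not code from the bulletin or from Git itself: it parses a constructed .gitmodules file, flags any submodule name or path containing a “..” segment, and, when given a checkout directory, flags submodule folders that are symbolic links. The submodule names, paths and example.invalid URLs are all made up for the demonstration.

```python
import os
import tempfile

# Constructed .gitmodules sample: one clean entry, one with a ".." segment
# in its name, and one whose path will be a symlink in demo().
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../.git/modules/evil"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
[submodule "tool"]
\tpath = tools/linked
\turl = https://example.invalid/tool.git
"""

def parse_gitmodules(text):
    """Minimal .gitmodules parser: returns a list of (name, {key: value})."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[submodule ") and line.endswith("]"):
            name = line[len("[submodule "):-1].strip().strip('"')
            entries.append((name, {}))
        elif "=" in line and entries:
            key, _, value = line.partition("=")
            entries[-1][1][key.strip()] = value.strip()
    return entries

def has_dotdot_segment(value):
    """True if any slash- or backslash-separated segment is exactly '..'."""
    return ".." in value.replace("\\", "/").split("/")

def audit_gitmodules(text, repo_root=None):
    """Return (submodule_name, finding) tuples for each best-practice violation."""
    findings = []
    for name, cfg in parse_gitmodules(text):
        path = cfg.get("path", "")
        if has_dotdot_segment(name):
            findings.append((name, "name contains '..' path segment"))
        if has_dotdot_segment(path):
            findings.append((name, "path contains '..' path segment"))
        if repo_root is not None and os.path.islink(os.path.join(repo_root, path)):
            findings.append((name, "path is a symbolic link"))
    return findings

def demo():
    """Build a throwaway checkout with a symlinked submodule folder and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor", "libfoo"))
        os.makedirs(os.path.join(root, "tools"))
        os.symlink(os.path.join(root, "vendor"), os.path.join(root, "tools", "linked"))
        return audit_gitmodules(SAMPLE_GITMODULES, repo_root=root)
```

Run audit_gitmodules on a real repository by passing the contents of its .gitmodules and the checkout root; an empty result means none of the three checks fired.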
3. Rental Car PII Risk
Rental cars now pose a real threat to Personally Identifiable Information (PII). It is common for people to connect their smartphones to their car, either through Bluetooth or a USB cable, to play music, make a phone call, or charge the battery. This common habit, however, may result in the download and retention of your PII. The smart system within the car may store the cellphone number and your location data, and may also store call logs and contacts that have been previously dialed or texted.
Before returning your rental, we recommend the following to protect your PII:
- A USB connection may transfer data automatically; use a cigarette lighter adapter instead to power and charge devices.
- If your rental car is equipped, grant access to just the information you want to reveal by using the rental car’s permission screen.
- Delete your PII from the car’s system. There should be an option to remove your phone from the list of paired devices, which should wipe call logs and remove contacts.
- Remember to erase your location history from the car’s navigation system by entering the settings and clearing your driving record.
- Your rental car may have an option to clear all user data or do a factory reset. Talk to a staff member or check online before you drive away in your rental; you may forget or be in a hurry at the end of your trip.
4. JScript Bug
It should also be noted that this vulnerability does not lead to full system compromise. Further exploits would be required to advance exploitation; however, information accessed on the right computer, like that of a CEO, could be disastrous for a company.
Microsoft is currently working on a patch; however, there are preventative measures that can be taken. We recommend discontinuing the use of applications that rely on JScript where feasible. This includes Internet Explorer, wscript.exe, and any other application that processes untrusted JS code or files. Users should also be aware of:
- Malicious email attachments
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message
- Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
How can Netizen help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.