Today, we discuss the recent Chirp Systems smart lock vulnerability, Delinea’s rapid response to a critical API flaw, and the ongoing debate over ransomware payment policies. Explore the implications of these security breaches and the strategies to enhance digital safety without compromising on the details.
Keywords: Cybersecurity, Chirp Systems, Delinea, Ransomware Payment Ban, Smart Locks, API Vulnerability, U.S. Cybersecurity & Infrastructure Security Agency
Sources:
- Chirp Systems Smart Lock Issue: krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak
- Delinea Secret Server SOAP API Vulnerability: helpnetsecurity.com/2024/04/15/delinea-secret-server-vulnerability
- Ransomware Payment Ban Debate: cybersecuritydive.com/news/ransom-payment-ban-pushback/713206
Feel free to let me know if there are any tweaks you’d like to make!
Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags for the Episode: Cybersecurity, Chirp Systems, Delinea, Ransomware, Smart Lock Security, API Vulnerability, Digital Safety, Cyber Attack, Security Breach, Tech News
Search Phrases:
- Chirp Systems smart lock security issues
- Delinea SOAP API vulnerability fix
- Ransomware payment policy debate
- Cybersecurity latest news
- Smart lock vulnerabilities and solutions
- How to secure digital locks from hackers
- API security breaches and responses
- Impact of ransomware payment bans
- Expert analysis on Chirp Systems breach
- Preventing unauthorized access in smart devices
Transcript:
Apr16
Welcome back to the Daily Decrypt.
Chirp system’s smart locks are compromised With hard coded credentials, potentially unlocking 50, 000 U. S. homes remotely, warns the U. S. Cybersecurity Infrastructure Security Agency, highlighting severe oversight in digital security protocols. What can be done to secure these smart locks and prevent unauthorized remote access?
Delinea acted swiftly to patch a critical vulnerability in their secret server SOAP API, which could have allowed attackers to gain administrative access and seize sensitive data.
And finally, ransomware victims in the US shelled out 1. 5 billion between May 2022 and June of 2023 amidst heated debates over the effectiveness of ransomware payment bans, as highlighted by the Institute for Security and Technology. What strategies are cybersecurity experts recommending to reduce ransom payments without implementing a ban?
In a recent warning issued by the U. S. Cybersecurity and Infrastructure Security Agency, or CISA, an estimated 50, 000 smart locks across the country are vulnerable to breaches due to hard coded credentials that allow remote access. These locks, developed by Chirp Systems, have been criticized for storing sensitive access information within their source code, making them susceptible to unauthorized entries with a CVSS severity rating of 9.
1 out of 10. Despite these concerns, Chirp Systems has yet to respond or collaborate with CISA to address these vulnerabilities.
The issue first came to light when Matt Brown, a senior systems development engineer at Amazon Web Services,
detected the flaw. Brown, while installing the Chirp app to his Access His Apartment, opted to scrutinize the app’s security. He discovered that the app stored passwords and private keystrings in a decodable format, leaving residence doors wide open to potential hackers.
In response to his findings, Brown approached his leasing office, which provided him with a 50 NFC key fob as a workaround. However, Brown pointed out that the FOB still transmitted the credentials in plain text, vulnerable to cloning via NFC enabled devices.
The parent company of Chirp Systems, RealPage, Inc., is currently facing legal challenges including a massive lawsuit supported by the U. S. Department of Justice and multiple state attorneys general. The suits accuse RealPage of using its software to artificially inflate rents through collusion with landlords, employing algorithms that limit negotiation and push maximum possible rents on tenants.
In a swift response to a security breach, Delinea, a leading provider of privileged access management solutions, recently addressed a critical vulnerability in their secret server SOAP API. The company first became aware of the issue late last week and took immediate action by blocking SOAP endpoints for its cloud customers.
This precaution was necessary to mitigate any potential unauthorized access. while the cloud service was patched on the same day. By Saturday, Delenia confirmed their awareness of the vulnerability and assured that their engineering and security teams had conducted thorough investigations, revealing no evidence of compromised customer data or attempts to exploit the flaw.
By Sunday, the company had released an update for Secret Server on premises, version 11. 7. 000001.
Effectively fixing the vulnerability and announcing forthcoming patches for earlier versions upon completion of testing. Moreover, Delinea has provided a guide for customers using on premise versions to help determine if their systems were compromised. This includes instructions to generate custom reports to trace potentially unauthorized access, particularly from unfamiliar IP addresses which could indicate malicious activity.
Kevin Beaumont, a security researcher, noted that the temporary unavailability of Delinia’s secret server cloud last Friday stemmed from a published blog post by security engineer Johnny Yu, who discovered the vulnerability. Yu’s post, which included a proof of concept for creating a golden token allowing admin access, was crucial in prompting the company’s rapid response.
Delinia has also established a continuous monitoring process updates on their service status to ensure ongoing security for their users. They urge all users to review any unusual audit records and verify the authenticity of the secret server mobile application access as part of their comprehensive security measures.
In a report issued this past Wednesday, the Institute for Security and Technology’s Ransomware Task Force has decided against the need for a ransomware payment ban. The report highlights several reasons, including concerns that a ban might discourage victims from reporting ransom payments, potentially pushing these transactions underground, and the complexity of any Exempting critical infrastructure.
Instead of implementing a ban, the task force recommends focusing on 16 milestones they believe will effectively reduce ransom payments.
And there’s a quote from the RTF co chairs from an email that says, while a ban may be an easier policy lift than activities designing to drive preparedness, it will almost certainly create the wrong kind of impact. They noted a decline in organizations making payments, suggesting that current strategies may already be making an impact.
Despite the resistance to a payment ban, the task force revealed that more than half of their proposed measures are already in progress or completed. These include significant policy changes like the requirement for publicly traded companies to report substantial cyber incidents, and the upcoming rule from CISA mandating that US critical infrastructure entities quickly report cyber attacks and ransom payments.
The discussion on how best to tackle ransomware continues to evolve. While the Biden administration previously steered clear of a complete ban on ransomware payments, there are renewed calls for reconsidering this policy. Brett Callow, a threat analyst at Emsisoft, is an outspoken supporter of a ban, suggesting that even if attackers may not be aware of state level bans, a national policy might have a significant deterrent effect.
The Ransomware Task Force, by figures like Kemba Walden, the former acting National Cyber Director, advocates for bolstering existing efforts rather than imposing new bans, indicating a strategic commitment to enhance cybersecurity resilience amidst ongoing debates.
That’s all I got for you today. Thanks for tuning in to this quick, news focused episode.
Be sure to tune in later this week for
a discussion on HackspaceCon, which just took place last weekend in Florida at Kennedy Space Center.
Still working on editing that episode, but dogespan and I discussed our key takeaways and we wanted to share them with you. So stick around for that.
Related Posts
CyberSecurity News: Expensive AWS S3 Bucket, No MFA for Change Healthcare, Wpeeper Android Malware uses WordPress
Dating App Verification Scam, China’s DNS Reconnaissance, and Google’s Play Store Security Overhaul
