It was a fairly close call this week between this title and the somewhat more obvious NO2 (of course not referring to the, hopefully, going-out-of-fashion laughing gas N2O fad), but rather to the fact that O2 took down considerable portions of its own and attached third-party networks yesterday by allowing certificates to expire on core Ericsson kit.
That isn’t a threat, it is incompetence, but as we all know availability is a pillar of security so, ho-hum.
This week’s real threat was the announcement that the ‘open source container-orchestration system’ Kubernetes has (or had) a really nasty bug (CVSS score 9.8, that’s very nasty).
Before we proceed, it is probably a good idea to get our heads around what Kubernetes is and how to pronounce it. We shall do this through the medium of crossword clues:
- The noise that Doves make / What Scots folk call a cow
- Big grizzly animals that like to eat salmon
- A way to catch fish / After Tax
- Pills popular with ravers
‘Coo-Bear-Net-E’s’. There you go. Tenable have even done a video to explain.
Kubernetes, named after the Greek for helmsman or Captain (see what they did there?) was spawned out of Google and is an Open Sourced system, which (according to the Wiki) aims to provide a “platform for automating deployment, scaling, and operations of application containers across clusters of hosts”.
Now we are aware that many people are still none the wiser and might be thinking that Kubernetes can be cured by over the counter salves and ointments. Unfortunately not.
As the World+Dog rushes to deploy scalable applications, driven by re-usable Application Programming Interfaces (APIs), and pressure to develop and deploy quickly and autonomously using Agile development methodologies, with associated Sprints, Scrum Masters, Black Belts, Wizards, Dark Lords, etc. (we made some of those up, can you guess which?), there is much reliance on code like this, and it sits at the core of a huge number of applications, public and private. How secure are these huge amounts of shared code? Time will tell.
Give thanks then that the system has been patched, because this vulnerability allowed unlogged privilege escalation and one must assume that:
Because there is no way of telling whether this security flaw has been actively used or not, you must assume that your sensitive data has been compromised. Rotate passwords and other secrets.
No biggy.
Orchestration and containerisation architectures, methodologies and tooling are manifestly complex to the uninitiated, pretty much like SNA back in the day, which is why large consultancy outfits (no names, no pack drill) are making huge amounts of money advising Enterprises.
What we can be sure of however, is that administrators of Kubernetes based systems will be busier than bricklayers in Baghdad patching this. We wish them well.
In other news it is increasingly mind boggling to look at Western Governments’ offensive against Huawei. Just this week we have had the Chief of the UK Secret Intelligence Service Alex Younger calling out the potential issues with the Chinese outfit’s 5G kit (clearly formerly a pupil of S. Holmes Esq.). This was quickly followed by the Canadian arrest of the Huawei CFO (daughter of the founder, job clearly on merit, no strings pulled) and seeming intent to extradite her to the USA for reasons not clear.
Trade war, sabre rattling, bluster, the special relationship or something more sinister? What we do know is that attacks at the nation-state network level are real. Governments must face up to these risks and deal with them. We will see more rather than less of this in the coming year. Chinese Year of Earth Pig, since you ask.
If you would like to know more about containerisation security, we can hook you up with the right people. As ever, our Christmas jumper clad (not the whole year round, obvs) crack team of Cyber Santas await your requests at: [email protected] or 020 7517 3900. There is a special offer on Cyber Elf checks and they would love to talk with you.