Google half-patches Cloud Build permissions exploit, the rest is on you

Tan KW
Publish date: Mon, 24 Jul 2023, 10:44 PM

Infosec in brief A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations' code repositories and application images, according to Orca Security researchers.

The firm's Research Pod today published details about a "critical" flaw, and warned that it could have been exploited to achieve a supply-chain attack along the lines of SolarWinds - or, more recently, MOVEit - with "far reaching consequences."

After word of the vulnerability reached the Chocolate Factory, Google deployed a fix - though it doesn't fully address the issue, according to Orca researcher Roi Nisimi. 

"It only limits it - turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk," Nisimi said. "It requires security teams to put further measures in place to protect against this risk."

The issue, as Google describes it, is more about poorly defined permissions.

Cloud Build, as an automation service, uses service accounts to authenticate requests made during a build. 

As Orca researchers discovered, if someone enables the Cloud Build API in a project, the product automatically creates a default service account to execute builds. Up until June, this contained a flaw that gave builds access to the private audit logs showing a complete list of all permissions on the project.

When asked about Orca's claim that this only provided a partial fix, a Google spokesperson gave The Register little in the way of explanation - saying only that its vulnerability rewards program exists to find those sorts of issues, and that it appreciates Orca's help. 

But will Goog deploy a further fix for the bug?

"We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June," Google told us. We'll take that as a no.

In the meantime, it's on you, IT leaders.

"It's … important that organizations pay close attention to the behavior of the default Google Cloud Build service account," Nisimi said, adding that applying the principle of least privilege is vital to reducing an organization's risk. 
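One way to act on that advice is to check what the default Cloud Build service account has actually been granted. The following is an added example, not code from the article, Orca or Google: it takes a project IAM policy exported with `gcloud projects get-iam-policy PROJECT --format=json` (the policy below is a constructed sample), assumes the default account follows the `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` naming, and lists its roles, flagging basic roles and the private-log viewer role as least-privilege findings.

```python
"""Audit an exported GCP IAM policy for the default Cloud Build service account."""
import json

# Roles that hand a build far more than it needs for a normal build. The basic
# roles are project-wide; roles/logging.privateLogViewer is what lets a
# principal read private (audit) log entries. Treat any of these on the build
# account as a finding to review.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/viewer",
    "roles/logging.privateLogViewer",
}

# Constructed sample of `gcloud projects get-iam-policy --format=json` output.
# The project number and the bindings are invented for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:build-runner@example-project.iam.gserviceaccount.com"]},
    ]
})


def default_build_sa(project_number: str) -> str:
    """IAM member string for the default Cloud Build service account (assumed naming)."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def audit_build_sa(policy_json: str, project_number: str) -> dict:
    """Return every role bound to the default build account and which ones are too broad."""
    policy = json.loads(policy_json)
    member = default_build_sa(project_number)
    roles = sorted(
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    )
    broad = sorted(role for role in roles if role in BROAD_ROLES)
    return {"member": member, "roles": roles, "broad_roles": broad}


if __name__ == "__main__":
    print(json.dumps(audit_build_sa(SAMPLE_POLICY, "123456789012"), indent=2))
```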

Amazon agrees to pay $25 million to settle Alexa COPPA violations

The US Department of Justice said this week that it had reached an agreement with Amazon regarding its alleged violations of the Children's Online Privacy Protection Act (COPPA). 

The settlement stems from charges that Amazon had a policy of retaining voice recordings of those under the age of 13 indefinitely by default - which violates COPPA rules - among other privacy violations.

Amazon agreed to pay the DoJ $25 million, or 0.78 percent of its Q1 2023 profit, to settle the issue without admitting or denying responsibility. Along with the pittance of a fine, Amazon has agreed to delete inactive child profiles, to stop misrepresenting its Alexa recording retention policy, and to report to the DoJ on its compliance with the orders for the next decade.

The suit, which was brought in late May, extracted a bargain from Amazon as soon as it was filed. Writing on the same day the accusations came to light, Amazon said it disagreed with the FTC's claims, but was still settling to put the matter behind it.

"We will continue to invent more privacy features on behalf of our customers and ensure they are aware of the controls and options available to them," Amazon said, as ordered.

Cyber security labels coming soon to US smart tech

The Biden administration announced plans this week to introduce a US Cyber Trust Mark for smart devices - think Energy Star, but for internet-connected devices.

Proposed by Federal Communications Commission chairwoman Jessica Rosenworcel, the Cyber Trust Mark could begin appearing on smart fridges, microwaves, TVs, climate control systems, fitness trackers and other devices as soon as next year.

"This new labeling program would help provide Americans with greater assurances about the cyber security of the products they use and rely on in their everyday lives," the White House said in a statement. "It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace."

The actual plan for implementing the Cyber Trust Mark is forthcoming, with the FCC still to introduce proposed rules for public comment. 

What a device will need to do in order to qualify is also still to be defined. The Biden administration said the voluntary program would be based on cyber security criteria from the National Institute of Standards and Technology and may include "unique and strong default passwords, data protection, software updates, and incident detection capabilities." ®

https://www.theregister.com//2023/07/24/infosec_in_brief/
