90% of buckets are private, and therefore not at risk of leaking data or being corrupted by attackers. Of course, that means 10% of buckets are public…
58% of those public Buckets (in other words, 5.8% of the total number of buckets tested) contained readable files, what might allow data leakage.
20% of public Buckets (or, if you prefer, 2% of the total buckets) are not write-protected.
Only a tiny 5% proportion of those public, write-enabled buckets (in other words, a mere 0.1% of the total) don’t contain any files.
This is pretty bad for the companies who own the 2% of buckets which are writeable – this could lead to data corruption, ransomware, etc.
The cloud is a great way to increase efficiency and integrate best of breed solutions into your business, but it requires that administrators be trained for the specific challenges of security in cloud computing. The information is out there – for example, Amazon has a page chock full of security advice.
The people who are plunging in to the cloud and messing up are making it harder for the rest of us who see the cloud as the future to sell its security to management – let’s get our acts together people!
The train wreck that is Android security continues…
A new strain of malware by security firm Wandera found in China has the following charming characteristics, according to a recent blog post.
Zero-day threat previously unknown within the mobile security community
Group of at least 50 functioning apps containing the sophisticated RedDrop malware
Apps are distributed from a complex network of 4,000+ domains registered to the same underground group
Once the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious functionality
When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected
These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more
RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes
This is frightening stuff as it turns the victim’s phone into a bug, compromising phone calls made on the device as well as conversations in the vicinity.
As usual, the key problem here is that the app follows the rules and asks the user to approve a (long) list of permissions which are then used to compromise the device. Many users don’t bother to read/think about these permission prompts, leading them to basically invite the malware authors to take over their device.
Security pros need to make their users aware of the need to read and think about security prompts EXTRA carefully on their Android devices.
I spend a lot of time telling people to use two factor authentication on their important web accounts. This may explain why I don’t get invited to parties.
While using 2FA is a great idea, there is one issue which you (and your employees) should be aware of.
If your 2FA solution relies on text messages to deliver it’s one time passcodes, it may be vulnerable to “mobile number port out” scams. This article from the always informative Brian Krebs explains the mechanics of this.
The solution? If a site offers the choice between using text messages and an authenticator app, choose the app. If you have to use text based authentication, make sure that your mobile phone account is protected from porting using a PIN or password.
Our main argument is that a message from ETI cannot be decontaminated with certainty. For anything more complex than easily printable images or plain text, the technical risks are impossible to assess beforehand. We may only choose to destroy such a message, or take the risk. The risk for humanity may be small, but not zero. The probability of encountering malicious ETI first might be very low. Perhaps it is much more likely to receive a message from positive ETI. Also, the potential benefits from joining a galactic network might be considerable.
If the aliens have the ability to create Flash content, we are doomed.
A few lessons for us infosec professionals from this:
First: The definition of insiders expands as businesses continue to outsource functions which used to be done in house.
Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.
The rest of the world tends to look askance at the way that we here in the US handle airport security. Many of the measures we take are pure “security theatre,” reacting to the last terrorist scheme (exploding shoes, bombs in underwear) that we happened to catch. Checking electronics seems to be a good idea, although the lithium ion batteries in non terrorist devices seem to be more likely to bring a plane down than a booby trapped phone or laptop. Even this, though, may be giving us a false sense of security as terrorists are working to better hide explosives in electronics.
Here’s a pretty funny take on all of this from Australian comedian Jim Jeffries. Warning: it is very sweary, so don’t watch if that kind of thing offends you.
Now, I’m not saying that we should do away with the TSA or many of the security checks it performs. One look at their Instagram account of things taken away from people at security checkpoints is enough proof of that.
What is needed is a more people focused type of security – looking for patterns in ticket purchases, travel, and behavior before and during travel to spot people with bad intentions rather than the specific weapons they use – they have all the time in the world to come up with new and better ways to evade the technical security measures, but like in information security, the real detection gold is to be found in human behavior.
AMP had outsourced parts of it information systems security program to a third party provider who had failed to detect the exposed data during three successive vulnerability audits of AMP’s systemes.
Outsourcing can be a really effective tool for augmenting a firm’s infosec program, but business leaders and CSOs need to remember that the ultimate responsibility for protection of corporate and customer data still remains with them. However, when the firm is a regulated entity, the risks of relying on an outsider to perform critical parts of the infosec program without adequate supervision outweigh the (admittedly attractive) cost savings.
Monitoring third party service provider performance is a hard problem. Most firms don’t have the resources to perform in person audits and most providers don’t have the ability to allow every customer to audit them. This is why external independent audits of third party providers’ security practices are so important. These audits need to be performed against generally accepted security standards with objective audit criteria. ISO27001 and SSAE18 SOC2 are two examples of such audit types.
Even if a business partner gets a clean bill of health from an independent auditor, their performance must be monitored by the line of business who engaged them as well as by the infosec department. Recently, I have been seeing more and more inquiries from my firm’s customers coming between their annual due diligence reviews of our services. Most of these inquiries occur when there is a “celebrity vulnerability” like Spectre/Meltdown – what I am hoping to see in the future are more questions confirming “security 101” procedures and practices.
The advent of security ratings firms like Security Scorecard and Bitsight can also be helpful in this area. While their security ratings cover specific aspects of a vendor’s security program (practices that can be seen from the Internet), they can provide an ongoing data point to be used to detect potential problems in between those annual security reviews. I believe that this industry is in its early stages and that the results that they provide must be examined carefully against the specific requirements of your security program.
As companies outsource infrastructure, applications and services to third parties in order to concentrate on their core competencies, the importance of third party vendor management is going to continue to grow.