If you are going to use Infrastructure as a Service providers like Amazon, make sure that the people using them take the time to learn about and use the security features. Amazon provides the means to store data securely and has a wealth of documentation on security best practices. Having a breach due to an improperly configured S3 bucket is amateur hour, folks.
When acquiring new companies, especially small ones, security due diligence needs to be job one. Finding out where sensitive information is stored and how it is protected is a must.
Know your third parties (and those of your acquisitions) – FedEx blamed the breach on an unnamed third party. Remember – you can outsource the function, but you cannot outsource responsibility for security. When doing an acquisition, look at the list of every vendor that the target company pays and figure out which ones might be holding data.
I have been through the acquisition process a few times in the past ten years – identifying show stopper issues during due diligence is important, but it is vital to keep the process going after the deal is done. The more you dig into the security of the acquired firm, the more “interesting” security issues you will find.
…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.
In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.
Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).
There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.
The price for this treasure trove? US$600.
With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision. They could choose victims to concentrate their effects on for maximum profit. Real world attackers could also use this information to plan crimes such as burglaries or kidnappings. Governments (both foreign and domestic) could use this information to select targets for surveillance.
The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use. If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection. If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.
This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real. If this turns out to be a real story, I think we have the winner for the biggest non-political hack of 2016.
A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free. Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non-jailbroken) devices. This particular family of malware only targets devices located in mainland China, but there is nothing to stop others from trying to exploit this issue to infect other users.
Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.
We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks. The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.
Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…
Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user could then enter their user name, master password and two factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.
Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker’s page to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
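The fix for a forced-logout CSRF is the same as for any state-changing request: require POST and a token the cross-site page cannot know. The handler below is an added, framework-free illustration of that check (not LastPass code); `handle_logout`, the request dict shape and the server secret are all assumed for the example.

```python
import hmac
import hashlib

# Assumed server-side secret that binds CSRF tokens to a session (constructed).
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

def csrf_token_for(session_id):
    """Derive the per-session CSRF token the legitimate page embeds in its logout form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_logout(request, sessions):
    """Hypothetical logout endpoint. `request` is a dict with 'method', 'cookies'
    and 'form'; `sessions` maps session id -> user. Returns (status, message)."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return 401, "not logged in"
    # A logout reachable by GET fires from an <img> tag or a redirect on any
    # page the user visits; that is exactly the primitive the phishing page used.
    if request.get("method") != "POST":
        return 405, "logout requires POST"
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = csrf_token_for(session_id)
    # A forged cross-site request carries the cookie automatically but cannot read
    # the token out of the real page, so it cannot supply a matching value.
    if not hmac.compare_digest(submitted, expected):
        return 403, "bad csrf token"
    del sessions[session_id]
    return 200, "logged out"
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer on top of the token.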
I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts. In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.
One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk. Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally. I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites. In particular, the ability to use these programs with both mobile and desktop devices is important – non-synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.
I did take this opportunity, however, to look at one of LastPass’ main competitors, Dashlane, and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non-technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.
To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes. However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion. Password managers are still a great security solution.
A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files safely. My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs. For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.
I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.
It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection. So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
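To make the report contents and the sandbox-evasion caveat above concrete, here is an added example (not code from malwr.com, Cuckoo or MalwareViz) that reduces a report to the process tree, files, registry keys and contacts a non-specialist needs, and that refuses to call a quiet run "clean". The report layout (`behavior.processes`, `behavior.summary`, `network`) is an assumption about the Cuckoo JSON format, and both reports are constructed samples.

```python
import json

# Constructed sample in an assumed Cuckoo-style report.json layout; not a real report.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [{"process_name": "sample.exe", "process_id": 1234, "parent_id": 1000},
                      {"process_name": "cmd.exe", "process_id": 1300, "parent_id": 1234}],
        "summary": {"files": ["C:\\Users\\user\\AppData\\Roaming\\svc.exe"],
                    "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"]},
    },
    "network": {"hosts": ["198.51.100.10"],
                "domains": [{"domain": "example.invalid", "ip": "198.51.100.10"}]},
})

# Constructed sample of a run that did almost nothing: one process, no files,
# keys or network. A sandbox-aware sample that bails out looks just like this.
QUIET_REPORT = json.dumps({
    "behavior": {"processes": [{"process_name": "sample.exe", "process_id": 1234, "parent_id": 1000}],
                 "summary": {"files": [], "keys": []}},
    "network": {"hosts": [], "domains": []},
})

def summarize(report_json):
    """Reduce a report to the parts worth drawing for a non-security audience."""
    r = json.loads(report_json)
    behavior = r.get("behavior", {})
    procs = behavior.get("processes", [])
    summary = behavior.get("summary", {})
    net = r.get("network", {})
    by_pid = {p["process_id"]: p["process_name"] for p in procs}
    # Parent -> child edges: the spawned-process picture a diagram is built from.
    tree = [(by_pid.get(p["parent_id"], "<outside sample>"), p["process_name"]) for p in procs]
    return {
        "process_tree": tree,
        "files_written": list(summary.get("files", [])),
        "registry_keys": list(summary.get("keys", [])),
        "contacted": sorted(set(net.get("hosts", [])) | {d["domain"] for d in net.get("domains", [])}),
    }

def verdict(report_json):
    """'suspicious' when the run shows persistence, children or network activity;
    'inconclusive' when it barely ran. Never 'clean': a quiet sandbox run is only
    one indicator, since the sample may have detected the VM and stopped."""
    s = summarize(report_json)
    if s["files_written"] or s["registry_keys"] or s["contacted"] or len(s["process_tree"]) > 1:
        return "suspicious"
    return "inconclusive"
```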
While the “Internet of Things” has great potential, it also opens up new attack surfaces for those with nefarious intent to exploit. A good example of this was found by a security researcher last week. LIFX offers wifi controlled LED light bulbs that can be turned on and off as well as color adjusted via an iOS or Android app. In order to operate, the light bulbs must authenticate to the wireless network in the user’s home or office. The researcher found that it was possible to retrieve the wireless network password from the bulbs themselves, giving them access to the rest of the devices on the same network. LIFX has issued a patch to correct this issue, but this serves as a reminder that all of those new, whiz bang network connected devices are part of your network’s security perimeter. Many of these devices are coming from startup companies which may not have a security culture embedded in their development process. To be fair, the researcher had to do some fairly sophisticated work to pull off this hack, but as IoT devices begin to proliferate, the payback for attackers will be worth the extra effort.