Not all two factor authentication is created equal

And apparently, not all ambulances are created equal, either

Two factor authentication is an important security tool; with 2FA enabled, an attacker who gets hold of your user name and password still can’t get into your accounts.

But not all two factor authentication is created equal.

Good two factor authentication uses an app on your phone or a hardware key to provide the secret codes needed to complete the login process.

Bad two factor authentication uses SMS (text) messages to send you the login code.

Why is this bad?  Attackers have increasingly been using social engineering techniques to get mobile phone companies to switch victims’ phone numbers to phones which the attackers control.  Once this is done, the attacker with a user name and password has everything they need to drain your bank account or read your email.

What you need to do to protect yourself:

Make sure that your mobile phone account is protected by a PIN code which must be given in order to port your phone number to a new phone.  You can do this on your mobile carrier’s web site or by calling their customer service number.

Some services give you a choice as to whether to use an app on your phone or an SMS message to complete your login.  Whenever you have this choice, choose the app.

If you are using services which provide SMS only 2FA, let them know that this is not acceptable in today’s security climate.  Hearing a requirement from customers is the only way these companies will make the investment in the improved technology.

If you would like to read more about this scam and how to protect yourself and your loved ones, here is an article on the topic.  And here is an example of a recently announced data breach at Reddit which was the result of this type of attack.

While SMS based 2FA is better than no 2FA, it is time to stop using it wherever possible.


Open S3 Buckets: From Bad to Worse


Just when you thought that the whole “globally readable Amazon S3 storage buckets” thing couldn’t get any worse, it did.

According to a study by a French cybersecurity firm which looked at 100,000 Amazon S3 buckets…

  • 90% of buckets are private, and therefore not at risk of leaking data or being corrupted by attackers. Of course, that means 10% of buckets are public…
    • 58% of those public buckets (in other words, 5.8% of the total number of buckets tested) contained readable files, which might allow data leakage.
    • 20% of public buckets (or, if you prefer, 2% of the total buckets) are not write-protected.
    • Only a tiny 5% proportion of those public, write-enabled buckets (in other words, a mere 0.1% of the total) don’t contain any files.

This is pretty bad for the companies who own the 2% of buckets which are writeable – this could lead to data corruption, ransomware, etc.
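A practitioner’s version of the readable/writable check behind those numbers, as an added example (not the study’s or Amazon’s code): it takes the JSON shapes the AWS CLI returns for get-bucket-acl and for the parsed Policy string of get-bucket-policy, and sorts a bucket into private, public-readable or public-writable. The sample ACLs and policies below are constructed; a statement carrying a Condition is left for manual review rather than counted as open.

```python
import fnmatch

# Group URIs that make an ACL grant world- or any-AWS-account-accessible.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_permissions(acl):
    """Permissions (READ, WRITE, FULL_CONTROL, ...) granted to the public groups."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.add(grant.get("Permission"))
    return found

def policy_anonymous_actions(policy):
    """Actions an unconditioned Allow statement grants to Principal '*'."""
    found = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if isinstance(principal, list):
            principal = "*" if "*" in principal else None
        # A Condition block narrows the grant; it needs a human look, not an automatic "open".
        if stmt.get("Effect") != "Allow" or principal != "*" or stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        found.update([actions] if isinstance(actions, str) else actions)
    return found

def _matches(actions, wanted):
    # Policy actions may be wildcards such as "s3:*" or "s3:Get*".
    return any(fnmatch.fnmatch(wanted, pattern) for pattern in actions)

def classify_bucket(acl, policy):
    """Collapse ACL grants and policy statements into the study's three categories."""
    perms = acl_public_permissions(acl)
    actions = policy_anonymous_actions(policy)
    readable = bool(perms & {"READ", "FULL_CONTROL"}) or _matches(actions, "s3:GetObject")
    writable = bool(perms & {"WRITE", "FULL_CONTROL"}) or _matches(actions, "s3:PutObject")
    if writable:
        return "public-writable"
    return "public-readable" if readable else "private"

# Constructed sample inputs in the shape of get-bucket-acl / get-bucket-policy output (not real buckets).
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
WORLD_READ_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
ANON_PUT_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
                                  "Resource": "arn:aws:s3:::example-bucket/*"}]}
IP_FENCED_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::example-bucket/*",
                                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

if __name__ == "__main__":
    for name, acl, pol in [("owner-only", OWNER_ONLY_ACL, {}), ("world-read", WORLD_READ_ACL, {}),
                           ("anon-put", OWNER_ONLY_ACL, ANON_PUT_POLICY), ("ip-fenced", OWNER_ONLY_ACL, IP_FENCED_POLICY)]:
        print(f"{name}: {classify_bucket(acl, pol)}")
```

Run it across every bucket in an account and the "2% writable" figure becomes a list of bucket names to fix.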

The cloud is a great way to increase efficiency and integrate best of breed solutions into your business, but it requires that administrators be trained for the specific challenges of security in cloud computing.  The information is out there – for example, Amazon has a page chock full of security advice.

Businesses should consider getting their employees trained and certified in the ways of the cloud either via vendor neutral certifications or, if you have chosen your cloud platform, via vendor specific certifications like Amazon’s and Microsoft’s.

The people who are plunging in to the cloud and messing up are making it harder for the rest of us who see the cloud as the future to sell its security to management – let’s get our acts together people!


The (not paranoid enough) Android


The train wreck that is Android security continues…

A new strain of malware found in China by security firm Wandera has the following charming characteristics, according to a recent blog post:


  • Zero-day threat previously unknown within the mobile security community
  • Group of at least 50 functioning apps containing the sophisticated RedDrop malware
  • Apps are distributed from a complex network of 4,000+ domains registered to the same underground group
  • Once the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious functionality
  • When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected
  • These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more
  • RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes

This is frightening stuff as it turns the victim’s phone into a bug, compromising phone calls made on the device as well as conversations in the vicinity.

As usual, the key problem here is that the app follows the rules and asks the user to approve a (long) list of permissions which are then used to compromise the device.  Many users don’t bother to read/think about these permission prompts, leading them to basically invite the malware authors to take over their device.

Security pros need to make their users aware of the need to read and think about security prompts EXTRA carefully on their Android devices.


Beware of mobile number port out scams!


I spend a lot of time telling people to use two factor authentication on their important web accounts.  This may explain why I don’t get invited to parties.

While using 2FA is a great idea, there is one issue which you (and your employees) should be aware of.

If your 2FA solution relies on text messages to deliver its one time passcodes, it may be vulnerable to “mobile number port out” scams.  This article from the always informative Brian Krebs explains the mechanics of this.

The solution?  If a site offers the choice between using text messages and an authenticator app, choose the app.  If you have to use text based authentication, make sure that your mobile phone account is protected from porting using a PIN or password.



The ultimate outsider threat?

Not so fast there, Alf…

I know I have been blathering on about insider threats lately, so let’s go to the other extreme – the ultimate outsider threat.

A pair of researchers have given some thought to the possibility of aliens hacking us (us being Earth) via interstellar messages.

From their paper:

Our main argument is that a message from ETI cannot be decontaminated with certainty. For anything more complex than easily printable images or plain text, the technical risks are impossible to assess beforehand. We may only choose to destroy such a message, or take the risk. The risk for humanity may be small, but not zero. The probability of encountering malicious ETI first might be very low. Perhaps it is much more likely to receive a message from positive ETI. Also, the potential benefits from joining a galactic network might be considerable.

If the aliens have the ability to create Flash content, we are doomed.


Insiders on the outside

Homeland Security Magazine has a very interesting case study on an insider threat case involving DirecTV.  In this case, the insider was a sort-of third order insider, as they worked for the document management contractor of DirecTV’s law firm.

A few lessons for us infosec professionals from this:

First:  The definition of insiders expands as businesses continue to outsource functions which used to be done in house.

Second: Vendor Risk Management programs need to pay special attention to law firms.  These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.

Third:  Trust no one.


Outsourced security program failure leads to $100K regulatory fine


Another reminder of the importance of managing third party vendor relationships…

The Commodity Futures Trading Commission fined AMP Global Clearing (an electronic trading firm) $100,000 for a disclosure of 97,000 files containing customer information to an unauthorized third party due to a misconfigured network attached storage device.

AMP had outsourced parts of its information systems security program to a third party provider who had failed to detect the exposed data during three successive vulnerability audits of AMP’s systems.

Outsourcing can be a really effective tool for augmenting a firm’s infosec program, but business leaders and CSOs need to remember that the ultimate responsibility for protection of corporate and customer data still remains with them.  However, when the firm is a regulated entity, the risks of relying on an outsider to perform critical parts of the infosec program without adequate supervision outweigh the (admittedly attractive) cost savings.

Monitoring third party service provider performance is a hard problem.  Most firms don’t have the resources to perform in person audits and most providers don’t have the ability to allow every customer to audit them.  This is why external independent audits of third party providers’ security practices are so important.  These audits need to be performed against generally accepted security standards with objective audit criteria.  ISO27001 and SSAE18 SOC2 are two examples of such audit types.

Even if a business partner gets a clean bill of health from an independent auditor, their performance must be monitored by the line of business who engaged them as well as by the infosec department.  Recently, I have been seeing more and more inquiries from my firm’s customers coming between their annual due diligence reviews of our services.   Most of these inquiries occur when there is a “celebrity vulnerability” like Spectre/Meltdown – what I am hoping to see in the future are more questions confirming “security 101” procedures and practices.

The advent of security ratings firms like Security Scorecard and Bitsight can also be helpful in this area.  While their security ratings cover specific aspects of a vendor’s security program (practices that can be seen from the Internet), they can provide an ongoing data point to be used to detect potential problems in between those annual security reviews.  I believe that this industry is in its early stages and that the results that they provide must be examined carefully against the specific requirements of your security program.

As companies outsource infrastructure, applications and services to third parties in order to concentrate on their core competencies, the importance of third party vendor management is going to continue to grow.


Leaky buckets and acquisition best practices


There are three interesting things for CSOs to think about in this story on a leak of passport and other personal information on tens of thousands of people:

  1. If you are going to use Infrastructure as a Service providers like Amazon, make sure that the people using them take the time to learn about and use the security features.  Amazon provides the means to store data securely and has a wealth of documentation on security best practices.  Having a breach due to an improperly configured S3 bucket is amateur hour, folks.
  2. When acquiring new companies, especially small ones, security due diligence needs to be job one.  Finding out where sensitive information is stored and how it is protected is a must.
  3. Know your third parties (and those of your acquisitions) – FedEx blamed the breach on an unnamed third party.  Remember – you can outsource the function, but you cannot outsource responsibility for security.  When doing an acquisition, look at the list of every vendor that the target company pays and figure out which ones might be holding data.

I have been through the acquisition process a few times in the past ten years – identifying show stopper issues during due diligence is important, but it is vital to keep the process going after the deal is done.  The more you dig into the security of the acquired firm, the more “interesting” security issues you will find.


Two factor authentication on web apps should be the default


tl;dr – If you are using Microsoft Office 365 (or any other hosted email solution) and have not enabled two factor authentication, you are bad and you should feel bad

Microsoft and other cloud vendors really need to make two factor authentication the default for their email and other business critical cloud applications.  You should have to make an active decision to turn off 2FA and be forced to watch a video about companies who were hacked as a result of lack of 2FA in order to make the decision stick.

I spent too much time today dealing with two business partners (one small and the other large) from whom my users received multiple emails containing PDF phishing documents.  These emails were hard for users to recognize as bad –  they came from a real email account of a real person at a real firm that they had done business with.

What had happened is that our partners were using hosted email and had not enabled two factor authentication.  A user at each got phished and the attacker in each case took control of their email to send the evil documents to all of their contacts.

Fortunately for us, our protections worked – user awareness training and multiple layers of web and email filtering alerted us to the problem and none of our users fell into the trap laid by the attacker.

It could have been much worse.  A more sophisticated attacker could have utilized the identities of the email senders in a more sophisticated way, such as to redirect payments on invoices or to get our users to disclose confidential information.  Or who knows what.

That being said, it still is pretty bad – any information we sent to those email accounts in the past is now in the hands of who knows who. We are reviewing the traffic to the hacked accounts to determine what could have been exposed.  While it seems that these guys were not after intellectual property, we will never know where that information ends up.

The decision on the part of these two partners to not have 2FA has real costs for my firm – users had to be notified, all emails sent to those partners need to be reviewed for sensitive information and an incident report written.

For now, I am pulling all of our email logs to determine which of our vendors are using various hosted email platforms and sending them a note inquiring as to whether they use 2FA.   If not, we are going to have some serious talks with them about their security posture.  We’re also going to start monitoring for partners who move from on-prem to hosted email.
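The log review described above, as an added example that is not part of the original post: it reads inbound-gateway log lines, maps each partner’s sender domain to the platform its mail arrived through (by the relay hostname), and diffs that against a saved baseline so a partner moving from on-prem to hosted email shows up. The log format, the relay-suffix table and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Relay hostname suffixes that identify the big hosted platforms (constructed table; extend it
# with whatever relays your own gateway logs actually show).
HOSTED_PLATFORMS = {
    ".outbound.protection.outlook.com": "Microsoft 365",
    ".google.com": "Google Workspace",
}

# Constructed gateway log format: "<timestamp> from=<addr> relay=<host>[<ip>] status=<...>"
LOG_RE = re.compile(r"from=<(?P<sender>[^>]+)> relay=(?P<relay>[\w.-]+)\[")

def platform_for_relay(relay):
    for suffix, platform in HOSTED_PLATFORMS.items():
        if relay.lower().endswith(suffix):
            return platform
    return "on-prem/other"

def sender_platforms(log_lines):
    """Map each sender domain to the set of platforms its mail arrived through."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        domain = m.group("sender").rsplit("@", 1)[-1].lower()
        seen[domain].add(platform_for_relay(m.group("relay")))
    return dict(seen)

def platform_changes(baseline, current):
    """Domains whose delivery platform differs from the baseline (new domains count as changes)."""
    changes = {}
    for domain, platforms in current.items():
        before = baseline.get(domain, set())
        if platforms != before:
            changes[domain] = (before, platforms)
    return changes

SAMPLE_LOG = [  # constructed, not real traffic
    "2018-03-01T09:12:44 from=<ap@bigpartner.example> relay=mail-eop-123.outbound.protection.outlook.com[192.0.2.10] status=accepted",
    "2018-03-01T09:15:02 from=<sales@smallpartner.example> relay=mail-abc.google.com[198.51.100.7] status=accepted",
    "2018-03-01T10:01:13 from=<legal@lawfirm.example> relay=mx1.lawfirm.example[203.0.113.5] status=accepted",
    "2018-03-01T10:01:14 gateway restart, no message fields in this line",
]
# Constructed baseline from the previous review cycle.
PREVIOUS_REVIEW = {"bigpartner.example": {"Microsoft 365"}, "smallpartner.example": {"on-prem/other"},
                   "lawfirm.example": {"on-prem/other"}}

if __name__ == "__main__":
    now = sender_platforms(SAMPLE_LOG)
    for domain, (before, after) in platform_changes(PREVIOUS_REVIEW, now).items():
        print(f"{domain}: {sorted(before)} -> {sorted(after)}  (send the 2FA questionnaire)")
```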

This type of attack is happening way too often and opens up companies who never signed up for these hosted services to risk which just should not be there.

Off to look at emails…


Response to Russian government cyber attacks – a lost opportunity?

Where is James Bond when you need him?

Russia’s apparent interference in the United States’ Presidential election marks an escalation in the targeting of state sponsored cyber attacks.  What the US does in response to this strike against the very basis of our (somewhat) fair and free elections process really matters.

Letting Russia achieve its goals without any response is problematic, as it would encourage them and other state and non state actors to continue to target the US without fear of retribution.  If you believe (as I do) that cyber operations will play a significant role in 21st century conflicts, doing nothing is clearly not an acceptable response. 

So, if the US were to respond, what is a proportionate response?  As imperfect as our electoral system is, interference in Putin’s sham elections in which there is no opposition with a snowball’s chance in hell of winning, is clearly a non starter.  A limited attack on critical infrastructure (shutting down the electric system in Novosibirsk) sounds good at first, but would seem to violate the laws of war about collective punishment and targeting civilians. There is also a risk that mounting such an attack would tip off Ivan to methods and sources, and make it harder to use such weapons in war time.  An attack on a manufacturing control system aimed at shutting down production or damaging machinery might be more appropriate as a demonstration of both capabilities and intent.  

So, if the US were to take out Vodka Distillery No. 6, should we take public credit or would a private note government to government be enough to deter future attacks?  It seems to me that taking public responsibility for such an attack is important if we want to deter Russia and other state and non state actors in the future.  

Of course, all of this seems to be academic as the next administration clearly benefited from this attack and seems to include many with close ties to Russia and Putin.  Even if the Obama administration could plan, mount, and execute a response it is unclear whether the new administration would pursue a policy of continuing response over the next four years. Without threats of future retaliation for new cyber attacks, a response now would be a one time gesture of revenge. 

Getting political here for a minute, it seems to me that a President who does not pursue a program of responding to serious attacks by a nation state on our homeland would, at the very least, not be doing their job and at worst, be acting as an agent of a foreign state. Time will tell what President Trump will do, but you will have to pardon me if my expectations are low.

In the coming days, the Obama administration should make every effort to collate and make public all the evidence of the Russian government’s role in this affair.  Then, it is up to us as a people to demand a proportional response from our elected officials.
