Malicious data leaks and corporate liability – a tale of two countries

UKWaterCrisis had a link to a very interesting article about corporate liability for an employee’s malicious leaking of employee information. What was most striking to me was the contrast between cases in the UK and the US.

In the UK, a disgruntled employee leaked payroll data for 100,000 employees of a very large supermarket chain to newspapers in order to embarrass the firm after they were disciplined for bad behavior. The courts found that employees have the right to sue the supermarket chain for damages as they were “vicariously responsible” for the acts of their employee.

In contrast, a similar case in the US against Coca Cola had a very different outcome. A Coca Cola employee sold laptops which they were tasked with destroying and these laptops contained personal information of employees. Employees sued, but the courts dismissed all of their claims, saying that Coca Cola could not have known about the rogue employee’s activities.

This case has a few lessons for infosec professionals:

First, if your firm operates in multiple jurisdictions, the laws and norms in these jurisdictions can be very different.  When judging risk and formulating policy, work with your legal departments to make sure you understand these differences.

Second, I feel that this case also shows the differences in attitudes to personal information in the US and the rest of the world.  It seems like the US does not value individual privacy nearly as much as other countries. Again, if you operate in multiple jurisdictions, you need to keep this in mind.

As the stakes get higher for organizations (for example $20M or 4% of global revenues for each breach of the EU GDPR), these are things we need to worry about.  Buy your general counsel a beer and talk it out before you have to deal with a lawsuit.


No, you don’t need to close your LastPass account…

Your passwords…

Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user could then enter their user name, master password and two factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.

Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
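To make the “forced logout” concrete, here is an added example (not LastPass’ code, and not from the talk) that models a logout endpoint in two forms: one that ends the session on any request carrying the session cookie, and one that requires a POST, a same-origin Origin/Referer header and a per-session CSRF token. The site origin, session store and request objects are constructed for the example; the forged request is the one a browser would send when a third-party page embeds the logout URL, because the browser attaches the session cookie automatically.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the password manager's web origin (assumption).
SITE_ORIGIN = "https://vault.example"

# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session plus a random CSRF token bound to it; return the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def is_logged_in(sid: str) -> bool:
    return sid in SESSIONS


def logout_weak(req: Request) -> int:
    """Logout endpoint with the weakness described in the post: any request that
    carries the session cookie ends the session, so an <img> tag or auto-submitted
    form on an unrelated page is enough to log the victim out."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401
    del SESSIONS[sid]
    return 200


def same_origin(req: Request) -> bool:
    """True only if Origin (or, failing that, Referer) names our own origin exactly."""
    value = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def logout_hardened(req: Request) -> int:
    """Logout endpoint that treats logout as a state change: POST only, same-origin
    header required, and a CSRF token that must match the one stored in the session."""
    sid = req.cookies.get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405  # state changes never ride on GET
    if not same_origin(req):
        return 403  # cross-site or header-less request
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # token missing, or belongs to a different session
    del SESSIONS[sid]
    return 200


def session_survives_forged_request(handler) -> bool:
    """Log a user in, replay the cross-site GET that an attacker-controlled page
    would cause the browser to send, and report whether the session is still alive."""
    sid = login("alice")
    forged = Request(
        method="GET",
        cookies={"session": sid},  # browser attaches cookies regardless of the page's origin
        headers={"Referer": "https://phish.example/fake-login"},  # constructed attacker origin
    )
    handler(forged)
    return is_logged_in(sid)


def genuine_logout_works() -> bool:
    """A real logout submitted from the site's own page still succeeds on the hardened endpoint."""
    sid = login("bob")
    req = Request(
        method="POST",
        cookies={"session": sid},
        form={"csrf_token": SESSIONS[sid]["csrf"]},
        headers={"Origin": SITE_ORIGIN},
    )
    return logout_hardened(req) == 200 and not is_logged_in(sid)


if __name__ == "__main__":
    print("weak endpoint, session survives forged request:", session_survives_forged_request(logout_weak))
    print("hardened endpoint, session survives forged request:", session_survives_forged_request(logout_hardened))
    print("hardened endpoint accepts genuine logout:", genuine_logout_works())
```

In a real deployment the same three checks would be complemented by setting the session cookie with the `SameSite` attribute, so the browser itself stops sending it on cross-site requests; the endpoint-side checks above remain useful for older browsers and as defence in depth.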

I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts.  In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.

One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk.  Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally.  I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites.  In particular, the ability to use these programs with both mobile and desktop devices is important – non synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.

I did take this opportunity, however, to look at LastPass’ main competitor, Dashlane, and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.

To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes.   However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion.  Password managers are still a great security solution.



In DPRK, Linux Watches You

He might actually be looking at something here…

A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.

The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.

Watch here…



attackers are doing their homework – are you?

Some spear phishing wisdom from Security BSides SFO today…

Rohyt Belani of PhishMe told an interesting story highlighting just how much research attackers do when choosing their targets and crafting spear phishing payloads. In an attack on an energy company, employees received an email appearing to be from the company’s HR department offering information on discounted health care premiums for employees with more than 3 children. The only employees to receive the message? The two people at the company with 4 or more children.

This raises two issues for InfoSec professionals…

First, the attackers are doing their homework, people. They are taking the time to craft their social engineering payloads in ways that target very specific targets. This means (IMHO) that they are extremely motivated – most probably by money or ideology.

Second, our coworkers are helping the attackers with their targeting by sharing all sorts of personal information via social networking platforms. We need to educate them about:

+ The fact that their social media profiles are visible not only to friends and family, but also bad guys who will use that information to craft their attacks. The “familiarity cues” which we tend to use to determine whether a message or request is from a friend or a foe just don’t work anymore.

+ Their ability to control who sees their social networking information by using the privacy features offered by Facebook, LinkedIn, and to a lesser extent, Twitter. They need to think about what they are posting and who will see it – not only to protect the company, but to protect the privacy of themselves and their families.

While we put all sorts of technical solutions in place to protect our systems and information from malware, our users are the front line defense against the most serious threats we face. Educating them to be aware of how their actions both inside and outside the office affect the organization’s security is one of the most important tasks we face as InfoSec professionals.


it’s not always nice to share

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare. Some researchers in Belgium did some poking around on these sites and the results are yet another demonstration that security through obscurity just doesn’t cut it.


location based validation of card transactions and more?

Should I validate that transaction?

An interesting idea from Visa (of credit card fame) over in Europe… using card members’ mobile phones as location based tokens to verify credit card transactions and ATM withdrawals. The thinking is that if your mobile phone is in the same location as where a purchase or ATM withdrawal is being made, it is more likely that you too are present and that the transaction is valid.

On the pro side:

Using this as one of multiple factors to validate a transaction seems like a good idea… people tend to keep track of their mobile phones and keep them close and adding a token (something you have in addition to the credit card itself) without requiring the user to do anything provides an extra layer of security without adding inconvenience.

This would be particularly handy for those of us who travel a lot – I usually find my card shut down due to a fraud alert at least once per international trip (even if I provide the card issuer with an itinerary in advance).

On the con side…

Some people may see privacy issues with this… The card issuer already knows where you are based on the transaction data and the phone location information does not really add much to the information being disclosed. However, this assumes that the only time that the issuer avails themselves of the location data from the phone is when a transaction is made. I could conceive of situations where the issuer could use the location data for other reasons – for example, detecting that you are at the mall and offering an incentive to use their card rather than the other cards in your wallet.

This model breaks down if a thief gets hold of my mobile AND my credit card or if I forget to take my phone with me.   However, if the phone location is used as one of multiple validation criteria, the system should be able to handle these edge cases.

The verdict:

I think that this could be a good idea IF protections could be put in place to limit the use of phone location data by card issuers to validation of transactions. I could also foresee this as a tool that could be used by enterprises as an additional authentication factor for remote access to systems and networks. If the carriers could provide an API which would allow geolocation of corporate phones and that information could be cross referenced with IP geolocation, we could get alerts or block access when the locations don’t match… this has potential, but the proverbial jury is still out.
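As an added illustration of “phone location as one of multiple validation criteria” (my own example, not Visa’s scheme or any issuer’s actual rules), the script below scores a card transaction by combining the distance between the terminal and the phone’s last reported position with the fix’s age, the amount, the transaction type and a simple velocity check. The thresholds, the scoring weights and the sample transactions are all assumptions constructed for the example; the point is that the two edge cases from the post (phone left at home, phone and card stolen together) end up as a step-up challenge rather than a blanket denial or a blind approval, because the other signals still carry weight.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
COLOCATED_KM = 5.0        # phone and terminal within the same neighbourhood (assumed)
FAR_KM = 100.0            # clearly a different city (assumed)
MAX_FIX_AGE_S = 15 * 60   # phone fixes older than this count as stale (assumed)

# Decision thresholds on the risk score (assumed values, not any issuer's).
STEP_UP_AT = 30
DENY_AT = 60


@dataclass
class PhoneFix:
    lat: float
    lon: float
    time: int          # epoch seconds when the carrier reported the position


@dataclass
class Transaction:
    lat: float         # merchant or ATM location
    lon: float
    time: int          # epoch seconds
    amount: float
    kind: str          # "pos" (purchase) or "atm" (cash withdrawal)
    recent_count: int  # other transactions on this card in the previous hour


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(tx: Transaction, phone: Optional[PhoneFix]):
    """Return (decision, score, reasons). The phone is one signal among several:
    its absence or distance raises risk but never decides on its own."""
    score = 0
    reasons = []
    if phone is None:
        score += 40
        reasons.append("no phone location available")
    elif tx.time - phone.time > MAX_FIX_AGE_S:
        score += 30
        reasons.append("phone fix is stale")
    else:
        d = haversine_km(tx.lat, tx.lon, phone.lat, phone.lon)
        if d <= COLOCATED_KM:
            score -= 20
            reasons.append(f"phone co-located with terminal ({d:.1f} km)")
        elif d >= FAR_KM:
            score += 50
            reasons.append(f"phone far from terminal ({d:.0f} km)")
        else:
            score += 20
            reasons.append(f"phone in the region but not at the terminal ({d:.0f} km)")
    if tx.amount >= 1000:
        score += 20
        reasons.append("high amount")
    if tx.kind == "atm":
        score += 10
        reasons.append("cash withdrawal")
    if tx.recent_count >= 3:
        score += 40
        reasons.append("burst of transactions in the last hour")
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"   # e.g. SMS/app confirmation before approval
    else:
        decision = "allow"
    return decision, score, reasons


def scenarios() -> dict:
    """Constructed sample cases; returns scenario name -> decision."""
    T = 1_700_000_000
    london = (51.5074, -0.1278)
    london_nearby = (51.5155, -0.1419)   # about 1.3 km from `london`
    paris = (48.8566, 2.3522)            # about 343 km from `london`
    fresh = PhoneFix(*london_nearby, T - 60)
    stale = PhoneFix(*london_nearby, T - 3600)
    in_london = PhoneFix(*london, T - 60)
    cases = {
        "colocated_small_purchase": (Transaction(*london, T, 45.0, "pos", 0), fresh),
        "phone_left_at_home": (Transaction(*london, T, 300.0, "atm", 0), None),
        "card_in_paris_phone_in_london": (Transaction(*paris, T, 500.0, "atm", 0), in_london),
        "phone_and_card_stolen_together": (Transaction(*london, T, 2000.0, "atm", 4), fresh),
        "stale_phone_fix": (Transaction(*london, T, 45.0, "pos", 0), stale),
    }
    return {name: assess(tx, fix)[0] for name, (tx, fix) in cases.items()}


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32s} -> {decision}")
```

The stolen-together case is caught only because the velocity signal fires; without it the co-located phone would have pushed the score into “allow”, which is exactly why the phone should never be the sole criterion.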

Read more at Fast Company…


this conversation may be recorded, just cause i wanna…

From the US Federal Courts (via ThreatLevel)… it turns out that recording a conversation on your iPhone (and I assume any other device capable of making such recordings) with the permission of the other person you are recording is not a violation of the Wiretap Act unless you plan to use the recording for “nefarious purposes.” (The court did not weigh in on whether secretly recording your conversation makes you obnoxious, however). Now, in order to do this legally, you must be one of the participants in the conversation, triggering the “one party permission” exception to the law. One of the interesting (and somewhat unsettling) statements made in the opinion was that a person having a conversation with another person in their own kitchen did not have a “reasonable expectation of privacy.” It was also noted that one does not need to have been invited to participate in the conversation being recorded to be considered a participant allowed to record.

Recording conversations is getting easier and easier as more of our devices include the hardware, software and storage needed. Products such as LiveScribe’s Echo Smartpen and iPad apps such as Audiotorium add a productivity bonus, allowing recordings to be quickly tied to written notes. This decision seems to remove the last legal barrier to people unilaterally recording their conversations for later reference – or to make sure that the person they are talking to cannot claim they said something different or was misunderstood later.

My takeaways from this:

I think we are going to see a lot more personal use of recording devices in the coming years… storage is cheap and the ability to index and search recordings is only going to get better. The idea of having a permanent record of your normal daily interactions for later review will become more mainstream. While this has some advantages (“You did so promise to have my home renovations done in 30 days, shady contractor… and here you are saying it”), it also has the potential to change the dynamics of conversations. Will this make us more careful in choosing our words? (Probably not, but it will make it more entertaining to trip people up with their own words. I hope my wife is not reading this…)

Forensic techniques to prove that a voice on a recording belongs to a specific person already exist; they will become more of an issue (and profit center) as more recordings are used in civil cases. I wonder if geotagging of recordings will also play a role here… if you checked in to FourSquare at the same time and place as my recording of a conversation with you, does this make the conversation more attributable to you?

This seems to present a dilemma for corporate security professionals. Recording conversations can be a great memory aid and productivity enhancer; however, how can we know that those same recordings (probably on devices not owned by the organization) will be stored and handled securely? There is also the question of the effect of such recordings on corporate culture – will people be willing to share ideas and opinions freely knowing that their words may be recorded for posterity? It seems to me that organizations need to make a conscious decision as to whether to allow recordings of meetings and conversations to be made on their premises – and if the answer is “no,” to make the policy known to employees and visitors.
