Two factor authentication on web apps should be the default

zoidberg

tl;dr – If you are using Microsoft Office 365 (or any other hosted email solution) and have not enabled two factor authentication, you are bad and you should feel bad

Microsoft and other cloud vendors really need to make two factor authentication the default for their email and other business critical cloud applications.  You should have to make an active decision to turn off 2FA and be forced to watch a video about companies who were hacked as a result of lack of 2FA in order to make the decision stick.

I spent too much time today dealing with two business partners (one small and the other large) from whom my users received multiple emails containing PDF phishing documents.  These emails were hard for users to recognize as bad –  they came from a real email account of a real person at a real firm that they had done business with.

What had happened is that our partners were using hosted email and had not enabled two factor authentication.  A user at each got phished and the attacker in each case took control of their email to send the evil documents to all of their contacts.

Fortunately for us, our protections worked – user awareness training and multiple layers of web and email filtering alerted us to the problem and none of our users fell into the trap lain by the attacker.

It could have been much worse.  A more sophisticated attacker could have utilized the identities of the email senders in a more sophisticated way, such as to redirect payments on invoices or to get our users to disclose confidential information.  Or who knows what.

That being said, it still is pretty bad – any information we sent to those email accounts in the past is now in the hands of who knows who. We are reviewing the traffic to the hacked accounts to  determine what could have been exposed.  While it seems that these guys were not after intellectual property, we will never know where that information ends up.

The decision on the part of these two partners to not have 2FA has real costs for my firm – users had to be notified, all emails sent to those partners need to be reviewed for sensitive information and an incident report written.

For now, I am pulling all of our email logs to determine which of our vendors are using various hosted email platforms and sending them a note inquiring as to whether they use 2FA.   If not, we are going to have some serious talks with them about their security posture.  We’re also going to start monitoring for partners who move from on-prem to hosted email.

This type of attack is happening way too often and opens up companies who never signed up for these hosted services to risk which just should not be there.

Off to look at emails…

Two factor authentication on web apps should be the default

The other big hack of 2016?

hacker
Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision.  They could choose victims to concentrate their effects on for maximum profit.  Real world attackers could also use this information to plan crimes such as burglaries or kidnappings.  Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but of it is genuine, it most probably came from a private company aggregating it for marketing use.  If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection.  If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.

Stay tuned.

The other big hack of 2016?

In DPRK, Linux Watches You

He might actually be looking at something here…

A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression.  Case in point – the DPRK’s Red Star Linux distribution.  In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines.  One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data.  The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.

The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.

Watch here…

 

In DPRK, Linux Watches You

your passcode can take the fifth, but not your finger

VA court gives tech savvy criminals the finger

Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge while a fingerprint is a form of physical evidence.  While this seemingly nonsensical decision is not binding on other courts, it can be used as precedent in future cases.  I guess the moral of the story is that you should disable TouchID on your iPhone before embarking on your life of mobile phone assisted crime.  Alternatively, you could reboot your iPhone as John Q Law closes in, since TouchID will not work until you have entered your passcode after a reboot.

your passcode can take the fifth, but not your finger

hacking wifi via lightbulbs?

While the “Internet of Things” has great potential, it also opens up new attack surfaces for those with nefarious intent to exploit.  A good example of this was found by a security researcher last week.  LIFX offers wifi controlled LED light bulbs that can be turned on an off as well as color adjusted via an iOS or Android app.  In order to operate, the light bulbs must authenticate to the wireless network in the user’s home or office.  The researcher found that it was possible to retrieve the wireless network password from the bulbs themselves, giving them access to the rest of the devices on the same network.  LIFX has issued a patch to correct this issue, but this serves as a reminder that all of those new, whiz bang network connected devices are part of your network’s security perimeter.   Many of these devices are coming from startup companies which may not have a security culture embedded in their development process.   To be fair, the researcher had to do some fairly sophisticated to pull off this hack, but as IoT devices begin to proliferate, the payback for attackers will be worth the extra effort.

hacking wifi via lightbulbs?

so… about that hedge fund hacking story…

 

BAE Systems Spokeman

An update on the “hedge fund hacking” story from a couple of weeks ago… it appears that this attack (in which it was alleged that hackers penetrated hedge fund trading , delayed HFT orders and sent order information to servers in eastern Europe) did not actually happen. Apparently, this scenario was used internally at BAE Systems as a “what if” during table top exercises. For some reason, a BAE employee described this scenario to a reporter as if it was an actual incident. This is a real black eye for BAE (which probably explains why they waited for the holiday weekend to announce this).

More information:
http://www.cnbc.com/id/101807792

I still think that the kind of attack described in this scenario is bound to happen in the future as organized crime figures out that the capital markets provide much more profit potential than stealing credit card info – but there is no confirmed case of such an attack happening so far.

so… about that hedge fund hacking story…

apple security fail leaves email attachments unprotected

One of the nice things about Apple’s iOS platform is the “hardware level encryption” that protects “all of the information on the device.”  At least, that used to be the case.

Starting in iOS 7,  email attachments stored on iPhones, iPads, and iPod Touches (remember those?) are not stored in encrypted form.  A security researcher recently announced that he was able to retrieve plaintext attachments from encrypted iPhones using standard forensic tools.  Apple never corrected its previous statements indicating that all data in iOS was “protected by hardware encryption,” so millions of personal and business users have been working under a false assumption of security for a couple of months now.

When the researcher reported the issue to Apple, he was told that they were aware of it but had no date for a fix.

This is why I continue to recommend that corporate users stick with containerized solutions for their iOS and Android mobile users.  Consumer level mobile devices are not designed with the level of security appropriate for business (especially in highly regulated industries like Finance and Health Care).  Yes, it would be nice to use the native apps on personal devices to deliver corporate data from an ease of use point of view, but if your users are carrying around sensitive information in their email attachments, you have to consider the risk of an adversary extracting that information from the device relatively easily.

Apple really dropped the ball on this one.  They were not up front with their users regarding the loss of a key security feature and didn’t give them the chance to make an informed decision based on that information.   Not cool.  This incident underline’s Apple’s lack of commitment to and understanding of  the corporate market.  If they want to be a corporate player, they need to step up and accept the responsibilities that the role entails – otherwise, stop trying to do things half way, guys.

apple security fail leaves email attachments unprotected

how not to do a risk assessment

So, the risk management mavens for the City of Portland, Oregon have provided us all with an object lesson in how not to make risk based decisions.  It seems that one of the local young rowdies had the audacity to urinate into one of the reservoirs supplying the city with drinking water.  This particular reservoir contains 38 million gallons of water.   Horrified at this sullying of the public water supply, the city fathers made the obvious decision – empty and refill the reservoir.   I mean, it had pee in it!   Never mind that the uncovered reservoir contains all sorts of other contaminants (animal urine and feces, dead birds, pollutants carried by rain, etc.) as a matter of course.   Never mind that the concentration of urea caused by the wayward urinator would be around 3 parts per BILLLION – the EPA allows up to 10 parts per billion of arsenic in tap water, people.  No, because this particular infintessimal contamination made the news, 38 million gallons of water is going to be dumped.  As someone who has witnessed small children lugging jerry cans of water to their homes located miles away from the communal tap in Rwanda, this makes perfect sense to me.

It is this kind ridiculous approach to risk management that ensures that society will spend billions of dollars protecting itself from the wrong risks, and leave us vulnerable to the ones that really threaten us.

We need to get better at this, folks – science knows that people are bad at judging risk.  That’s why we need to train professionals in all fields to use evidence based methods and processes which compensate for our built in handicap in this area.  The basis of for good risk analysis is to train kids in critical thinking skills early and often throughout their education.  Maybe, they’ll be better at this stuff than we are.

 

how not to do a risk assessment

heartbleed forecast: continued heartburn

heartbleedIt seems like Heartbleed is going to be keeping  infosec people busy  for a while.

First, multiple people have succeeded in extracting the private signing keys of a website’s SSL certificate using Heartbleed.  This is not good news, since it makes it possible for attackers to set up sites with phony baloney SSL certificates which look and act like the real McCoy.    I think we’ll be seeing a lot of revoked and reissued certificates this week.  Nobody is likely to be happy about this except for CAs, who stand to profit from this debacle (although, since they had nothing to do with causing the problem, can we blame them?)

Obviously, any site which was Heartbleed vulnerable needs to get new certs toot sweet.  But what about sites which were not vulnerable?  From a technical point of view, if you never ran one of the vulnerable versions of OpenSSL, you really don’t need to buy a new certificate.  However, given the fact that Heartbleed was around for 2 years, site owners will have to think back to whether they were ever running vulnerable software in combination with their current certificates.    Hope you had good version control on your site!

And its not just web servers we need to worry about.  Other, non port 443 services like email, databases, directory services, APIs and the like also use OpenSSL to protect their communications in transit.  We may be hearing about Heartbleed attacks on these services in the coming weeks and months.

And the good news just keeps on coming – there’s a lot of client and embedded device software out there running vulnerable OpenSSL code.   At least one expert thinks that malicious servers can be set up to exploit clients and extract passwords and crypto keys from devices which connect to them.   While Apple’s OS X and iOS products are Heartbleed-free, Android version 4.1.1 (said by Google to be in use on millions of devices) is vulnerable to the bug.

Finally, I think it is safe to assume that phishers are going to make the most of Heartbleed – fake “password reset” notices will be filling our inboxes, trying to make the most of Heartbleed hysteria to steal credentials in a low tech fashion.

So, expect Heartbleed related heartburn for the foreseeable future, folks…

 

heartbleed forecast: continued heartburn

more iPhone fingerprint issues

Another attack on the iPhone 5s TouchID sensor… a German security firm has claimed to be able to use an iPhone 4s camera to grab a fingerprint image and then make that image into a fake finger mold.  It still takes a bit of effort, but one barrier to entry (hi res camera) has been removed.

In addition, the same company claims to have defeated the Activation Lock feature which cripples lost/stolen phones by:

Getting a good photo of the target’s fingerprint

Making a fake finger mold

Putting the device into airplane mode

Going to another computer and requesting a password reset on the target’s Apple ID

Unlocking the phone with the fake fingerprint

Turning airplane mode off just long enough to receive the password reset email and resetting the password on the account.

Once this is done, the attacker would have the ability to unlock the phone.  The key to this attack is getting the phone into airplane mode, which can be done from the lock screen if Siri and/or the Control Center are enabled on the Lock Screen.  I would again recommend that 5s users turn off access to Siri and Control Center from the Lock Screen.

The same webpage includes a video showing the fake fingerprint technique used successfully on another phone as well as on a Lenovo laptop.

It is starting to look like fingerprint based authentication on corporate/consumer devices is still a work in progress and CISOs in organizations with BYOD policies need to do a risk analysis to determine whether the convenience of fingerprint authentication is outweighed by the potential risks.  This is not a “one size fits all” calculation and really depends on the profile of your attackers.  For some organizations, this is easy – I would hope that a defense contractor targeted by nation states would not use fingerprint authentication.  For small businesses or consumers who are mostly concerned with device loss and non targeted theft, fingerprints may be good enough (especially if devices were not protected with passcodes in the past.  Unfortunately most businesses fall somewhere in the middle of these two cases.

PS – One small positive item I left out from my previous posts on this topic… if you power off your 5s altogether or have not authenticated to the phone for 48 hours, you will be required to enter your passcode to access the phone.

more iPhone fingerprint issues