About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

Ransomware: Don’t Get LOCKY’d Out

Locky made its debut a week ago and, by one count, hit half a million users around the globe in a single day. The numbers have climbed alarmingly since then as this latest crypto-ransomware, by all accounts the work of the same crew behind the Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if a message says it is from your bank, banks do not send email about something that needs your urgent attention with a link or an attachment. The same goes for the CRA and other major financial institutions. Locky arrives as a Word document masquerading as an invoice that needs urgent payment, or as a bank statement, and that document contains a malicious macro that launches the malware. Once it is running on a computer, it encrypts not only the local disk but every network share and removable drive that computer can reach, so one infected machine can take out the files of an entire team.
DO NOT ENABLE MACROS!
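The advice above rests on recognising a macro-bearing document before anyone opens it. The following is an added example, not code from this post or from any vendor, of how a mail gateway or a help desk script can make that call from the file's bytes instead of its extension: an Office document in the modern zip-based format carries its macros in a `vbaProject.bin` member, and the older binary format (OLE) can carry them too but needs a dedicated parser, so it is treated as suspect. The sample documents are built in memory and are not real invoices.

```python
import io
import zipfile

# Added example, not code from the post. It decides whether an e-mail attachment is the
# kind of document that can carry a macro, by looking at the bytes rather than the name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) is a zip
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> str:
    """Return one of: 'ooxml-macro', 'ooxml-clean', 'ole-legacy', 'other'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # The VBA project is stored as its own zip member; its presence is the macro tell,
        # whatever extension the sender chose.
        if any(part in names for part in VBA_PARTS):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
        return "other"
    if data.startswith(OLE_MAGIC):
        # Binary Office formats can hold macros too, but need an OLE parser (e.g. oletools'
        # olevba) to say for sure; treat them as suspect rather than clean.
        return "ole-legacy"
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold anything that could run a macro until a human looks at it."""
    return classify_attachment(data) in ("ooxml-macro", "ole-legacy")


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file (not a real invoice); a placeholder
    vbaProject.bin marks the macro-enabled variant."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_ooxml(True)),
               ("invoice.docx", build_sample_ooxml(False)),
               ("statement.doc", OLE_MAGIC + b"\x00" * 64),
               ("statement.pdf", b"%PDF-1.4\n")]
    for label, blob in samples:
        verdict = classify_attachment(blob)
        print(f"{label:15s} {verdict:12s} quarantine={should_quarantine(blob)}")
```

A file that the sender renamed to `.docx` but that still contains a VBA project is still flagged, which is the whole point of looking inside the zip rather than trusting the name.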

If you suspect you’ve been hit, time is crucial. Contact your support people immediately; we’re here for you. Disconnect the computer from the network right away (pull the cable, turn off Wi-Fi) and shut it down: every minute it stays connected is another minute it can encrypt shared files. Expect to be without your computer for some time, and expect that the network itself may have to be taken down. The encryption cannot be broken, so the only recourse is to restore from a backup that Locky could not reach. The alternative is paying the ransom, with no guarantee that you get your files back.

As detailed by researchers at Sophos’ Naked Security, Locky encrypts a wide range of file types: videos, images, PDFs, program source code and Office documents, in any directory on any mounted drive that the infected computer can access. That includes removable drives plugged in at the time and any network share the user can write to, whether on a server or on another person’s computer. That is a lot of potential damage. If the infected user happens to be logged on with administrator rights, the damage is correspondingly wider, because the malware encrypts whatever that account can reach. Locky also encrypts any Bitcoin wallet file (wallet.dat) it finds, locking victims out of the very bitcoins they might have used to pay the ransom.

Where’s My Shadow Copy Backup?

Locky then goes further and deletes the Volume Shadow Copy Service (VSS) snapshots, the “shadow copies” that Windows’ System Restore and the “Previous Versions” feature depend on. Those snapshots are not a real backup (they are point-in-time copies living on the same disk), but for many users they have quietly become one. Locky removes them, typically with a vssadmin command that deletes every shadow copy, precisely so that the victim cannot roll back to yesterday’s files.
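Deleting shadow copies is noisy, and so is a Word process launching an executable out of the user's temp folder, which is what a malicious macro's drop-and-run stage looks like. The following is an added example, not from the post or from Sophos, of detection logic run over constructed process-creation events in a Sysmon-like shape (host, user, parent image, command line; none of it is real telemetry). The vssadmin form is the one reported for Locky; the wmic form is the other common way to wipe snapshots and is included as a generalization. Listing or creating shadow copies is normal administrative work and is deliberately not flagged.

```python
import re

# Constructed process-creation events (not real telemetry): host|user|parent image|command line
SAMPLE_EVENTS = [
    "ws01|ACME\\jsmith|WINWORD.EXE|C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice_2016.exe",
    "ws01|ACME\\jsmith|invoice_2016.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "srv02|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "ws03|ACME\\mlee|cmd.exe|wmic.exe shadowcopy delete",
    "ws04|ACME\\bkup|backupagent.exe|vssadmin.exe create shadow /for=C:",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Command-line patterns for destroying snapshots. Anything that merely lists or creates
# shadow copies falls through both.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
]


def parse_event(line):
    host, user, parent, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmdline": cmdline}


def detect(events):
    """Return alerts in event order; each is {host, user, rule, cmdline}."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        hits = []
        # Rule 1: an Office application spawning a binary from the user's temp folder.
        if ev["parent"].lower() in OFFICE_PARENTS and TEMP_PATH.search(ev["cmdline"]):
            hits.append("office-spawns-temp-binary")
        # Rule 2: shadow copies being deleted, by either tool.
        for name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append(name)
        for rule in hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
```

On the sample, ws01 fires twice in quick succession (Word dropping a binary, then that binary deleting shadow copies), which is the sequence worth paging someone for; the server listing its snapshots and the backup agent creating one stay quiet.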

Steps to Stay Safer

  • Make regular backups, keep at least one copy off-site or offline where ransomware cannot reach it, and test that you can actually restore from it
  • Do not enable macros in documents that arrive by email
  • Be suspicious of attachments from unknown or untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need; Locky encrypts whatever the logged-on account can reach
  • Keep your security patches up to date
  • Have a disaster recovery plan (DRP) and a business continuity plan in place to minimize downtime

 

Apple vs the FBI: The Case for Privacy

This is about backdoors and Pandora’s boxes. It is monolithic in its implications, and everyone who is anyone right now is weighing in. Because this matters. Start by reading the letter by Tim Cook and Apple, reproduced below, defending privacy against dangerous precedents. My stance here does NOT justify the behaviour or actions of the terrorists in San Bernardino, or terrorism anywhere. This is about our privacy, and our rights. And once the decision is made, there will be no turning back.

February 16, 2016

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Tim Cook
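What the three requested changes (no auto-erase after ten failures, no escalating delays, electronic passcode entry) do to the cost of a brute-force attack is easier to see with numbers. The following is an added example, not part of the letter or of the post: a back-of-the-envelope model of the time needed to try every passcode. The per-guess cost and the lockout schedule are assumptions taken from Apple's published description of iOS passcode protection as I recall it, not figures stated on this page; the shape of the result does not depend on their exact values.

```python
# Added example: model of passcode brute-force cost on an iPhone. Every number below is
# an assumption (Apple's published description as I recall it), not a figure from the page.
PER_GUESS_MS = 80                                   # key derivation tied to the device's hardware key
LOCKOUT_SECONDS = {5: 60, 6: 300, 7: 900, 8: 900}   # delay after the 5th..8th failed guess
LOCKOUT_AFTER_NINE = 3600                           # one hour after the 9th failure and each one after
WIPE_AT = 10                                        # optional erase after the 10th failure


def keyspace(length, symbols=10):
    """Number of passcodes of a given length over an alphabet of `symbols` characters."""
    return symbols ** length


def total_lockout_seconds(attempts):
    """Sum of the enforced delays incurred by `attempts` consecutive wrong guesses."""
    secs = sum(d for a, d in LOCKOUT_SECONDS.items() if a <= attempts)
    if attempts >= 9:
        secs += (attempts - 8) * LOCKOUT_AFTER_NINE
    return secs


def exhaust_seconds(space, *, escalating_delays=True, auto_wipe=True):
    """Worst-case seconds to try every passcode in `space`.

    Returns None when auto-erase makes exhaustive search impossible, which is the point
    of that setting: the attacker gets nine mistakes, not millions.
    """
    if auto_wipe and space >= WIPE_AT:
        return None
    secs = space * PER_GUESS_MS / 1000
    if escalating_delays:
        secs += total_lockout_seconds(space)
    return secs


def describe(space):
    """The device as shipped, with only the wipe removed, and with everything removed."""
    return {
        "as_shipped": exhaust_seconds(space),
        "delays_only": exhaust_seconds(space, auto_wipe=False),
        "stripped": exhaust_seconds(space, escalating_delays=False, auto_wipe=False),
    }


if __name__ == "__main__":
    cases = [("4 digits", keyspace(4)), ("6 digits", keyspace(6)),
             ("6 alphanumeric", keyspace(6, 62))]
    for label, space in cases:
        d = describe(space)
        shipped = "never (wipe)" if d["as_shipped"] is None else f"{d['as_shipped']:.0f} s"
        print(f"{label:15s} shipped: {shipped:>13}  delays only: {d['delays_only'] / 86400:12.1f} days"
              f"  stripped: {d['stripped'] / 3600:12.1f} hours")
```

With the delays in place a four-digit code takes over a year to exhaust even without the wipe; with both protections removed and guesses fed in electronically, the same search is a matter of minutes and a six-digit code a matter of hours, which is exactly the gap between "one phone" and a reusable tool that the letter describes.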

Watching Your Backdoor

It’s a thing. Backdoors. And no, not the fun kind with screens that keep out mosquitoes. The kind I’m going to reference here are the ones that actually let worse things in.

Backdoors in tech aren’t just the stuff of legend, or a plot device in tales of espionage. They are very real, and there is nothing secure about them. A backdoor is a deliberate, hidden way in: code or credentials that grant access to a network or application while bypassing the security controls everyone else has to pass through. What matters to me isn’t so much that foreign governments use them to spy on us, or that they serve corporate espionage. Rather, it’s the further legitimization of attacks on our privacy. How do we secure against this mindset? A backdoor is essentially a weakness built into the code on purpose, on the assumption that nobody else will ever find it. When someone does, it is exploited as readily as any other unpatched hole, and nobody on the defending side knows to look for it. Until it’s too late.

Several backdoors have been revealed over the past few months. Here’s the rundown of shame from John E Dunn’s article in Forbes:

NSA Clipper Chip, 1993

The most reviled backdoor in history, the NSA’s infamous Clipper chip, endorsed by the Clinton administration, still gets people’s backs up more than two decades on from its heyday. In 1993, encryption was new and strange. Few used it but the experts and Government spooks could, however, imagine a world in which they might. Their answer was to neuter the possibility of unbreakable security with an escrow-based system based around the Clipper chip that would cache keys. Assuming anyone had agreed to use it the NSA would have had a ready means to decrypt any content.

As Whitfield Diffie, creator of the famous Diffie-Hellman key exchange protocol observed at the time, the problem with building in backdoors is that they are deliberate weaknesses. Should a third-party find them they become less a backdoor than an open one.

Borland InterBase backdoor, 2001

This weakness in the firm’s InterBase database was essentially a secret backdoor account that allowed anyone with knowledge of it access to data. Making the serious comic, the username and password in question were ‘politically’ and ‘correct’. At the time, the assessment was that while deliberate the hole was probably put there by one or a small number of programmers as a convenience. But we’ve included it because the fact that perhaps only one person knew about it doesn’t mitigate its seriousness for the seven years until it was discovered.

Huawei v the US, 2011

The huge Chinese equipment maker spent millions trying to reform its image after being accused of building backdoors into its telecoms equipment. In 2012 a US Congressional investigation concluded that the firm (and mobile vendor ZTE) should be banned from the world’s largest market over state surveillance worries. In the UK BT had been installing Huawei equipment since 2007 so it was all too late to do much about it beyond GCHQ setting up a special unit to monitor its systems in cooperation with the company itself.

Irony of all ironies, a Snowden leak then suggested that the NSA’s Tailored Access Operations (TAO) had set up an operation to spy on Huawei to work out how far any collusion went.

The modern (i.e. post-Aurora and Stuxnet) era of backdoor scandal began here.

Cisco et al, 2013

Dragged out of Snowden’s famous cache by a German newspaper, this concerned unpublished security flaws in the networking equipment of a group of vendors, headed by Cisco but including Juniper, Samsung among others. These weren’t classic backdoors except in the sense that they allegedly offered a huge amount of surveillance control over the equipment. Very unusually, Cisco’s CSO John Stewart issued a statement denying any knowledge of the compromise.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” he stated. The fact he was even having to say this was a sign of changed times.

More recently in 2015, a backdoor compromise called SYNful Knock was discovered on Cisco equipment. Described by security firm FireEye as a Cisco router implant, already it was clear that the simple idea of intelligence engineers building in massive holes from day one of a product’s life was probably out of date. Why build them in when juicy ones could be found later on?

Juniper, 2015

Discovered just before Christmas 2015, this looked like a biggie in Juniper’s NetScreen ScreenOS from the off. The company finally admitted to suspicious researchers that the Dual_EC_DRBG encryption random number generator contained a backdoor that would allow anyone with knowledge of it to eavesdrop on secure VPN connections. This flaw might or might not have been deliberately put there by the NSA, which was the source of the RNG, but it was exploited at some point, possibly by a third-party government. A backdoor in a backdoor or just weak coding?

Fortinet, 2016

Hard-coded passwords are an absolute no-go for any system these days so it was disconcerting to discover that Fortinet appeared to have one in an SSH interface accessing its FortiOS firewall platform. Researchers looked on this as a backdoor although Fortinet strenuously denied this interpretation. In fairness, this was probably correct although the lack of transparency still bothers some.

CESG’s MIKEY-SAKKE, 2016

Was the revelation that this protocol, promoted by the UK’s CESG for end-to-end encryption in VoIP phone calls, a real backdoor or simply part of the spec? According to Dr Steven Murdoch of University College London the escrow architecture used with MIKEY-SAKKE simply has not been fully explained. Was this a way to spy on conversations without anyone knowing? According to GCHQ, that’s exactly what it was. As an enterprise product, escrow was perfectly appropriate and organisations deploying this technology needed a system of oversight.

In fairness to MIKEY-SAKKE setting up end-to-end encryption without some form of backdoor is now unthinkable for large enterprises that need control over their encryption infrastructure. Whether this compromises the system in a wider sense seems over-blown assuming the architecture has been correctly documented.
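The Juniper entry above is the one case in the list where the backdoor is mathematics rather than a hidden account, and it is worth seeing why it works. Dual_EC_DRBG publishes two curve points, P and Q; if whoever chose them knows a number d with P = d·Q, then one output of the generator is enough to compute its next internal state and therefore every bit it will emit afterwards, including the nonces and keys of a VPN session. The following is an added example, not code from the Forbes piece, from Juniper or from NIST: a toy version of the generator over a small curve. The curve y² = x³ + 2x + 3 over the Mersenne prime 2³¹ − 1, the base point, the secret d and the seed are all constructed here, and unlike the real generator (which uses P-256 and drops the top 16 bits of each output) this toy emits the whole x coordinate, so the attacker does not have to guess the dropped bits.

```python
# Added example: toy Dual_EC_DRBG with a planted P = d*Q relation. Curve, points, secret d
# and seed are all constructed here; none of this is the real NIST parameter set.
P_MOD = 2**31 - 1        # prime, and 3 mod 4, so square roots are a single exponentiation
A, B = 2, 3


def inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Recover a point from its x coordinate. Either sign of y serves the attacker,
    because x(d*R) == x(d*(-R))."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def x_of(pt):
    return 0 if pt is None else pt[0]


def dual_ec_outputs(seed, P, Q, n):
    """Honest generator: r = x(sP); next state s = x(rP); emit x(rQ)."""
    s, out = seed, []
    for _ in range(n):
        r = x_of(ec_mul(s, P))
        s = x_of(ec_mul(r, P))
        out.append(x_of(ec_mul(r, Q)))
    return out


def predict_after(observed, d, P, Q, n):
    """Attacker who knows d with P = d*Q: from one emitted x(rQ), compute
    x(d * rQ) = x(rP), i.e. the generator's next state, then run it forward."""
    R = lift_x(observed)
    next_state = x_of(ec_mul(d, R))
    return dual_ec_outputs(next_state, P, Q, n)


def make_params(secret_d):
    """Pick a base point Q, then plant the backdoor by publishing P = secret_d * Q."""
    x = 2
    while (Q := lift_x(x)) is None or Q[1] == 0:
        x += 1
    return ec_mul(secret_d, Q), Q


SECRET_D = 0x1D0C5A7      # constructed; the analogue of the number only the designer holds
P, Q = make_params(SECRET_D)


def backdoor_works(seed=0x5EED, n=4):
    """True if one observed output lets the holder of d predict the next n-1 outputs."""
    outs = dual_ec_outputs(seed, P, Q, n)
    return predict_after(outs[0], SECRET_D, P, Q, n - 1) == outs[1:]


if __name__ == "__main__":
    print("holder of d predicts the stream:", backdoor_works())
    outs = dual_ec_outputs(0x5EED, P, Q, 3)
    print("wrong d predicts the stream:", predict_after(outs[0], SECRET_D + 1, P, Q, 2) == outs[1:])
```

The generator itself is unchanged whether or not d exists; the weakness lives entirely in how P and Q were chosen, which is why a vendor can ship the standard algorithm in good faith and still be shipping a backdoor, and why replacing Q with a point of unknown provenance (as happened in ScreenOS) is all an intruder needs to change to make the backdoor theirs.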

 

My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet, no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan or @SteveD3 put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary.  A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and very Infosec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.

 

With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows You’re Dead”. I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome.” The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.

And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

Embracing the Shadow – wait! What?

Let me share a few more thoughts about Shadow IT with you as we head into 2016. The good folks at AlienVault were kind enough to ask, and let’s just say that we don’t expect the Shadow to fade anytime soon…

https://www.alienvault.com/blogs/security-essentials/embracing-the-shadow-wait-what?utm_medium=Social&utm_source=Twitter

There was a time when the IT security lords ruled. Mere mortals only had whatever devices and access they were issued. Companies had “standards” and if you wanted something it had to exist on the approved equipment list. But decisions took time and the lines of business didn’t always get the answer they wanted. Regulating tech was getting in the way of getting stuff done. Security had become an inconvenience.

It was easier to regulate things back then, when there were fewer things. The available tech was enough to get the job done. But that’s the thing. Tech is always evolving, to meet the demands for faster, better, more. And how do you do more better and faster? Shadow IT and Shadow Data.

Welcome to GenMobile, “a flexible, transparent and collaborative presence, ” which actually means folks who don’t follow the rules. Yes, Houston, we have a problem and it’s called self-service IT. Guess what percentage of workers are doing it for themselves? Aruba Networks cites 77%. Hello Shadow.

Be afraid. Be very afraid. Because we can’t see all the stuff, all the time. Easy-to-use devices are everywhere, creating an unprecedented level of end user entitlement. And a little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access.

So what do you do when employees make independent decisions about devices, data storage and transmission? Accept it? Regulate it? Or ban it? Because “keep it secret” definitely does not keep IT safe.

No Idea What They’re Using, No Idea What They’re Losing

We need to start by getting our head in the cloud. Ah, the Cloud. It’s the solution to everything: storage, countless productivity applications, Office 365, Google Docs. Face it. Cloud is accessible anytime, anyplace, anywhere, anywhen. But the truth hurts:

  • 15x more cloud services are used to store critical data than CIOs have authorized
  • IT says 51 active cloud services. Survey says 730
  • Use is growing exponentially
  • 1000 external services per company by 2016
  • 30% of business critical info is in the cloud

Here’s where we worry: the combination of insider threat plus Shadow IT. What if the interfaces and APIs users interact with aren’t secure? Attackers actively search for exactly those weaknesses. And how do you protect against what you don’t know about, when there’s a whole lot of activity going on up there that nobody reports?
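The first step against "what you don't know" is an inventory, and the web proxy already has the raw material for one. The following is an added example, not code from this post or from AlienVault, of the discovery pass IT can run over proxy logs: every hostname is collapsed to its registrable domain, the domains IT has actually sanctioned are dropped, and what is left is reported by who uses it and how many bytes have gone out to it. The log lines, the users and the sanctioned list are all constructed for the example; the last-two-labels domain rule is a simplification that real code should replace with the Public Suffix List.

```python
from collections import defaultdict

# Constructed web-proxy log lines (not real traffic). Fields:
# timestamp user client_ip method host:port bytes_in bytes_out
SAMPLE_LOG = """\
1456789012.123 alice 10.0.0.12 CONNECT outlook.office365.com:443 1024 2048
1456789020.401 alice 10.0.0.12 CONNECT www.dropbox.com:443 512 7340032
1456789033.009 bob 10.0.0.27 CONNECT content.dropbox.com:443 4096 15728640
1456789041.555 carol 10.0.0.31 CONNECT api.trello.com:443 2048 4096
1456789050.000 bob 10.0.0.27 CONNECT acme.sharepoint.com:443 8192 1048576
1456789061.777 dave 10.0.0.44 GET www.example.com:80 30000 300
"""

# Assumed allowlist: the registrable domains IT has actually authorised.
SANCTIONED = {"office365.com", "sharepoint.com"}


def registered_domain(host):
    """Collapse a hostname to its registrable domain. Naive last-two-labels rule: fine for
    the sample, but real code should use the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, user, ip, method, hostport, bytes_in, bytes_out = line.split()
    host = hostport.rsplit(":", 1)[0]
    return {"user": user, "host": host, "bytes_in": int(bytes_in), "bytes_out": int(bytes_out)}


def shadow_report(lines, sanctioned):
    """Aggregate traffic to services IT never approved: who uses them and how much leaves."""
    report = defaultdict(lambda: {"users": set(), "hosts": set(), "bytes_out": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        dom = registered_domain(rec["host"])
        if dom in sanctioned:
            continue
        entry = report[dom]
        entry["users"].add(rec["user"])
        entry["hosts"].add(rec["host"])
        entry["bytes_out"] += rec["bytes_out"]   # client -> cloud: the data that is leaving
    return dict(report)


def top_uploaders(report):
    """Unsanctioned services ordered by how much data has gone to them."""
    return sorted(((dom, e["bytes_out"]) for dom, e in report.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    rep = shadow_report(SAMPLE_LOG.splitlines(), SANCTIONED)
    for dom, sent in top_uploaders(rep):
        print(f"{dom:15s} {sent / 1e6:8.2f} MB out  users={sorted(rep[dom]['users'])}")
```

Sorting by bytes out rather than by request count is deliberate: a service two people have pushed twenty megabytes into is a data-custody question, whereas a service with many small requests is usually just a web page.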

Shadow as the New Norm?

What if I said to you Shadow IT isn’t going away? In fact, it’s being heralded as the new norm, the way work is going to get done. Ponemon Institute reports that an average of 50% of cloud services are deployed by departments other than corporate IT, and that an average of 44% of corporate data stored in the cloud is neither managed nor controlled by the IT department. Control over network infrastructure and physical hardware like firewalls is supposed to be the realm of the IT folks in charge of securing proprietary data. But the cloud has a way of making things go all fuzzy.

Twelve years ago technology spending outside of IT was 20 percent of total technology spending. But according to the experts at Gartner, it will become almost 90 percent by the end of the decade. At the Gartner Symposium in Orlando in June this year, the new attitude toward Shadow IT was this: “to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon.”

Hank Marquis, research director at Gartner, declared:

“Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It’s called innovation. It’s happening in the edges where we don’t deliver the solutions. You might not agree with it but you should think that way. You’re not going to stop shadow IT. It’s not going to go away. You’re not going to suppress it. You might as well embrace it, leverage it, use it.”

His is not the only voice out there with that message. Jeanne Ross, Research Director and Principal Research Scientist, Center for Information Systems Research, MIT Sloan School of Management expressed similar sentiments in the HP Enterprise blog for December 10, entitled “Why Smart Companies are Embracing Shadow IT.” She talks about how business is using “demand shaping”, where companies identify their most “valuable and achievable business –change opportunities”, and then use this to select those projects best suited to invest IT dollars in. As for those rejected projects that would find their way into Shadow IT:

“This all comes down to relationships, and to the right conversations happening between people at all levels of IT and business. But if mutual respect exists between IT architects and program managers and their counterparts within the business units, demand shaping and shadow IT can forge an extraordinarily productive partnership.” Read more.

And then world peace can happen?

Ed Macnair, CEO, CensorNet, weighs in with this. “There is a case here for innovation versus risk. By allowing shadow IT, new solutions that will benefit the wider business can be found. However, shadow IT is a security nightmare as those members of staff who are likely to use their own solutions will inherently be from the generation of risk takers and will therefore be less concerned by the need for all encompassing security measures.”

The Innovation Trade Off

The recommendation by Gartner is that Shadow IT not be contained but encouraged, and allowed within established boundaries that abide by existing compliance, regulatory and security rules. Innovation without peril. It is also becoming a more prevalent and better-understood aspect of technology management among companies, and leaders might want to take a completely different approach to handling it.

As illustrated by IDC Senior Research Analyst Mark Yates, employees are operating with tacit permission, making their own decisions, and nobody is in control. The business environment has become a “Wild West.” Entitlement and empowerment are enabling employees to fake compliance and use what they want.

Simon Mingay, Vice President of Research, Gartner Inc., drives the point home. “For most IT organizations, resistance is futile. Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

And there we have the corporate buy-in. Lower IT costs, increased flexibility, speedier task completion and less interference from IT. Yes, it is being echoed from suite to suite. Because innovation leads to profit. But at what price to security?

A New Hope for The Phantom Menace?

Again, there is a collective chorus on the new approach to take. There need to be guidelines and boundaries to help corral Shadow IT without driving it completely underground and out of scope. Mingay advised “bring shadow IT out of the shadows, make it transparent, provide services that support it.” He advocates “Rather than try to eradicate shadow IT, let’s rename it “dispersed IT,” since everyone has a piece of it.” Frank discussions need to happen to identify why Shadow IT is happening, and those users and business units engaging most heavily identified and consulted. Why are existing policies and rules being circumvented when the consequences are known?

Is it possible to construct a mutually viable arrangement whereby IT can assume the role of broker, an intermediary between users and their apps? Gartner recommends IT organizations engage the business as a partner, and ask senior executives what they think IT’s role should be. And the conversation should extend to outliers and users not operating within the daily confines. Marquis reiterates points we’ve all been saying, like the importance of having visible support from the top execs. Of great importance is IT collaborating efficiently with audit and asset management to ensure compliance.

Clearly, the game has changed and there’s no going back. We have to shift gears and plan for the rapid developments of Cloud, Everything as a Service, and Big Data. It’s going to mean moving out of our comfort zone to get a better handle on what people really need and want. Buy-in comes when we show the C-suites how security is the strategic partner that helps them move toward innovation. It’s a different terrain, but we’ve still got to run it faster and better than the guys who are out there waiting, counting on what our end users will do and the rules they won’t follow.

Thanks for reading!


My InfoSec Least Favourite Things

2015 has been one heck of a year for those of us in the Security Community. I’d like to pay a little homage to the year that was, and celebrate the incredible community that is – InfoSec!

(to the tune of that famous ditty from Sound of Music)

Three heads of state who do not get encryption


Fighting the black hoodie hacker description  (I wear purple)


Cleaning up after what Patch Tuesday brings

These are my InfoSec least favourite things

 

Munin’s got lore


Lesley helps more


DA’s Storytime


This is what’s great when you’re in InfoSec

Security hack sublime

 

EULA and Wassenaar setting the rules


Researchers disclose to be treated like fools

Zero day brokers who act like they’re kings


These are my InfoSec least favourite things

 

BSides reaches


Each con teaches

We’ve got stuff to share

This is what’s great when you’re in InfoSec

Security hackers care

 

Shadow; BYOD; Password disgrace


No DRP or insurance in place

Check mark security, blinky box pings

These are my InfoSec least favourite things

 

When we mentor

When we disclose

When we all unite


This is when InfoSec truly is great

Hack all the things – that’s right!

Big Data, Big Problems

In the wake of the recent VTech breach big questions are being raised about Big Data.  It’s prompted an excellent response by many knowledgeable folks within infosec which is good, because this is a conversation we’ve needed to have for some time. The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our Privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.


I wrote a piece in response for LinkedIn Pulse, but I want to build off that here, because there is so much more that needs to be said. We’re battling a culture of entitlement and indifference, which casts a dark shadow across everything we think we know and understand. BYOD reigns supreme. The IoT has run amok right into our once-regulated work spaces. And when it comes to IT, now it seems everyone is doing it for themselves. Because who needs guidelines when you’ve got Google? It’s not just the stuff, it’s the attitude. Which is creating a huge problem: how do we secure what we don’t know?

So what’s going on with BYOD anyway? The view from the trenches isn’t pretty. As @da_667 tweeted, “cyber security policy success is having the authority to tell the userbase no and having that decision stick.” And from @lslybot: “telling users no, when it matters, to protect themselves and your company network” #abusepolicy. How do we regulate a society that is essentially device-driven?

It isn’t just the servers and desktops at the office. Everywhere we go, anything we touch, we’re connected. Fitbits, Apple Watches, tablets, flash drives, smartphones: this ability to portably “plug in” and then help ourselves is one we don’t understand, and we’ve lost whatever control over it we had.

In our corporate realm, we have regular users and superusers.  And for good reason. We need privileges in order to do certain things and we need privilege hierarchies to establish the right levels of access. With higher levels of privilege come higher levels of risk.  The problem is that what we’re seeing happen in organizations and companies is a less discriminating assignment of privilege.

We have all these devices, and a pervasive BYOD culture, demanding access to the networks and the data, all that lovely “big data”. And so we comply. We keep opening doors that should just. Stay. Closed.

When it comes to access and privileged identity management, we aren’t controlling what we can and need to control. Per Ericka Chickowski, while 92 percent of organizations in the US have some user monitoring in place, only 56 percent are handling privileged identity management. Almost a third of those companies do not have anyone analyzing or auditing, even weekly, how and when employees and contractors have privileged access to systems. Meanwhile, 60% of IT decision makers admit to sharing their credentials.

In her recent piece “Employee Password Habits that Could Hurt Enterprises”, Chickowski shows that we’re still not learning despite recent breaches and training programs. As the line between personal and professional grows more blurry, 60% of employees do work activities from a personal device and 55% of employees do personal activities on work devices. Work data is accessed from personal devices more than once a day by over one third of employees. Passwords remain an Achilles’ heel that the most novice attacker can exploit to gain access to our networks and then find their way to, or stumble upon, our corporate crown jewels. Half of employees reuse passwords at work, and that number only increases for personal use. Remember that blurred line; it factors in here.

Cutbacks and reductions mean fewer guardians at the gate in IT.  Under pressure to keep things running and meet demands, we resort to the path of least resistance so that we are “simplifying the process.”

Okay. Why not enable users to resolve some of their own problems by raising their status?

What the heck? Let Marketing have access to all the data – it’s just reports.

Why not? Let people update corporate social media accounts – there’s nothing to worry about there.

But here’s the bottom line: Privilege loses its meaning when that account status is being freely handed out.

“It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.”

– David Gibson, VP at Varonis.

One word: exposure.

It is as bad as it sounds. When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at significant risk. Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March 2015 IBM-sponsored Ponemon Institute study, nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers.

Add to that “9 in 10 websites leak user data to parties of which the user is likely unaware”. This is according to work done by Tim Libert of the University of Pennsylvania. We are talking about siphoning and sharing data everywhere. So when Joe from work goes to a site like Airbnb to book his trip to Regina, the user data gets sent to 9 other sites on average. These include Google, Facebook and WordPress. Factor in that 6 in 10 sites generate third-party cookies, while 8 in 10 load JavaScript from external parties onto users’ computers. How do you control what you don’t even know?
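The first step toward controlling what you don’t know is seeing it. As an added illustration, not code from the original post or from Libert’s study, the following Python script inventories the third parties a single page pulls resources from: it parses the HTML, resolves every script, image, frame and stylesheet URL against the page address, and groups the resulting hosts by registrable domain so that first-party hosts can be separated from everyone else. The page URL and HTML are constructed for the example, and the registrable-domain helper is a simplification that a real tool would replace with the Public Suffix List.

```python
"""Inventory the third parties a web page loads resources from.

Added example, not from the original post or from Tim Libert's study.
The sample page below is constructed; it stands in for a travel-booking
site that embeds analytics, ad and social-media resources.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose value makes the browser issue a request.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "embed": "src",
    "source": "src",
}

# <link> relations that are actually fetched (canonical, alternate etc. are not).
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "dns-prefetch", "preconnect"}


class ResourceCollector(HTMLParser):
    """Collects the absolute URLs of every resource the page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        # Inline data, script pseudo-URLs and fragments never leave the browser.
        if not value or value.startswith(("data:", "javascript:", "#")):
            return
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not any(rel in FETCHED_LINK_RELS for rel in rels):
                return
        # Relative and protocol-relative ("//host/...") URLs resolve against the page.
        self.urls.append(urljoin(self.page_url, value))


def registrable_domain(host):
    """Approximate eTLD+1: the last two labels, or three for two-level
    country suffixes such as co.uk or com.au.
    Assumption: a simplification; real tooling should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "com", "org", "net", "gov", "ac", "edu"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def third_party_inventory(page_url, html):
    """Return {'first_party': set of hosts, 'third_party': {domain: set of hosts}}."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party_domain = registrable_domain(urlsplit(page_url).hostname)
    inventory = {"first_party": set(), "third_party": {}}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain == first_party_domain:
            inventory["first_party"].add(host)
        else:
            inventory["third_party"].setdefault(domain, set()).add(host)
    return inventory


# Constructed sample page (not a real site's markup).
SAMPLE_URL = "https://www.example-travel.com/book"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example-travel.com/book">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.example-travel.com/app.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body>
<img src="https://www.facebook.com/tr?id=1&amp;ev=PageView" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://widgets.example-ads.net/frame"></iframe>
<script src="//stats.wp.com/e-201552.js"></script>
</body></html>
"""

if __name__ == "__main__":
    inv = third_party_inventory(SAMPLE_URL, SAMPLE_HTML)
    print("first party:", sorted(inv["first_party"]))
    for domain, hosts in sorted(inv["third_party"].items()):
        print("third party:", domain, "->", sorted(hosts))
    print(len(inv["third_party"]), "third-party domains contacted on one page load")
```

Two caveats a practitioner should keep in mind. Static HTML only shows the first hop: the analytics and ad scripts this page loads will typically fetch further scripts and beacons from yet more domains, so the count from a live browser session is higher than this inventory. And a host that shares the page’s registrable domain may still be operated by a third party (a CNAME to a vendor, for example), which is why the grouping here is a starting point for review rather than a verdict.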

This scenario is bad enough for your personal information. Now imagine an employee is accessing unauthorized sites. And don’t count on the Do Not Track me setting in the browser. Press it all you like. It’s like that button at the traffic light. Nothing really happens.

There are a whole host of security issues when it comes to data. So what happens when individuals operate as individuals, and make independent decisions about data storage and transmission? What do you do when your greatest security threat comes from within?

Let’s talk legalities. While business may love that employees pay for their own devices, and BYOD is all about convenience, it comes at a cost and everyone needs to be prepared. You can’t protect what you don’t know, and with Shadow IT and shadow data, you are exposed. I’ve spoken with Chris Case, the resident expert on cyber insurance at Dan Lawrie Insurance Brokers. Most businesses have no idea what they are really covered for. Here’s a sobering thought: the insurance you currently have likely won’t cover a breach. You need Errors and Omissions coverage, and to make sure your riders address the new cyber risks your data and reputation face. No, insurance does not replace good security fundamentals, but it is a mandatory component of your security toolkit.

Let me reiterate something Mark Nunnikhoven wrote in his recent piece “The Attack Surface of Data” on LinkedIn Pulse. He re-establishes a point we all need to remember: the more data you have, the greater its value, and the greater your risk. But people keep putting more data out there, and storing it in places where it can’t be kept safe. Mark points out that, as we here know too well, security is an afterthought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to ever have it in the first place.”

The situation has evolved drastically from what we are used to protecting. This requires a different level of data breach prevention at the point of network entry, one where we really understand the risk profile of both the device and the user.

“It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home…”
John McAfee

Because at the end of the day, what do our continued efforts to secure the corporate walls mean when this is the current reality?

Data Here, Data There

Data here, Data there, data data everywhere.  And no – it’s not funny

In the wake of the VTech  breach from last week big questions are being raised about Big Data. Which is good because this is a conversation we’ve needed to have for some time.  The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.


It’s beginning to look a lot like what we don’t want for Christmas are those toys and gadgets that connect. Certainly not when you look at the rising numbers from the VTech breach: details, photos and chat logs on 200,000 kids and 5 million parents. You can’t just make that all better.

VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.

Twitter was ablaze with commentary about how this impacts our most vulnerable sector: the kids.  Because there is no acceptable level of tracking or exposure when kids factor in. While one hacker demonstrated the extent of the VTech breach without abusing the data, the fact is that there are others out there who have no scruples. Attackers know our failings and weak spots. They’ve invested time, money and effort into finding these.  In the cyber realm, the Grinch doesn’t steal Christmas – he goes after identities.


In response, Mark Nunnikhoven recently wrote “The Attack Surface of Data” here on LinkedIn Pulse. In it he re-establishes the point we all need to remember: Data=Risk. The more of it you have, the greater its value, and the greater your risk. But people keep putting more data out there, and storing it in places where it can’t be kept safe. Mark points out that, as we here know too well, security is an afterthought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to ever have it in the first place.”


He then proposes following “The Principle of Least Data,”

“An organization must collect and store only the data needed to complete their task”

which adapts one of security’s core tenets, least privilege. Because it’s easy and “tempting to collect and store as much as you can”.

But we’re only just seeing the tip of that insecurity iceberg. I gave a talk on Digital Literacy for TechSoup recently to help non-profits better manage information using digital technology. The concept is that we need a “critical and creative means of interacting with the world” while consuming increasing amounts of data. Critical thinking came up a lot in my research on digital literacy. Ironically, it has failed to address how we handle and store all that data we want to interpret, communicate and manage. And as tech flows into our schools, the focus is on free, not on security. The kids aren’t the only ones learning: marketing has staked its claim with beacons, tracking apps, and getting teachers to sign up kids without parental consent. Free education apps come with a high price tag. Those sites that collect kids’ personal info don’t all have accessible ways to delete account info.

Per FTC Chairwoman Edith Ramirez, “While tracking itself is not new, the ways in which data is collected, compiled, stored and analyzed certainly is … Not only can these profiles be used to draw sensitive inferences about consumers, there is also a risk of unexpected and unwelcome use of data generated from cross-device tracking.” I don’t know about you, but that doesn’t give me the warm and cozies.


Eric Rand (@munin) writes about how Big Data analytics are tools, and as such can be wielded accordingly, given that “math has no morals.” Once there is a tool, anyone can use it. So government or industry backdoors don’t just serve one interest; they potentially serve many. What our government claims to do for our “good” is potentially advantageous to our adversaries. In his blog Brown Hat Security he also says “any data at all that can be traced back to an individual can be conceivably used as evidence to order such force to be used against you.” Data gathered is never gone. It can come back to haunt us. It can be used against us. A permanent record, if you will, that can cause considerable damage while putting considerable control in the hands of another. “Whoever controls the flow of information and how it is disseminated controls how the world works.”

Jerry Bell and Andrew Kalat host the always informative Defensive Security Podcast, which is one of my go-to resources.  In Episode 138 last month, they talked about how we don’t do data right. As ransomware evolves and more damaging variants debut weekly, the risk to data is rising exponentially. “We now have to re-evaluate our backup strategies.”   Backups are no longer a mitigation of the original accidental threat vectors they were based on but must now become a primary defense against attacks on files. Factor this into “the ROI and considerations for backup schemes and strategies”.  Which changes how much you need to be spending, and how you think about backups. Worth a hard second look? Yes indeed!

But that means we need to step up our game accordingly. Former magistrate and Judge John Facciola, a host on Data Privacy Pioneers, gave these recommendations on a recent show: that anyone holding information must know and adhere to the rules; have a technical infrastructure to conform; have people with expertise; check every tool in use and question it well before adopting it into the process.  Take a common sense approach to evaluating the risk and lock it down.

Here’s the hard truth: we’re coming late to the game on this one and we know that we can’t take back what’s already out there.  We need to pay way more attention to how we are handling all that data, because attackers are counting on what we are not doing. When it comes to the bottom line, people’s lives are not numbers. Our privacy matters.

What Lurks In The Shadow

There was a time when the Security Lords ruled. When there was less tech, and MOAR compliance. But then the Internet of Things happened in a big way. People wanted to access all the data, all the time, and Mobile couldn’t happen fast enough. Security had become an inconvenience, and BYOD became the solution. Things got Cloudy quickly, as data went up, up and away and end users started doing it for themselves. Shadow Data and Shadow IT have become how work gets done. And that’s a growing problem for security.

Here’s a little story about What Lurks in the Shadow. From my recent talk at BSidesTO.

BSidesTO: Bringing IT Home

This is my first year of attending security cons and sharing them with the world, so it means a lot to pen this tribute to BSidesTO, the one in my hometown. Hitting its stride in its third year, tickets sold out in advance, there was an excellent roster of speakers, and I was thrilled to be selected.

Let me start with kudos and congratulations to the small but powerful organizing team who put together a terrific event and made themselves readily available.  The venue was packed with an appreciative audience of over 160 security folk who engaged each of the speakers in lively question and answer sessions following their talks.  And yes, there was such a thing as a free lunch, which was served up with smiles by the BSidesTO team. They even arranged a movie to end the session, for those not already engaged in the post-con convos. If anything went awry, it wasn’t evident.


Given that our space was full to bursting, and that Toronto is Canada’s largest city, and one of the largest cities in North America, I think it’s time we had a major hacker con, along the lines of ShmooCon, GrrCon, or DerbyCon. Because it isn’t a corporate event, BSides has that potential, and has established itself as a much-loved, homegrown series of security cons that started in the US and have been spreading because of the community they build and the innovation and exploration they encourage.  It’s where the security community shares their hacks to learn, to improve, and to make the world a safer place. I really look forward to participating again next year, and to getting involved.


Unfortunately, that isn’t always how hacking is perceived. This past year brought us the short-sighted Wassenaar Arrangement controls on intrusion software, which would penalize those who hack to protect, and several governments working to ban encryption. But someone has to scrutinize the ever-growing number of devices added to the Internet of Things, and dissect the code that builds the websites we are all accessing. Decision makers need regular reminders that hackers watch over all the connections we make, and that they serve as our early warning security system.

Which is why having a local BSides really matters – it fosters the free exchange of ideas and supports this community in their varied approaches to security. Because as the impact of breaches continues to increase, and average users discover the extent of their vulnerability online, the world needs to know that hackers are here – for good.