Category Archives: infosec

My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

Posted on by
1

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.

tweet ransom

FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger.   Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access.  It’s so bad US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware running in their systems currently. Because a little knowledge could be dangerous thing used to our advantage this time.

tweetsamsa

WHAT: Extremely dangerous and wholly underated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as launching oint for further attacks.

  • No working public exploits against apps til now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users in the ability to hijack deserialization process.

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: Vulnerability is found in how many JAVA apps handle process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Disassembly is the process of breaking an object down into a sequence of bits.

Deserialization is reassembly of those bits. (unserialization)

A Java object is broken down into series of bytes for easier transport.

Then is reassembled back at other end. Think the fly or tranporter

PROBLEM:  many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization or putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT malicious object into data stream and it can execute on the app server

Attack method:  special objects are serialized to cause the standard Java deserialization engine to instead run code the Attacker chooses.

Each of the 5 middleware applications listed above has a Java library called  “commons-collections.” This has a method that can lead to remote code execution when data is deserialized. Because no code should execute during this process.

NEEDS TO HAPPEN:

Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

Need to harden it against the threat.

Removing commons collections from app servers will not be enough.   Other libraries can be affected.

Contrast Sec has a free tool for addressing issue.  Runtime Applicaton Self-Protection RASP.  Adds code to deserialization engine to prevent exploitation.

Sources:

Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Back it up! Back it UP!

Posted on by
Reply

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)crash3
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waybash
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked todayransomware
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waysonypictureshack-640x1136
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, paydrive crash
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Why The Internet Is Broken … Again

Posted on by
Reply

drown1

In the ongoing saga of our quest for powerful encryption online for all, free from backdoors and government restrictions, this week we stumbled again over the inherent brokenness of what the existing standard is.  Yet again, there is a massive vulnerability impacting the TLS or transport layer security.  And it stems back to a very short-sighted decision by the US Gov’t during the ’90’s.

DROWN attack renders messages vulnerable that are sent online between HTTPS servers – yes, that is correct, you saw the letter ‘s’. When stuff like this happens, it kind of defeats the whole purpose of making things HTTPS. The acronym is pretty self-explanatory. It stands for “Decrypting RSA using Obsolete and Weakened eNcryption”. Obsolete and Weakened says it all.

The impact is huge. It means that TLS connections to over 33% of HTTPS servers are open to attack using fairly fast and easy methods. That’s the other problem. The attackers won’t have to work hard for the money on this one. More about how later.

TLS matters because encryption matters, so it is the most important security protocol on the internet.  It began as SSL, or Secure Socket Layer, back when dinosaurs sat in power. And if we recall from previous briefs about similar problems, those stem back to the US government meddling in the ‘90s and making encryption work for their purposes ie dumbing it right down to do business abroad.

So the cause, simply put, is dangerously outdated SSLv2.  Gone but so not forgotten.While browsers or clients have gotten rid of SSLv2, many servers still support the protocol.  This can be attributed to carelessness and obsolete embedded devices that don’t get updated.  And while OpenSSL was supposed to offer a configuration option to disable SSLv2 ciphersuites, it doesn’t seem to be working because even when that option is selected or set, clients still can choose the SSLv2 option.  Here is an excellent explanation of why this is so serious by cryptography expert Matthew Green, and you can read his thoughts in detail in his recent blogpost on DROWN

If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client toever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.

So what happens is that a server is using both SSL/TLS. Double the flavour, double the fun  would necessitate separate certificates and private keys. Except that people don’t want to do more or pay more: so they use the same thing on both.  And yes, Virginia, a buggy SSLv2 will impact the security of TLS.

drown2

NOTE: a patch for this matter was issued in January but not well publicized. This doesn’t help because we need folks to get the patches up on their systems. Otherwise, we have what is still ongoing because of Shellshock Bash.  Unpatched instances propogating exploits. So please, do everyone a favour and patch your systems.

How does the bad stuff happen? In what is called a cross-protocol attack. It uses bugs in one protocol say SSLv2 to attack the security of connection made in another and different protocol ie TLS.  The irony is that while TLS is designed to defend against well-known attacks on this encryption  SSlv2’s export suites have been proven not to do that (via the Bleichenbacker Attack, and that’s all you really need to know about it here).

What we need to acknowledge is just how realistic an attack actually is. The answer is very. It will only cost a few hours and $440 dollars using the available power of Amazon EC2. The attacker would watch about 1000 TLS handshakes to find a vulnerable RSA ciphertext, use 40000 queries to the server and 2to the 50th offline operations. That may sound like a lot, but it really isn’t given today’s resources. We know attacks only get faster and more sophisticated.  Researchers have now found a new version that can decrypt a TLS RSA ciphertext in ONE minute on a single CPU core.

What can you do?  Start by checking your systems. Follow this link here:  https://test.drownattack.com/ (the link is safe). While there is a patch again that should help, it only works when applied. The DROWN Attack site will help you to learn more about how this vulnerability impacts various systems and how to disable SSLv2.

Read more here:

http://www.symantec.com/connect/blogs/drown-vulnerability-could-sink-secure-internet-connections

https://drownattack.com/

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

Hope that was helpful! Thanks for reading.

Ransomware: Don’t Get LOCKY’d Out

Posted on by
Reply

locked-computer

LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payments, or bank statements. These will contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. And any removable devices will also become contaminated, putting others at risk.
DO NOT ENABLE MACROS!

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shutdown the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.

locky

As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code, and Office files. As well as files in any directory on any mounted drive that the infected computer can access. This is important because this will also include removable drives plugged in at the time or network shares that are accessible like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network using administrator access and controls; the damage could be widespread. Locky will also encrypt Bitcoin wallet files it finds, thereby stealing any bitcoin that could have paid ransom.
Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current of live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime

 

Watching Your Backdoor

Posted on by
1

It’s a thing. Backdoors. Add no, not the fun kind with screens that keep out mosquitoes. The kind I’m going to reference here are the ones that actually let worse things in.

backdoor

Backdoors in tech aren’t just the stuff of legend, or part of the plot in tales of espionage. They are very real,  and there is nothing secure about them. They exist as an intrusion point, hidden, secret. These deliberate manipulations of code allow access into a network or application and bypass the necessary security protocols.  What matters to me isn’t so much that these are used by foreign governments to spy on us, or for corporate espionage. Rather, it’s the further legitimization of attacks on our privacy.  How do we secure against this mindset? Backdoors are essentially a weakness built into the code. Something unsecured that when discovered can be readily exploited, because nobody is supposed to know it’s there. Until it’s too late.

Several backdoors have recently been revealed just over the past few months.Here’s the rundown of shame by John E Dunn in his article in Forbes:

NSA Clipper Chip, 1993

The most reviled backdoor in history, the NSA’s infamous Clipper chip, endorsed by the Clinton administration, still gets people’s backs up more than two decades on from its heyday. In 1993, encryption was new and strange. Few used it but the experts and Government spooks could, however, imagine a world in which they might. Their answer was to neuter the possibility of unbreakable security with an escrow-based system based around the Clipper chip that would cache keys. Assuming anyone had agreed to use it the NSA would have had a ready means to decrypt any content.

As Whitfield Diffie, creator of the famous Diffie-Hellman key exchange protocol observed at the time, the problem with building in backdoors is that they are deliberate weaknesses. Should a third-party find them they become less a backdoor than an open one.

Borland InterBase backdoor, 2001

This weakness in the firm’s InterBase database was essentially a secret backdoor account that allowed anyone with knowledge of it access to data. Making the serious comic, the username and password in question were ‘politically’ and ‘correct’. At the time, the assessment was that while deliberate the hole was probably put there by one or a small number of programmers as a convenience. But we’ve included it because the fact that perhaps only one person knew about it doesn’t mitigate its seriousness for the seven years until it was discovered.

Huawei v the US, 2011

The huge Chinese equipment maker spent millions trying to reform its image after being accused of building backdoors into its telecoms equipment. In 2012 a US Congressional investigation concluded that the firm (and mobile vendor ZTE) should be banned from the world’s largest market over state surveillance worries. In the UK BT had been installing Huawei equipment since 2007 so it was all too late to do much about it beyond GCHQ setting up a special unit to monitor its systems in cooperation with the company itself.

Irony or all ironies, a Snowden leak then suggested that the NSA’s Tailored Access Operations (TAO) had set up an operation to spy on Huawei to work out how far any collusion went.

The modern (i.e. post-Aurora and Stuxnet era of backdoor scandal began here.

Cisco et al, 2013

Dragged out of Snowden’s famous cache by a German newspaper, this concerned unpublished security flaws in the networking equipment of a group of vendors, headed by Cisco but including Juniper, Samsung among others. These weren’t classic backdoors except in the sense that they allegedly offered a huge amount of surveillance control over the equipment. Very unusually, Cisco’s CSO John Stewart issued a statement denying any knowledge of the compromise.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” he stated. The fact he was even having to say this was a sign of changed times.

More recently in 2015, a backdoor compromise called SYNful Knock was discovered on Cisco equipment. Described by security fir FireEye as a Cisco router implant, already it was clear that the simple idea of intelligence engineers building in massive holes from day one of a product’s life was probably out of date. Why build them in when juicy ones could be found later on?

Juniper, 2015

Discovered just before Christmas 2015, this looked like a biggie in Juniper’s NetScreen ScreenOS from the off. The company finally admitted to suspicious researchers that the Dual_EC_DRBG encryption random number generator contained a backdoor that would allow anyone with knowledge of it to eavesdrop on secure VPN connections. This flaw might or might not have been deliberately put there by the NSA, which was he source of the RNG, but it was exploited at some point, possibly by a third-party government. A backdoor in a backdoor or just weak coding?

Fortinet, 2016

Hard-coded passwords are an absolute no-go for any system these days so it was disconcerting to discover that Fortinet appeared to have one in an SSH interface accessing its FortiOS firewall platform. Researchers looked on this as a backdoor although Fortinet strenuously denied this interpretation. In fairness, this was probably correct although the lack of transparency still bothers some.

CESG’s MIKEY-SAKKE, 2016

Was the revelation that this protocol, promoted by the UKs CESG for end-to-end encryption in VoIP phone calls, a real backdoor or simply part of the spec? According to Dr Steven Murdoch of University College London the escrow architecture used with MIKEY-SAKKE simply has not been fully explained. Was this a way to spy on conversations without anyone knowing? According to GCHQ, that’s exactly what it was. As an enterprise product, escrow was perfectly appropriate and organisations deploying this technology needed a system of oversight.

In fairness to MIKEY-SAKKE setting up end-to-end encryption without some form of backdoor is now unthinkable for large enterprises that need control over their encryption infrastructure. Whether this compromises the system in a wider sense seems over-blown assuming the architecture has been correctly documented.

 

My First ShmooCon – This Time It’s Personal

Posted on by
1

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet, no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan or @SteveD3 put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary.  A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and very Infosec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.

shmoosat

 

With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows Your Dead”.  I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome.  The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.

russiahouse

And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

Embracing the Shadow – wait! What?

Posted on by
Reply

Let me share a few more thoughts about Shadow IT with you as we head into 2016. The good folks at AlienVault were kind enough to ask, and let’s just say that we don’t expect the Shadow to fade anytime soon…

shadow

https://www.alienvault.com/blogs/security-essentials/embracing-the-shadow-wait-what?utm_medium=Social&utm_source=Twitter

There was a time when the IT security lords ruled. Mere mortals only had whatever devices and access they were issued. Companies had “standards” and if you wanted something it had to exist on the approved equipment list. But decisions took time and the lines of business didn’t always get the answer they wanted. Regulating tech was getting in the way of getting stuff done. Security had become an inconvenience.

It was easier to regulate things back then, when there were fewer things. The available tech was enough to get the job done. But that’s the thing. Tech is always evolving, to meet the demands for faster, better, more. And how do you do more better and faster? Shadow IT and Shadow Data.

Welcome to GenMobile, “a flexible, transparent and collaborative presence, ” which actually means folks who don’t follow the rules. Yes, Houston, we have a problem and it’s called self-service IT. Guess what percentage of workers are doing it for themselves? Aruba Networks cites 77%. Hello Shadow.

Be afraid. Be very afraid. Because we can’t see all the stuff, all the time. Easy-to-use devices are everywhere, creating an unprecedented level of end user entitlement. And a little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access.

So what do you do when employees make independent decisions about devices, data storage and transmission? Accept it? Regulate it? Or ban it? Because “keep it secret” definitely does not keep IT safe.

No Idea What They’re Using, No Idea What They’re Losing

We need to start by getting our head in the cloud. Ah, the Cloud. It’s the solution to everything: storage, countless productivity applications, Office 365, Google Docs. Face it. Cloud is accessible anytime, anyplace, anywhere, anywhen. But the truth hurts:

  • 15x more cloud services are used to store critical data than CIOs have authorized
  • IT says 51 active cloud services. Survey says 730
  • Use growing exponentially
  • 1000 external services per company by 2016
  • 30% of business critical info is in the cloud

Here’s where we worry: The combination of Insider Threat plus Shadow IT. What if the interfaces and APIs with which users interact aren’t secure? Attackers are actively searching for these types of vulnerabilities to exploit them. And how do you protect against what you don’t know, because there’s a whole lotta activity going on up there unreported.

Shadow as the New Norm?

What if I said to you Shadow IT isn’t going away. In fact, it’s being heralded as the new norm, the way work is going to get done. Ponemon Institute reports an average of 50% of cloud services are deployed by departments other than corporate IT. And an average of 44% of corporate data stored in the cloud is neither managed not controlled by the IT department. Control over network infrastructure and physical hardware like firewalls is supposed to be the realm of the IT folks in charge of securing proprietary data. But the cloud has a way of making things go all fuzzy.

Twelve years ago technology spending outside of IT was 20 percent of total technology spending. But according to the experts at Gartner, it will become almost 90 percent by the end of the decade. At the Gartner Symposium in Orlando in June this year, the new attitude toward Shadow IT was this: “to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon.”

Hank Marquis, research director at Gartner, declared:

“Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It’s called innovation. It’s happening in the edges where we don’t deliver the solutions. You might not agree with it but you should think that way. You’re not going to stop shadow IT. It’s not going to go away. You’re not going to suppress it. You might as well embrace it, leverage it, use it.”

His is not the only voice out there with that message. Jeanne Ross, Research Director and Principal Research Scientist, Center for Information Systems Research, MIT Sloan School of Management expressed similar sentiments in the HP Enterprise blog for December 10, entitled “Why Smart Companies are Embracing Shadow IT.” She talks about how business is using “demand shaping”, where companies identify their most “valuable and achievable business –change opportunities”, and then use this to select those projects best suited to invest IT dollars in. As for those rejected projects that would find their way into Shadow IT:

“This all comes down to relationships, and to the right conversations happening between people at all levels of IT and business. But if mutual respect exists between IT architects and program managers and their counterparts within the business units, demand shaping and shadow IT can forge an extraordinarily productive partnership.” Read more.

And then world peace can happen?

Ed Macnair, CEO, CensorNet, weighs in with this. “There is a case here for innovation versus risk. By allowing shadow IT, new solutions that will benefit the wider business can be found. However, shadow IT is a security nightmare as those members of staff who are likely to use their own solutions will inherently be from the generation of risk takers and will therefore be less concerned by the need for all encompassing security measures.”

The Innovation Trade Off

The recommendation by Gartner is that Shadow IT not be contained but encouraged and allowedwithin established boundaries to abide by existing compliance, regulatory and security rules. Innovation without peril. Even better, it’s a more prevalent and well-understood aspect of technology management among companies, and leaders might want to take a completely different approach to handling this matter.

As illustrated by IDC Senior Research Analyst Mark Yates, employees are operating with tacit permission, making their own decisions, and nobody is in control. The business environment has become a “Wild West.” Entitlement and empowerment are enabling employees to fake compliance and use what they want.

Simon Mingay, Vice President of Research, Gartner Inc., drives the point home. “For most IT organizations, resistance is futile. Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

And there we have the corporate buy-in. Lower IT costs, increased flexibility, speedier task completion and less interference from IT. Yes, it is being echoed from suite to suite. Because innovation leads to profit. But at what price to security?

A New Hope for The Phantom Menace?

Again, there is a collective chorus on the new approach to take. There need to be guidelines and boundaries to help corral Shadow IT without driving it completely underground and out of scope. Mingay advised “bring shadow IT out of the shadows, make it transparent, provide services that support it.” He advocates “Rather than try to eradicate shadow IT, let’s rename it “dispersed IT,” since everyone has a piece of it.” Frank discussions need to happen to identify why Shadow IT is happening, and those users and business units engaging most heavily identified and consulted. Why are existing policies and rules being circumvented when the consequences are known?

Is it possible to construct a mutually viable arrangement whereby IT can assume the role of broker, an intermediary between users and their apps? Gartner recommends IT organizations engage the business as a partner, and ask senior executives what they think IT’s role should be. And the conversation should extend to outliers and users not operating within the daily confines. Marquis reiterates points we’ve all been saying, like the importance of having visible support from the top execs. Of great importance is IT collaborating efficiently with audit and asset management to ensure compliance.

Clearly, the game has changed and there’s no going back. We have to shift gears, project from the rapid developments of Cloud, Everything as a service, and Big Data. It’s going to mean moving out of our comfort zone to get a better handle on what people really need and want. Buy-in comes when we show the CSuites how security is the strategic partner to help them move toward innovation. It’s a different terrain, but we’ve still got to run it faster, better than the guys who are out there waiting, counting on what our end users will do and the rules they won’t follow.

Thanks for reading!

 

The Internet & Wassenaar: This Changes Everything

Posted on by
Reply

reg

Legislation is tricky stuff. Hard to understand, hard to follow. Hard to undo.  Which is why we need to be aware of things that have the potential to impact us be so we can get ahead of them incase there is a problem.  The reality is, time won’t be on our side.

As is the case with the Wassenaar Arrangement, and the proposal to enforce it by the US Business of Industry and Security (BIS).   Wassenaar is a voluntary agreement between 41 countries, with the purpose of regulating the knowledge of how to create “intrusion software,” which is defined as “software that is capable of extracting or modifying data or modifying the standard execution path of software in order to allow the execution of externally provided instructions.”   Their mandate is for controls to be put in place over intrusive software that could become digital weapons, used by regimes to subjugate their citizens, or  spy on their personal lives. While this sounds like a good premise, it’s actually far-reaching and has the potential to create a lot of collateral damage. And the direct recipients of that damage are the very people we need to keep us and our information safe online: those who work with security testing, research and software.

wassenaar-arrangementThe objectives of Wassenaar and the BIS have only been furthered by the recent publicity over the attack of Hacking Team, a cyber espionage outfit that counted governments as clients and whose dealings were kept secret for the benefit of both sides. As per the recent article by Katie Moussouris in Wired,

“Security experts warn that overzealous laws will stifle this vital security research that aids defense. Many also fear these regulations will put legitimate tech companies out of business due to excessive license application burdens and delays in the ability to sell security products and compete globally.”

Here’s the truth of it. By enforcing the broad mandate of Wassenaar as per BIS, we shut down the very organizations and people who can best act as our first line of defence. There is no question that malware and cybercrime are evolving rapidly, and that we do not have full control over our security.  Those who seek to profit from using and abusing technology will continue to do so, and find ways around any legislation, or risk existing penalties in favour of what they stand to gain, be that money, power or both. Wassenaar will not rewrite human nature any more than it will prevent the inevitable from happening.

finfisher

We need to have people finding the bugs in our software that could be exploited and making that knowledge available through vulnerability research and disclosure. But the legislation would control information necessary for research, testing & development. Security researchers and companies must be able to watch over existing traffic and monitor it for threats without fear of reprisal.  To fully appreciate just how BIS and Wassenaar will impede security providers I encourage you to read the full article by Katie Moussouris in Wired here.

“One thing is constant: Those who wish to create tools and use or distribute them to cause harm will continue to do so with the impunity that was revealed in the internal communications of the hacked Hacking Team. No regulation will stop them. It is our job to collectively ensure that no regulation stops defenders.”

BIS has invited public feedback about what they propose but the deadline is today, July 20.  If you can, speak up today. Here are some helpful guidelines:

  1. Give examples of what technology is caught by these rules and what the impact will be.

  2. Explain in detail the burden to organizations and individuals who will have to apply for export licenses under the new rule.

  3. Show how the new rule won’t achieve the stated goal of protecting human rights, but instead will hinder defense of the Internet.

Comments on this rule may be submitted to the Federal rulemakingportal (www.regulations.gov). The regulations.gov ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to publiccomments@bis.doc.gov or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments.

https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19

We all have a stake in how Wassenaar plays out. And today, we all have an opportunity to influence that outcome.

Back It Up, Back It UP!

Posted on by
Reply

(A cautionary tale and my little take on “Shake It Off” by Taylor Swift)

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)crash3
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waybash
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up
Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked todayransomware
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waysonypictureshack-640x1136
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up
Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, paydrive crash
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up
If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Superfish and Lenovo: One Big Fish Fry

Posted on by
Reply

“Superfish” by @EddieTheYeti

There’s a nasty little game afoot where new laptops come with undesirable extras. I’m talking about “crapware” – all those annoying little programs and invitations to sign up and buy that suddenly fill your screen moments after you first boot up.  That’s not the way anyone deserves to experience those heady first moments with a major new purchase. And yet, it’s exactly what happens with nearly all new laptops and pcs.

If you ask, you’re told that it’s been in practice by big companies for a while; that it’s the way business is done; that it’s nothing to worry about.  That doesn’t make it right.  And as of today, that doesn’t make it safe.

lenovolaptopIt has been discovered that the plethora of advertising extras pre-installed on Lenovo laptops contains a hidden danger.  A piece of adware, known as “Superfish Visual Discovery”, actually conducts a type of attack known as “MiTM” or Man-in-the-Middle, where it messes with that lovely new laptop’s configuration, and actually compromises a key security component. And no, that is not supposed to happen.  Which is why I think it’s time to speak up and speak out about this practice.

Plenty of top-drawer securitytech experts are currently dissecting and revealing the ugly truth about “Superfish”.  Simply put by Marc Rogers on Marc’s Security Ramblings,:

 badcert Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.

Rik Ferguson offers this explanation on CounterMeasures:

 Superfish also installs its own self-signed Root Certificate Authority… Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security

twittererRob Graham on Errata Security described how he was able to “intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops)”. On Twitter, he challenged the supposition by Peter Hortensius, CTO of Lenovo, that the problem was “theoretical” by saying how he had tested and proved otherwise.  And Steve Ragan on Salted Hash Security News hits the nail on the head when he states:

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

What really bothers me is that most users don’t have the technical skillsets to understand what is actually happening, let alone to diagnose and disinfect.  From my years of experience working with end users, cleaning up this kind of mess definitely  falls outside reasonable expectations of what we should ask most people to do. Helping folks overcome their fear of technology is always challenging.  Most people would just like the problem to go away. Or for someone else to fix it.  There is a point to which you can lead users, but then they balk.certs

My team and I are all about simplifying technology for users. And honestly, if you can teach someone the easy ways to do things right, like security, then it’s like teaching that proverbial man to fish: they’ll be fine for the rest of their lives. But there is nothing simple about cleaning up malware, spyware, adware and the technical mess they inflict on devices.  Nobody who really cares about their customers should be asking them to start prodding around in program or registry files even if the customer is technically qualified.  Because confusion happens and mistakes can be made.

It’s really great to hear the outcry against what’s been going, and to put the issue squarely in front of major manufacturers. Time for certain parties to take a good look in the mirror: How can you proclaim your commitment to improving security when you’re actually contributing to a key source of problems? I love this statement by Marc Rogers on Marc’s Security Ramblings :

We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position

That said, what can you do about it? First and foremost, you need to get that junk off your device.  I’m happy to report that some terrific folks have been addressing that and there are some good suggestions on how to detect and remove.  For those inclined to do take the task on, read the steps through carefully a couple of times to make sure it’s clear before you undertake anything.  I can recommend this piece by PC World.  As well, I found this piece by ZDNet a little more detailed and perhaps easier to follow.

Crapware serves no purpose other than garnering profit.  Lenovo has a PR nightmare ahead, and they have a lot to answer for. While they claim to have halted shipping it back in January, that does nothing about what’s already out there.  Hopefully this serves notice to other distributors about cleaning up their acts so they don’t get caught up in the same net with “Superfish”.   Because the only real victims in this fish fry are the end-users.

NOTE: The awesome pic up at the top is by talented InfoSec member and artist @EddieTheYeti