A Lesson From The Bitstamp Bitcoin Exchange Breach

Bitstamp, a European bitcoin exchange, suffered a breach on January 4th of this year.  According to a breach report apparently prepared for Bitstamp, the breach was a result of a determined adversary and a very typical but rookie mistake on the part of a Bitstamp administrator.

The breach cost Bitstamp 18,997 bitcoins worth a little over $5 million.  Just because money is digital does not mean it isn’t attractive to bank robbers.  The report is attributed to forensics firm Stroz Friedberg, the Secret Service and the U.K.’s cybercrime unit.

The report said that Bitstamp was the victim of a concerted phishing attack against 6 employees.  The phishing emails were highly tailored to each of the employees and showed background knowledge on the part of the attackers, according to the report.

The first target was Bitstamp’s CTO, who was offered free tickets to a punk rock concert (he apparently is into punk).  All he had to do was click on this link and download a Word document to get his tickets.  The Word document had malicious scripting in it, but it appears that it failed to run for some reason.

Over the next few weeks, several more Bitstamp employees received highly customized targeted emails.  One was from a journalist, another from a headhunter — supposedly.

None of these attacks worked, apparently, because none of these employees had credentials that would allow the hacker to get to the master bitcoin wallet.

But then a system administrator – who did have the credentials to the “cookie jar” – received an email purportedly from the Association for Computing Machinery, supposedly offering him a position in the ACM Honor Society.  It was sent to his GMail account.  He then had several Skype conversations and received – you guessed it – an application form, which he did open.  The rest is history.  And $5 million later, there is a lesson to be learned.

DO NOT ACCESS GMAIL, SKYPE OR WORD FROM AN ACCOUNT THAT HAS THE KEYS TO THE KINGDOM.

It’s really a pretty simple lesson, and it seems to need to be learned over and over again.

The problem is that having ONE account to do EVERYTHING a user needs to do makes life easy.

If you want easy, retire.  Play golf.  Watch TV.  Sorry, but protecting your firm’s assets could, possibly, be hard.

This attack did not require the hacker to break into Fort Knox.  It did not require the hacker to factor super large prime numbers (the basis of public key cryptography).  All it required was to learn what key employees “hot buttons” were and to appeal to them.  Then the employees just opened the door and let the hackers in.  Oh, yeah, and let the money out.

And, don’t use privileged accounts to access GMail.  Separation of duties is as old a rule as there is, but people just don’t do it.  Because it is not convenient.

Food For Thought.


Source material for this post came from Data Breach Today.

Donald Trump Hotels Newest Credit Card Hack Victim

BBC is reporting that several of the Trump hotels’ point-of-sale systems likely have been hacked.  Trump’s initial response to questions was to decline to comment.  Later, after the news of the breach was published, Eric Trump, Donald’s son, said that like “virtually every other company these days” they had been alerted to suspicious activity and are in the midst of a “thorough” investigation.  They also reminded the media that they “are committed to safeguarding all guests’ personal information”.

Before I fly off the handle, there really isn’t a lot that they can say as they investigate the breach.

However, saying that “like virtually every other company …” reminds me of the old Tom Peters (In Search Of Excellence and many other books) quote.  Peters, in lamenting how poorly most American businesses were run, said that most businesses’ fundamental operating principle was “we’re no worse than anyone else”.  That seems to be the principle that the Trump chain is using.

And, to be clear, while there are many, many credit card breaches every year, to say that virtually every other company has had their credit card data hacked is a bit of a stretch.  Even if it were true, to use that as a justification of why they were hacked is probably not going to sit well with the high end customers that his hotels court.

Brian Krebs wrote, in his coverage of the Trump breach, that maybe hackers are making one last effort to grab credit cards before the October 15 deadline for liability for credit cards.  I would like to dissect that statement because it is problematic.

(a) The October 15th date is when merchants start absorbing liability if they do not have credit card machines that accept chip based credit cards – that the rest of the world has been using for years.

(b) The new cards that your banks will issue will still have a mag stripe on them.  That means, at least to a degree, those cards are still vulnerable.

(c) We will have to see if merchants stop swiping (and therefore collecting) mag stripe data on cards after that date.  IF THEY DO STOP SWIPING THE MAG STRIPES then that data will no longer be collected and therefore no longer available to hackers.  We are going to have to wait and see what merchants do.

(d) There is no law or rule that will stop merchants from swiping your mag stripe after October 15th and, in fact, many merchants will not have new credit card readers by then, so they will continue to swipe your card.

(e) Banks are worried silly that if it is a little bit harder to use your credit card you might pay cash (and possibly get a discount!) and they will lose out on the fees.  As a result, they have decided both to leave the mag stripe on the new cards and not require you to use a pin with your chip card – as the rest of the world does – and instead use the totally ridiculous option of having you sign your virtual receipt.  Since NO ONE checks your signature (again, for fear that you might bail on the transaction) this will reduce certain types of fraud but it will not reduce other types.

(f) The October 15th deadline does not apply to a variety of merchants such as gas stations, and, I expect, banks will not have all ATMs upgraded by then either.

(g) The chip card has no effect on Internet based sales and most people expect Internet fraud to go through the roof as hackers move their efforts to ecommerce web sites once it becomes harder to hack places like Trump’s hotels.

This migration to chip cards – and hopefully, eventually, to chip and pin – will take years.  Many years.

Both BBC and Krebs are saying that this breach goes back to February.  If so, this is July, which means that it only took the banks 3 or 4 months to detect the breach, and Trump’s response seems to indicate that they were not aware of the problem at all until the banks told them about it.  Believe it or not, that is pretty quick.

While I am beating on the Trump chain pretty hard, as Tom Peters said, they really ARE no worse than anyone else.

My two cents.

Information for this post came from BBC and Brian Krebs.

Why Patching Doesn’t Work – Using Apple As An Example

Apple released patches to fix a family of security flaws called Masque the other day in iOS release 8.4.  Researchers then came up with a new variant of the flaw that the patch doesn’t fix.  Apple had fixed earlier variants of the Masque attack in iOS 8.1.3.  Anyone see a theme here?  Unfortunately, in today’s world, putting yellow duct tape on top of green duct tape on top of silver duct tape is what we do.

For years, people thought Apple was immune to hackers.  In reality, while Apple’s software is good, it is not perfect.  Hackers considered Apple to be a niche player and instead focused their efforts on Windows users.  Now that Apple is considered a mainstream product, hackers are focusing some energy on it and finding holes.

Apple, in turn, is doing the only thing they really can do in the short term and that is buying cases of duct tape.  Unfortunately, as Microsoft figured out years ago, duct tape is neither elegant nor does it provide a lasting solution.

Bill Gates wrote his famous Trustworthy Computing memo in 2002 that started a culture change at Microsoft that is still unfolding today.  In the battle between security and features, features usually win.  In both Microsoft’s and Apple’s cases, real security means a lot of time, people and money to re-architect their products.  It is very rare that you see that in the commercial software world.  Usually it takes some sort of catastrophic failure like a nuclear reactor meltdown.  We did see major changes in the chemical process industry after the Union Carbide chemical plant disaster in Bhopal, India that killed or injured hundreds of thousands.

In the software world, vendors are not responsible if you are hacked and lose all your money, intellectual property or your nude pictures are published on the Internet for the world to see.  Until that changes, expect duct tape to be a hot commodity.

A few details about the problem.

In Apple’s case, the Masque flaws involve impersonating existing apps and getting users to install hacked versions, typically through Apple’s enterprise provisioning system, which allows companies to use apps that are not published on the app store.

The fixes that Apple made last November in iOS 8.1.3 fixed the URL Masque and Plug-in Masque variants.

FireEye, the company that found these bugs, disclosed two more variants, called Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.  Expect more variants to follow.

Based on traffic to high profile web sites, a third of Apple iOS users are using versions of iOS earlier than 8.1.3.  Unless a user downloaded 8.4 this week, that user is running a version older than 8.4.

Older iPhones may not even be able to upgrade to 8.4 due to compatibility issues, so they will be vulnerable until they are crushed and recycled.

There is no easy answer and this is certainly not just an Apple problem.  As software becomes more sophisticated, the problem multiplies.  And, worse yet, all vendors, including Apple, abandon old versions of hardware.  Try getting updates for an iPad 1, for example.  However, the fact that the vendor doesn’t update does not mean that people don’t use them.

I do not think there will be a solution any time soon.  Both the U.S. and British governments still have tens of thousands of PCs running Windows XP.  The U.S. Navy agreed to pay Microsoft for private support for a few of these.  The British government, which did pay Microsoft millions last year for that service, opted to let it expire this year.  That does not mean those computers are not being used – just not being updated.

No. Easy. Answers.   Soooooooorry!

Source material for this article came from PC World (see article).

Max Schrems Vendetta Continues Against Facebook

In March I wrote about Max Schrems’s one-man war against Facebook and their privacy-stealing policy (see post here).  He originally went to the Irish data protection commissioner but withdrew that complaint after it became clear that nothing would get resolved in that venue for years.  Then he went to the Vienna District Court saying that he was a resident of Austria.  That decision came down on June 25th.  They decided to kick the can down the road (I guess they have been watching American courts for too long) and said that the laws that he was accusing Facebook of violating were designed to protect consumers and he was a business.  They did say he was an attention hound, but other than that, did not rule on the merits of the case.

Schrems said he was disappointed and surprised, but said he plans to appeal.  Schrems was a law student at the time of his initial filing;  I assume he is an attorney now, so if he wins, it would be good for business and his legal costs are pretty low (just his time).  Facebook of course, said they were happy.

Separately, Schrems has filed suit in the ECJ – the European Court Of Justice – so between the appeal and the ECJ action, Facebook is still fighting a war on several fronts.  Stay tuned; this is likely to go on for years.

The Irish Times article can be found here.

Drug Infusion Pump Vulnerable To Hackers

Wired reported that some Hospira drug infusion pumps are vulnerable to a number of attacks.  The article also says that Hospira was not receptive to the news when told of the problem and it took DHS a year to issue an alert – only after someone made the facts public.  In fact, Hospira initially refused to fix the vulnerabilities and would not test other pumps to see if they had the same problems.

The researcher was told that the pumps are undergoing re-certification by the FDA since the fix requires a core change to the firmware.  Hospira is now saying that the pump is not being re-certified.  They said that there are already protections in place, but would not say what those protections are.  Somehow, I am more trusting of the researcher.  The Wired article can be found here.

Some details about the vulnerabilities – you can read a lot more in the Wired article.

The pumps are loaded with libraries for each drug.  The library tells the pump what the allowed dosages are for the drug, so that if a nurse prescribes a dosage that could kill the patient, the pump will alert.  These libraries, however, are not authenticated, and the pump does not authenticate who is sending it an update – any device on the hospital network could send an update.

There is also no way for the practitioner to see what limits are in the actual pump, so there is no easy way to see if the pump has been hacked.

The server software can also send firmware updates to the pump and the server software is no more secure than the pump. Some userids and passwords are stored in clear text and cryptographic keys are hard coded.  SQL database passwords are also hardcoded and stored in the clear.  This, along with other vulnerabilities would allow a hacker to take over the server.
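The two pump weaknesses above – updates that nothing authenticates, and limits the practitioner cannot read back – are easiest to see side by side. The following is an added example, not Hospira’s firmware or anything from the Wired article: a toy model of the library update channel in which one pump accepts any library from any sender, and a hardened pump installs a library only when an HMAC-SHA256 tag under a per-pump key verifies and the version is newer than what is installed, then exposes its active limits for audit. The pump key, the drug names and the limits are constructed, illustrative values, not clinical data.

```python
"""Toy drug-library update channel: unauthenticated pump beside a hardened one.
Added example; not Hospira's code. Key, drug names and limits are constructed."""
import hashlib
import hmac
import json

# Constructed sample key shared between this pump and its library server.
# Hypothetical value; a real deployment provisions a unique secret per pump.
PUMP_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# Constructed sample library. Drug names and limits are illustrative only.
VENDOR_LIBRARY = {
    "version": 2,
    "drugs": {"drug_a": {"max_mg_per_hr": 10.0}, "drug_b": {"max_mg_per_hr": 2.5}},
}


def serialize_library(library: dict) -> bytes:
    """Canonical JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(library, sort_keys=True, separators=(",", ":")).encode()


def sign_library(library: dict, key: bytes) -> str:
    """Server side: HMAC-SHA256 tag over the canonical library bytes."""
    return hmac.new(key, serialize_library(library), hashlib.sha256).hexdigest()


class InsecurePump:
    """Accepts any library from any sender, as the article describes."""

    def __init__(self):
        self.library = {"version": 0, "drugs": {}}

    def apply_update(self, library: dict, tag: str = "") -> bool:
        self.library = library  # no authentication, no version check
        return True

    def active_limits(self) -> dict:
        return self.library["drugs"]


class HardenedPump:
    """Installs a library only if its tag verifies under this pump's key and
    its version is newer than the installed one (blocks replay and downgrade)."""

    def __init__(self, key: bytes):
        self._key = key
        self.library = {"version": 0, "drugs": {}}

    def apply_update(self, library: dict, tag: str) -> bool:
        expected = sign_library(library, self._key)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or unsigned update: reject, keep old limits
        if library.get("version", 0) <= self.library["version"]:
            return False  # replayed or downgraded library: reject
        self.library = library
        return True

    def active_limits(self) -> dict:
        """Read-back an auditor can compare against the vendor's copy."""
        return self.library["drugs"]


def dose_allowed(pump, drug: str, mg_per_hr: float) -> bool:
    """Pump-side safety check using whatever limits are currently installed."""
    limit = pump.active_limits().get(drug)
    return limit is not None and mg_per_hr <= limit["max_mg_per_hr"]


def demo() -> dict:
    """Legitimate update, then a rogue update from an unauthenticated sender
    that raises a limit tenfold; reports whether the rogue limit took effect."""
    tag = sign_library(VENDOR_LIBRARY, PUMP_KEY)
    rogue = {"version": 3, "drugs": {"drug_a": {"max_mg_per_hr": 100.0}}}

    insecure, hardened = InsecurePump(), HardenedPump(PUMP_KEY)
    insecure.apply_update(VENDOR_LIBRARY, tag)
    hardened.apply_update(VENDOR_LIBRARY, tag)

    # The rogue sender holds no key, so it can only omit or guess the tag.
    insecure.apply_update(rogue, "")
    hardened.apply_update(rogue, "")

    return {
        "insecure_allows_100mg": dose_allowed(insecure, "drug_a", 100.0),
        "hardened_allows_100mg": dose_allowed(hardened, "drug_a", 100.0),
        "hardened_limits_match_vendor": hardened.active_limits()
        == VENDOR_LIBRARY["drugs"],
    }


if __name__ == "__main__":
    print(demo())
```

A shared HMAC key is the simplest thing that closes the "anyone on the network can push a library" hole, but it means a key extracted from one pump can sign libraries for that pump; a public-key signature over the library, with only the verification key on the device, is the stronger choice for a fleet of tens of thousands of units. The `active_limits` read-back is what gives the practitioner the visibility the article says the real pumps lack.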

Apparently Hospira thinks that stonewalling is the best defense.  It will work until someone dies.  It is unfortunate that things work that way.  Unfortunately, it would likely cost Hospira a lot of money to fix the tens of thousands of pumps out there, as well as the server software and get it all certified.

In the meantime, it appears that the FDA is on the side of the manufacturer – the best we got from them was a memo – after a year and after the flaws were publicly disclosed by someone else.

Do you see anything wrong here?


The Gov Isn’t Very Good At Fixing Software

According to Veracode, the government isn’t very good at fixing software flaws.  In fact, of 7 vertical segments, they rank last.  The financial and manufacturing sectors do best at fixing vulnerabilities.  Healthcare organizations don’t do well and cloud vendors (SaaS) fail the OWASP top 10 almost 75% of the time.  Given this, it is not surprising that hackers are having a field day.

Veracode makes software and sells services to help companies squash bugs, so that is how they get their data.  According to Veracode’s study:

The level of compliance on the first risk assessment test, by industry is ranked like this:  Financial (42%), Manufacturing (35%), Tech (32%), Healthcare (31%), Retail (30%), other (30%) and, last and apparently least, Government (24%).

Remediation is a very important metric.  What percentage of the bugs that you find do you fix?  You might think the answer is all of them, and maybe in a perfect world that would be true, but there are lots of reasons why it isn’t true.  Manufacturing wins this contest at 81% fixed, followed by Financial (65%), Retail (60%), Other (52%), Tech (50%) and Healthcare (43%).  Government brings up the rear at 27%.  Usually, time and money drive fixing the bugs, along with the PERCEIVED risk that the flaw represents.  I say perceived because many companies don’t think that they are going to be attacked.

According to the report, cryptographic issues seem to be a big problem.  Cryptographic issues could mean that sensitive data isn’t encrypted or the implementation of cryptography is poor.

Turning to risk improvement, the report says that while only 14% of the overall flaws detected were fixed between the first assessment and the most recent one, 58% of the high and very high severity flaws were fixed.  Said differently, more than 40% of the high and very high severity flaws are still out there and over 80% of the total flaws are still left in the code.

This data says that there is a lot of room for improvement.  Interestingly, internally developed software seems to test better than commercial software, which is counterintuitive.  Overall, internally developed software was compliant on the first pass of testing 37% of the time, while commercial software passed 28% of the time.

The report is available at this link.