Apple iOS Quicksand Vulnerability Revealed

Now that Apple is becoming a more mainstream IT player rather than just a consumer electronics vendor, hackers are starting to take more notice.  Appthority, an application risk analysis and mitigation firm, has announced Quicksand, an iOS vulnerability that allows malicious apps, or anyone who can get physical access to an iOS device, to steal credentials and then exfiltrate corporate data.

As a “good guy”, Appthority worked with Apple to develop a patch, which Apple has released with iOS 8.4.1.  Anyone who is running a version of iOS older than that is vulnerable.

Unfortunately, it is estimated that, especially in the corporate environment, 70% of the users are running old, outdated versions of iOS.

In addition, many companies, especially smaller ones, do not have any corporate mobile device management solution deployed.  As a result, these companies not only have no way to push critical patches such as this to their mobile users, but often they do not even know how many devices are out there accessing corporate resources, never mind what operating system, application software or version those devices are running.

As companies become more dependent on mobile devices (mostly phones and tablets), they need to deploy the tools that can manage those devices.

Alternatively, they can fly blind.  An analogy would be driving your car on the highway, blindfolded.  Generally, that does not produce good outcomes.  Based on the number of breaches we are seeing, neither do current corporate mobile device management practices produce good results.

For a while it looked like Apple was immune to the issues that we were seeing in the PC world.  My opinion was that as long as Apple was a bit player, the hackers chose to ignore them.  Now Apple is in the hacker’s crosshairs – just like Microsoft, Google and every other large software developer.

And users and businesses need to adjust to the new reality.

Information for this post came from PRNewsWire.  PRNewsWire, in an interesting twist of fate, was in the news last week as a hackee instead of a reporter.

IRS Breach Grows – Do They Really Know The Answer?

The AP is reporting that the IRS didn’t really know how many taxpayers had their information stolen by hackers who used the Get Transcript web site.

Originally, the IRS said that hackers tried to get information for about 200,000 taxpayers and were successful in getting information for 100,000 of them.  Originally, they said the hack started in February.

Now they are saying the hack started in November and the hackers attempted to get information for over 600,000 taxpayers and were successful for over 300,000 taxpayers.

That means that they were off by a factor of 3 in how many taxpayers had their data stolen.  That is a big discrepancy.

The fact that they did not know when the hack started, or how many records the hackers attempted to get and succeeded at getting, is not a big surprise.  While we can point to antiquated systems in the government (the IRS has been trying to “modernize” its systems unsuccessfully for years), many private businesses are in the same boat.

Even private businesses that don’t have antiquated systems often don’t log all of the information necessary to answer those questions.  And, if they do, they often don’t keep the logs long enough to still have them when the breach is discovered.  The issue is usually cost.

The specifics of what happened come down to the balancing act that every organization has to deal with – CONVENIENCE OR SECURITY.

The IRS, like lots of organizations, opted for convenience.

All that was required to get a copy of your tax return “transcript” (the data on your return) was a few bits of supposedly private information – birthdate, the amount of your income from last year – things like that.

With all the breaches in the last few years, that supposedly private information is no longer private.

Any company that assumes that this sort of “out of wallet” information is really private is playing Russian roulette.

After the breach became public, the IRS shut down the web site.  Sort of like closing the barn door after ….

The convenience vs. security aspect comes from the fact that you are trying to make things easy for your customer.  In the case of the IRS, the customer is the taxpayer, the convenience is making it easy to get a copy of your tax return.

Web site password resets are an example of this in the private sector.  To make it convenient when customers forget their passwords, web sites often give you a link that you can click on to reset your password.  Often all you need is access to your email to reset your password.

The good news for the IRS is that they are unlikely to get sued and even less likely to go out of business.

That is not the same for you.  If you were to lose control of customer information for 300,000 customers, you are likely to get sued, and many small businesses in that position go out of business.

So, as I always say – security or convenience.  Pick one.  My suggestion is that you pick carefully.



Information for this post came from the AP.

Hackers Drop 10 Gigabytes Of Ashley Madison Data

UPDATE August 19, 2015 – As I predicted, there are now web sites which allow you to search the Ashley Madison data.  Check this Wired article for links:  .

The hackers who broke into the Ashley Madison web site last month threatened to make the data that they stole public if Ashley Madison’s parent company did not shut the site down.  Well, they didn’t and the hackers did.

Today about 10 gigabytes of data, representing over 30 million customers, was dumped on the dark web for anyone who cares to look.   Researchers and gawkers are downloading the data furiously.  A directory listing of some of the files was posted on Ars Technica and reproduced below.


Ashley Madison’s parent company has not confirmed that the data is theirs, but they also haven’t denied it.   Here is how the hackers explained what they were doing:

time is up

The data includes emails, profiles, credit card information and other data.  While the password hashes were included, the password hashing algorithm that they used (bcrypt) makes it computationally intensive to brute force crack millions of passwords.  This doesn’t mean that people won’t try, but it does mean that it will be hard.

Still, there is other identifying information – credit card information and email addresses.  I am sure some people used burner cards and email addresses, but there have already been 15,000 .mil and .gov addresses found.  Really.  You use your government email address at a site like Ashley Madison?  Interesting, but not too smart.

Ashley Madison attempted to use all sorts of laws to take down the data when the hack first happened, but the way the hackers dumped this data (via Tor) means that there are likely hundreds if not thousands of copies floating around the internet already.  Not to mention that many people have likely downloaded it to their own computers.

Ashley Madison is putting on a brave face by saying that they will continue to put forth “substantial effort” to remove any information posted.  That likely might work with some traditional news sites – who probably would not post the data anyway – but it will be totally ineffective on the dark web.

Just like Ashley Madison is not based in the U.S. making it outside the reach of many U.S. laws, many of the dark web sites are based in countries you would say are not too friendly towards the west.  What do you think Putin would say if Ashley Madison sent a Russian web site a take down notice?  After he got up from the floor where he fell down laughing, he might use it to light one of his cigars.

Sorry boys, the cat is out of the bag.

Probably, a lot of the data is made up – supposedly most of the women on the site are fictitious;  most of the people looking for extramarital affairs are apparently guys.  There was no verification of the data customers provided – I assume on purpose – so if I wanted to call myself Sam Spade, I could as long as that name wasn’t already taken.  To prove that point, Tony Blair’s name was in the dump and I suspect the former prime minister was not a customer.

The part of the data that can be validated could be used by divorce attorneys and blackmailers.

Now let’s forget, for the moment, that this is Ashley Madison and people might say that the business is sleazy and people who use it got what they deserved.

Let’s say that this was your company and your customer data, credit card transactions, customer profiles, names and addresses were leaked.  What would the impact be on your business?  Do you have a plan for dealing with that situation?

No company has zero enemies.  Not even Mickey Mouse and Donald Duck.  That means that someone might be out to get you.  Could be a customer, employee, supplier, contractor or someone completely unrelated to the company.

Avid Life Media is privately held and not U.S. based, so it is highly unlikely that we will find out what the financial impact is on the company, but I can’t imagine that anyone is signing up for their service.

By way of example, two years after the Target breach, it appears that Target and Visa kissed and made up in exchange for a $67 million check and the agreement that individual banks can still sue Target.  Right now, the cost of the breach is above $200 million, after insurance and it is far from over.  They will still be dealing with it for years to come and when I mention Target to average people, the general response is that they avoid shopping there.


Information for this post came from Ars Technica and Wired.

The Year Of The Car Hack? GM Onstar, VW, Audi and Many Others

GM says that they have fixed the vulnerability that allowed a hacker to take over the GM OnStar RemoteLink software.   Once the hacker has taken over the software, she can do anything the owner can do – remote unlock, remote start, etc.   The attack worked because GM was not validating the SSL certificates used by the app.   The researcher says not only does it still work, but he has extended the attack to work on BMW Remote, Mercedes-Benz mbrace, Chrysler’s Uconnect and Viper SmartStart.

The researcher only tested his attack on iPhones, but I suspect the same technique will work on Android phones too.

The challenge here, of course, is designing mobile software securely.  While you may not like it if your mobile game leaks your name or age, you really won’t like it if your mobile app gets your car stolen.  Banking apps figured this out a long time ago.  I guess automakers have to learn it all over again.
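The OnStar flaw above boils down to a client that accepted whatever certificate the server presented. The following added example (mine, not GM’s or the researcher’s code, and not specific to any car app) shows the two client TLS configurations side by side in Python’s `ssl` module and a small audit function that flags the settings that make an app interceptable: certificate verification switched off, hostname checking switched off, an old minimum protocol version, or no trust anchors loaded. The function and context names are my own.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings describing why this client context is unsafe.

    An empty list means the context will reject a server that cannot present a
    certificate chaining to a trusted CA for the requested hostname.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # The client will complete the handshake with any certificate at all,
        # including one minted on the spot by a man in the middle.
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        # A valid certificate for some other name would still be accepted.
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        # Verification is on, but with no CAs to verify against every handshake fails.
        findings.append("no CA certificates loaded into the trust store")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The shape of the bug described above: verification switched off 'to make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the platform trust store and check the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"{name}: {audit_tls_context(ctx) or ['no findings']}")
```

When the hardened context is used to wrap a socket, `server_hostname` must be passed so the hostname check has something to compare against; a context that is correct on paper is still defeated by code that omits it.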

Now, on to VW.

Bloomberg is reporting that VW has been fighting security researchers for two years because they want to release a paper on a security vulnerability that they found in the remote keyless entry system.  The vulnerability affects not only VW, but also Fiat, Audi, Ferrari, Porsche and Maserati.  VW has finally given in and the paper will be published with very minor redactions.

The rub is that the only fix is to replace both the keys and the controller inside the car.  Given that this likely affects millions of cars and VW would have to pay for all of these car manufacturers to recall these cars, VW would like this to go away.

Pretending security flaws don’t exist is kind of common and unless security researchers are allowed to continue exposing them, the only people who will know about the flaws are the bad guys.  There are some proposed U.S. laws that would make this research illegal.  Those in the know have been fighting against this, but it is a continuing battle.

Would you prefer that security researchers operate in public, tell companies and product owners that they are vulnerable and allow the vulnerabilities to get fixed?  Or, would you prefer they operate in the shadows and sell their exploits to organized crime?  How much do you think a car theft ring would pay for an exploit that allows them to own a high end Audi or BMW in less than 60 seconds?  I assume that would be worth tens of millions.

The London police say that 42% of vehicle thefts are carried out by hacking the keyless entry systems.  That’s pretty amazing.

As I keep saying – convenience or security, pick one.

On the other hand, it doesn’t mean that you cannot make technology bullet resistant (notice I didn’t say bullet proof), but it takes some work.

I am not sure why, but this year seems to be the year of the car hack.  The year is not over yet, so stay tuned.

Information for this post came from SCMagazine and Bloomberg.

The Consequences Of Not Conducting Cyber Due Diligence

As I have talked about before, the PNI division of Staples provides digital photo kiosks and online printing to the likes of Costco, Walgreens, CVS and Walmart and announced they had been breached in July of this year.  This resulted in all of these customers taking their photo processing sites off line.

Costco had previously announced that it would re-enable the site in early August but has now said that it will take more time.

Costco has said that it was unsure as to whether customer data was compromised.  So far, they still don’t know or at least aren’t saying.

So what is the take away here? Just to be clear, I don’t have any insider knowledge here, so I am speculating.

First, Costco and the other customers of PNI may not have done sufficient cyber due diligence both before entering into the agreement to hitch their little red wagon to PNI’s and on a continuing basis.  Although this is hard to tell given the very little information that has been released, there clearly is a problem and given that they are delaying the re-enabling of the service, the problem is likely bigger than they thought.

In this case, since Costco and others were private labeling PNI’s services, the brand damage is to Costco, not PNI.  No Costco customer thought they were leaving Costco’s web site or store and doing business with a third party.  This also means that the lawsuits, if any happen, will be with Costco, although it is likely that PNI/Staples would get dragged in.

Also, very clearly, the brand damage to PNI is significant and could even be fatal.

I assume, and it is only an assumption, that big companies like Costco and Walmart have active and effective VENDOR cyber risk management programs, but many companies do not and no one is talking right now, so we do not know.

Second, Staples may not have done sufficient cyber due diligence before writing a check for $67 million to acquire PNI.  For a company like Staples, $67 million is lunch money.  Unfortunately, the checks that they may have to write, absent insurance coverage which hopefully they have, could dwarf the purchase price.  It is also not clear whether the restart of, for example, Costco’s photo service will be with PNI or someone else.  Lost business and future lost business could devalue this acquisition substantially.

While Staples is a multi-billion dollar company, so are the affected customers such as Costco and Walmart.  Everyone has lots of lawyers.  Expect there to be claims and potentially lawsuits.

While I would be foolish to suggest that cyber due diligence and effective vendor cyber risk management programs would eliminate issues like the one that PNI/Staples, Costco, Walmart and others are dealing with now, it is fair to say that they improve your odds of dodging issues like this.

Given the size of all of the companies involved, they will all likely survive.  Whether that would be true for smaller companies is not at all clear.

See my earlier post here.

Information for this post came from Investopedia.

Lenovo Caught Installing Backdoor – Even If You Wipe The Disk

Lenovo has stopped installing software which allows them to overwrite system files with their version of those files, even if you wipe the disk.  They have released a patch for it and recommend that users install the fixes, especially on laptops, quickly.  How they do it is quite amazing.

Lenovo has built, into the firmware of the laptops and desktops, something called Lenovo Service Engine or LSE.  What LSE does is to check, on startup, whether their version of a file called Autochk.exe is installed in the Windows system folder.  If Microsoft’s version was installed instead of Lenovo’s, they nuke Microsoft’s version and replace it with their own.

This is very similar to hardware based rootkit malware that the NSA uses and that I have written about before.  In those cases, they infect the firmware in a disk drive or on a peripheral device so that there is no way for you to delete the malware.

Once Lenovo has their somewhat-evil version of Autochk installed, every time you boot up, it looks to see if two of their programs, LenovoUpdate.exe and LenovoCheck.exe are installed on the system.  If not, they copy them to the system folder.

These programs execute on startup with full system administrator privileges and download drivers and other Lenovo bloatware from the Internet without asking your permission.

The software sends personally identifiable information to Lenovo as part of this process.

What they download and install on your computer is completely up to them – they neither ask you nor tell you.

The feature in the firmware which enables this, Windows Platform Binary Table or WPBT, is designed to make sure critical system files are present; however, it seems like this makes installing a rootkit a “paint by numbers” task for hackers, according to The Register.
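Since WPBT is just an ACPI table the firmware hands to Windows, an administrator who wants to know whether a machine carries one can dump the table and read it. The following is an added example of my own (not Lenovo’s, Microsoft’s or The Register’s code) that parses the table’s fixed layout: the standard 36-byte ACPI header, then the size and physical address of the embedded binary, a content layout and type byte, and a UTF-16 command line. On Linux the raw table, if present, is exposed at `/sys/firmware/acpi/tables/WPBT`; the sample table built below, its OEM strings, address, and command line are constructed for the example and describe no real firmware.

```python
import os
import struct

# Standard ACPI table header shared by every table: signature, length, revision,
# checksum, OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")          # 36 bytes
# WPBT-specific fixed fields that follow the header: handoff memory size,
# handoff memory location (physical address), content layout, content type,
# command-line length in bytes.
WPBT_FIELDS = struct.Struct("<IQBBH")                  # 16 bytes

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}

SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"


def acpi_checksum(table: bytes) -> int:
    """Value the checksum byte must hold so all bytes of the table sum to 0 mod 256."""
    return (-sum(table)) % 256


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT table, rejecting anything with a bad signature, length or checksum."""
    (sig, length, revision, _checksum, oem_id, oem_table_id,
     _oem_rev, _creator_id, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"length field {length} does not match table size {len(table)}")
    if sum(table) % 256 != 0:
        raise ValueError("ACPI checksum mismatch: table is corrupted or tampered")

    (handoff_size, handoff_addr, layout, ctype,
     cmd_len) = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    cmd_start = ACPI_HEADER.size + WPBT_FIELDS.size
    raw_cmd = table[cmd_start:cmd_start + cmd_len]
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "binary_address": handoff_addr,     # where the firmware placed the executable
        "binary_size": handoff_size,
        "content_layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "command_line": raw_cmd.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def build_sample_wpbt(binary_addr: int, binary_size: int, command_line: str) -> bytes:
    """Construct a well-formed WPBT table for testing the parser (sample data, not real firmware)."""
    cmd = (command_line + "\x00").encode("utf-16-le")
    body = WPBT_FIELDS.pack(binary_size, binary_addr, 1, 1, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"EXAMPL", b"SAMPLE01", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = acpi_checksum(bytes(table))   # checksum byte sits at offset 9 of the header
    return bytes(table)


def read_system_wpbt(path: str = SYSFS_WPBT):
    """Return the parsed table from sysfs, or None when the firmware exposes no WPBT."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_wpbt(f.read())


if __name__ == "__main__":
    live = read_system_wpbt()
    print("this machine:", live if live else "no WPBT table present")
    sample = build_sample_wpbt(0x7F000000, 0x1000, r"C:\Windows\System32\example.exe /silent")
    print("constructed sample:", parse_wpbt(sample))
```

A table that parses cleanly tells the administrator that the firmware will have Windows run the named binary with the given command line on every boot, before any disk-wipe or reinstall has a say; that is the fact worth checking on any new machine, not just Lenovo’s.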

When the Register asked Microsoft for an explanation of WPBT, all they heard was the crickets chirping – no comment.

I think Microsoft’s intentions are good here.  Their strategy to sell more copies of Windows is to make things very simple so that even grandpa can use it.  That means that we have to trust the PC makers to use this appropriately, which once again, Lenovo has failed at.

It also means that they have to implement it securely and we have to trust that they do that.  Which Lenovo failed at.

Curiously, Lenovo did NOT install this rootkit on their Think branded computers, targeted at businesses, only on some Lenovo branded models – reinforcing the thought that they think that some of their customers cannot manage their own computers without training wheels.

Because they got caught at it, they have now released patches for the various models that have LSE installed.  Some of the patches are labelled low severity, but other models, due to even more vulnerabilities found, are labelled high severity and Lenovo recommends users install those fixes ASAP.

If Lenovo was not on your DO NOT BUY list before this announcement, it should be now.  First Superfish, now this.  They just don’t get it.

I hope that security researchers, who found this gem, are going to be looking at what other manufacturers are doing with WPBT.  Personally, I had never heard of it before yesterday.

If I was a conspiracy theorist, I might suggest that this tool could easily be manipulated by repressive governments to spy on their citizens.  Which repressive government(s) I am talking about I will leave up to your imagination.

It does point out that we are really dependent on hardware and software makers to do the right thing.  If some government agency comes to you and tells you to do something, doing the right thing may not be easy.

Information for this post came from The Register.