Giuliani’s Website – Security Swiss Cheese

Former NY mayor Rudolph Giuliani has been in the security business since leaving the mayor’s job in 2001 and is now the cybersecurity czar for President Trump.

After he was nominated, security experts checked out his website.

The web site, GiulianiSecurity.com is a tad bit unsecure.

The site is built using Joomla, a low end content management system.  That’s probably OK, EXCEPT that the version that they were running was released in 2012 – kind of like an antique in the software world.  In the last four plus years Joomla has released many, many patches and new versions.  None of them installed.

The site was also running a version of PHP that was released in 2013.

Within a few minutes experts were able to find 41 publicly known vulnerabilities and 19 publicly known exploits.  Not a good show for a security company.

Also, the (HTTPS) SSL certificate was expired.  Qualys Labs scored it with a grade of “F”.

The site went down for a few hours after the experts began scoping it out and supposedly came back up.

But today, it is down again.

Giuliani’s role in the Trump administration will be to come up with a strategy for companies to improve their cyber security.  Trump has given him 90 days to come up with a plan.  It will be very interesting to see what he comes up with.

According to Politico, this is a volunteer gig so he doesn’t fall under the ethics rules that apply to government employees.  He is not resigning from his security company nor from the law firm of of Greenberg Traurig, where he chairs the global cybersecurity practice.  In an interview Giuliani downplayed any conflict of interest.  On the other hand, in an interview he acknowledged that some of the people that he introduces to Trump might be people he has business ties to.

Stay tuned for details in a few months.

Information for this post came from Business Insider and Politico .

 

 

 

Facebooktwitterredditlinkedinmailby feather

Mac Malware Uses Antiquated Code

A new piece of Apple Mac malware was discovered recently but may have been running around the Mac universe for two years.  The malware dubbed Fruitfly by Apple, is apparently a pretty simplistic piece of code.  It can capture webcam images , screenshots, information about every device on the network and then tries to connect to each of the devices that it found.

The malware was discovered by an administrator who saw unexpected outbound traffic from his network.  I am not sure how many admins would detect suspicious traffic coming from one computer.

The code uses programming functions that were popular prior to 2001 and uses a code library that was last updated in 1998.

There are also some other markers – a comment in the code – that indicates that, at least this version of the malware was released after OS X Yosemite was released in 2014 – but that means that it could have been infecting machines for more than two years.

Given this information, it is certainly possible that the code could be a decade old and updated as needed as Apple modified OS X.

Pure speculation is that the malware was only used in very targeted attacks, POSSIBLY by the Russians or Chinese, to steal US and European scientific research.

Malwarebytes now detects the software as OSX.Backdoor.Quimitchip.

As is often the case with malware these days, once the malware is installed, it downloads other modules from its command and control server.  For example, it was detected downloading several Perl scripts – used to map the network and attempt to logon to other machines.

Apple has released an update that will protect against future infections.  One article says that the Apple patch will detect currently infected machines but another one says future infections, so that part is not clear.

As a side note, the code also runs on Linux machines with the exception of one module which is a Mac binary, so even computers running Linux are not safe.

So, while Mac virus are still very rare, as Microsoft locks down Windows, hackers are branching out and looking for new opportunities.  If it is true that this malware was used to steal scientific and biomedical research, it makes sense that it would be geared towards Apple and Linux computers.

Information for this post came from Ars Technica and Malwarebytes Blog.

Facebooktwitterredditlinkedinmailby feather

CEOs Confident in Their Cyber Security As Losses Quadruple

Houston, we have a problem!

So goes the famous NASA mis-quote (Apollo 13 astronaut Jack Swigert actually said “Houston, we HAD a problem here”.  You may recall that the Apollo 13 capsule did limp home after aborting its mission.  The “problem” that they had was more like a catastrophe and it was, to most people, absolutely amazing that NASA was able to get the astronauts home safely.

This time the problem is CEO’s perception of their organization’s cybersecurity preparedness.

According to a study by the security firm Redseal, 80% of the CEOs responding are very confident of their cybersecurity strategy.

This is in spite of numbers from the accounting firm PriceWaterhouseCoopers that says that loses from cyberattacks will jump from $500 BILLION in 2014 to $2 TRILLION in 2018.

Back in 2014, FBI Director James Comey issued that now famous quote to 60 Minutes that said “there are two kinds of big companies in the United States – those that have been hacked and those that don’t know that they have been hacked.”

On the other hand, 87% of CEOs said that they need a better way to measure the effectiveness of their cybersecurity spending – while at the same time almost the same percentage, 84%, said that they will increase spending on cybersecurity in 2017.

The research firm IDC said that companies forecast spending over $100 billion in 2020 on cybersecurity software, services and hardware – up 38% from 2016.

There are several positive stats, however.

90% of the CEOs want information on a daily basis about their network’s health – but they need it in terms that they can understand. 79% of the CEOs say that cybersecurity is a strategic function that starts with the executive team and not IT.

The only stat that I am concerned with is that first one. If 80% of the CEOs think their cybersecurity posture is good, then why are we seeing the breach of the week.  These breaches are not from small companies – Target, Home Depot, Hilton, Starwood, etc.

I think that CEOs need to come to the realization that their preparation for and ability to respond to cyber attacks is not in good shape and then make it a corporate strategic program to deal with. If companies do not acknowledge the state of their cyber security preparedness then they will never be able to deal with the problems.

Information for this post came from Information Management.

Facebooktwitterredditlinkedinmailby feather

Changes to State Privacy Laws

Every year at this time there are new laws and this year is no exception.

Illinois, Nebraska and Nevada have added usernames or email to data elements that are considered personal information if that information is combined with other information that would let a hacker access your online account.  In other words, a username with a password or an email address with the answers to online security questions would be considered personal information.

California, Florida and Wyoming had already  passed laws adding these items to the list of personal information in 2014 and 2015.  In some of these states, an email address with the password OR security questions and answers EVEN if a person’s name is not attached to those items is considered personal information.

What this means is that businesses that collect email addresses need to be concerned about the fact that email addresses, when combined with certain other information, may be considered protected information.

Some states including Nevada, Rhode Island and Wyoming say that in order for an email address to be considered personal information it must be associated with at least a last name and first initial.  This means that the rules are different between, say, Florida and Nevada.  This makes things difficult for companies to be compliant.

Nevada and Rhode Island have added something called, in the law,
“access code” to the list of potential personal information, even though they do not define what an access code is.

Come the middle of 2018, American companies that do business in the European Union – meaning that they collect data on EU residents – will be required to follow the General Data Protection Regulation or GDPR.

Under the GDPR companies are required to notify the appropriate data protection officials WITHIN 72 HOURS  of a data breach unless it is unlikely that people will be at risk.

There have been a number of attempts to create a national data privacy/data breach law, but in all cases, those proposed federal laws would supersede state laws and offer less protection then the state laws that they would replace.  The proposed federal laws, for the most part, are the least common denominator of state privacy laws.  None of these attempts to pass a law have been successful and all have been met with strong opposition.

This does not mean that a federal law will not be passed at some point in the future because complying 47 or so state laws in the day of the Internet is really extremely difficult.  The JDSupra article below has a list of resources that will help people as they wrestle with the privacy law challenge.

Information for this post came from JDSupra.

 

Facebooktwitterredditlinkedinmailby feather

Browser Fingerprinting – Almost 100% Effective at IDing Anyone

Advertisers and web site owners have always wanted to know who is visiting their web sites and tracking interests across web sites.

Early on advertisers used cookies, but then users started blocking cookies or erasing them.

Then they moved on to Flash cookies which are very hard to erase.  But of course, a lot of people no longer run Flash.  In fact, several browsers (most recently Microsoft Edge on Windows 10) are blocking Flash entirely.

Advertisers and web site owners are never going to give up, of course.  It is too important to them to be able to track your behavior.

Browser fingerprinting has been popular for a little while.  The process uses API calls that the browser provides to characterize the system.  What fonts are installed in what order, the OS version, graphics card features and other parameters are combined to create a profile.  Put that all together and it provides a good picture of the device.

It used to be that browser fingerprinting was around 80% accurate.  Researchers in France last year bumped that up to around 90%.  A new technique from a group of U.S. researchers has bumped it up to over 99%. This new technique has the extra benefit of being able to track users across different browsers, so if you use Chrome sometimes and Firefox other times, this technique still tracks you.

There are ways to defeat this technique but none of them are simple.  Basically, you have to either present fake data to the browser or block the browser from calling certain APIs at all.

For example, there is a new API which allows the browser to see the percentage of charge left in your device’s battery.  While I am sure that you could come up some reason for why this is important, it isn’t that important.  Block the browser’s ability to get an answer to the battery charge and there is one less data element to use in mapping your device.

What you have to be careful about is that you don’t block too much information or the web page might not display correctly.  For example, if the browser tells the web site that your screen size is different than it is, it may not render the web page the way you want it to.

One way that does work is to use the TOR browser since it is designed to make your browsing experience anonymous.  It already disguises a lot of the browser parameters.  Most people are not going to take the performance and inconvenience hit of using TOR, so that is not really practical for most users.

But, stay tuned because as this technique becomes more popular, developers will make browser add-ons to deal with it. There already are some add-ons and there likely will be more.  How well they work – or not – is the next chapter in the cat and mouse game of tracking your actions.

Information for this post came from ZDNet.

Facebooktwitterredditlinkedinmailby feather

Peace Sign Could Mean Trouble – For Your Identity

Japanese researchers released a paper talking about the (hypothetical) risk of flashing the peace sign.

As we saw a couple of years ago with a German politician, a high definition photo from close enough (a few meters away according to the researchers) , with the right lighting, allowed the researchers to replicate the fingerprint.

Apparently, in Japan, taking selfies with the peace sign is popular, so people are posting many pictures with their fingers in them with their prints facing the camera.

While Snopes went all crazy on it and said the article was no longer there, it is there tonite, at least for me.

Since we know that this has already been done, there is really not much new here.

What is important to understand is that this is technically feasible and will only become more practical for an actual attack as digital cameras get better or people take better photographs.

In fairness to Snopes, they didn’t deny this was possible, they suggested that we should not panic.  I agree with Snopes on that, there is always time to panic later.

However, this is a good opportunity to point out that people are using biometrics in the place of passwords and I suggest (and many people agree) that this is a terrible idea.

One more time, we are trading security for convenience.

If you lock your iPhone with your fingerprint and someone compromises your fingerprint, how do you change your fingerprint?  I guess, the good news is that most people have ten fingers so you can keep rotating fingers until you run out.  If your fingerprints are compromised several at a time (say by lifting the prints of all of your fingers of one hand off a glass, then you might only be able to change it one time.

For most people, protecting their iPhone (and I am only using Apple as an example) is a pretty low priority and a low risk.

For other people biometrics protect a higher value asset, such as a safe.

For those of us who have seen Mission Impossible and other movies, they use biometrics incorrectly.

There is a distinction to security folks, between identifying someone and authenticating them.

Using biometrics to identify a person is fine.  Think of using your fingerprint (or iris or retina or other biometric) as a replacement for your user NAME, not your password.

Using it in that way is fine because it is not required to remain secret.

In data centers it is common to use biometrics to control access.  You look into a retina scanner or use a fingerprint to identify yourself.  Then you enter an 8 digit, for example, PIN to authenticate that it is really you.

This is a form of two factor authentication, there are two things that are required to gain access – something you have – like a fingerprint or hand geometry and something you know – a PIN.

So while I agree with Snopes that we should not panic over this Japanese report, I also think it is a reminder about the appropriate way to use biometrics and that is NOT to use it for authentication.

We have seen a few cases where law enforcement has forced people to press their finger on their phone to unlock it.  This is because your fingerprint is something your have.  There have been way fewer courts that have said that you can be compelled to unlock a device protected by a password.  That subtle distinction – something you have vs. something you know, makes all the difference when it comes to the Fifth Amendment.

And, on a more practical plane, whether it is the Japanese or the Germans or anyone else, you just make life much harder for the bad guys if you use two factor authentication.

So, it all boils down to security or convenience.  Your choice.  And all risks are not created equal, so sometimes convenience is fine.  Just not always.  Just make an informed decision.

Information for this post came from Japan Times and Snopes.

Facebooktwitterredditlinkedinmailby feather