Why Application Penetration Testing is Critical

Application penetration testing (pen testing) is more critical than ever, and today's news is only the most recent example of why.

Spiral Toys makes a line of Internet-connected teddy bears (aka smart bears, I guess) that allows parents and children who are physically apart to share personal messages.

Unfortunately for the purchasers of those bears, security was apparently an afterthought, as you will soon read.  There is the issue of brand reputation damage, of course.  My guess is that sales of Spiral's smart bears are now zero.

The story is that between last Christmas and early January, the messages and other account information, including passwords, were stored in a MongoDB database that was open to the Internet, not behind a firewall, and without even a password protecting it.

This was right around the time that researchers were pointing out that the default installation configuration of MongoDB was not secure and did not even protect the data with a password.
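As an added illustration (not from the original post, and not Spiral Toys' actual configuration), here are the mongod.conf settings that leave a database exposed in the way described above, followed by the corrected settings. Both fragments are constructed for this example.

```yaml
# Constructed example: the exposed configuration.
# Listening on every interface with authorization off means anyone who can
# reach port 27017 can read and modify every collection with no credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled  # no user or role is required for any operation
---
# Constructed example: the corrected configuration.
# Bind only to loopback (or the application server's private address),
# require authentication, and put a host firewall in front of the port as
# a second layer. After enabling authorization, create an admin user with
# db.createUser() in the admin database before restarting, or nobody can log in.
net:
  port: 27017
  bindIp: 127.0.0.1        # add the app server's private IP if it is remote
security:
  authorization: enabled   # every operation is checked against a user's roles
```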

The result is that 2 million messages from 800,000 customers, including those passwords, were exposed to anyone who looked.

The passwords were protected with the bcrypt hashing algorithm, but researchers say they are crackable anyway because of users' poor choice of passwords.

Spiral Toys, which Motherboard says appears to be located in California, could not be reached for comment.  Multiple emails went unanswered and no one answered their phones.

Motherboard says “the company appears to be in financial trouble and might be going bankrupt, given that their stock value is around zero.”

THAT is the ultimate consequence of making insecure products.  If the market responds appropriately, companies will go out of business.

For companies developing application software, whether it is for smart bears, business use or consumers, independent third-party application pen testing is a critical part of the software development process.

AND, you do not get to do that just once.  Every time you release a new version you need to go through the testing process again.  Every.  Single.  Time!  This is not optional.  It is mandatory.

We know of a company that was ready to sell a new software product to a very large multinational.  Making this sale was very important to the financial well-being of the company.  The multinational insisted on completing an application pen test prior to doing the deal.  When the third-party testers attempted to hack the software, they found it to be an easy target.  The developers spent a lot of long days and nights trying to redesign their software on the fly so that the penetration testers could retest it.  In many cases, the third party won't do that: they produce a report of the software's security state as it was and then let the company deal with the fallout, which may include having to wait for another available testing window, paying for the retest and possibly losing that deal.

In this particular case, the good news for the buyer is that some major security holes in the software are now fixed.  The bad news for the software vendor is that while they were able to band-aid some fixes, they now have to do some long-term software re-engineering.

If this company had included independent third-party application penetration testing as part of its security development lifecycle, these security flaws would have been caught much earlier in the development cycle, would have been easier and cheaper to fix, and would not have impacted the sale.

For their sake, I hope the toy company does not go out of business, but that is not a sure bet.

All because they didn’t consider application pen testing a mandatory requirement.

Information for this post came from Motherboard.


Google Sues Uber Over Stolen Documents

Google and Uber are both working on self-driving cars, for different reasons.  Google has had a strong lead in the game – until now.

Google's self-driving car subsidiary, called Waymo, says it has spent millions of dollars perfecting the technology for self-driving cars.

A former Google employee, Anthony Levandowski, started a self-driving truck company called Otto.  Uber, sensing it was behind in the self-driving game, bought Levandowski's company and put him in charge of its effort to create self-driving vehicles.

Only one problem.

Google claims that Levandowski “acquired” 14,000 documents from Google prior to leaving and starting what amounts to a competitor.

I’m guessing that Google looked at the Otto technology and figured it looked a little bit too familiar to them.

While this may seem like a game between giants – and it certainly is at one level – it is also a lesson for companies at all levels.

Every company has intellectual property.  Whether it is a customer list, software, business plans or technical know-how, as Google claims in its lawsuit against Uber, it is cheaper to steal it than to invent it.

While it is impossible to completely stop a person who is intent on stealing your IP, you can make it difficult.

We have one client who has disabled USB flash drives, and another who has removed DVD writers from PCs.  You can, and likely should, restrict access to data on a need-to-know basis, and you certainly should have legal agreements in place between the company and its employees regarding ownership of information.  You should also be logging, auditing and alerting.

Information theft is not limited to big companies like Uber and Google – it can affect even tiny companies.

And it even happens to security-conscious organizations like the NSA (remember Booz Allen NSA contractor Edward Snowden?).  Last year another Booz Allen NSA contractor, Harold Martin, was arrested, accused of stealing 50 terabytes of information and storing it at his house.  It does not appear he was out to sell it to anyone; he just liked to hoard data, although some of it may have been sold or hacked.

The real question is whether you have any information that might be valuable to a competitor.

And what you are doing to make it harder for them to get it.


Information for this post came from Wired.

You Own Your Car, But Do You Control It?

Smart cars are very in these days.  You can start the car remotely, lock or unlock the doors, even find out where the car is.  We also saw a smart car get taken over, turning the steering wheel 90 degrees while the car was going 60 MPH and controlling the gas and brakes.  But what happens when you sell it?  Conversely, what happens when you buy it?

In many cases, smart cars allow you to control the car from an app on your phone.  While you can't slam on the brakes from your phone (the researchers had to do quite a bit of work to accomplish that), you can do other things, whether you own the car or not.

A researcher at IBM's X-Force Red gave a presentation on the subject of dumb Internet of Things devices.  Not only could you control your car remotely, or more nerve-wracking, someone else's car, but recently we heard of a person who returned a web cam after setting it up to talk to his phone and a few weeks later got a message saying there was activity on the web cam: he was able to watch the new owners on his old camera.

In the case of the car, you can do a factory reset and/or delete your data, but neither of these will remove the app's ability to control your car.  Only the dealer can, apparently.  Likely, this depends on the car model and whether the equipment is original or add-on.

In addition, the data that has been collected over the years lives in the cloud and doing a reset on the car will not wipe the data out of the cloud.

For the most part, when people are done with an Internet of Things device, they kind of forget about it.  We are beginning to be trained about data on cell phones, but not about used web cams, cars or refrigerators.  With many of these devices having cameras, the original owner could get some "interesting" pictures.

My recommendation is that before you sell or dispose of an IoT device other than by crushing it to bits, you need to find out what it takes to disconnect from it.

On the other side, if you are buying a used IoT device (such as a used car), you need to make sure that you understand who has control of it.

In many cases, the seller or the middleman acting as the seller's agent has no clue how to remove access, or maybe even whether anyone has access.  All they want to do is get their money, so they will likely blow you off or belittle the problem.  You are going to need to take the bull by the horns and likely not trust the first answer that you get.

This is a bit of the wild west.  Time to get that lasso out and wrestle that security steer to the ground.  But just like in the Old West, wrestling that steer to the ground may not be easy.

Information for this post came from Naked Security.



Cloudflare Exposes Customer Secrets

Cloudflare, the company that helps web sites perform when under stress, including when under denial of service attacks, was the victim of a self-induced cyber breach.  For those who are not familiar with Cloudflare, it acts as a front end to a customer company's web servers.  With Cloudflare in front of a company's servers, the servers can stand up to incredible loads and massive denial of service attacks.

What is more amazing is how they handled it.

First a little bit of the story.

The bug likely exposed data between September of last year and this month.

Cloudflare modifies web pages that pass through its servers as part of the service it provides.  To do that, it created software that parses web pages and makes the needed changes.

Tavis Ormandy, a security researcher who works for Google, discovered a bug that caused the Cloudflare servers to send unintended data out with the modified web page.  The data exposed included authentication tokens, cookies, encryption keys and the text of whole packets.  To make matters worse, the exposed data might have come from any of Cloudflare's customers, not just the web site that the user was visiting.

In addition to that, some of the data was cached by Google.  While they didn't say, it is likely that Google's web crawlers were among the "users" that visited Cloudflare-fronted web sites.

Now the good part.

Once Tavis figured out what was going on, it was a Friday night and he knew that he needed to act fast.  An email to the help desk wasn’t going to cut it.

So he put out an emergency plea on his Twitter page.  Given who Tavis is, a LOT of people follow his Twitter feed.  The plea said that he needed to talk to someone on Cloudflare's security team NOW!

Again, given who Tavis is, Twitter did its Twitter thing and Cloudflare security reached out to Tavis quickly.  He explained the problem to them, and within 47 minutes they had deployed a fix that mitigated the problem but did not completely fix it.

Because of Cloudflare's size, they were able to quickly create one cross-functional team in San Francisco and another in London to work on the problem.  Working 12-hour shifts, they handed off the work internationally 24 hours a day until they were convinced they had all of the leaked data under control.

Within 7 hours they had a complete fix in place, but it took several days to work with Google to delete all of the cached data from Google's servers.  Working 24×7 with Google, they now believe that all of the leaked data has been purged, so they were able to notify customers of the situation.

I already received one email from a web site hosted behind Cloudflare telling me that I should change my password.  They said that we should expect many more notices given that Cloudflare protects millions of web sites.

Obviously, this was a pretty subtle bug, but what was amazing was that within 47 minutes they were able to deploy the initial mitigating changes and within 7 hours they were able to deploy a complete set of fixes.  By comparison, the same team that Tavis works for, Google's Project Zero, just disclosed a Microsoft bug because Microsoft was not able to even release a fix, never mind get it deployed, within 90 days.  7 hours vs. 90+ days is the power of the cloud.  One platform; total control over the environment.  That is an amazing benefit of cloud-based services.

While there is nothing for you to do regarding this breach itself, watch out for notices that tell you to change your password.  Unless you want to suffer the same fate that the DNC did during the election cycle last year, DO NOT click on any link in those emails.  Go to the appropriate web site yourself, log in and navigate to the password change page to change your password.

Pretty amazing story.

Information for this post came from Ars Technica and the Cloudflare Blog.

Yahoo Breach Update and the Verizon Merger

Right after Yahoo announced all of the different breaches, the expectation was that the Verizon merger offer would be modified or go away entirely.

Well, there is some news, and it is probably not as bad as it could be.  Many people were suggesting that the price would go down by a billion dollars and that Verizon would ask for a holdback of another billion dollars.

Luckily for Yahoo shareholders, it is not quite that bad.

Verizon negotiated a number of changes.  The first change is that the purchase price is reduced by $350 million.  Ignoring all other costs, and there are a lot of them, that means that this breach will cost Yahoo shareholders at least $350 million pre-tax.

Next, Yahoo and Verizon will split 50/50 many of the expenses associated with the breach, such as some government investigations and third-party litigation related to the breach.

However, Yahoo will be completely liable for all expenses related to the SEC investigation and shareholder lawsuits.

Put all that together and it is likely to cost Yahoo shareholders half a billion dollars or more.  Some of that is likely tax deductible, which will reduce the after-tax cost, but it will still be a significant number.

Depending on what the SEC does, that could be a significant cost – or not.

Shareholder lawsuits are much more dicey.  Most of the time, shareholder lawsuits, of which a number have been filed, fail.  This one COULD be different, since apparently Yahoo was aware of the breaches for over a year and didn't tell shareholders.  That would seem to be a problem.

For example, the shareholder lawsuit against Home Depot was dismissed and the Target shareholder lawsuit was withdrawn, but not until Target spent a lot of money dealing with it.

Bottom line: this is an example of a real-world cost of a breach.  The good news for Yahoo may be that Verizon didn't walk away from the deal completely, as it is unlikely that Yahoo could get another $4+ billion offer.

I am sure that it will be years before all the dust from the lawsuits and government reviews settles, and until then, both Verizon and Altaba (which is what the part of Yahoo that did NOT get sold will be called) will have to spend precious time and money dealing with it.  Both companies will no doubt have to reserve many tens of millions of dollars to pay for these costs.

All of this might have been avoided if Yahoo had spent more money on security rather than on a pretty user interface.

Information for this post came from CNBC and JD Supra.

Do Employers Have To Protect Employees' Personal Information?

At least in Pennsylvania, a court says the answer is no.  Here are the details.

The University of Pennsylvania Medical Center was hacked, and employees' personal information was taken and used to file phony tax refund claims.  Information taken included names, Social Security numbers, birth dates, addresses and salaries.

The Superior Court of Pennsylvania recently ruled that employees had no reasonable expectation that the data would be safe.

Really?  You have to be kidding!

In the court's defense, the court says that Pennsylvania law does not require employers to protect employees' personal data.

The court says that the workers turned over their data as a condition of employment, not for safekeeping, so there was no expectation of it being kept safe.

The court went on to say that businesses should not be required to spend the money to protect employees' data, since there is no guarantee that they won't be hacked.

That seems sort of like saying that car makers shouldn't have to spend money on making your car safe, since it is not possible to guarantee that nothing will ever go wrong with your car.

The judge claimed that the benefit of storing this information electronically outweighed the downside that the data may be compromised.

This is good news for employers in Pennsylvania since, apparently, they don't have to spend any money protecting employee records, and bad news for employees, since they apparently have no recourse if employers do not adequately protect their information.

The Superior Court is one of the appeals courts in Pennsylvania; it is unclear what recourse the employees might have to appeal this further.

It also only applies in Pennsylvania, so maybe the rest of the country is still safe.

The challenge, of course, is that the law moves very slowly compared to the rest of the world.  And for the rest of the world, that is a problem.

I don't pretend to be a lawyer, even on the Internet, so this may be a perfectly reasonable legal decision.  As a non-lawyer, this seems like an insane decision.  These people were hurt.  Since the hackers filed false tax returns, when the employees filed their real returns later, those people won't get their refunds or will have to spend time and money to get them.

This court, in its decision, asked why employers should have to spend money to protect employees' information, but it is apparently perfectly fine with forcing employees to spend money to deal with their employer's lack of security.  That doesn't seem right to me.

The courts are basically saying that the Pennsylvania legislature needs to deal with the problem, not the courts, and I can understand that, but in the meantime, 60,000 employees are left with a mess not of their making, but at their cost to deal with.

Information for this post came from Network World.