Better, but not Good Enough

There is a term in the cyber security world called dwell time.  Dwell time is the amount of time between when an attacker breaks in and when the good guys figure that out.

In 2011 the average dwell time was over 400 days.  According to a just released Mandiant report, that number is now only 100 days.

Over half of the attacks are discovered by the company that was hacked, but more than a third of the attacks are still discovered by outsiders like the police.

Compare that 100 days to this.  Verizon says that the time from the first attacker action to compromise is measured in seconds.  Or, maybe, in minutes.  That gives the attackers 99 days and change to laugh.

Information for this post came from Dark Reading.

Given this insane difference between the time to compromise and the time to be discovered, what should you be doing?

First, the amount of auditing or logging that companies do needs to increase dramatically.  If you are not auditing the right events then you cannot detect attacks.

Second, there needs to be an effective alerting process.  Effective means not too much.  Not too little.  Like Goldilocks, just right – but if you have to err, unfortunately, err on the side of too much.

Once those alerts are created, there needs to be an effective response plan.  There are plenty of situations where alerts are generated and then ignored or even unseen.

It is not a simple problem, but it is possible.  If we have cut the dwell time from 400 days to 100 days, can we cut it from 100 to 25?  Or less.  Improvement is incremental.
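The three steps above (audit the right events, alert on them, act on the alerts) can be made concrete with a small detection script.  This is an added example, not code from the original post: it runs a brute-force-then-success rule over a constructed SSH-style auth log, shows that the same rule finds nothing when failed logins are not audited, and measures dwell time, in the post's sense, for an alert that is acted on immediately versus one left until a weekly review.  The log format, timestamps and addresses are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). One source address fails five
# times against the "admin" account and then gets in; a normal user logs in later.
SAMPLE_LOG = """\
2018-04-20T02:10:01Z sshd auth=fail user=admin src=203.0.113.7
2018-04-20T02:10:03Z sshd auth=fail user=admin src=203.0.113.7
2018-04-20T02:10:05Z sshd auth=fail user=admin src=203.0.113.7
2018-04-20T02:10:07Z sshd auth=fail user=admin src=203.0.113.7
2018-04-20T02:10:09Z sshd auth=fail user=admin src=203.0.113.7
2018-04-20T02:10:12Z sshd auth=ok user=admin src=203.0.113.7
2018-04-20T09:15:44Z sshd auth=ok user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source has >= threshold failures inside `window` and then a success."""
    alerts = []
    failures = {}  # src -> timestamps of recent failures
    for ev in events:
        src = ev["src"]
        if ev["result"] == "fail":
            recent = [t for t in failures.get(src, []) if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[src] = recent
        elif len(failures.get(src, [])) >= threshold:
            alerts.append({
                "alert_time": ev["ts"],
                "src": src,
                "user": ev["user"],
                "first_seen": failures[src][0],  # attacker's first visible action
            })
            failures[src] = []
    return alerts


def dwell_seconds(alert, acted_at):
    """Dwell time as the post defines it: first attacker action to the moment defenders notice."""
    return int((acted_at - alert["first_seen"]).total_seconds())


def only_successes(events):
    """Simulate auditing the wrong events: successful logins kept, failures never recorded."""
    return [ev for ev in events if ev["result"] == "ok"]


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    alerts = detect_brute_force(events)
    if not alerts:
        return {"alerts_with_failure_logging": 0, "alerts_without_failure_logging": 0}
    first = alerts[0]
    return {
        "alerts_with_failure_logging": len(alerts),
        # Same log with failures stripped out: the detection has nothing to work with.
        "alerts_without_failure_logging": len(detect_brute_force(only_successes(events))),
        # Alert handled as soon as it fires vs. left in a queue until a weekly review.
        "dwell_seconds_if_acted_on_alert": dwell_seconds(first, first["alert_time"]),
        "dwell_seconds_if_reviewed_weekly": dwell_seconds(first, datetime(2018, 4, 27, 9, 0, 0)),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With failures audited the rule fires within seconds of the successful login; with only successes audited the same attack is invisible, and an alert that sits until a weekly review turns an 11-second dwell time into a week.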


Google to Add GMail Features – Maybe – For A Fee?

Google has an interesting strategy.  Build prototypes of products.  Show them or leak them.  See if anyone cares.  Kill them if it doesn’t work out, often after many users are already using them – there are lots of examples.

One other thing that they do is attempt to lock users into the Google ecosystem.  Of course.

Tech Crunch is reporting that Google is working on a self destructing email (like Snap Chat for email?).  But it only works if both users are on GMail and only if both users use the web client for GMail.  Sounds a bit limiting.  If one user is not using the GMail web client, they get a link instead that takes them to the web.

They may also be adding a feature to stop printing and stop forwarding.

Again, if they do, it will only work for GMail on both ends and only with the GMail web client.

Information for this post came from The Register.

So what does this mean?

Well first, what seems to be missing is end to end encryption, which seems like a pretty important feature.

But encryption stops them from reading your email and doing things that they like to do.  They don’t read your emails to target ads – they have better ways to target ads – but they do read them for other features.

Next, the speculation is that this will only be available under the paid GMail model (GMail for business).  The paid version costs either $10 or $25 a month per user.  At that price there are competitors.

As of last year, Google said that they had 3 million paying users.  Microsoft says that they have 60 million paying Office 365 users and adding 50,000 customers (not mailboxes) a month.  Google never wants to play second fiddle.

It is certainly possible that they will give it away for free, but given that they are so far behind Microsoft, maybe not.  With GDPR taking effect in the European Union next month, and other countries (not including the U.S.) following the EU’s lead, ad revenue might be less predictable going forward.  Millions of monthly paying customers might be nice.

If you are looking for a free answer for secure email, ProtonMail is a good choice.  They also have a paid version with more features, but the free version is pretty good.

Office 365 has nice security features at well below $25 a month.  Microsoft has said that they are about to roll out end to end encryption for all paid Office 365 users at all levels.

The bottom line is that if you are looking for a secure email solution there are some decisions to make.  To me, Google’s solution is not so great.

 


Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  They get the information from scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so you make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them (Source: ZDNet).

 


Credit Cards in the Cloud, Oh My!

Way back in the dark ages of 2013 the PCI Security Standards Council (PCI SSC) released a document regarding processing credit cards in the cloud.  It was 52 pages.

This month the PCI SSC released a new version of that same document.  It is now 83 pages.

This version seems to better understand the risk of the cloud – where you don’t even know what precise infrastructure you are running on.

Ultimately, if you accept credit cards, you own the risk and, contractually, you are responsible, even if the cloud provider says “trust us”.

Information for this post came from The Register.

What does this mean for you?

Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.

Some companies have outsourced payment cards to companies like PayPal or Square.  That used to mean that you weren’t accountable for security, but that changed a couple of years ago.  The requirements are simpler, but you are still responsible.

But let’s say you are a company that does e-commerce and the servers run in the cloud.  You may collect the credit card info and hand it off to a gateway.  This applies to you.

In general, all companies that accept credit cards are required to complete an assessment at least once a year.  The PCI Council has created over a dozen different assessments, depending on your configuration.

For everyone but the largest players, you can do the assessment yourself.  You can also get an outside provider to help you complete the assessment.  We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.

Your credit card processor can fine you or drop you altogether if you do not provide them your completed assessment if they ask.

Also, the assessment is pass-fail.  Either you answer all the questions correctly, or you fail.  One NO is a fail.

If you have questions, please give us a call.

 

 

 

 


GrayKey iPhone Cracking Software Can Unlock Phones in a Few Hours

It wasn’t so long ago that 4 digit passcodes were the norm.

Now 6 digit passcodes are obsolete.

GrayKey, the new kid on the block offering low cost cracking of iPhones up to and including the iPhone X, requires users who are concerned about that to change their password habits.

Pricing on GrayKey, supposedly, is $15,000 to unlock 300 phones ($50 a phone) or $30,000 to unlock an unlimited number of phones.

At that price, the cops are falling over themselves to buy these things.  DHS is interested, along with the FBI.  The Maryland State Police has bought some as has Cincinnati.  My guess is that, at that price, there are lots of other agencies that have bought them.  This likely means that the conversation about “going dark” is a bit overblown.

In fact, Congress asked the FBI to ‘splain itself.  As the FBI is saying that they need to weaken device and app security by adding back doors that are unlikely to stay secret for long (you may remember that the master keys that DHS has for those travel locks on your luggage were ALL compromised when some genius at DHS allowed reporters to take pictures of the keys for an article), Congress is asking if they have used products like GrayKey to try unlocking those devices.

Since, for the most part, people choose short, obvious PINs (1234 or maybe 123456), those tools likely work pretty well.

6 digit passcodes (I gather this means 6 numbers) can be cracked in 11 hours on average (double that, worst case) using the software.

According to noted Johns Hopkins Cryptographer Matthew Green, an 8 digit passcode would take 92 days worst case (46 days on average) and a 10 digit passcode would take 9,259 days.

Information for this post came from Motherboard.

 

What this means for the user is that, if you care about privacy, longer passcodes are better.  Alphanumeric passwords are better.  Words not in the dictionary are better.  Combining upper case, lower case and numbers in a somewhat random way (Monkey123 doesn’t count as strong even though it technically meets most of the criteria) is the best strategy.

It’s really pretty simple.  Longer is better.  The GrayKey software cracked some passwords in 30 seconds.
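The figures quoted above (11 hours average for 6 digits, 92 days worst case for 8, 9,259 days for 10) are all the same arithmetic: keyspace divided by a fixed guess rate.  The following is an added example, not code from the post or from Matthew Green, that reproduces those numbers and then extends the same calculation to the alphanumeric passcodes the post recommends.  The guess rate of 12.5 attempts per second is an assumption derived here from the 10-digit figure; the list of common passcodes is constructed for the example.

```python
import math

SECONDS_PER_DAY = 86400

# Guess rate implied by the post's figures (an assumption derived here, not a
# number from the post): 10 digits in 9,259 days means 10**10 guesses in
# 9259.26 * 86400 s, i.e. 12.5 guesses per second, one attempt every 80 ms.
GUESSES_PER_SECOND = 12.5

# Alphabet sizes for the passcode types the post compares.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "upper+lower+digits": 62,
}

# A tiny constructed list standing in for the "short, obvious PINs" the post mentions.
COMMON_PASSCODES = ["1234", "0000", "123456", "111111"]


def keyspace(length, alphabet_size):
    """Number of distinct passcodes of this length over this alphabet."""
    return alphabet_size ** length


def worst_case_days(length, alphabet_size=10, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at a fixed guess rate."""
    return keyspace(length, alphabet_size) / rate / SECONDS_PER_DAY


def average_days(length, alphabet_size=10, rate=GUESSES_PER_SECOND):
    """A uniformly random passcode is found, on average, halfway through the keyspace."""
    return worst_case_days(length, alphabet_size, rate) / 2


def entropy_bits(length, alphabet_size):
    """Strength measure independent of the guess rate: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_days(passcode, alphabet_size=10, rate=GUESSES_PER_SECOND):
    """Expected time for a specific passcode: common ones fall in the first few
    guesses regardless of length, everything else is treated as random."""
    if passcode in COMMON_PASSCODES:
        return (COMMON_PASSCODES.index(passcode) + 1) / rate / SECONDS_PER_DAY
    return average_days(len(passcode), alphabet_size, rate)


def comparison_table(lengths=(4, 6, 8, 10)):
    """Average crack time in days for each length and alphabet."""
    return {name: {n: average_days(n, size) for n in lengths}
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for name, row in comparison_table().items():
        print(name, {n: f"{days:,.1f} d" for n, days in row.items()})
```

The table makes the post's advice quantitative: at the same guess rate, 6 random digits fall in about half a day, while 6 random mixed-case alphanumerics take on the order of 144 years to exhaust, and a 4-character alphanumeric code already carries more entropy than a 6-digit PIN.  The common-PIN case shows why "longer" only helps when the code is not one of the obvious ones.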


Email Breach at Oxygen Equipment Maker Affects 30,000

Oxygen equipment maker Inogen announced that information on 30,000 customers was hacked as an attacker compromised the credentials of an employee.

In the grand scheme of breaches, this one barely registers.  Yes, HIPAA protected information was taken (and Health and Human Services may come after them in, say, 2021), but it is another example of totally preventable self-inflicted wounds.

OK, now that I have sufficiently beaten them up, let’s look at what they did wrong.

The company is publicly traded so they need to be SOX compliant.  They should have a Board advising them on issues like cybersecurity, but likely not.  Totally silent on the issue.

The breach went from January 2 to March 14 – certainly not the longest breach, but certainly not the shortest.  I know of an incident recently where a company received indicators of a breach at 6:30 AM one day and had contained and mitigated the breach before 9:00 AM the same day and they are looking to shorten that window.  What kind of monitoring and alerting did Inogen have?  Over two months for the hacker to do the dastardly deed?  Obviously, not good enough.

The stolen emails contained name, address, phone number, email address, date of birth, date of death, Medicare ID number, insurance information and type of equipment.  What is that doing in email?  That belongs inside a secure application or web portal.  Not only is this a HIPAA violation before the breach, it is a privacy breach after the event.  The company is based in California, so the Attorney General may be rattling their cage as well.

The worker’s credentials were compromised and then the attacker logged in. From another country.  Two factor authentication would have neutered the attack and, failing that, conditional access geo-fencing would have stopped the attacker cold.  Where was their CISO?  Do they even have one?
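To make the two controls named above concrete, here is an added example (not Inogen's code and not any vendor's conditional-access product) of a sign-in policy evaluator.  It takes constructed sign-in events carrying a source country and a "second factor verified" flag, and shows that a stolen password used from another country sails through a password-only policy, is refused by a policy that merely requires MFA, and is refused even earlier by one that also geo-fences.  Resolving the source IP to a country is assumed to happen upstream; "ZZ" is a placeholder country code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    country: str      # resolved from the source IP by an upstream geo-IP step (assumed)
    mfa_passed: bool  # a second factor was verified for this sign-in


@dataclass(frozen=True)
class Policy:
    require_mfa: bool
    allowed_countries: frozenset  # empty means no geo restriction


def evaluate(policy, login):
    """Return (decision, reason). The geo-fence is checked first so a stolen
    password used from an unexpected country is refused before any factor is tried."""
    if policy.allowed_countries and login.country not in policy.allowed_countries:
        return "deny", f"sign-in from {login.country} is outside the geo-fence"
    if policy.require_mfa and not login.mfa_passed:
        return "deny", "second factor not satisfied"
    return "allow", "policy satisfied"


def evaluate_all(policy, logins):
    """Evaluate a batch; the denied sign-ins are what the monitoring side should alert on."""
    results = [(login, *evaluate(policy, login)) for login in logins]
    denied = [login for login, decision, _ in results if decision == "deny"]
    return results, denied


# Policies: what a password-only shop effectively runs, MFA alone, and MFA plus geo-fence.
PASSWORD_ONLY = Policy(require_mfa=False, allowed_countries=frozenset())
MFA_ONLY = Policy(require_mfa=True, allowed_countries=frozenset())
HARDENED = Policy(require_mfa=True, allowed_countries=frozenset({"US"}))

# Constructed sign-ins (not real events). "ZZ" is a placeholder country code.
EMPLOYEE_IN_OFFICE = Login("employee", "US", True)
EMPLOYEE_NO_MFA = Login("employee", "US", False)
STOLEN_PASSWORD_ABROAD = Login("employee", "ZZ", False)


if __name__ == "__main__":
    for name, policy in [("password only", PASSWORD_ONLY), ("mfa only", MFA_ONLY), ("hardened", HARDENED)]:
        results, denied = evaluate_all(policy, [EMPLOYEE_IN_OFFICE, EMPLOYEE_NO_MFA, STOLEN_PASSWORD_ABROAD])
        print(f"--- {name}: {len(denied)} denied")
        for login, decision, reason in results:
            print(f"  {login.user} from {login.country} mfa={login.mfa_passed}: {decision} ({reason})")
```

The denied list is the hook for the monitoring side: a refused sign-in from outside the fence with valid credentials is itself a strong indicator that the password is already in someone else's hands.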

One thing they did right – they disclosed the breach in their latest SEC filings. In light of the SEC’s new cybersecurity transparency rules, that is probably a very smart move (to disclose).  One less party out to sue them.

In the SEC filing the company said they hired a forensics firm and made users change their passwords.  Definitely impressive (not).

They have also turned on two factor authentication.  A little late, but better late than never.

Oh, yeah, they have started training.  Nice.  Would have been nicer years ago.

One challenge is the founders are a few young kids who did not, until this, have many battle scars.

I am guessing they are getting those scars now.

Finally, they say in the SEC filing that they have insurance but it may not cover the costs.  Cyber insurance is good, but you better have enough and the right options.  Depending on what lawsuits happen and what regulators (such as Cali and HHS) go after them, this could cost them a couple of million or more.  Depending on what coverage they have, they could be writing all or part of that check themselves.

As a side note, Airway Oxygen, likely a competitor, told HHS last June that they had a breach affecting 500,000 customers.

CardioNet paid a fine to HHS last year of $2.5 million.  That is just the fine and doesn’t cover any other costs.  With a fine like that, Inogen’s total costs could be in the $3-$5 million range.  If they have a $1 million cyber policy, they will be writing a large check.

Other companies could learn from their lessons.  The learning part is free.  OR, they can wait until their story is in the news.  That can be a tad more expensive!

Information for this post came from Careers Info Security.
