Logon Using Facebook ID? Understand the Devil’s Bargain You Made

Security.  Convenience.  Pick one!  That is my forever mantra.

Now we are finding out that when you log in to your favorite site using “Login with Facebook” your data is exposed to third parties.  Nice.

According to research from “Freedom to Tinker” at Princeton, when a user logs in using Facebook’s API, JavaScript on the site is able to grab your profile data and email address, and maybe more.

Facebook, currently in a world of hurt (worldwide) over the Cambridge Analytica mess, is magically very sensitive to people – other than them – stealing your data.

As of right now, they have suspended the ability to link userids to Facebook profile pages and are looking at what else they are willing to do to contain the damage while not damaging their business model of allowing everyone to capture and sell your data.

If all of a sudden web site operators and advertisers can no longer scrape your data, ad revenue may be flushed down the toilet.

Information for this post came from CNBC.

So, given the above, what should you do?

First I want to make one thing clear.  Facebook is only one culprit in this game and while it is fun beating Facebook up, we should not lose track of the bigger picture.

Anytime you log in to website “B” using the userid and password from website “A” (such as using your Facebook ID to log into BandsInTown), you run the risk of exposing yourself.

While right now we are only talking about your profile and email being exposed, the developer API documentation on Facebook’s web site says:

To ask for any other permission, your app will need to be reviewed by Facebook before these permission become visible in the Login Dialog to the public who’re logging into your app with Facebook.

I gather this means that other apps may have more of your information than we are talking about in this situation based on how well the app developer has conned Facebook (think Cambridge Analytica) or even how much they paid Facebook.

Also, the site that you log in to with your Facebook ID could compromise your ID and password, and then every other site that you also log in to with your Facebook ID will be exposed as well.

The best solution to this is to log in to each site with its own userid and password.

Use a password manager to track this for you.  Most password managers will pick crazy passwords for you, and since they enter them in the login page automatically, you don’t have to remember them.  Win-win – better passwords and easier for you.

If you are not willing to do this, then, at least, only do this for accounts that you don’t care about – what I call throw-away accounts.  Don’t do it for any account that has access to your credit card information (any e-commerce site) or bank account information.

Ultimately, the choice is yours.  Security or convenience, pick one.

And Facebook is only one site that does this shared login thing.  The problem is the same with all of them.  The list of OAuth providers (OAuth is the technical term for this process) is long, including Google, Etsy, Flickr, Instagram and many more – see a list of them here.


Friday News

FDA Begins Process to Change Patching of Medical Devices

The Food and Drug Administration is beginning to understand that their 19th century strategy, which requires manufacturers to recertify their products every time they apply a patch, only leads to the devices being hacked – which they are being, regularly.  They have also asked Congress for more authority to manage the cyber security process, including creating a cyber advisory board.  They are talking about requiring medical device makers to integrate patchability into device design.  Lastly, they are considering requiring manufacturers to provide the FDA with a software bill of materials at submission time.  Note that mostly, this is talk, so expect this process to take years.  In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).

Hey Alexa, Are You Hacked?  Again?

Checkmarx researchers built a proof of concept attack using Amazon Echo “skills”, those extensions that allow third parties to add features to an Echo.  Until the exploits were patched earlier this month, the attacker would have been able to capture and transcribe every word you said within range of an Echo.  Glad they are the good guys.  The moral is that with convenience comes risk.  You have to decide what your acceptable level of risk is (Source: Threatpost).

For Drupal Users is the Third Time a Charm?

For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions.  This patch is a follow-on to Drupalgeddon 2, which allows a hacker to take over the server and, if there are other servers on the network or other servers that the attacked server can talk to, use that compromised server as a launchpad for further attacks.  Just in case anyone has forgotten, this is exactly what allowed the Equifax breach – a forgotten patch in the Apache Struts web framework.  If you have not applied this patch along with the other two, today is a good day to do that, since there are active exploits for this vulnerability in the wild (Source: The Register).

Ever Wonder if Hotel Keycard Locks are Safe?

Well, wonder no more.  Researchers are scheduled to disclose, later this month at a security conference, a security vulnerability in older generation Vingcard locks, covering a million rooms in over a hundred thousand hotels.  The attack takes about a minute and creates a master key for the entire hotel.  The bad news is that there really is nothing that you, as a guest, can do about it.  Assa Abloy, who make the locks, has created a fix, but the fix has to be downloaded and manually deployed to each individual room lock, so likely many hotels have not done this labor intensive task (Source: Wired).

FISA Court Denies More Requests in Last Year than in Entire History

The secret FISA court that approves classified snooping requests for the FBI and NSA turned down 26 requests in full last year and 50 requests in part.  That is compared to 21 denials from the court’s founding in 1976 through the end of the Obama presidency.  Out of 1,100+ requests last year that is still a small number, but it is an indication of a higher level of review (Source: ZDNet).


Software Supply Chain Attacks are Real

For those of you who have been reading my blog for some time, you know that I have written about the software supply chain security problem.  In a nutshell, the problem is that programmers rarely write code from zero anymore.  Instead, teams write pieces of code and integrate them.  Then there is limited testing due to time and budget.  Finally, everyone crosses their fingers and the code is released.

The folks at CCleaner discovered the hard way that it doesn’t always work out the way you expected.  Or hoped.

About 6 months ago researchers at Talos (a part of Cisco) and Morphisec discovered that the absurdly popular disk cleaner software CCleaner had been compromised and that infected software was being downloaded from the official web site, and had been for a month.

Worse yet, the code was cryptographically signed, meaning two things.  Most users would trust it, and the attack happened from within CCleaner’s four walls.

Finally more details of the story are coming out; useful for anyone else that writes software, for free or for money, and distributes it to outside parties.  This could be YOU!

2.27 million infected downloads (in just a month) later, Avast, the owner of CCleaner, is spilling the beans.

Not only is this a software supply chain lesson, but it is also a merger and acquisition lesson, because this was discovered right after Avast bought CCleaner from Piriform.

The attackers had stolen credentials and used them to log into Piriform’s London network using the remote desktop software TeamViewer that Piriform used.  From there they infected other computers, only working at night when the computers were likely not in use, to avoid detection.

They then installed malware called ShadowPad, which allowed them, among other things, to log every single keystroke on the infected machines.

Then they waited.  Two months after the acquisition closed, they infected the software inside the fence and waited for the infected software to be signed and uploaded to the web.

The attackers were very smart on top of this.  While 2.27 million infected copies were downloaded and 1.65 million copies asked the control server for instructions, only 40 payloads, representing 11 highly targeted companies, were activated with a second stage.  That is very patient: being willing to have over two million copies downloaded in order to infect just 40 very precise targets.  Those targets were in particular tech companies like Cisco.

Information for this post came from Wired.

So what does this mean for you?

First, if you are acquiring a company – or selling one – this could happen to you.  If you are the seller, you could be sued for millions.  If you are the buyer, you could be on the hook for millions.  It all hinges on the words in the contract.  CONDUCTING SOFTWARE SECURITY DUE DILIGENCE DURING AN ACQUISITION IS VERY IMPORTANT.  This is an example of why.

While this is not an example of downloading an infected library, the library did get infected.  How did the bad guys infect the code and get it checked in to the official library?  How come no review detected the added code that no one officially added?  The SECURE SOFTWARE DEVELOPMENT LIFECYCLE process might have caught this.

Could this have been caught during testing?  Probably.  You would have needed to be watching where on the Internet CCleaner was talking to – and noticing that it shouldn’t have been.  In fact, since it was trying to talk to Russia and Korea, that could have been an alarm bell, since the test network likely should never have tried to do that.  But you have to be looking for it.

How come the attackers were able to compromise TeamViewer in the first place?  My bet is that Piriform was not using two factor authentication.  Bad boys and girls.  I know two factor is not friendly.  Neither is having 2 million infected copies of your software downloaded by your customers.
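One way to do the watching the previous paragraphs describe, as an added example that is not from the original post or from Avast/Piriform: take an egress log from a build or test network, allow only the destinations the product under test is expected to reach, and alert on everything else. The log lines, the process name, the hostnames and the allowlist are all constructed placeholders for this example.

```python
"""Flag unexpected outbound connections from a build/test network (added example)."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "ts process dest port")

# Constructed sample egress log; hostnames and IPs are placeholders, not real indicators.
SAMPLE_LOG = """\
2017-08-15T02:13:07Z proc=ccleaner.exe dst=update.example-vendor.test port=443
2017-08-15T02:13:09Z proc=ccleaner.exe dst=speccy.example-vendor.test port=443
2017-08-15T02:14:31Z proc=ccleaner.exe dst=unexpected-host.example port=443
2017-08-15T02:15:02Z proc=ccleaner.exe dst=203.0.113.45 port=80
2017-08-15T02:16:44Z proc=explorer.exe dst=unexpected-host.example port=443
"""

# Per-process allowlist (constructed): the only hosts the product under test may reach.
ALLOWED = {
    "ccleaner.exe": {"update.example-vendor.test", "speccy.example-vendor.test"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_log(text):
    """Parse the constructed log format above; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["ts"], m["proc"], m["dst"], int(m["port"])))
    return conns


def unexpected_egress(conns, allowed):
    """Connections by a watched process to a destination outside its allowlist.
    Processes absent from the allowlist are not watched (explorer.exe above is ignored)."""
    return [c for c in conns if c.process in allowed and c.dest not in allowed[c.process]]


def summarize(conns, allowed):
    """Map each flagged destination to a hit count; bare IP destinations are tagged,
    since a product phoning home to a raw address rather than a vendor name is itself odd."""
    summary = {}
    for c in unexpected_egress(conns, allowed):
        key = c.dest + (" (raw IP)" if IPV4_RE.fullmatch(c.dest) else "")
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for dest, hits in summarize(parse_log(SAMPLE_LOG), ALLOWED).items():
        print(f"ALERT unexpected egress: {dest} x{hits}")
```

In a real test network the log would come from the firewall or proxy rather than a string, and the allowlist from the product’s documented update and telemetry endpoints.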

In the end you need to look at the entire software development process and think like a hacker to decide where he or she could compromise the process.

Obviously, these guys did.

How many other companies are already infected and don’t even know it?  THAT IS WHAT IS SCARY!


Better, but not Good Enough

There is a term in the cyber security world called dwell time.  Dwell time is the amount of time between when an attacker breaks in and when the good guys figure that out.

In 2011 the average dwell time was over 400 days.  According to a just released Mandiant report, that number is now only 100 days.

Over half of the attacks are discovered by the company that was hacked, but more than a third of the attacks are still discovered by outsiders like the police.

Compare that 100 days to this.  Verizon says that the time from the first attacker action to compromise is measured in seconds.  Or, maybe, in minutes.  That gives the attackers 99 days and change to laugh.

Information for this post came from Dark Reading.

Given this insane difference between the time to compromise and the time to be discovered, what should you be doing?

First, the amount of auditing or logging that companies do needs to increase dramatically.  If you are not auditing the right events then you cannot detect attacks.

Second, there needs to be an effective alerting process.  Effective means not too much.  Not too little.  Like Goldilocks, just right – but if you have to err, unfortunately, err on the side of too much.

Once those alerts are created, there needs to be an effective response plan.  There are plenty of situations where alerts are generated and then ignored or even unseen.

It is not a simple problem, but it is possible.  If we have cut the dwell time from 400 days to 100 days, can we cut it from 100 to 25?  Or less.  Improvement is incremental.


Google to Add GMail Features – Maybe – For A Fee?

Google has an interesting strategy.  Build prototypes of products.  Show them or leak them.  See if anyone cares.  Kill them if it doesn’t work out, often after many users are already using them – there are lots of examples.

One other thing that they do is attempt to lock users into the Google ecosystem.  Of course.

TechCrunch is reporting that Google is working on a self destructing email (like Snapchat for email?).  But it only works if both users are on GMail and only if both users use the web client for GMail.  Sounds a bit limiting.  If one user is not using the GMail web client, they get a link instead that takes them to the web.

They may also be adding a feature to stop printing and stop forwarding.

Again, if they do, it will only work for GMail on both ends and only with the GMail web client.

Information for this post came from The Register.

So what does this mean?

Well, first, what seems to be missing is end to end encryption, which seems like a pretty important feature.

But encryption stops them from reading your email and doing things that they like to do.  They don’t read your emails to target ads – they have better ways to target ads – but they do read them for other features.

Next, the speculation is that this will only be available under the paid GMail model (GMail for business).  The paid version costs either $10 or $25 a month per user.  At that price there are competitors.

As of last year, Google said that they had 3 million paying users.  Microsoft says that they have 60 million paying Office 365 users and adding 50,000 customers (not mailboxes) a month.  Google never wants to play second fiddle.

It is certainly possible that they will give it away for free, but given that they are so far behind Microsoft, maybe not.  With GDPR taking effect in the European Union next month, and other countries (not including the U.S.) following the EU lead, ad revenue might be less predictable going forward.  Millions of monthly paying customers might be nice.

If you are looking for a free answer for secure email, ProtonMail is a good choice.  They also have a paid version with more features, but the free version is pretty good.

Office 365 has nice security features at well below $25 a month.  Microsoft has said that they are about to roll out end to end encryption for all paid Office 365 users at all levels.

The bottom line is that if you are looking for a secure email solution there are some decisions to make.  To me, Google’s solution is not so great.


Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did, and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.  The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  They get the information from scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them (Source: ZDNet).
