Cybersecurity is not an IT Problem

Opinion

People sometimes ask why IT can’t fix the cybersecurity problem.  The reason is pretty simple.  Cybersecurity is not an IT problem.

IT can make systems very secure.  Only problem is that employees won’t be able to get their job done.  No mobile.  No WiFi.  No personally owned computers.  Really long complex passwords.  You get the idea.

Several British companies have decided that the way to improve security is to implant a microchip in the hand of several hundred thousand employees instead of giving them a badge.

After all, what could go wrong?

Kind of like your cat.  After all, the pet door that is supposed to open with your cat’s chip always works, right?

If an employee wants to go to the bathroom, wave your hand in front of the bathroom door.  If you have already taken a bathroom break this morning maybe the door won’t open.

What happens when your “badge” stops working (I am sure that those of you who have a work badge or have gone to a hotel have never experienced that)?

Who pays for the medical bills if there are complications?

What happens when you change employers?

And, of course, you can’t turn it off on the weekends or at night.

Can you opt out?  Your cat didn’t have a choice.

Now the PR Spin.

KPMG said it was not considering microchipping its employees and would, under no circumstances, consider doing so.

So while, apparently, some employers ARE considering microchipping their employees, think about this:

  • Equifax couldn’t patch all of their servers
  • Target didn’t isolate a server that a refrigeration vendor used to find out what cooler needed repair from their credit card system
  • Home Depot wasn’t PCI compliant when they were hacked;  their lead security engineer was a convicted felon (Ricky Joe Mitchell was convicted of sabotaging his former employer) and it has been widely reported that when the security team asked for more funding to improve security they were told that Home Depot was in the business of selling hammers – how does this help us sell more hammers?
  • It seems that every week we hear about another company that “accidentally” allows anyone on the planet to download the content of their Amazon S3 storage buckets containing userids, passwords and all kinds of confidential information.

If businesses cannot handle the security basics, microchipping their employees is not going to help.

99% of the time, security is about the basics.  Every now and then it requires heroic efforts, but those times are relatively few.

This issue is gonna be with us for a while.  A long while.  Anyone who is hoping for a silver bullet solution – I have a bridge in Brooklyn for sale cheap.

SORRY!

Information for this post came from Slate and The Guardian.


Amazon Continues to Try and Secure S3 Storage

As we continue to hear in the news about Amazon storage bucket breaches, Amazon continues to try and stem the reputational damage.  I am not aware of any of those data spills being caused by bugs in Amazon software, but the reputation damage is still real.

Over the past year or so Amazon has made a number of changes:

  • All newly created S3 buckets are by default private.  This means that breaches of data from any S3 buckets created after the date of this change were caused by a user intentionally making the data public for some reason.
  • Next, Amazon created a tool that allows admins to figure out what S3 objects were publicly visible (see this article for more details).  After this change, any admin could, with a small amount of effort, see if any of their S3 data was publicly exposed.

Even after these changes, there were breaches every month.  To be really blunt, companies that were still leaking data just weren’t paying attention.  There just is no reason why we continue to have data leaks, but we do.

In fairness, part of the problem is that it is so easy to create resources on Amazon and companies often do not have the right controls in place.  People create storage repositories and forget about them or leave the company or change jobs.  Now we have orphaned data.  Sometimes publicly exposed.

Whether data is stored locally or in the cloud, proper IT governance is critical to protect company information.

Enter S3 Block Public Access.  With this new feature admins can selectively or totally block all public access from a single console.

While this may be a bit of a sledge hammer, it is pretty effective if used correctly.

This tool will actually block public access to S3 data even if a user accidentally tries to make it public.  It should be totally effective if people use it correctly.

However, I predict that people will not use it, just like the tools that have already been deployed.

If this tool is used correctly, it will also protect those orphaned buckets.

What it will not protect against is unauthorized Amazon accounts that are not tied to the main corporate accounts.
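To make the mechanics concrete, here is an added example (not Amazon’s code or documentation) that models how the four Block Public Access settings interact with bucket ACLs and bucket policies, and how an account-level block neutralises an orphaned bucket that somebody made public years ago. The bucket names and the inventory are constructed, and “public policy” is reduced to a single flag for illustration.

```python
"""Model of S3 Block Public Access semantics (constructed teaching example,
not AWS code).  The real switches are `aws s3api put-public-access-block
--bucket ...` (bucket level) and `aws s3control put-public-access-block
--account-id ...` (account level); this models their combined effect."""
from dataclasses import dataclass, field, astuple

# ACL grantee groups that make a bucket or object readable by the world.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass(frozen=True)
class PublicAccessBlock:
    block_public_acls: bool = False        # reject *new* public ACLs
    ignore_public_acls: bool = False       # ignore *existing* public ACLs
    block_public_policy: bool = False      # reject *new* public bucket policies
    restrict_public_buckets: bool = False  # ignore *existing* public policies

    def merged(self, other: "PublicAccessBlock") -> "PublicAccessBlock":
        """Account and bucket settings combine; the stricter value wins."""
        return PublicAccessBlock(*(a or b for a, b in zip(astuple(self), astuple(other))))


NO_BLOCK = PublicAccessBlock()
FULL_BLOCK = PublicAccessBlock(True, True, True, True)


@dataclass
class Bucket:
    name: str
    acl_grantees: set = field(default_factory=set)
    public_policy: bool = False  # simplification: policy with Principal "*"
    block: PublicAccessBlock = NO_BLOCK  # bucket-level setting


def put_bucket_acl(bucket: Bucket, account_block: PublicAccessBlock, grantees: set) -> None:
    """Simulate PutBucketAcl: BlockPublicAcls rejects the call if it grants to a public group."""
    if bucket.block.merged(account_block).block_public_acls and grantees & PUBLIC_GRANTEES:
        raise PermissionError(f"{bucket.name}: public ACL rejected by BlockPublicAcls")
    bucket.acl_grantees = set(grantees)


def is_public(bucket: Bucket, account_block: PublicAccessBlock) -> bool:
    """Is the bucket anonymously readable once both setting levels are applied?"""
    eff = bucket.block.merged(account_block)
    via_acl = bool(bucket.acl_grantees & PUBLIC_GRANTEES) and not eff.ignore_public_acls
    via_policy = bucket.public_policy and not eff.restrict_public_buckets
    return via_acl or via_policy


def audit(account_block: PublicAccessBlock, buckets: list) -> list:
    """Names of buckets still exposed under the given account-level block."""
    return [b.name for b in buckets if is_public(b, account_block)]


def sample_buckets() -> list:
    """Constructed inventory: an orphaned bucket with an old public-read ACL, one with a
    public policy, and one private bucket created after the private-by-default change."""
    return [
        Bucket("legacy-exports-2016", {"http://acs.amazonaws.com/groups/global/AllUsers"}),
        Bucket("marketing-site", public_policy=True),
        Bucket("finance-reports-2018"),
    ]


if __name__ == "__main__":
    inventory = sample_buckets()
    print("exposed with no block:", audit(NO_BLOCK, inventory))
    print("exposed with account-level block:", audit(FULL_BLOCK, inventory))
    try:  # an admin slip after the block is on is refused, not silently applied
        put_bucket_acl(inventory[2], FULL_BLOCK, {"http://acs.amazonaws.com/groups/global/AllUsers"})
    except PermissionError as err:
        print("blocked:", err)
```

Note that the model, like the real feature, only covers buckets in accounts where the block is set; a bucket in an unmanaged account is not touched, which is the gap the next paragraph describes.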

Amazon is trying very hard to protect people’s information, but it requires people to do their part.

Information for this post came from Help Net Security.


News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz.

 

The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to Virus Total, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the anti virus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.

 

HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.  *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York requires financial institution administrators to use two factor authentication.  Source: BBC.

 

U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that the U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, it apparently does.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it. Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe and the companies actively support that.  The U.S. government has less direct incentives although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that Cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.

 

Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above —

BGP hijacking has become a well-honed art form for China (and others).  BGP, the preferred routing protocol of all ISPs and many large companies, has no security in it, and anyone can “advertise” that they own an IP address block with no current way to stop them.  After the fact, once the owner notices they are down, they can recover from it.  If the attacker is stealthy, they capture the traffic and, after a really small delay, send it on its way.  They now own a copy of the traffic, which they can try to decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.  Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.

 

This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today. —

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.


IoT Security Issues Costing Enterprises Millions

One of my favorite quotes from a past life:  There is never time to do it right.  But there is always time to do it again.

IoT is like that.

As businesses rush at breakneck speed to do something cool with IoT, they are repeating past mistakes and not considering security.  Given that the “S” in IoT stands for Secure, think back to the early days of Windows 95 or maybe even Windows 3.1.  That is where we are in terms of IoT security.

According to a Digicert report:

Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years.

People who responded to the survey were broken into three categories:


  • Top-tier: Enterprises experiencing fewer problems and demonstrating a degree of mastery mitigating specific aspects of IoT security.
  • Middle-tier: Enterprises scoring in the middle range in terms of their IoT security results.
  • Bottom-tier: Enterprises experiencing more problems that were much more likely to report difficulties mastering IoT security.

Every single bottom tier enterprise encountered an IoT security related incident in the last two years.

In general, those bottom tier folks were:

  • More than six times as likely to have experienced IoT-based Denial of Service attacks
  • More than six times as likely to have experienced Unauthorized Access to IoT Devices
  • Nearly six times as likely to have experienced IoT-based Data Breaches
  • 4.5 times as likely to have experienced IoT-based Malware or Ransomware attacks.

The reasons for those $34 million in costs?

  • Monetary damages
  • Lost productivity
  • Legal/compliance penalties
  • Lost reputation
  • Stock price.

So, given this, what should you be doing?

Make sure that any device that you connect is being actively supported by the vendor with security patches and will be for as long as you plan to own the device.

Encrypt all data, but especially sensitive data.

Use micro-segmentation when designing the network.  Isolate IoT devices from each other and from the rest of the network.

Since updates are likely done over the air via WiFi, make sure that it is done securely.  Aruba, for example, was outed this week for using the same password to update the firmware on every device they shipped of a particular set of models.

Always authenticate actions.  Don’t assume the bad guys won’t find you.

Design to scale up for what you think you might do in the future.  It is much easier to design that way now than to redesign it later.

These are just a few things to consider;  there are many more, but do consider the matter before you deploy the devices.

Information for this post came from Help Net Security.


Adobe is Being Sued for Bug that Deleted User Files

This could be a very interesting lawsuit and we will watch it and see where it goes.

In 2017 Adobe released Premiere Pro Creative Cloud 2017 version 11.1.0.  Apparently, like a lot of software, this product was not bug free.

In fact, a feature called clean cache not only cleaned the cache of Premiere work files, but also cleaned the user’s original files, irretrievably.

The freelancer who filed the lawsuit and is seeking class action status lost over 100,000 video files which he says cost him bigly in his inability to license those videos after Premiere went wild.  He says that the lost files cost him a quarter million dollars to create.

Adobe acknowledged the bug and released version 11.1.1 which, Adobe said, will only delete files within the media cache. Files, they said, that sit next to it will no longer be affected.

Cooper (the freelancer) tried but failed to settle with Adobe.

The thing that is strange about this lawsuit is that most end user license agreements – the ones that almost no one reads – usually state that the vendor does not guarantee the software will work or that it will be free of bugs or that it is suitable for what you are planning to use it for.  Given that, why is Adobe responsible?

He is alleging that Adobe breached a duty of care and failed to disclose what was, at the time, an unknown bug.  They filed this lawsuit in California which has stronger consumer protection laws than many states do, but they are filing it in the U.S. District Court.  They are also saying that Adobe was unjustly enriched as a result of charging a fee for this buggy software.  Part of the suit is claiming negligence under California law.  They say that Adobe should have known that the software bug existed.

If the court holds that to be true then every software vendor that has a bug that impacts a user will be similarly at risk. I do think that a bug that deletes all of your data is more serious than, say, a bug where a particular feature does not work as advertised.

They are also claiming that Adobe has strict liability for a defective design and are claiming that deleting the files is a safety failure, similar to, for example, your iPad catching fire due to the battery overheating.

They are also making a number of other claims.

This suit was filed this month so we have not heard any response from Adobe, but I assume that they will claim, among other things, that the license agreement that every user agreed to even if they chose not to read it, says that we don’t guarantee the software will work.

I have several thoughts here.

First of all, if you sell or even give away open source software, you need to watch this trial (they have asked for a jury trial).  The outcome could impact your company.

You should also check your product liability insurance and make sure that it covers you in situations like this.

But in this case, unfortunately, I put 90% of the blame on the user.

IF YOU HAVE DATA THAT IS IMPORTANT TO YOU, YOU NEED TO HAVE BACKUPS.  I Can’t make it any clearer than that.

Who would he blame if his house was broken into and his computer stolen?  In both the current case and my hypothetical one, absent good backups, he would have lost his data.  Whose fault would it be in my hypothetical case?

He said that the files cost him a quarter million dollars to create.  If you had a digital asset worth that kind of money, wouldn’t you periodically copy those files to a USB disk – or preferably two – and stick it in a bank vault?  I just bought a 4 terabyte disk for $80.

Seems like cheap insurance to me.

Without regard to the outcome of this suit, which could be in the courts for years, users, both business and consumer, should know that their data is at risk in any number of ways and make appropriate backups.

When it comes to cloud backup systems like iCloud or OneDrive, those systems will back things up on a best efforts basis.  If those backups fail, you will be in the same boat as these guys.

Bottom line, based on the value to you, you need to create and maintain backups as appropriate to reconstruct your data.

Even if this guy wins, and it seems unlikely to me but who knows, in the end, he still doesn’t have his videos and pictures.

As they sang in the movie Hoodwinked, be prepared, be prepared.  That is way less pain than losing your data.

Me, personally, I keep multiple copies of my data in a bank vault and each copy is split across multiple physical devices so that if any one device fails and that same device fails on multiple generations of the backup, I only lose a part of my data.  Bank vaults are controlled for temperature and humidity and are relatively speaking, pretty secure.  However, that is only ONE measure that I take. 

Depends on how important your data is to you.  Source: Motherboard.


Cathay Pacific is Beginning to Fess Up and it Likely Won’t Help Their GDPR Fine

As a reminder, Cathay Pacific Airlines recently admitted it was hacked and lost data on over 9 million passengers.  Information taken includes names, addresses, passport information, birth dates and other information.

They took a lot of heat for waiting 6 months to tell anyone about it (remember that GDPR requires you to tell the authorities within 72 hours).

Now they are reporting on the breach to Hong Kong’s Legco (their version of Parliament) and they admitted that they knew they were under attack in March, April and May AND it continued after that.  So now, instead of waiting 6 months to fess up, it is coming out that they waited 9 months.

They also admitted that they really didn’t know what was taken and they didn’t know if the data taken would be usable to a hacker as it was pieces and parts of databases.

Finally, they said after all that, they waited some more to make sure that the information that they were telling people was precisely accurate.

Now they have set up a dedicated website at https://infosecurity.cathaypacific.com/en_HK.html for people who think their data has gone “walkies”.

So what lessons can you take away from their experience?

First of all, waiting 6 months to tell people their information has gone walkies is not going to make you a lot of friends with authorities inside or outside the United States.  9 months isn’t any better.

One might suggest that if they were fighting the bad guys for three months, they probably either didn’t have the right resources or sufficient resources on the problem.

It also means that they likely did not have an adequate incident response program.

Their business continuity program was also lacking.

None of these facts will win them brownie points with regulators, so you should review your programs and make sure that you could effectively respond to an attack.

Their next complaint was that they didn’t know what was taken.  Why?  Inadequate logs.  You need to make sure that you are logging what you should be in order to respond to an attack.

They said that they wanted to make sure that they could tell people exactly what happened.  While that is a nice theory, if you can’t do that within the legally required time, that bit of spin will cost you big time.

Clearly there is a lot that they could have done better.

While the authorities in Europe may fine them for this transgression, in China they have somewhat “harsher” penalties.  Glad I am not in China.

Information for this post came from The Register.
