All posts by mitch tanenbaum

Mandatory Password Changes – A Good Idea?

For a decade the feds recommended frequent password changes. A couple of years ago NIST changed their mind and said it was the worst recommendation they ever made. Still a lot of companies and regulators require frequent password changes. Is that a good idea?

Microsoft used to recommend frequent password changes. Their current guidance:

According to Microsoft, requiring users to change their passwords frequently does more harm than good.

Humans are notoriously resistant to change. When a user is forced to change their password, they will often come up with a new password that is based on their previous password. A user might, for example, append a number to the end of their password and then increment that number each time that a password is required. Similarly, if monthly password changes are required, a user might incorporate the name of a month into the password and then change the month every time a password change is required (for example, MyM@rchP@ssw0rd).

Again, people are creatures of habit:

What is even more disturbing is that¬†studies have proven¬†that it is often possible to guess a user’s current password if you know their previous password. In one such study, researchers found that they were able to guess 41% of user’s current passwords within three seconds if they knew the user’s previous password.

On the other hand Larry Ponemon says that it takes, on average, 207 days to identify a breach. If you don’t make users change passwords, then the bad guys have access for that long. If you make users change passwords every 90 days, then maybe you limit that access.

Of course, if you require two factor authentication and you do that robustly, knowing someone’s password isn’t that helpful.

So what should you do? Fix the underlying problems:

  • Make users choose strong passwords
  • Use password managers
  • Check selected passwords against a compromised password list
  • Implement a self service password reset solution
  • Implement multifactor authentication

So there is no good or bad answer; just a business risk decision. Personally, if you implement the items in red above, you can reduce password change frequency safely.

On the other hand, if you have a regulator who says you have to change passwords, then you really don’t have a choice, but that is a small minority. Credit: Hacker News

Apple Airtags – A Low Cost Surveillance Tool for Good or Evil

Ever see a scene in the movies where the cops (or the bad guys) plant a tracking device on someone and later catch the person doing something?

Ever hear stories about an ex stalking his or her former partner?

Well Apple just made that ‘affordable’.

Probably too affordable.

And folks have already tested it.

Like putting an airtag in a Fedex envelope and mailing it somewhere. Then tracking it. Apparently, WAY more precise than Fedex’s own tracking system.

In part, that is because of how they work. If they are within a few feet of any iDevice, poof you know where it is. That works great in the city where the number of Apple devices per square inch is high. Go out into the woods and it doesn’t work so well. Unless the person you are tracking has an iDevice.

You want to know where your kids are? Covertly slip a $29 tracking device in their backpack.

Want to know if your spouse is cheating? You can buy 4 tags for less than a hundred bucks.

Want to keep tabs on your ex? Ditto.

You could hide one in a car or any number of places, depending on how devious you are.

Here is the worst part.

In many cases, it may not even be illegal. But it might be. Depends.

Point of information: A tag is tied to an Apple device. If the Apple device can be tied to you or someone you called or an email account you accessed, the cops will be able to find you.

Just in case you were thinking of doing something illegal.

Tracking your kids? That’s not illegal. But kids are usually smarter than parents, so they might be tracking you right now. If they have $29.

Credit: Ars Technica

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Lets say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your drivers license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty copy after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC

Government is No Better at Managing Supply Chain Risk Than we Are

The GAO, formerly known as the General Accounting Office, works for Congress and does studies of how horribly inefficient the government is. In theory, that is so Congress can create new laws to make them do what any sensible organization would do without the laws. Here is one example.

The GAO reviewed the security practice of 23 government agencies with regard to information and communications technology products (what you and I call networks and computers). They identified 7 practices for managing these risks and then they graded the agencies on how they were doing. What they found was:

  • Few implemented the practices
  • None had FULLY implemented the practices
  • 14 had implemented NONE of the practices

Feel better? The only downside is the government gets hacked too – as we have seen very publicly lately.

Here are some of the highlights from the report.

Here is where these agencies get their stuff from. This is not where the sales office is, but rather where the stuff is made.

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

The one practice that was implemented by the most agencies – that only included 6 of 23 agencies. OUCH!

So then they tallied up the results. Here is what they found:

\\vdifs02\FR_Data\WatsonA\Desktop\Bar.tiff

Notice all the white? That is the part where the agencies are not implementing any part of the practice to reduce their risk. The vast majority of the agencies are asleep at the switch.

The most common excuse given was “no one told me how to do this” or something close to that. So, a billion dollar agency, apparently, needs to be treated likely a toddler and told how to do its job. Lets ignore for the moment that NIST issued guidance in 2015 and the OMB told all agencies to implement supply chain risk management (SCRM) in 2016. But no one held their hand. Or, until now, swatted their behind.

Most agencies, when called on the carpet by the GAO said, oh, my bad, I will fix that (yeah, maybe). A few said bug off. Those are the ones who should not be allowed to use computers or networks.

Here are the 7 areas that the GAO asked about. See how many of these you are doing company wide.

  1. establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;

2. developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;

3. establishing an approach to identify and document agency ICT supply chain(s);

4. establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;

5. establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;

6. developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and

7. developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

Credit: the Government Accountability Office

Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted message app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cells phones for law enforcement. Cellebrite claims to be able to crack Signals messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the mean time he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Celebrite. Credit: Hackread

 

Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 month’s worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our drivers’ licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states drivers’ license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting drivers’ licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, less than half of the drivers’ licenses in circulation have been updated to meet the requirement. Credit: CNN

 

Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, every connection between your IT network and OT networks increase the attack surface. Credit: Cyberscoop

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

8% of Companies That Pay Ransom Get All of Their Data Back

Well that is a pretty depressing headline, but that is what the statistics say.

According to a Sophos study, the average cost of a ransomware attack jumped from $761,000 to $1.85 million over the last year. The average ransomware payment is now $170,000.

More worrysome, only 8% of the organizations say that they got all their data back. 29% said they got less than half of their data back.

In part this is not because crooks are dishonest. They are just not great at developing software that works – no different than the rest of us. So, when you pay the ransom, only then you find out that their software is buggy and cannot decrypt your data.

Fewer organizations were attacked last year – the number fell from 51% to 37% and fewer of them had to deal with encryption. That number fell from 73% to 54%.

What the hackers have figured out is that you steal the data and then threaten to publish or sell it if the company doesn’t pay up. That is almost impossible to defend against unless you just keep the hackers out.

Now here is a bit of bad news. The number of companies that paid the ransom increased from 26% to 32% – even though only 8% said they got all of their data back. That may be because they don’t want their data on the front page of the New York Times.

And, recovering can take years. Even if you pay the ransom, you still have to recover the data that you lost and you have to rebuild your systems from the ground up because you certainly can’t trust a previously hacked system. Then you have to figure out how to harden them. And, of course, there are lawsuits. And on and on.

So what should you do?

  1. Assume you are going to be hit and plan to deal with it.
  2. Make backups. Several copies. Make sure that at least one is offline. You can’t hack what you can’t get to.
  3. Build layers of protection. One solution will not stop everything, no matter how great it is.
  4. Use human experts. Smart people with smart software is more secure than software alone.

And if you don’t have the skills in house – well (plug) hire us or (not) someone else. Don’t hope you are going to skate by. Hope is not a strategy. Credit: Help Net Security