Category Archives: Best Practices

Does Your Incident Response Plan Address TLS Certificate Revocation?

Warning: Sorry, this post is way more technical than most of my posts.  If you are an executive reading this, you may want to show this to your security or IT folks and ask “how are we handling this?”.  They should be able to explain that to you in English.

Incident response is all about having already considered the scenarios and having a plan for dealing with it.

Consider this scenario:

You have a web site, mail server or other system which is encrypts traffic using a TLS (or more generally X.509) certificate.  That protection works with a secret encryption key and a public key.  Those keys expire after a time period such as one, two or three years (I have seen ones as long as 10 years).

This all works as long as the secret key remains secret.

But what happens if you have an incident where the secret key, which may live on a server or an admin’s workstation (IT SHOULD NOT!) gets compromised?  How do you deal with that.

The problem is that if the private (secret) key is no longer secret, then a hacker can masquerade as you and even encrypt the data with their victim.  There is nothing that a victim can see that would make them suspicious.

If the secret key gets compromised, you can get a new one, but the challenge is how to revoke the old one.  This is something the industry has been wrestling with for years.

FIRST ATTEMPT: Certificate revocation lists:  The certificate authorities that you get your TLS certificates from maintain a list of revoked certificates.  It turns out that this process was so unwieldy that many browsers don’t even look at these lists any more, so that measure is useless.

SECOND ATTEMPT: OCSP or Online Certificate Status Protocol is an attempt at fixing the first attempt.  Instead of browsers having to maintain and update lists in each user’s computer when you try to connect to a secure web site, the browser can make another connection to the certificate authority’s OCSP server to see if the certificate is good.  Only problem is that what do you do if the OCSP server doesn’t respond?  Do you deny access or do you cross your fingers and hope that the same hacker who stole your certificate is not blocking your access to the OCSP server?  Plus, it means that every time you establish a connection to a  secure web site (almost all of them now), it will take twice as long because you have to make a second connection.

THIRD ATTEMPT:  OCSP Stapling.  With OCSP Stapling, the SERVER sends a copy of the OCSP certificate at the same time that you are negotiating the connection.  The server updates the OCSP proof frequently (say every 10 minutes) so there is much less overhead from the browser’s standpoint.    It turns out that some stapling implementations don’t work right and a hacker might tell the victim’s browser not to use OCSP or stapling and the victim would not know any better.

FOURTH ATTEMPT: As I am guessing that you can tell by now, this problem does not have any easy answers.  The next attempt was ACME or Automated Certificate Management Environment.  ACME creates certificates that have a relatively short life expectancy.  For example, Let’s Encrypt creates certificates that only last 90 days and automatically renews them.  But 90 days is a long time for a hacker to be able to run amuck with your credentials.  What you want to do is make it last only a day or a few hours.  This means if the vendor that is issuing the ACME based certificates is down, you won’t be able to get a new certificate and you will be down.  Still, this is way better than the first three attempts.

FIFTH ATTEMPT: (is this getting a bit out of hand?)  There is a new standard in the pipeline with the Internet Engineering body (IETF).  It is designed for big firms right now, but it will evolve.  It does require a change in the browser to make it work, but Firefox already has it and it is likely that Chromium (the basis for Chrome, Brave, Opera, Edge and others) will likely have it soon.  But remember, this is, right now, only for the big folks.  This is called Credential Delegation.  With Credential Delegation, the certificate authority issues the web site owner a normal signed credential but the web site owner has the ability to create delegated credentials that might only last a day or an hour.  They can only do this to the same domain that the certificate authority originally issued their certificate for.  The win here is that if a Delegated Credential is compromised, it will only be usable for a couple of hours to a couple of days.  For example, Facebook is one of the early adopters and is testing it.  If someone were to steal a Facebook credential but that credential was only good for say, 6 hours – or 30 minutes – the amount of damage they could do is greatly limited.

Here are a couple of takeaways:

1. If you are using traditional TLS certificates, do not create certificates that are valid for more than one year.  At least you are beginning to reduce the risk window.

2. Make sure that your certificate provider supports OCSP.

3. Make sure that your certificate provider implements OCSP stapling and that you have enabled it on your server.

4. If your certificate provider supports it, implement OCSP MUST STAPLE.  This will cause the connection to fail if there is no attestation attached to the connection that a hacker uses to try and scam a victim.

5. Use an ACME provider if possible.  Again, we are trying to reduce the time window that a hacker can use your stolen information.  If that window is reduced from one year or two years down to 90 days or 30 days, that is a huge win.

6. Watch for progress on Credential Delegation.  If might be a year away, but when it happens and is available for everyone, you will have the ability to close that window that a hacker can use your stolen certificate down to a day or a couple of days.  Much better than a year.

I know this is a very technical post;  if you have questions, please reach out to us.

For more technical information, see here, here, and here.

 

Facebooktwitterredditlinkedinmailby feather

Telcos Not Doing Good at Preventing SIM Swap Attacks

A SIM is the (usually) hardware card that gives your phone its “personality”.  The SIM is tied to the carrier and contains all the information that the phone needs to talk to your carrier.

As users SLOOOOWLY migrate to using text messages as an extra layer of authentication for logging in to a variety of online accounts, hackers need to figure out how to compromise that.

One way to do that is to tell your carrier that you have a new SIM (typically a new phone).  If the hacker is successful, then all of the text messages (which may include password reset messages for things like your email or your bank account) are destined for you will go to the hacker, along with all of the money in your bank account.

In theory phone carriers are not supposed to do a “SIM swap” unless they know the request is coming from you.

But they want to be customer friendly and that is sometimes a challenge when it comes to security.

Recently some Princeton researchers did a test of five major phone carriers – AT&T, T-Mobile US, Tracfone, US Mobile and Verizon – and wrote a study regarding the carrier’s authentication procedures.  The results were:

  • AT&T – 10 out of 10 fraudulent swaps successful
  • T-Mobile US – 10 out of 10 fraudulent swaps successful
  • Tracfone – 6 out of 10 fraudulent swaps successful
  • US Mobile – 3 out of 10 fraudulent swaps successful
  • Verizon – 10 out of 10 fraudulent swaps successful

The problem is that the carriers want to make the process simple for their staff so they ask for secret information only you would know – like you address or email or date of birth.  Not so secret.

Sometimes they will try to send a one time password to your phone but if you say that your phone isn’t working, they often give up.

You may remember that Jack Dorsey, the CEO of Twitter, got his own Twitter account hacked following a SIM swap.  Source: The Register

If that doesn’t work, they bribe some phone company employees to give them remote access into the phone company systems so that they don’t have to bother trying to trick other employees – they can do the SIM swap themselves. They just enable RDP into the bribed employee’s workstation.  Source: Motherboard

Several Congress-critters have written to the FCC’s chairman Ajit Pai suggesting that he do his job and actually regulate the carriers.  Don’t count of the FCC doing anything useful.

One thing that you can do is ask the carriers what other security measures they have like passwords and PINs and other measures.

Of course you can lobby your Congress-critters to pass a law forcing the FCC to do what it should do.  Of course the carriers don’t want to have to do any more work than they have to, so they will probably drop bags of cash in Congress to get them not to pass such a law (I guess I am a bit pessimistic that DC will actually do anything helpful).

Ultimately, it is important that yoou be vigilant because that is much less painful that trying to regain control of stolen accounts or getting your money back from your bank.

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them  done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology

 

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airports administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for a fee information sites;  It is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and that whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese? Or did the Chinese steal it?  Or does CheckPeople use servers in China?   If so, that is something we should stop.  Source: The Register

Travelex Woes Continues

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks are as are seeing here, even though most of the information is NOT coming from Travelex.

 

This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barklays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

Still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.   They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.

Facebooktwitterredditlinkedinmailby feather

And You Think YOU Have a Problem Finding Cybersecurity Talent

If you have tried to hire any cybersecurity talent recently, you know that experienced folks are hard to find, hard to keep and expensive.  That is why we offer the virtual Chief Information Security Officer program.

But if you are the federal government and you have hundreds of agencies and millions of employees – not to mention adversaries that are working overtime to hack you – you need “a few good people”.  Actually quite a few.

The federal government doesn’t have a great pay scale either, so in order to motivate people, they have to be aligned with the mission.

But the federal government doesn’t seem to have much of a mission when it comes to cybersecurity.  We can’t even seem to agree on whether the Russians interfered with the last presidential election.

So what does that mean for the feds?

It means that senior cybersecurity people are leaving.  Key people.

Jeanette Manfra, who is currently the Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency (how’s that for a title?) is leaving CISA to join Google.  At Google, she is going to head up the Office of the CISO to help customers improve their security.

She is not alone.

Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left in and is now Director of Data Governance at Google.

Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, joined Google as an executive for Public Sector Cloud at Google.

Rob Joyce, was forced out of his role at the White House as Cybersecurity Coordinator at the National Security Council by former National Security Advisor John Bolton.  Rob, at least, went back to the NSA where he is appreciated.  Now the White House has no one in that role and some people are saying that we may be back in the same situation as we were in 2014 when the Russians hacked the White House.  Cyber is not a priority for this administration.

Joe Schatz resigned as White House CISO to join technology consulting firm TechCentrics.

In October 2019, Dimitrios Vastakis, Branch Chief of the White House Computer Network Defense and staff member of Office of the Chief Information Security Officer (OCISO) at the White House released a scathing resignation memo saying that OCISO staff are “systematically being targeted for removal from the Office of the Administration (OA) through various means.”

One of the key issues with all of these senior folks leaving is that all of the tribal knowledge is going with them.  Even if you can replace these folks – and the evidence seems to indicate that either this administration doesn’t want to or can’t – there is no way to replace their knowledge of the workings of all of these federal systems.

Back in 2016 then acting director of OPM Beth Cobert said  “…federal agencies’ lack of cybersecurity and IT talent is a major resource constraint that impacts their ability to protect information and assets.”

Another person who left, Michael Daniel, former special assistant to the president and cybersecurity coordinator at the White House, said “Hiring and retaining cybersecurity professionals is difficult for the federal government under normal circumstances, because supply remains low and demand high across our entire economy,

President Trump did sign an EO last May to try and address the cybersecurity staffing gap estimated at 300,000.

I don’t know where that number came from.  Maybe this is in the federal government alone.  I have seen estimates of a nationwide shortage of over 3 million by next year.  If the feds want 10% of that, they are going to have to work very hard and create an environment that is agile and receptive – something no government agency is good at doing in the best of times.

I hope the government is successful at turning this around, but I am a bit skeptical of their ability to do that.   I guess we shall see.  Source: MSSP Alerts

 

Facebooktwitterredditlinkedinmailby feather

Phishing Campaign Takes Different Tactic With Similar Outcome

When phishers attack users, they typically try to steal your credentials – your userid and password.  If you are one of the small percentage of users that religiously use two factor authentication (Google says that 90% of GMail users do not use two factor authentication), these password thefts do not help a hacker unless they can figure out a way to compromise that second factor too.  Since the vast majority of people don’t use two factor, if the hackers do get your password, then they are in and can steal your data.

But what if – just sayin – that you change your password?

I know.  I know.  You are saying that you haven’t changed your email password in 37 years.  But just say that you do.  Maybe you think the password was compromised.  That means that the hacker has lost access to your information.

Hackers have come up with another technique that will actually survive you changing your password.

Here is how it works.

The hacker gets you to click on a link and the link takes you to the legitimate Microsoft (or Google) login page.  With one tweak.

If you  look at the URL, there is a redirect with a request for permissions.

You enter your credentials and you are redirected to a hacker’s site which now asks for permissions to access your mail and contacts, etc.

If you accept this (and you might because you just came from the real [Microsoft or Google] login screen), the hacker now has access to your stuff.

Even if you change your password the hacker will still have access to your stuff.

The only way to turn this off would be to look at your permissions page to see what apps or websites you have granted access to your stuff.

This means that  you have to be VERY CAREFUL when you see a permissions request screen to look at the URL that is asking.  Of course, you may or may not understand the URL.  In this case it was an Office 365 attack and the hacker’s domain was Officemtr.com .  That is close enough that it probably seems legit.

Which the hacker is counting on.

Consider yourself warned.  Source: Brian Krebs

Facebooktwitterredditlinkedinmailby feather