Category Archives: Best Practices

Two Factor Authentication is not Security Magic

While any form of two-factor authentication is better than none, there are still security holes.

In a story I read tonight, a tech-savvy user fell for a social engineering attack. He received what he thought was an Instagram message from a friend and responded to it. It turns out it was a social engineering attack.

Combine this with really crappy security services on the part of social media companies.

Then combine that with their effectively non-existent tech support.

In this particular case, the attack vector was a password reset attack. Most companies – and not just social media – opt for the least possibly secure password reset mechanism. Because they don’t have any tech support. After all, since you are paying zero dollars and zero cents for the service, they can’t give you a lot of tech support.

In the case that I will link to at the end, the user never did get his account back.

In my case, I might be a little sad – probably not – if I lost my Facebook account, but if you are a business and you depend on your social media presence, that could be a real problem.

So what do you do?

The first thing is to make sure that you have a CURRENT OFFLINE backup of any cloud data you care about. DO NOT count on your cloud provider to keep a backup and make it available. Especially if your account is compromised.

Make sure that you implement the best of the crappy security your cloud provider offers. This is not just social media. If you do not like that provider’s security AND YOU HAVE A CHOICE TO MOVE, do so. Vote with your feet. That is about the only thing they understand.

Train any user who has access to the account about security. In the case today, it was a very subtle mistake the user made. It didn’t seem like a security problem, but it was.

Finally, hope that good luck goes your way.

The problem is that online services are not responsible when things go badly and that is not likely to change without legislation. You can rest assured that if there is legislation, they will fight it tooth and nail because it means real money to them. And a precedent. They don’t want to be liable.

That means that you have to be careful enough for the both of you.

Credit: ZDNet

N. Korea Has Yet Another Way to Fund Terror

We all know that North Korea has been funding their terrorism – and their economy – using ransomware attacks and other malware. Now they have a new way and it is pretty creative.

According to an advisory from the feds, North Korean IT workers have been trying to get IT jobs in the United States – both in the government and private sectors.

The money they earn from working for U.S. companies and government agencies goes back to North Korea to fund WMD and ballistic missiles.

And apparently, we are not talking about 1 or 2 IT workers. According to the feds, they are sending thousands of these IT workers out to countries across the world.

Sometimes they act as freelancers, where the checks are less strict.

Or they look for telework, so they never have to meet a coworker in person.

Both perfect in a pandemic/post-pandemic world.

A team of DPRK IT workers can make $3 million a year. To fund North Korea.

To support this, the country has a whole network of high end university programs to train around 30,000 students at a time.

The fed’s advisory provides detailed information on how the North Korean IT workers operate, red flags to look for, payment platforms that they use and general mitigation measures companies can take.

Yes they are interested in your money.

But stealing your intellectual property is a side benefit.

Not to mention sharing your credentials with hackers at home.

The details in the advisory are fascinating as to how sophisticated they are at creating false identities and false locations. They never leave North Korea.

While you are not likely going to be prosecuted for hiring one of these people (unless it is obvious they are North Korean), it certainly is within the rules of engagement for the Office of Foreign Asset Control (OFAC) to do that. The rest of it – that could be really bad for your company.

Credit: Data Breach Today

Advisory: DoJ/Treasury Guidance

Bluetooth Spec Says it is not Secure – They Are Right

There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.

In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.

A relay attack works like this. You take one phone and put it near the key fob and another phone and put it near the car. These two phones talk to each other and with $50 worth of bluetooth hardware, they are able to relay the signal from the fob to phone 1 to phone 2 to the car.

Some of these relay attacks don’t work because there is a time delay introduced in this type of attack, but these researchers figured out how to work within the timeout window.

While they only tested a model 3, they think the attack will also work on a model Y.

Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla keyfob and get full access to the car.

It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”

Credit: The Register

These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).

Tesla says that they are not going to fix it. They do say that you can disable the proximity feature.

The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.

This is one of those cases where convenience won out over security. Credit: Helpnet Security

UK, Australia, Canada, New Zealand and US Warn of Attacks on MSPs

Many or possibly most small businesses don’t have an internal IT department. They rely on a third party to help them manage their IT assets. These third parties are called Managed Service Providers (MSPs) or sometimes Managed Security Service Providers (MSSPs). This is not inherently bad. But many of these MSPs are not much larger than the companies they are managing. Many have 25 or fewer employees.

MSPs have to be trusted by their customers and have to have god-like permissions on their customers’ networks and systems. There is no way around that if you want them to manage things for you.

One example of an attack on an MSP right here in Colorado was an attack against Complete Technology Solutions. The attack on CTS compromised over a hundred Dental Practices that were CTS’s customers.

Another was the attack against Kasaya. Kasaya provides software to MSPs. Compromise Kasaya and you compromise a thousand MSPs, each of which has hundreds (or more) customers, each of which has many users.

There are lots more examples – SolarWinds, Microsoft Exchange, and others.

It is not surprising that hackers want to compromise a company that can allow them to leverage their resources and maximize the damage they can do.

But now we have a joint advisory from the cybersecurity agencies or group of nations (the Five-Eyes) that are telling people to beware. The alert provides recommendations for both MSPs and their customers.

For the customers, you are the ones that are responsible for your network. It doesn’t matter that you outsourced the work to someone else. If your network is attacked, you are in trouble. That means that you have to take action to make sure that your MSP is following best practices.

If you need help, contact us.

Credit: The Register and CISA

NIST Releases New Supply Chain Risk Guide

Here is another short read for you (sorry).

For those who read this blog on a regular basis, you know that we talk about supply chain risk a lot. Formally, the government calls it Cybersecurity Supply Chain Risk Management or C-SCRM.

Supply chain attacks are very popular because if you pull one off (think SolarWinds), you can infect millions of machines. SolarWinds was just one very visible one, but it seems like there is at least one every week, to varying degrees of severity.

This is another product to come out of NIST as a result of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

At a short 300 plus pages, you are not going to consume this all at once, but starting now is a good idea. The problem is not going away any time soon.

One thing they have done is integrated C-SCRM into a broader enterprise-wide risk management conversation. Risk management includes cyber risk, but that is far from where it ends.

They also have a section on critical success factors. Definitely worth a read.

Finally, it has 10 appendices of nuts and bolts, including S-SCRM security controls, a framework, templates and resources.

You can find the document at NIST’s website, here.

If you want to have an in-depth conversation on C-SCRM, please let us know.

Secure Software Development Program – Its Now The Law if You Sell to the Feds

As we watch hackers compromise systems of both large and small companies in every country every day, it kind of points out the obvious – whatever security programs companies that develop software have in place are not adequate to the threat.

Up until now, software companies have not suffered because their license agreements say that you use their software at your own peril.

Microsoft alone releases, typically, one hundred patches every month – a thousand plus a year.

Oracle, which releases patches quarterly, typically releases 300-400 patches a quarter.

This is not to pick on these companies. Software is complex and a lot of it, contrary to the claims of the vendors, is very old.

Windows 11 is Microsoft’s new, bright, shiny toy. How much of the code in Windows 11 is new? Microsoft will never admit this because it is embarrassing, but the new code in Windows 11 probably represents, maybe, 10 percent of the Windows code. And that is generous. Even if this code is perfect – and it is not – what about the 90 percent that is old. Some of that code is 25+ years old.

As of March 2022, any company that sells software to the government (or sells software to companies that sell software to the government) must have a rigorous software security program in place. This includes traditional, on-premise commercial software, software that is provided as a service, and any open-source software components that are included in that software.

NIST published a secure software development framework (SSDF) earlier this year and it is certainly reasonable to say that any software security program that is not, at least, as rigorous as NIST’S SSDF probably won’t meet the requirement. You don’t have to do what NIST recommends, but it better be, demonstrably, as good as what NIST is recommending.

On top of this, the Office of Management and Budget is about to release attestation guidelines. This is the rope that the government will use to hang you. If your executives attest to the security of your software development program and they stretch the truth, so to speak, well, the results might not be pretty.

Also, consider this.

If I was a large commercial business, it would be smart of them to say that we will only do business/buy software or products from vendors who comply with NIST’s SSDF and can attest to that fact.

This means that even if you don’t sell software to the government it is likely this will affect you because your customers, in their RFPs and contracts, will require compliance as a matter of the contract, not a matter of law.

Credit: The White House