Category Archives: Best Practices

Viacom is the Newest Company to Leave Data Unprotected on Amazon

Viacom is playing down the significance of this, but that could just be damage control.

One of our favorite security researchers, Chris Vickery, discovered yet another Amazon S3 storage bucket unprotected on Amazon.

In this case, it did not contain non-public personal information of customers, according to Viacom.  They touted this as a good thing.  After Equifax, it probably is a good thing FOR US, but what was there is definitely worse for Viacom.

For those of you not familiar with Viacom, they own the likes of Paramount, MTV, Nickelodeon and Comedy Central, among other brands.

What was in there was the access key and secret key to an Amazon web services account owned by Viacom.  Whether it is their main corporate Amazon web services account or maybe a test account, we don’t know (yet), but the attempt to deflect the question leads me to believe that it is the main corporate account.  If it was, it would allow anyone who had that key to totally own the account, all the servers in it and all of the data associated with it.  Likely nothing important.

But that is not all that was there.

The Amazon storage bucket also contained the GPG (open source version of PGP) data encryption/decryption keys.   Depending on what those keys were used to encrypt, having the decryption keys would have allowed an attacker to read any data protected with those keys.  Generally speaking, encryption keys don’t protect the lunch menu.  If you go to the trouble to encrypt something, it is likely important and sensitive.

Chris contacted Viacom on August 31st and within a few hours, the data was gone.

The Amazon subdomain in question was called mcs-puppet.  MCS likely refers to Viacom’s Multi-platform Compute Services.  Puppet likely refers to the devops automation tool Puppet that allows IT operations teams to automate the deployment and management of corporate compute services.
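The kind of material described above (an AWS access key and secret key plus PGP/GPG private keys sitting in Puppet configuration) is exactly what a pre-commit or pre-upload secret scan is meant to catch before the files ever reach a bucket. The following is an added example, not Viacom's code and not anything from the Puppet project: a small scanner that flags AWS access key IDs, a labelled 40-character secret key, and PGP private key block markers in a text file. The sample manifest it runs on is constructed for this post; the key pair in it is the placeholder pair from the AWS documentation, not a live credential.

```python
import re
from dataclasses import dataclass

# Long-term IAM user access key IDs begin with "AKIA" followed by 16 upper-case
# alphanumerics; the matching secret key is 40 base64-style characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# The secret has no fixed prefix, so only flag it when it sits next to a key
# name that says what it is (aws_secret_access_key, AWS-SECRET-KEY, ...).
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})"
)
PGP_PRIVATE_KEY_MARKER = "-----BEGIN PGP PRIVATE KEY BLOCK-----"


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never echo the whole secret into logs or tickets


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it in a follow-up."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking hit, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
        if PGP_PRIVATE_KEY_MARKER in line:
            findings.append(Finding(line_no, "pgp_private_key_block", PGP_PRIVATE_KEY_MARKER))
    return findings


# Constructed sample manifest. The key pair is the placeholder pair from the
# AWS documentation, not a real credential; the PGP key body is elided.
SAMPLE_MANIFEST = """\
# constructed sample: hard-coded credentials in a Puppet class
class mcs::backup {
  $aws_access_key_id     = 'AKIAIOSFODNN7EXAMPLE'
  $aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
  file { '/etc/backup/key.asc':
    content => '-----BEGIN PGP PRIVATE KEY BLOCK-----
(elided)
-----END PGP PRIVATE KEY BLOCK-----',
  }
}
"""


def sample_findings() -> list[Finding]:
    """Run the scanner over the constructed manifest."""
    return scan_text(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Run against the sample it reports three hits (lines 3, 4 and 6). Wire something like this into a git pre-commit hook or the CI job that publishes configuration, and treat any hit as a blocker: the right place for these values is a secrets manager or an IAM role attached to the instance, not a manifest that gets copied into a bucket.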

While Viacom attempted to deflect the seriousness of the matter, without knowing what those Puppet scripts controlled, what the PGP keys protected and what the AWS private keys were used for, we really don’t know how much damage it could have done.

We also don’t know whether Chris was the first outsider to find the stash or whether it was downloaded many times.

Viacom’s attempts to make it go away would suggest to me that the damage was worse than they wanted to let on.

In the bigger picture, this is just one more case of a company not understanding where their data is, how it is protected and who has access to it.  In this case, access was restricted to anyone who could find the data.  Not a great plan for your private encryption keys and configuration scripts.  Not a great plan at all.

But Viacom is hardly unique.

Does your company actively track the location, access controls and identities of all data and users who can access that data, whether it is located in a company owned data center or some cloud service that an employee set up without asking or telling anyone?  I didn’t think so.  THAT is what needs to happen and it is not a one time event;  it needs to be managed in real time, FOREVER.

Or, your company could become the next Viacom.  Your choice.

Information for this post came from Gizmodo.


An Equifax Lesson For Everyone To Learn

One of the MANY lessons to be learned from the Equifax breach is how not to handle a breach.  Here is just one of those lessons and it is a lesson for BOTH users and webmasters.


When the breach finally became public – months after it happened – they created a web site for victims to go to in order to find out about the breach.  That web site, equifaxsecurity2017.com, looks like this:

You will notice that it has the Equifax logo on it and that it has the little green padlock indicating that it is encrypted, but, of course, anyone can steal the Equifax logo and put it anywhere they want – like right here, for example:

But that doesn’t mean that the site belongs to Equifax.

You will notice that the web site URL includes the name Equifax, but so does www.equifaxsucks.com (yup, a real site.  Totally benign, but real – see below).  So, just because the word Equifax is in the web site name does not mean that it is owned by Equifax.

In this case, since the word Equifax is probably a trademark, they can, eventually, get this site taken down if they want.   But Equifaxx is not a trademark (note the two x’s rather than one).  That site is real (see below) and, curiously, it seems to belong to EXPERIAN, their biggest competitor.  Why they didn’t buy up similar sounding web sites for $10 a year each is beyond me and a lesson to learn from this.  Here is Equifaxx.com.

But that is not the worst failure.

Why wouldn’t they send you to a site that you KNOW is theirs?  Send people to BREACH.equifax.com or Equifax.com/BREACH or something like that.  At least then people know that they are going to a site owned by the company that they are looking for.  In fact, this site was hastily set up and initially, if you looked, it wasn’t even owned by Equifax; it was owned by an Equifax vendor.

Still, that is not the worst failure.

Here is the worst failure and the lesson for everyone – users and webmasters both.

While they secured the site with HTTPS – what we geeks call an SSL (or more correctly a TLS) certificate protected site – they used the cheapest, least secure certificate they could find: what is called a DOMAIN VALIDATION certificate.  All that certificate proves is that the person who requested it – you, me, my kid, whoever – had sufficient access to the web site to store a file on it.  If the site had been hacked, a hacker could buy that kind of certificate.

THAT IS WHAT A GREEN PADLOCK PROVES.  NOTHING MORE.

Now let’s look at Apple’s website for a minute (see below).

Note that the address bar is different from the address bar on Equifax’s breach web site.  This has the name Apple, Inc [US] in green in front of the URL.  This is an EXTENDED VALIDATION certificate.  In order for Apple (or Equifax) to get this, they had to prove they were Apple and not Mitch.  This is a higher level of verification and a more expensive certificate.

It is designed to give the user a higher level of confidence that they really have landed on an Apple – or Equifax – web site.
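The difference between the two certificates is visible in the certificate itself, not just in the address bar. An EV certificate's subject carries the legal entity's name plus the business category, jurisdiction and registration number that the CA/Browser Forum EV guidelines require; a DV certificate has no organization field at all. The following is an added example (not Equifax's, Apple's or the browser's code) that classifies a certificate from the dictionary Python's standard `ssl` module returns from `getpeercert()`. The three sample certificates are constructed for this post; the `fetch_peer_cert` helper is how you would get a real one.

```python
import socket
import ssl
from typing import Optional

# Subject attributes the CA/Browser Forum EV guidelines require of an EV
# certificate: the business type, where it is registered and its registration
# number. A DV certificate carries none of the organisation fields at all.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert: dict) -> dict:
    """Flatten getpeercert()'s nested subject tuples into a plain {name: value} dict."""
    flat = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            flat[name] = value
    return flat


def classify_validation(cert: dict) -> str:
    """Return 'DV', 'OV' or 'EV' from what the subject does (not) assert."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"          # only proves control of the host name
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV"          # identity of the legal entity was vetted
    return "OV"


def address_bar_label(cert: dict) -> Optional[str]:
    """The 'Apple Inc. [US]'-style label a 2017-era browser showed for EV certs."""
    if classify_validation(cert) != "EV":
        return None
    subject = subject_fields(cert)
    return f"{subject['organizationName']} [{subject.get('countryName', '??')}]"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live lookup: TLS handshake to host and return its certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout (values are illustrative only).
DV_SAMPLE = {
    "subject": ((("commonName", "equifaxsecurity2017.example"),),),
    "subjectAltName": (("DNS", "equifaxsecurity2017.example"),),
}
OV_SAMPLE = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
}
EV_SAMPLE = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "0000000"),),       # constructed placeholder
                (("countryName", "US"),),
                (("organizationName", "Apple Inc."),),
                (("commonName", "www.apple.com"),)),
}

if __name__ == "__main__":
    for name, sample in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(name, classify_validation(sample), address_bar_label(sample))
```

One caveat worth knowing: the major browsers have since stopped showing the organization name in the address bar for EV certificates, so today the only way to see which kind of certificate a site has is to open the certificate details (or run a check like the one above). The certificate still says what was validated; the browser just no longer advertises it.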

Why is this important?

One more time, Equifax is the poster child for how to screw up.

Equifax’s official Twitter account tweeted not once, not twice but three times, an incorrect web site for people to go to.

Instead of sending people to EquifaxSecurity2017.com, they instead sent people to SecurityEquifax2017.com.

Now it turns out that this alter ego site was set up by a security researcher, so even when Equifax’s crisis communications team sent people to the wrong site, it didn’t infect their computer.  But if it was a hacker’s web site, it certainly could have.  Or asked for and stolen even more information.  Here is a look at the wrong web site.  This site proved its point so it has been taken down, but the Internet never forgets, so here is a copy from the Wayback Machine, the Internet Archive.

Notice that this web site ALSO had a green padlock and was accessed using HTTPS.

Which is why, as users, we need to look for the company name in the address bar and why, as webmasters, we need to pay a little bit more for an extended validation or EV certificate.

In this case, if, say, there was a phishing campaign and it got people to click on the link and it sent people to a bogus web site, the extended validation certificate is much harder to forge.
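The three wrong sites in this story (equifaxsucks.com, Equifaxx.com and SecurityEquifax2017.com) share one property: they use the brand name, or a one-character variant of it, without being the brand's own domain. That is something a mail gateway or a link checker can test for mechanically before a user clicks. The following is an added example, not Equifax's or any vendor's code: given a brand word and the set of domains the company actually owns, it classifies a host as official, a brand lookalike, or unrelated. The official-domain set and the brand word are assumptions for the example; the edit-distance check catches the doubled-letter and dropped-letter variants.

```python
from urllib.parse import urlsplit


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(host: str) -> str:
    """Second-level label of the host (naive: fine for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str, brand: str, official_domains: set) -> str:
    """'official', 'lookalike' (brand used but not ours) or 'unrelated'."""
    host = host.lower().strip(".")
    brand = brand.lower()
    for domain in official_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return "official"          # the real domain or a subdomain of it
    label = _registrable_label(host)
    if brand in label:
        return "lookalike"             # e.g. securityequifax2017, equifaxx
    # one-character typo, doubling or omission of the brand inside the label
    n = len(brand)
    for length in (n - 1, n, n + 1):
        for start in range(0, max(1, len(label) - length + 1)):
            window = label[start:start + length]
            if window and _edit_distance(window, brand) <= 1:
                return "lookalike"
    return "unrelated"


def classify_link(url: str, brand: str, official_domains: set) -> str:
    """Same check applied to a full URL, e.g. one pasted into a tweet."""
    host = urlsplit(url).hostname
    if not host:
        return "unrelated"
    return classify_host(host, brand, official_domains)


# Assumed for the example: the brand word and the domains the company owns.
BRAND = "equifax"
OFFICIAL = {"equifax.com", "equifaxsecurity2017.com"}

if __name__ == "__main__":
    for url in ("https://www.equifaxsecurity2017.com/",
                "https://SecurityEquifax2017.com/",
                "https://equifaxx.com/",
                "https://example.com/"):
        print(url, "->", classify_link(url, BRAND, OFFICIAL))
```

The decision rule is deliberately conservative: anything that mentions the brand but is not on the company's own list is flagged, and the list is the thing to maintain. A company that also registers the obvious variants itself (as the post suggests) can simply add them to the official set.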

Be a smart Internet user.  Look for the extended validation certificate.

Now that you are aware, as you surf the web, notice what companies have extended validation certificates.  And which ones do not.

Information for this post came from The Verge.



Legal Risks of Cloud and Collaboration Tools

Many employees use consumer grade, unmanaged cloud services such as Dropbox and Google Drive as part of their work.  This is sometimes called BYOC for Bring Your Own Cloud.  It is convenient, but is it a good idea for the business?

Loss/theft of intellectual property

One of the obvious risks of BYOC is the loss of control (AKA theft) of corporate intellectual property.  These personal cloud services make it quick and easy to steal hundreds to thousands of confidential files by merely dragging and dropping.  AND, since the account does not belong to the company, the only way the company can force an employee to let them into their account is via a court order – an expensive and dicey proposition.  By the time that order is granted and appeals are exhausted, any evidence is likely gone.

Data breach and regulatory violations

Just because your company chooses to allow employees to use BYOC (or does not stop them) does not mean that the company has no liability if the data on the employee’s personal cloud, which the company does not control, is breached.  In fact, the company is likely fully liable even though it has no authority over that data.  Violations of regulations such as HIPAA also fall on the company.

Litigation risk and electronic discovery exposure

If a company allows users to use BYOC and is involved in litigation, it is very difficult to preserve evidence that could exist on employees’ personal clouds.  If it is discovered that evidence has been destroyed or compromised, the judge could hold the company in contempt or even instruct the jury that they should assume the worst – that whatever was destroyed would have helped the plaintiffs and hurt the company.  A Florida court recently faulted a company for allowing an employee to destroy files in a personal Box account.  Also, depending on what an employee does with the files on the BYOC account, the company may lose the ability to assert attorney-client privilege.

So what is a company to do?

There are only a couple of options –

Allow BYOC and deal with the risk.  This doesn’t seem like a great solution, but it is what many companies are doing today – understanding that they are going to lose corporate intellectual property in the best of circumstances.

Outlawing BYOC.  Done right, this can work.  After all, the employee just wants to get his or her job done, but done wrong, it can really annoy the employee.

Allow but regulate.  This is likely more complicated.  The company has to decide what BYOC services are OK, create rules for using them and then enforce these rules, but it is possible for this option to work.

For most companies, providing a corporate owned solution that works at least as easily as the employee owned consumer grade solution is probably the best solution, but every company will need to decide for itself.

Information for this post came from JDSupra.


How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted”.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, let’s look at what they suggested:

  1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And, if you do this without your employer’s permission you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different from being convicted, although both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2. Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want to you to delete ANY emails.  They are going to want to back everything up first, then probably they are going to want to go through them.

5.  Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it, but if it is yours, you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7.  Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it is a company account, they will have the means to log back in.

Bottom line, if the device is owned by the company, coordinate with your manager, HR and/or IT.   If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also don’t commingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if you log out of social media or email accounts or delete your social media and email passwords, your company may have them anyway in a variety of different ways.

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.



Making Sense of the Equifax Breach

Earlier this week Equifax, the credit reporting giant, announced that hackers wandered inside their systems between May and July of this year.  143 million records were compromised.  In addition to that, credit card numbers on 200,000 people were compromised and personal identifying information on 182,000 people was also released.

Information compromised includes names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license information.

Equifax said that the hackers got in by compromising a web application.

They did say that they are going to notify certain people who are affected and also are offering their own credit monitoring service to anyone who wants it, whether they were affected by the breach or not.

Beyond that, Equifax has not said much.

Ultimately, there are going to be a lot of investigations – the states, the feds, Congress, the CFPB and out of them we may find some answers, but if we do, it will be a long time coming.

143 million represents pretty much anyone in the United States that has any credit in their name.

Equifax is offering people a year’s free credit monitoring, but your Social Security number doesn’t expire in twelve months.  All that means is that the hackers will wait a year before they start exploiting your data.

There are some things that you can do.

  1. First, Federal law allows you to get a free credit report from each of the three national credit bureaus once a year.  If you spread that out, you can get a copy of one of your credit reports every four months for the rest of your life for free.  You should do that.   You can do this by going to a web site set up for this purpose.  WARNING:  There are lots of sites that are designed to look like the free government coordinated web site.  The site to go to is AnnualCreditReport.com.   You can also call 877-322-8228 to obtain one.  In addition to the free annual report there are several other situations in which you can get a free report, such as if you are turned down for credit due to the contents of your credit report.  Some states also allow you a free annual credit report (like Colorado) in addition to the free Federal report, so if you live in one of those states, you could get a free credit report every other month.
  2. Check your bank statements regularly.
  3. Sign up for your bank’s free text messaging service.  The features vary but most of them will text you if there is a deposit or withdrawal to your account.
  4. Sign up for the free text messaging service for each of your credit cards.  You will get a message every time the card is used.
  5. Monitor your medical bills and insurance information to make sure that someone is not obtaining health care pretending to be you.
  6. If you get a notice from the IRS, do not ignore it.  It is possible that someone used your information to file a fraudulent tax return or something like that.
  7. Consider signing up for Equifax’s free credit monitoring service.  You can do that by visiting www.EquifaxSecurity2017.com.  Note that there is a clause in their terms of service that forces you to arbitrate disputes.  After a “visit” from the New York Attorney General, Equifax issued an announcement that those terms did not apply to the breach, but only to people who bought the paid version of their service.  If you do go to that site, you will be put in a queue to sign up (they could not handle 143 million people signing up in one day).  One source reported that you have to provide them with a credit card which they will bill after the free period is up if you don’t cancel.  If this is true, I WOULD NOT sign up.  You can pretty much do most of what they do with more effort by yourself and the principle of having to give them a credit card after they screwed up – well it kinda, sorta upsets me.
  8. Issue a credit freeze.  This is free and asking one bureau to do it will affect all three bureaus automatically, but there is a downside.  If you want to open an account like when you buy cell phone service, they do a credit check and if you have a freeze in place, that will fail.  In that case, you have to remove the freeze, for which they charge you and then put it back in place.

One thing that makes this breach more interesting is that three Equifax executives sold stock in recent days.  These sales were outside normal scheduled sales that are reported to the SEC in advance.  The three are:

  • CFO John Gamble – $946,000
  • Rodolfo Ploder – $250,000
  • Joseph Loughran – $584,000

These sales were not scheduled and occurred within 2-3 days after the breach was discovered but before it was announced.  I am sure that this will be part of at least some of the investigations.

Normally, when there is a breach, you know that you have given a business your credit information.  For example, after the Target breach, you could rest easy if you didn’t have a Target credit or loyalty card and you never used your credit card at a Target store.  In this case, you are not the customer.  The banks and stores that issue credit are Equifax’s customer.  You never gave Equifax your information.  This means that you have no business relationship with Equifax.  It is an unusual deal.

It also means that, unlike the Target breach, you cannot close your account in a show of disapproval.  You can’t take your business to another company because you are not their customer.

Since there are only three major national credit bureaus, businesses will likely continue to do business with them.

What is likely is major lawsuits and regulatory fines.  That is probable.  In fact, the first lawsuit has already been filed.

But this is not the first time a breach at a credit bureau has happened.  You may remember the T-Mobile breach from 2015.  That was at Experian.  And there have been others.  Not many, but some.

It is just a mess.  Stay tuned for details.

Information for this post came from CNN, The Chicago Tribune, The Washington Post, The LA Times and Bloomberg.


Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information.  This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, a month after Tigerswan was notified, the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in other words, the data was effectively abandoned and unprotected.  No one “owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people whose information was exposed and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain the data maps that document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high, and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against Tigerswan.
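A data map is only useful if someone periodically checks what the map says against what is actually configured, and for S3 the two settings that made both this bucket and the Viacom bucket listable by strangers are the bucket ACL and the bucket policy. The following is an added example (not Tigerswan's, Amazon's or Upguard's code) of that check: it takes the ACL and policy structures in the shape the S3 API returns them and reports whether either one grants access to the public groups or to a wildcard principal. The two sample buckets are constructed for this post; the bucket name is a placeholder.

```python
import json
from typing import Optional

# The two "everyone" grantees S3 recognises in an ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl: dict) -> list:
    """Return (who, permission) for every ACL grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((PUBLIC_GRANTEE_URIS[grantee["URI"]], grant.get("Permission", "")))
    return hits


def _principal_is_wildcard(principal) -> bool:
    """'*' or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list:
    """Allow statements to a wildcard principal with no Condition narrowing them."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed in IAM JSON
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


def bucket_exposure_report(name: str, acl: dict, policy: Optional[dict]) -> dict:
    """One row for the data map: is this bucket reachable by the public at all?"""
    grants = public_acl_grants(acl)
    stmts = public_policy_statements(policy or {})
    return {
        "bucket": name,
        "public_acl_grants": grants,
        "public_policy_statements": [s.get("Sid", "<no Sid>") for s in stmts],
        "exposed": bool(grants or stmts),
    }


# Constructed samples. An ACL READ grant on the bucket lets anyone list it,
# which is how an abandoned bucket full of files gets found in the first place.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes-bucket/*"}]
}""")
PRIVATE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}],
}


def sample_reports() -> list:
    return [bucket_exposure_report("example-resumes-bucket", EXPOSED_ACL, EXPOSED_POLICY),
            bucket_exposure_report("example-private-bucket", PRIVATE_ACL, None)]


if __name__ == "__main__":
    for report in sample_reports():
        print(json.dumps(report, indent=2))
```

With real buckets the inputs come from `get_bucket_acl` and `get_bucket_policy` in boto3 (the policy arrives as a JSON string under the `Policy` key, so parse it first), run for every bucket in every account the company has, including accounts vendors operate on its behalf. Amazon has since added an account-level Block Public Access setting; turning it on is the simplest way to make an "exposed" row in this report impossible.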

Information for this post came from Upguard and ZDNet.

