Category Archives: Best Practices

Most Mobile Apps Have Encryption Issues

Veracode, a company who assists developers to improve software code quality analyzes the data of their customer’s testing and releases summary data to help the industry understand code quality issues.  Below are a few scary results from their most recent report.

87% of Android apps and 80% of iOS apps have cryptographic issues.  This means that while mobile developers want to create secure applications, they really do not understand how to do that and worse yet, these problems are not detected via the developer’s internal testing processes.

The language that the applications are written in affects code quality.  Over 50% of applications written in Microsoft ASP, ColdFusion and PHP had at least one SQL injection vulnerability on initial assessment compared to 29% of .Net applications and 21% of Java applications.

in addition, Veracode found a 28% higher fix rate for bugs found by static code analysis vs. dynamic code analysis.  Why this is true is not clear and it does not mean that developers should abandon dynamic code analysis.

In looking at the cryptographic issues found in mobile apps, Veracode found these types of issues:

  • Insufficient entropy – 67%
  • Improper validation of certificates – 50%
  • Clear text storage of sensitive information – 41%
  • Use of broken or risky crypto algorithm – 40%

Additional issues are clear text storage on hard disk, inadequate key length, use of hard coded keys, improper verification of cyptographic signature, improper following of a certificate’s chain of trust and missing encryption of sensitive data.

The Veracode report linked below provides additional detail, but what is clear is that while many developers want to protect their user’s information, they don’t seem to be able to do it.  On top of that, testing only detects the presence of bugs, not the absence, meaning that there are likely additional security bugs that were not detected.

Given that the hackers are getting better, the developers need to get better as well.   Veracode also found that developer training improved the fix rate of security bugs by 30%.  That is pretty impressive.  Time for developers to evolve.

Information for this post came from Veracode and SC Magazine.

Facebooktwitterredditlinkedinmailby feather

Why Patching Software Is So Important

Last week Adobe release a set of patches fixing 78 vulnerabilities.  At the same time, Microsoft released patches for 71 vulnerabilities – three-quarters of which Microsoft rated as CRITICAL.

Two vendors, one month, 149 bugs patched.

Think about the amount of software that is out there.  If every other product is as reliable as Microsoft’s and Adobe’s software, that means that there should be millions of patches released every month.

Of course, some vendors (Oracle for example) don’t release patches every month.  Oracle releases their patches quarterly and typically there are one- to two-hundred bugs fixed in each Oracle patch release.

Other vendors don’t release patches at all.  For example, if you have an old iPhone or Android phone – more than say two or three releases of the software old – the vendors don’t issue patches for them.  Many people continue to use old phones oblivious to the fact that the software is no longer being patched.

In the case of this month’s Microsoft patch fest, while some of the patches affect Windows, many of them affect Internet Explorer (30 of them) and Microsoft’s new browser Edge (15 bugs).  The fact that IE or Edge is installed on your computer is enough to likely make the computer vulnerable.

The challenge for users and businesses alike is that they must know each piece of software installed on each computer – desktop, laptop, server, phone, tablet, router, firewall – you name it.  Then they have to figure out how to check for new patches.

After you find out that there are new patches, you have to decide whether to install the patches now or wait.  Why wait?  In this month’s Microsoft patch fest are some patches that affect Microsoft Outlook.  Some users are reporting that Outlook has stopped working after they installed the patches.  Why not wait?  Because as soon as the patches are released, hackers start examining those patches to see what has been fixed – so that they can attack users who have not yet installed those patches.  In many organizations, some patches never get installed.

If you are able to find out that there are patches and that you want to install them, you have to figure out HOW to install them.  Sometimes that is not easy.

When was the last time you patched your internet gateway (modem or router?

If you have a WiFi access point, when was the last time you patched that device?

Do you even know HOW to do that?

You get the idea.

I don’t have a great answer, but even though it has downsides, I recommend that most users let programs check for patches and install them automatically.

The problem is, for example, if you don’t  use a program but it is installed on your computer, that program can’t check for patches.  Some programs install a small task that runs in the background that only checks for new patches and warns you.  Not all programs do this,  If the program is installed but not patched, the bugs are often still a valid attack vector.  Not always, but usually.

Some programs don’t automatically check for updates and others do not check for patches even when you first start them.

What this means is that the onus is on users.  Many users install software because it seems cool.  Then they don’t like it.  But they don’t uninstall it.  That software is highly unlikely to be patched.

I wish I had a better answer, but I don’t.  Until software makers get their collective acts together, caveat emptor.  The ball is  in your court.

 

Information for this post came from Krebs On Security.

Facebooktwitterredditlinkedinmailby feather

Mark Weatherford Speaks At TiE Rockies

Mark Weatherford, first deputy undersecretary for cybersecurity at the Department of Homeland Security, chief information security officer for the State of California and chief security officer for the State of Colorado, among other jobs, spoke at TiE Rockies, an entrepreneur group based in Metro Denver.

Mark spoke on his views regarding cybersecurity.

A video of his talk is available on YouTube and runs about an hour.  It can be found here.

Facebooktwitterredditlinkedinmailby feather

Why Hackers Win So Easily

It might be a fair fight if companies would do just a few of the right things, but for a lot of them, they do not.

There is a form of ransomware going around now that attacks web sites rather than workstations.  Encrypting all the data on your web site will probably make you willing to pay a bigger ransom than Joe’s PC in the marketing department.  This particular attack doesn’t try to compromise the operating system; it goes after buggy plugins and addons that companies don’t seem to be able to patch.  In this case, described by Brian Krebs in his blog, the ransomware writers are going after plugins.  One they found is a shopping cart addon called Magento.  There was a patch released in February of this year and the vulnerability was disclosed in April, but still many web sites haven’t installed the patch.  PATCHING JUST THE OPERATING SYSTEM IS NOT ENOUGH – YOU HAVE TO PATCH EACH AND EVERY TOOL THAT YOU USE AND YOU HAVE TO DO IT QUICKLY.

For some ransomware victims, the problem is even bigger.  Apparently the Power Worm ransomware has a bug in it so that even if you pay the ransom, the attacker is unable to decrypt your files.

Given that this is your web site, having it offline, even for hours (and if you don’t have good backups, then maybe for days or more) is likely a problem for your business.

Now back to how the hackers get in.

They use the unpatched vulnerabilities to hack your own company’s web site.  Then they add a new page that looks like all of the other pages on your site.  Finally, they phish your employees to get them to click on a link to a web page on your own company’s web site and poof, they are in.  Once they control one machine, they escalate their permissions and propagate themselves all over your network.  It can happen VERY quickly.

So, what mistakes do companies make?

  1. Underestimate the risk of unsecure web applications. This means that you have to have a security development life cycle, test your applications and apply patches, among other things.
  2. Lack of continuous monitoring.  If you are not watching in real time what is going on in your network, you have made it pretty easy for the attackers.   Testing your web site once or even twice a year is a guaranteed fail.
  3. Lack of a disaster recovery, business continuity and incident response plan.   If you don’t plan for it and don’t test the plan, then when the kaka hits the rotating-air-movement-devices (aka when the sh*t hits the fan), you will be that proverbial deer in the headlight.
  4. If convenience or features that marketing wants always win out over security, then you give the hackers a free pass.  That does not mean that security always wins, but you need to have a clear process for evaluating security issues and understanding what risks you are willing to accept and which ones you are not willing to.
  5. Not dealing with third party security issues.  Whether it is vendor risk management (think the Target breach, Home Depot Breach or OPM breach) or third party software bugs (like the Magento bug described above), problems with a third party are your problems and if your contracts are not written correctly, you probably don’t even have any recourse to go after them for damages.  Most software licenses say that they don’t warrant that their software works correctly – you use it at your own risk.  If that software (or a third party vendor) lets a hacker in, good luck getting any money out of them.

So this is an opportunity to tighten things up and make it a little harder for the bad guys.  Maybe they will go after some other company rather than yours.

Information for this post came from Krebs on Security and CSO.

Facebooktwitterredditlinkedinmailby feather

Microsoft Internet Explorer Users Have Six Weeks To Get Current

January 12th is the deadline for Windows Internet Explorer users to upgrade to the current version of IE or lose support and patches.

Last June Microsoft told the nearly 370 million IE users that they had until January to switch to IE 11.  There are a couple of exceptions.  Windows Vista and Windows  Server 2008 users can run IE9 and Windows Server 2012 users can run IE10.  Everyone else has to upgrade to IE 11 or Microsoft Edge.

Over a hundred million users were running IE9 in November.  Over 70 million users were running IE10.

The good news is that those browsers will continue to work – but Microsoft won’t patch any bugs that hackers find.

And you can count on the fact that hackers will start targeting those users knowing that they are on their own.

Likely the biggest groups of users using elderly versions of IE are large corporations and government entities at all levels – those groups don’t deal with change well.

So, if you are one of those users who are using an outdated version of IE, then you should either upgrade or use an alternative browser such as Chrome or Firefox.

And if you work for one of those organizations that won’t let you do that, hope that they paid for extended support, assuming Microsoft is offering it – which it looks like they are not offering.

For enterprises that need older IE version compatibility, Microsoft has built a number of addins that allow IE11 to act like older versions.  See the article below for more details on that.

Consider yourself alerted.

Information for this post came from Computer World.

Facebooktwitterredditlinkedinmailby feather

Encryption Keys Hard Coded In IoT Devices

Researchers from the security firm SEC Consult did a little research.  They reverse engineered a number of routers, IP cameras, VoIP phones and other embedded devices.

They discovered two things:

  1. Manufacturers seem to have a bad habit of hard coding secret encryption keys inside the firmware of their Internet of Things devices.
  2. Manufacturers of IoT devices do not understand the world of software or secure software development.

As a user of IoT devices, this means that until they do understand security (if they ever do), you are going to have to protect yourself.

The researchers looked at the firmware inside over 4,000 different IoT devices and found over 580 different “secret” encryption keys in these devices.  These keys allow someone – anyone – to establish an encrypted session with the device.  It might be a web session or it might be a different Internet protocol such as SSH.

The problem is that IF the researchers were able to find the keys, so could the bad guys or hostile governments or … you name it.

Going back to these 580 keys that the researchers found.  They then correlated those keys to devices actually on the Internet.  230 of those keys controlled over 4 million Internet connected devices.

If you have those keys, you can pretend that you are the devices.  You can decrypt traffic.  You can, ultimately, with a little work, take over the device.  If you can take over the device, you can take over the network that the device is on – like your home network or your business network.

All this because the manufacturers reuse secret keys.  Kind of like when you use the same password on Facebook and email – only 4 million times worse.

Read the article if you want more details, but hopefully, you get the general idea.

So what do you do?  Luckily, unlike yesterday’s post, there are actually simple, concrete things that you can do.

  1. DO NOT connect your <pick a device> to the Internet.  Do you REALLY need to web surf on your refrigerator.  If it is not connected, it cannot be easily hacked.
  2. For some things, they are not very useful if they are not connected.  For example, if you have a burglar alarm that calls the police over an Internet connection, then not connecting it is not an option.  In those cases, you do need to connect them
  3. IF you have the option, isolate IoT devices from the rest of the network.  For businesses with fancy firewalls, you can segment those devices into a zone of their own.  At home you may have cable Internet.  Buy a DSL connection from the phone company for $15 a month and put all your IoT devices on that slow DSL connection.  They likely don’t care.  You can’t do the firewall trick that businesses do because unlike the expensive business firewall, even though it says in the manual that it has a DMZ, it doesn’t really.  They are lying.  They have a function that sorta kinda acts like a DMZ, but just like in the TV commercial, sorta kinda isn’t the same thing.
  4. Inventory your connected IoT devices.  You may have a baby monitor, a security camera, a Ring (R) doorbell and a smart TV.  Do you even realize how many IoT devices you have on your network?
  5. Log on to each device and attempt to disable as many unneeded services as possible.  Don’t fool yourself into thinking this is perfect – it is not.  But, in this case, less is better.

And finally, if you have a geek friend, buy your friend dinner and ask him or her to look at things and make some suggestions.  It is likely a cheap dinner.

Just sayin’.

Information for this post came from Infoworld.

Facebooktwitterredditlinkedinmailby feather