Category Archives: Security Practices

The Evils of Encryption

People who know me know that I am always railing against people who want to curb encryption, but encryption does present legitimate problems.

Firefox Send is a great program that allows users to encrypt data – large files – and send a link to a recipient to allow them to download the file. I use it regularly. Well, I used to.

This week Mozilla shut it down – hopefully temporarily – while they figure out a solution. What is the problem?

The service presents several problems; here are a couple.

For example, you can set Send to delete the file after ONE download. That means that investigators who want to look at it to figure out its origin can’t, because it is gone.

Firefox URLs are typically trusted inside organizations, so in the name of efficiency, they might not be scanned.

Gangs don’t have to figure out an anonymous way to deliver payloads – even big ones. Firefox does it for them.

Files can be password protected, making it impossible for corporate man-in-the-middle decryption (TLS inspection) to scan the files.

While Mozilla is being a good corporate citizen and took the service down until they can figure out how to deal with some of these issues, they are not issues limited to Send. Any file transfer service with similar features is equally vulnerable.

At the corporate level, one solution is easy. Consider Send malicious (even when it isn’t) and block it via a deny-list or firewall rule. Kind of heavy handed. Of course you have to do this for every single competitor of Send.

Also of course, you then need to give users an approved alternative.

It would also seem that you can get your arms around this by always scanning Send attachments.

Nonetheless, apparently it is enough of a magnet for hackers that Firefox shut it down.

Is your organization safe from this type of attack? I suggest you take steps now before it is used against you. Credit: ZDNet

The New Normal – Not So Secure

Facebook says that 50% of its employees could be working remotely in 5 years.

My guess is that this could be the new normal, which is not so good if you own a lot of expensive commercial real estate in a big downtown.

Zuck also says that employees who move from, say, San Francisco or New York and work remotely from Kansas may have their pay “adjusted”. Likely downward, which is another motivation for companies – lower payroll, which means lower payroll taxes and less rent.

I think that is going to be the new normal. Companies have figured out over the last 3 months that people can be productive without sitting in a cube. In some cases, more productive. And, if you remove the distractions of kids at home and the economy in the toilet, they might be a lot more productive.

Which brings me to today’s story.

IBM released a study on work from home security. IBM is not some fly-by-night company. Sure everyone can be wrong sometimes, but this report aligns with a lot of other information I have seen. Here are some of the details.

  • Over half of the people they asked were not aware of, or were unsure of, any company security policies in the following areas (with slightly lower percentages for other policies):
    • Mobile device management (53%)
    • Password managers (51%)
    • Collaboration tools (52%)
  • 45% said that their employer had not provided any special training on protecting the security of devices while working from home
  • 93% said they are confident of their company’s ability to keep information secure even though 52% are using their personal computers for work, often with no new security tools.
  • More than 50% of new work from home employees are using their home computers for work but 61% said that their employer had not given them any tools to secure those devices.

So what does this mean?

It means that, if some percentage of employees will be permanently working from home, you need to decide what that requires of your security program.

We already know that hackers are taking advantage of the current situation. If that remains “profitable” (which means money or information), they will continue.

Attacks after money, such as business email compromise, spear phishing and whale phishing, will likely be detected soon after the attack is launched.

Attacks which only seek to stay inside your system undetected, well, those will work hard to remain undetected. The longest such attack I am familiar with remained undetected for 12 years. The company eventually filed for bankruptcy and was sold for spare change.

So, as managers, it is your call. Do you beef up your security program? Or, do you collect spare change?

Your choice.

Credit: Help Net Security

Is Your Mobile Phone App Secure? Probably Not!

More than three-fourths of mobile banking vulnerabilities can be exploited without physical access to the phone.

A new report from Positive Technologies has a number of sobering facts:

  • 100 percent of mobile banking apps contain code vulnerabilities due to a lack of code obfuscation.
  • NONE of the mobile banking apps tested had an acceptable level of protection
  • Attackers can access user data on almost all tested apps
  • In 13 out of 14 apps, hackers can access data from the client side
  • Half of the banking apps studied were vulnerable to fraud and funds theft
  • Hackers were able to steal user credentials from five out of seven banks tested

And the list goes on.

From the perspective of being a user of apps, this is a bit disconcerting.

From the point of view of being a company who may be developing apps, this is a bit of a wake-up call.

If you think about the amount of developer support that big banks have and they are still not developing secure apps, what does that mean for small to medium size companies that do not have that infrastructure?

As a user you are kind of dependent on the developers to do it right and it does not appear that the developers are doing such a good job at that. You can look at reviews, but that is of limited value.

If you are using the apps for your company, you can and should test the application’s security and if the app contains sensitive data or acts as an interface to sensitive data, that is probably not optional.

If you are writing apps or, just as importantly, paying others to write apps on your behalf, there are, at least, two things to do.

First, make sure the development team has a well implemented secure software development lifecycle (SSDL) program. Don’t just trust the developers when they say “sure, we do.” Verify that. If you need help either developing or testing a secure software development lifecycle, give us a call.

Second, if you are not already conducting application penetration tests for every major release of applications that you develop or have developed for you, you need to start doing that. Yes, that costs money. But so does having a breach. If your app accesses data of California residents, remember that they can now sue you for $750 per record compromised without showing that they were damaged.

A 1,000 record breach equals a $750,000 liability. Not counting attorney’s fees and reputation damage. You can do a lot of testing for that amount. 1,000 records is a tiny breach. You are not Capital One, but their breach exposed 105 million records. You do the math.

The maturity level of developing apps today is similar to the maturity level of developing web software in around the year 2000. That alone should scare you.

Some questions you can ask your development team:

  • Do you have a dedicated software testing staff?
  • Are they trained to test software for SECURITY FLAWS or only for functionality?
  • Are you using automated testing tools?
  • Are your developers trained to develop software securely?
  • Does the development team have a security development manual? Something that is written down and part of their business process?
  • Who signs off on the security of apps before release? What is their security expertise?

The evidence is that app security is not so great. What are you doing to improve it? Credit: SC Magazine

The Internet of Trouble (IoT)

As IoT devices proliferate, a lot of them don’t get updated. Ever.

Some IoT devices automatically update themselves, but a lot of them do not have the smarts to do that.

Hopefully all of them talk to their controller over HTTPS – encrypted traffic. But there is a problem with that. HTTPS certificates expire, and the root certificate that is used to verify the validity of those certificates expires too.

When that happens, the TV or fridge or light bulb can’t talk to its controller.

When that occurs, one of two things happens – (a) the smart device turns into a very dumb device or (b) the smart device turns into a non-working device.

This is exactly what happened last month to some Roku devices. They stopped working as a result. The good news is that Roku does have an update mechanism. It is not clear how many tech support calls they got as a result.

But is tech support even available for that formerly-smart device that you bought a few years ago? If it is, is it free or does it cost?

This is not limited to your refrigerator. It may include older phones too. It also affected BBC’s pay TV service recently.

Until recently, the problem was only theoretical, but after the issues during the last month, the problem is no longer theoretical.

One date to keep in mind is September 30, 2021. This is when the signing certificate for many Let’s Encrypt certificates expires. Replacing the certificate on the server does not solve this problem; you have to replace the root certificate on every single client that needs to access those servers.
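Added example (not from the original post): a standard-library Python check that flags trusted roots in a device's CA store that have already expired or expire within a chosen window, which is the inventory step before rolling a replacement root out to clients. The SAMPLE_ROOTS entries are constructed to mirror the dict shape ssl.SSLContext.get_ca_certs() returns; their names and dates are illustrative, not real certificate data.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns for
# each loaded root. Names and dates are illustrative, not real CA data; the
# first entry is given the expiry date the post warns about.
SAMPLE_ROOTS = [
    {"subject": ((("commonName", "Old Root CA (constructed)"),),),
     "notBefore": "Sep 30 00:00:00 2000 GMT",
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Newer Root CA (constructed)"),),),
     "notBefore": "Jun 14 11:04:38 2015 GMT",
     "notAfter": "Jun 14 11:04:38 2035 GMT"},
]

def common_name(cert):
    """Pull commonName out of the nested subject tuples, if present."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def expiring_roots(roots, now=None, within_days=365):
    """Return [(common_name, notAfter, whole days left)] for every root that
    has already expired (negative days) or expires within within_days.
    A client whose only trusted anchor for a server's chain is on this list
    stops validating that server once the date passes, whatever the server
    itself does."""
    now = time.time() if now is None else now
    flagged = []
    for cert in roots:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        days_left = int((not_after - now) // 86400)
        if days_left <= within_days:
            flagged.append((common_name(cert), cert["notAfter"], days_left))
    return flagged

def audit_local_trust_store(within_days=365):
    """Audit the roots this host's OpenSSL build has loaded. Caveat: Python's
    get_ca_certs() lists roots loaded from a bundle file; roots in a hashed
    CA directory only show up after they have been used once."""
    ctx = ssl.create_default_context()
    return expiring_roots(ctx.get_ca_certs(), within_days=within_days)

if __name__ == "__main__":
    for cn, not_after, days in expiring_roots(SAMPLE_ROOTS):
        print(f"{cn}: expires {not_after} ({days} days left)")
```

Run the same function over a root bundle copied off a device to get the list of anchors that need replacing before they lapse.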

This is going to be a bigger problem over the next few years, so if you are responsible for this at your company, come up with a plan. Credit: The Register

Minneapolis City Web Sites Hit by Denial of Service Attacks

Last Thursday, early in the morning, a number of City of Minneapolis web sites were disabled by denial of service attacks. The attacks were short-lived and the city was able to restore most of the services within a few hours. It is certainly possible that we will see more cyberattacks as a way to continue civil disobedience. Credit: The Hill

GA Gov. Kemp’s (R) Claims that Dems Hacked his SoS Web Site In 2018 Are False

Two days before the 2018 election, then GA Secretary of State Kemp opened an investigation into what he said was a failed hacking attempt of voter registration systems by the Democratic Party.

Newly released case files from the GBI say that there was no such hacking attempt. The report says that Kemp confused an authorized and planned security test by HOMELAND SECURITY with a hack. Kemp’s CIO had approved the scan by DHS.

The GBI did say that there were significant security holes in the web site at the time, even though Kemp said that patches to the web site two days before the election were standard practice. No one in their right mind would make changes to critical election systems two days before the election unless it was an emergency. Credit: Atlanta Journal Constitution

Chinese and Iranians Hacking Biden and Trump

Google’s Threat Analysis Group (TAG) warned the campaigns that they were seeing the Chinese targeting Biden and the Iranians targeting Trump. Currently, there is no sign of compromise, but we still have months to go before the election. Not only is there lots of information to steal, but they have the possibility of impacting the election or causing a loss of trust by voters in the process. Credit: SC Magazine

FBI Says Big Business Email Compromise Attacks on the Upswing

The FBI has reports of multiple fraudulent invoice BEC attacks in April and May. In one case hackers used a trusted vendor relationship and a transportation company to steal $1.5 million. They are reporting multiple incidents in different industries, so caution is advised. Credit: FBI Liaison Information Reports 200605-007, security level GREEN.

Cybersecurity and Work from Home

Reports are that reported breaches are down. This is likely not because there are fewer breaches, just fewer reports.

Wait six months and see what the breach reports look like.

Security firm Tessian released their State of Data Loss report and here are some of the things they found.

  • 52 percent of employees feel they can get away with riskier behavior at home like sharing confidential files by email.
  • Part of the reason for not following safe practices is that many employees are using their own computers rather than a company issued one.
  • Another reason is that security and IT are not watching them.
  • Employees have more distractions at home, making it difficult to concentrate. Distractions include kids, roommates and not being in their normal office environment.
  • Some employees say they are being forced to cut security corners because they are under pressure to get the job done.
  • Half of the people said that they had to find workarounds to the rules in order to work efficiently.

None of this is news.

Employers are the ones that will get to pay for this in the long run. If an employee causes a breach by cutting corners you may fire them (and you may also get sued by them because they may say that you forced them to cut corners – whether true or not), but even if you do, you will get to write that check for thousands or millions of dollars. And suffer the reputation damage.

Many companies do not have good (or any) real time security monitoring and alerting systems in place. The effect of this is that even if you are breached, you won’t know about it.

Do you know the most common way companies find out about a breach?

YUP, it is when some third party like the POLICE, FBI or CREDIT CARD COMPANIES tell them they have been breached.

So while no one really wants to spend the time and money right now, now is the time that you have to spend time and money.

Alternatively, you can spend that money in breach response.

At least 10 times more money.

Assuming you don’t get sued.

Or you don’t lose customers.

Credit: ZDNet