iPhone/iPad user’s turn in the SSL bug spotlight

For those of you who read the security news, you know that the last 12 months have brought an amazing number of SSL bugs to the surface (see a few of my blog posts here and here and here).  Now iPhone and iPad users have their turn to deal with an SSL bug.

The bug, in AFNetworking, an open source toolkit that developers use to connect their apps to the web, disabled validation of the SSL certificates that iApps received from a server.  What that means is that any old certificate would be just fine.  One from your bank.  Or a hacker.  Or anyone else.

If I can get on my soapbox for just one minute, this is another example of software supply chain issues, just like the Lenovo/Superfish bug.  The developer (Uber is one, for example) used a third party library.  In this case, they may have tested the heck out of it – or not.  When they first started using it, it was reasonably secure.  Then the library came out with an update that was not secure.  Now Uber’s app is vulnerable.  Worse yet, even if Uber did test the updated app, it is unlikely that they would have tested for the condition that made this app vulnerable.  The software supply chain problem is not going away any time soon.

The good news is that the bug didn’t exist for long.  The bug was created with the software release dated Feb 9, 2015 and fixed with a release dated March 26, 2015 – a period of about six weeks.

Now the bad news.  There are over 100,000 apps in the iStore that use this library.  However, we only have to deal with ones that were updated during this period (technically, this may not really be true because a developer could download the affected library during this window and not update it before releasing it outside this window, but this is the best indicator we have) – that represents about 20,000 apps.  Next we have to narrow it down to which, of the 20,000, used the SSL features of AFNetworking.  That is only about a thousand apps.

Now the badder news – or maybe gooder.  The affected apps include ones from Yahoo, Microsoft, Uber, Citrix and others.  Which means while over a million downloads were affected, those big companies will likely read the newspaper and update their apps quickly.

SourceDNA has created a web site where you can enter a developer name (such as Microsoft) and see what apps they have and whether they are affected.  This means that you have to enter each developer’s name and read the results – a time consuming effort.  What would be much nicer is if someone would write an app to look at what is installed on your iDevice and tell you what is affected.  That I have not found yet.  Still, it is better than nothing.  The website for SourceDNA’s lookup is here.

For more details, see this article in ITWorld.


Why are companies losing the cyber breach battle?

Two articles in Bloomberg BNA today point to some of the reasons.  First, a panel at the ABA Business Law Section spring meeting said that boards have a fiduciary obligation to assure a reasonable information technology reporting system for cybersecurity threats and breaches.  They said that this can be an issue for some companies because “most directors cannot even spell IT”.  Well, that’s direct.

The panel proposed a few questions that the board should be asking management such as “how have you prepared for a security incident?” and “how do we keep the business going if breached?” among others.

The article (subscription required) goes on to talk about cybersecurity insurance and it goes further than just cyber liability insurance.

The panel agreed that prevention is almost impossible, but how the board RESPONDS to a breach is just as important.

The panel contrasted the board at Target (characterized as “the board effectively fell asleep”) and Wyndham (the board held 14 meetings and the audit committee 16 to deal with the breach).

While the Delaware Chancery Court held that only a sustained or systematic failure of the board to exercise oversight will create liability, one panelist suggested that “Looking to see what other similarly situated companies are doing is important because that may become the standard of care”.

Boards can no longer say that they didn’t understand the risk and that is why they were not actively managing cyber risk.

The other article (subscription required) analyzed Verizon’s 2014 data breach report (available here).

Verizon says nearly a quarter of the people who get sent phishing emails open them and 11 percent proceed to download the attachments.  This even includes fake emails from a bank asking them for a password.

In 2012, Columbia sent out (fake) phishing emails to 2,000 faculty, students and staff about a bogus iPad promotion.  176 of them opened the email and clicked on the link.  The clickers were then told that their action made them very susceptible to phishing attacks.

Three weeks later, the school sent a second email to those 176 people and 10 of them opened the email and clicked on the link.

A few weeks later, another round of phishing emails and 3 people still opened them and clicked on the link.

Given that it only takes one person to do that and infect the company, what are the odds that a large business can make sure that ZERO people open that email and click on the link, assuming clicking is even required?

Marcus Ranum, a well-known security consultant, put it this way:

Ranum said it costs companies more in the long run to have to continually react to intrusions than it would to steer clear of threats altogether by putting more resources into better detection. “Your seat belt and air bags are great, and you’re stupid if you don’t use them,” he says. “But it’s smarter to avoid the semitrailer in the first place.”

Food for thought.


Do you keep your car keys in the freezer? Maybe you should!

A recent Network World article talks about the world of high tech auto theft.

Using a $17 amplifier, thieves were able to boost the signal between your car and your key fob sitting on the kitchen table and convince your car to open up.

The article has links to several other articles including one that talks about cloning a high end BMW with a blank key in less than 3 minutes.  Break a window (and block the alarm going off too), plug something into the diagnostic port near the steering wheel and clone the key.  Then just plug it in and drive off.  Apparently hundreds of BMWs have been stolen this way in Europe.

And the freezer?  Apparently the freezer acts as a shield for the radio waves and the amplifiers don’t work.

I suspect this is more difficult than it seems and requires a degree of skill, but given the payoff for stealing the car – the crooks are working on it.  And the cops don’t seem to have a handle on it – sometimes blaming the car owner for leaving the car unlocked.

In one video, the crook opened the car, stole a laptop out of the back seat and a $15,000 custom bicycle out of the hatch.  This problem is easy to solve – don’t leave valuables in your car.  Oh, and the considerate crook even locked the car again when he left.  All caught on video.


How One Tweet Ruined A Career

As reported in the New York Times, Justine Sacco became an instantaneous celebrity when she sent out a Tweet prior to boarding a flight to South Africa from JFK.  Social media can be both powerful and cruel.  In this case, it changed Justine’s life.

The Tweet, along with one of the many photos of her, is shown below and can be found by merely entering her name in your favorite search engine.  Prior to sending this tweet, she likely was invisible to the search engines.


The Tweet was at best ill-advised, at worst inappropriate.  Justine should have known better – she was a senior director of corporate communications for IAC, the huge Internet brand that owns over 150 Internet companies including Vimeo, Dictionary.com, HomeAdvisor.com and many others.  And social media can be exceptionally cruel.

As she checked her phone, she did not see any responses to her Tweet as she only had 170 followers.

What she did not know is that while she slept on the 11 hour flight, her tweet had become the number one trending Tweet in the world.  Someone forwarded it to Sam Biddle, editor of Valleywag, and he retweeted it to his 15,000 followers.  The rest is history.

Needless to say, she lost her job and her life was turned upside down.  For more details, see the New York Times story here.

Months later she told the NY Times reporter that she couldn’t even date someone because, of course, you always Google a new date.

She went to Ethiopia for a month to hide, but then returned to look for a job in New York.  Sam Biddle found out about her new job and sent out another (nasty) Tweet to his followers:

“Sacco, who apparently spent the last month hiding in Ethiopia after infuriating our species with an idiotic AIDS joke, is now a ‘marketing and promotion’ director at Hot or Not.”  “How perfect!” he wrote. “Two lousy has-beens, gunning for a comeback together.”

One year later, on the anniversary of the event, Biddle did post an apology on Gawker.

She, not surprisingly, is not alone.

This is the power of social media and it is amazing.  It can take up causes and tear down leaders.  It can also make something very small (a wisecrack to Justine’s small circle of friends) extremely large (THE #1 trending tweet in the world).

So next time you are getting ready to press the enter button on that snarky Tweet or Facebook post, think twice about it.  It could be a life altering experience.


Wall Street Needs Better Safeguards Against Hackers

The International Business Times is reporting that Benjamin Lawsky, New York State’s top bank cop, surveyed 40 banks and found that fewer than half regularly inspect the security systems of their outside vendors.  Both the Target and Home Depot breaches were caused by compromised third party vendors.

Regulators are concerned that light oversight of banks’ vendors, who are connected to the banking network, could have grave consequences.  Regulators are concerned that hackers could cause a systemic meltdown.

Lawsky’s office is developing guidelines around bank vendor security practices.  While he did say that banks are not to blame for a rapidly changing cybersecurity landscape, he also said that European banks are doing a better job of securing third party relationships than U.S. banks are.

Translating that – expect more regulations in the area of third party connections.

While Lawsky’s office only regulates banks, brokerage firms and insurance companies and only those licensed to do business in New York State, he is often a canary in the coal mine for other regulators.

Even if you do not fall under Lawsky’s supervision, now is probably a good time to review your organization’s practices regarding third party relationships.  It is a small step from a hacked vendor to your organization being hacked.


PCI Council Releases New Version of Payment Card Security Standard

The PCI Council normally releases a new version of the standard which governs merchants that accept credit cards once every three years.  Given that version 3.0 came out in January, everybody thought they were safe for a while.  Version 3.1 was released today and even though merchants have 14 months to become compliant, there is work that they have to do between now and June 2016 (see article).

SSL or secure sockets layer and its cousin TLS or Transport Layer Security are the underlying protocols that protect all of our credit card transactions, online and often in stores too.  Unfortunately, there have been a number of major security issues with SSL and what they call the early versions of TLS (1.0 and 1.1 in particular).  These problems caused the PCI Council to release version 3.1 so quickly after 3.0.

Most small merchants rely on a packaged system, and while they are still required to be compliant, what that will mostly mean is asking their vendors to certify that they are compliant and using that evidence in the documentation the merchant creates to satisfy their credit card accepting bank.

In what is an unusual move for the PCI Council, merchants are prohibited from implementing new systems using these non-secure protocols, effective immediately.

This standard says that unless you can prove that your installation of SSL or early TLS is immune to all of the known attacks, current and future, you have to replace it with a secure version.

In addition, you must document your plan to migrate away from SSL and early TLS and how you are going to mitigate the risk in the meantime.
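An added example, my own and not from the PCI Council or from any of the articles linked on this page: a small audit of a Python `ssl.SSLContext` for the two weaknesses this page discusses. The first is a client that accepts any certificate, which is what the AFNetworking bug described in the post at the top of this page amounted to; the second is a protocol floor that still admits SSL or early TLS, which is what version 3.1 now prohibits for new systems. The "weak" context is constructed here purely for illustration, and the audit rules, function names and the decision to treat `TLSVersion.MINIMUM_SUPPORTED` as weak are my own assumptions.

```python
import ssl
from typing import List

# Protocol floors that PCI DSS 3.1 groups under "SSL and early TLS".
# TLSVersion.MINIMUM_SUPPORTED means "whatever the local OpenSSL build allows",
# which may include SSLv3 or TLS 1.0, so this audit treats it as weak too
# (my assumption, not a PCI rule).
WEAK_FLOORS = {
    ssl.TLSVersion.MINIMUM_SUPPORTED,
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
}


def audit_context(ctx: ssl.SSLContext, is_client: bool = True) -> List[str]:
    """Return human-readable findings for a context; an empty list means clean."""
    findings = []
    if is_client:
        # CERT_NONE is the AFNetworking failure mode: the server may present
        # any certificate at all and the handshake still succeeds.
        if ctx.verify_mode == ssl.CERT_NONE:
            findings.append("accepts any server certificate (verify_mode=CERT_NONE)")
        # A chain can be valid and still be issued to some other host; without
        # hostname matching, a certificate for other.example is accepted when
        # the app meant to talk to bank.example.
        elif not ctx.check_hostname:
            findings.append("does not match certificate to hostname (check_hostname=False)")
    if ctx.minimum_version in WEAK_FLOORS:
        findings.append(
            f"allows SSL/early TLS (minimum_version={ctx.minimum_version.name})"
        )
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Constructed for illustration: what the buggy AFNetworking behaviour amounts to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is "just fine"
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no protocol floor at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Chain verified against the system trust store, hostname checked, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pci_server_context() -> ssl.SSLContext:
    """Server side of a new system: a TLS 1.2 floor is what removes SSL/early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx, is_client in (
        ("weak client", weak_client_context(), True),
        ("hardened client", hardened_client_context(), True),
        ("PCI server", pci_server_context(), False),
    ):
        print(f"{label}: {audit_context(ctx, is_client) or ['no findings']}")
```

The hostname check is reported separately from chain verification on purpose: a client that validates the chain but not the name still lets a certificate issued to some other site stand in for the one the app meant to reach, so both settings have to be on before a client is actually doing what the PCI standard (and common sense) expects.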

While these moves are really required in order to keep consumers using their credit cards (i.e. to make sure that consumers are confident in the protections), it is still a major pain in the neck for businesses.

Also, the requirement that ALL businesses do penetration testing that was started in PCI 3.0 is clarified in PCI 3.1.  For businesses, this is a king size pain in the tush because penetration testing (or pen testing) is significantly more complex (and hence expensive) than what most businesses were doing before, which is checking for known vulnerabilities.

Pen testing must be conducted from both inside the business and from the outside (Internet side) and it must cover the entire cardholder data environment, the controls that limit that environment and must use a recognized testing framework like NIST SP800-115.  These requirements go into effect this July (see article).

All in all, this is a significant effort, and while small merchants used to be exempted from some of these requirements, this is no longer the case.  This likely will require specific technical expertise to be brought in or contracted for.
