Just In Case You Thought Two Factor Authentication Was a Silver Bullet

I will start with the spoiler – it is not.

Pentesters and hackers now have a new tool in their arsenal to defeat two factor authentication.

The tool was just released at the Hack In The Box security conference and is now available on GitHub.

Hackers had to get creative in order to attack web sites protected by two factor authentication, because they somehow need to force the target web site to generate a two factor request.  If they are running a separate web site in a different domain that they control, that is harder.

But of course, there is a way.

If the hacker’s web site acts as a proxy between the user and the real web site, the real site generates the needed request and the user provides the second factor to what looks like the real site.  The proxy passes it through, the real site accepts it and sets a session cookie, and the hacker captures that cookie as it comes back through the proxy and uses it before it expires.  The second factor itself is never broken; the attacker simply rides the session it unlocked.

That has been around for a while but was hard to do.

Muraena and NecroBrowser now automate most of this process (Muraena is the reverse proxy, NecroBrowser the headless browser that picks up the captured sessions), so even a script kiddie (well, maybe not a script kiddie) can steal your money or information, even if two factor is operational.

This attack does not work if the site uses FIDO U2F/WebAuthn hardware tokens such as a YubiKey, because the key signs a challenge that includes the origin (domain) the browser actually connected to, so a signature produced on the attacker’s look-alike domain is rejected by the real site.  The attack does work against both SMS based 2FA and authenticator apps, because the one time code is just a number the user types and the proxy can forward it unchanged.

While the article does not say so, I think the attack will also fail against client side certificates, for a similar reason: the proxy terminates the user’s TLS connection and cannot present the user’s certificate to the real site, because it does not hold the private key.

All of this means that users cannot drop their guard.  In these man in the middle attacks, the user is directed to the hacker’s web site instead of the real one, and that site has a different name, even if it is only a little different.  Check the address bar before typing a password or a code, and treat a password manager that refuses to autofill on a site it does not recognize as a warning rather than an annoyance.
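To make the difference concrete, here is an added illustration (not code from the original post, Muraena or NecroBrowser) that models the proxy attack for both kinds of second factor: a TOTP code of the sort SMS and authenticator apps deliver, which the proxy can relay, and a FIDO2/WebAuthn-style assertion of the sort a YubiKey produces, which the real site rejects because the signed data names the proxy’s origin.  The hostnames, secrets and challenge are constructed for the example, and the authenticator’s public-key signature is stood in for by an HMAC under a per-credential key, which is enough to show the origin binding.

```python
"""Added illustration: not code from the original post, Muraena or NecroBrowser.

Models the reverse-proxy phish for two kinds of second factor.  A TOTP code
(RFC 6238, what SMS and authenticator apps deliver) is just digits the victim
types, so the proxy can forward it and log in.  A FIDO2 / WebAuthn assertion
(what a YubiKey produces) covers the origin the browser actually connected to,
so the real site rejects anything signed while the victim sat on the proxy's
look-alike domain.  Hostnames, secrets and the challenge are constructed for
the example; the authenticator's public-key signature is stood in for by an
HMAC under a per-credential key (assumption), enough to show origin binding.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"        # assumed legitimate site
PROXY_ORIGIN = "https://login.example-com.net"   # assumed attacker proxy (look-alike name)
RP_ID = "login.example.com"                      # relying party ID = real site's host


# --- TOTP: what SMS and authenticator-app 2FA hand the user -----------------
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verifies_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Typical server check: accept the current 30 s step and one step either side."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), submitted) for d in (-1, 0, 1))


def proxy_relays_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy; the proxy forwards it unchanged."""
    code_typed_into_proxy = totp(secret, now)
    return server_verifies_totp(secret, code_typed_into_proxy, now)   # True: relay works


# --- WebAuthn-style assertion: what a FIDO key signs ------------------------
def authenticator_sign(cred_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> dict:
    """Browser builds clientDataJSON from the origin it is really on; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin_seen_by_browser}).encode()
    # authenticatorData: rpIdHash || flags (UP set) || 32-bit signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()   # stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verifies_assertion(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """The relying-party checks from the WebAuthn spec that matter here."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != REAL_ORIGIN:          # the check a proxy cannot get past
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def proxy_relays_webauthn(cred_key: bytes) -> bool:
    """Proxy relays the real site's challenge, but the victim's browser is on
    PROXY_ORIGIN, so that is what ends up inside the signed clientDataJSON."""
    challenge = b"\x11" * 32                                    # constructed challenge
    assertion = authenticator_sign(cred_key, challenge, PROXY_ORIGIN)
    return rp_verifies_assertion(cred_key, challenge, assertion)   # False: origin mismatch


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", proxy_relays_totp(b"constructed-seed", 1_559_900_000))
    print("WebAuthn assertion relayed through proxy accepted:", proxy_relays_webauthn(b"constructed-key"))
```

The point to take from the second half is that nothing the proxy does to the traffic helps it: the browser, not the attacker, fills in the origin, and a real authenticator would not even be offered the real site’s RP ID from a different domain.  The TOTP half also shows why the usual thirty second window does not save you; a live proxy relays the code well inside it.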

Source: CSO Online


White House Acting Budget Chief Wants to Delay Huawei Ban

O P I N I O N

Acting budget director Russell Vought is seeking to delay the Huawei ban for another two years (for a total of four years after the ban was enacted).

If they are a risk to national security, is it okay to compromise national security for two more years?

Apparently so – or is it that they are not really a risk to national security and this is just an effort to get China to the bargaining table?  We don’t know.

What we do know is that Vought is saying that the ban would cause a “dramatic reduction” in the number of companies able to supply the government.  Obviously, if the government can’t get the parts or systems it needs, that is a risk all by itself.

More bizarrely, the budget office says that not banning Huawei for four years as suggested wouldn’t go against the policy of Huawei not being allowed to do business in the US.  So doing business for four years doesn’t go against the policy of not being allowed to do business in the US?  I am having a hard time grasping that government double speak.

The ban would also apply to companies getting federal grants or loans.  This includes rural telephone companies.  Banning Huawei would mean that these rural telephone companies could no longer deploy 5G cell systems – maybe forever, unless the government comes back with billions more in loans or grants to cover the extra cost of using another vendor.  France just announced that replacing Huawei – which it has NOT agreed to do – with another vendor would cost 52 billion Euros.  The United States is bigger and more complicated than France, so likely someone will need to cough up hundreds of billions of dollars to replace Huawei equipment.

Alternatively, Americans, especially in rural America (like me, 20 miles from downtown Denver), who already have cell service on par with countries like Nigeria (really!) will continue to have crappy cell and Internet service.

Maybe that is okay.  I know my Internet is 1/10th the speed of my brother’s home Internet connection in Europe, at twice the price – a factor of 20 difference.  In fact, legally, my Internet service cannot even be called broadband because it is too slow.

It does seem that if we really think Huawei is a security problem, then we need to ban them now, not in four years as proposed, and accept crappy Internet and cell service for a while.  That will put our businesses, consumers and students at greater risk of becoming second class to other countries, but that is the price we may have to pay.  It may motivate people to think outside the box and come up with breakthrough solutions.

The good news is that our slow, crappy Internet and cell service makes it harder to hack us, so maybe there is a silver lining.  Source: CNet.

Security News Bytes for the Week Ending June 7, 2019

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack, which is why many organizations just pay the ransom.  The attackers only wanted about $103,000, less than 1 percent of what the city is going to spend.  Of course, an organization that pays will still be vulnerable to another attack and will have no idea whether the attacker remains inside its systems, slowly stealing data, for the rest of eternity.

The city is blaming the feds for the breach, because the attackers used the NSA’s leaked exploit EternalBlue, and wants federal aid to fix the mess, although there are also conflicting reports saying that no evidence of EternalBlue was found in the city’s network.

Baltimore’s information technology office issued an undated but detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system.”  (Based on the contents of the memo, it was likely written in late 2017 or 2018.)

The reality is that Microsoft’s patch for the hole EternalBlue exploits (MS17-010) has been available since March 2017, more than two years, but was not installed in Baltimore.  Whose fault is that?  Like many organizations, Baltimore chose to prioritize spending on other things over protecting its systems and its customers’ data.  Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop.  Apparently the hackers behind GandCrab have decided that they have made enough and have ordered their “affiliates” to stop distributing the ransomware after an 18 month run.  The operators claim the operation brought in about $2.5 billion in ransom payments in total; the $2.5 million a week they also quote is their own average cut over those 18 months, the rest going to the affiliates, and they say they have cashed out $150 million, which they have “invested”.  Of course, other malware will replace it, but the sheer magnitude of this one is amazing.  Source: Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that 12 million customer records, including credit card and bank account information, medical information and Social Security numbers, were compromised.  Now it is LabCorp saying that almost 8 million of its customer records were exposed.

Both tie back to the same vendor – AMCA, the American Medical Collection Agency.  Given that both of these biggies used it, there are likely many smaller companies that did too.

LabCorp said, in an SEC filing, that the hackers were inside AMCA’s systems for eight months (August 1, 2018 to March 30, 2019) before they were detected.

One more time, a third party vendor has put the companies that trusted it at risk.  In this case there is the added pain that this is a HIPAA breach, and a pretty big one at that.  That is why vendor cyber risk management is so important.

Quest says that it has fired the vendor and hired its own investigators, because it has not gotten sufficient information from AMCA.  Remember, you can outsource the task, but not the liability.  Hopefully everyone has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of Exim Mail Agents Are At Risk

What could go wrong?  Millions of Exim mail transfer agents, the default MTA on many Unix-like systems, are vulnerable to both remote and local attacks.  The flaw (CVE-2019-10149) lets an attacker execute commands on the target system as root: trivially from a local account, and remotely against the default configuration if the attacker can keep an SMTP connection open for days, or immediately against several common non-default configurations.

The bug was fixed in Exim 4.92, released in February 2019, but the release was not flagged as a security fix, so likely many sysadmins did not install it.  Shodan shows 4.8 million servers running Exim and only 588,000 running 4.92, with most of those servers in the U.S.  Versions 4.87 through 4.91 are the affected ones.  Source: Bleeping Computer.
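The Shodan numbers come from SMTP greeting banners, and the same banners are the quickest way to triage your own estate.  The following is an added example (not code from the original post, Bleeping Computer or the Exim project) that parses Exim banners and sorts them into patched, vulnerable and unknown, using the 4.87 to 4.91 affected range and the 4.92 fix from the public advisory; the banner lines are constructed for the example.

```python
"""Added example, not code from the original post, Bleeping Computer or the Exim project.

Classifies Exim SMTP greeting banners (the kind of data Shodan indexes) by
whether they carry the 4.92 fix.  Affected range 4.87 through 4.91 inclusive,
fixed in 4.92, per the public advisory for CVE-2019-10149.  The banner lines
are constructed for the example.
"""
import re
from collections import Counter

FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 92)
EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

CONSTRUCTED_BANNERS = [
    "220 mx1.constructed.example ESMTP Exim 4.91 Fri, 07 Jun 2019 09:12:01 +0000",
    "220 mx2.constructed.example ESMTP Exim 4.92 Fri, 07 Jun 2019 09:12:02 +0000",
    "220 mx3.constructed.example ESMTP Exim 4.92.1 Fri, 07 Jun 2019 09:12:03 +0000",
    "220 mx4.constructed.example ESMTP Exim 4.86_2 Fri, 07 Jun 2019 09:12:04 +0000",
    "220 mx5.constructed.example ESMTP Postfix",
    "220 mx6.constructed.example ESMTP ready",      # smtp_banner customised: version hidden
]


def parse_exim_version(banner: str):
    """(major, minor, patch) from an Exim banner, or None if no Exim version is shown."""
    m = EXIM_VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def classify(banner: str) -> str:
    """Bucket one banner; compare on (major, minor) so 4.92.1 counts as fixed."""
    v = parse_exim_version(banner)
    if v is None:
        return "unknown"        # not Exim, or the banner hides the version: check another way
    if v[:2] >= FIXED_IN:
        return "patched"
    if v[:2] >= FIRST_AFFECTED:
        return "vulnerable"
    return "pre-4.87"           # outside the default-build affected range, but long unsupported


def summarize(banners) -> dict:
    """Counts per bucket, the shape of a quick exposure report."""
    return dict(Counter(classify(b) for b in banners))


if __name__ == "__main__":
    for banner in CONSTRUCTED_BANNERS:
        print(f"{classify(banner):<10} {banner}")
    print(summarize(CONSTRUCTED_BANNERS))
```

Two caveats a banner survey cannot see: distributions that backport the fix into an older package keep the old version string in the banner (Debian patched its 4.89 package this way), so banner counts overstate exposure in one direction; and a customised or hidden banner hides an unpatched host in the other.  Confirm on the box with `exim -bV` and the package changelog rather than trusting the greeting.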

The AMCA Data Breach Keeps Growing

AMCA is a company you had probably never heard of before this week.  It is a medical claims collection agency.  As I said above, first it was Quest with 12 million customers affected; then it was LabCorp with another 7+ million customers.

One assumes that AMCA has lots of customers and, depending on how its systems were built, probably all of them were compromised.  It is possible that each customer’s data was isolated from all of the others’, but that does not seem to be the case.

Now OPKO Health (through its BioReference Laboratories unit) is saying that 400,000 of its customers’ information was compromised.  Expect more customers to come forward in the weeks ahead.

This is the risk you take when you use outside parties: breaches that you don’t control but have to pay for anyway, both financially and in brand damage.  If you have not already figured out how to protect yourself as best you can, now is the time to do it, because once you get that phone call from your vendor it is too late.  Source: Bleeping Computer.


So You Thought Your iPhone Was Secure

The security of all computers is dependent on three things:

  • The Hardware
  • The Operating System
  • The Apps

When it comes to the iPhone, Apple does a great job of making sure the hardware is secure.  The Secure Enclave is the best in the industry and Apple spends a lot of money testing its hardware.  The good news for Apple users is that Apple controls all of the hardware because it designs and sells all of it.

The next piece is the operating system.  iOS has a great security reputation, and Apple ships security patches to every supported device at once and nags users until they install them.

So what is left?

Yes, it is the apps.  Depending on the user, you could have 50, a hundred or more apps on your phone.  That’s where the trouble starts.

Security researchers at Wandera evaluated about 30,000 popular apps from the App Store.  They noticed that data was being transmitted unencrypted because the apps had turned off Apple’s transport security.

This seemed odd to the researchers, since Apple’s App Transport Security (ATS) is turned on by default.  It is part of iOS itself, applied to every connection an app makes through the system URL loading APIs, so developers get it with no additional work; turning it off takes a deliberate NSAllowsArbitraryLoads entry in the app’s Info.plist.

The researchers found that about 20,000 of the 30,000 apps, two thirds, had ATS turned off.

Their best guess is that the developers thought encryption would hurt the app’s performance, but on any recent phone the TLS overhead is negligible.

For the last few versions of iOS, Apple has even let developers scope the exception to named domains (NSExceptionDomains), so one legacy HTTP-only endpoint does not require switching ATS off for everything, but apparently app developers don’t care.
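Since the opt-out lives in a plain configuration file, it can be audited.  Here is an added example (not code from the original post, Wandera or Apple) that reads an app’s Info.plist and reports the global opt-out Wandera found next to the properly scoped, per-domain alternative; both plists are constructed for the example, and the bundle identifiers and the legacy host name are assumptions.

```python
"""Added example, not code from the original post, Wandera or Apple.

Audits an iOS app's Info.plist for App Transport Security opt-outs.  Both
plists below are constructed for the example: the first disables ATS for
every connection (the pattern Wandera found), the second scopes an exception
to one legacy host, which is what Apple's per-domain keys are for.  Bundle
ids and the legacy hostname are assumptions.
"""
import plistlib

PLIST_HEADER = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
'''

# Weak: ATS switched off for the whole app.
WEAK_PLIST = PLIST_HEADER + b'''<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed-weak</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>'''

# Scoped: ATS stays on; only one legacy host may be reached over cleartext HTTP.
SCOPED_PLIST = PLIST_HEADER + b'''<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed-scoped</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.net</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>'''


def audit_ats(plist_bytes: bytes) -> dict:
    """Return the bundle id, whether ATS still applies by default, and a list of findings."""
    info = plistlib.loads(plist_bytes)            # handles XML and binary plists alike
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global opt-out: NSAllowsArbitraryLoads")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"partial opt-out: {key}")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP allowed for {scope}")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") < "TLSv1.2":
            findings.append(f"TLS below 1.2 allowed for {scope}")
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(f"forward secrecy not required for {scope}")
    return {
        "bundle": info.get("CFBundleIdentifier"),
        "ats_default_on": not bool(ats.get("NSAllowsArbitraryLoads")),
        "findings": findings,
    }


if __name__ == "__main__":
    for blob in (WEAK_PLIST, SCOPED_PLIST):
        print(audit_ats(blob))
```

To run this against a real app, unzip the .ipa and point it at Payload/<App>.app/Info.plist; the file there is usually binary, which plistlib reads without any conversion.  Note that a scoped exception still shows up as a finding, because cleartext to that one host is still cleartext; the difference is that every other connection the app makes keeps ATS’s TLS 1.2 and forward secrecy requirements.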

I think it is fair to say that the state of app security is similar to the state of web site security ten years ago (or older).

The challenge for the end user is that they really have no easy way to tell which apps are secure and which ones are not without being a security expert, which is not reasonable.

Unfortunately, I do not have a silver bullet.  I tend to minimize the number of apps that I have installed as one way to reduce my attack surface.  Maybe not the best answer, but the best one that I have.  Source: Dark Reading.


Will New York Follow In California’s Footsteps?

The New York Privacy Act was introduced last month.  Like California’s CCPA, it gives consumers more power over their data, but in addition it would require companies to put their customers’ privacy before their own interests.  I am sure that there will be a huge lobbying effort by special interests.

While the sponsor is still looking for cosponsors in the lower house, he thinks he already has enough votes to pass it in the Senate.

The Committee on Consumer Protection is scheduled to hold a hearing this week.

Like California’s law, this bill would allow people to find out what data companies are collecting, who they are sharing it with, get it deleted, make companies correct incorrect data and stop companies from sharing the data with third parties.

One difference from the California law is that this bill allows consumers to sue companies over privacy violations.  One compromise made when the California bill passed was to limit the private right of action to cases where there was a breach.  Here, a private right of action would exist for any violation.

Another big difference is that while the California law only applies to companies with revenues over $25 million (or a couple of other situations), this bill would apply, like Colorado’s law does, to any company of any size.

Obviously, the big companies (Facebook, Google and others) and their lobbyists (the Internet Association) are more than just freaking out.  They are saying that keeping customers’ data private is “unworkable for businesses”, which really means that it messes with their business model, and that the bill fails to give residents meaningful control over their data, which makes no sense at all.  Are they suggesting that their current business model already gives people meaningful control over their data?  That certainly doesn’t seem to be the case.

While I certainly agree that a law like this messes with the business models of some companies that have built a business around selling your data, if those businesses have something that people find valuable, most people will recognize that this is a reasonable trade.

What is required is transparency and that is something that folks like Google and Facebook fight, because they know that for many people, it is not worth the trade.

This is far from law, but definitely a bill to watch.

The name of the bill is NY S 5642.

While this bill may not pass in its current form, it seems like the handwriting is on the wall and smart businesses will start to understand privacy concerns and rework their business models to take that into consideration.

Information for this post came from Wired (registration required).

The Cloud is NOT Disasterproof – Are You?

Over the weekend, Google suffered an outage that lasted about four hours (see the Google App Status dashboard).

The good news is that the outage happened on a Sunday afternoon because that reduced the impact of the outage.   Next time it could happen on a Monday morning instead.

The outage took down virtually every Google service at some point during the outage.

But worse than that, it took down all of the companies that depend on one Google service or another.  Examples include Snapchat, Shopify and Discord, and even a number of Apple services went down, because Apple is not in the data center business and rents capacity from Google.  iCloud Mail, iCloud Drive and iMessage were all affected.

This is not to beat up on Google.  Both Amazon and  Microsoft have had similar meltdowns and so have much smaller providers.

And they will again.  Human beings design computers, build computers and operate them.  And, after all, humans are, well, just human.

One more time, this is a lesson for users of cloud services.  

Maybe you can deal with a 4 hour outage on a Sunday.

But can you deal with an 8 hour or 24 hour outage on a Wednesday (like Microsoft had recently)?

What is the cost in lost productivity when users can’t get to their email or their office documents?

What is the impact to your customers if they can’t get to your service?  Will they move to a competitor?  And stay there?

I am not proposing any solution.  What I am proposing is that you consider what the impact of an outage like this is, on both YOU and your CUSTOMERS.

Then you need to consider what the business risk of an inevitable outage is and what your business continuity plan is.  Will your BC plan mitigate the risk to a level that is acceptable to your company?

Finally, you need to look at your Vendor Cyber Risk Management program.  

Apple’s systems went down on Sunday NOT due to anything Apple did, but rather due to something its vendor (Google) did.

At this point Google has not said what happened, but it has promised an after action report soon.  Remember, though, that ultimately this is not a Google problem but a problem of cloud consolidation.  When only a handful of cloud providers host everything (three tier one providers – Google, Microsoft and Amazon – and a slightly larger handful of tier two providers), if one of them burps, a lot of companies get indigestion.

Source: Vice