In Honor Of Super Bowl Week – NFL Mobile App Is Like Swiss Cheese

Dark Reading is reporting that the NFL mobile app has a few problems in it – not so much different than NFL officiating.

Wandera performed a scan of the app and discovered that after a successful login, the app leaks your credentials in an unencrypted API call.  In addition, it leaks your login name and email address too (which is probably enough to do a password reset).

That is enough, they say, to get the hacker into the user’s NFL web page, which is also unencrypted, which would allow the hacker to siphon off your address, phone number, occupation, date of birth, gender, if the user entered that in their profile.

As a side note, all they use that for is to push ads to you, so if possible, I recommend NOT entering that data and if they require you to do so, then enter bogus data. You may have to enter an occupation, but who says that you are not a mortician or clean septic tanks for a living.  There is no data validation.  And, as you go from site to site, enter different information – just to mess with the ad data people.

Anyway, back to the NFL.  Wandera did not try making a purchase, but given the above information, the security there is pretty suspect as well.

Since many users reuse passwords, getting their NFL.com password may give the hacker access to someone’s email or Amazon account too.

I recommend that if you are going to reuse passwords, break them into categories.  One category, which I call trash sites, is sites with the lowest possible security needs and the least sensitive data (at least as long as you told them that you were 92, female, lived in Paris, France and were a jockey).  The NFL.com site would fall into that category.  At least that way, if that password were compromised, nothing else important would be compromised.

But here is the best part.  The NFL, like politicians, loves to spin things.  Their answer to this issue was:

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

Obviously, this answer is total bulls&*t, but they probably figure most fans will trust them implicitly – like they trust the referee’s calls.  There is NOTHING they can do, technically, on the back end to fix this problem.  Can’t be done.  Total lie.

My suggestion is don’t fill out your profile and don’t purchase anything from their web site – buy stuff somewhere else.

Mitch


How Does Your Anti Virus Software Stack Up?

Redmond Mag is reporting that AV-Test has ranked 28 Anti Virus software products against 153 pieces of zero day (meaning previously unknown) and 12,000+ pieces of known malware.

AV-Test, based in Germany, has gotten sideways with Microsoft before.  Microsoft has come in ranked very low on their tests several times.

Microsoft says that the firm ranks anti virus software based on how well it detects malware.  Microsoft says they prioritize “real world malware uses”.  I guess that means that they only worry about the major pieces of malware.

Microsoft’s product is free and unfortunately, this may be one case where you get what you pay for.  In 2013, Microsoft said that most of the malware that they didn’t stop either didn’t hurt users or wasn’t out there in the wild.

Anti virus software is pretty cheap.  Trend Micro, one of the vendors that scored 100 percent on the test, is available today on Amazon for $25 for 3 PCs (per year).  That would work out to $8 and change per PC at home if your family has several computers.

What I don’t know is whether Microsoft’s users don’t see the malware that Microsoft fails to detect because that malware is uncommon, or because Microsoft doesn’t detect it and therefore never reports it as being found on users’ computers.

In any case, to me, if I could get something that detects all 12,000+ samples for $8 per computer per year – the cost of 1 or 2 Starbucks –  that sounds like a reasonable expense.

The three anti virus products that scored 100 percent in their tests are:

  • Avira’s Antivirus Pro 2015,
  • F-Secure Internet Security 2015 and
  • Trend Micro Internet Security 2015

The complete test is available here.

Mitch


Sony Still Trying To Recover From Attack

In the latest bit of news dribbling out of Sony Pictures, Reuters is reporting that Sony has requested an extension of the required financial filings from mid February to the end of March.

Sony is saying that their financial and accounting applications will not be working until early February.

For those of you keeping track, the attack started on November 24th of last year.  Early February will put the recovery at 10 or 11 weeks just to get the systems back online.  Then comes the task of catching up on 10+ weeks of lost work for thousands of employees.

Sony did say, according to Reuters, that they will hold a news conference on February 4th.  It will be interesting to see if they announce a charge against earnings for the cost of the breach at that time or if they wait until March 31st when they will file their financials.

The impact on a company of not having any financial systems – and likely many other systems – to manage their business for 2-3 months is significant and we will have to watch to see what the longer term effect is on Sony.

Mitch


Defensive Best Practices For Destructive Malware

The NSA released a 5 page document last week on keeping malware out of your network.  5 pages with links to hundreds of pages of other NSA documents.  It would probably take a year just to read and absorb them.  Then you have to deal with implementing the suggestions.  Some are simple, some are hard.  As I always say, it is a matter of business risk management to decide what you want to do.  Then implementing it.  Then maintaining it.  Simple, huh?  Not quite, but with the right resources, it is possible.

Here is the condensed version of what the NSA is recommending.  Since they control their workforce completely, they can do all of this.  You, probably, will have to pick and choose.

Prevent, Detect and Contain

  • Segregate your network so that when an attacker does get in, he or she cannot roam your entire universe.  An example would be at Target – getting in to the vendor management network should not allow you access to the point of sale system.  In Target’s case, this was way too easy.  This can be a lot of work, but it has slight impact on your users once it is set up and almost no performance impact.
  • Protect and restrict administrative privileges.  Unfortunately, the NSA is the poster child for this one.  When Edward Snowden went rogue, he had way too much access.  This is transparent to your users and a pain in the rear for your administrators.  Still, they have the keys to the cookie jar, so you decide.
  • Deploy application whitelisting.  Whitelisting means that only approved versions of approved applications can be installed anywhere on your network.  This mostly impacts your users and I would rate the impact high.  If users cannot run downloaded software or infected versions of approved software, it makes the hacker’s job very hard.
  • Limit workstation to workstation communication.  This makes it harder for malware to spread.  I rate the impact low on users and medium on administrators.  I rate it difficult to implement.
  • Implement robust network boundary defenses such as firewalls.  This takes some effort to implement but when it is done, for the most part, the users won’t notice.  The US Government is working on this – they had thousands of connections to the outside world.  How do you protect that many connections?  How many connections do you have?  What about the ones you don’t know about like that wifi connection between someone’s laptop and their personal wifi hotspot that they bought from Verizon for $49?
  • Maintain and monitor host and network logging.  This one is completely transparent to the users but takes a lot of work and likely some money.  Every device on your network – from a server to the refrigerator – needs to send its logs to a central server.  Then, those logs have to be crunched for unusual events.  Then people have to act on the alerts.  That is what really killed Target.  Their logging and alerting system generated an alert, IT reviewed it and bounced it up the food chain and management decided not to take any action.
  • Implement mitigations such as Pass-the-Hash mitigations and the Microsoft Enhanced Mitigation Experience Toolkit (EMET).  I rate these high pain levels for both the users and administrators.
  • Implement Host Intrusion Prevention Systems (HIPS) to detect anomalous behavior.  I rate this low for the user; higher for the admins (to setup and monitor) and some cost depending on the solution chosen.
  • Finally, patch software in a timely manner so that known bugs cannot be easily exploited.  There is some pain to the user, although a lot of this can be automated with some work.  There is a lot of work for IT to find all the patches, figure out where they need to go, test all the affected systems and deploy the patches.
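Log collection only pays off if someone turns the raw records into alerts.  As an added example that is not from the NSA paper or this post, here is a small Python detector that reads constructed firewall flow records and flags workstation-to-workstation connections on the ports malware uses to spread, which ties the segmentation point and the logging point above together; the address plan, the log format and the fan-out threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow records (not from the page), in the shape a central
# log server might receive from firewalls and hosts across the network.
SAMPLE_LOGS = """\
2015-01-28T09:58:02 src=10.10.5.23 dst=10.20.1.10 dport=443 proto=tcp action=allow
2015-01-28T10:02:11 src=10.10.5.23 dst=10.10.7.41 dport=445 proto=tcp action=allow
2015-01-28T10:02:12 src=10.10.5.23 dst=10.10.7.42 dport=445 proto=tcp action=allow
2015-01-28T10:02:13 src=10.10.5.23 dst=10.10.7.43 dport=3389 proto=tcp action=allow
2015-01-28T10:05:40 src=10.10.9.8 dst=10.20.1.22 dport=53 proto=udp action=allow
2015-01-28T10:06:01 src=10.10.9.8 dst=10.10.9.9 dport=445 proto=tcp action=deny
"""

WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")  # assumed address plan
LATERAL_PORTS = {445, 3389, 5985, 5986}  # SMB, RDP, WinRM: rarely needed peer to peer
FANOUT_THRESHOLD = 3  # distinct workstation peers before a source is flagged

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)

def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def find_lateral_movement(log_text):
    """Return alerts for workstation-to-workstation traffic on lateral ports.
    Denied flows are not reported individually but still count towards fan-out,
    since a host probing many neighbours is suspicious even when blocked."""
    alerts, peers = [], defaultdict(set)
    for rec in parse(log_text):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in WORKSTATIONS and dst in WORKSTATIONS and rec["dport"] in LATERAL_PORTS:
            peers[rec["src"]].add(rec["dst"])
            if rec["action"] == "allow":
                alerts.append(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} allowed between workstations")
    for src, dsts in peers.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(f"{src} reached {len(dsts)} workstations on lateral ports (possible spread)")
    return alerts
```

Run against the sample, it raises three per-flow alerts for the allowed SMB/RDP connections plus one fan-out alert for the source that touched three neighbours; the denied probe from the second host is counted but stays below the threshold.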

Prepare for incident response and recovery

  • Backup, backup, backup.  Then test.  If you cannot restore the backup to a bare metal box, it doesn’t solve the problem.  If new systems are added and not included in the backups, you have a problem.  I know of a company whose backups hadn’t been successful for a year, but no one was checking.  When they had a problem, it suddenly became a huge problem.
  • Establish an incident response and recovery plan.  Then test it at least once a quarter.  When I was a kid, the regional hospital was affected by a big blackout that covered the whole east coast.  The hospital had generators to provide power.  Unfortunately, no one knew how to get them up and running.  That was embarrassing.  Luckily, no patients died before they did get the generators running.
  • At the conclusion of an incident, conduct a lessons learned exercise and actually learn from the experience.
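Testing a backup means restoring it somewhere fresh and proving the result is both intact and complete.  As an added example that is not part of this post or of any NSA guidance, this Python check builds a small constructed backup, restores it into a scratch directory, re-hashes every file against the manifest, and reports any host in the inventory that the backup never covered; the host names, file layout and manifest format are assumptions.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
SAMPLE_FILES = {  # constructed backup contents, keyed "<host>/<file>"
    "fileserver01/shares.tar": b"share data",
    "erp-db01/ledger.sql": b"INSERT INTO ledger VALUES (1, 100.00);",
}
INVENTORY = ["fileserver01", "erp-db01", "web02"]  # web02 was added after the job was set up

def make_backup(archive, files):
    """Stand-in for the nightly job: write a .tar.gz and return {name: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            manifest[name] = hashlib.sha256(data).hexdigest()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return manifest

def verify_restore(archive, manifest, inventory):
    """Restore to a fresh directory, re-hash every file, and check inventory coverage."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar, tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        for name, expected in manifest.items():
            target = (base / name).resolve()
            member = tar.extractfile(name) if name in tar.getnames() else None
            if base not in target.parents:  # refuse names that escape the restore dir
                problems.append(f"unsafe path: {name}")
            elif member is None:
                problems.append(f"missing from archive: {name}")
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(member.read())
                if hashlib.sha256(target.read_bytes()).hexdigest() != expected:
                    problems.append(f"hash mismatch after restore: {name}")
    covered = {name.split("/", 1)[0] for name in manifest}
    problems += [f"host not in backup set: {h}" for h in inventory if h not in covered]
    return not problems, problems  # ok only when the list is empty

def run_check(files=SAMPLE_FILES, inventory=INVENTORY, corrupt=()):
    """Build the sample backup in scratch space and verify it; names in `corrupt` get a bad hash."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = str(Path(tmp) / "nightly.tar.gz")
        manifest = make_backup(archive, files)
        manifest.update({name: "0" * 64 for name in corrupt})
        return verify_restore(archive, manifest, inventory)
```

With the sample data the check fails only because web02 is in the inventory but never backed up, which is exactly the quiet failure the post describes; the `corrupt` option shows that a damaged restore is caught the same way.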

I managed to reduce this to about one printed page.  Actually doing this requires person years of effort, including planning, implementing, testing, monitoring, training and documentation.  Your goal is to make it harder for the bad guys to attack your system than the one next door.  You don’t need to be perfect.  Just harder to attack than your neighbor.

This is a good checklist to review as part of your business risk mitigation efforts.

Mitch


Adobe Flash – The Gift That Keeps On Giving

UPDATE:  As expected, Adobe did release a second emergency patch for this bug and expects it to be available for download this week.  Adobe has said that there are reports of the vulnerability being “actively exploited”.

You can check what version of Flash you are running by going to this link at Adobe.com.

Adobe Flash – the software that Steve Jobs hated so much that he wouldn’t allow it on mobile i-devices and said, about Flash, that it had abysmal security – has another exploit in the wild.  The reason for Jobs’ hatred of Flash is controversial (see here) and may be due to the fact that he could not control Adobe and there are many free Flash based games that aren’t sold (since they are free) by Apple.

That being said, there is another zero day exploit (see here) for which there is a “kit” available to use the exploit.

Right now, the target seems to be Windows and Internet Explorer (yet another reason not to use IE), but the bug also exists in the Mac and Linux versions of Flash.  Windows Chrome and Firefox users are safer, but should update anyway.

Worse yet, the patch that Adobe released may not fix the problem – or the problem may really be two problems.  In any case, get ready for a second patch soon.

The fact that there is an exploit kit that hackers can use without having to develop it means it will show up sooner in a hacked web site near you.

The new version of Flash is available at get.adobe.com/flashplayer.

Mitch


It’s 10 P.M. – Do You Know Where Your Permissions Are?

To paraphrase an old public service announcement (It’s 10 P.M. – Do you know where your kids are?), you grant way too many online permissions and likely do not keep track of them and revoke them.

To use today’s answer – We have an app for that.  Seriously.

MyPermissions.org is a combination of a web site and a couple of apps that allow you to lasso in those permissions.

With the web site, it guides you to the permissions pages of all of the common apps – facebook, twitter, google, yahoo, linkedin, etc. It does not collect all your passwords – you have to log in yourself – but you can then quickly see what permissions you have given to whom – maybe years ago – and revoke them if you choose.

The app generates alerts in real time when an app accesses your data and lets you “execute” that app – virtually, by revoking its access – so it cannot do that any more.  It also generates reminders for you to clean up your permissions mess.

The app runs on Android and iOS;  the web site runs, of course, in any browser.

Note – I don’t have any relationship with these guys and I am not vouching for them, but they seem to have gotten a lot of press coverage – from Wired to Mashable – all linked to on their home page.

No rocket science here, but making life easier is not a bad thing.  Visit http://www.mypermissions.org to check it out.


Mitch


Privacy, Security and Cyber Risk Mitigation in the Digital Age