The Bruce Schneier Cryptogram Oct 2018

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is.

In this issue:

  1. NSA Attacks Against Virtual Private Networks
  2. Public Shaming of Companies for Bad Security
  3. Pegasus Spyware Used in 45 Countries
  4. Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer
  5. AES Resulted in a $250-Billion Economic Benefit
  6. New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
  7. New Variants of Cold-Boot Attack
  8. Evidence for the Security of PKCS #1 Digital Signatures
  9. Counting People through a Wall with Wi-Fi
  10. Yet Another IoT Cybersecurity Document
  11. Major Tech Companies Finally Endorse Federal Privacy Regulation
  12. More on the Five Eyes Statement on Encryption and Backdoors
  13. Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
  14. Sophisticated Voice Phishing Scams
  15. Terahertz Millimeter-Wave Scanners
  16. The Effects of GDPR’s 72-Hour Notification Rule
  17. Helen Nissenbaum on Data Privacy and Consent
  18. Chinese Supply Chain Hardware Attack
  19. Conspiracy Theories around the “Presidential Alert”
  20. Detecting Credit Card Skimmers
  21. Defeating the “Deal or No Deal” Arcade Game
  22. The US National Cyber Strategy
  23. Access Now Is Looking for a Chief Security Officer
  24. Security Vulnerabilities in US Weapons Systems
  25. Another Bloomberg Story about Supply-Chain Hardware Attacks from China
  26. Security in a World of Physically Capable Computers
  27. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.

Patch Tuesday October 2018

Krebs (you read Krebs, right? You should…) has a great write-up on this month’s Windows patches.

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available.

We’re not big proponents of waiting for free bug and security releases to be applied. Get to testing and apply them!

Are you a phish in barrel?

It doesn’t matter how much money you have spent on security, there is a very high probability that your security perimeter can be penetrated. Unfortunately, this is a reality we have learned to live with… but we don’t have to.

It all started with the CWRT research team spoofing emails from certain very high-level politicians, CEOs, and other famous people. We only spoofed each other, for educational reasons… Evil thoughts ranged from starting the next “me too” movement to exfiltrating secrets by impersonating someone’s boss and requesting they save the data to USB, save it to a Dropbox, or open an infected file. It was soon apparent that we could manipulate nearly any situation with a strategically spoofed email. When done correctly it’s nearly impossible, even for the best-trained user, to distinguish real from forged emails.

Want your own proof that spoofing will work on your company? We thought you might, so we made this tool: http://emailspooftest.com. Enter your corporate email, press the button, and see which spoofs get through and how to fix them.

Check it for yourself.

Did you get any of the 5 test emails the page sends? Did any of them end up in spam?

If they made it into spam or into your inbox, you could easily be spoofed. This means an attacker can email any number of tricks into your user-base and be successful. With the email security checks in place, the sending server’s connection should be refused and the email never accepted by your mail servers, not even into spam.

How big of an issue is this?

To many, email is a boring security conversation. Those of us in security understand clearly that email can be easily faked. We may not realize that the rest of the world is going about daily operations with reasonably critical business processes happening via email communication. We trust communications from our co-workers, bosses, and partners, yet all of them are subject to email manipulation.

We were able to impersonate highly classified email addresses where we should not have been able to.

General attacks
                 Commercial   Federal
  Email              95%        90%
  Web                 4%         1%
  Other               1%         9%

Direct attacks
  Email              90%        70%
  Web                 7%         1%
  Other               3%        29%

* Stats are estimates from real-world threat intelligence by the ADi Cyber Warfare Research Team (CWRT).

Wouldn’t it make sense to close the email threat gap?

We have all seen the recent uptick of phish-me type products to train your users.

Training is an excellent idea and really works in the security world. Treating people well and having a great culture is also useful.

There are email security controls that all modern email systems support; DHS BOD 18-01 has mandated these controls for federal agencies since last year. Below is a snippet from BOD 18-01:

“Federal agency “cyber hygiene” greatly impacts user security. By implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”

…way overdue if you ask me.

From 2006 to 2014 SPF was slowly rolled out as an industry-recommended technology, but as of 2018 many still have not implemented the basics of protection. We are finding in many cases that we are able to spoof even when checks are enabled. Very few have all of the email security checks in place and completely pass our simple tests on emailspooftest.com.

The fix:

  • SPF
  • DKIM
  • DMARC
  • Authentication
  • Reverse DNS

With all tech there are challenges, and each of the above solutions has its own. It can be very complicated to implement each one if you aren’t experienced. We tested many firms with all of those protections at least partially enabled, only to find out the protections didn’t work at all. That’s why we created http://emailspooftest.com.
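The “partially enabled but didn’t work at all” finding above usually comes down to a handful of record-level mistakes: an SPF record ending in `~all` or `?all` instead of `-all`, a DMARC policy of `p=none`, or a DMARC record with no reporting address. The following is an added example, not ADi’s tooling or the code behind emailspooftest.com, that audits SPF and DMARC record strings for those weak settings. The records at the bottom are constructed samples; to run it against a real domain you would fetch the TXT record of the domain (SPF) and of `_dmarc.<domain>` (DMARC) and pass the strings to `audit_domain()`.

```python
"""Audit SPF and DMARC records for the settings that let spoofed mail through.

Added example; this is not ADi's tooling or the code behind emailspooftest.com.
The record strings at the bottom are constructed samples, not live DNS answers.
"""
import re

QUALIFIERS = "+-~?"
# Mechanisms/modifiers that cost the receiver a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE):
            all_qualifier = term[0] if term[0] in QUALIFIERS else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def audit_spf(record):
    """Return a list of weaknesses; an empty list means the record enforces a hard fail."""
    spf = parse_spf(record)
    if spf is None:
        return ["no SPF record: any host may claim to send for this domain"]
    findings = []
    if spf["all"] is None:
        findings.append("missing 'all': unlisted senders get an implicit neutral result")
    elif spf["all"] == "+":
        findings.append("'+all' authorises every host on the internet")
    elif spf["all"] in ("~", "?"):
        findings.append(f"'{spf['all']}all' is soft/neutral: unlisted senders are not rejected")
    lookups = sum(1 for m in spf["mechanisms"] if LOOKUP_RE.match(m))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    if any(re.match(r"^[+\-~?]?ptr", m, re.IGNORECASE) for m in spf["mechanisms"]):
        findings.append("'ptr' is deprecated by RFC 7208 and slow for receivers to evaluate")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit_dmarc(record):
    """Return a list of weaknesses; empty means failures are rejected and reported."""
    dmarc = parse_dmarc(record)
    if dmarc is None:
        return ["no DMARC record: receivers have no policy to apply when SPF/DKIM fail"]
    findings = []
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid: receivers treat the record as p=none at best")
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in dmarc:
        findings.append("no rua: aggregate reports will never reach you")
    return findings


def audit_domain(spf_record, dmarc_record):
    """Combine both audits so that a single empty list means 'passes'."""
    return ([f"SPF: {f}" for f in audit_spf(spf_record)]
            + [f"DMARC: {f}" for f in audit_dmarc(dmarc_record)])


# Constructed sample records (not any real domain's DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, audit_domain(spf, dmarc) or ["passes"])
```

The soft-fail case is the one that most often explains “enabled but not working”: `~all` tells the receiver the sender is probably not authorised, and most receivers respond by delivering the message to spam rather than refusing it, which is exactly the outcome the test above treats as a failure. DKIM is not checked here because verifying a signature needs the message headers, not just the DNS record.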

Hopefully you passed the email spoof test; if not, you have some work to do.

Happy Hunting,

-Chuck

Cybersecurity is an unwinnable war

You can’t actually WIN.

You can SUCCEED though.

But that doesn’t mean you don’t have to fight it anyway. Like many things in a safety and security realm, the threat is ever changing, and your strategy must flex with it. You have to manage the threat and fend attackers off while serving your customers and enabling your employees to do work.

AND you even have to let your employees do the work in the way they want to.

Top-down authoritarian restrictions don’t really work in the long run.

“The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” – Princess Leia

Security only works if EVERYONE on board participates and WANTS to be part of the culture that puts it near the top of the list.

Treat your employees and customers like robots, and they WILL find somewhere else to go. They WILL leak data through the cracks. They WILL leave the side door unlocked.

If your culture is a stance of defense and diligence, one of self-awareness and reliance and constant learning and improvement, then this should include your security posture as well.

The war is not winnable, but that doesn’t have to keep you from succeeding.

Need help? Contact us.

Use Deception to Automate Response

What technology are many firms now starting to use to fill the Risk Response Gap?

What is the importance of responding to recon and unwanted activity?

You can’t respond to what you can’t detect. And sometimes even responding to what you DO discover is an issue.

The Risk Response Gap is that gap in time where something doesn’t look right, but you aren’t sure enough to respond. Here is an example:

I was hired to “recover” a priceless gem from a busy, well-protected house. Armed guards, dogs, and gates. The works. I poked around from afar to determine any probable entry methods. I decided that breaching the front door or a window was too much effort and too risky.

If someone kicks the door in, they don’t belong there. Obvious.

The location had staff and people in and out, so I made a couple of fake gas-company phone calls and gained entry as a natural gas repairman. One of the many helpful people told the guards to expect me. Once in, I got the complete layout of the house, all the defenses, communications, and where they kept the gem I wanted.

After poking around a little too much, the staff detected that I may not be who I said I was. No one could validate me, so I took a nap next to the boiler for a few hours and they seemed to forget I was there. I set off some smoke alarms, and in the confusion, I took what I wanted, then left with a smile. About 15 minutes later they determined I was an intruder and that they had been breached. A day or so later they learned I had taken the gem.

Far too late. The damage was done.

Change the word house to business, and you get what happens in most breaches on a corporate level. Sound familiar? Trick a user to gain entry (phish etc.), move laterally, lie dormant, cause a ruckus, exfiltrate in the confusion.

Bad-guy 101.

Why? They had plenty of protection and actually did detect me, so what was the failure here?

Answer: The response was too slow. There were indicators that I did not belong, but they were not put together quickly enough to isolate me. By potentially being a false positive I gained a lot of time.

Usually, we like automated action; you jump the gate, and the dog automatically eats you. Walk through the gates and the guards automatically detain you. Once you have a trusted foothold past the guards and dogs, you can pretty much just hang out as much as you want… just like malware on a laptop. You see, entry is a given, you will always gain access… you send 1000 phish emails, and someone will let you in. There is always a hole… Hey Stuxnet, you air-gapped?

Detection accuracy becomes key to making a timely response.

Imagine the same scenario as above. In the house, there was a room marked “Gem Collection.” When you go into this room, the door closes behind you, and there is no way out and certainly no gems. You are captured simply for being curious. No other staff has business in there, so it catches thieving staffers too. In an ideal scenario, there are more fake rooms than real rooms and many objects a thief would be interested in that a worker will just pass by. These traps are known as “Deception.”

Deception technology provides accuracy which allows security to be automated.

Without deception, I can quickly and easily leverage native Windows tools to map an entire infrastructure and systematically go after objects nearly undetected until I get what I want, in almost every environment.

With deception, I am detected almost immediately.

Not all deception is created equally. “Honeypots” and “honey grids” are easy to sift through or recognize. The fraud must be unrecognizable from business components. If I want to go after SQL server, Exchange servers, file servers, and even individual user accounts I should probably have Deception on all of those objects… Javelin does precisely this.

So instead of one house there are three; instead of 30 rooms in each there are 300; instead of 1 gem there are 49 fakes right next to it. Touch one of the fakes along the way and you are captured immediately.
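What makes a decoy hit safe to act on automatically is the accuracy argument above: nobody has a legitimate reason to log in as a decoy account or open a decoy share, so a single touch is enough, whereas a failed logon on its own leaves you in the Risk Response Gap. The following is an added example, not Javelin’s or ADi’s code, that runs that rule over a few constructed log lines; the log format, host names and decoy names are all made up for the example (a real deployment would parse Windows 4624/4625 events or a file-share audit log the same way).

```python
"""Decoy-object detection over constructed authentication log lines.

Added example; not Javelin's or ADi's code. Log format, hosts and decoy names
are constructed for the example. A decoy touch is a high-confidence alert by
itself; ordinary failed logons are only counted, because alone they are ambiguous.
"""
import re
from collections import Counter

# Hypothetical decoy objects seeded into the environment.
DECOY_ACCOUNTS = {"svc_backup_admin", "sqlsa_legacy"}
DECOY_SHARES = {r"\\fs01\finance_archive"}

# Constructed sample log: <timestamp> <event> user=<name> src=<host> [target=<share>]
SAMPLE_LOG = """\
2018-10-09T08:01:02 LOGON_OK user=jdoe src=WS-114
2018-10-09T08:01:30 LOGON_FAIL user=jdoe src=WS-114
2018-10-09T08:02:11 LOGON_FAIL user=sqlsa_legacy src=WS-207
2018-10-09T08:02:12 LOGON_FAIL user=svc_backup_admin src=WS-207
2018-10-09T08:03:45 SHARE_ACCESS user=mwilson src=WS-207 target=\\\\fs01\\finance_archive
2018-10-09T08:04:00 LOGON_FAIL user=asmith src=WS-033
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: target=(?P<target>\S+))?$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def analyse(log_text):
    """Return (alerts, failure_counts).

    alerts: decoy hits, each naming the source host to isolate.
    failure_counts: failed logons per host, the ambiguous signal that on its own
    is not enough to justify an automated response.
    """
    alerts, failures = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["user"] in DECOY_ACCOUNTS:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "reason": f"decoy account {rec['user']} used ({rec['event']})"})
        elif rec["target"] in DECOY_SHARES:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "reason": f"decoy share {rec['target']} accessed by {rec['user']}"})
        elif rec["event"] == "LOGON_FAIL":
            failures[rec["src"]] += 1
    return alerts, failures


def hosts_to_isolate(log_text):
    """The automated response: every source host that touched any decoy."""
    alerts, _ = analyse(log_text)
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    alerts, failures = analyse(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']}: {a['reason']}")
    print("ambiguous failed logons per host:", dict(failures))
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

In the sample, WS-114 and WS-033 each produce one failed logon, which is the kind of noise a real network generates all day, while WS-207 touches two decoy accounts and a decoy share within two minutes and is the only host returned for isolation. The decoy names must look like the real thing for this to work, which is the point the text makes about honeypots that are easy to recognise.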

If you haven’t explored it yet, look into deception as immediate response protection.

The Bruce Schneier Cryptogram Sept 2018

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is.

In this issue:

  1. New Book Announcement: Click Here to Kill Everybody
  2. Speculation Attack Against Intel’s SGX
  3. New Ways to Track Internet Browsing
  4. James Mickens on the Current State of Computer Security
  5. “Two Stage” BMW Theft Attempt
  6. Good Primer on Two-Factor Authentication Security
  7. John Mueller and Mark Stewart on the Risks of Terrorism
  8. Future Cyberwar
  9. NotPetya
  10. CIA Network Exposed through Insecure Communications System
  11. Cheating in Bird Racing
  12. Eavesdropping on Computer Screens through the Webcam Mic
  13. Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords
  14. Five-Eyes Intelligence Services Choose Surveillance Over Security
  15. Reddit AMA
  16. Using Hacked IoT Devices to Disrupt the Power Grid
  17. Security Vulnerability in Smart Electric Outlets
  18. Security Risks of Government Hacking
  19. Quantum Computing and Cryptography
  20. Click Here to Kill Everybody Reviews and Press Mentions
  21. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.

Death of a thousand cuts for your security posture

The make-up of a great security posture comes from having your “ducks in a row”… meaning you have the three Threat Management Vectors working effectively. These Threat Management Vectors are Detection, Prevention, and Response.

Yup, that’s right: all that jargon and spin to sell security products muddies the waters of what you should be doing to manage threats. These security products don’t take away any responsibility from your company, and they are not sufficient without proper configuration. Even the best product can do very little without on-going tailoring to your business. Care and feeding of these security products by trained people will keep your CIO/CSO out of negligent waters (jail) and your corporate brand safe and secure (without fines).

ADi helps hundreds of customers every year get security products off the ground while training the company’s engineers on how to use these products effectively and ensure these products are tuned well for Detection, Prevention, and Response.

Even so, ADi does regular health-checks and frequent security reviews. You might be asking, “If you are so good at training the company’s Engineers how to care for the security products, why would you need a health-check or a security review?”

The answer to this question is at the heart of IT operations… the HELPDESK, or “helpless desk” as I often hear it referred to. Most of us IT’ers have done our time at the helpdesk, and maybe some of you are there right now (don’t worry, it’s not forever!). Don’t get me wrong, in some companies you have a few rising rockstars, but they quickly jump the ranks or go work somewhere else for more money (truth). The helpdesk usually ends up as an operational ticket “triage” that merely forwards the tickets to the right Engineers to solve the problem.

“Eventually the hole is so deep you are just shoveling dirt in your own face.”

As the Engineers become bogged down solving help desk requests or adjusting security policies to accommodate the office Halloween party, an endless cycle starts. The Engineer becomes consumed by helpdesk tasks while security tuning and threat hunting and response go by the wayside to accommodate business workflow tasks. This causes more helpdesk tickets. Before you know it, your environment needs a little housekeeping!

For security’s sake, get yourself a housekeeper! That is a reliable partner/ reseller, who is going to add value to your team and not just sell you stuff.

Keep your ducks in a row!

How do you treat your employees in a cyber war environment?

The most effective method for long-term cybersecurity is training.

It’s important to create a culture where security is just part of what you do. You can’t force users to be secure. Not in the long term. A lot of companies create endless sets of rules and lock down everything.

Of course, employees put their work ahead of your rules. They have stuff to get done. That’s how they end up sneaking in a thumb drive because they need to take work home. Then your design files get compromised on a coffee shop wifi, and we’re off to the races.

Treat people with respect. Make it the cool thing to do in your culture to be secure. A healthy culture is more secure than a prisoner culture.

Need help? Give us a call.

2 factor and phishing

Usernames and passwords. They’ve been around a long time. They work, sorta. They work better with a password manager that helps you make strong passwords unique to each of your logins.

But usernames and passwords have many problems. You could easily watch someone type their password in a coffee shop. I was on a commercial flight not long ago, and an executive from a MAJOR bank logged into their system in the row in front of me holding their smartphone at eye level for the whole plane to see.

“2 factor” is a concept that has been around for a long time, and it is much more straightforward than the marketing fluff may make it seem. The idea is to add a second method of authentication to your existing login. So in the case of a username-and-password login, that means also having to authenticate with something physical, as another layer of security. Sometimes the second factor can be who you are; your fingerprint is an example.

While not foolproof, adding more layers does make unauthorized access to your accounts more difficult.

And that’s a foundation of security: make it more expensive to steal than the information is worth.

It’s very common to see text messages used as the second factor, but we highly recommend at least an authenticator app like LastPass or Google Authenticator. If you really want to step up your game, a physical device like a YubiKey is an excellent and affordable choice.
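An authenticator app is less magic than it looks: it holds a shared secret and derives a short code from the current 30-second time step (TOTP, RFC 6238). The following is an added example, not code from this post or from LastPass or Google Authenticator, showing both the app’s side (`totp`) and the server’s side (`verify`). The secret is the RFC 6238 reference-test secret so the outputs can be checked against the RFC’s own table; a real enrolment uses a random secret delivered once via the QR code.

```python
"""TOTP (RFC 6238): the code an authenticator app derives from its shared secret.

Added example, not code from the post or from any authenticator product.
RFC_SECRET is the RFC 6238 test secret, not a real credential.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algo)


def verify(secret: bytes, candidate: str, for_time: float, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of clock skew.

    compare_digest keeps the comparison constant-time so response timing does
    not reveal how many leading digits of a guess were right.
    """
    counter = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), candidate)
        for c in range(counter - window, counter + window + 1)
    )


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret (SHA-1 rows)

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t, digits=8))
    print("code for right now:", totp(RFC_SECRET))
```

This also shows why the post singles out hardware keys for phishing: a TOTP code is just six digits the user types, so a spoofed login page can relay it to the real site within the same 30-second window. A FIDO hardware key instead signs a challenge bound to the origin it is actually talking to, so a look-alike domain receives a signature the real site will never accept.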

In our research, adding hardware 2-factor authentication dramatically reduces the chance of employees being phished.