This week LastPass, a popular password manager which is often invoked in discussions around securing multiple passwords, announced it had detected suspicious activity on their network, saying: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
While many users consider their passwords completely secure with products like this, the specifics of the data the would-be hackers may have accessed remind us that "Quis custodiet ipsos custodes?" is a relevant question and an important concept when considering security. Fortunately, LastPass had their guards in the right place at the right time. LastPass has also published a Q and A for their users.
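The LastPass notice lists per-user salts and authentication hashes among the compromised data. The added example below (not LastPass's code or its actual scheme) illustrates the defensive property that makes such a leak survivable: a server keeps a random salt per user and an iterated PBKDF2-HMAC-SHA256 hash, so whoever holds the leaked records must pay the full work factor for every guess and cannot check one guess against all users with a single computation. The iteration count and every account and password below are constructed for the demonstration.

```python
"""Why per-user salts and an iterated hash matter when a server's
authentication data leaks. Added example with a constructed scenario;
this is not LastPass's code or its actual parameters.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 50_000   # assumed work factor for this demo; real deployments tune it
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Server-side record for one user: random per-user salt plus PBKDF2 hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], candidate: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def same_password_distinct_hashes() -> bool:
    """Two users choosing the same password get unrelated stored hashes,
    so a leaked hash cannot be matched across accounts."""
    shared = "correct horse battery staple"
    a, b = make_record(shared), make_record(shared)
    return a["hash"] != b["hash"] and verify(a, shared) and verify(b, shared)


def guessing_work(records: Dict[str, Dict[str, bytes]], wordlist: List[str]) -> Dict[str, int]:
    """Model the offline effort forced on whoever holds the leaked records.

    Returns how many PBKDF2 evaluations were needed and how many users fell
    to the wordlist. With per-user salts the count is users x guesses; a
    shared or absent salt would let one evaluation per guess cover all users.
    The second number is the lesson for users: salt and iterations do not
    rescue a master password that is itself on a common wordlist.
    """
    evaluations = 0
    recovered = 0
    for rec in records.values():
        for guess in wordlist:
            evaluations += 1
            if verify(rec, guess):
                recovered += 1
                break
    return {"pbkdf2_evaluations": evaluations, "users_recovered": recovered}


if __name__ == "__main__":
    # Constructed accounts: one weak password, one strong one.
    leaked = {"alice": make_record("password1"), "bob": make_record("zq7!Lm#vR2pX")}
    print(same_password_distinct_hashes())
    print(guessing_work(leaked, ["123456", "password1", "qwerty"]))
```

The work factor is the only tunable a server operator controls after the fact; the salt prevents amortisation across users, and the iteration count sets the per-guess price. Neither helps a user whose master password is a dictionary word, which is why the strength of the master password still matters even when the vault itself was not taken.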
On the anniversary of Heartbleed, and the discussions it raised around security vulnerabilities and strategies for all kinds of affected organizations, Fortune reports that 74% of Forbes Global 2000 companies are still vulnerable, having put off or ignored the relatively simple and well-documented fix for this vulnerability. Citing a recent report by Venafi, a security firm, Fortune's Robert Hackett outlines the steps required to fix the vulnerability and suggests that while many organizations released statements saying they would fix the vulnerability, many have not.
Regardless of the complexity (or lack thereof) of performing the fix, organizations would have to prioritize it and promote it through what can be complex production release processes, while dedicating resources that are stretched thin more often than not. If organizations remain reactive, instead of educating their teams and planning for the inevitable need to respond to new reports of vulnerabilities and to keep pace with best practices in security, this pattern will continue, and organizations and their users will remain at risk.
Jeremy Epstein, a senior computer scientist for SRI, recently published an article on Slate.com discussing the abysmal security features of a touch screen voting device used by "dozens of local governments" in Virginia. While these machines have now been decommissioned, the article represents one instance of what is most likely a very widespread problem: it's probably a lot easier to hack into many of the machines we use day to day than we think it is. In this case, a report by the Virginia Information Technologies Agency ("VITA") revealed:
- "The encryption key for the wireless connection is “abcde,” and that key is unchangeable.
- The system hasn’t been patched since 2004.
- The administrator password seems to be hardwired to “admin.” Because the system has a weak set of controls, it would be easy for someone to guess and then enter in the password.
- The database is a very obsolete version of Microsoft Access and uses a very weak encryption key (“shoup”). There are no controls on changing the database. That means that someone could copy the voting database to a separate machine (which is easy to do given the weaknesses described above), edit the votes, and put it back. There are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. Furthermore, there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant, given how severe the other problems are."
Again, this particular machine has now been decommissioned, but it's very hard to believe these types of issues don't exist elsewhere, making attacks on critical functions (voting, in this case) something that takes neither a high degree of skill nor much planning. What would one need to do to hack the system described here? From the article:
- "Take your laptop to a polling place and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the wireless connection password, which was “abcde.”
- Connect to the voting machine over Wi-Fi.
- If asked for a password, the administrator password is “admin.”
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”).
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published."
It is important to consider protecting our systems, and the technologies we use every day and take for granted, at their most basic levels. It can seem like a daunting task to protect against some of the more sophisticated attacks that have recently made the news, but first we should look to our basic systems and make sure none of our passwords are still "Admin".
"Can we have expiring data based on time and need? Can an employee revoke access given to his company for his/her personal data once he leaves the company? Can the keys to the data be handed to the employee and not the employer?" These questions, posed by Deepak Jeevankumar in TechCrunch this week, draw attention to an important and often under-explored area of the discussion around security: trust. Trusted entities (sites, providers, merchants...) have the ability not just to draw customers and users (many of whom may be fleeing compromised competitors), but to educate them and promote the secure practices that will make our online lives safer.
Threat sharing networks, which provide an ongoing view into threats and the security of sites we may rely on every day, are one technology that can help us get there. In addition, companies and organizations can take steps to establish and demonstrate trust while still maintaining the policies that protect them, making it a "two-way street", which in turn will build trust.
Mr. Jeevankumar argues that shifting our way of thinking to focus more on trust, to innovate around it, and to focus on how it can change the dynamic and frustrating cycle we find ourselves in, will help us to have safer lives online.
The cloud seems to be taking an (unfair?) amount of blame for the most recent, highly visible attacks on corporations like Sony and, most recently, Anthem. There may be a temptation to conclude that, since a common denominator is cloud computing, the cloud must be insecure.
"Wrong" says David Linthicum for InfoWorld. "The degree of security -- whether within cloud-based or on-premises systems -- is determined by two factors. One is the planning and technology that goes into engineering the security solution. The other is the organization's ability to operate systems in proactive and secure ways." In reality, the same risks that exist in an on-premises environment exist in the cloud as well: vulnerabilities hackers can easily find and exploit, outdated or non-existent IAM strategies, and the organization's (in)ability to stand behind, adhere to, and continuously improve its security processes and initiatives. "The Cloud" cannot fix what is broken strategically within an organization, and risk and vulnerability can exist in the cloud as easily as on a local server.
Kaspersky Lab reported a large-scale, long-duration "unprecedented cyberrobbery" this week. This attack lasted years, involved multiple approaches (including hijacking actual ATMs), and resulted in the loss of up to a billion dollars worldwide.
Instead of targeting the banks' customers, who likely have several measures in place from the bank to protect their accounts from fraud, this attack likely began with a phishing attack on the bank employees. "The cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out" says Kaspersky in its post. From there:
- "When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money was deposited with banks in China or America. The experts do not rule out the possibility that other banks in other countries were used as receivers.
- In other cases cybercriminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: if an account has 1,000 dollars, the criminals change its value so it has 10,000 dollars and then transfer 9,000 to themselves. The account holder doesn’t suspect a problem because the original 1,000 dollars are still there.
- In addition, the cyberthieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the ‘voluntary’ payment."
This incident highlights how important it is to provide the tools, training and education employees need to lessen the impact of this kind of attack. In addition, sophisticated monitoring tools should alert organizations when seemingly legitimate employee transactions look wrong.
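The balance-inflation technique quoted above (an account shows 1,000, is edited to 10,000, and 9,000 is wired out) is detectable precisely because a stored balance is derived data: it must equal the sum of the posted transactions. The added example below (not Kaspersky's or any bank's code) recomputes balances from a transaction journal and flags accounts whose stored balance does not reconcile, plus debits that exceed the journal-derived funds at the time they posted. All accounts, amounts and memos are constructed.

```python
"""Reconciling stored balances against the transaction journal to catch a
balance field edited directly in the database. Added example with
constructed data; not Kaspersky's or any bank's code.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    account: str
    amount: Decimal   # positive = credit, negative = debit
    memo: str


# Constructed journal. alice's only real activity is a 1,000 deposit followed
# by the 9,000 outbound wire; the 9,000 "extra" never went through the journal.
JOURNAL: List[Txn] = [
    Txn("alice", Decimal("1000"), "opening deposit"),
    Txn("bob", Decimal("250"), "opening deposit"),
    Txn("alice", Decimal("-9000"), "wire to external account"),
]

# Constructed balance table as read from the tampered accounting database:
# alice was edited to 10,000 and then debited 9,000, so she still reads 1,000.
STORED_BALANCES: Dict[str, Decimal] = {
    "alice": Decimal("1000"),
    "bob": Decimal("250"),
}


def recompute_balances(journal: List[Txn]) -> Dict[str, Decimal]:
    """Balance per account as implied by the journal alone."""
    totals: Dict[str, Decimal] = {}
    for t in journal:
        totals[t.account] = totals.get(t.account, Decimal("0")) + t.amount
    return totals


def find_discrepancies(stored: Dict[str, Decimal], journal: List[Txn]) -> Dict[str, Decimal]:
    """Return account -> (stored - recomputed) for every account that does not reconcile.

    A positive difference is money the balance table claims but the journal
    cannot explain, which is exactly what a direct edit to the balance leaves.
    """
    recomputed = recompute_balances(journal)
    out: Dict[str, Decimal] = {}
    for acct in set(stored) | set(recomputed):
        diff = stored.get(acct, Decimal("0")) - recomputed.get(acct, Decimal("0"))
        if diff != 0:
            out[acct] = diff
    return out


def find_overdrawn_debits(journal: List[Txn]) -> List[Tuple[Txn, Decimal]]:
    """Replay the journal in order and report debits larger than the funds
    the journal itself shows at that moment. Each hit is (txn, shortfall)."""
    running: Dict[str, Decimal] = {}
    hits: List[Tuple[Txn, Decimal]] = []
    for t in journal:
        before = running.get(t.account, Decimal("0"))
        after = before + t.amount
        if t.amount < 0 and after < 0:
            hits.append((t, -after))
        running[t.account] = after
    return hits


if __name__ == "__main__":
    print(find_discrepancies(STORED_BALANCES, JOURNAL))      # {'alice': Decimal('9000')}
    for txn, short in find_overdrawn_debits(JOURNAL):
        print(f"{txn.account}: {txn.memo} exceeds journal funds by {short}")
```

Run periodically against a read-only copy of the ledger, either check fires on the constructed scenario: alice's stored balance is 9,000 higher than her journal supports, and the wire itself overdraws the journal-derived funds by 8,000. Neither check needs to know what the clerk's screen looked like, which is the point against an attacker who has learned to mimic legitimate operator activity.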
Tuesday was "Safer Internet Day", and Google celebrated by offering users free space in their Google Drives if they performed a simple security check. The Group Product Manager for Google Drive published a letter explaining the offer and the check.
This is an interesting approach to a growing problem. This blog has discussed usability as a critical factor when it comes to adoption, but what about offering incentives to keep information current and to keep users aware of the policies in place to protect them? For a program like this to be most effective, it has to offer something end users want. In this case, that is storage on Google Drive. It would benefit any online business to consider what they could offer their users to enhance their security while encouraging use of their product. Promotional discounts, exclusive content and free services are just a few that come to mind.
RSA and TeleSign have released a report with key findings on the state of mobile fraud in ecommerce. "An uptick in online fraud resulting from today's environment of large-scale data breaches and security incidents is something TeleSign is seeing first-hand," said Steve Jillings, CEO of TeleSign. "Illicit activities including spamming, phishing attempts, affiliate fraud and e-commerce fraud all have a common primary motivation: money."
Below are some key findings from the report:
- Average revenue loss due to mobile fraud: $92.3M per year (among 250 organizations with average revenue of $2.54 billion).
- Mobile growth trend: More than 50 percent of respondents believe that mobile revenues will grow 11-50 percent over the next three years, and 30 percent believe it will grow 51-100 percent.
- Rising fraud trend: The growth of mobile interactions is expected to increase the percentage of mobile incidents significantly, with 19 percent of companies already indicating that 25-49 percent of their fraud incidents are due to mobile. These rates are expected to grow, and in some cases at least double over the next 2-3 years as mobile revenue contributions increase, unless significant remedial actions are implemented quickly.
- Current lack of adequate security: One in four businesses currently don't require login identification for mobile users.
- Addressing the problem: In the next 2-3 years, next generation authentication technologies like biometrics, soft tokens and other two factor authentication will largely replace the user name and password as the primary method of authentication.