Make use of OWASP Mobile Top 10

February 14, 2017

OWASP “Mobile Security Project” team updated their Mobile Top 10 Vulnerability list this week. {in the process they broke some of their links, if you hit one, just use the 2015 content for now: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad}

I was in a meeting yesterday with a group reviewing one facet of an evolving proposal for Office 365 as the primary collaboration and document storage infrastructure for some business operations.

Office 365 in global Financial Services? Yup. Technology pundits-for-sale, tech wannabes, and some who are still intoxicated by their mobile technology have been effective in their efforts to sell “cloud-first.” One outcome of some types of “cloud-enabled” operations is the introduction of mobile client platforms. Even though global Financial Services enterprises tend to hold many hundreds of billions or trillions of other people’s dollars, some sell (even unmanaged) mobile platforms as risk appropriate and within the risk tolerance of all relevant constituencies… My working assumption is that those gigantic piles of assets and the power that can result from them necessarily attract a certain amount of hostile attention. That attention requires that our software, infrastructure, and operations be resistant enough to attack to meet all relevant risk management obligations (contracts, laws, regulations, and more). This scenario seems like a mismatch — but I digress.

So, we were attempting to work through a risk review of Mobile Skype for Business integration. That raised a number of issues, one being the risks associated with the software itself. The mobile application ecosystem is composed of software that executes & stores information locally on mobile devices as well as software running on servers in any number of safe and wildly-unsafe environments. Under most circumstances the Internet is in between. By definition this describes a risk-rich environment.

All hostile parties on earth are also attached to the Internet. As a result, software connected to the Internet must be sufficiently resistant to attack (where “sufficient” is associated with a given business and technology context). Mobile applications are hosted on devices and within operating systems having a relatively short history. I believe that they have tended to prize features and “cool” over effective risk management for much of that history (and many would argue that they continue to do so). As a result, the mobile software ecosystem has a somewhat unique vulnerability profile compared to software hosted in other environments.

The OWASP “Mobile Security Project” team research resulted in the Top 10 mobile vulnerabilities list below. I think it is a useful tool to support those involved in thinking about writing or buying software for that ecosystem. You can use it in a variety of ways. Challenge your vendors to show you evidence (yes, real evidence) that they have dealt with each of these risks. You can do the same with your IT architects or anyone who plays the role of an architect for periods of time — then do it again with your developers and testers later. Business analysts, or those who act as one some of the time should also work through adding these as requirements as needed.  Another way to use this Mobile Top 10 resource is to help you identify and think through the attack surface of an existing or proposed mobile-enabled applications, infrastructure, and operations.

OK, I hope that provides enough context to make use of the resource below.

REFERENCES:

Mobile Top 10 2016-Top 10
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

M1 – Improper Platform Usage
https://www.owasp.org/index.php/Mobile_Top_Ten_2016-M1-Improper_Platform_Usage
This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.

M2 – Insecure Data Storage
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M2-Insecure_Data_Storage  This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.

M3 – Insecure Communication
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M3-Insecure_Communication This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

M4 – Insecure Authentication
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M4-Insecure_Authentication This category captures notions of authenticating the end user or bad session management. This can include:
Failing to identify the user at all when that should be required
Failure to maintain the user’s identity when it is required
Weaknesses in session management

M5 – Insufficient Cryptography
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M5-Insufficient_Cryptography The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn’t done correctly.

M6 – Insecure Authorization
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M6-Insecure_Authorization This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

M7 – Client Code Quality
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M7-Poor_Code_Quality
This was the “Security Decisions Via Untrusted Inputs”, one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That’s distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that’s running on the mobile device.

M8 – Code Tampering
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M8-Code_Tampering
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application’s data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

M9 – Reverse Engineering
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M9-Reverse_Engineering
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.

M10 – Extraneous Functionality
https://www.owasp.org/index.php?title=Mobile_Top_Ten_2016-M10-Extraneous_Functionality Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.


Code Review Required for JavaScript Too

December 17, 2016

In the course of my professional activity, I have repeatedly bumped into well-meaning individuals (developers, architects, leaders, and more) who believe that browser-hosted JavaScript is not a real security concern (anything important to protecting our systems and data happens back on servers, right?)  This can lead to a certain amount of passivity during code-promotion code reviews.

I was just looking for a current copy of the Automated Penetration Testing Toolkit (APT2), and happen to glance at one of the author’s blogs, and was presented with another reason that JavaScript code review and accompanying risk management is still a core capability.

Much of the automated web application testing that I see day to day does a great job finding bugs.  It does not, though, do such a great job identifying new features that require only a little code to implement.

Professional pen tester Adam Compton offers some keystroke logging JavaScript along with a primitive  to catch & log the output.  Adding a keystroke logging “feature” to one of your JavaScript modules could involve only a few lines of code, but could result in any number of abuse cases — and resulting in harm of varying scope & impacts.  Monitoring for “feature” additions to your JavaScript is just another reason to keep that language on your code review radar.

REFERENCES:

Automated Penetration Testing Toolkit (APT2)
https://github.com/MooseDojo/apt2

New Script/Tool: KeyLogging in JavaScript
http://blog.seedsofepiphany.com/2015/04/new-scripttool-keylogging-in-javascript.html

 


Getting through that Compliance-Only Mindset

December 1, 2016

We all need to work with leaders and other influencers who hold “compliance” as their prime (sometimes, only) risk management driver.   Sure, that is tiring and sometimes disheartening, but they are not going away…  In the course of your efforts to advance effective information and operations security motivating these individuals can be a challenge.  Because large scale financial services enterprises in the United States do business across the country, it is sometimes helpful to be able to demonstrate the scope of legislation (not regulation) that applies to various aspects of information and cyber security.  Below is a collection of lists of laws on related information security topics from the National Conference of State Legislatures (http://www.ncsl.org/aboutus.aspx) that may help you on that front.  I’ve included a couple of global resources as well, but that information is far more limited than is available to me about U.S. state laws.

At the story-telling level, one might use this list to demonstrate why it is critical to create, acquire, evolve and maintain ________ (this may be context-specific, use whatever is applicable: software, networks, servers, endpoints, databases, appliances, etc…) that are audit-ready, resilient and resistant to attack, and that protect sensitive resources & transactions while delivering the intended levels of service while under attack.  I am not a lawyer and this is not legal advice!  But I believe given the scope and complexity of the laws involved, along with the velocity of change, attempting to achieve and maintain tight compliance alignment with all applicable laws & regulations would be vastly more expensive than focusing most of our creativity & energy on fielding safe-enough software, infrastructure, and operations.

Sure, laws, regulations, and the professionals who focus on them are critically important in Financial Services.  That does not make them the center-of-the-universe for information security. Safe software, safe infrastructure, and safe operations are expected by all our constituencies and these characteristics also should satisfy information security-relevant compliance obligations. This seems like an achievable goal. Mapping every relevant law and regulation to every facet of every application and all aspects of our infrastructure and its operations seems impractical and unbusinesslike.

What do you think?

List of U.S. Security Breach Notification Laws:

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

A running list of U.S. security breach-related legislation by year (2010 to present):

http://www.ncsl.org/research/telecommunications-and-information-technology/overview-security-breaches.aspx

List of U.S Data Disposal Laws:

At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

List of U.S. Identity Theft Laws:

http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx
Identity theft occurs when someone uses another person’s personally identifying information, like a person’s name, Social Security number, or credit card number or other financial information, without permission, to commit fraud or other crimes.
This chart summarizes the identity theft criminal penalties, restitution and identity theft passport laws. Every state has a law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help victims from continuing identity theft.

List of U.S. Cybersecurity Legislation for 2016:

http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx
Cyber threats have enormous implications for government security, economic prosperity and public safety. States are addressing cybersecurity through various approaches, such as:

  • Requiring government or public agencies to implement security practices
  • Offering incentives to the cybersecurity industry
  • Providing exemptions from public records laws for security information
  • Creating cybersecurity commissions, studies or task forces
  • Promoting cybersecurity education.

Same for 2015:
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2015.aspx

List of U.S. Computer Crime Statutes:

http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
Computer crime laws encompass a variety of actions that destroy or interfere with normal operation of a computer system including hacking, unauthorized access, and malware, among others.

List of U.S. State Laws Associated with Phishing:

http://www.ncsl.org/research/telecommunications-and-information-technology/state-phishing-laws.aspx
Through 1/9/2015.
Phishing is a scam where fraudsters send spam or text messages or create deceptive websites to lure personal or financial information from unsuspecting victims.

U.S. State Spyware Laws

http://www.ncsl.org/research/telecommunications-and-information-technology/state-spyware-laws.aspx
Last update: 12/3/2015
Spyware, also sometimes called adware, is software that can track or collect the online activities or personal information of Web users, change settings on users computers, or cause advertising messages to pop up on users’ computer screens.  Web users are often unaware that spyware has been downloaded to their computers, and even when found, it can be very difficult to remove.
Twenty states, Guam and Puerto Rico have laws targeting spyware. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft and that possibly could apply to some practices involving spyware.

Also:

Perkins Coie’s list of U.S. State Security Breach Notification Laws:

https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
(Last Revised June 2016)
Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told Perkins Coie that the chart has been helpful when preparing for and responding to data breaches.
This resource includes more detail than most of the links listed above.

DLA Piper “Data Protection Laws of the World”

Interactive Map Of Notification Status and more.
https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section
Interactive map highlighting breach notification rules and regulations (per country). The colors of the countries below represent a data breach risk index. Red is the highest, orange is high, yellow is elevated, blue is general, and green is low risk.
There is also an on-demand PFD version of “Data Protection Laws of the World” available from DLA Piper at:
https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw/functions/export.pdf?country=all
When downloaded on November 29, 2016, this was a 510 page document covering the following 98 countries: Angola, Argentina, Australia, Austria, Belarus, Belgium, Bosnia and Herzegovina, British Virgin Islands, Bulgaria, Canada, Cape Verde, Cayman Islands, Chile, China, Colombia, Costa Rica, Brazil, British, Bulgaria, Canada, Cape, Cayman, Chile, China, Colombia, Costa, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Ghana, Gibraltar, Greece, Guernsey, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jersey, Latvia, Lesotho, Lithuania, Luxembourg, Macau, Macedonia, Madagascar, Malaysia, Malta, Mauritius, Mexico, Monaco, Montenegro, Morocco, Netherlands, New Zealand, Nigeria, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, Slovak Republic, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Trinidad and Tobago, Turkey, UAE – Dubai (DIFC), UAE – General, Ukraine, United Kingdom, United States, Uruguay, Venezuela, and Zimbabwe.

This page below provides a brief summary of the requirements of each of the 47 U.S state data breach notification laws as of August 2014.
http://www.itgovernanceusa.com/data-breach-notification-laws.aspx


5 Ways InfoSec Adds Value

November 28, 2016

Effective information and operations security is essential for all global financial services enterprises.

Even so, in my workplace it seems like we rarely summarize ways that it delivers value in that arena.

Last week Identity Solutions Strategist at Micro Focus, Travis Greene shared his list:

#1 IT security saves money
#2 IT security retains customers
#3 IT security improves productivity
#4 IT security will help you keep your job
#5 IT security is ethical

Take a look at the full article to see why he poses these assertions.
http://www.securityweek.com/five-reasons-be-thankful-it-security

REFERENCES:

Five Reasons to be Thankful for IT Security
http://www.securityweek.com/five-reasons-be-thankful-it-security
By Travis Greene


This Just In: Water is Wet

November 10, 2016

I received a link this morning from a colleague about office space.  it was an entertaining and interesting diversion from the all too often inward-focused grind.

It reminded me that other fields, not only Information Security, seem to suffer from unproductive, unbusiness-like amounts of “hope as a strategy”, unearned & misplaced trust, faith-based belief systems, flimflam, misdirection, puff, raw emotion, as well as lots of hype & hype-sters.

The article linked below is a quick read about alternative ways to frame some of the current blather about how reshaping the office environment necessarily leads to business benefits.  If you find this topic of interest, it appears to be the focus of some adult attention & analysis — see your favorite search engine for more.  If you are really interested, search on “herd behavior” and on “cognitive traps.”  There are many paths to broadly shared beliefs in “solutions” that are both unsupported by and contradicted by what often seem to be easy to grasp facts.  We still face lavish challenges.

REFERENCE:
“The Myths behind Brainstorming, Open Office Plans, and Collaboration.”
By Linda Hayes – November 3, 2016
https://www.techwell.com/techwell-insights/2016/11/myths-behind-brainstorming-open-office-plans-and-collaboration


DataLoss Eye Candy – Enhance Your Message

October 31, 2016

It is still important to deliver messages that influence…

Good visuals have a way of imprinting, and of adding context that sticks with a good argument.

A collection of researchers, along with some design & coding help just released an update to their “World’s Biggest Data Breaches” graphic.  It uses color, size, location along a timeline, and additional interactive data to document selected data loss greater than 30,000 records between 2004 and October 2016.

It seems like one of those resources that will be useful in a number of contexts.  [For example: Have you ever been asked “Why do I have to change my password — again…?  — One answer: Because in a world where humans too often reuse passwords across systems, passwords are no longer ‘durable.’  Look at this illustration to see how many have been stolen over the last decade…]

Use it to help goose up your risk management stories:

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks .

REFERENCES:

“World’s Biggest Data Breaches — Selected losses greater than 30,000 records.”
(updated 15th Oct 2016 Version 1.095)
Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson; Design & concept: David McCandless; Code: Tom Evans.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

A static version from early 2015: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-static/


Protect Your USB

September 19, 2016

Physical and logical PC controls still matter.

Just one more reason to resist the shared madness of “bring your own device” and/or “anywhere/anytime/any-endpoint” in global Financial Services.  We hold trillions of dollars for our customers (under the guise of a broad and evolving range of relationships)!  To add value to those relationships, we turn that money into units that are inter-business (and Internet) friendly to enable complex webs of financial transactions and services.  The concentration of “cash” and its transformation into bits results in an attractive target for hostile parties of many types.  How could endpoint anarchy ever be a risk-appropriate behavior for any but a microscopically few roles within our ranks?  It seems like something we should expect to fail the “reasonable person” test.

I was just catching up on some of my random reading and bumped into this demonstration of Windows credential stealing with just 15 seconds of access to a PC’s USB port.

15 seconds of social engineering is not that hard to pull off, so all you have left are serious controls administering the use of your USB ports, physically destroying your USB ports (yes, that is a serious option), along with multi-layer physical & logical security to the location of the PC at any given time.

Take a look st the video below along with the supporting paper.  Then voice your professional opinion and conscience wherever appropriate to resist elevated risk endpoint behaviors.  And if your role permits, ensure that your Financial Services organization has the goals and resources to effectively deal with attacks like the ones enabled by this automated, USB enabled assault.

REFERENCES:

15 Second Password Hack, Mr Robot Style
Video:
https://www.hak5.org/episodes/season-21/hak5-2101-15-second-password-hack-mr-robot-style
Supporting Paper
https://www.hak5.org/blog/15-second-password-hack-mr-robot-style


%d bloggers like this: