Risks of Unnecessary Admin Privileges Continue to Increase

February 18, 2015

Excessive access has been an acknowledged risk since the earliest days of distributed data-communication networks in the 1970s.  One key way that some organizations attempt to ‘keep things moving’ is to grant administrative privileges to ranges of individuals & groups who may need some small subset of those permissions in the course of normal operations or in dealing with troubleshooting requests.  In most situations, it would be possible to grant only those permissions required to perform truly required tasks. In the most of the rest of the situations, broader administrative access can be protected with strong two-factor authentication (which will resist many threats that depend upon stolen user credentials).

Constraining and/or hardening administrative access has also been one of the easier ways for large enterprises to materially reduce their attack surface which results in a lower overall risk profile.

A core risk management principle — ‘least privilege’ — reasons that users should be granted only enough rights to support performing the tasks required for their role, and no more.

This is not only a Windows issue,  but Antone Gonsalves (CIO OnLine) passed along today that a review of Microsoft’s Windows vulnerabilities in 2013 (333, of which 147 ranked ‘critical’), showed that fully 60% of them would be mitigated by removing user’s admin rights. Gartner has also argued that 90% of security threats could be eliminited by removing user’s administrative permissions.

Hostile uses of malware and social engineering continue to advance. This results in increasing the gravity of Financial Services organization’s excessive administrative access issues.  The key message is that the risks associated with malware infection could be materially-reduced if we tamped down granting of administrative privileges.

RESOURCES:

“Time to drop unnecessary admin privileges.” By Antone Gonsalves, 02-18-2014.
http://www.csoonline.com/article/2134396/privacy/time-to-drop-unnecessary-admin-privileges.html

“Trends (and other things) Learned at the Gartner IAM Summit.” By Mark Weiner, 12-11-2014
http://blog.centrify.com/trends-learned-at-gartner-iam-summit/

Completosec on Risks of Malicious Code:
https://completosec.wordpress.com/category/malicious-code/


Predictable Techniques Succeed in Big Bank Theft

February 14, 2015

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says it has seen evidence of $300 million (or much more) stolen from more than 100 banks and other financial institutions in Russia, in Japan, the United States, and in at least 27 other nations.

The attack appears to have been initiated via a phishing campaign, followed by long-running surveillance malware, remote access trojans (low and slow), and finally exfiltration of large amounts of money — part via manipulation of bank accounting systems.  …Nothing new there, the story highlights the scale of cyber-crime successes.

The rest of the story will be outlined by Kaspersky on Monday.

Or you can watch a condensed version via YouTube.

This should also be a reminder that there are no security ‘ruby slippers.’  We need to keep rejecting vacuous vendor and pundit preaching about replacing our security perimeters with (pick your hot solution-of-the-moment) ‘the cloud,’ ‘an appliance,’ or some other replacement for common sense, intelligence, and hard work.  Optimizing a layered defense on top of active resistance to phishing (along with all other types of social engineering) and malware remains our primary path to risk-reasonable due diligence.  Announcements of cyber-thefts like the one mentioned above are reminders that there are still tough challenges for all of us in financial services security and risk management.

 

REFERENCES:
“Bank Hackers Steal Millions via Malware.”
By David E. Sanger and Nicole Perlroth, 02-14-2015
http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

Updated 02-16-2015:

Report from Kaspersky:
http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
and the full report at http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf (downloaded 02-16-2015 @ 1 PM CST)

Video: “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.”
https://www.youtube.com/watch?v=ez9LNudxRIU

For some context, see:

The Great Bank Heist, or Death by 1,000 Cuts?, By Brian Krebs, 02-15-2015
https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/


Mac Boot Hacked via Thunderbolt Port

January 14, 2015

Too many of us still have to deal with members of our workforce who hold groundless beliefs about the freedom from risk they enjoy while using their Macs.

Trammell Hudson described his most recent project at the last Chaos Communication Congress in Germany. It is called Thunderstrike and it can infect any modern Mac boot ROM via the Thunderbolt port — ultimately giving the attacker control of the endpoint. This “evil maid” attack gives us all another reason for concern. Anyone with physical access to a worker’s Mac could use this technique (or one of its predecessors) as a foothold into your network, as well as gaining “direct” access into any operations to which that user has been permitted. Traveling executives seem like obvious targets, but virtually any member of the workforce is a candidate.

Mr. Hudson describes the impact of his attack as:

“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.

Our proof of concept bootkit also replaces Apple’s public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker’s private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect.”

At a minimum, this should be used as input for traveler’s security awareness training.

It should also be injected into risk analyses of all BYOD scenarios.

REFERENCES
“Thunderstrike.” By Trammell Hudson.
https://trmm.net/EFI

“De Mysteriis Dom Jobsivs: Mac EFI Rootkits.” By Snare (Blackhat 2012)
http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf

“Apple’s Mac EFI found vulnerable to bootkit attack via rogue Thunderbolt devices.” By Sam Oliver, Dec 22, 2014
http://appleinsider.com/articles/14/12/22/apples-mac-efi-found-vulnerable-to-bootkit-attack-via-rogue-thunderbolt-devices

“Thunderstrike: The scary vulnerability in your Mac’s Thunderbolt port.” By Christina Warren, Jan 02, 2015
http://mashable.com/2015/01/02/thunderstrike-mac/

Macs vulnerable to virtually undetectable virus that “can’t be removed” By Adrian Kingsley-Hughes, Jan 12, 2015
http://www.zdnet.com/article/macs-vulnerable-to-virtually-undetectable-virus-that-cant-be-removed/


Will Governments Increase Their Involvement in Incident Response?

January 10, 2015

Time (and others) reported that NSA Director Admiral Michael Rogers told the International Conference on Cyber Security (ICCS) at Fordham University in New York:
“Sony is important to me because the entire world is watching how we as a nation are going to respond to [the attack on Sony].” “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.'”
The attacks against Sony had begun in September, he said, with a flurry of tightly focused phishing attacks against key individuals. This was then used to gain full access to the company’s servers and to steal data.
Rogers stated, “I remain very confident: this was North Korea.”

Some cyber security experts seem less sure that accurately described what happened.

Rogers also said that hacks against private companies may require economic sanctions.

How did terabytes of data get stolen from Sony’s private network? Did Sony invest enough in attack resistance, identification, & response? Should there be more objective criteria upon which to help frame decision-making on this topic?

Since November I have been hearing a lot of discussion about “Sony” and “The Sony Hack.”   Should we in Financial Services begin including NSA monitoring, forensic assistance, and consulting in our incident response planing?
How will the U.S. (along with other nations in this global business environment) decide which hacks against private companies deserve a governmental response, and which will not?  And what if your company has business in both the source and target countries of a given attack?  It seems like each of our organizations need to work through these issues before the day they become critically important — and a small herd of corporate officers on an incident response call are waiting for your direction.

What do you think?

REFERENCES:
“NSA Director on Sony Hack: ‘The Entire World is Watching’.”
http://time.com/3660757/nsa-michael-rogers-sony-hack/
By Sam Frizell, 01-08-2015

“FBI fingering Norks for Sony hack: The Truth – by the NSA’s spyboss.”
http://www.theregister.co.uk/2015/01/09/fbi_nsa_sony_pictures_north_korea/
By Iain Thomson, 01-09-2015

“Are We Asking the Right Questions in the Wake of the Sony Pictures Breach?”
http://www.wired.com/2015/01/right-questions-sony-pictures-breach/
By Paul Martini, 01-09-2015


New In-Flight Data Leakage Channel — Gogo.

January 9, 2015

Commercial aircraft WiFi network provider Gogo appears to have been issuing SSL certificates for Google sites accessed via their in-flight service. Technically, the Gogo Inflight Internet service acts as an SSL Man-in-the-middle (MITM) attack. Most of us in Financial Services are familiar with analogous HTTP proxy infrastructure to allow our organizations to inspect and control web traffic, even traffic to secure web sites.

Assuming that many of your traveling workforce also use and communicate highly sensitive information, the kind that must be controlled to meet regulatory obligations and/or customer & investor expectations, the Gogo service appears to present a potentially material risk management issue. There is also the issue of losing any (more) of your workforce credentials. Under a range of common scenarios, Gogo appears to have them. Does Gogo protect that information to the degree required by Financial Services enterprises?  I assume not.

At a minimum, this seems like another topic to be included in our traveler’s security awareness training.
REFERENCES:

“Gogo Inflight Internet is intentionally issuing fake SSL certificates.” http://www.techworm.net/2015/01/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates.html
BY Dwulf, 01-05-2015

“Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates.”
http://www.symantec.com/connect/blogs/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates
By Rick Andrews, 01-07-2015


FBI Director James Comey on Some China Risks

October 5, 2014

For a variety of reasons, it is often a challenge to generate the appropriate level of information security awareness in executive leadership.
For some this has been especially true when the issues are associated with nation-state actors or a given culture.

For enterprises extending their operations into China, it may be difficult to build an effective risk-management message in the face of the virtually-intoxicating potential for growth and profit.

In that context, a recent interview with FBI Director James Comey included some unambiguous statements that might be helpful in framing some of the risks of integrating or extending your Financial Services operations into China. The interview was aired on the October 5, 2014 episode of 60 Minutes.

Scott Pelley: What countries are attacking the United States as we sit here in cyberspace?

James Comey: Well, I don’t want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry.

Scott Pelley: What are they trying to get?

James Comey: Information that’s useful to them so they don’t have to invent. They can copy or steal so learn about how a company might approach negotiation with a Chinese company, all manner of things.

Scott Pelley: How many hits from China do we take in a day?

James Comey: Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

Scott Pelley: The Chinese are that good?

James Comey: Actually, not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.

Scott Pelley: How much does that cost the U.S. economy every year?

James Comey: Impossible to count. Billions.

The entire transcript is available at:
http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/

REFERENCE:

Other Completosec Channel blog entries on this topic:
https://completosec.wordpress.com/category/china/


Another Reason to Disbelieve The Apple Security Story

September 2, 2014

Some subset of any Financial Services organization’s workforce has BYOD fever.  For many in our business, that fever has infected one or more senior leaders who cannot be ignored.  In Financial Services, we are collectively responsible for protecting $trillions of other people’s assets.

Most of the BYOD fever seems to be associated with new mobile devices.  From what I can observe, many Financial Services organizations are emphasizing their attraction to Apple iPads over Android or other alternatives.  That behavior seems out of phase with our due diligence obligations.

Apple has invested what must be a tremendous amount of resource and effort in building an image that incorporates something like “trust me, but I will not respond to your requests for transparency…”  For some reason, that seems to work.  This is in spite of regular patching of vulnerabilities that could have been discovered at architectural analysis, design, coding, static code security analysis, QA or penetration testing.  Apparently those activities do not incorporate effective secure software practices.

The latest example of Apple’s approach to software security made the news over the last weekend.  A vulnerability in iCloud enabled a trivial attack to discover the passwords of a number of targeted individuals.  Those passwords were then used to steal those user’s iCloud “protected” personal files.  Apple did not enforce a “max attempts” threshold for failed attempts to login to iCloud, which permitted attackers to pound away at the URL https://fmipmobile.icloud.com/fmipservice/device/$apple_id/initClient with basic auth attempts using scripts or malware that identified itself as ‘User-Agent’: ‘FindMyiPhone/376 CFNetwork/672.0.8 Darwin/14.0.0′.   An easy-to-understand proof-of-concept application is available on github.

Remember, in Financial Services, implementing some type of failed-login governor has been standard practice since we have been using the Internet for business.  Our constituents expect some type of “n-failed-login-attempts-and-you-are-locked-out.”  They may not consciously think through a detailed rationale, it is just a small but essential part of exhibiting a threshold level of Financial Services due diligence.  I assume that one possible root cause was that Apple engineers and architects must have reasoned that either nobody could format a basic auth HTTP POST with some json payload and sling it at their iCloud web service interface, or they believed that their closed ecosystem and black box approach to security implementations would keep their web service interface from being discovered.  Alternatively, they specified a max-failed-login-attempts feature into iCloud designs, but Apple management directed them to remove it based on non-technical rationale.  There could be other root causes of this vulnerability, but with the resources available to Apple, none seem in alignment with their “trust us” story-telling.  Their iCloud authentication implementation was just not fit for Financial Services workforce operating environments — while they have been arguing that “”iCloud is built with industry-standard security practices and employs strict policies to protect your data.”

Brute forcing passwords is a proven, decades-old practice that is highly effective unless resisted (because people, in large numbers, behave so predictably).  Financial Services-grade businesses understand this and implement and enforce policies that generally resist bald, brute force attacks.  It is a small, simple, basic, and essential characteristic of any Internet-ready system hosting non-public resources.  The fact that Apple implemented an Internet-facing authentication interface without resistance to brute force password attack, then failed to implement defense in depth (i.e., instrument the environment with effective IDS/IPS, identity fraud detection, and more) demonstrates — again — their unfitness for the Financial Services workforce environment.

Update 09-03-2014:

Could it be that Apple considers hackappcom’s proof of concept application and demonstrations of its use just another side-show?  They reacted to news about the celebrity data theft using what I read as legalistic and deflecting language:

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems,” Nat Kerris, a company spokeswoman, said in a statement. “We are continuing to work with law enforcement to help identify the criminals involved.”

Update 09-06-2014:

Apple, via CEO Tim Cook continued the Apple ecosystem and its technology are safe theme, blaming users for the recent iCloud vulnerabilities and their exploit, saying in a WSJ interview that Apple would ratchet up user awareness communications about stronger and safer passwords, and apparently will not be investing in more effective engineering:

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Mr. Cook also said that Apple would would begin sending users email messages and push notifications when certain AppleID events occur or when a user’s account data lands on a new device.

After a 40-hour investigation “concluded that there was no breach of its data servers. The company has said it discovered a number of celebrity accounts were compromised by targeted attacks…”

Sure.  Not ready for Financial Services.

 

REFERENCES:

“Hacker leaks dozens of nude celebrity pics in alleged iCloud hack.”
By Cody Lee, Aug 31, 2014
http://www.idownloadblog.com/2014/08/31/icloud-celeb-nude-pics-hack/

“Apple reportedly patches Find My iPhone vulnerability to hack Apple ID accounts.” By Christian Zibreg, Sep 1, 2014
http://www.idownloadblog.com/2014/09/01/icloud-hacking-patched-find-my-iphone/

“ibrute.” By hackappcom
https://github.com/hackappcom/ibrute

“Apple patches ‘Find My iPhone’ exploit.” By Adrian Kingsley-Hughes, Sep 1, 2014
http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/

“iCloud: iCloud security and privacy overview.”
http://support.apple.com/kb/HT4865

“iCloud Keychain.”
http://www.slideshare.net/alexeytroshichev/icloud-keychain-38565363

“Privacy Collides With the Wild Web.” By Mike Isaac, Sep 2, 2014
http://mobile.nytimes.com/2014/09/03/technology/trove-of-nude-photos-sparks-debate-over-online-behavior.html?_r=0 (downloaded Wed 09/03/2014 5:46 AM)

“Apple Says It Will Add New iCloud Security Measures After Celebrity Hack.” By Brian X. Chen, Sep 4, 2014 http://mobile.nytimes.com/blogs/bits/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/

“Tim Cook Says Apple to Add Security Alerts for iCloud Users — Apple CEO Denies a Lax Attitude Toward Security Allowed Hackers to Post Nude Photos of Celebrities.” By Daisuke Wakabayashi, Sep 5, 2014 http://online.wsj.com/news/article_email/tim-cook-says-apple-to-add-security-alerts-for-icloud-users-1409880977-lMyQjAxMTA0MDAwNDEwNDQyWj

“Apple Media Advisory: Update to Celebrity Photo Investigation.” http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html (downloaded Sat 09/06/2014 5:56 PM)


Follow

Get every new post delivered to your Inbox.

%d bloggers like this: