Verizon Says Passwords are Not Enough

April 25, 2016

Lately, I’ve been spending a lot of time performing static code security assessments of web applications. That leads to working with developers and those who work around them. One thing many of them share with me is their faith in authentication infrastructure — infrastructure that generally sits “in front” of their applications and protects them from unauthorized users. Sometimes I still hear Architects talk about “security” as if it were really just authentication… In that context, the latest Verizon Data Breach Investigations Report (DBIR) reviews their 2016 dataset of over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries.

The full paper is worth a read, but in the context of my comments above I wanted to highlight Verizon’s recommendations concerning passwords:

“…passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

“63% of confirmed data breaches involved weak, default or stolen passwords.”

The top 6 breaches included the following steps: “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials”

Recommendaton:
“If you are securing a web application, don’t base the integrity of authentication on the assumption that your customers won’t get owned with keylogging malware. They do and will.”

REFERENCES:
Verizon Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/insiders/

 


Recognize the Fact of Android Endpoints

April 20, 2016

The BYO hypesters that I am exposed to tend to trend strongly toward all things Apple.

Earlier today, a ranking security leader saw a slide highlighting the history of iOS and OSx vulnerabilities and snapped something about the market speaking through Apple’s sales dominance… …as if Apple ‘owned’ our customer, prospect, and employee population.

This seems to happen a lot. I work for an overtly “global” financial services corporation. Leading technologists on staff promote Apple products as the solution to virtually any endpoint challenge (we currently do our business on tens of thousands of Windows endpoints running Windows applications…). The company that pays us is attempting to generate strategic expansion in Latin America and Asia…  We want and need to service people’s financial services needs where they are — meaning strong support for interactions via their mobile devices.  The mismatch is cringe-worthy.

How does this marketplace blind spot afflict so many people who otherwise are intelligent adults?  I really don’t know.  Maybe financial services professionals are becoming prisoners of their own cognitive traps?

MacRumors recently announced that “iOS and Android Capture Combined 98.4% Share of Smartphone Market.” The Apple portion of that global 2015 market share was 17.7% (down from 20.4% in 2014). Android-based mobile devices represented 80.7% of the 2015 market (up from 76.0% in 2015).

Year after year people around the world purchase more Android mobile devices than the competing Apple devices. In 2015 that amounted to more than 4.5 Android mobile devices purchased for every Apple iOS device sold.

Gartner (Feb 2016) reported:

Worldwide Smartphone Sales to End Users by OS in 4Q15 (in Thousands of Units)

           4Q15     4Q15 Market   4Q14      4Q14 Market
        Units Sold  Share %     Units Sold  Share %
Android 325,394     80.7        279,057     76.0
iOS      71,525     17.7         74,831     20.4
Windows   4,395      1.1         10,424      2.8
Blackberry  906      0.2          1,733      0.5
Others      887      0.2          1,286      0.4

 

Sure, the Android == ‘security hell’ meme has some good reasons for retaining its foothold in business culture. And sure, there are many more ‘ancient’ unpatched/underpatched Android devices compared to the iOS environment. There are attractive and repulsive characteristics of Android/iOS environments that we can argue about, but that avoids the fact that our employees, customers, and prospects buy and use more Android devices.  A lot more.  We will leave a lot of money on the table if we ignore that fact and build software & operations that are tightly-coupled with Apple mobile device products.

OK. I had to get that out of my system…

REFERENCES

“iOS and Android Capture Combined 98.4% Share of Smartphone Market.”
By Joe Rossignol, Feb. 18, 2016
http://www.macrumors.com/2016/02/18/ios-android-market-share-q4-15-gartner/

“iPhone lost market share to Android in every major market except one.”
Jim Edwards, Jan. 27, 2016
http://www.businessinsider.com/apple-ios-v-android-market-share-2016-1


Another Demonstration of How Mobile Phones & their Supporting Networks are Vulnerable to Abuse

April 17, 2016

Some continue to hype “bring your own device” (sometimes just BYOD) as near-term technology and business goal for global Financial Services enterprises.  At its most shrill, the argument hammers on the idea like ‘we all have a smart phone and it has become the center of our lives…‘  In this industry we are all responsible for protecting trillions of dollars of other people’s money as well as digital information about customers (individuals & companies), partners, and deals, all of which must remain highly secure, or the foundation of our business erodes.  That responsibility is wildly out of alignment with most BYOD realities.  In that context, this blog entry is an offering to help risk management teams educate their Financial Services organizations about some of the risks associated with using mobile phones for work activities.

Here is some content that may be useful in your security awareness campaign…

Financial Services executives “private” communications could be of high value to cyber criminals. So too could be your Finance staff, Help Desk, Reporting Admin, Database Admin, System Admin, and Network Admin communications. There are a lot of high value avenues into Financial Services organizations.

Under the title “Hacking Your Phone,” the 60-Minutes team have security professionals demonstrate the following in a 13 minute video:

  • Any attacker needs just their target’s phone number, to track the whereabouts, the text traffic, and the details of phone conversations initiated or received by their prey. Turning off your “location status” or other GPS technology does not inhibit this attack. It depends upon features in the SS7 (Signalling System #7) network that have been overly permissive and vulnerable to abuse for decades. These SS7 vulnerabilities appear to remain after all this time because of nation-state pressures to support “lawful interception.”
    They demonstrate their assertion in an experiment with U.S. Representative Ted Lieu, a congressman from California.
  • Attackers can own all or some of your phone when you attach to a hostile WiFi. Never trust “public” or “convenience” (for example “hotel”) WiFi. Attackers present look-alike WiFi (sometimes called “spoofing”) and then use human’s weakness for “trustworthy” names to suck targets in.
    They demonstrate this approach by stealing a target’s mobile phone number, account ID, and all the credit cards associated with– with that account, along with their email.
  • Attackers use social engineering to get their software installed on targeted devices. One outcome is that they can also monitor all your activity via your mobile phone’s camera and microphone — without any indication from the mobile device screen or LEDs, and the attacker’s software does not show up via any user interface even if you tried to find it.
    They demonstrate this approach with the 60 Minutes interviewer’s device.

Remember, not everyone employed throughout Financial Services enterprises understands the risks associated with performing business activities via mobile devices.  Use materials like this video to augment your risk awareness program.

REFERENCES:
“Hacking Your Phone.” aired on April 17, 2016
http://www.cbsnews.com/news/60-minutes-hacking-your-phone/

SS7, Signalling System #7 https://en.wikipedia.org/wiki/Signalling_System_No._7

Lawful interception.” https://en.wikipedia.org/wiki/Lawful_interception

 

 


Use care when describing how you do Financial Services security

March 3, 2016

Use care when describing how you do your Financial Services security.  This seems especially relevant as some in our industry attempt to drive down costs by extending their operations into low cost consumer-heritage cloud services and onto other types of opaque Internet platforms of all kinds.  Consultants, pundits, analysts, and hucksters are all attempting to make a living by selling schemes that incorporate one or many of these options.  What they tend to omit, are the impacts that their ideas may have on the truthfulness of your public and contractual security assurances.

The Consumer Financial Protection Bureau (CFPB) just fined Dwolla $100,000 U.S. for misleading users about the company’s data security practices.  In addition, Dwolla must report virtually all security-related activities to the CFPB and request permission for certain types of security changes for the next 5 years.  The CFPB also put the Dwolla Board of Directors on notice that they must demonstrate more intense and more regular involvement in and oversight of Dwolla security measures and their effectiveness.

The CFPB also required Dwolla to implement a long list of measures to improve the safety and security of its operations and the consumer information that is stored on, or transmitted through, its network(s). [see pages 12-13 for just the initial summary]

A key mandate seems to be that these security measures must evolve as Dwolla grows.  The CFPB wrote that Dwolla must protect the confidentiality, integrity, and availability of sensitive consumer information with “administrative, technical, and physical safeguards appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected about consumers.”  So this is not a simple once-and-done mandate at all.

Dwolla operates an online payments-transfer network.

The CFPB said Dwolla misrepresented the security of its platform, which collects users’ personal information at account set up.  All Financial Services enterprises collect users’ personal information at account setup…

The CFPB wrote that Dwolla had failed to:

  • Adopt and implement data-security policies and procedures reasonable and appropriate for the organization;
  • Use appropriate measures to identify reasonably foreseeable security risks;
  • Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • Use encryption technologies to properly safeguard sensitive consumer information; and
  • Practice secure software development, particularly with regard to consumerfacing applications developed at an affiliated website, Dwollalabs. (Note: Under this heading, the CFPB also included ending the use of customer information in the non-production environment.)

Would your Financial Services organization hold up against a thorough review of these two areas of secure operations?

In response, Dwolla wrote:

Dwolla was incorporating new ideas because we wanted 
to build a safer product, but at the time we may not have 
chosen the best language and comparisons to describe 
some of our capabilities. It has never been the 
company’s intent to mislead anyone on critical issues 
like data security. For any confusion we may have caused, 
we sincerely apologize.

In that blog entry, they go on to describe how they implement security today.  They use careful words to describe their current status and strategy.

Dwolla has been an optimistic, agile, cloud-friendly, fast-evolving financial services specialist company for years.  The CFPB fine is a signal that optimism and its close relative in some approaches to ‘risk management‘ — hope — are not going to be tolerated as effective protections for customer personal information.  I understand that we must always attempt to better serve our customers (real and prospective) and partners, but keep this reminder about how ‘security cannot only be words’ in mind as you explore wildly hyped technology options with enthusiasts who promote them.

REFERENCES

Administrative Proceeding File No. 2016-CFPB-0007
In the Matter of: Dwolla, Inc. Consent Order

Dwolla: https://www.dwolla.com/

“We are Never Done.” http://blog.dwolla.com/we-are-never-done/

“Dwolla fined $100,000 for misleading data security claims.”
Federal agency orders D.M.-based financial technology firm to bolster security
Matthew Patane, The Des Moines Register, page 11A. 3/3/2016 (from the physical paper copy)

“CFPB Fines Fintech Firm Dwolla Over Data-Security Practices — Online-payment company agrees to improve how it protects customer data.”

Targeted Phishing Still Works – Resistance is Critical

February 29, 2016
As many have been reporting today, one of Snapchat’s employees was recently targeted by online criminals who convinced them that they were the company’s CEO.
Then what?
In response to the targeted phish, the employee emailed a copy of some company payroll details to what they hoped was their CEO.  As a result, a number of Snapchat’s workers have had their identities compromised [not Snapchat’s millions of users].
Still, and too often, social engineering works…
Members of any Financial Services workforce need to resist this force all day, every day.
In this 4 minute video, Graham Cluley outlines how this can happen and how employees might reconsider breaking the rules.
His final guidance can be summarized as: “It’s okay to say no.”
He is an entertaining presenter and his message is completely applicable to any Financial Services work environment.
Take a break for this 4 minute security reminder: https://www.youtube.com/watch?v=PpNDpnXXiOA
REFERENCE:
 Snapchat Apology:
http://snapchat-blog.com/post/140194434840/an-apology-to-our-employees
VIDEO: “Snapchat data breach shows that sometimes it’s good to say no to your CEO. — Do you mind just sending over the payroll database?”
By Graham Cluley, February 29, 2016
https://www.youtube.com/watch?v=PpNDpnXXiOA

What Can We Learn From Russian Attacks Against Ukrainian Power Companies?

February 26, 2016

The U.S. Dept. of Homeland Security (DHS) released a report about the December 23, 2015, Ukrainian power company outages caused by cyber-attacks.

Why should you care? These were targeted, effective, remote attacks against infrastructure operations to cause outages in subsidiary systems, as well as to demonstrate power.

As Financial Services consolidate their digital operations into ever-larger data centers — owned or third party — and migrate software and data to third party ‘cloud’ services — still more data center concentration — the risks associated with attacks against infrastructure are growing. Data centers are highly automated webs of complex power, heat management, monitoring, data communications, and access control infrastructure. Because of commercial data center consolidation, remote access to infrastructure systems is a given. If Financial Services enterprises’ infrastructures were the target of talented cyber-attack conceptually analogous to those against Ukrainian power company infrastructures, there would be serious negative consequences.

During those Ukrainian cyber-attacks, remote hostile actors used either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections to operate electric power flow controls. The hostile actors appeared to use a number of legitimate credentials during the cyber-attack to facilitate remote access.
These actors also wiped some systems by executing the KillDisk malware to render systems inoperable as they finished their attack.
They also corrupted firmware supporting Serial-to-Ethernet devices at substations.
Finally, they scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface in an attempt to interfere with expected restoration efforts.
The targeted power companies also reported that they had been infected with BlackEnergy malware — reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. Researchers suspect that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials

Exhibit continuous due diligence in your selection and management over your data communications infrastructure & data centers. Protect them against all channels of unauthorized access. The threat of remote catastrophe or simply serious, serious outage is real.

REFERENCES:
Alert (IR-ALERT-H-16-056-01)
Cyber-Attack Against Ukrainian Critical Infrastructure
Original release date: February 25, 2016
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

Hackers did indeed cause Ukrainian power outage, US report concludes
DHS officials say well-coordinated hack cut power to 225,000 people.
by Dan Goodin – Feb 26, 2016 1:14pm CST
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/


Complex Problems Remain

October 4, 2015

All of us involved in global financial services continue to be confronted with an expanding universe of “cloud” and “mobile” and “agile” options. Too many marketers for too many of these vendors seem to exercise increasingly predatory behaviors. A key result seems to be an escalation of risk management complexity…

In that context, I have been working on some complex issues…
Hofstadter’s Law (1979) still applies.

Hofstadter’s Law states that “It always takes longer than you expect, even when you take into account Hofstadter’s Law.”

REFERENCES:
Hofstadter’s Law: https://en.wikipedia.org/wiki/Hofstadter%27s_law


Follow

Get every new post delivered to your Inbox.

%d bloggers like this: