Android Endpoints Still Rule

October 30, 2021

Five and a half years ago I wrote about how wildly inaccurate assumptions about Apple market-share impacted some software development decisions as well as ‘downstream’ customers and partners…
https://completosec.wordpress.com/2016/04/20/recognize-the-fact-of-android-endpoints/

I continue to bump into this attitude about Apple mobile devices and it remains cringe-worthy.  How can this be?  Because it happens so often, I assume that other North American risk management professionals experience it as well.  I understand that the U.S. market has iOS roughly 15% above Android, but I suspect that the more than 7 billion people living outside the U.S. represent a huge and growing business opportunity for most global financial services enterprises.  Discounting Android endpoints leaves a lot of opportunity unexplored.

In the last 5.5 years global Apple mobile device market-share has increased roughly 10% while Android increased roughly 9%, leaving them at 28.23% for iOS and 71.08% for Android in October 2021.

If your business is attempting to expand in India or more broadly in Asia, or in South America, iOS market-share is smaller.

India (https://gs.statcounter.com/os-market-share/mobile/india):
Android == 96.03%
iOS == 3.16%
Asia (https://gs.statcounter.com/os-market-share/mobile/asia):
Android == 83.21%
iOS == 16.04%
South America (https://gs.statcounter.com/os-market-share/mobile/south-america):
Android == 88.23%
iOS == 11.46%

As in 2016, I had to get that out of my system…


SolarWinds-Enabled Hacks Widespread

December 14, 2020

Hostile actors associated with Russian cyber-security organizations used SolarWinds Orion technology to enable unauthorized long-running elevated rights access throughout the U.S. government and as many as hundreds of the Fortune 500 corporations. This access may have included the Office of the President of the United States.

There is no reason for me to copy the operational details here. There are some good write-ups in the REFERENCES section below.

I just wanted to add to their content with this abuse case:

These hostile actors are getting a lot of attention for data & secrets exfiltration. In global financial services enterprises, we move trillions of dollars a day. These hostile actors were able to acquire elevated rights credentials and move laterally for months. They had enough time to figure out the cash management, account management, portfolio management, and back room accounting processes as well as the chains of approvers required to authorize the maintenance of external target accounts and authorizations for the movement of funds/securities. If so motivated, it seems likely they could have moved large amounts of the financial assets for which we are responsible to target accounts of their choosing. If this did not happen, financial services organizations dodged a big one.

In that case, it was only ‘luck’ that protected the financial services industry. Luck is a terrible risk management tool/technique. This hack is a loud signal that our resistance to and detection of attacks needs to be a lot better than it is today. The FireEye and Krebs references below include the types of details that support changes that will help fill some of that gap.

REFERENCES:

“U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise.” By Brian Krebs, 14 Dec 2020.
https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

“Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.” By FireEye, 13 December 2020.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

“Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce.” By Ellen Nakashima and Craig Timberg, 13 Dec 2020.
https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html

“Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect.” By David E. Sanger, 13 Dec 2020.
https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html

“Suspected Russian hackers spied on U.S. Treasury emails – sources.” By Christopher Bing, 13 Dec 2020.
https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG

17 Dec 2020 Addition:
“Sunburst Backdoor: A Deeper Look Into The SolarWinds’ Supply Chain Malware.” By Sergei Shevchenko, 15 Dec 2020.
https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html


Apple iOS Vuln via Mail

April 26, 2020

ZecOps announced a collection of iOS vulnerabilities associated with the iOS Mail app that enable hostile agents to run arbitrary code and to delete messages, present since at least iOS 6…
So far, this has been described as a set of Out-Of-Bounds write and Heap-Overflow vulnerabilities that are being used against targeted high value endpoints. My interpretation of their detailed write-up is that this qualifies as a remote, anonymous, arbitrary code execution vulnerability. As such, even if it must be targeted and even if it may not be an ‘easy’ attack, because global financial services organizations are targeted by some number of determined adversaries, we need to take it seriously.

Apple responded by rejecting the idea that this represented an elevated risk for consumers because their security architecture was not violated and they found no evidence of impact to their customers — while engineering a fix that will be rolled out soon. Is it time to factor this elevated risk behavior (reject-but-fix) into our threat models?

The ZecOps headline was:

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”

For global financial services enterprises, the presence of hundreds of billions, even trillions of dollars in one or another digital form seems to make this risk rise to the level of relevance. This is especially true because of the effectiveness of Apple’s marketing techniques across broad categories of roles expected to populate our organizations — i.e., our staff and leaders often use Apple devices.

On one front “Apple’s product security and the engineering team delivered a beta patch (to ZecOps) to block these vulnerabilities from further abuse once deployed to GA.”

On another front, Apple also publicly rejected the ZecOps claims about finding evidence of the exploit being used, saying the issues “are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.” If I read this assertion carefully and in the context of potential future legal action or sales headwinds, it does not inspire confidence that the vulnerabilities were not real-and-exploitable-as-described — only that Apple rejects some narrowly-crafted subset of ZecOps’ announcement/analysis and that they still stand behind the effectiveness of some subset of the iOS architecture.

Apple’s full statement:

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

The Apple echo-chamber kicked in to support the rejection in its most comprehensive and positive interpretation…

ZecOps’ summary of their findings includes (quoted):

  • The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory
  • The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
  • Both vulnerabilities were triggered in-the-wild
  • The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
  • We are not dismissing the possibility that attackers may have deleted remaining emails following a successful attack
  • Vulnerability trigger on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
  • Vulnerability trigger on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
  • Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
  • The vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released
  • The earliest triggers we have observed in the wild were on iOS 11.2.2 in January 2018

Like any large-scale software vendor, Apple fixes a lot of bugs and flaws. I am not highlighting that as an issue.  A certain amount of bugs & flaws are expected in large scale development efforts.  I think that it is important to keep in mind that iOS devices are regularly found in use in safety and critical infrastructure operations, increasing the importance of managing the software lifecycle in ways that minimize the number, scope and nature of bugs & flaws that make it into production.

Apple has a history of enthusiastically rejecting the announcement of some interesting and elevated risk vulnerabilities using narrowly crafted language that would be likely to stand up to legal challenge while concurrently rolling out fixes — which often seems like a pretty overt admission of a given vulnerability.

This behavior leaves me thinking that Apple has created a corporate culture that is impacting their ability to do effective threat modeling.  From the outside, it increasingly appears that Apple’s iOS trust boundaries are expected to match the corporation’s marketing expressions of their control architecture — ‘the happy path’ where formal iOS isolation boundaries matter only in ways that are defined in public to consumers, and other I/O channels are defined out of what matters… If I am even a little correct, that cultural characteristic needs to be recognized and incorporated into our risk management practices.

Given the scale of their profits, Apple has tremendous resources that could be devoted to attack surface definition, threat modeling, and operational verification of their assumptions about the same. Many types of OOB Write and Heap-Overflow bugs are good targets for discovery by fuzz testing as well. Until recently I would have assumed that by this point in iOS & iPhone/iPad maturation, Apple had automation in place to routinely, regularly & thoroughly fuzz obvious attack vectors like inbound email message flow in a variety of different ways and at great depth.
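As an added illustration of why this bug class is fuzz-friendly (example code written for this post, not Apple’s or ZecOps’ code), the block below shows a hypothetical mail-part decoder with the unchecked-length pattern beside its hardened form, behind a libFuzzer-style entry point. The wire format, MAX_PART and every function name are constructed for the example.

```c
/* Added example, not Apple's or ZecOps' code: a hypothetical mail-part decoder
 * with the OOB-write pattern described above beside its hardened form, behind a
 * libFuzzer-style entry point. Wire format, MAX_PART and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PART 1024  /* fixed decode buffer for one body part (hypothetical) */

typedef struct {
    uint8_t body[MAX_PART];
    size_t  body_len;
} mail_part_t;

/* Constructed wire format: 4-byte little-endian declared body length, then the
 * body bytes. Real MIME is textual, but the failure mode, trusting a
 * sender-supplied length, is identical. Returns 0, or -1 if fewer than 4 bytes. */
int read_u32le(const uint8_t *p, size_t avail, uint32_t *out) {
    if (avail < 4) return -1;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* VULNERABLE (kept for contrast; never fed untrusted data here): the declared
 * length is checked neither against MAX_PART nor against the bytes received, so
 * memcpy writes past out->body and reads past the input. ASan catches it. */
int parse_part_unsafe(const uint8_t *data, size_t len, mail_part_t *out) {
    uint32_t declared;
    if (read_u32le(data, len, &declared) != 0) return -1;
    memcpy(out->body, data + 4, declared);   /* OOB write and OOB read */
    out->body_len = declared;
    return 0;
}

/* HARDENED: the same decoder with the two missing checks. A part that is
 * oversized, or whose body has not fully arrived yet (the "trigger before the
 * entire email is downloaded" case), is rejected instead of written. */
int parse_part_safe(const uint8_t *data, size_t len, mail_part_t *out) {
    uint32_t declared;
    if (read_u32le(data, len, &declared) != 0) return -1;  /* header truncated */
    if (declared > MAX_PART)                  return -2;  /* exceeds buffer */
    if ((size_t)declared > len - 4)           return -3;  /* body not all here */
    memcpy(out->body, data + 4, declared);
    out->body_len = declared;
    return 0;
}

/* libFuzzer entry point: clang -g -fsanitize=fuzzer,address this_file.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    mail_part_t part;
    (void)parse_part_safe(data, size, &part);  /* swap in _unsafe to watch ASan fire */
    return 0;
}

/* Builds one constructed part into buf (caller guarantees room). */
size_t build_part(uint8_t *buf, uint32_t declared, const void *body, size_t body_len) {
    buf[0] = (uint8_t)declared;         buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16); buf[3] = (uint8_t)(declared >> 24);
    if (body_len) memcpy(buf + 4, body, body_len);
    return 4 + body_len;
}

/* Hardened decoder over constructed inputs; returns cases handled (4 = all). */
int run_constructed_cases(void) {
    mail_part_t part;
    uint8_t buf[64];
    int ok = 0;
    size_t n = build_part(buf, 5, "hello", 5);                 /* well-formed */
    if (parse_part_safe(buf, n, &part) == 0 && part.body_len == 5 &&
        memcmp(part.body, "hello", 5) == 0) ok++;
    n = build_part(buf, 0xFFFFFFFFu, NULL, 0);                  /* absurd length */
    if (parse_part_safe(buf, n, &part) == -2) ok++;
    n = build_part(buf, 100, "0123456789", 10);                 /* truncated body */
    if (parse_part_safe(buf, n, &part) == -3) ok++;
    if (parse_part_safe(buf, 2, &part) == -1) ok++;             /* truncated header */
    return ok;
}

int main(void) {
    printf("hardened decoder: %d/4 constructed cases handled\n", run_constructed_cases());
    return 0;
}
```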

This pattern of behavior has been exhibited long enough and consistently enough that it seems material for global financial services enterprises. So many of our corporations support doing large amounts of our business operations on iDevices. I think that we need to begin to factor this elevated risk behavior into our threat models. What do you think?

REFERENCES:
“You’ve Got (0-click) Mail!” By ZecOps Research Team, 20 Apr 2020.
https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/

“Apple’s built-in iPhone mail app is vulnerable to hackers, research says.” By Reed Albergotti, 23 Apr 2020.
https://www.washingtonpost.com/technology/2020/04/23/apple-hack-mail-iphone/

“Apple downplays iOS Mail app security flaw, says ‘no evidence’ of exploits — ‘These potential issues will be addressed in a software update soon’.” By Jon Porter, 24 Apr 2020.
https://www.theverge.com/2020/4/24/21234163/apple-ios-ipados-mail-app-security-flaw-statement-no-evidence-exploit


Twitter Reduces Privacy Options

April 11, 2020

The Electronic Frontier Foundation (EFF) provided some context for the recent change in Twitter privacy options.  I think that it is an excellent read and recommend it to anyone involved in Financial Services security — especially those involved in mobile application architecture, design, and implementation.

Their conclusion:

Users in Europe retain some level of control over their personal data in that they get to decide whether advertisers on Twitter can harvest user’s device identifiers. All other Twitter users have lost that right.

The more broadly available users’ device identifiers are — especially in the context of their behaviors (how they use their devices) — the harder it becomes to resist a range of attacks.  We already have a difficult time identifying customers, vendors, contractors, the people we work with, and leaders throughout our organizations.  We depend on all kinds of cues (formal and informal) for making trust decisions.  As the pool of data available to hostile agents grows along every relevant dimension (because if it is gathered it will be sold and/or leaked), it becomes more difficult for us to find information that only the intended/expected individual would know or would have.

Defending against competent social engineering is already a great challenge — and behaviors like Twitter’s* will make it more difficult.

Note: Twitter is hardly alone in its attraction to the revenue that this type of data sales brings in…

REFERENCE:

https://www.eff.org/deeplinks/2020/04/twitter-removes-privacy-option-and-shows-why-we-need-strong-privacy-laws


Open Office Fail

January 11, 2020

Risk management in global financial services enterprises is necessarily a highly collaborative exercise.  Effective managers understand and nurture this foundational characteristic of our mission.

…And then there are the Open Office pushers.  My experience with mainstream open office workplace religion over the last ten years or so has been, well, not something that I would like to go through again.  It seems like managers caught up in the Open Office echo chamber must be driven by a range of motivations that express themselves in an odd mix of xkcd irony and Dilbert-speak.

I just read an essay on the effectiveness of Open Office workplace environments.  The authors appear to do a reasonable job collecting and analyzing real & relevant data to support their observation that:

When the firms switched to open offices, face-to-face interactions fell by 70%.
Ethan Bernstein & Ben Waber in The Truth About Open Offices.

Regardless of your opinions on this topic, if you are in the risk management business, you have to understand the value of effective collaboration and the need to protect it from forces that undermine it.  Bernstein & Waber’s work on this topic is well worth your attention.  Read it now: https://hbr.org/2019/11/the-truth-about-open-offices

REFERENCES:

The Truth About Open Offices.
By Ethan Bernstein & Ben Waber
From the November–December 2019 Issue of Harvard Business Review
https://hbr.org/2019/11/the-truth-about-open-offices



Survey Says – CyberSec is CEOs’ #1 External Concern for 2019

January 19, 2019

A Conference Board survey revealed that “U.S. CEOs rank cyber security as their #1 external concern for 2019.”  Security professionals can use this data to help support investments in their operations, or in funding new efforts.  Use care in your messaging on this topic.  As usual, cyber security is not synonymous with data privacy.  The Conference Board survey found that while cyber security ranked high, compliance with data privacy regulations did not — it was their #10 ranked internal concern.

Messaging matters.  Don’t sell data privacy compliance if cyber security is a fit.  Use the Conference Board survey information to help sharpen your story-telling.

REFERENCES:

“In 2019, CEOs are Most Concerned About Talent and a Recession.”
https://www.conference-board.org/pdf_free/press/Press%20Release%20–%20C-Suite%20Challenge%202019.pdf
and
https://www.conference-board.org/press/pressdetail.cfm?pressid=7650

“U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession.” By Erik Sherman.
http://fortune.com/2019/01/17/cybersecurity-recession/



Crypto-Currencies & BlockChain Will Not Transform Society in 2019

January 6, 2019

Well over $1B U.S. was lost from crypto-currency ecosystems in 2018.

That said, I still read and hear from many about the societal transformation being brought about by blockchain technology as well as the broader crypto-currency ecosystems.  Too often these assumptions are a simple echo of something the author or speaker just read or heard.  Even the more substantial assertions are based on more or less fuzzy assumptions about new access to ‘truth’ and the elimination of corrupt ‘insiders’ across the globe.  Is this any more than another layer of social media-supported shared madness (maybe with a dose of old-fashioned pump & dump too)?  From the perspective of a security professional in global financial services, it sure seems unjustified by our experiences.  Architecture, design, implementation, operations, and software & infrastructure vulnerabilities, along with criminals & human weakness, still seem relevant to blockchain and crypto-currency.

Yesterday Farzam Ehsani, co-founder and CEO of VALR.com, wrote in a “2018 year in review” on coindesk.com that:

“We’ve been told that blockchain technology will get rid of the need for trust in the world. We won’t have to trust corrupt governments, greedy corporations or rigged electoral systems. Everything from deeds offices to supply chains to voting systems to identity will be revolutionized, ensuring we never have to trust another untrustworthy human being, institution or government ever again.

This is a pipe dream that is unsubstantiated and misleading.”

I think that his short essay is worth a read.

REFERENCES:

The False Promise Blockchains Will Revolutionize Real-World Assets.
By Farzam Ehsani, co-founder and CEO of VALR.com
https://www.coindesk.com/the-false-promise-blockchains-will-revolutionize-real-world-assets

List of Major Crypto Hacks… So Far…
By Paolo Passeri (10 September 2018)
https://www.hackmageddon.com/2018/09/10/list-of-major-crypto-hacks-so-far/



Deception Has a Place in Secure Software

April 1, 2018

Deception has been standard military practice for millennia.  Attackers and defenders employ deception for a variety of goals:

Deceive – Cause a person to believe what is not true
Degrade – Temporary reduction in effectiveness
Delay – Slow the time of arrival of forces or capabilities
Deny – Withhold information about capabilities
Destroy – Enemy capability cannot be restored
Disrupt – Interrupt or impede capabilities or systems
Divert – Force adversary to change course or direction
Exploit – Gain access to systems to collect or plant information
Neutralize – Render adversary incapable of interfering with activity
Suppress – Temporarily degrade adversary/tool below level to accomplish mission

The U.S. military uses what they call a “See, Think, Do” deception methodology.

The core idea is to manipulate the cognitive processes in the deception target’s mind that result in targeting decisions and in adversary actions that are advantageous to our operations, our tactical or strategic goals.  This methodology tends to result in looping through the following three questions:

(1) What does the target of our deceptive activities see when they observe our operations?
(2) What conclusions does that target draw from those observations?
(3) What action may the target take as a result of the conclusions based upon those observations?

Successful deception operations are those that do more than make the target “believe” or “think” that the deception is true.  Success also needs to result in action(s) or inaction that supports our operational plan(s).

Deception tactics can target human attackers, their organizations, their code, or any set thereof.

It is standard practice across global financial services enterprise information security to implement layers of protections — never depending on only a single security device.  We are at a stage in the battle with global cybercrime that may demand we introduce deception as a new layer of defense.  When we architect, design, and implement our applications and systems, we may enhance our resistance to attack by employing tactics analogous to military deception to influence attackers and the hostile code they use.  This will not be quick or easy.

Who might you assign to this task?  Do not immediately regress to: “I wonder who is available.”  Like many security tasks, deception planning requires a relatively rare skillset.  We build and deploy our software in ways that expose a multitude of interfaces.  That practice results in complex and often numerous abuse cases.  Our worker will need to understand and analyze that matrix from a number of perspectives, and to project others’ thinking and actions into the future.  We might expect them to:

  1. Understand each component’s deception and other information operations/influence capabilities.
  2. Be intimately familiar with their organization’s missions and focus.
  3. Understand the concepts of centers of gravity, calculated risk, initiative, security, and surprise.
  4. Understand friendly and adversary intelligence systems and how they function.
  5. Possess technical understanding of intelligence sensors, the platforms on which they deploy, their reporting capabilities, and associated processing methodologies.
  6. Understand the psychological and cultural factors that might influence the adversary’s planning and decision making.
  7. Understand potential adversaries’ planning and decision-making processes (both formal and informal).
  8. Understand the assets that are available to support the deception.

It is more difficult than just that.  We live in a world of laws, regulations, contracts, and norms that will constrain our behaviors in ways that differ from what may be acceptable on other battlefields.  Our leaders and practitioners need to understand those limits and manage their activities in ways that align with our obligations.  This will require much more than technical and operational competence.  It requires a high level of maturity and a finely calibrated moral & ethical compass.  Superior deception campaigns will require careful planning, effective guard-rails, and serious management.

Darn!  Another difficult staffing challenge…

Get used to it.  If you want to deliver your applications to a user-base anywhere on the Internet, and/or if you want to run your business in the cloud — especially if you are a global financial services enterprise — you need to expand and enhance your threat resistance using deception.

What do you think?

REFERENCES:

“Influence Operations and the Internet: A 21st Century Issue Legal, Doctrinal, and Policy Challenges in the Cyber World.”
“JP 3-13.3, Operations Security.” 04 January 2012
http://www.dtic.mil/doctrine/concepts/concepts.htm

Adult Behavior

February 8, 2018

John Perry Barlow, a co-founder of the Electronic Frontier Foundation (EFF) died yesterday.  Many of us haven’t had the opportunity to meet him, but it would have been difficult in our business to avoid being touched by some aspect of his work.  His diverse accomplishments suggest that he was an extremely curious, intelligent, sensitive, and energetic individual.

For decades he was influential across a number of dimensions of Internet evolution.
His work and that of the EFF have been valuable risk management enablers for decades.

In addition, Mr. Barlow shared some guidance on adult behavior that seems like excellent input for anyone engaged in or hoping to join Financial Services risk management.  Amid the diverse spectrum of pressures we all work within, and under a non-stop rain of security product/service marketing, it is easy to get overly focused on technology and process.  While they are essential, they are also insufficient.  Global Financial Services enterprises are complex, dynamic entities that — for long term success — seem to require that those of us in information security & risk management strive to exhibit the behaviors succinctly summarized in Barlow’s Principles, and that we be called out by our peers when we fail.  Make some time to read them.

REFERENCES:
Barlow’s “Principles of Adult Behavior”:
https://www.mail-archive.com/silklist@lists.hserus.net/msg08034.html
John Perry Barlow:
https://en.wikipedia.org/wiki/John_Perry_Barlow
EFF:
https://www.eff.org/
EFF Background: https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation
Barlow’s still thought provoking 1996 “A Declaration of the Independence of Cyberspace:”
https://www.eff.org/cyberspace-independence


Pirated Software and Network Segmentation

July 17, 2017

Global financial services enterprises face a complex web of risk management challenges.
Sometimes finding the right grain for security controls can be a difficult problem.
This can be especially problematic when there is a tendency to attribute specific risks to cultures or nations.

A couple of months ago I read a short article on how WannaCry ransomware impacted organizations in China. Recently, while responding to a question about data communications connectivity and segmenting enterprise networks, I used some of the factoids in this article. While some propose material “savings” and “agility” enabled by uninhibited workforce communications and sharing, the global financial services marketplace imposes the need for rational/rationalized risk management and some level of due diligence evidence. Paul Mozur provides a brief vignette about some of the risks associated with what seems like China’s dependence on pirated software. Mr. Mozur argues that unlicensed Windows software is not being patched, so the vulnerability ecosystem in China is much richer for attackers than is found in societies where software piracy is less pronounced. Because of the scale of the issue, this seems like a valid nation-specific risk — one that might add some context to some individuals’ urges to enforce China-specific data communications controls.

Again, there is no perfect approach to identifying security controls at the right grain. Story-telling about risks works best with real and relevant fact-sets. This little article may help flesh out one facet of the risks associated with more-open, rather than more segmented data communications networks.

REFERENCES:
“China, Addicted to Bootleg Software, Reels From Ransomware Attack.”
https://mobile.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html