Protect Your USB

September 19, 2016

Physical and logical PC controls still matter.

Just one more reason to resist the shared madness of “bring your own device” and/or “anywhere/anytime/any-endpoint” in global Financial Services.  We hold trillions of dollars for our customers (under the guise of a broad and evolving range of relationships)!  To add value to those relationships, we turn that money into units that are inter-business (and Internet) friendly to enable complex webs of financial transactions and services.  The concentration of “cash” and its transformation into bits results in an attractive target for hostile parties of many types.  How could endpoint anarchy ever be a risk-appropriate behavior for any but a microscopically few roles within our ranks?  It seems like something we should expect to fail the “reasonable person” test.

I was just catching up on some of my random reading and bumped into this demonstration of Windows credential stealing with just 15 seconds of access to a PC’s USB port.

15 seconds of social engineering is not that hard to pull off, so all you have left are serious controls administering the use of your USB ports, physically destroying your USB ports (yes, that is a serious option), along with multi-layer physical & logical security to the location of the PC at any given time.

Take a look at the video below along with the supporting paper.  Then voice your professional opinion and conscience wherever appropriate to resist elevated-risk endpoint behaviors.  And if your role permits, ensure that your Financial Services organization has the goals and resources to effectively deal with attacks like the ones enabled by this automated, USB-enabled assault.


15 Second Password Hack, Mr Robot Style
Supporting Paper


Recognize the Fact of Android Endpoints

April 20, 2016

The BYO hypesters that I am exposed to tend to trend strongly toward all things Apple.

Earlier today, a ranking security leader saw a slide highlighting the history of iOS and OS X vulnerabilities and snapped something about the market speaking through Apple’s sales dominance… as if Apple ‘owned’ our customer, prospect, and employee population.

This seems to happen a lot. I work for an overtly “global” financial services corporation. Leading technologists on staff promote Apple products as the solution to virtually any endpoint challenge (we currently do our business on tens of thousands of Windows endpoints running Windows applications…). The company that pays us is attempting to generate strategic expansion in Latin America and Asia…  We want and need to service people’s financial services needs where they are — meaning strong support for interactions via their mobile devices.  The mismatch is cringe-worthy.

How does this marketplace blind spot afflict so many people who otherwise are intelligent adults?  I really don’t know.  Maybe financial services professionals are becoming prisoners of their own cognitive traps?

MacRumors recently announced that “iOS and Android Capture Combined 98.4% Share of Smartphone Market.” The Apple portion of that global 2015 market share was 17.7% (down from 20.4% in 2014). Android-based mobile devices represented 80.7% of the 2015 market (up from 76.0% in 2014).

Year after year people around the world purchase more Android mobile devices than the competing Apple devices. In 2015 that amounted to more than 4.5 Android mobile devices purchased for every Apple iOS device sold.

Gartner (Feb 2016) reported:

Worldwide Smartphone Sales to End Users by OS in 4Q15 (in Thousands of Units)

              4Q15        4Q15          4Q14        4Q14
              Units Sold  Market Share  Units Sold  Market Share
Android       325,394     80.7%         279,057     76.0%
iOS            71,525     17.7%          74,831     20.4%
Windows         4,395      1.1%          10,424      2.8%
Blackberry        906      0.2%           1,733      0.5%
Others            887      0.2%           1,286      0.4%


Sure, the Android == ‘security hell’ meme has some good reasons for retaining its foothold in business culture. And sure, there are many more ‘ancient’ unpatched/underpatched Android devices compared to the iOS environment. There are attractive and repulsive characteristics of Android/iOS environments that we can argue about, but that avoids the fact that our employees, customers, and prospects buy and use more Android devices.  A lot more.  We will leave a lot of money on the table if we ignore that fact and build software & operations that are tightly-coupled with Apple mobile device products.

OK. I had to get that out of my system…


“iOS and Android Capture Combined 98.4% Share of Smartphone Market.”
By Joe Rossignol, Feb. 18, 2016

“iPhone lost market share to Android in every major market except one.”
Jim Edwards, Jan. 27, 2016

Another Demonstration of How Mobile Phones & their Supporting Networks are Vulnerable to Abuse

April 17, 2016

Some continue to hype “bring your own device” (sometimes just BYOD) as a near-term technology and business goal for global Financial Services enterprises.  At its most shrill, the argument hammers on the idea like ‘we all have a smart phone and it has become the center of our lives…‘  In this industry we are all responsible for protecting trillions of dollars of other people’s money as well as digital information about customers (individuals & companies), partners, and deals, all of which must remain highly secure, or the foundation of our business erodes.  That responsibility is wildly out of alignment with most BYOD realities.  In that context, this blog entry is an offering to help risk management teams educate their Financial Services organizations about some of the risks associated with using mobile phones for work activities.

Here is some content that may be useful in your security awareness campaign…

Financial Services executives’ “private” communications could be of high value to cyber criminals. So too could be your Finance staff, Help Desk, Reporting Admin, Database Admin, System Admin, and Network Admin communications. There are a lot of high value avenues into Financial Services organizations.

Under the title “Hacking Your Phone,” the 60 Minutes team has security professionals demonstrate the following in a 13 minute video:

  • Any attacker needs just their target’s phone number to track the whereabouts, the text traffic, and the details of phone conversations initiated or received by their prey. Turning off your “location status” or other GPS technology does not inhibit this attack. It depends upon features in the SS7 (Signalling System #7) network that have been overly permissive and vulnerable to abuse for decades. These SS7 vulnerabilities appear to remain after all this time because of nation-state pressures to support “lawful interception.”
    They demonstrate their assertion in an experiment with U.S. Representative Ted Lieu, a congressman from California.
  • Attackers can own all or some of your phone when you attach to a hostile WiFi. Never trust “public” or “convenience” (for example “hotel”) WiFi. Attackers present look-alike WiFi (sometimes called “spoofing”) and then use people’s weakness for “trustworthy” names to suck targets in.
    They demonstrate this approach by stealing a target’s mobile phone number, account ID, and all the credit cards associated with that account, along with their email.
  • Attackers use social engineering to get their software installed on targeted devices. One outcome is that they can also monitor all your activity via your mobile phone’s camera and microphone — without any indication from the mobile device screen or LEDs, and the attacker’s software does not show up via any user interface even if you tried to find it.
    They demonstrate this approach with the 60 Minutes interviewer’s device.

Remember, not everyone employed throughout Financial Services enterprises understands the risks associated with performing business activities via mobile devices.  Use materials like this video to augment your risk awareness program.

“Hacking Your Phone.” Aired on April 17, 2016

“SS7, Signalling System #7.”

“Lawful interception.”



Use care when describing how you do Financial Services security

March 3, 2016

Use care when describing how you do your Financial Services security.  This seems especially relevant as some in our industry attempt to drive down costs by extending their operations into low-cost consumer-heritage cloud services and onto other types of opaque Internet platforms of all kinds.  Consultants, pundits, analysts, and hucksters are all attempting to make a living by selling schemes that incorporate one or many of these options.  What they tend to omit are the impacts that their ideas may have on the truthfulness of your public and contractual security assurances.

The Consumer Financial Protection Bureau (CFPB) just fined Dwolla $100,000 U.S. for misleading users about the company’s data security practices.  In addition, Dwolla must report virtually all security-related activities to the CFPB and request permission for certain types of security changes for the next 5 years.  The CFPB also put the Dwolla Board of Directors on notice that they must demonstrate more intense and more regular involvement in and oversight of Dwolla security measures and their effectiveness.

The CFPB also required Dwolla to implement a long list of measures to improve the safety and security of its operations and the consumer information that is stored on, or transmitted through, its network(s). [see pages 12-13 for just the initial summary]

A key mandate seems to be that these security measures must evolve as Dwolla grows.  The CFPB wrote that Dwolla must protect the confidentiality, integrity, and availability of sensitive consumer information with “administrative, technical, and physical safeguards appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the personal information collected about consumers.”  So this is not a simple once-and-done mandate at all.

Dwolla operates an online payments-transfer network.

The CFPB said Dwolla misrepresented the security of its platform, which collects users’ personal information at account set up.  All Financial Services enterprises collect users’ personal information at account setup…

The CFPB wrote that Dwolla had failed to:

  • Adopt and implement data-security policies and procedures reasonable and appropriate for the organization;
  • Use appropriate measures to identify reasonably foreseeable security risks;
  • Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • Use encryption technologies to properly safeguard sensitive consumer information; and
  • Practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website, Dwollalabs. (Note: Under this heading, the CFPB also included ending the use of customer information in the non-production environment.)

Would your Financial Services organization hold up against a thorough review of these two areas of secure operations?

In response, Dwolla wrote:

Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.

In that blog entry, they go on to describe how they implement security today.  They use careful words to describe their current status and strategy.

Dwolla has been an optimistic, agile, cloud-friendly, fast-evolving financial services specialist company for years.  The CFPB fine is a signal that optimism and its close relative in some approaches to ‘risk management‘ — hope — are not going to be tolerated as effective protections for customer personal information.  I understand that we must always attempt to better serve our customers (real and prospective) and partners, but keep this reminder about how ‘security cannot only be words’ in mind as you explore wildly hyped technology options with enthusiasts who promote them.


Administrative Proceeding File No. 2016-CFPB-0007
In the Matter of: Dwolla, Inc. Consent Order


“We are Never Done.”

“Dwolla fined $100,000 for misleading data security claims.”
Federal agency orders D.M.-based financial technology firm to bolster security
Matthew Patane, The Des Moines Register, page 11A. 3/3/2016 (from the physical paper copy)

“CFPB Fines Fintech Firm Dwolla Over Data-Security Practices — Online-payment company agrees to improve how it protects customer data.”

Six Months of Cyber-Attacks Against the Financial Services Sector

June 24, 2015

For years, the finance industry has been under attack by groups of hostile parties.

The frequency and sophistication of targeted cyber-attacks is a top-tier risk for our industry.

A threat intelligence vendor, WebSense, recently released a short report outlining their analysis of the actions and attack patterns directed against organizations in the financial services sector. This type of information can be used to help enterprises more effectively protect customers’ data and assets (as well as — for some types — to market their products and services). The report identifies some key cyber threats and tactics targeting the financial sector, and briefly discusses their effectiveness along with the respective volumes of those attack techniques from January through May of this year.

This type of information may be viewed under the category of “forewarned is forearmed.” It can help organizations to construct more proactive resistance to attack, quicker incident detection, and faster responses.

We are enablers & users of global operations that flow trillions of dollars daily. That, along with the fact that we also host large volumes of personal and identity information, results in our being a continuous focus for hostile agents world-wide — agents who are motivated to constantly optimize their activities.

With the financial information and the sensitive personal information of millions of consumers under our care, we must continually strengthen our security practices — our technology, tools and talent — in order to maintain effective (good-enough) defensive and reactive capabilities.

A key message of the WebSense report is that there appears to be no single path to effectively combat threats and risks presented by cyber-security attacks. Comprehensive, edge-to-edge due diligence is still required.

“2015 Industry Drill-Down Report Financial Services” is worth a read, and contains a range of reusable facts & assertions.


“2015 Industry Drill-Down Report Financial Services.”
By Raytheon & WebSense, 06-23-2015.

Another BYOD Security Challenge – User-Managed Remote Access Software

August 16, 2014

In a recent Defcon presentation three researchers demonstrated that scanning the Internet — the entire Internet — is now a practical exercise.  That idea alone should force us all to re-frame our thinking about how we measure the effectiveness of our infrastructure’s defensive posture — but that is not a topic for this post.  As part of their work, the team demonstrated the scale of unauthenticated remote access set up on business and personal endpoints accessible from the Internet.  As families acquire more and more Internet endpoints, it appears that some in each household want to access or manage some of them remotely.  This might be as simple as accessing the “office Mac” from a tablet on the couch, or as crazy as unauthenticated remote access to that home office endpoint while traveling.  The use case doesn’t matter as much as the behavior itself.  If people are setting up unauthenticated remote access (or using default or ‘easily-guessable’ passwords) on the endpoints they also want to bring to work, we all have a problem…

Regardless of how ill-conceived, BYOD experiments, and even formal BYOD programs, seem to be a fever without a cure.  When a financial services workforce uses non-company endpoints we inherit all the risks associated with their all-too-often unprofessional and uninformed management practices.  Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software.  There are a number of popular approaches.  The Defcon presentation appears to have focused on VNC (virtual network computing), but there are other popular packages used to support convenient remote access – Wikipedia lists dozens.

We need to train our workforce to limit their exposure (and the organization’s, via BYOD) to the risks associated with remote access software. At the very highest level, they need to understand that for any endpoint used for financial services work:

  1. Don’t run software (whatever it is) that is not really needed
  2. If you really need it, learn how to manage it and configure it to deliver only the features you need — in the context of end user-managed BYOD environments, running software you don’t understand is not risk-reasonable in the context of performing financial services business (our regulators require, and our customers and partners expect, that we perform our business activities using risk management practices stronger than simple ‘hope’)
  3. If you need remote access exercise the principle of least privilege
    1. Install and configure the software so that by default it is not turned on (if it is not running it will not support unintended remote access)
    2. Turn on your remote access software only when you need it, and then turn it off again as soon as is practical afterward
    3. Configure the remote access software to include a risk-reasonably short session timeout
    4. Permit only uniquely-authenticated users having a strong, unique, time-limited password
  4. Restrict remote access to your endpoint as much as possible
  5. Turn off all remote access you can get away with
  6. Use multiple layers of protection to implement defense in depth
    1. Run an endpoint firewall configured to reject all inbound communications attempts except those you explicitly authorize
    2. Don’t grant apps permissions that you don’t understand
    3. Don’t grant apps permissions that would enable access to business data or business communications
    4. Run one or more anti-malware packages
    5. Use security-centric web proxies
    6. Configure your browser(s) in their most paranoid settings
    7. Turn on your search engine’s ‘recommendation’ or anti-hostility service
    8. If your operating system supports it, perform your work in the absence of administrative rights (don’t make yourself equivalent to root or the local administrator)

In addition to end user education, and before permitting even the most limited BYOD experiment, financial services enterprises should have their infrastructure configured to resist the use of virtually all known remote access software on those non-company devices.  The port-blocking and protocol recognition will not be perfect, but it will stop the unauthorized use of the most casual installations.  As a result, we also need to have our SIEM infrastructure configured to alert and then staff to deal with those alerts.  In addition, and using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can block BYOD remote access attempts (at least in some scenarios).
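The SIEM alerting described above, as an added example that is not part of the original post: it runs over a few constructed firewall log lines and flags connections on well-known remote-access ports that involve a BYOD address. The key=value log format, the BYOD address range (10.50.0.0/16) and the port-to-tool table are assumptions chosen for the example; VNC is the package the Defcon talk focused on, and the other ports are further default ports of the same class of software.

```python
"""Flag remote-access software traffic involving BYOD devices.

Added example, not from the original post. Assumes a simple key=value
firewall log format (constructed below) and a hypothetical BYOD address
range; in a real SIEM both come from your own log pipeline and NAC/DHCP
scoping.
"""
import ipaddress
import re
from collections import Counter

# Well-known default listening ports of common remote-access software.
# VNC is what the Defcon talk focused on; the rest are the same class.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5901: "VNC",
    5500: "VNC reverse connection",
    5938: "TeamViewer",
}

# Hypothetical BYOD address space for this example.
BYOD_NETS = [ipaddress.ip_network("10.50.0.0/16")]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


def is_byod(addr):
    """True when addr falls inside one of the BYOD ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostnames or garbage are not BYOD addresses
        return False
    return any(ip in net for net in BYOD_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_remote_access(lines):
    """Return one alert per TCP flow on a remote-access port that touches
    a BYOD host. Inbound to a BYOD host means the device is probably
    running a listener; outbound from it means the device is reaching
    out (for example to a relay service). Denied flows are kept too:
    an attempt is still worth an analyst's attention."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        tool = REMOTE_ACCESS_PORTS.get(rec["dport"])
        if tool is None:
            continue
        if is_byod(rec["dst"]):
            direction = "inbound-to-byod"
        elif is_byod(rec["src"]):
            direction = "outbound-from-byod"
        else:
            continue
        alerts.append({"tool": tool, "direction": direction,
                       "src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "action": rec["action"]})
    return alerts


def summarize(alerts):
    """Count alerts by (tool, direction) for a quick dashboard view."""
    return Counter((a["tool"], a["direction"]) for a in alerts)


# Constructed sample log: two flows should alert, the rest should not.
SAMPLE_LOG = [
    "src=203.0.113.7 dst=10.50.3.21 proto=tcp dport=5900 action=allow",
    "src=10.50.3.21 dst=198.51.100.9 proto=tcp dport=5938 action=allow",
    "src=10.50.4.8 dst=10.20.1.5 proto=tcp dport=443 action=allow",
    "src=203.0.113.7 dst=10.20.1.5 proto=tcp dport=3389 action=deny",
    "src=198.51.100.9 dst=10.50.3.21 proto=udp dport=5900 action=allow",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    found = find_remote_access(SAMPLE_LOG)
    for a in found:
        print(a)
    print(summarize(found))
```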

All of the security measures required to deal with BYOD fever will add expense that needs to be introduced into the BYOD economic equation.  All of the new risks also need to be introduced into the overall enterprise risk management pool.  The impacts will be different for various organizations.  For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefits that could possibly be delivered in a financial services enterprise environment. 


“Thousands of computers open to eavesdropping and hijacking.” By Lisa Vaas on August 15, 2014

“Mass Scanning the Internet: Tips, Tricks, Results.” By Robert Graham, Paul McMillan, & Dan Tentler

“Comparison of remote desktop software.” From Wikipedia

“Principle of Least Privilege.” From Wikipedia

“Defense in depth.” From Wikipedia

Does Government Owning Your iPhone Matter?

January 2, 2014

A recent burst of news about NSA access to individuals’ iPhones serves as a reminder that using modern mobile devices for some types of Financial Services business activities involves elevated risk.  Risk that is difficult to quantify.

Late last summer I wrote a little about the potential for NSA data gathering to influence Financial Services privacy and security promises. This reference to iPhone surveillance is a reminder that using consumer devices to perform material company business of any kind, or to perform many types of common operations using company non-public data, involves a certain amount of risk.  This should be factored into your ‘risk appetite’ discussions and planning — and this should occur at a number of levels throughout your Financial Services organizations.

Mass surveillance by U.S. intelligence organizations has been relatively-frequently documented in the last 7 years since Mark Klein, a retired AT&T communications technician, revealed that AT&T provided U.S. National Security Agency personnel with full access to its customers’ phone calls, and shunted its customers’ internet traffic to data-mining equipment installed in a San Francisco switching center since 2003.  The U.S. is not the only government engaged in mass surveillance.

“Shopping for Spy Gear: Catalog Advertises NSA Toolbox.” By Jacob Appelbaum, Judith Horchert and Christian Stöcker; 12-29-2013;

“…an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.”
“These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”

“How The NSA Hacks Your iPhone (Presenting DROPOUT JEEP).” By Tyler Durden; 12-30-2013;

“NSA Data Gathering Hits Financial Services Privacy & Security Promises.” September 8, 2013;

Historical References to U.S. Mass Surveillance:

“Whistle-Blower Outs NSA Spy Room.” By Ryan Singel; 04-07-2006;
And “Wiretap Whistle-Blower’s Account.” Statement By Mark Klein; 04-06-2006;

“NSA’s Domestic Spying Grows As Agency Sweeps Up Data — Terror Fight Blurs Line Over Domain; Tracking Email.” By Siobhan Gorman; 03-10-2008;

“The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.”
“According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns.”
“The Treasury, for instance, built its database “to look at all the world’s financial transactions” and gave the NSA access to it about 15 years ago, said a former NSA official. The data include domestic and international money flows between bank accounts and credit-card information, according to current and former intelligence officials.   The NSA receives from Treasury weekly batches of this data and adds it to a database at its headquarters. Prior to 9/11, the database was used to pursue specific leads, but afterward, the effort was expanded to hunt for suspicious patterns.”  The NSA also has access from the Treasury to financial transactions globally via their connection to the Society for Worldwide Interbank Financial Telecommunication, or Swift, the Belgium-based clearinghouse for records of international transactions between financial institutions.

“Government Is Tracking Verizon Customers’ Records.” By Siobhan Gorman And Jennifer Valentino-DeVries; 06-06-2013;

“Verizon is required to provide NSA with “all call detail records” of customers, including all local and long-distance calls within the U.S., as well as calls between the U.S. and overseas, according to a court order labeled “top secret” published Wednesday by the Guardian newspaper.”
“Mass Surveillance in America: A Timeline of Loosening Laws and Practices.” By Cora Currier, Justin Elliott and Theodoric Meyer; 06-07-2013;
“FAQ: What You Need to Know About the NSA’s Surveillance Programs.” By Jonathan Stray; 08-05-2013;

“U.S. Collects Vast Data Trove — NSA Monitoring Includes Three Major Phone Companies, as Well as Online Activity.” By Siobhan Gorman, Evan Perez and Janet Hook; 06-07-2013;

“The National Security Agency’s monitoring of Americans includes customer records from the three major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions, said people familiar with the agency’s activities.”
“Civil-liberties advocates slammed the NSA’s actions. “The most recent surveillance program is breathtaking. It shows absolutely no effort to narrow or tailor the surveillance of citizens,” said Jonathan Turley, a constitutional law expert at George Washington University.”
“The Washington Post and the Guardian reported earlier Thursday the existence of the previously undisclosed program, which was described as providing the NSA and FBI direct access to server systems operated by tech companies that include Google Inc., Apple Inc., Facebook Inc., Microsoft Corp.  The newspapers, citing what they said was an internal NSA document, said the agencies received the contents of emails, file transfers and live chats of the companies’ customers as part of their surveillance activities of foreigners whose activity online is routed through the U.S.”
“The arrangement with Verizon, AT&T and Sprint, the country’s three largest phone companies means, that every time the majority of Americans makes a call, NSA gets a record of the location, the number called, the time of the call and the length of the conversation, according to people familiar with the matter.”

“Gamma FinSpy Surveillance Servers in 25 Countries.” By Vernon Silver; 03-13-2013;

“Computers running U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, have been found in 25 countries, according to an updated global scan of the Internet that mapped the locations of servers that control infected machines.”

“U.S. Confirms That It Gathers Online Data Overseas.” By Charlie Savage, Edward Wyatt and Peter Baker; 06-06-2013;

“The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation’s largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night.”
“In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called “scripts,” then enable additional access to at least 38 iPhone features.”

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-07-2013;

“SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.”
“The material viewed by SPIEGEL suggests that the spying on smart phones has not been a mass phenomenon. It has been targeted, in some cases in an individually tailored manner…”

“iSpy: How the NSA Accesses Smartphone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-09-2013;

According to internal NSA documents from the Edward Snowden archive that SPIEGEL has been granted access to, “The US intelligence agency NSA has been taking advantage of the smartphone boom. It has developed the ability to hack into iPhones, android devices and even the BlackBerry, previously believed to be particularly secure.”
“A detailed NSA presentation titled, “Does your target have a smartphone?” shows how extensive the surveillance methods against users of Apple’s popular iPhone already are.”


Finally, if you are interested in an excellent recent 1-hour technical presentation on some of the technical surveillance aspects of this topic, see the talk by Jacob “@ioerror” Appelbaum at 30C3: the 30th Chaos Communication Congress (Hamburg, Germany, Dec 27-30, 2013).
