Oval Office Credential Theft is a Warning to All

October 13, 2018

IT architects cry foul about what they perceive as authentication fatigue…  “Security makes users login too many times and this must stop!”
It seems like investments attempting to reduce the number redundant workforce authentications are not often justified using the language of risk management. If they were, we might find identity technology evolving in new ways.

In a recent oval office press event, Kanye West inadvertently exposed his iPhone passcode to a crowd of news cameras. As a result, earth knows his six-digit passcode is an unbroken series of zeros “000000.” …not something too business-relevant, except that it is an example of a class of credential leakage that is already an issue for global financial services enterprises.

With increasing frequency, our increasingly mobile workforce enters passwords in the presence of live cameras. We should not assume that all the resulting recordings are secured in ways that match our obligation to keep business user name/password pairs confidential. Because credentials can be relatively easily monetized, a percentage of these recorded credentials are and will be used in unauthorized ways. The only variables are which credentials, at what time(s), and by whom.

We should assume that this scenario will become increasingly common for all workforce roles who are mobile-enabled.

Do you support your database, server, identity directory, or cloud admins, your financial officers, your investment or human resource professionals, your legal council, any other roles with elevated rights to work where they choose? If yes, tick your risk-pool meter up again. Assign someone to investigate and report on how vulnerable your organization is to unauthorized credential re-use. Large, global financial services enterprises have complex attack surfaces for this use case. For most, this analysis will not be easy, and will likely not result in a happy story.

Maybe authenticating less often is a part of addressing this risk.  I don’t know.  For some, multi-factor authentication plays a key role in resisting credential theft and reuse.  Some types of multi-factor authentication can resist some types of credential attacks. But “some” should not be a comforting qualifier. Working out the right mix of identity verification is going to require creativity, rigor, and serious risk management analysis — adult, professional, investigation and analysis.

Get started.

REFERENCES:

“The Cybersecurity 202: Kanye West is going to make password security great again.”
By Derek Hawkins, October 12, 2018
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/12/the-cybersecurity-202-kanye-west-is-going-to-make-password-security-great-again/

Advertisements

Another Reason to Disbelieve The Apple Security Story

September 2, 2014

Some subset of any Financial Services organization’s workforce has BYOD fever.  For many in our business, that fever has infected one or more senior leaders who cannot be ignored.  In Financial Services, we are collectively responsible for protecting $trillions of other people’s assets.

Most of the BYOD fever seems to be associated with new mobile devices.  From what I can observe, many Financial Services organizations are emphasizing their attraction to Apple iPads over Android or other alternatives.  That behavior seems out of phase with our due diligence obligations.

Apple has invested what must be a tremendous amount of resource and effort in building an image that incorporates something like “trust me, but I will not respond to your requests for transparency…”  For some reason, that seems to work.  This is in spite of regular patching of vulnerabilities that could have been discovered at architectural analysis, design, coding, static code security analysis, QA or penetration testing.  Apparently those activities do not incorporate effective secure software practices.

The latest example of Apple’s approach to software security made the news over the last weekend.  A vulnerability in iCloud enabled a trivial attack to discover the passwords of a number of targeted individuals.  Those passwords were then used to steal those user’s iCloud “protected” personal files.  Apple did not enforce a “max attempts” threshold for failed attempts to login to iCloud, which permitted attackers to pound away at the URL https://fmipmobile.icloud.com/fmipservice/device/$apple_id/initClient with basic auth attempts using scripts or malware that identified itself as ‘User-Agent’: ‘FindMyiPhone/376 CFNetwork/672.0.8 Darwin/14.0.0’.   An easy-to-understand proof-of-concept application is available on github.

Remember, in Financial Services, implementing some type of failed-login governor has been standard practice since we have been using the Internet for business.  Our constituents expect some type of “n-failed-login-attempts-and-you-are-locked-out.”  They may not consciously think through a detailed rationale, it is just a small but essential part of exhibiting a threshold level of Financial Services due diligence.  I assume that one possible root cause was that Apple engineers and architects must have reasoned that either nobody could format a basic auth HTTP POST with some json payload and sling it at their iCloud web service interface, or they believed that their closed ecosystem and black box approach to security implementations would keep their web service interface from being discovered.  Alternatively, they specified a max-failed-login-attempts feature into iCloud designs, but Apple management directed them to remove it based on non-technical rationale.  There could be other root causes of this vulnerability, but with the resources available to Apple, none seem in alignment with their “trust us” story-telling.  Their iCloud authentication implementation was just not fit for Financial Services workforce operating environments — while they have been arguing that “”iCloud is built with industry-standard security practices and employs strict policies to protect your data.”

Brute forcing passwords is a proven, decades-old practice that is highly effective unless resisted (because people, in large numbers, behave so predictably).  Financial Services-grade businesses understand this and implement and enforce policies that generally resist bald, brute force attacks.  It is a small, simple, basic, and essential characteristic of any Internet-ready system hosting non-public resources.  The fact that Apple implemented an Internet-facing authentication interface without resistance to brute force password attack, then failed to implement defense in depth (i.e., instrument the environment with effective IDS/IPS, identity fraud detection, and more) demonstrates — again — their unfitness for the Financial Services workforce environment.

Update 09-03-2014:

Could it be that Apple considers hackappcom’s proof of concept application and demonstrations of its use just another side-show?  They reacted to news about the celebrity data theft using what I read as legalistic and deflecting language:

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems,” Nat Kerris, a company spokeswoman, said in a statement. “We are continuing to work with law enforcement to help identify the criminals involved.”

Update 09-06-2014:

Apple, via CEO Tim Cook continued the Apple ecosystem and its technology are safe theme, blaming users for the recent iCloud vulnerabilities and their exploit, saying in a WSJ interview that Apple would ratchet up user awareness communications about stronger and safer passwords, and apparently will not be investing in more effective engineering:

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Mr. Cook also said that Apple would would begin sending users email messages and push notifications when certain AppleID events occur or when a user’s account data lands on a new device.

After a 40-hour investigation “concluded that there was no breach of its data servers. The company has said it discovered a number of celebrity accounts were compromised by targeted attacks…”

Sure.  Not ready for Financial Services.

 

REFERENCES:

“Hacker leaks dozens of nude celebrity pics in alleged iCloud hack.”
By Cody Lee, Aug 31, 2014
http://www.idownloadblog.com/2014/08/31/icloud-celeb-nude-pics-hack/

“Apple reportedly patches Find My iPhone vulnerability to hack Apple ID accounts.” By Christian Zibreg, Sep 1, 2014
http://www.idownloadblog.com/2014/09/01/icloud-hacking-patched-find-my-iphone/

“ibrute.” By hackappcom
https://github.com/hackappcom/ibrute

“Apple patches ‘Find My iPhone’ exploit.” By Adrian Kingsley-Hughes, Sep 1, 2014
http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/

“iCloud: iCloud security and privacy overview.”
http://support.apple.com/kb/HT4865

“iCloud Keychain.”
http://www.slideshare.net/alexeytroshichev/icloud-keychain-38565363

“Privacy Collides With the Wild Web.” By Mike Isaac, Sep 2, 2014
http://mobile.nytimes.com/2014/09/03/technology/trove-of-nude-photos-sparks-debate-over-online-behavior.html?_r=0 (downloaded Wed 09/03/2014 5:46 AM)

“Apple Says It Will Add New iCloud Security Measures After Celebrity Hack.” By Brian X. Chen, Sep 4, 2014 http://mobile.nytimes.com/blogs/bits/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/

“Tim Cook Says Apple to Add Security Alerts for iCloud Users — Apple CEO Denies a Lax Attitude Toward Security Allowed Hackers to Post Nude Photos of Celebrities.” By Daisuke Wakabayashi, Sep 5, 2014 http://online.wsj.com/news/article_email/tim-cook-says-apple-to-add-security-alerts-for-icloud-users-1409880977-lMyQjAxMTA0MDAwNDEwNDQyWj

“Apple Media Advisory: Update to Celebrity Photo Investigation.” http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html (downloaded Sat 09/06/2014 5:56 PM)


Another BYOD Security Challenge – User-Managed Remote Access Software

August 16, 2014

In a recent Defcon presentation three researchers demonstrated that scanning the Internet — the entire Internet — is now a practical exercise.  That idea alone should force us all to re-frame our thinking about how we measure the effectiveness of our infrastructure’s defensive posture — but that is not a topic for this post.  As part of their work, the team demonstrated the scale of unauthenticated remote access set up on business and personal endpoints accessible from the Internet.  As families acquire more and more Internet endpoints, it appears that some in each household want to access or manage some of them remotely.  This might be as simple as accessing the “office Mac” from an tablet on the couch, or as crazy as unauthenticated remote access to that home office endpoint while traveling.  The use case doesn’t matter as much as the behavior itself.  If people are setting up unauthenticated remote access (or using default or ‘easily-guessable’ passwords) on the endpoints they also want to bring to work, we all have a problem…

Regardless of how ill-conceived, BYOD experiments, even formal BYOD programs seem to be a fever without a cure.  When a financial services workforce uses non-company endpoints we inherit all the risks associated with their all-too-often unprofessional and uninformed management practices.  Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software.  There are a number of popular approaches.  The Defcon presentation appears to have focused on VNC (virtual network computing), but there are other popular packages used to support convenient remote access – Wikipedia lists dozens.

We need to train our workforce that they need to limit their exposure (and the organization’s via BYOD) to the risks associated with remote access software. At the very highest level, they need to understand that for any endpoint used for financial services work:

  1. Don’t run software (whatever it is) that is not really needed
  2. If your really need it, learn how to manage it and configure it to deliver only the features you need — in the context of end user-managed BYOD environments, running software you don’t understand is not risk-reasonable in the context of performing financial services business (our regulators require and our customers and partners expect that we perform our business activities using risk management practices stronger than simple ‘hope’
  3. If you need remote access exercise the principle of least privilege
    1. Install and configure the software so that by default it is not turned on (if it is not running it will not support unintended remote access)
    2. Turn on your remote access software only when you need it, and then turn it off again as soon as is practical afterword
    3. Configure the remote access software to include a risk-reasonably short session timeout
    4. Permit only uniquely-authenticated users having a strong, unique, time-limited password
  4. Restrict remote access to your endpoint as much as possible
  5. Turn off all remote access you can get away with
  6. Use multiple layers of protection to implement defense in depth
    1. Run an endpoint firewall configured to reject all inbound communications attempts except those you explicitly authorize
    2. Don’t grant apps permissions that you don’t understand
    3. Don’t grant apps permissions that would enable access to business data or business communications
    4. Run one or more anti-malware packages
    5. Use security-centric web proxies
    6. Configure your browser(s) in their most paranoid settings
    7. Turn on your search engine’s ‘recommendation’ or anti-hostility service
    8. If your operating system supports it, perform your work in the absence of administrative rights (don’t make yourself equivalent to root or the local administrator)

In addition to end user education, and before permitting even the most limited BYOD experiment, financial services enterprises should have their infrastructure configured to resist the use of virtually all known remote access software on those non-company devices.  The port-blocking and protocol recognition will not be perfect, but it will stop the unauthorized use of the most casual installations.  As a result, we also need to have our SIEM infrastructure configured to alert and then staff to deal with those alerts.  In addition, and using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can block BYOD remote access attempts (at least in some scenarios).

All of the security measures required to deal with BYOD fever will add expense that needs to be introduced into the BYOD economic equation.  All of the new risks also need to be introduced into the overall enterprise risk management pool.  The impacts will be different for various organizations.  For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefits that could possibly be delivered in a financial services enterprise environment. 

REFERENCES:

“Thousands of computers open to eavesdropping and hijacking.” By Lisa Vaas on August 15, 2014, http://nakedsecurity.sophos.com/2014/08/15/thousands-of-computers-open-to-eavesdropping-and-hijacking/

“Mass Scanning the Internet: Tips, Tricks, Results.” By Robert Graham, Paul McMillan, & Dan Tentler, https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham 

“Comparison of remote desktop software.” From Wikipedia, http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software

“Principle of Least Privilege.” From Wikipedia, http://en.wikipedia.org/wiki/Principle_of_least_privilege

“Defense in depth.” From Wikipedia,
http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29



%d bloggers like this: