Incident Response to Data Breaches and Schrodinger’s Cat

March 19, 2013 Comments off

Untitled

Are sloppy security controls actually beneficial to a company during a breach?  This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.

A retail merchant, Genesco is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:

  • Whenever our server rebooted previously logged card numbers were removed.
  • Our server reboots. A lot. So often that no credit card numbers were ever in the log files.
  • We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.
  • We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.

This is the Schrodinger’s Cat of information security. In the lack of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as physics…or Incident Response. So poor security monitoring actually help companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.

But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.

Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.

Security Advisory: Bambuser Mobile Application

October 3, 2012 Comments off

Security Advisory: Bambuser Mobile Application

  • Advisory Title: Bambuser Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-002
  • External ID: CVE Pending
  • Date discovered: August 10, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Vendor fix is in place
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Bambuser (bambuser.com)
  • Affected product: Bambuser mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Vulnerable Version: 1.9.3 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Bambuser mobile application and reported the issue to Bambuser on August 10, 2012. Bambuser quickly responded, provided estimated timeline for the fix and notified Stratigos Security when the updated version was published. Stratigos Security has confirmed that this vulnerability has been fixed in the updated version.

The formal advisory is published here: Security Advisory STRAT-2012-002 Bambuser Mobile Application Information Disclosure Vulnerability

Security Advisory: Ustream Mobile Application

October 3, 2012 Comments off

Security Advisory: Ustream Mobile Application

  • Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-001
  • External ID: CVE Pending
  • Date discovered: August 6, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Reported to Vendor, not yet fixed
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Ustream (USTREAM.TV)
  • Affected product: Ustream mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012 Ustream had not yet fixed the issue, nor did they have a projected date for issuing a fix. Therefore, Stratigos Security has gone ahead and released details of this as yet unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, given the fact that some individuals using the application are doing so under conditions whereby the information disclosed could lead to their identification by repressive governments and bodily harm to them or their friends and family, we are releasing this information publically. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.

The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability

Infosec Management Tip: There Is No Absolutely Secure Action

August 30, 2012 Comments off

There Is No Absolutely Secure Action

It is impossible to say whether any given action is risky or not, when viewed in isolation. Everything we do has a potentially positive or negative consequence, depending on the context. In other words, adding a firewall to your network may reduce or increase risk – you can’t say without more information. But most people – and I can’t blame them for this – want things to be instant and easy. “Just tell me the right way to do something,” is the common sentiment. So if somebody comes along, for example a vendor or a consultant, and feeds that desire they’ll get a lot of attention. But there’s a lot more subtlety to security and risk reduction.

Fortunately a larger and larger group of people are realizing that there is no one right or wrong way to do things. Over the last couple of years there has been a backlash against so-called best practices. Best for whom: The security organization? The company’s budget? The vendors who talk most about them? And if I can’t actually put this guidance into practice without hundreds of hours of work then are the guidelines themselves even effective at helping me reduce risk?

And who comes up with this conventional wisdom anyway – is there a group that just sits around and thinks up the absolute best way to do things? Most of the so-called best practices are simply the thing that most people do, whether it works or not. To get a guideline that is a best practice for anyone and everyone, it has to be so watered down that it is meaningless. Then trying to actually implement it there are more ways to get it wrong than right.

To circle back to the original point, everything you do could be a double-edged sword. You’ve got to think smartly and make good decisions about what is right and wrong in your circumstance. For more on that train of thought, see the tip on Principles and Decision Making.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Principles Are More Important Than Tactics

August 27, 2012 Comments off

Principles Are More Important Than Tactics

Security doesn’t come from the specific things you do. It comes from an overall approach to doing everything. In that sense, the principles that underpin your decisions and actions matter more than the decisions and actions themselves. Those statements may seem inscrutable or contradictory so I owe you further explanation.

Process and procedure can never be made so that they will, in isolation, provide optimum security. Even for very well thought out, nearly comprehensive tactics unplanned events will always come up. You’ll have to make decisions when there’s no written plan and no precedent. When you’re making those decisions you need to weigh all the factors you can take into account and move forward based on your judgement. Your judgement here is a point-in-time reflection of your principles. If your principles fail you, so will your judgement and you’d have to get lucky for your decision to be the right one.

In most organizations, processes and procedures leave a lot of room for decision making. It’s not just the occasional judgement call that has to be made, these usually happen on a daily basis at most levels of the organization. So strong tactics but poor principles will compound over time and erode even the best security program.

Instead, focus on coming up with strong principles, and make sure everyone knows them. Clear communication, understanding and internalization is key to having principles, not just tactics. This way whenever any decision is made, there’s a good chance that the judgement behind it is sound. This also, by the way, will push decision-making down in the organization, freeing up management to tackle larger and more strategic issues and critical problems.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Business Is About Taking Risks

August 23, 2012 Comments off

Business is About Taking Risks

One of the fundamental things that drives our economy is risk-taking. That’s the natural inclination of the most successful business people I’ve met. There’s risk in both going in a new direction – what you might call “venture risk” – that separates the promising businesses from the failing.

Let’s look at an example to better illustrate the point. Suppose we have two otherwise identical chair makers, making identical chairs. One day they overhear someone mentioning that having a cup holder built into the chair would be a good thing. That’s never been done before, so there’s a risk in making something different. Now one maker takes a venture risk and builds his next line of chairs with a cup holder and it’s a hit, selling twice as many as before and even commanding a premium. The risk-averse chair maker sticks with the old design and sees a drop off in sales. The venture risk-seeking businessman wins. Enough of these successful venture risk decisions and he drives the other chair maker out of business.

(By the way, this is a principal criticism of  the labor theory of value popularized by Karl Marx and which underpins Socialism. Also for more on risk-averse behavior check out the awesome TED presentation where Laurie Santos shows our behavior can be just as irrational as Capuchin monkeys.)

But thinking back on the same situation, it’s possible to see that the risk-averse chair maker is also taking a risk. His risk is that failure to innovate will drive his company out of business. Now, his is actually what we would see traditionally as the safer bet. But expanding on the scenario just a little bit it’s possible to show that the status-quo is actually riskier. All you have to do is assume that some day a better chair will be created and put into production. This virtual certainty also virtually guarantees that the risk-averse chair maker will eventually go broke.

Most businesses today are a far cry from this idealized chair maker – even the chair making industry. But the vignette translates well to the highly risk-averse attitudes of many CISOs and other information security professionals today. They try to eliminate all security risk, but in doing so they virtually doom the enterprise to certain failure. That’s why they’re often perceived as ineffective. Instead, CISOs should help their companies make smart decisions and help protect against security, privacy and compliance threats when taking venture risks.

Hat tip to Andy Ellis, CISO of Akamai, whose keynote at Hack In The Box Amsterdam partially inspired this post. You’re a smart man, Andy.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Korea Telecom Breach First Under New Law

July 31, 2012 Comments off

It was recently announced that Korean hackers had breached Korea Telecom (KT) and sold personal information on 8.7 million individuals to telemarketers for nearly $900,000 (1 billion KRW). Both the two hackers, as well as seven telemarketers have been arrested and charged with crimes. But soon Korea Telecom may find themselves in court under a new Korean law.

The KT breach may have taken 7 months to execute, though it is not clear whether this indicates how long the attackers had access to KT networks. The breach was said to have been detected by internal security systems in mid-July. In a statement by Korea Telecom, they say that the information has been “returned” and that there should be no further damage; however the Korean Telecom Commission has said that they can’t be 100% certain of that. KT has not said whether the information leaked includes financial information such as credit card numbers or bank accounts, but given the extensive list of items that were leaked it is likely that this information was at least accessible to the attackers. The information the company admits was leaked includes the following.

The attackers, as well as buyers of the illegal information have been arrested. Based on early reports it appears that the attackers had help from an insider to bypass security systems and gain information on Korea Telecom’s internal systems. The attackers are reported to have claimed they attacked KT because KT has the highest profits, though it’s not clear whether there was a political motivation as well as financial for the attacks.

Korea has experienced many high profile breaches over the last 5 years. Most Koreans have likely been affected by many of these personal information compromises. All told, the number of records breached exceed the number of citizens of the country by a wide margin. What’s unclear is whether the actual number and severity of breaches has increased or whether they’ve gotten more attention. But the rate of breaches seems to have increased. Here is a brief list of several high profile breaches since 2008:

Legal remedies for individuals harmed have been tough to come by. A court case against Auction Korea, for example, was unsuccessful because judge decided that the plaintiffs had failed to demonstrate causality. That is, they couldn’t show that the defendant had caused the breach, nor could they show that poor security was chiefly responsible for it. Therefore Auction Korea was not deemed liable for the associated damages. At the time it was not possible to sue for negligence under Korean law.

The Korea Telecom breach is the first one since the Personal Information Protection Act (PIPA) came into effect in 2012 in Korea. (Note that this is not related to the US Protect IP Act.) The Korean PIPA law is described as a “comprehensive personal data protection law,” which restricts collection of personal information and specifies handling precautions must be in place to prevent breaches. And in a reversal of the provision that has prevented successful legal actions, PIPA allows the plaintiffs to sue for negligence. This tactic puts the burden of proof on the company that suffered the breach to demonstrate that their measures were compliant with PIPA.

If a case is brought against Korea Telecom under PIPA, the result will set a precedent in the Korean legal system. But that case may not be hard to prove. A Korean lawyer is quoted as saying “As the results of the investigation haven’t been announced, it is hard to make a provisional conclusion. But that fact that the criminals who leaked KT personal information prepared their hacking program for 7 months and it was hardly detectable as they leaked samll amount of information. For now, there still a possiblility that KT can claim that they upheld their duty of technical protective action well.”

Privacy rights proponents should carefully weigh the benefits of taking this case to court. On the one hand, they should seek justice on the part of the wronged and consequences on the part of the breached. On the other, if they fail to make a strong case the precedent set may set privacy rights back. Either way, this will be a case to look for if it appears on the dockett.

DISCLAIMER: Stratigos Security is not offering a legal opinion, nor has this article been written by a lawyer. Although we did use the services of a Korean translator for much of the research and fact checking, there may still be errors due to the language barrier. We ask that you take our words with a grain of salt and independently verify important facts. That’s just good journalistic practice. We did the best we could, but you shouldn’t believe it just because it’s on the Internet. That’s just plain common sense.