Posts Tagged ‘Security’

Can you be too secure?

July 31, 2014

When I hear someone say “you can never be too secure,” I assume they don’t understand the implications of that statement. Perfect security can be seen as the absence of risk. This sounds like a tradeoff most people would want. But that’s not always the case. In fact, in most businesses it’s the opposite of what you really want.

Risk is at the heart of the capitalist system. Without risk there is no room for profit except through exploitation and collusion. So businesses must take risks. If there were no risk, competitors could easily enter the market and disrupt the industry.

So risk is necessary; risk is good. There is value in risk just as there is in security. Understanding and undertaking smart risks allows you to balance concerns with ambitions. Balance gives health; imbalance can lead to total collapse.

Incident Response to Data Breaches and Schrodinger’s Cat

March 19, 2013

Are sloppy security controls actually beneficial to a company during a breach? This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.

A retail merchant, Genesco, is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:

  • Whenever our server rebooted, previously logged card numbers were removed.
  • Our server reboots. A lot. So often that no credit card numbers were ever in the log files.
  • We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.
  • We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.

This is the Schrodinger’s Cat of information security. In the absence of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as physics…or Incident Response. So poor security monitoring actually helps companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.

But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.

Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.

Security Advisory: Bambuser Mobile Application

October 3, 2012

  • Advisory Title: Bambuser Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-002
  • External ID: CVE Pending
  • Date discovered: August 10, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Vendor fix is in place
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Bambuser (bambuser.com)
  • Affected product: Bambuser mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Vulnerable Version: 1.9.3 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Bambuser mobile application and reported the issue to Bambuser on August 10, 2012. Bambuser quickly responded, provided an estimated timeline for the fix and notified Stratigos Security when the updated version was published. Stratigos Security has confirmed that this vulnerability has been fixed in the updated version.

The formal advisory is published here: Security Advisory STRAT-2012-002 Bambuser Mobile Application Information Disclosure Vulnerability

Security Advisory: Ustream Mobile Application

October 3, 2012

  • Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-001
  • External ID: CVE Pending
  • Date discovered: August 6, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Reported to Vendor, not yet fixed
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Ustream (USTREAM.TV)
  • Affected product: Ustream mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012, Ustream had not yet fixed the issue, nor did they have a projected date for issuing a fix. Therefore, Stratigos Security has gone ahead and released details of this as-yet-unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, given the fact that some individuals using the application are doing so under conditions whereby the information disclosed could lead to their identification by repressive governments and bodily harm to them or their friends and family, we are releasing this information publicly. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.

The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability

Infosec Management Tip: Principles Are More Important Than Tactics

August 27, 2012

Principles Are More Important Than Tactics

Security doesn’t come from the specific things you do. It comes from an overall approach to doing everything. In that sense, the principles that underpin your decisions and actions matter more than the decisions and actions themselves. Those statements may seem inscrutable or contradictory so I owe you further explanation.

Process and procedure can never be made so that they will, in isolation, provide optimum security. Even with very well thought out, nearly comprehensive tactics, unplanned events will always come up. You’ll have to make decisions when there’s no written plan and no precedent. When you’re making those decisions you need to weigh all the factors you can take into account and move forward based on your judgement. Your judgement here is a point-in-time reflection of your principles. If your principles fail you, so will your judgement, and you’d have to get lucky for your decision to be the right one.

In most organizations, processes and procedures leave a lot of room for decision making. It’s not just the occasional judgement call that has to be made; these usually happen on a daily basis at most levels of the organization. So strong tactics but poor principles will compound over time and erode even the best security program.

Instead, focus on coming up with strong principles, and make sure everyone knows them. Clear communication, understanding and internalization are key to having principles, not just tactics. This way whenever any decision is made, there’s a good chance that the judgement behind it is sound. This also, by the way, will push decision-making down in the organization, freeing up management to tackle larger and more strategic issues and critical problems.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Prioritize Based on the Business

July 23, 2012

Prioritize Based on the Business

A lot of data isn’t worth what we spend to protect it. What’s worth protecting and what’s just not? That’s not a decision IT and IT Security should be making. Instead, count on the business to help you prioritize. This goes along with our tip to cultivate understanding between the business and Infosec. Prioritize security controls that play into what the business needs and leave the others for later. (And document this decision for the auditors!)

Example: If you’re working for Coca-Cola and you say to your Chief Taste Magician (or whatever his title would be) that you want to help him protect the secret formula he probably won’t care. Anybody with access to a mass spectrometer and a basic understanding of how to read the printout can figure out the formula. But he is going to care about patenting the technology they’re developing to get the soda fountain mouth-feel into a plastic bottle. That’s his priority for the Taste Lab and it should be yours too.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Beware Security Fads

July 20, 2012

Tools are a Means, Not an End

One of the biggest shames of our industry right now is that “silver bullet” tools have such a hold on media and mind share. Organizations typically try to deploy the latest product in isolation, without understanding what’s causing the issues they’re seeing. But tools used this way are bound to fail, raid the corporate budget, tie up valuable resources and just obscure the symptoms of the problem for a while longer. Organizations can only fix what’s broken by understanding the problems clearly and developing a solution using proven methods that fix them. Only then should you start thinking about what tool fits into the solution.

Example: A lot of companies have asked about “tuning” their latest flashy box that’s not working right. But when you get talking to them, you find that the problem isn’t with the product; it’s somewhere else. Even if the product was at 100% efficiency, you still wouldn’t be able to solve the problem. One company had spent tens of millions of dollars on SIEM and other tools, but was using business school interns to run the SOC and didn’t have any plan for handling incidents! Another company had a DLP device that sat on the shelf for 2 years, and they hadn’t even clearly defined what data they cared about or where it should and shouldn’t be. Tuning in those situations would only be an expensive way of buying false assurance.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Cultivate Understanding

July 16, 2012

Cultivate Understanding

This is the opposite of running around trying to inform everybody of what you think is the biggest problem. It means getting with them to understand what their problems are, where their risk prioritization is, and then finding out where your concerns fit in there. Maybe they’re already aware of the threat and aren’t concerned; or maybe they have a way to mitigate it you hadn’t thought of; or maybe they need to listen, but don’t trust Infosec yet. By bringing the business into the Infosec decision making process, there’s more trust, more chance they’ll listen when you talk, more chance you’ll have the right answer for their needs, and usually that all means more budget, plus more willingness to go along with what you want!

Example: I know of a company that was going into China to open R&D centers. The CISO was trying to say “no we shouldn’t, it’s too risky because somebody could steal our IP.” But the business knew this – their strategy around it was to lean on other assets like brand reputation (which is actually fairly well protected in China) to protect against that. In other words, lost IP wouldn’t necessarily translate into lost revenue or profits. In another company the BOD wanted to have their updates and formal reports delivered to an iPad. The CISO worked with Finance to say yes, because securing the digital distribution cost less and worked better than securing the hard copies. IT and Security helped save money, reduce risk and got a high visibility win for the company.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with companies large and small. If you like what you read, come back for more!

Clever Hack Makes In-App Purchases Free

July 13, 2012

A Russian site today published a report that a simple and clever hack can allow Apple iOS in-app purchases to be made at no cost. The hack does not require the phone to be jailbroken.

To exploit the weakness in the in-app purchase, only two primary steps are required. First, an additional SSL certificate is installed on the device itself, which involves downloading the file and a couple of screen taps. The second and more difficult part requires control over the local network to create a custom DNS entry. (Stratigos Security researchers are looking at a way to simplify this.) When the iOS app then attempts to connect to Apple’s servers to make the purchase, the connection is redirected to a different server, which provides a fraudulent authorization that unlocks the in-game content. This poses a clear threat to Apple’s and game makers’ revenue.

But this could pose a risk to phone owners as well. If the app update mechanism or any other communication goes through this third-party server, it opens the possibility of introducing malicious code to the device. This is similar to other man-in-the-middle attacks facilitated by tools such as The Middler and Evilgrade. So device owners should consider these risks before carrying out these procedures.

At this time it is not yet possible to validate the Russian site’s story because the servers enabling it have been under heavy load, and at least one has apparently been taken down by the hosting provider following a legal request from Apple. However, Stratigos Security researchers are working to independently confirm the issue in our lab.

UPDATE: A post on 9-to-5 Mac all but confirms the ability to circumvent the iOS App Store for in-app purchases. Other potential security issues have not yet been confirmed.

UPDATE: Macworld reports that both username and password are sent in plaintext to the server. This means that the server, or any attacker who successfully executes a man-in-the-middle attack, can access the victim’s credentials. These credentials are not just valid at the iOS App Store, but typically across multiple Apple properties and usually many others, due to password reuse. Instead, Apple should be protecting credentials on the device and sending the hash to the servers.

Preventing Security Issues from Acquisitions

July 13, 2012

Yahoo Voices – a 2010 acquisition by the search company – was breached, and an attacker compromised 450,000 accounts, including email addresses and passwords. This is the latest in a series of similar breaches, affecting eHarmony, LinkedIn and last.fm. However, unlike these companies, Yahoo Voices was using poor security practices when storing the data at rest. How did this 2010 acquisition cause security problems for the Internet giant, and how can you avoid having the same thing happen?

Over the last month, several online companies have suffered account credential breaches. And these companies were chastised for practicing poor web application security, as well as poor data protection. In most of the previous cases, the passwords were stored encrypted, but in a way that most passwords could be deciphered within a matter of hours. Exceptionally strong passwords, such as those recommended by most security practitioners, however, remained relatively safe because the time to decipher them would be a matter of months. So people whose accounts were compromised have time to change them before any abuse can take place. In the case of Yahoo Voices, passwords were stored in plaintext, without any encryption. This means that even strong passwords have been compromised.

But the Yahoo Voices breach is interesting for a number of reasons. Analysis of the compromised accounts reveals that only 30% use Yahoo email addresses, and Yahoo reports that only 5% of the passwords for those corresponding email accounts are correct. This is a lower than expected number in both cases. In a Yahoo service, you’d expect to see nearly all accounts linked to Yahoo email addresses. And people don’t tend to change their personal email passwords very often, so you’d expect that the number of valid credentials would be much higher, as well. Yahoo themselves say the data is old. My guess is that the data is from pre-acquisition, was no longer used and may even have been somewhat corrupted.

That makes me wonder what pre- and post-acquisition assessments Yahoo did. Acquisitions can be a weak link in a security program for many reasons, even if the acquired company has an equivalent level of security. The Yahoo Voices problem could have been identified by talking to the developers, reading over policy documents and performing assessments on the company’s technical and data security. Any weaknesses would be identified and could be tracked until remediated.

So how could Yahoo have prevented this situation, and how can you avoid the same problem?

  • Use and enforce strong encryption practices for data at rest. Yahoo says this is their policy and that the Voices incident was an outlier. Always use strong password protection mechanisms, such as salted hashes, or better yet, use something like bcrypt.
  • Use good data retention and destruction practices. If this was old and unused data, it should have been purged. Old data should be cleaned up properly and quickly.
  • Practice good data security diligence before, during and after an acquisition. Most organizations are coming to realize that potential information security issues can affect the diligence process. And although these issues should rarely halt an acquisition, foreknowledge of them certainly helps set expectations for efforts to integrate new groups in a secure manner. That saves money and reduces risk, which is what the diligence process is all about.
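To make the first recommendation concrete, here is an added example (not code from the original post or from any of the companies it discusses) that puts the two weak storage styles the post describes, plaintext and a bare unsalted hash, beside a salted, deliberately slow form. Because bcrypt is not in the Python standard library, the hardened version uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in with the same salt-plus-work-factor idea; the record format and the sample password are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Weak storage as the post describes for Yahoo Voices: the record IS the password.
def store_plaintext(password: str) -> str:
    return password

# Weak storage along the lines of the earlier breaches: an unsalted, fast hash.
# Identical passwords yield identical records, so one precomputed table cracks them all.
def store_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened form: per-user random salt plus a slow key-derivation function.
# PBKDF2-HMAC-SHA256 stands in for bcrypt here so the example runs without extra packages.
ITERATIONS = 200_000  # work factor; raise it over time as hardware gets faster

def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and iteration count and compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record never verifies
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_record_for_same_password(store: Callable[[str], str], password: str) -> bool:
    """True when two users choosing the same password get identical stored records,
    which is exactly what lets an attacker crack a whole dump at once."""
    return store(password) == store(password)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plaintext identical:", same_record_for_same_password(store_plaintext, pw))  # True
    print("unsalted identical: ", same_record_for_same_password(store_unsalted, pw))   # True
    print("salted identical:   ", same_record_for_same_password(store_salted, pw))     # False
    rec = store_salted(pw)
    print("verify good:", verify_salted(pw, rec), "verify bad:", verify_salted("wrong", rec))
```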