Monthly Archives: August 2014

Breaches Happen: Call to Action

I loaded up Twitter this morning and was bombarded with even more reports of companies getting breached. Latest on the radar include the likes of JPMorgan Chase and some Dairy Queen locations. I won’t even attempt to guess at the number of breaches that have occurred already this year, but at what point do companies sit down and decide to look at their own network and systems?

I am not talking about reaching out to a company to perform a penetration test, or even a risk audit. I am thinking about looking at your actual systems for any signs of compromise like what we are seeing in all of these breaches. Let’s just assume that everyone is breached: what would you as a company do? You have an incident response plan, right? Disaster recovery is in place? If any of the above don’t sound familiar, you are already late to the game.

If you are a retailer or have any type of POS system, take a moment and check your systems. There is known malware that may just be sitting on there without your knowledge. You have to go looking for this, rather than just waiting on the Feds to let you know that you have a problem.

If you are a franchise, I recommend you look at your policies for franchisees regarding security. Do you have a way to check how they are doing in regards to security? While a breach may occur at an individual location, it is YOUR brand name that will be pasted all over the news. It is debatable whether or not any news is good news, so I don’t recommend taunting that bear.

As an industry we put so much effort into defending our systems, which will always be needed. However, we also have to focus on the ability to determine if something has successfully gotten through those defenses. Ordering another penetration test will help identify where the gaps are, but it will most likely not identify that someone has already exploited them.

I know, I know, we are short on cyber security professionals and we just don’t have the manpower. That is no excuse for not properly utilizing the resources that you have. You don’t have to be a cyber security professional to understand networking and computer systems, or to monitor network traffic looking for anomalies. Network admins and analysts should know what normal traffic looks like and what a normal installation looks like. Changes in that information should spark some interest. We can’t just wait for the network to tell us… we have to start thinking about going and searching for these differences.

We also need to get better at sharing the details of what happened in one breach so the rest of the industry can learn from it. If you are hit by some unknown malware, what are the signs and signatures of it? How did you identify it, so the rest of us can go look? We have so many “researchers” testing sites for things like XSS and SQL Injection; let’s get some of them researching how the malware can be identified and creating tools to help sniff it out and eradicate it before it affects millions of sites. Crowdsourcing is working great to find things like XSS, why not use it to help snuff out bugs quickly?

We need to start digging deep into how we approach security and come up with better ways to protect systems. We need to focus on the ability to identify breaches more quickly. We need to analyze those breaches to get tools available to quickly block the attack methods. Let’s start working together to make a difference.

1.2 Billion Passwords… Password Best Practices Again

There is a lot of talk about the recent discovery of what appears to be about 1.2 billion usernames and passwords stolen. I haven’t seen the list, so I can’t confirm that, but let’s assume it is accurate. Is this something we should be panicking about?

The first question is how many unique people this actually affects. The chances that it affects 1.2 billion people seem pretty slim. I haven’t seen any statistics generated, but we have to assume that people connected to the internet have more than one user account. The reports say the credentials were pilfered from more than 450,000 sites. Of course that information is not being released, and we don’t need it to protect ourselves.

Practice Good Password Practices

With all the recent breach coverage we can’t help but continue preaching good password practices. You may ask if it really matters with all the breaches that occur, or what control you really have. It is not like these passwords are stolen from you; the application that stores them is usually the culprit.

As those that create and rely on passwords, we do want to help take care of them as best we can. I can’t control what the developer is doing to protect the password on their end, so I have to assume the worst and do the best I can on my end. At some point, I think we will start to see people actually stop using applications that are not proactively protecting our data, but to do that we need applications that are transparent and show us they are doing things right to gain our business.

Choosing Strong Passwords
We should start off by choosing strong passwords. Unfortunately, a lot of critical applications still don’t support strong enough passwords, but if you can, try to have at least 15 characters in the password. When it comes to password strength, it is the length that has the greatest effect. Remember, it is rare that someone is trying to guess your password; rather, they are running software tools to crack large swaths of passwords. I prefer to use pass phrases or sentences to create my password. This makes it easier to remember and more difficult to crack.

Changing Passwords Regularly
Changing your password to critical systems regularly can help avoid your password being stolen by malicious users. Many corporate systems require password changes every 45-90 days for end users. You should follow that guideline too for personal applications, especially the ones that focus on financial artifacts (such as your bank accounts). Let’s hope that a company that has been breached and lost passwords isn’t losing them day after day. We hope it was a one or two time thing. Changing our passwords regularly increases the chance that the breached data is no longer valid by the time it gets used.

Don’t Reuse Passwords
It is recommended to not use the same password on multiple sites. I understand that this is a pain point because it is difficult to remember that many passwords. Try a password manager, a piece of software to store all your passwords securely, to help solve that problem. The issue with re-using passwords is that many sites allow you to use the same username, or just your email address as the user name. Once your data has been stolen from one application, an attacker may try that password on another site where you use those same credentials. This also includes not using similar passwords. Using passwords like Summer2014 and Fall2014 is not a good idea because, if these are identified, it is simple to figure out the pattern and guess the next password in line. This is critical if you do change your password regularly and an older password got breached.

2 Factor Authentication
If a site offers 2-factor authentication, enable it. Two factor authentication means that the site will prompt you for your username and password and then a secondary piece of information. For example, my bank will send me a token via email that I have to enter. This token is different every time I log in. Many sites are starting to support tools like Google Authenticator, which is an app that runs on your mobile device and provides that 2nd piece of authentication. If you are using sites that do not support 2-factor authentication, write to them and request it. Remember, they are storing your data; you want it protected.

Validate the Hype

When news like this breaks, we often have a tendency to overreact, thinking that it is the end of the world. Credentials got stolen, we are not disputing that, but let’s step back and think about what that means. Keep in mind that in this announcement, applications or companies were not named. At this point, it is possible the credentials are for meaningless sites that are not that big of a deal. Due to the nature of the accounts being used to send spam I am guessing many are probably email accounts, but that is just a guess. What has happened in the past can’t really be changed. We change our passwords, we monitor our accounts (like we should be anyway) and we continue reaping the benefits that these applications provide us.

Stay safe, and keep your eyes open.

Danger of USB Devices

There has been lots of news recently regarding a flaw in USB devices that could lead to an unwanted attack. USB stands for Universal Serial Bus and is often associated with thumb drives used to store data. There are many other uses for USB devices, such as your mouse and keyboard. There are even monitors that connect via USB.

Each USB device has a microchip that contains instructions on how it will work. In addition, USB devices are separated into different classes; for example Human Input Devices (HID) for keyboards and mass storage devices like thumb drives. The computer looks at this classification to determine how to handle the device.

From a visual perspective, it is not possible to determine how a USB device will be treated because it is the firmware on the device that contains this information. A good example we have used for years is the teensy device, or rubber ducky. This device looks like a regular thumb drive, but when plugged in, acts like a HID (keyboard).

The concern here is that in an enterprise, there are often controls that block mass storage devices from loading onto the end user computers. There are multiple reasons to block these devices. First, the company is trying to stop a malicious user from stealing a bunch of data using a tiny thumb drive. Remember the movie “The Recruit” where they stole info using a thumb drive? Another reason these devices are blocked is that they could contain malicious software (malware). Block the device, block the malware.

The concern we often see with these controls is that it is difficult to block human input devices because we need a keyboard and a mouse. The idea of the rubber ducky is that an attacker can program a sequence of keystrokes onto the device, and when it is plugged in it will execute those keystrokes. This technique allows attackers to bypass many controls and possibly gain unauthorized access to the system.

One can disassemble a rubber ducky and see the SD card, which shows it is not a real thumb drive. The issue with this recent news is that regular thumb drives could be recoded to work as a HID without your knowledge. We haven’t seen many details of how to pull this off remotely, however we should be cautious anytime we plug a device into our system.
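Since the device's look tells you nothing, the host's own enumeration log is where a defender can see what a USB device really claimed to be. As an added example (not from the original post), this script parses Linux kernel log lines and flags any device that enumerated as both mass storage and a HID keyboard, the combination a thumb drive that is secretly a keyboard would produce. The log lines, vendor/product IDs and product names are constructed for the example.

```python
import re

# Constructed kernel log excerpt (not captured from a real host). Device 1-1 calls
# itself a flash drive but also registers a keyboard interface; 1-2 is a plain keyboard.
SAMPLE_DMESG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb 1-1: Product: Example Flash Drive
usb 1-1: Manufacturer: ExampleCorp
usb-storage 1-1:1.0: USB Mass Storage device detected
input: ExampleCorp Example Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0005/input/input12
hid-generic 0003:1234:5678.0005: input,hidraw0: USB HID v1.11 Keyboard [ExampleCorp Example Flash Drive] on usb-0000:00:14.0-1/input1
usb 1-2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 2.00
usb 1-2: Product: Example Keyboard
hid-generic 0003:1234:0001.0006: input,hidraw1: USB HID v1.10 Keyboard [Example Keyboard] on usb-0000:00:14.0-2/input0
"""

NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"^usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"^hid-generic 0003:(\w{4}):(\w{4})\.\w+: .*USB HID v\S+ Keyboard")


def parse_usb_events(log_text: str) -> dict:
    """Build one record per attached device, keyed by its bus-port path (e.g. '1-1').
    usb-storage lines carry the path; hid lines only carry vendor:product, so we
    map those IDs back to the path recorded when the device was first enumerated."""
    devs, path_by_ids = {}, {}
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            path, vid, pid = m.groups()
            devs[path] = {"ids": f"{vid}:{pid}", "product": "?", "classes": set()}
            path_by_ids[(vid, pid)] = path
        elif (m := PRODUCT.match(line)) and m.group(1) in devs:
            devs[m.group(1)]["product"] = m.group(2)
        elif (m := STORAGE.match(line)) and m.group(1) in devs:
            devs[m.group(1)]["classes"].add("mass-storage")
        elif m := HID_KBD.match(line):
            path = path_by_ids.get((m.group(1), m.group(2)))
            if path:
                devs[path]["classes"].add("hid-keyboard")
    return devs


def suspicious_devices(devs: dict) -> list:
    """A single device that is both a disk and a keyboard is the rubber-ducky shape;
    return its paths so an analyst can pull the device and review what was typed."""
    return sorted(p for p, d in devs.items() if {"mass-storage", "hid-keyboard"} <= d["classes"])


if __name__ == "__main__":
    devices = parse_usb_events(SAMPLE_DMESG)
    for path in suspicious_devices(devices):
        d = devices[path]
        print(f"REVIEW {path} {d['ids']} '{d['product']}': {sorted(d['classes'])}")
```

On a real host the same parser can be pointed at `journalctl -k` output; the keyboard-only device 1-2 is not flagged, because blocking every new keyboard is exactly the control the post says is hard to apply.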

I will not stop using USB devices anytime soon. Diligence and user awareness are important here.