It is time to get more serious about protecting your email

Did you get a strange email last week from someone that you didn’t know, including one of your old passwords in the subject line? I did, and I heard many others were part of this criminal ransomware activity. Clearly, they were sent out with some kind of automated mailing list that made use of a huge list of hacked passwords. (You can check if your email has been leaked on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got ahold of their passwords. (BTW: you shouldn’t respond to this email, because then you become more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, it has been that way since its invention, and still is. All of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Now Koff suggests a lot of tools that you can use to become more secure. I am going to just give you four of them, listed from most to least importance.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing that you can do to protect yourself. It will make it easier to use stronger and unique passwords. I use LastPass.com, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others that I reviewed at that link here that are free for personal accounts.
  2. Create disposable email accounts for all your mailing lists. Koff suggests using 33mail.com, but there are many other services including Mailinator.com, temp-mail.org, and throwawaymail.com. They all work similarly. The hard part is unsubscribing from mailing lists with your current address, and adding the new disposable addresses.
  3. Even with a password manager, you need to make use of some additional authentication mechanism for your most sensitive logins. Use this for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. Protonmail.com is free for low-end accounts and very easy to use.

There is a lot more you can to make yourself more secure. Please take the time to do the above, before you get someone else trying to steal your money, your identity, or both.

Cyber Security Threat Actions This Week (podcast)

If your organization is not using the MITRE ATT&CK framework yet, it’s time to start. Katie Nickels from MITRE, Travis Farral from Anomali and I join host David Senf from Cyverity to talk about ATT&CK tactics, techniques and tools. You can listen to this 45-minute podcast here.  We discuss what ATT&CK is and isn’t, how it can be used to help defenders learn more about how exploits work and how to become better at protecting their enterprises, what some of the third-party tools (such as Mitre’s own Caldera shown here) that leverage ATT&CK and what are some of the common scenarios that this framework can be used for.

I did two stories for CSOonline about ATT&CK earlier this year:

 

Watch that keyboard!

We are using our mobile phones for more and more work-related tasks, and the bad guys know this and are getting sneakier about ways to compromise them. One way is to use a third-party keyboard that can be used to capture your keystrokes and send your login info to a criminal that then steals your accounts, your money, and your identity.

What are these third-party keyboards? You can get them for nearly everything – sending cute GIFs and emojis, AI-based text predictors, personalized suggestions, drawing and swiping instead of tapping and even to type in a variety of colored fonts. One of the most popular iOS apps from last year was Bitmoji, which allows you to create an avatar and adds an emoji-laden keyboard. Another popular Android app is Swiftkey. These apps have been downloaded by millions of users, and there are probably hundreds more that are available on the Play and iTunes stores.

Here is the thing. In order to install one of these keyboard apps, you have to grant it access to your phone. This seems like common sense, but sadly, this also grants the app access to pretty much everything you type, every piece of data on your phone, and every contact of yours too. Apple calls this full access, and they require these keyboards to ask explicitly for this permission after they are installed and before you use them for the first time. Many of us don’t read the fine print and just click yes and go about our merry way.

On Android phones, the permissions are a bit more granular, as you can see in this screenshot. This is actually just half of the overall permissions that are required.

An analysis of Bitmoji in particular can be found here, and it is illuminating.

Security analysts have known about this problem for quite some time. Back in July 2016, there was an accidental leak of data from millions of users of the ai.type third-party keyboard app. Analyst Lenny Zeltser looked at this leak and examined the privacy disclosures and configurations of several keyboard apps.

So what can you do? First, you probably shouldn’t use these apps, but trying telling that to your average millennial or teen. You can try banning the keyboards across your enterprise, which is what this 2015 post from Synopsys recommends. But many enterprises today no longer control what phones their users purchase or how they are configured.

You could try to educate your users and have them pay more attention to what permissions these apps require. We could try to get keyboard app developers to be more forthcoming about their requirements, and have some sort of trust or seal of approval for those that actually play by the rules and aren’t developing malware, which is what Zeltser suggests. But good luck with either strategy.

We could place our trust in Apple and Google to develop more protective mobile OSs. This is somewhat happening: Apple’s iOS will automatically switch back to the regular keyboard when it senses that you are typing in your user name or password or credit card data.

In the end though, users need to understand the implications of their actions, and particularly the security consequences of installing these keyboard replacement apps. The more paranoid and careful ones among you might want to forgo these apps entirely.

Practical ways towards more secure logins

Lately, numerous websites have adopted better security practices, supporting a wider variety of multiple factor authentication or MFA. I have been trying these out and for the most part they install relatively easily, although your mileage will vary. The idea is that you want something more than your username (often just your email address) and a password. No matter how complex your password, it can be circumvented by a determined hacker. And many of us (you know who you are) don’t use very complex passwords, or reuse them across various sites.

Let’s start first with the MFA tools that I want to use. First up is Google Authenticator. This is a smartphone app that generates a one-time PIN. You get to the dialog box on your website and enter the PIN and you can complete your login. Google Authenticator is dirt simple to setup: you scan a QR code that is displayed on your screen and it then shows you an entry for your website. The PIN changes every minute, so it is a lot harder to spoof than a code that is sent to your phone via text messaging.

The other tool is the Yubikey, a USB device that supports the FIDO standards from Yubico. There is a small button on the device that you press, and that sends the appropriate code to your website at the appropriate time to complete your login. They are inexpensive and now support a wide variety of website logins. Again, setup is fairly straightforward, and I just leave my key in my desktop’s USB port so I don’t have to worry about losing it.

If you use both methods (and you should, why not), this will prevent someone else from trying to login to your account, even if they know your password. Once you have completed a successful login on one device, you aren’t prompted again for the extra security.

Twitter announced this past week that they support the Yubikey, which adds to their existing support of Google Authenticator and other authenticator apps. Here are the instructions for setting it up. The interface for doing this can be found starting with this menu, under the Security heading. It isn’t all that verbose an interface, but you can choose which of the three methods (text, Yubico key, and mobile app) or all of them to use for the additional security.

Next up is my WordPress blog. If you host your blog on WordPress.org, they have long supported various MFA methods, including Google Authenticator, Authy, Duo and others. If you use WordFence Premium, you can also get the MFA protection. Speaking of WordFence, you really should use it (at least the basic version): it will tell you who is trying to break into your blog and last week I got several thousand attempts, which I think was a new record for me.

So I was more motivated to start having better protection for my login there. Since I use the basic WordFence, I looked around and found miniOrange, another plug-in that supports WordPress as well as Magento, Drupal and Joomla CMS. It works with Google Authenticator as well as its own QR code reader and soft token apps. I used the free version, but if you pay extra for a miniOrange account, you can support more than a single user as well as get additional MFA methods, including Yubikey. There are several other MFA plug-ins for WordPress, but I didn’t try them.

While I was doing these installations, my bitcoin wallet app notified me that they were requiring everyone to add MFA to their logins soon, otherwise I wouldn’t be able to transfer any funds in or out of my account. That is a smart decision, especially given the number of recent exploits in this market space. So I got Google Authenticator working on that as well.

Finally, a few weeks ago I was getting all sorts of notifications that someone was trying to login to my Facebook account, so I wanted to add both Google Authenticator and Yubikey to that login. I ran into problems: when I wanted to add the Authenticator app, Facebook turns on “Allow logins without a code for one week.” You can’t then turn this off without disabling my Authenticator app.  I am not sure this is a good idea, but when I went back to check on it for this post I couldn’t find the setting. Your dialog box when done will look like this.

As you can see, this is still not completely ready for your mom’s logins. (At least, it isn’t ready unless you want to support her when she has problems.) But you should take the time and add these tools to protect your own logins.

CSOonline: Rethinking the process of doing risk assessments

The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.

CSOonline: The state of the CASB market

In just a few years,a lot has happened in the Cloud Access Security Broker (CASB) market.

Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing include CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future just as firewalls once were back in the day when PCs were being bought by the truckloads. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.

Four things also helped the CASB cause: First was its quick learning curve by security personnel. Second was that they became more inclusive in terms of applications support. Third was the beginnings of a managed service provider business, and finally, multimode operation has become more prevalent. 

In this story for CSOonline, I talk about what are these products, why enterprises are motivated to purchase and deploy them,  what features you should look for that are appropriate for your network. what are your decision points in the purchase process, and links to many of the major CASB vendors.

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Having better risk-based analysis for your banks and credit cards

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways at leveraging our identity in new and sneaky ways. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing messages that asked them to input their login credentials.

Steve Ragan in a screencast below shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.

 

SecurityIntelligence (IBM blog): Are ransomware attacks rising or falling?

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view.While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks is dropping over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM”s Security Intelligence blog.

SecurityIntelligence blog: What Are the Legalities and Implications of Hacking Back?

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.