Practical ways towards more secure logins

Lately, numerous websites have adopted better security practices, supporting a wider variety of multi-factor authentication (MFA) options. I have been trying these out and for the most part they install relatively easily, although your mileage will vary. The idea is that you want something more than your username (often just your email address) and a password. No matter how complex your password, it can be circumvented by a determined hacker. And many of us (you know who you are) don’t use very complex passwords, or reuse them across various sites.

Let’s start with the MFA tools that I want to use. First up is Google Authenticator. This is a smartphone app that generates a one-time PIN. You get to the dialog box on your website, enter the PIN and you can complete your login. Google Authenticator is dirt simple to set up: you scan a QR code that is displayed on your screen and it then shows you an entry for your website. The PIN changes every minute, so it is a lot harder to spoof than a code that is sent to your phone via text messaging.

The other tool is the Yubikey, a USB device from Yubico that supports the FIDO standards. There is a small button on the device that you press, and that sends the appropriate code to your website at the appropriate time to complete your login. They are inexpensive and now support a wide variety of website logins. Again, setup is fairly straightforward, and I just leave my key in my desktop’s USB port so I don’t have to worry about losing it.

If you use both methods (and you should, why not), this will prevent someone else from logging in to your account, even if they know your password. Once you have completed a successful login on one device, you aren’t prompted again for the extra security.

Twitter announced this past week that they support the Yubikey, which adds to their existing support of Google Authenticator and other authenticator apps. Here are the instructions for setting it up. The interface for doing this can be found starting with this menu, under the Security heading. It isn’t all that verbose an interface, but you can choose which of the three methods (text, Yubico key, and mobile app) or all of them to use for the additional security.

Next up is my WordPress blog. If you host your blog on WordPress.org, they have long supported various MFA methods, including Google Authenticator, Authy, Duo and others. If you use Wordfence Premium, you can also get the MFA protection. Speaking of Wordfence, you really should use it (at least the basic version): it will tell you who is trying to break into your blog, and last week I got several thousand attempts, which I think was a new record for me.

So I was more motivated to start having better protection for my login there. Since I use the basic Wordfence, I looked around and found miniOrange, another plug-in that supports WordPress as well as the Magento, Drupal and Joomla CMSes. It works with Google Authenticator as well as its own QR code reader and soft token apps. I used the free version, but if you pay extra for a miniOrange account, you can support more than a single user as well as get additional MFA methods, including Yubikey. There are several other MFA plug-ins for WordPress, but I didn’t try them.

While I was doing these installations, my bitcoin wallet app notified me that they were requiring everyone to add MFA to their logins soon, otherwise I wouldn’t be able to transfer any funds in or out of my account. That is a smart decision, especially given the number of recent exploits in this market space. So I got Google Authenticator working on that as well.

Finally, a few weeks ago I was getting all sorts of notifications that someone was trying to log in to my Facebook account, so I wanted to add both Google Authenticator and Yubikey to that login. I ran into problems: when I wanted to add the Authenticator app, Facebook turned on “Allow logins without a code for one week.” You can’t then turn this off without disabling the Authenticator app. I am not sure this is a good idea, but when I went back to check on it for this post I couldn’t find the setting. Your dialog box when done will look like this.

As you can see, this is still not completely ready for your mom’s logins. (At least, it isn’t ready unless you want to support her when she has problems.) But you should take the time and add these tools to protect your own logins.

CSOonline: Rethinking the process of doing risk assessments

The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.

CSOonline: The state of the CASB market

In just a few years, a lot has happened in the Cloud Access Security Broker (CASB) market.

Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing are CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future as firewalls were back in the day when PCs were being bought by the truckload. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.

Four things also helped the CASB cause: first, security personnel climbed the learning curve quickly; second, the products became more inclusive in terms of application support; third, a managed service provider business began to emerge; and finally, multimode operation has become more prevalent.

In this story for CSOonline, I talk about what these products are, why enterprises are motivated to purchase and deploy them, what features you should look for that are appropriate for your network, and what your decision points are in the purchase process, with links to many of the major CASB vendors.

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist and his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of the hacker think tank L0pht Heavy Industries testified to Congress. L0pht is famous for developing a series of hacking tools, such as Windows NT password crackers, and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Having better risk-based analysis for your banks and credit cards

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways to leverage our identity in new and sneaky ways. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing messages that asked them to input their login credentials.

In the screencast below, Steve Ragan shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.


SecurityIntelligence (IBM blog): Are ransomware attacks rising or falling?

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view. While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks dropped over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM’s Security Intelligence blog.

SecurityIntelligence blog: What Are the Legalities and Implications of Hacking Back?

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.

How Atlanta lost its ransomware battle

The story of how the city of Atlanta reacted to a ransomware attack at the end of March 2018 is instructive both in terms of what not to do and how expensive such an attack can become. The city actually experienced two separate attacks, one that began March 22 and another on April 5. This is just part of an overall trend where ransomware is on the rise. The Verizon Data Breach Investigations Report for 2018 says that ransomware has “overtaken all other forms of malware to be the most prevalent variety of malicious code for” 2017, and 2018 doesn’t look very different.

The first attack took down a number of city services, including online bill paying, the water department and court systems. Some law enforcement officers had to write their reports by hand. However, the city was able to make their municipal payroll and their city-owned airport continued with uninterrupted operations. The city was asked to pay $51,000 in ransom. A second attack hit the water department website again, according to Reuters. “I just want to make the point that this is much bigger than a ransomware attack,” said Keisha Lance Bottoms, the mayor of Atlanta. “This is really an attack on our government, which means it’s an attack on all of us. We are dealing with a hostage situation,” she said. But the mayor also admitted that cybersecurity wasn’t initially a high priority for her or the city, although it is now.

The first attack was based on the SamSam malware. CSOonline has details about the ransom notes and how they were tied to this particular malware strain. SamSam ransomware differs from other ransomware because the attackers don’t rely on user-based attack vectors, such as phishing campaigns. Instead, they use compromised hosts to gain a foothold and then move laterally through the network, taking their time to analyze weaknesses and points of leverage. This type of malware also hit the Colorado state Department of Transportation, which was able to restore its systems without paying any ransom. But then it was hit with a second attack a week later.

Judging by subsequent events, the Atlanta city government apparently refused to pay: it hired a series of consultants to help fix things. Eventually, it will have spent more than $2 million on contracts with various consultants, such as E&Y, Secureworks, Microsoft, CDW and others that the city has listed on its website.

Their first mistake was not heeding any early warnings about how ill-prepared they were, according to this report from a local TV station. Fixes were planned for the spring of 2018 but unfortunately not completed before the attacks happened.

But they compounded this mistake with a lot of sloppy IT work. One of the issues for Atlanta was how exposed it was. The city had open Windows RDP ports with no multi-factor authentication protection, and it also had open SMB shares and FTP servers, making them very easy to access and infect. Rendition Infosec documents these issues in a blog post here. These consultants had found the infamous NSA-based DoublePulsar malware on several city computers last year — computers that weren’t patched for several weeks after their owners were notified. These delays in patching were one of the big reasons why the footprint of the ransomware was so large, and so difficult to contain.

Certainly, Atlanta isn’t the only city that is poorly prepared for potential attacks. A recent survey of municipal IT workers found that most of them don’t know how frequently they are under attack, can’t determine who the attackers are and don’t even keep track of these attacks when they happen. The survey found that almost half of the respondents experience daily cyberattacks, and the researchers think even this is conservative. They conclude, “If local officials are going to do a better job protecting their information assets, they’ll first need to know a lot more about what’s actually happening.”

What can we learn from Atlanta? Lax security, delayed patching, sparse backups, and lots of open ports for hackers to access all led to the inevitable. These are some of the reasons why getting its online sites up and running took them weeks, if not months. Ultimately, Atlanta IT needs to change its culture to fix these common mistakes and be more attentive.

But Atlanta was also behind the times when it comes to having top-shelf protection solutions. Reviewing whom they have paid since the breach, the city has purchased multiple protection solutions, including Forescout, temporary staffing, incident response services, and Duo authentication tools. That’s great but they should have been using these tools from the get-go.

Should they have paid the ransom? It is tempting to pay, particularly when you think (mistakenly, in the case of Atlanta) that your backups are fine. Yes, the economics of paying can be better than the costs and consequences of trying to fix things yourself – if you are confident that the payment will actually result in decrypting your data and returning your systems to a working state.

But that doesn’t always work, especially when you realize that your backups aren’t adequate. A business can still have disruptions, as we have seen with the aftermath of the Atlanta cleanup stretching well into the summer. And remember that you are dealing with criminals, who don’t necessarily have to give you anything in return for your ransom payment. There is no guarantee that you will get your files decrypted, either. “Organizations should never have to think if paying the ransom is a better way out than restoring data compromised by ransomware,” says Rick Vanover, the director of product strategy for Veeam Software.

Finally, you need to vet your backup and recovery procedures, to make sure that they actually protect your data. “Organizations must have confidence in their backup architecture. It has to be resilient against threats such as ransomware today,” Vanover says. Atlanta never truly tested their recovery processes until it was too late. “One way to look at this is to pay now or pay later. Pay now to be resilient. Pay later to document that proper preparation was not in place.”

Gregory FCA blog: Get Your Cyber Security Firm Into Any News Story

It’s a precarious life for those who make a living marketing security services. The call could come anytime. From the product side or the C-Suite. I got together with

“Why aren’t we generating more awareness? Why does the media cover our competitors and not us? What can we do to create interest so that prospects know about us and include us in RFPs?”

Maybe it’s because your pitches aren’t creative enough?

Or they fail to understand how to engage the media?

Or they simply don’t give editors and reporters what they really want–and that’s something they haven’t heard before.

Consider these approaches:

1.  Fear sells and it’s a primary driver of media reporting. While the mass media is well aware of the Dark Web, they still don’t know enough and should report more on it to help protect their readers and viewers. What’s a cyber security firm to do? How about partnering with media on a story with a pitch that reads:

Subject: “We just did a Dark Web search on three of your anchors, and what we found should scare you and your viewers.”

The mass media–especially TV–loves it when their anchors or reporters personalize a story and put themselves in the shoes of their viewers. A smart PR campaign targets the media with that in mind, does the research and heavy lifting upfront and then offers to frame and work with them on the story.

2.  Crypto is all the rage. The media is desperately searching for clever ways to cover it and to engage and interest their readers and viewers in it. Cryptomining malware combines two big, fat, scary angles to interest reporters with pitches like:

Subject: “How criminals are using your phone to make millions by mining bitcoins without you even knowing it.”

This angle brings to light an underreported threat that impacts general consumers and plays well to a wide range of media–everything from business magazines and TV news to popular magazines and morning network TV talk shows. A well-constructed pitch that explains this threat and offers expert advice on protecting against it is exactly the kind of on-trend pitch the media jumps on.

3.  Make it contemporary. The very word NEWS comes from the root of NEW. The media loves to tie their stories to what’s happening in popular culture–even the trade and B2B media are open to the approach. Referencing entertainment, the news or pop culture provides a touchstone that immediately conveys meaning. Here’s a pitch that accomplishes all that and more:

Subject: “Liam Neeson they’re not. More companies are paying ransomware than trying to restore data from dated backup technologies.”

Where would you take your pitch from there? How about:

So you think you’re a tough guy like Liam Neeson in one of those hokey kidnap thrillers? And you’re ready to fight back if someone should hold ransom over your data?

No you’re not.

Increasingly, companies are capitulating to data thieves and simply paying the ransom rather than restoring from their own backup systems. Why? Many backup systems are simply too old and unreliable to…“.

So the next time you get that call questioning your PR strategy, remember, the media is often a willing partner in reporting on cyber security topics that impact the world. The key is to relate to the media on their terms, offering them creative angles that attract more viewers and readers to their online, print and broadcast properties. The undeniable pitch is for real and only limited by your own imagination and creativity or that of your PR partner.

CSOonline: How Risk-Based Authentication has become an essential security tool (c2018)

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve the overall customer experience and help with compliance regulations, as well as simplify a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods, especially as the typical enterprise attack surface has expanded and evolved. The expansion takes on several different dimensions:

  • Endpoints are getting more diverse. Thanks to more capable mobile devices and more susceptible embedded internet of things (IoT) products, attackers have more leverage and entry points. Botnets of thousands of these devices are quite common, and entire malware campaigns (such as Mirai in 2016) are a major threat vector.
  • More mobiles on enterprise networks means that users are mixing more personal and business activities on their phones and tablets. This erodes the boundaries between these two domains and makes it easier for attackers to leverage entry into the business network.
  • Social networks make it easier for hackers to use social engineering tactics to figure out users’ logins. As a result, authentication challenges are getting more sophisticated, with attackers compromising one-time passwords and weak MFA methods with better tools and the acquired social engineering knowledge.
  • Cloud computing has helped to leverage malware-as-a-service, and a number of malware construction kits and services are available for purchase that don’t require much in the way of skill beyond clicking on a few buttons.
  • Malware is getting more sophisticated at hiding in plain sight, being able to disable protective methods and establish itself deep within a typical enterprise network.
  • Attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications, making them very hard to track if viewed as separate and independent events.
  • Shadow IT operations continue to proliferate, making it harder for IT to police and protect endpoints. Adding to this difficulty is that the average enterprise network is getting more complex and harder to defend. One study shows that the average bank had 30 domain configuration issues, 42 SSL configuration issues, 87 IP reputation issues, and 81 threat indicators across their digital footprints. That is a lot of different touch points to monitor and maintain.
  • Finally, ransomware is a growth business, with an increasing number of attacks and pinpoint targeting of specific businesses and transactions.

Passwords are no longer secure

As the number of logins and password-protected services increases, it makes passwords more difficult to remember. That encourages more reuse or picking weaker ones that are easier to compromise. Users are experiencing more password fatigue, and they need better tools that can avoid passwords whenever possible without compromising security. All static passwords are now vulnerable, and RBA has become the best mechanism to introduce security and avoid further password reuse and fatigue.

These trends are forcing IT managers to more seriously use RBA methods and move from traditional binary login/logout practices to more nuanced user access. Authentication has to adjust to different circumstances. When a user is doing something particularly risky, such as a funds transfer or adding a new payee to their online banking account, they need more stringent authentication.

An enterprise needs to have more granular authentication tools, not just a simple yes or no process. Security blogger Brian Krebs says in a recent post, “Nobody has any business using these static identifiers for authentication because they are for sale on most Americans quite cheaply in the cybercrime underground. Most U.S. adults have had their static personal details on sale for years now.” RBA is needed to make sure that subtler yes/no decisions can be made for various authentication activities, and to be able to distinguish between the genuine user and a hacker trying to force their way in.

The new generation of RBA solutions

RBA isn’t new. Various authentication vendors have been selling risk-based solutions that scored particular transactions on simple linear scales for years. What is new is a series of innovations that can make RBA more attractive and more secure. Here are a few of the RBA vendors:

The innovations found in these products include the following features, and IT buyers of RBA solutions should carefully examine how each of these are implemented before choosing one that fits their needs:

  • Continuous authentications and account monitoring that provides automated risk profiles and assessments. RBA needs to understand a user’s typical behavior, life and account patterns. For example, some software knows that you always use a particular neighborhood ATM for cash withdrawals, so that when you go visit an ATM across the country, you are presented with authentication challenges or get conditional access until you prove your identity. Unlike the older linear risk scales, these continuous methods are adjusting risk dynamically, and cover a wider collection of circumstances.
  • Real-time analysis. Helping this continuous assessment is being able to do so in near real-time. When someone is trying to use my credit card illegally (which actually happened to me last week), I should receive a notification from my bank within moments of the attempted transaction.
  • Orchestration across various diverse applications and environments. The best orchestration technologies can examine a wide variety of inputs and combine everything together to make a decision about whether a user is acting appropriately or if fraud or account takeover is happening.
  • Ability to work with various self-service portals. This allows users to reset passwords or deal with lost devices without having to call the enterprise help desk for support.
  • Behavioral biometrics. RBA should also keep track of how the user behaves with the authentication application itself, so that a user’s collection of devices becomes part of its sensor network to perform the actual risk assessment. The ways in which we walk, stand, sit, and interact with our applications and devices (choosing menus, typing and touch cadence) turn out to be quite predictable and all can be used as authentication mechanisms.
  • Better integration of MFA methods. MFA is just one piece of the RBA puzzle. While it is an important one, it isn’t the only game in town. RBA tools need to determine when not to use MFA logins as much as when to use them. It used to be that we considered biometric methods as an additional MFA factor, akin to a better one-time password generator. However, biometrics and MFA are just additional inputs to the overall RBA decision process, and both need to be better integrated into an enterprise’s functional processes to handle the newer continuous risk-scoring methods.
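As an added example that is not from the article or any vendor’s product: a minimal risk-based policy engine that scores each event from the signals the list above describes (device familiarity, distance from the usual location, travel speed since the last event, the sensitivity of the action, and an unusual amount) and then decides whether to let the user through, step up to MFA, or block, so that MFA is demanded only when the risk warrants it. The weights, thresholds, the sample user profile and the coordinates are constructed assumptions.

```python
"""Added example (not from the article or any vendor): a minimal risk-based
authentication (RBA) policy engine built from the signals listed above.

Each event is scored from device familiarity, distance from the user's
usual location, travel speed since the last accepted event, how sensitive
the action is, and how unusual the amount is.  The score decides between
letting the user through, stepping up to MFA, or blocking.  Weights,
thresholds, the sample profile and the coordinates are assumptions.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Base risk per action: the article singles out funds transfers and new payees.
ACTION_RISK = {"login": 0, "balance": 0, "withdrawal": 15,
               "funds_transfer": 35, "add_payee": 40}
STEP_UP_AT, DENY_AT = 35, 80          # score thresholds (assumed)
FAR_KM, TOO_FAST_KMH = 100.0, 1000.0  # "across the country", and faster than any airliner


@dataclass
class Event:
    user: str
    action: str
    device_id: str
    lat: float
    lon: float
    ts: float            # unix seconds
    amount: float = 0.0


@dataclass
class Profile:
    """What RBA has learned about a user's pattern of life."""
    known_devices: Set[str] = field(default_factory=set)
    home_lat: float = 0.0
    home_lon: float = 0.0
    typical_amount: float = 200.0
    last_event: Optional[Event] = None


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(profile: Profile, ev: Event) -> Tuple[int, List[str]]:
    """Combine the signals into one score plus human-readable reasons."""
    score = ACTION_RISK.get(ev.action, 20)  # unknown actions count as moderately risky
    reasons: List[str] = []
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    from_home = distance_km(profile.home_lat, profile.home_lon, ev.lat, ev.lon)
    if from_home > FAR_KM:
        score += 20
        reasons.append(f"{from_home:.0f} km from usual location")
    last = profile.last_event
    if last is not None:
        hours = max((ev.ts - last.ts) / 3600.0, 1 / 3600.0)  # avoid division by zero
        speed = distance_km(last.lat, last.lon, ev.lat, ev.lon) / hours
        if speed > TOO_FAST_KMH:  # the two sessions cannot both be the genuine user
            score += 60
            reasons.append(f"impossible travel ({speed:.0f} km/h since last event)")
    if ev.amount > 5 * profile.typical_amount:
        score += 20
        reasons.append("amount far above typical")
    return score, reasons


def decide(profile: Profile, ev: Event) -> Tuple[str, int, List[str]]:
    """Continuous assessment: each accepted event becomes context for the next one."""
    score, reasons = score_event(profile, ev)
    if score >= DENY_AT:
        decision = DENY
    elif score >= STEP_UP_AT:
        decision = STEP_UP     # challenge with MFA before the action proceeds
    else:
        decision = ALLOW       # low risk: no MFA prompt needed
    if decision != DENY:
        profile.last_event = ev
    return decision, score, reasons


def enroll_device(profile: Profile, ev: Event) -> None:
    """Call only after a step-up challenge succeeded: the device then becomes known."""
    profile.known_devices.add(ev.device_id)
```

A routine balance check from a known device at home scores zero and gets no MFA prompt, a funds transfer from the same device is stepped up, a cash withdrawal a few hundred kilometres away is stepped up (the ATM case above), and a login from an unknown device that implies impossible travel since the last accepted event is refused outright.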