Do real people want real encryption?

The short answer is a resounding Yes! Let’s discuss this topic which has spanned generations.

The current case in point has to do with terrorists using WhatsApp. For those of you who don’t use it, it is a text messaging app that also handles voice and video calls. I started using it when I first went to Israel, because my daughter and most of the folks I met there professionally were using it constantly. It has become a verb, like Uber and Google are for getting a ride and searching for stuff. Messages and calls are encrypted end-to-end, so only the two endpoints hold the keys; the metadata about who talked to whom, and when, is not, which matters for what follows.

This is why the bad guys also use it. In a story my colleague Lisa Vaas posted here in Naked Security, she quotes UK Home Secretary Amber Rudd on some remarks she recently made. For those of you who aren’t familiar with UK government, this office covers a wide collection of duties, mixing what Americans would find in our Homeland Security and Justice Departments. She said, “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She was making a plea for tech companies to loosen up their encryption, just a little bit mind you, because her government cannot see what the terrorists are doing. “However, there is a problem in terms of the growth of end-to-end encryption” because police and security services aren’t “able to access that information.” Her idea is to serve warrants on the tech companies and get at least metadata about the encrypted conversations.

This sounds familiar: after the Paris Charlie Hebdo attacks two years ago, then Prime Minister David Cameron issued similar calls to break into encrypted conversations. They went nowhere.

Here is the problem. You can’t have just a little bit of encryption, just like you can’t be a little bit pregnant. Either a message (or an email or whatever) is encrypted, or it isn’t. If you build in a way to selectively break encryption, a key or mechanism held for the police, you can’t guarantee that the bad guys won’t find or steal that same route: a weakness in the protocol does not check the badge of whoever uses it. And if vendors hold their users’ passwords or keys (as some have suggested), that is a breach “waiting to happen,” as Vaas says in her post. “Weakening security won’t bring that about, however, and has the potential to make matters worse.”

In Vaas’ post, she mentions security expert Troy Hunt’s tweet (reproduced here) listing the online services that (surprise!) Rudd herself uses and that depend on encryption, such as Wikipedia, Twitter and her own website, all served over HTTPS. Jonathan Haynes, writing in the Guardian, says “A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.”

It isn’t that normal citizens, or real people, or whatever you want to call non-terrorists, have nothing to hide. They have their privacy, and without encryption everything is out in the open for anyone to abuse, lose, or spread around the digital landscape.

CSO Online: As malware grows more complex, protection strategies need to evolve

The days of simple anti-malware protection are mostly over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools find only a small fraction of potentially harmful infections. This is because malware has become stealthier, more evasive and more complex.

In this post for CSO Online sponsored by PC Pitstop, I dive into some of the ways that malware can hide from detection, including polymorphic methods, avoiding dropping files on a target machine, detecting VMs and sandboxes or using various scripting techniques. I also make the case for using application whitelisting (which is where PC Pitstop comes into play), something more prevention vendors are paying more attention to as it gets harder to detect the sneakier types of malware.
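To make the contrast between the two models concrete, here is an added example (mine, not code from the CSO Online post or from PC Pitstop): a toy polymorphic packer that re-encodes a constructed “payload” with a fresh random key on every copy, a hash-and-pattern signature scanner that catches the original and misses every repacked variant, and an allowlist check that denies those variants without ever having seen them before. Every byte string is a stand-in, not real malware, and the packer is deliberately simple (real packers also rewrite their decoder stub).

```python
import hashlib
import os

# Constructed stand-ins for files on disk (not real malware): a "payload" with a
# recognisable byte string that a signature scanner keys on, and the approved
# programs an allowlist would be built from.
PAYLOAD = b"DEMO PAYLOAD: delete shadow copies; encrypt user documents"
APPROVED_PROGRAMS = {
    "notepad.exe": b"DEMO APPROVED BINARY: notepad",
    "excel.exe": b"DEMO APPROVED BINARY: excel",
}
BAD_SIGNATURE = b"delete shadow copies"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_BAD_HASHES = {sha256(PAYLOAD)}
ALLOWLIST = {sha256(b) for b in APPROVED_PROGRAMS.values()}


def signature_scan(blob: bytes) -> bool:
    """Blocklist model: flag a file only if its hash or a byte pattern is already known."""
    return sha256(blob) in KNOWN_BAD_HASHES or BAD_SIGNATURE in blob


def repack(payload: bytes, key=None) -> bytes:
    """Toy polymorphic packer: XOR the payload with a fresh 16-byte key so every copy
    has a different hash and no fixed byte pattern.
    Layout: 4-byte marker, 16-byte key, encoded body."""
    key = key or os.urandom(16)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"STUB" + key + body


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: recover the original payload in memory."""
    key, body = blob[4:20], blob[20:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def allowlist_check(blob: bytes) -> bool:
    """Allowlist model: a file may execute only if it is a known-good binary.
    The decision never asks what the file *is*, only whether it is approved, so a
    freshly repacked variant is denied even though nobody has seen it before."""
    return sha256(blob) in ALLOWLIST


def demo() -> dict:
    """Run both models against the original and two repacked variants."""
    v1, v2 = repack(PAYLOAD), repack(PAYLOAD)
    return {
        "original_caught_by_signature": signature_scan(PAYLOAD),
        "variants_differ": v1 != v2,
        "variant_caught_by_signature": signature_scan(v1) or signature_scan(v2),
        "variant_still_runs": unpack(v1) == PAYLOAD,
        "variant_allowed": allowlist_check(v1),
        "notepad_allowed": allowlist_check(APPROVED_PROGRAMS["notepad.exe"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The allowlist wins here because its decision never depends on recognising the threat, only on recognising the good. Its weak spot is the other trick the post mentions: fileless and script-based malware runs inside an interpreter or signed binary that is itself on the allowlist, so allowlisting has to be paired with controls on what those interpreters are permitted to do.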

CSOonline: Review of Check Point’s SandBlast Mobile — simplifies mobile security

There is a new category of startups — like Lookout Security, NowSecure, and Skycure — that have begun to provide defense in depth for mobiles. Another player in this space is Check Point Software, which has rebranded its Mobile Threat Protection product as SandBlast Mobile. I took a closer look at this product and found that it fits in between mobile device managers and security event log analyzers. It makes it easier to manage the overall security footprint of your entire mobile device fleet. While I had a few issues with its use, overall it is a solid protective product.

You can read my review in CSOonline here.

Warning: your mobile phone is not safe from hackers

The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse. I am talking of course about your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control, and some not.

Just look at some of the recent hacks that have happened to phones. There are bad apps that look benign, apps that claim to protect you from virus infections but are really what are called “fake AV” and harm your phone instead, and even malware that infects application construction tools. I will get to some of the specifics in a moment. If you are in St. Louis on August 3, you can come hear me speak here about this topic.

Part of the problem is that the notion of “bring your own device” has turned into “bring your own trouble”: as corporate users have become more comfortable using their own devices, those devices can carry infections into the corporate network or pick them up from it. Mobile users are also less careful and tend to tap on email attachments and links that can compromise their phones. But the real fault lies in the opportunity that mobile apps present.

For example, take a look at what security researcher Will Strafach did in this report earlier this year. He demonstrated dozens of iOS apps that were vulnerable to what is called a man-in-the-middle attack: because the apps accepted invalid TLS certificates, anyone on the network path could intercept data as it passed from your phone through the Internet to the app’s servers. At the time, his report grabbed a few headlines, but apparently that wasn’t enough. In a more recent update, he found that very few of the app creators took the hint; most did nothing. He estimates that the apps still carrying the flaw account for some 18 million downloads. Security is just an afterthought for many app makers.

Another issue is that many users just tap on an app and download it to their phones without checking that they have the right one. Few of us do any vetting or research to find out whether an app is legit or part of some hacker’s scheme, and doing so properly takes a CS degree or a lot of skill. Take the case of the “fake AV” apps that infect rather than protect your phone: there are hundreds of them in the Google Play store. FalseGuide is another malware family that has been active since last November and has infected more than two million users.

The Judy malware has infected between 8.5 million and 36.5 million users over the past year, hiding inside more than 40 different apps. DressCode first appeared around April 2016 and has since been downloaded hundreds of thousands of times. Both look like ordinary apps that your kids might want to download and play with. Attackers often take legitimate apps, insert malware, then rename and relist them on the app stores, which makes matters worse.

Even WannaCry made its way into the app stores in some form, with seven apps in the Google Play store and two in Apple’s App Store flagged, although the worm itself exploits a Windows SMB flaw and cannot run on a phone, so whatever was in those apps was not the worm that hit hospitals. Speaking of Apple, the malware XcodeGhost is notable in that it targeted iOS devices and resulted in some 300 malware-infected apps, although what it actually infected was a tampered copy of Apple’s Xcode development environment, so every app built with that copy carried the malware, rather than the phones directly.

So what can you do? First, make sure your phone has a PIN or passcode to lock it, and if you have a choice of a longer one, choose that. At least ten percent of users still don’t lock their phones. On iOS, and on recent Android phones, the lock code also protects the keys that encrypt the data on the device, so a phone without one is readable by whoever picks it up.

Next, use encrypted messaging apps to send sensitive information, such as Signal or WhatsApp. Don’t trust SMS texts or ordinary emails for this.

Use a password manager, such as LastPass, to store all your passwords and sync them across your devices, so you don’t have to remember them or write them down.

When you are away from your home or office network, use a VPN to protect your network traffic.

Don’t automatically connect to Wi-Fi hotspots by name: attackers set up rogue access points with plausible names, and a network called “Starbucks Wi-Fi” could be run by anyone. Apple makes a Configurator app that can be used to further lock down its devices: use it.

Turn off radios that aren’t in use, such as Bluetooth and Wi-Fi.

Don’t do your online banking — or anything else that involves moving money around — when you are away from home.

Don’t let your kids download apps without vetting them first.

Turn on the Verify Apps feature (now part of Google Play Protect) on Android devices so that malicious or questionable apps are flagged or blocked at install time and in periodic scans.

Keep your devices’ operating systems updated, especially Android ones. Hackers often take advantage of phones running older OS’s.

I realize that this is a lot of work. Many of these tasks are inconvenient, and some will break old habits. But ask yourself if you want to spend the time recovering from a breach, and if it is worth it to have your life turned upside down if your phone is targeted.

iBoss blog: The new rules for MFA

In the old days, perhaps one or two years ago, security professionals were fond of saying that you need multi-factor authentication (MFA) to properly secure logins. That advice has to be tempered by the series of man-in-the-middle and malware exploits against MFA that relay or steal the additional factor, nullifying the supposed protection it was meant to add. Times are changing for MFA, to be sure.

I wrote a three-part series for the iBoss blog about this topic. Here is part 1, which introduces the issues.  Part 2 covers some of the new authentication technologies. If you are responsible for protecting your end users’ identities, you want to give some of these tools careful consideration. A good place to start your research is the site TwoFactorAuth, which lists which sites support MFA logins. (The Verge just posted their own analysis of the history of MFA that is well worth reading too.)

And part 3  goes into detail about why a multi-layered approach for MFA is best.

Should hacking back be legal?

Two reports, one recent and one from last year, have been published on the state of active cyber defense strategies.

The first one is Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats; it covers the work of a committee of government and industry experts convened by the Center for Cyber and Homeland Security at George Washington University and came out last October. The second report came out this month and is called Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? It is published by Wyatt Hoffman and Eli Levite, two fellows at the Carnegie Endowment, a DC think tank.

Both reports review the range of active cyber defense strategies. The techniques run from the more common honeypots (where IT folks set up a decoy server that looks like it contains important information but is really a lure to attract and observe attackers) to botnet takedowns, to “white-hat” (legally sanctioned) ransomware, to cyber “dye packs” that beacon back network information from the attacker’s machine and might even disable it, to outright hacking back. The issue is where to draw the legal line for both government and private actors.

Active defense is nothing new: honeypots were used back in 1986 by Clifford Stoll, who created fake files promising military secrets to lure a spy onto his network. He documented the effort in his book The Cuckoo’s Egg. Of course, since then people have gotten more sophisticated in their defense mechanisms, particularly as the number of attacks and their sophistication has grown.

The first report dissects two active defense case studies that are available in the public literature: Google’s reaction to Operation Aurora in 2009 that began in China and the Dridex banking Trojan botnet takedown in 2015. Google made use of questionably legal discovery technologies but was never prosecuted by any law enforcement agency. Dridex was neutralized through cooperation of several government agencies and private sector efforts, and resulted in the extradition and conviction of Andrey Ghinkul.

With both of these cases, the GWU report shows that attributing the source of the malware was possible, but not without extensive cooperation among a variety of private and government parties. That is the good news.

Speaking of cooperation, that is where the second report comes into play, where it compares the cyber efforts with the commercial shipping industry’s experience regarding piracy on the high seas. After it became clear that governments’ military efforts were insufficient responses to the piracy problem, the demand for private sector security services increased dramatically. While governments initially resisted their involvement, they begrudgingly accepted that the active defense measures deployed by shipowners, in consultation with insurance providers, were helping to deter attacks and that the tradeoffs in risk were unavoidable. The bottom line—the private sector filled a critical gap in protection by working together.

But here is the problem, as true now as last fall when the first GWU report was published. A private business has no explicit right of self-defense when it comes to a cyber attack, and in most cases, could be doing something that runs afoul of US laws. There are various legal remedies that the government can take, but not an ordinary business. As the GWU report states, “US law is commonly understood to prohibit active defense measures that occur outside the victim’s own network. This means that a business cannot legally retrieve its own data from the computer of the thief who took it, at least not without court-ordered authorization.” What makes matters worse is the number of cyber job openings in those government agencies, so even though they have the authority, they are woefully understaffed to take any action.

The GWU report puts forth a risk-based framework for how government and the private sector can work together to solve this problem, and you can read their various recommendations if you are interested. 

It is a tricky situation. One of the GWU report authors is Nuala O’Connor, the President and CEO of the Center for Democracy & Technology. She warns that if “more aggressive active defense measures might become lawful” on the basis of “considerations like whether they were conducted in conjunction with the government and the intent of the actor,” there could be problems. “I believe these types of measures should remain unlawful. Intent can be difficult to measure, particularly when on the receiving end of an effort to gain access.”

 The Carnegie authors admit that their shipping analogy has its limitations, but correctly point out that when the government is lacking in its efforts, the private sector will step in and fill the gap with their own solutions. They say, “Malicious cyber actors motivated by geopolitical objectives, however, may have a far different calculus than cybercriminals, which affects whether and how they can be deterred.” In the meantime, my point in bringing up this issue is to get you to think about your own active cyber defense strategies for your own business.  

Stopping phishing

When IT professionals talk about phishing attacks, they are quick to blame uneducated users who aren’t really focused on processing their email. That is certainly one of the causes, and one reason why phishing remains so popular among attackers, but you can’t fault even the most eagle-eyed users for several things that are making it harder to spot phony emails. A combination of more subtle attacks using non-Roman characters in URLs, more mobile man-in-the-middle exploits, wider use of SSL certificates and more mobile email usage has created new opportunities for phishers.

Homograph attacks. Even if you are the sharpest-eyed observer, you will have a hard time detecting the technique called an IDN homograph attack (often loosely called a Punycode attack, after the encoding that carries non-ASCII domain names inside the DNS). The idea is simple: years ago the Internet standards bodies extended domain names to handle non-Roman alphabets (internationalized domain names, or IDNs). The trouble is that many of those characters look identical, in most fonts, to the ordinary letters you and I use in the Roman alphabet. Phishers register domains whose names look just like a brand’s all-Roman name but with one or more letters swapped for lookalikes from another script, say Cyrillic; the browser shows the pretty Unicode form while the wire form is an ASCII string beginning with xn--. This post from Wordfence shows how subtle these homographs really are, to the point where a human cannot tell them apart. There is further discussion on this site about how phishers operate.
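As an added illustration (mine, not code from the original post or from Wordfence), here is a small Python detector that runs the two checks modern browsers apply before deciding whether to display the Unicode form of a domain: a mixed-script test, and a whole-script-confusable test for labels made entirely of Cyrillic lookalikes, which is the case that slips past a mixed-script test. The lookalike table is a constructed subset of the Unicode confusables data, the hostnames are made up, and only the standard library is used.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin ones
# (a small subset of the Unicode confusables data; illustrative, not exhaustive).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def to_unicode(hostname: str) -> str:
    """Turn A-labels (xn--...) back into the Unicode form a browser would display."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Coarse script taken from the Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...).
    Digits, hyphens and other ASCII non-letters count as COMMON and are ignored."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(label: str) -> str:
    """Replace each known lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def homograph_findings(hostname: str) -> list:
    """Return (label, reason, looks_like) for each suspicious label.
    mixed-script: Latin and another script inside one label, e.g. 'p' + Cyrillic 'а' + 'ypal'.
    whole-script-confusable: a label consisting only of Cyrillic lookalikes, which
    passes a mixed-script test yet renders as a Latin brand name."""
    findings = []
    for label in to_unicode(hostname).split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, "mixed-script", skeleton(label)))
        elif scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in label):
            findings.append((label, "whole-script-confusable", skeleton(label)))
    return findings


if __name__ == "__main__":
    fake_apple = "\u0430\u0440\u0440\u04cf\u0435"  # all Cyrillic, renders as "apple"
    alabel = "xn--" + fake_apple.encode("punycode").decode("ascii") + ".com"
    for host in ["apple.com", fake_apple + ".com", "p\u0430ypal.com", alabel]:
        print(host, "->", homograph_findings(host) or "looks clean")
```

The `skeleton` value is what you would show a user (or log) next to the suspicious name: “this label looks like apple but contains no Latin letters.” Legitimate IDNs such as münchen.de pass both checks because every letter is Latin, which is the balance browsers also try to strike.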

More mobile email usage. This is making it harder to see (and then vet) the URL bar when a browser session is opened on your phone. The mobile app designers want as much screen real estate as they can to show a web page and this means that the URL line is often hidden or quickly moves off the screen as you scroll down. Even if you wanted to pay attention, you probably don’t bother to scroll back up to see it. What is making things worse is that the criminals are making better copies of real web pages. The crooks are getting better at using the exact same HTML code that a bank or retailer uses for their web pages, which makes them harder to distinguish, even if they are viewed on a full-sized PC screen.

More SSL encryption usage. Ironically, an effort that began several years ago at Google and at the non-profit behind Let’s Encrypt has made this problem worse. Let’s Encrypt makes it dirt simple to obtain a free SSL certificate in a matter of seconds, so the padlock in the browser’s URL bar is almost moot as a trust signal: a domain-validated certificate proves only that the connection is encrypted to whoever controls that domain name, and phishers control their own domains. While it is great that more than half of all web traffic is now encrypted, we need better mechanisms than just a red/green indicator to help users understand what they are viewing.

More frequent MITM attacks on mobile apps. Security researcher Will Strafach published a report earlier this year demonstrating numerous iOS apps that were vulnerable to man-in-the-middle attacks because they accepted invalid TLS certificates. These allow attackers on the network path to intercept data as it is passed from a device to a server. That grabbed a few headlines, but apparently wasn’t enough. In a more recent report he has continued to track these apps and shows that many of them are still vulnerable.

So what is being done? The browser vendors are doing a better job at detecting homograph URLs: Chrome 58 and later refuse to display a label made entirely of Cyrillic lookalikes and show the xn-- form instead, and Firefox will do the same if you set network.IDN_show_punycode to true in about:config. If you are on an older browser, upgrade now. Many network security vendors are fine-tuning their tools to better detect compromised emails, track the reputations of malware control sites, or use other techniques to try to neutralize the phishers. Some enterprises are deploying secure browsers to limit the damage of a phished link.

Clearly, this will take a combination of approaches to fight this continued battle. Phishing is a war of attrition. All it takes is one less-attentive user and the game is on. And it requires constant vigilance — by all of us.

Enterprise.nxt: What to look for in your next CISO

Hiring a chief information security officer (CISO) is a tricky process. The job title is in the limelight, especially these days, when breaches are happening to so many businesses. The job turnover rate is high, with many CISOs quitting or getting fired because of security incidents or management frustration. And the supply of qualified candidates is low. According to the ISACA report, State of Cyber Security 2017, 48 percent of enterprises get fewer than 10 applicants for cybersecurity positions, and 64 percent say that fewer than half of their cybersecurity applicants are qualified. And that’s just the rank and file IT security positions, not the top jobs. So here are some things to consider when you need to find a CISO and you don’t want to hire a “chief impending sacrifice officer.”

Read my article in HPE’s Enterprise.nxt.

Building a software-defined network perimeter

At his Synergy conference keynote, Citrix CEO Kirill Tatarinov mentioned that IT “needs a software defined perimeter (SDP) that helps us manage our mission critical assets and enable people to work the way they want to.” The concept is not a new one, having been around for several years.

An SDP replaces the traditional network perimeter, usually thought of as a firewall around a trusted internal network. Those days are long gone (there is no “inside” once users, devices and workloads are spread across homes, hotels and clouds), although you can still find a few IT managers who cling to the notion.

The SDP uses a variety of security software to define which resources are protected and who may reach them, and to refuse every other connection attempt. For example, the working group at the Cloud Security Alliance has settled on a control-channel architecture built from standard components: SAML for identity, PKI and mutual TLS to authenticate both the device and the service, and a controller that tells the gateways to accept a client only after it has authenticated, so protected hosts stay invisible to everyone else.

Working groups such as these move slowly – it has been hard at work since 2013 – but I am glad to see Citrix adding their voice here and singing the SDP tune.

 

But perhaps a better way to explain the SDP is what is being called a “zero trust” network. In an article in Network World earlier this year, a post described the efforts at Google to move to this kind of model, whereby everyone and everything on the network is untrusted until proven otherwise: being plugged into an office LAN earns no more access than sitting in a coffee shop. Every device is checked before being allowed access to resources. “Access is granted based on what Google knows about the end user and their device. And all access to services must be authenticated, authorized and encrypted,” according to the article.

This is really what a SDP is about, because all of these access evaluations are based on software that checks for identity, on other software that examines whether a device has the right credentials, and other software to make sure that traffic is encrypted across the network. Because Google is Google, they built their own solution and it took them years to implement across 20 different systems. What I liked about the Google implementation was that they installed their new systems across Google’s worldwide network and just had it inspect traffic for many months before they turned it on to ensure that nothing broke their existing applications.
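Here is an added example (mine, not Google’s code) of the kind of access decision the article describes, loosely modelled on the device trust tiers Google describes for BeyondCorp. The access proxy grants a request only if the channel is encrypted, the user’s group is allowed on the resource, and the device presenting the client certificate is in inventory, matches the certificate on record and meets the patch baseline. The inventory, users and resources are constructed, the mutual TLS handshake is assumed to have already proved possession of the certificate, and the `enforce` flag is the “watch first, enforce later” rollout the paragraph above mentions.

```python
import hashlib

# Constructed device inventory: what the access proxy knows about each managed
# device (in a real deployment this is fed by MDM and endpoint agents). The
# fingerprint is the SHA-256 of the client certificate issued to that device.
DEVICE_INVENTORY = {
    "lt-0412": {"managed": True, "os_patch_level": "2017-07",
                "cert_sha256": hashlib.sha256(b"cert-for-lt-0412").hexdigest()},
    "lt-0990": {"managed": True, "os_patch_level": "2016-11",
                "cert_sha256": hashlib.sha256(b"cert-for-lt-0990").hexdigest()},
}
MIN_PATCH_LEVEL = "2017-05"  # YYYY-MM, so plain string comparison orders correctly
USER_GROUPS = {"alice": {"eng"}, "bob": {"eng"}, "carol": {"sales"}}
# Per-resource policy: which groups may reach it and the minimum device trust tier.
RESOURCES = {
    "code-review": {"groups": {"eng"}, "min_tier": 2},
    "wiki": {"groups": {"eng", "sales"}, "min_tier": 1},
}


def device_tier(device_id: str, presented_cert: bytes) -> int:
    """Trust tier: 0 unknown or spoofed, 1 managed but behind on patches,
    2 managed and current. Possession of the cert is assumed proven by mutual TLS;
    here only the presented certificate bytes are compared with inventory."""
    rec = DEVICE_INVENTORY.get(device_id)
    if rec is None or hashlib.sha256(presented_cert).hexdigest() != rec["cert_sha256"]:
        return 0
    if not rec["managed"]:
        return 0
    return 2 if rec["os_patch_level"] >= MIN_PATCH_LEVEL else 1


def decide(user, device_id, presented_cert, resource, encrypted, enforce=True):
    """Access decision for one request: (allowed, reason).
    With enforce=False the proxy runs in monitor mode: nothing is blocked, but the
    reason records what enforcement would have done, which is how you discover
    what would break before turning the policy on."""
    policy = RESOURCES.get(resource)
    if not encrypted:
        verdict = (False, "plaintext channel")
    elif policy is None:
        verdict = (False, "unknown resource")
    elif not (USER_GROUPS.get(user, set()) & policy["groups"]):
        verdict = (False, f"{user} not authorized for {resource}")
    else:
        tier = device_tier(device_id, presented_cert)
        if tier < policy["min_tier"]:
            verdict = (False, f"device tier {tier} below required {policy['min_tier']}")
        else:
            verdict = (True, "ok")
    if not enforce and not verdict[0]:
        return (True, "monitor mode, would deny: " + verdict[1])
    return verdict


if __name__ == "__main__":
    print(decide("alice", "lt-0412", b"cert-for-lt-0412", "code-review", encrypted=True))
    print(decide("bob", "lt-0990", b"cert-for-lt-0990", "code-review", encrypted=True))
    print(decide("bob", "lt-0990", b"cert-for-lt-0990", "code-review", encrypted=True,
                 enforce=False))
```

Note that a valid user on an unpatched or unknown device is refused the sensitive resource but still allowed the wiki, which is the whole point of tiering: location on the network never enters the decision, only who is asking and from what.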

You probably don’t have the same “money is no object” philosophy and want something more off-the-shelf. But you probably want to start sooner rather than later on building your own SDP.

New security products of the week

As part of my duties to write and edit this email newsletter for Inside.com, I am always on the lookout for new security products. When I was at the Citrix Synergy show last week, I wanted to see the latest products. One of the booths that was drawing crowds was Bitdefender’s. They have a Hypervisor Introspection product that sits on top of XenServer v7 hypervisors. It is completely agentless, and just runs memory inspections of the hosted VMs. Despite the crowds, I was less enamored of their solution than others that I have reviewed in the past for Network World such as Trend Micro’s and HyTrust’s. (Note, this review is more than three years old, so take my recommendations with several spoonfuls of your favorite condiment).

Nevertheless, having some protection riding on top of your VMs is essential these days, and you can be sure there were lots of booths scattered around the show floor that claimed to stop WannaCry in its tracks, given the publicity of this recent attack. Whether they actually would have done so is another matter entirely, I am just saying.

Over at the Kaspersky booth, it was nearly empty but they actually have a better mousetrap and have had their Virtualization Security products for several years. Kaspersky has a wider support of hypervisors (they run on top of VMware and Hyper-V as well as Xen). They offer an agentless solution for VMware that works with the vShield technology, and lightweight agents that run inside each VM for the other hypervisors. While you have to deploy agents, you get more visibility into how the VMs operate. One company not here in Orlando but that I am familiar with in this space is Observable Networks: they don’t need agents because they monitor the network traffic and system logs produced by the hypervisor. So just don’t make a decision based on the agents vs. agentless argument but look closer at what the security tool is monitoring and what kinds of threats can really be prevented. Pricing on Kaspersky starts at $110 per virtual server with a single VM and $39 per virtual desktop that includes 10-14 VMs. Volume discounts apply.

IGEL was another crowded booth. They have developed thin clients in the form of a small form-factor USB drive. If you have an Intel-based client with at least 2 GB of RAM and 2 GB of disk storage (such as an old Windows XP desktop or Wyse thin client), you can run a Citrix Receiver client that will basically extend the life of your aging desktop. A major health IT provider just placed an order for $2M worth of more than 9,000 of these USB clients, saving themselves millions in upgrades to their old Wyse terminals. I got to see a demo of their management interface at the show. “It looks like Active Directory with a policy-based tool and it is super easy to manage and keep track of thousands of desktops,” according to what their CEO, Jed Ayres, told me during the demo. Their product starts at $169 per device.

Another booth held an interesting biometric solution called Veridium ID. They have recently been verified as Citrix Ready, but have been around for a couple of years developing their product. I have seen several biometric products, but this one looked very interesting. Basically, for phones that have a fingerprint sensor, they make use of that as the additional authentication factor. If your phone doesn’t have such a sensor, it uses the camera to take a picture of four of your fingers (as you can see here). It works with any SAML ID provider and at their booth they showed me a demo of it working with an ordinary website and with a Xen-powered solution. Their product starts at $25 per user, which is about half of what the traditional multi-factor vendors are selling their hardware or smart tokens for.