Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2020
Doug Lhotka

It’s never ‘just email’ – secure your endpoints

By

(c) Depositphotos / @ duha127

Like many security folks, I always grab and read the Verizon Data Breach Investigations report when it comes out, looking for trends and themes.  One of the things that struck me this year is that email remains a broad attack surface.  At that same time, my own conversations with security teams have seen a troubling anti-pattern:  unmanaged devices, especially mobile and BYOD, because users ‘only get email’ on them.  Combine the two, and it’s an attack vector in waiting.

Email is a broad theme across sections of the report – it’s the most common entry point for malware, phishing (almost always via email) is the top social action in a breach, sending data to the wrong people, attempts to compromise accounts either for or via email, fraud perpetrated by a man-in-the-middle attack in payment email chains, and a number of others.  Part of the threat is that Email is the most common vector to reset passwords, bypassing most MFA systems – and attackers know this, and force fail back to that method. If they get access to your email account, they really do have the keys to the kingdom.

At the same time, there’s growing demand by employees to allow BYOD, especially on mobile devices. Coupled with financial pressures to reduce corporate assets, a highly mobile and remote workforce, and a blurring of traditional office hours, access to email is happening on a growing number of endpoints.  Most BYOD is mobile which are a mixed bag in terms of built-in security, ranging from Apple’s hardened iOS environment and walled garden at one end, to cheap offshore android phones that come with free pre-installed malware.   Validating email on mobile, as the report notes, is extremely difficult (ever try to view the raw headers on an iPhone?).

On the laptop side, allowing access to corporate email or systems isn’t as widespread, but it still happens fairly frequently.   Even though it’s easier to validate email contents, it’s still not perfect.  One company I work with had a C-level executive’s credentials stolen…by phishing his children, who clicked the link, installed malware on the personal machine, which then captured the executives credentials logging into the corporate system.

As an aside on personal email account, remember that free email accounts, along with the you’re-the-product privacy implications, can be very difficult to recover if they are compromised. A paid service, like Exchange Online, lets you have a separate administrator account which you can use to disable and recover control over your email account.  Of course, you’ll also have access to actual people to help too. The services are cheaper than a latte, and worth every penny.

For both corporate and personal email our risk models need to change:  email is a major threat vector that provides a foothold for credential compromise, account takeover, and malware installation, and we need to assess risk in that overall context, not just the risk of data leakage.

Put it more simply, the idea that we don’t need to manage endpoints that only get email is misguided – we especially need to manage them if they have email access.

Herd Immunity and Microsoft Legacy Patches

By

Microsoft just released patches for a ‘wormable’ vulnerability, and took the unusual step of including XP and Server 2003.  That’s prompted conversations and comments about legacy operating systems and ‘enabling’ tardy upgraders. While there are people who still have their head down in denial, there are other cases where it’s much more complicated.

Clearly end users shouldn’t be on XP these days (and soon shouldn’t be on Windows 7).  But what happens when that endpoint is controlling a multi-million dollar piece of industrial equipment?  Or when it’s embedded into devices like an ATM that require significant investment to replace across an environment In many cases the vendor doesn’t support an upgrade (or has gone out of business), and requires either a major overhaul or outright replacement of the entire system.

On the Server 2003 side, it can be similar – large scale applications have been built that cannot be upgraded easily (or at all), either because the vendor is out of business, or there isn’t sufficient capital available to replace the system.  In some cases, it’s a critical line of business application and the source code isn’t even available.

Security folks tend to default to a ‘replace it’ approach, and that’s definitely reasonable given the legacy nature of those platforms, but it’s never that simple.  Risk has to be balanced with cost, and often that results in lingering legacy environments.  In most of those cases, companies have either firewalled or airgapped those endpoints, sometimes moving to a virtual environment as well.  Unfortunately, some do require internet access for maintenance or functionality, so there may be ways in.

So when a vulnerability comes along that can be ‘wormable’ – autonomous spreading of malware without user intervention, there’s a small (but very important) set of infrastructure that’s at risk.  These systems can’t just be unplugged or disabled easily, as it can have significant impact to the business – potentially to the ‘go out of’ level.

That’s why Microsoft’s decision to issue the patches is commendable.  They’re protecting the ones that legitimately can’t upgrade from the tardy upgraders.  In some cases folks won’t, so a worm may still hit, but if a significant portion do, the effects will be contained and isolated – and that’s where herd immunity comes it.  If we can get most of the legacy systems patched, the risk to the entire environment drops.

If you have legacy systems, by all means, use this as a reason to have the conversation (again) with your stakeholders and vendors about upgrading.  But first, find the machines, and get the patches applied, courtesy of Microsoft’s good will.  Kudos to them for protecting the herd.

It’s 2019 and we know better

By

(c) Depositphotos / MichalLudwiczak

Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices.  These aren’t small shops like Bob’s Bait and eCommerce site, rather big brand name organizations that have sophisticated security practices.  So why do these things continue to happen?

Let me walk through some examples first.  A fairly large regional credit union asked me to submit some paperwork for a mortgage loan….via email.   I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day. Took the situation very seriously, and I still would do business with them.

A major bank decided, without a request, or authorization, to start sending email notifications of credit card payment’s being due, including last four of the account, balance due, and credit limit, all of which are sensitive.  This is the same company that continually does a soft pull of credit scores to put on the bills – again, it’s opt-out instead of opt-in.  I reached out through their public contact info, heard no response, and closed my account a week later.

Press reports this week talk about a large telco provider that uses a default PIN on accounts of 0000 to ‘secure’ them.  They are ‘working on it’.  Fortunately that line of business has widespread competition, but in other areas they have monopoly control.  I could probably cite dozens of reports of common default credentials.

There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into applications.  Why anyone is surprised is beyond me.  There’s no such thing as a free puppy, or social media site.

A number of password management software vendors badly muffed the PR response to the recent report of credential harvesting from direct memory attacks.  Technically they’re right – the machine has to be compromised for the attack to work, but from a PR standpoint it’s a bad situation.  They build their company on trust, and customers feel as if that’s been broken.  I still use the software, but then again, I’d read the security paper, so this wasn’t a surprise to me.

An ecommerce site reported a loss of credit card information when their shopping cart software – which was out of date – was hacked.  There’s a new thunderbolt attack that can dump memory.   Companies continue to produce public computers where people can enter sensitive information (think hotel business centers and all those tablets in the airport).  And there’s dozens of companies, including some of the world’s largest brokerage firms, still relying on mother’s maiden name, last four of SSN, or other easily discoverable/guessed alternate authentication schemes.

In many cases, to paraphrase Ian Malcom from Jurassic Park , these companies are focused more on how they ‘could’ rather than if they ‘should’.  I’m sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn’t bother to ask anyone in the security or privacy departments if they should – or how to do it safely. The telco provider, I’m sure, made that decision by the support and account people who were more worried about account recovery challenges than account takeover attacks.  They are paid on minimizing call center costs, so optimized for their own interests over that of the customers.

Both those tie with previous articles, from having the CISO report to the CEO or CRO instead of the CIO – so that they are a peer of the business, rather than subordinate to a service organization, to pushing not just internal security awareness, but also productsecurity awareness throughout the business. But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.

The most insidious reason though is inertia.  They’ve asked for mother’s maiden name since the beginning of time, and continue to do so because no on pushes change.  They don’t patch criticial vulnerabilities, because ‘the system works’.  They don’t upgrade to the new OS because it requires a hardware refresh.  In some cases, like hardware, that may be a valid business decision (though I’d argue it’s a reflection many times of poor prior planning – like the Windows 7 desupport date.  Not a secret!), but most of the time no formal decision was made.

Changing the reporting structure is a major undertaking, and something for CEO’s to consider. Building a risk management workflow across stakeholders would be a good initiative for COO’s.  CISO’s can provide a conduit for ‘bad behavior escalation’. CRO’s can expand the requirements for product security and privacy training.  For everyone else, there is something we all can, and should do, especially as security professionals.

Speak up.

If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change.  There’s no excuse for these bad practices to continue in 2019.  Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.