Doug Lhotka

Technical Storyteller

(C) Copyright 2019-2020
Doug Lhotka

It’s 2019 and we know better

By

(c) Depositphotos / MichalLudwiczak

Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices.  These aren’t small shops like Bob’s Bait and eCommerce site, rather big brand name organizations that have sophisticated security practices.  So why do these things continue to happen?

Let me walk through some examples first.  A fairly large regional credit union asked me to submit some paperwork for a mortgage loan….via email.   I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day. Took the situation very seriously, and I still would do business with them.

A major bank decided, without a request, or authorization, to start sending email notifications of credit card payment’s being due, including last four of the account, balance due, and credit limit, all of which are sensitive.  This is the same company that continually does a soft pull of credit scores to put on the bills – again, it’s opt-out instead of opt-in.  I reached out through their public contact info, heard no response, and closed my account a week later.

Press reports this week talk about a large telco provider that uses a default PIN on accounts of 0000 to ‘secure’ them.  They are ‘working on it’.  Fortunately that line of business has widespread competition, but in other areas they have monopoly control.  I could probably cite dozens of reports of common default credentials.

There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into applications.  Why anyone is surprised is beyond me.  There’s no such thing as a free puppy, or social media site.

A number of password management software vendors badly muffed the PR response to the recent report of credential harvesting from direct memory attacks.  Technically they’re right – the machine has to be compromised for the attack to work, but from a PR standpoint it’s a bad situation.  They build their company on trust, and customers feel as if that’s been broken.  I still use the software, but then again, I’d read the security paper, so this wasn’t a surprise to me.

An ecommerce site reported a loss of credit card information when their shopping cart software – which was out of date – was hacked.  There’s a new thunderbolt attack that can dump memory.   Companies continue to produce public computers where people can enter sensitive information (think hotel business centers and all those tablets in the airport).  And there’s dozens of companies, including some of the world’s largest brokerage firms, still relying on mother’s maiden name, last four of SSN, or other easily discoverable/guessed alternate authentication schemes.

In many cases, to paraphrase Ian Malcom from Jurassic Park , these companies are focused more on how they ‘could’ rather than if they ‘should’.  I’m sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn’t bother to ask anyone in the security or privacy departments if they should – or how to do it safely. The telco provider, I’m sure, made that decision by the support and account people who were more worried about account recovery challenges than account takeover attacks.  They are paid on minimizing call center costs, so optimized for their own interests over that of the customers.

Both those tie with previous articles, from having the CISO report to the CEO or CRO instead of the CIO – so that they are a peer of the business, rather than subordinate to a service organization, to pushing not just internal security awareness, but also productsecurity awareness throughout the business. But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.

The most insidious reason though is inertia.  They’ve asked for mother’s maiden name since the beginning of time, and continue to do so because no on pushes change.  They don’t patch criticial vulnerabilities, because ‘the system works’.  They don’t upgrade to the new OS because it requires a hardware refresh.  In some cases, like hardware, that may be a valid business decision (though I’d argue it’s a reflection many times of poor prior planning – like the Windows 7 desupport date.  Not a secret!), but most of the time no formal decision was made.

Changing the reporting structure is a major undertaking, and something for CEO’s to consider. Building a risk management workflow across stakeholders would be a good initiative for COO’s.  CISO’s can provide a conduit for ‘bad behavior escalation’. CRO’s can expand the requirements for product security and privacy training.  For everyone else, there is something we all can, and should do, especially as security professionals.

Speak up.

If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change.  There’s no excuse for these bad practices to continue in 2019.  Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.

Striking back against cyber attack: tempting, but no

By

(c) Depositphotos / Gorodenkoff

Andy Kessler wrote an op-ed in the Wall Street Journal last week advocating for striking back against every cyberattack.  I’ve written before about why that’s a bad idea for private organizations, yet in this case he’s advocating for a government response.  While it’s very tempting emotionally, when we step back and look at the options and risk, it’s not really viable.

Look, I get it, we have nation state actors probing our networks, attacking our critical infrastructure, intercepting sensitive government communications, and conducting economic cyber espionage against us.  We, and every nation state, does all that except for the economic espionage.  The argument is that if these were kinetic attacks, we’d be dropping bombs on the perpetrators before lunchtime, but unfortunately the analogy doesn’t really apply.

First, there’s the problem of vulnerabilities.  Unlike bombs where we can just manufacture more, once a particular exploit is used against a target, it’s likely spent.  Upon discovery it’ll be remediated, so if we’ve used it to ‘fire a warning shot’, we may not have a capability to take more aggressive action in the future.  That’s also true if it’s a simple credential compromise – once used, the credentials are changed, and we lose access for future action.

But what’s worse is the potential for the adversary to capture the exploit code and weaponize it against us.  Or, and history shows this to be likely, a targeted attack causes widespread collateral damage because the code is self-propagating.   Both bring us to the problem of stockpiling vulnerabilities versus having vendors patch them.  We use many of the same systems as the bad actors do, so we’re at as much, or more, risk than they are.  Put simply, I’d much rather have my water system or power grid patched so we stay up, than be able to take someone else’s down.

Of course, before we even have the option of hacking back, we have to know who hacked us to begin with. I’ve written in detail on the problem of attribution, and not much has changed.   If it becomes known that we hack back reflexively, we’ll see one actor spoofing attacks by another in order to create international chaos.   Both hacking the wrong target, and even hacking the right one risks significant escalation and put our civilian population in jeopardy. The lead time to replace major components of our electrical grid, fuel pipelines, and water systems is measured in months, not days or weeks.  Yes, we’re at risk of that now if, as one CISO put it, “the cyber cold war turns into a cyber hot war”, but so far, Mutually Assured Destruction (MAD) applies as much to cyber as it does to nuclear warfare.  It’s irrational, but it works – and we can even back up cyber-MAD with kinetic attacks too.

A better option is to unilaterally declare, much like the START treaty, a Strategic Cyber Arms Reduction Effort (SCARE, yeah, sorry) by aggressively testing and remediating vulnerabilities across our critical infrastructure.  Every vulnerability we find and patch removes the exploit from everycyber arsenal.  Fewer cyber arms makes for a safer world – and we have far more to lose than our adversaries.

Fortunately most of the impactful attacks at the moment are economic in nature, and deserve an economic response. We can’t conduct economic espionage because no American company would ever use that information – lawsuits abound (and the government isn’t exactly going to sell foreign credit card numbers on the black market!).  So the only viable option to address things like intellectual property theft, and one for which there’s widespread bi-partisan support, is via trade policy and other diplomatic efforts, which are underway.

Those two efforts aren’t perfect. Diplomacy is open to violation of agreements.   Testing and remediation is unlikely to find everything. Yet the combination is a far better option than playing chicken with critical infrastructure.

Managing online risk – beyond the basics

By

I had a conversation recently with someone who’s a ‘high value target’ about how to stay safe online and recalled an article earlier this year that a famous actress no longer will take selfies with fans because they include time and location information, as well as what she’s currently wearing.  She’s worried about stalkers.  While not exclusive to folks like celebrities and politicians – they really do have different threat models – we can all learn from their situation to help protect ourselves.

So this builds on my previous post about staying safe online, and touches on some of the same things, but unlike that one where the advice is broadly applicable, much in this one is about tradeoffs and risk tolerance.  Follow that previous advice, then check below for updates and more ideas.

Passwords

I continue to recommend 1Password from AgileBits as a password manager, especially with the new features (I’m a paid customer, and happy to be one).  Yet it depends on having a secure passphrase, and none of the old techniques (e.g. using the first letter of the words in a phrase) have enough entropy to resist modern attacks.  Instead use a long sentence – something like ‘shark tornado pine tree Snowman h3ll0’ – length is king.  If you do that, and don’t get hit with a keylogger, you probably will never need to change it.  Don’t worry, after a bit muscle memory makes it easy to type.  Ditto on the password to unlock your computer.

Yes, this is somewhat inconvenient.  But it’s not optional for anyone these days – we’re all high value targets.

Vendors

There is no such thing as a free puppy – everything has costs, and someone’s always getting paid. If you’re not paying, most likely they’re selling your personal information either ‘anonymized’ (which is often poorly done and reversible), or outright as your individual data.   Companies hide behind massive EULA’s that no one reads, change terms and settings on a regular basis, and in some cases resort to dissembling, distracting and outright misleading statements – even to Congress.

So you need to choose what vendors you do business with.  I carry Apple devices because their business model isn’t based on exploiting their customers.  Do they gather data?  Sure. Do they also have an advertising business?  Yep. But of the options out there, they’re by far the best option.  I severely limit how and which social networks I use, including things like secure messaging (I use Signal instead), and would absolutely never use that identity to login to any other site or service.  Likewise, I’m in the process of switching my search engine default to DuckDuckGo (though I will use Bing, and then Google in a private window if I don’t get good results).

Two/Multi-Factor

Simply put, enable it.   If your vendor doesn’t offer it, or only offers SMS based solutions, complain or find a new one.  For most of us, SMS is better than nothing, but for a high-value target, spoofing SIM cards has become so easy that you need to move on to a vendor with a modern approach.

Apple has built 2FA into their devices, and 1Password now has integrated 2FA capability for most other sites.   App-based 2FA like Authy or 1Password even allows you to have multiple trusted devices, while others like Microsoft, only support a single device, which is a risk itself.  Note that this makes having a long and strong 1Password passphrase all that more important! Look for companies that support the TOTP standard.

Verbal passwords & Security Questions

This is so important I’m reviewing it again from the previous post.  Call every business you work with and add a verbal password to the account (store it in 1Password of course).  If the only field they have is ‘mother’s maiden name’, first, consider terminating your business relationship with them and switching to a vendor that cares about identity theft.   If you can’t, then at least create a unique word for each one – none of which can be found on your social media sites.  If they only offer the last four of SSN, won’t disable it as an option, and won’t add a verbal password, then find a new company to work with.  Full stop.  At this point that’s essentially negligent.

That’s one example of a ‘security’ question.  For online accounts, my advice remains the same.  Lie.  Use unique lies for each one, recorded in 1Password.  This is especiallycritical if you’re a public figure.  Most of the celebrity hacks have come by resetting passwords using security questions where the information is on social media (more on that later).

Likewise, lie about birth day, lie about where you live, lie about your hair color – lie about anything that the company doesn’t have a legitimate business, regulatory, or functional need to know.

Biometrics

There’s a whole lot of bad biometric systems out there, particularly in the inexpensive android world. Fig leaves aren’t secure!

Even with good ones, I’m not a fan of using biometrics to unlock your password manager.  Take the time and enter the passphrase.

For a public figure, I wouldn’t use them to unlock devices as there’s too many opportunities to capture information to spoof them. Instead use long complex passcodes (not a PIN!). This is a major inconvenience, so you’ll have to evaluate your threat model and see if it’s worth it.  For myself, I allow the phone to unlock with TouchID (as of this writing FaceID seems to be secure, but I continue to be skeptical), but not my mac (as there’s no wipe feature on the computer), and absolutely don’t allow my watch to unlock the computer.

Email accounts

Your email account is the most important one to protect, because it’s how all your other passwords are reset.  It absolutelymust have a robust random password on it.  You should neveraccess it from a device you do not own, and I’d highly recommend using an application rather than a web browser.

Consider using a business-grade paid service for your email.  It’ll allow you to separate your email account from the management account, so you can easily restore access if the email account is compromised.  Paid services, like Microsoft Exchange Online, provide much better protection across the board – encryption at rest, better spam and malware protection, and 2FA.  If you’re a high-value target, this is probably a mandatory change, and at around $4/month, well worth the investment.

See my original post for other email tips.

Location and Apps vs Browser

Location is of huge value to an advertising-based business model like Google Maps, Waze, Facebook, Instagram, and so on.  For public figures, this is a safety issue, and for the rest of us, something to think about.  For apps like Waze, I’d gladly pay for a ‘ad/tracking free and privacy first’ option, and hope that recent pressure moves companies like this to change their business model.

First, change the location privacy setting to ‘only while using’, and turn it off for apps that don’t need it (like Facebook).  Unfortunately, some apps like Netflix and Hulu require location tracking so they can respect content contracts, including those nutty sports blackout areas.  Be careful though, some apps are notorious for sharing more data than you intend, and in some cases, outright lie about what’s captured regardless of the settings.

Using a web browser prevents a lot of this – and if you put it into private mode and close your tabs on a regular basis, it’ll help prevent them from creating a dossier.

Pictures are the other big source of location leaks.  Your GPS data and time stamps are included in the metadata every time you take a picture- that’s what the actress is concerned about.  When I post photographs to my blog or LinkedIn, I export them from Lightroom and strip all metadata other than copyright.  If you’re a high-value target, especially if you’re concerned about physical safety, you probably need to take explicit steps to avoid leaking your location this way.

VPN

Mobile and landline data carriers leverage DNS and other traffic analysis to target advertising and generate revenue off what you do.  You can fix the DNS problem on your home network by changing to 9.9.9.9 (Quad9) or 1.1.1.1 (Cloudflare), and I use both (in that order) on my home network. 1.1.1.1 now has an iOS app that will tunnel your DNS queries to their servers rather than the mobile carrier, which is really cool!

Using a full VPN adds further protection, particularly if you’re on a public (e.g. hotel) network, but do you really need one?  If you’re a high-value target, I’d argue yes, but not without risk as you’re transferring trust from one company to another and the VPN industry is notoriously shady (run away from anything free).  For the record, I trust Cloudflare, and Quad9 (the latter alliance includes IBM).  I do use a VPN but am not comfortable endorsing one – research carefully.

Data

Let me close with the piece of advice both obvious, and one we forget.

We all need to realize that we will have an account compromised at some point, and they will go after exactly what we most want kept private.  Yet more than that:  even if it’s not a hack, public posts can come back to haunt you in job interviews or other ways.

I want to be clear – I am notblaming anyone who’s been victimized by a hack, particularly where very personal/intimate information or photographs have been exposed. That’s a horrific invasion of privacy, and my sympathy goes out to those impacted by such a betrayal.

Unfortunately, the Internet never forgets.  Please talk with your kids and make sure that they understand the risks, then go clean out your own archives.

Simply put, if it’s not online, it’s harder to steal.  If it doesn’t exist, there’s no risk.