Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

It’s 2019 and we know better

March 1, 2019 By Doug

(c) Depositphotos / MichalLudwiczak

Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices.  These aren’t small shops like Bob’s Bait and eCommerce site, rather big brand name organizations that have sophisticated security practices.  So why do these things continue to happen?

Let me walk through some examples first. A fairly large regional credit union asked me to submit some paperwork for a mortgage loan… via email. I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day. They took the situation very seriously, and I still would do business with them.

A major bank decided, without a request or authorization, to start sending email notifications of credit card payments being due, including the last four of the account, balance due, and credit limit, all of which are sensitive. This is the same company that continually does a soft pull of credit scores to put on the bills – again, it’s opt-out instead of opt-in. I reached out through their public contact info, heard no response, and closed my account a week later.

Press reports this week talk about a large telco provider that uses a default PIN on accounts of 0000 to ‘secure’ them.  They are ‘working on it’.  Fortunately that line of business has widespread competition, but in other areas they have monopoly control.  I could probably cite dozens of reports of common default credentials.

There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into applications.  Why anyone is surprised is beyond me.  There’s no such thing as a free puppy, or social media site.

A number of password management software vendors badly muffed the PR response to the recent report of credential harvesting from direct memory attacks.  Technically they’re right – the machine has to be compromised for the attack to work, but from a PR standpoint it’s a bad situation.  They build their company on trust, and customers feel as if that’s been broken.  I still use the software, but then again, I’d read the security paper, so this wasn’t a surprise to me.

An ecommerce site reported a loss of credit card information when their shopping cart software – which was out of date – was hacked. There’s a new Thunderbolt attack that can dump memory. Companies continue to produce public computers where people can enter sensitive information (think hotel business centers and all those tablets in the airport). And there are dozens of companies, including some of the world’s largest brokerage firms, still relying on mother’s maiden name, last four of SSN, or other easily discoverable/guessed alternate authentication schemes.

In many cases, to paraphrase Ian Malcolm from Jurassic Park, these companies are focused more on how they ‘could’ rather than if they ‘should’. I’m sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn’t bother to ask anyone in the security or privacy departments if they should – or how to do it safely. At the telco provider, I’m sure, that decision was made by the support and account people, who were more worried about account recovery challenges than account takeover attacks. They are paid on minimizing call center costs, so they optimized for their own interests over those of the customers.

Both of those tie to previous articles, from having the CISO report to the CEO or CRO instead of the CIO – so that they are a peer of the business, rather than subordinate to a service organization – to pushing not just internal security awareness, but also product security awareness throughout the business. But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.

The most insidious reason though is inertia. They’ve asked for mother’s maiden name since the beginning of time, and continue to do so because no one pushes change. They don’t patch critical vulnerabilities, because ‘the system works’. They don’t upgrade to the new OS because it requires a hardware refresh. In some cases, like hardware, that may be a valid business decision (though I’d argue it’s many times a reflection of poor prior planning – like the Windows 7 desupport date. Not a secret!), but most of the time no formal decision was made.

Changing the reporting structure is a major undertaking, and something for CEOs to consider. Building a risk management workflow across stakeholders would be a good initiative for COOs. CISOs can provide a conduit for ‘bad behavior escalation’. CROs can expand the requirements for product security and privacy training. For everyone else, there is something we all can, and should, do, especially as security professionals.

Speak up.

If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change.  There’s no excuse for these bad practices to continue in 2019.  Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.

Filed Under: Security Tagged With: 2019, breach, business alignment, inertia, privacy, risk, security

Securing your Dessert

June 7, 2018 By Doug

(C) Depositphotos / belchonock

I have a joy/frustration relationship with Apple.  Their products are amazing and have changed my life, and at the same time some of their design decisions and choices are user hostile (dongles).  Their software usually just works, but when it doesn’t, well, you get Siri. On one point though, their heart – and code – is in the right place, and that’s with security and privacy, so kudos Apple: Mojave certainly isn’t a barren desert – it’s a good dessert when it comes to security and privacy.

In their upcoming releases, Apple is doing a number of things to dramatically improve security and privacy.  Safari will now take steps to prevent ‘fingerprinting’ by returning only generic configuration information, and by blocking the tracking embedded in comments and social media buttons.  They’re also removing social media account integration into the OS.  Both those are big changes that provide passive protection against invasive tracking.

Other changes include a really nice password API for tools like 1Password (my password manager of choice and recommendation). The built-in tools are ok, but I’d rather have a purpose-built solution, and Apple’s now putting that choice into our hands. There are camera and microphone warnings, end-to-end FaceTime encryption and a lot of other small refinements too.

One of the more controversial changes is that they will now block USB data access starting one hour after a passcode was last entered. That renders GrayKey and similar devices useless – it’s a class-protection feature, rather than whacking the specific bug currently exploited. Without getting into the policy issue of law enforcement back doors – after all, math is hard and unforgiving (that’s why gravity is not just a good idea, it’s the law) – this is a protection that we all want. Why? Because it’s only a matter of time before a GrayKey is stolen and reverse engineered. Then we get a dark-web service: ‘Send us the stolen device, and we’ll send you the data back’. No thanks.

What else would I like to see? An option to, after initial connections (e.g. to a captive portal), change my DNS servers to Quad 9 or 1.1.1.1 for further tracking and malware protection (I recommend Quad 9, by the way). Split DNS would be even better – use the network-provided one for local traffic, but a standard one for all other queries. While we can do that on home routers, it’s a real problem when on cellular data.

I’d also like to see an iOS application outbound firewall.  I really don’t want my games sending data back, and while I can block it on cellular, I can’t on wifi.  That’s been an outstanding request in their queue for years.

A bigger stretch (because the content providers would probably freak out), as a separate paid service, would be an iCloud-based VPN that ‘just works’ to protect against ISP eavesdropping, tracking, and HTML injection. The ultimate would be an Apple search engine that doesn’t monetize search data. Just please don’t have Siri do it, or we’re likely to get a Beatles album when we’re looking for information on apple pie recipes :).

Seriously, Apple’s gone a long way to making security consumable by everyone, not just those who have the time and inclination to follow (or build) their own recipe. Kudos to the company, and particularly to Tim Cook, for building a business model of serving customers instead of exploiting consumers. That’s a big reason why I recommend Apple products to my family and friends – secure apple pie makes a great dessert.

Filed Under: Security Tagged With: 1password, apple, dessert, FaceTime, password, privacy, quad9, security

I’m shocked – shocked that Facebook sells data (not)

March 27, 2018 By Doug

There’s been a lot of commentary about Facebook selling data to third party companies over the past week or so. The distaste is understandable, but no one should be surprised. Just who do folks think Facebook’s customers are?

There’s a common refrain in the privacy community: if you’re not paying for it, you’re the product, not the customer. Or, to put it another way – follow the money. This article is posted to my blog, free for all, with no tracking. It’s tweeted about and also posted to LinkedIn, which both definitely track you (I don’t, but they do). If you’re reading it on the latter, you’ve probably now been ‘tagged’ as ‘Facebook, social media, privacy, LinkedIn’ and a bunch more. That information is sold to advertisers and data brokers – and that’s how those companies make their money. Both social media and credit agencies take as much care with your personal information as is warranted by its value to them, not to you.

Social media is a powerful force, which is why I participate on certain platforms (selectively).  It’s why I urge people to be very cautious about how and what they share – those platforms never really forget anything.  Of course political campaigns want access to that information, and if they’re going to sell it to one side, they ethically need to sell it to both.  Rhetorical question: would there have been as much outrage in the media if the data broker had been working with the Hillary campaign instead?

All that aside, no one should be surprised that this happened. That’s how Facebook, Google, Twitter, LinkedIn, and all the rest make their money. It’s also why I use Apple products when practical – while Apple collects some data, their business model doesn’t involve exploiting their customers’ data. I’m glad that the market gives me a choice – at least on the platform side. Right now though, there’s no option on the social media side. I’d like to see those platforms create a ‘paid private’ option that allows access but completely opts the user out from all tracking (even allegedly anonymized), but again, that’s their choice as a business.

I believe that information about a person belongs to that person, and that companies should only be custodians – not owners – of that information. If that were placed into law, it would then require affirmative opt-in consent before each and every time it was transferred or sold. Of course, that won’t really happen because it’d break the business model of most of the Internet. So what can we do? Something along the lines of GDPR coupled with a ‘plain English’ statement of how and where information is used and sold would go a long way, but even that will be hard. Maybe eventually our congresscritters will pay attention to the individual instead of the lobbyist. Until then, all we can really do is control what information we share, choose the platforms we participate in, and make sure we read the terms and conditions.

And don’t be surprised.

Filed Under: Security Tagged With: data broker, facebook, privacy, security
