Dear News Agencies – Please wake up.
Marc Rogers prepared a fantastic writeup on his blog entitled “Why the Sony hack is unlikely to be the work of North Korea.” I suggest that EVERY media outlet take a moment and review it. It is clear that there is far more research and digging to be done with regard to this security breach, and to ANY future stories pertaining to Information Security breaches.
For the most part (Brian Krebs being the primary exception), mainstream news has a significant knowledge gap when it comes to technology. They haven’t figured out how to report security breaches without flogging the word “hack” or immediately blaming someone to gain headlines.
The most alarming part, IMHO, is that there is a chance that we will NEVER know the real root cause; however, Marc’s blog post does find some very insightful indicators that the North Korea angle is simply wrong.
Lastly, thank you, Marc, for a well-reasoned and thought-out contribution to the current Sony issues.
Welcome to the December holiday season! With our busy December schedules, we need to be aware that data breaches also occur during the holiday season. Criminals understand that the holiday season is a very busy time, not just for individuals, but also for employers, companies, and all sectors of industry.
For those that may have missed it, 60 Minutes did a short 13-minute piece on credit card fraud. For those that remember, there were several breaches this past year, and many of them were in place well before the 2013 holiday season. The main point of all of this is to create an environment where we can all be on the lookout for the risks, have open discussions, and ensure that we are all doing our part to secure our personal information. Please take a moment to view the video.
Some Data Breach Presents for under your tree!
We have found a few infographics for you that show the number and sources of some of the largest breaches of 2013/2014. You can find them below.
As always, have a productive, safe and happy holiday season, from all of us here.
- 60 Minutes Video – As hacking of top retailers make headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season (opensourcesinfo.org)
- More data breaches expected this holiday season (bizjournals.com)
- Avoiding credit card fraud in the holiday season (lexingtonlaw.com)
For those who have been following, there are some nuances of the latest Crypto Security flaws that may have been missed by most…
Adding to my previous post: you should not only completely disable SSL v3 and v2, but also consider disabling TLS v1.0.
As well, another good site to test your browser / client for its security configuration is https://www.howsmyssl.com/
- New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue (threatpost.com)
- Not So Fast on BEAST Attack Mitigations (threatpost.com)
Wow, that happened FAST!!! (time flies…)
Well, it’s now the middle of October. We’re back, and had a wonderful time in Hawaii, getting married and spending our honeymoon in Wailea and Kihei on the wonderful island of Maui. For those who care, we held a very private ceremony on Po’olenalena Beach (aka Chang’s Beach) with only our officiant and ourselves. There will be photos soon… we’re waiting on them from the photographer.
Now on to what I missed and fell into upon returning:
- The POODLE vulnerability
- The Great Californian Shakeout
- National Cyber Security Month
You may (or may not) have noticed that there is a gap in my posting recently.
I’m getting married on October 4th of this year, and now I’m running at 110 mph finalizing and preparing to go out of town for that event! [I know, I can’t believe it either!]
I plan on returning to this space sometime after the middle of October with some new articles, opinions and thoughts around all things information security related.
Hope you all have a great week, and if you wish to contact us, please do so at dc0de at foundpackets dot org.
Ok folks… I know… you don’t want the drivel to end… but I have to take a break. DEFCON 22 is around the corner, and I’m going into full-on preparation mode.
However, this post isn’t without some warnings that you should heed if you’re going to be in Las Vegas next week for BlackHat, DEFCON, and/or BSidesLV (what I like to call InfoSecMecca).
Your smartphone is vulnerable. Period.
Do:
- Lock your smartphone (with battery removed if possible) in a Faraday cage in your hotel room, and don’t turn it on for any reason, except in a life-threatening emergency. (No, I’m not kidding.)
- Disable ANY/ALL automatic update services, whether from Google Play, the Apple Store, or any other source of software updates. This also includes the Amazon store and your carrier’s automatic updates.
- Purchase an OLDER pay-as-you-go phone and forward your mobile number to that one, or simply get with the 20th century and use Google Voice. This will set you back $30-50, depending on what phone and what services you buy and how much you plan on using it, but it’s far cheaper than having your smartphone “pown3d” and your office getting emails from you saying “I went to and all I got was digitally raped”.
Don’t:
- Believe that your [insert security vendor app] is going to protect you. It won’t.
- Bother discussing or commenting if you are one of those who takes their smartphone to “see what’s going to happen”. For you, I have no words.
- Enable purchasing from any mobile device while in Las Vegas during InfoSecMecca.
- Worry, be happy.
That’s all I’ve got, and I hope to see you in Vegas during InfoSecMecca; I’ll be running around between BSidesLV and working @ DEFCON.
For those travelling this week and next, please be safe.
In the past weeks, as I’ve restarted blogging about Information Security, I’ve become much more curious about how non-technical people view Information Security. In my non-scientific assessment, casually watching people use their computers and mobile devices all around me, I’ve determined (again, very unscientifically) that the majority of people simply don’t care. I’m over being shocked, stunned, or befuddled; now I simply accept it. So, I’ve been asking myself the following questions.
- Does Information Security for Consumers need to be fixed?
- Who is responsible for fixing Information Security for Consumers?
- Where should Information Security for Consumers be fixed?
- How should Information Security for Consumers be fixed?
So, in this entry, I’m going to try to tackle the first bullet, and leave the other three (or more, if I get some good suggestions) for follow-up blogs. So, here goes.
Does Information Security need to be “fixed” for consumers?
Wow, what a loaded question. The short answer? There isn’t one. On this question, I see a variety of issues, opportunities, and, simply, a bunch of FUD. There will be companies claiming that they do this for you, for your mobile devices, and IMHO there are some that do this job adequately; however, they don’t have a desktop equivalent, which prevents the consumer from having ONE tool to use. Remember, consumers want the “Easy” Button. (Thanks Staples, you ruined it for the next guy.) Most of the tools are cumbersome, written with technical experts as the audience, and filled with bloat.
What happened to the software community? There once was a time when a tool simply did its job and functioned, without damaging or [severely] impacting performance. Can we get back to that please? (Looking at you, Symantec, and a few others.) I truly want to be able to recommend some tools to the consumers in my life who aren’t tech savvy, and when I do, I end up supporting said tools. So, [insert big software company names here], I’m done recommending your tools and utilities. I’m simply going to tell those people that they’re on their own and that Your Mileage May Vary (YMMV).
But I’m straying from the question… back to the point: should Information Security be fixed for Consumers? In order for Information Security to be functional for the Consumer, it needs to be simple. It needs to continually and repeatedly remind Consumers what data they are l̶e̶a̶k̶i̶n̶g sharing, and give them the options to return to a more secure posture. The updates should be automatic, and secure. Sign everything that you do with your code/software/updates. If it takes a little longer, background the process so that it notifies the Consumer that it’s going to take a few minutes/hours, and that the tool/software will let them know when it is completed. These are SIMPLE things. And yet, it seems that it has to be called out.
So, the simple answer to this question?
It needs to be fixed.
Do you have any thoughts on this? Any suggestions for any more bullet points? Comments? Let me know…
We have worked long and hard in the Information Security world to keep ourselves anonymous on the internet, for many reasons, and yet here we are, with some new revelations that we’re being tracked yet again.
We have seen many articles on the use of Tor, its beginnings, and how the CIA, DARPA and others have funded it to enable their resources to use the internet with anonymity, and how they have methods available to find the actual end user communicating using the service (see “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info).
However, what I’m talking about here is something that I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014. There is a topic of great interest to me. Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5. I did this to make my browsing more secure; however, the report from the podcast showed me that this comes with a new privacy leak. “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5 there is:
“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”
Basically, as I understand it, the canvas is an HTML5 feature that allows a website to draw pixels in your browser; it is meant for drawing objects, but because of differences in fonts, operating systems, and many other variables, there are now methods to fingerprint the system, and potentially the end user. One of the primary offenders is the popular blog plugin called “AddThis”.
“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”
The article is very disturbing, and they include a proof-of-concept URL to test your own browser. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.
The only method that I can use to prevent this is NoScript in Firefox; however, it makes any HTML5 page useless.
Stay tuned; I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on your canvas in a hidden format. I’m proposing the name NO-CANVAS: something that works like NoScript, and allows you to whitelist sites and/or objects that request access to the HTML5 canvas.
Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and NoScript plugins.
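Here is a sketch of that NO-CANVAS idea, added as an example for this post (it is neither AddThis’s code nor an existing plugin): drawing on a canvas is harmless, the leak happens when a script reads the rendered pixels back, so the guard wraps those read-back calls and honours them only for whitelisted sites. The names createCanvasGuard/runDemo, the allow-list format and the stand-in prototypes used for the offline demo are assumptions.

```javascript
// Added example, not from the original post: a "NO-CANVAS" style guard.
// It wraps the canvas read-back methods, lets only allow-listed page
// origins through, and otherwise returns constant data and logs the
// attempt. createCanvasGuard/runDemo and the allow-list format are assumed.
function createCanvasGuard(allowlist, getOrigin) {
  const blocked = [];                                   // audit log
  const allowed = () => allowlist.includes(getOrigin());
  // Replace proto[method] with a version that consults the allow-list.
  function wrap(proto, method, blank) {
    const original = proto[method];
    if (typeof original !== 'function') return;
    proto[method] = function (...args) {
      if (allowed()) return original.apply(this, args);
      blocked.push({ method, origin: getOrigin() });
      return blank(args);
    };
  }
  return {
    blocked,
    protect(canvasProto, ctxProto) {
      // toDataURL is the usual way a fingerprinting script reads the hidden image back.
      wrap(canvasProto, 'toDataURL', () => 'data:,');
      // getImageData gets all-zero pixels instead of the device-specific ones.
      wrap(ctxProto, 'getImageData', ([, , w, h]) => ({
        width: w, height: h, data: new Uint8ClampedArray(w * h * 4),
      }));
    },
  };
}

// In a real browser the guard is installed on the live prototypes.
if (typeof HTMLCanvasElement !== 'undefined') {
  createCanvasGuard(['trusted.example'], () => location.hostname)
    .protect(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype);
}

// Constructed stand-ins for the browser prototypes, so the guard runs offline (e.g. under Node).
function runDemo() {
  let origin = 'tracker.example';
  const canvasProto = { toDataURL() { return 'data:image/png;base64,REALPIXELS'; } };
  const ctxProto = { getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray([9, 9, 9, 9]) };
  } };
  const guard = createCanvasGuard(['trusted.example'], () => origin);
  guard.protect(canvasProto, ctxProto);
  const onTracker = canvasProto.toDataURL();                 // blocked: 'data:,'
  const pixelsOnTracker = ctxProto.getImageData(0, 0, 1, 1); // blocked: zeros
  origin = 'trusted.example';
  const onTrusted = canvasProto.toDataURL();                 // allowed: real data
  return { onTracker, pixelsOnTracker, onTrusted, blocked: guard.blocked };
}
```

A real plugin would need to install the guard before any page script runs, since a script that loaded earlier could still hold a reference to the original methods.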
What are your thoughts, is this paranoia, or a significant risk?
- How companies use Canvas Fingerprinting to track you online (ghacks.net)
- The hidden threat in your browser: Share buttons reveal personal information each time you visit certain popular sites (and even the White House is affected) (dailymail.co.uk)
- What You Need to Know About the Sneakiest New Online Tracking Tool (gizmodo.co.uk)
- Canvas fingerprinting is like a cookie you can’t block, and thousands of sites are using it (geek.com)
- 404 – New online consumer tracking tool is virtually impossible to block (welsh.typepad.com)
So, I went to Walmart with my fiancé, and while we were checking out, I showed my credit card and ID to the employee at the checkout, and the person said, “I don’t know why people do that, it’s not like we check ID for credit cards.” The checkout clerk didn’t even want to look at my card or my ID, nor did he validate that my card was signed. (Which it’s NOT.)
I tried to explain that when using a credit card, identification is also supposed to be checked, and this person replied, “What if someone gave their card to another person to buy things for them? It’s not like we [Walmart] have a policy against people using other people’s cards, it’s not like we can stop them or anything.” They followed with, “we allow people to use cards that aren’t theirs, we do it all the time.”
I took a moment to try to explain that this was fraud, but the person behind the register simply said, “Well how can it be illegal, we do it all the time?”
I finally finished with the statement, “Well, now I know how my credit card was used illegally in Lawrenceville Georgia last month at a Walmart.” It seems to be the place to purchase goods with stolen credit cards.
Needless to say, Walmart seems to be the lowest common denominator when it comes to Credit Card Fraud. Read some of the stories below to learn more…
Do you have a retailer that doesn’t check cards well? Please comment and let us know.
- Walmart Rejects Con Men’s First 12 Fake Credit Cards – Then Accepts 2 (dailyfinance.com)
- New Walmart Policy Requires Customers To Fork Over Their Credit Card’s 3-Digit Security Code (consumerist.com)
- Walmart Protects Cyberthief Privacy While Choosing To Not Prosecute (storefrontbacktalk.com)
- Suspect wanted for alleged credit card theft, fraud in Suffolk (wtkr.com)
- Police Seek Fraud Suspect (stlouis.cbslocal.com)
- 302 Counts of Fraud Offenses In Wallingford Arrest (connecticut.cbslocal.com)
- Woman admits gambling fraud, credit card theft (billingsgazette.com)
- How One Woman Stopped Card Fraud at Walmart (storefrontbacktalk.com)
Today, while going through some of our logs, I was alerted to several instances of systems that are susceptible to a “reverse Heartbleed” attack. As the company I work for is very risk averse, I tried to contact the hosting company (SoftLayer) to discuss this with them. I reached out to them via their online chat application and chatted with a nice fellow, presumably named “Jason S.” The transcript of the conversation appears below, with my name and my company’s information redacted.
Thank you for choosing SoftLayer. A representative will be with you shortly. <telephone#>
You are now chatting with ‘Jason S’
Jason S: Hello, thank you for contacting SoftLayer. How can I help you today?
dc0de: Jason, how can I get in contact with your Information Security Group? We are receiving attempts to break into our systems from one of your hosted IP Addresses
dc0de: Actually, from several.
Jason S: I’m sorry to hear this dc0de
Jason S: May I have your account number?
dc0de: We do not have an account number.
dc0de: I’m with , and I’m a Sr. Information Security Analyst, working for the VP of Information Security.
dc0de: dc0de Information Security Analyst
dc0de: ^^ My information
dc0de: If you could put me in contact with your information security team, I would greatly appreciate it.
Jason S: You will need to email firstname.lastname@example.org
Jason S: Put all the information you have in the email and our abuse team will take care of it
dc0de: I would like to speak to someone on the phone or we will have to block your IP ranges from coming to our data centers, thereby potentially impacting your customers.
dc0de: Could you have someone in your Information Security team contact me directly, or provide me with a phone number to call?
Jason S: You can try our support number
Jason S: SUPPORT: 866.403.7638
Jason S: But I’m afraid they are going to tell you the same thing.
dc0de: are you saying that you do not have an information security department?
Jason S: We do take these things seriously and will look into it
Jason S: That would be our abuse team
dc0de: and they are only available via email? That’s not very approachable.
Jason S: Is there anything else I can assist you with dc0de?
Jason S: Thank you for choosing SoftLayer. We value your feedback. Please click the “Close” button at top right to answer a few questions about your experience with us today.
As you can see, there wasn’t a very simple method to get in touch with their “InfoSec” people, and as such, I’ve gone to Twitter and posted this, to show how poor hosting providers are these days, and how difficult they make doing our jobs in InfoSec.
The worst part? SoftLayer is hosting several systems, for a company based out of Nigeria, in their Dallas data center that are at the heart of the problem. Whelp, if you’re a SoftLayer customer and have difficulty communicating with some businesses in North America, don’t blame us; we just blocked the SoftLayer network blocks at our border.
Note to SoftLayer – We tried to get in touch with you, and you made it very inconvenient, if not impossible to work together. Kthnxbye.