OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention that kept an $80 million dollar fraud from becoming an $800 million plus fraud against Bangladesh Bank. Educating your people to recognize out of the ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome).
Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presenting a “pixel perfect” copy of the LastPass login screen where the user could then enter their user name, master password and two factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.
Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts. In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.
One of the debates around LassPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk. Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally. I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites. In particular, the ability to use these programs with both mobile and desktop devices is important – non synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.
I did take this opportunity, however, to look at LastPass’ main competitors, Dashlane and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.
To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes. However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion. Password managers are still a great security solution.
It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage. This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide” really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain. If you manage infosec for your organization or are in the bad guy hunting business, I highly recommend this information and idea packed 45 minute talk by Dave Sharpe (@sharpesecurity). I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big. Best con-talk I have watched in a long time.
A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
The recent discovery of ‘back door’ code and hard coded passwords in Juniper routers has come at a useful time. We don’t know where the code came from or how it got into Juniper’s supply chain, but none of the possibilities are particularly appetizing:
Insiders at Juniper, possibly posing an ongoing threat
Nation state actors, with either inside help or penetration of Juniper’s networks
Criminal actors, again with someone on the inside and/or access to Juniper’s network
All of this is happening as the debate about providing intelligence services with ‘back doors’ to allow them to defeat encryption in their efforts to prevent terrorism. To me, this incident is a great example of why this is a bad idea. Any back doors added to code will eventually be discovered by someone other than the person/organization that they were meant for, putting their capabilities at the service of repressive regimes, terrorists, criminals and other undesirables.
Now that the details of the Juniper issue are out in the world, I am hearing reports of many companies being scanned for vulnerable internet connected devices. Juniper users world-wide have to get their networking staff working on identifying vulnerable devices and testing and applying the patches to them. This process takes more time, effort and cost than the average non networking person would think. To top it all off, many shops are short staffed at this time of year. Whoever was responsible for this may have put a large number of totally innocent organizations at risk (as well as the private data of their customers).
Law enforcement and intelligence agencies have lots of more targeted tools that they could use to specifically target those with larceny or violence in their hearts. Be creative, guys! Work to compromise the endpoints of your targets – roll up your sleeves and infect them with malware, scoop data from their mobile devices and do some old fashioned HUMINT.
If it turns out that the perpetrators of this were non state actors, my level of concern would be even greater as this would mark a significant advance in cyber criminals’ capabilities.
In the end, while terrorists may use encrypted means to communicate, they also must leave trails in the real world – purchases and other suspicious activities come to mind.
To play devil’s advocate for a moment… Is my “you’ll have to pry crypto out of my cold, dead hands” stance so different from the loonies who think everyone from age 12 and up (including people on the no fly list and with mental issues) needs an AR-15 to protect them from the guvnment and ISIS terrorists lurking under their beds? It seems to me that strong crypto is different from AR-15s… It has legitimate uses that protect us all from damage from all sorts of entities (guvnment and criminal). Terrorists use all sorts of dual use tools (duct tape, timers, box cutters, etc) in furtherance of their muderous plots. We aren’t banning all of these items because the risk/reward ratio is pretty clear. I would not feel any safer if everyone were to be banned from buying, say, ball bearings (potential bomb shrapnel) or renting trucks (potential VBIEDs). If we really want to save lives, ban smoking, cars, high fat foods, sugar and about a zillion other things. But we aren’t doing away with these things which would save many more lives than taking away crypto’s secrecy ever could.
Compromising the privacy and safety of everyone on the Internet is not a proportional response to a threat from a relatively small population.
On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club. At this event, co-sponsored by SIFMA, I and a panel of other financial services security professionals bloviated on the challenges facing us today.
Here is a 15 minute “highlights reel” from the panel…
And here is the full discussion, which ran approximately 45 minutes…
The participants were:
Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief
More videos from this event can be found here.
Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money in to my bank account. Sometimes, getting caught up in the day to day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture. I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:
- The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals. Information Security/Risk Management should not be the department that says “No,” it should be the department that says “Here’s how we can move forward – safely.”
- Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management. Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.
- The foundation of Information Security and Risk Management is the organization’s people and culture. Technology certainly has a large role to play in building defenses, but a well educated and vigilant management team and work force (the “Human Firewall”) is the keystone of a successful information security program. Management’s choices as to risk must be informed and the CSRO must provide them with the information needed to make the right decisions.
- While “advanced persistent threats” and cutting edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.
- Information security as a practice has changed significantly in the past decade. While once, we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer. Perimeter controls are still necessary, but networks must be able to withstand an attack from within.
- The Information Security and Risk professional must always be learning – about their organization, their industry as well as about new risks, threat actors and defensive techniques. Both the business and Security and Risk landscapes change daily and only by keeping pace with these changes can the Security and Risk professional remain relevant.