Category Archives: cybersecurity

The State of Internet Privacy? In Shambles. Moving on.

Many would consider me an Internet Old Timer.  I used ‘The Internet’; then ARPAnet back in the days when I worked as a Software Engineer for a US defense contractor. Securing communications and having confidence in message integrity; both in the identity of the sender and in the integrity in the content have always been important if not vital to communications over the Internet.  I was struck by this blog post in part because I have heard of Filippo’s work but most of all because I completely agree with his message.

 

Websites Intentionally Disabling Password Managers

It wasn’t just me.  The folks at Wired have noticed that some web sites are not really very password manager friendly.

I travel fairly often.  Lots of that travel is for work but I do get around on personal business and to get away.  One of my go to sites for travel is Hilton dot com.  I’ve been a Hilton customer for a long time.  I like their hotels.  I think they treat me well where ever I go.  This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’; where the site drops a site cookie to your browser.  This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot.  It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached.  I found the test usually involves matching text to pictures.  The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager this test comes up after that software has filled in the username and password fields and submits that data; so my login fails.  Once that fail happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.

 

New Apple Guidelines Explain What Data the Company Will Provide to Law Enforcement

ars technica has a great article that explains recently published Apple guidelines regarding what customer data the company will provide to law enforcement.  Reviewing and understanding Apple’s position is important as the companies consumer devices such as the iPhone, the iPad, and Mac computers running OS/X readily provide users the capability to use both local and cloud storage for data.

The guidelines that are referenced in the ars article were posted by Apple under the heading “Legal Process Guidelines for U.S. Law Enforcement” and were released on May 7th, 2014.

Seminars at the John Jay Center for Private Security and Safety

If you are near New York City and interested in cyber security and criminal justice I suggest attending the seminars at the Center for Private Security and Safety at John Jay College in Manhattan. I attended seminars on cybersecurity and cyber espionage.  The presenters that I saw are faculty from the college.  I found the seminars to be very well prepared and presented.  The technical level of the seminars seems targeted at an undergraduate upper class person (Junior or senior) but all questions both more and less technical in nature were answered.

Why Security is Hard: When APTs became TPAs

Trying to secure the Internet and all it’s users, content, and services is a difficult job. The Internet is a global resource that supports many different cultures and languages.  The purpose of the various Internet web sites that appear on the Internet vary from commercial sites selling products and services to informational sites about many more topics that most people need or care to know about.  There are a myriad of operating systems and applications used to produce and access those sites.  As if Advanced Persistent Threats (APT) were not bad (or scary) enough there is now a new term used to describe the attacks that security personnel are trying to secure all these operating systems and applications from.  Welcome Targeted Persistent Attacks (TPA)!

The first read where I came across TPA was over at Tech Republic.  During an interview with the Research Vice President at NSS Labs they report:

“The truth of the matter is that an APT is sometimes made up of known exploits/vulnerabilities that are not that Advanced; so the term APT doesn’t define the action correctly. TPA highlights that the actor is going after a specific target such as company X or an entire industry sector like financial services, and will be persistent in attacking the target”

Uhh?  So the reason we need a new category of product is because some malware writer slacked off and didn’t use the latest, most advanced exploit or vulnerability and instead used something that Microsoft already addressed a couple of Tuesday’s ago?

To be fair this blog post that also appeared at NSS labs makes a better case for the new term (TPA that was).  What NSS Labs seems to be talking about here is threat or breach detection.  Of course, there is also a TPA focused Breach Detection Systems (BDS) product buyers guide.

 

Using a Heat Map to Relate Security Information

I have been thinking a lot about how security practitioners can share information. They need to be able to tell the masses about security issues.  I usually refer to this as security awareness.  They need to be able to communicate the current security and risk state to organizational leaders.  I came across an interest web site that uses a Heat Map to relate security state information.

Exploit of Trust Hack in a K-12 School

I was contacted the other day and asked to assess the threat posed by the email below.  The message was sent to much of the professional staff of a local school district.  The subject line read “URGENT. MUST READ.”.  The email was from an email account at a North Carolina, US University.  The contents of the message was a link to a web site that read in part “Contact Update”.

Screen Shot 2013-05-29 of email

Following the link users were taken to a web page that looked like this (see below).  The title of the page is “School Support Team” and asks the user to enter their first and last names, date of birth, email address,  username, and password (p-word with confirmation).

Screen Shot 2013-05-29 at 12.14.38 PM

There is no title that associates the site with the school district.  If anything the form asking for a “p-word” should have raised a caution flag to anyone who saw this.

A number of people who received the email message contacted the IT department and asked what they should do.  As the IT administrators fielded more calls they sent email messages to all of the district’s users alerting them not to respond to this message.

In the end several employee’s acknowledged that they had not only received and read the email message but that they had followed the link and filled out the form.  I wish I could say that these were all low level folks who didn’t know better.  But I can’t.

When discovered by the IT staff these employees were advised to change their passwords immediately.  Should their accounts have been disabled and thus forced to choose a new password.  Probably.  But the IT staff and the district don’t have policies in place to mandate such a move.

What’s worse is that some employees complained that they could not change their passwords.  You see they would not be able to remember anything else.  And some of those same people reported that their school password matched that they use for their home email and banking.  Yes.  That was priceless.

Some employees complained that the web filter that blocked them from viewing their favorite web sites while at work should have stopped the message getting through or stopped them from being able to access the web site and form.  The reality is that the message was delivered via email address from a university.  This message exploited the trust relationship formed because the supposed sender was in the “dot edu” domain.  The chances that the web or email filter at a  school would block a message from another school is thin.  An important takeaway from this should be that web sites hosted at free web providers like this one should be blocked.  I did advise that they add the site “webs.com’ to their blacklist.

What can come of this?  I would expect that any account for which the user entered a username and password will be probed.  My guess is that this was a data gathering exercise and that the probes will not start immediately.

If you are a school district IT professional here is what you should add to your defenses.  The link in the message referred to a free web hosting site at webs dot com.

Screen Shot 2013-05-29 at 12.15.16 PM

The web site used a form that was created at the free form Freedback dot com.

Screen Shot 2013-05-29 at 12.14.53 PM

I would suggest adding these sites to your local blacklist.

I did contact Freedback dot com, Webs dot com, and the university that the email came from.  To their credit the team at Freedback dot com responded to my twitter requests to block the site within hours.  The team at webs dot com responded the next business day.  The University still has not responded.

What’s the threat here?  Given the use of the “p-word” I don’t think the attacker is local to the east coast of the US.  This could be just a person or company that sells into schools gathering data so as to avoid cold calling.  This could be an attacker trying to locate users who give up their passwords with the intent of later finding other accounts (think Yahoo Mail or GMail).

My strong recommendation to the person who called me was to step up security awareness training for all district employees.

Cybersecurity & the Law: IT for Oppression

I don’t know how many people read the IEEE Security and Privacy magazine but this past issue closed with a interesting ‘Last Word’ essay by BT CSO Bruce Schneier titled “IT for Oppression”. It’s avery good read that discusses both the positive and negative use of the technology that many here have used and contributed to in the name of improving security. Schneier makes a great case for his call for more research into how to circumvent these technologies.

https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html

While Schneier points out that cyberspace is still waiting the arrival of it’s hero (Gandhi or MLK) he ignores the fact that our system of laws is regularly used to prosecute those who challenge seemingly ‘correct’ uses of security such as the recent Swartz and weev cases .

http://www.wired.com/threatlevel/2013/03/holder-swartz-case/

http://news.idg.no/cw/art.cfm?id=50707CC6-B980-1CD4-53A32E093B8B71AA

http://articles.latimes.com/2013/mar/28/opinion/la-ed-computer-fraud-abuse-act-20130328

Cyber chief warns of rising danger from cyber attacks

“The probability for crisis is mounting,” said Alexander, who also
heads the National Security Agency. He told an audience at the
American Enterprise Institute in Washington that he was concerned
about the changing nature of the threat from disruptive to destructive
attacks and that the numbers of cyber attacks against business and
critical infrastructure are on the rise.

 

http://security.blogs.cnn.com/2012/07/09/cyber-chief-warns-of-rising-danger-f…