Jan 17

No, you don’t need to close your LastPass account…

By alberg. Filed under: authentication, hacks, privacy, risk, useful stuff

[Image: Your passwords…]

Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager.  He demonstrated how an attacker could send a user a phishing email that redirects them to a specially crafted web page; that page logged them out of LastPass and then presented a “pixel perfect” copy of the LastPass login screen, where the user would enter their user name, master password and two factor authentication code.  That information would go to the attacker, who would then have access to all of the user’s passwords.

Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker’s page to force the user to log out of the password manager; without the forced logout, a login prompt appearing out of nowhere would be far less convincing.  This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.  Note what the fix covers, though: it removes the attacker’s ability to log you out, not their ability to draw a convincing fake login page, so remain wary of any web page (as opposed to the extension itself) that asks for your master password.
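To make the CSRF half of the attack concrete, here is an added example (not LastPass’ code, and not from the talk) of a logout endpoint that a foreign page can trigger, beside a hardened version of the same endpoint. The request and session objects are a hypothetical minimal shape so the example runs without a web framework; `OUR_ORIGIN`, `make_request`, `SessionStore` and the two handlers are assumptions of this example. The checks are the ones that matter in any stack: state-changing requests must be POST, must echo a per-session token the attacker cannot read, and should be refused when the browser says they came from another origin.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the password manager's web app (placeholder, not LastPass's).
OUR_ORIGIN = "https://vault.example"


class SessionStore:
    """Minimal server-side session table: session id -> user and CSRF token."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def is_logged_in(self, sid):
        return sid in self.sessions

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]


def make_request(method, cookies=None, headers=None, form=None):
    """A request as the handlers below see it (hypothetical shape for this example)."""
    return {"method": method, "cookies": cookies or {},
            "headers": headers or {}, "form": form or {}}


def logout_vulnerable(store, request):
    """Logs out whoever the session cookie belongs to, no questions asked.
    An attacker's page can trigger this with <img src="https://vault.example/logout">:
    the browser attaches the victim's cookie automatically, which is the CSRF."""
    sid = request["cookies"].get("session")
    if sid in store.sessions:
        del store.sessions[sid]
        return 200, "logged out"
    return 401, "no session"


def same_origin(url):
    """True only for an exact scheme + host[:port] match with our own origin."""
    parts, ours = urlsplit(url), urlsplit(OUR_ORIGIN)
    return (parts.scheme, parts.netloc) == (ours.scheme, ours.netloc)


def logout_hardened(store, request):
    """Same action, but only when the request demonstrably came from our own page."""
    sid = request["cookies"].get("session")
    if sid not in store.sessions:
        return 401, "no session"
    if request["method"] != "POST":                       # never change state on GET
        return 405, "logout requires POST"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin and not same_origin(origin):                # browser says it is cross-site
        return 403, "cross-origin request refused"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, store.csrf_token(sid)):  # synchronizer token
        return 403, "missing or wrong csrf token"
    del store.sessions[sid]
    return 200, "logged out"


def forged(sid, method):
    """What the browser sends when the attacker's page triggers /logout."""
    attacker = "https://attacker.example/phish.html"
    headers = {"Referer": attacker}
    if method == "POST":
        headers["Origin"] = "https://attacker.example"
    return make_request(method, cookies={"session": sid}, headers=headers)


def demo():
    """Replays the forced-logout step against both handlers; returns the outcomes."""
    results = {}
    store = SessionStore()
    sid = store.login("alice")
    results["vulnerable_get"] = logout_vulnerable(store, forged(sid, "GET"))[0]
    results["vulnerable_still_logged_in"] = store.is_logged_in(sid)

    store = SessionStore()
    sid = store.login("alice")
    results["hardened_get"] = logout_hardened(store, forged(sid, "GET"))[0]
    results["hardened_cross_post"] = logout_hardened(store, forged(sid, "POST"))[0]
    no_token = make_request("POST", cookies={"session": sid}, headers={"Origin": OUR_ORIGIN})
    results["hardened_no_token"] = logout_hardened(store, no_token)[0]
    legit = make_request("POST", cookies={"session": sid}, headers={"Origin": OUR_ORIGIN},
                         form={"csrf_token": store.csrf_token(sid)})
    results["hardened_legit"] = logout_hardened(store, legit)[0]
    results["hardened_logged_in_after_legit"] = store.is_logged_in(sid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Origin/Referer check is a second line of defence only: some browsers and privacy tools strip those headers, so the token is what the decision rests on, and the token must never be readable from another origin (not in a URL, not in a cookie the attacker can coax the browser into sending).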

I have been a proponent of password managers in general and LastPass in particular, and I still think that LastPass, Dashlane, KeePass and the like are great solutions for protecting your online accounts.  In my opinion, the extra security you achieve by having unique, long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.

One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud, so that they can be shared amongst devices and browsers, presents too much of a security risk.  Many people prefer offline password managers like KeePass, which store the encrypted passwords locally.  I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or Dashlane makes it more likely that they will use long, strong, unique passwords for all sites.  In particular, the ability to use these programs on both mobile and desktop devices is important – non-synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.

I did take this opportunity, however, to look at one of LastPass’ main competitors, Dashlane, and was quite impressed with it from an ease of use point of view.  It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use.  Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag).  Dashlane seems to be easier to configure for the non-technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code.  Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access.  I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of.   I’ll let you know how it goes.

To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes.   However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion.  Password managers are still a great security solution.


Jan 02

Great DerbyCon talk on hunting for the bad guys

By alberg. Filed under: best practices, CSO, malware, useful stuff

[Image: Wabbits or bad guys, all the same to me]

It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage.  This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide” really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain.  If you manage infosec for your organization or are in the bad guy hunting business, I highly recommend this information and idea packed 45 minute talk by Dave Sharpe (@sharpesecurity).    I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big.   Best con-talk I have watched in a long time.



Dec 31

In DPRK, Linux Watches You

By alberg. Filed under: deep thoughts, hacks, Paranoid Peeps, privacy, worst practices

[Image: He might actually be looking at something here…]

A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression.  Case in point – the DPRK’s Red Star Linux distribution.  In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines.  One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data.  The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.

The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.

Watch here…


Dec 23

Leaving the key under the mat for the cops?

By alberg. Filed under: Uncategorized

The recent discovery of ‘back door’ code and a hard-coded password in Juniper’s ScreenOS (the firmware on its NetScreen firewall/VPN devices) has come at a useful time. We don’t know where the code came from or how it got into Juniper’s supply chain, but none of the possibilities are particularly appetizing:

Insiders at Juniper, possibly posing an ongoing threat
Nation state actors, with either inside help or penetration of Juniper’s networks
Criminal actors, again with someone on the inside and/or access to Juniper’s network

All of this is happening as the debate rages about providing intelligence services with ‘back doors’ that would allow them to defeat encryption in their efforts to prevent terrorism. To me, this incident is a great example of why this is a bad idea. Any back door added to code will eventually be discovered by someone other than the person or organization it was meant for, putting its capabilities at the service of repressive regimes, terrorists, criminals and other undesirables.

Now that the details of the Juniper issue are out in the world, I am hearing reports of many companies being scanned for vulnerable internet-connected devices. Juniper users world-wide have to get their networking staff working on identifying vulnerable devices and testing and applying the patches to them. This process takes more time, effort and cost than the average non-networking person would think. To top it all off, many shops are short staffed at this time of year. Whoever was responsible for this may have put a large number of totally innocent organizations at risk (as well as the private data of their customers).

Law enforcement and intelligence agencies have lots of more targeted tools that they could use to specifically target those with larceny or violence in their hearts. Be creative, guys! Work to compromise the endpoints of your targets – roll up your sleeves and infect them with malware, scoop data from their mobile devices and do some old fashioned HUMINT.

If it turns out that the perpetrators of this were non state actors, my level of concern would be even greater as this would mark a significant advance in cyber criminals’ capabilities.

In the end, while terrorists may use encrypted means to communicate, they also must leave trails in the real world – purchases and other suspicious activities come to mind.

To play devil’s advocate for a moment… Is my “you’ll have to pry crypto out of my cold, dead hands” stance so different from the loonies who think everyone from age 12 and up (including people on the no fly list and with mental issues) needs an AR-15 to protect them from the guvnment and ISIS terrorists lurking under their beds? It seems to me that strong crypto is different from AR-15s… It has legitimate uses that protect us all from damage from all sorts of entities (guvnment and criminal). Terrorists use all sorts of dual use tools (duct tape, timers, box cutters, etc.) in furtherance of their murderous plots. We aren’t banning all of these items because the risk/reward ratio is pretty clear. I would not feel any safer if everyone were banned from buying, say, ball bearings (potential bomb shrapnel) or renting trucks (potential VBIEDs). If we really want to save lives, ban smoking, cars, high fat foods, sugar and about a zillion other things. But we aren’t doing away with these things, which would save many more lives than taking away crypto’s secrecy ever could.

Compromising the privacy and safety of everyone on the Internet is not a proportional response to a threat from a relatively small population.

Jun 25

The Practitioner’s Perspective on Cybersecurity – June 2015

By alberg. Filed under: best practices, CSO, deep thoughts

On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club.  At this event, co-sponsored by SIFMA, a panel of other financial services security professionals and I bloviated on the challenges facing us today.

Here is a 15 minute “highlights reel” from the panel…

And here is the full discussion, which ran approximately 45 minutes…

The participants were:

Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief

More videos from this event can be found here.

Jun 01

What should InfoSec people be doing?

By alberg. Filed under: CSO, deep thoughts

Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money in to my bank account.  Sometimes, getting caught up in the day to day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture.  I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:

  • The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals.  Information Security/Risk Management should not be the department that says “No,” it should be the department that says “Here’s how we can move forward – safely.”
  • Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management.  Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.
  • The foundation of Information Security and Risk Management is the organization’s people and culture.  Technology certainly has a large role to play in building defenses, but a well-educated and vigilant management team and work force (the “Human Firewall”) is the keystone of a successful information security program.  Management’s choices as to risk must be informed, and the CSRO must provide them with the information needed to make the right decisions.
  • While “advanced persistent threats” and cutting edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.
  • Information security as a practice has changed significantly in the past decade.  While once we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer.  Perimeter controls are still necessary, but networks must be able to withstand an attack from within.
  • The Information Security and Risk professional must always be learning – about their organization and their industry, as well as about new risks, threat actors and defensive techniques.  Both the business and the Security and Risk landscapes change daily, and only by keeping pace with these changes can the Security and Risk professional remain relevant.

Feb 18

no, it’s not the end user’s fault

By alberg. Filed under: best practices, CSO, deep thoughts, malware, online security, social engineering

[Image: No, you’re not.]

According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”

What security people need to understand is that the end users are not the problem.  The end users are our customers (and one of the main reasons we have jobs).  The problem arises from the increasing sophistication of attackers and their tools and ruses.  In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover over the link and see whether its real destination matches the text) and social engineering (no, the Nigerian prince does not want to give you his money).  Since then, the attackers have been getting better and better at their jobs.  They send very professional looking email and social media bait which is very hard to distinguish from legitimate messages.  They do their homework, mining social media for personal and business information to make their clickbait more convincing.  End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.

I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks.  It has a great return on investment for just about every organization.

We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them.  Organizations need to beef up their email security, adding things like pre-delivery attachment analysis, URL checking at both delivery time and click time (a link can be clean when the message arrives and weaponized an hour later), and exploit mitigation tools (Microsoft’s EMET is free and pretty effective).
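The “hover over the link” check from a few paragraphs up is exactly the kind of thing a mail gateway can do on the user’s behalf. The following is an added example (not from the post, the Bromium survey or any particular product) that walks the HTML body of a message, pairs each link’s visible text with its real destination, and flags the two cases a user is most likely to be fooled by: text that looks like one site while the href goes to another, and links to bare IP addresses. The sample message and all hostnames are constructed for the example; the two-label “registrable domain” rule is a simplification of this example (a real gateway would consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' for anything else."""
    if "://" not in url:
        url = "http://" + url                # bare 'www.example.com/x' in link text
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname. Simplification for this example: a real
    gateway would use the public suffix list so that 'co.uk' is handled."""
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    """Visible text that a user would read as an address."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


def suspicious_links(html):
    """(href, visible text, reason) for each link whose real destination does not
    match what the user is shown, or that points at a bare IP address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        if not dest:
            continue                          # mailto:, javascript:, relative, etc.
        if looks_like_url(text):
            shown = host_of(text)
            if shown and registrable(shown) != registrable(dest):
                findings.append((href, text, f"text shows {shown} but the link goes to {dest}"))
        if dest.replace(".", "").isdigit():
            findings.append((href, text, f"destination is a bare IP address ({dest})"))
    return findings


# Constructed sample message; every hostname is a placeholder.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs verification.</p>
<a href="http://login.bank-example.com.evil-example.net/verify">https://www.bank-example.com/login</a><br>
<a href="https://www.bank-example.com/help">https://www.bank-example.com/help</a><br>
<a href="http://203.0.113.7/update">Update your details</a><br>
<a href="https://www.bank-example.com/unsubscribe">Unsubscribe</a>
</body></html>"""


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

Note what this does not catch: a link whose visible text is plain words (“Update your details”) pointing at a look-alike domain. That is the case where only reputation and click-time checks help, which is the post’s point.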

End users are not stupid.  They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day.  We have to step up our efforts to protect them, not call them a problem.  That’s what we get paid for.

Go hug an end user today.

Nov 30

als, bls, cissp

By alberg. Filed under: deep thoughts, systemic risk

Those of you who have the misfortune to know me personally know that information security is but one piece of the pie that is Al Berg.  (mmmm…. pie…)  On Friday nights, I swap my desk for an ambulance of the Weehawken Volunteer First Aid Squad where I am an Emergency Medical Technician.  Most of the time, these two parts of my life don’t really intersect, but this week, I saw something that seems to bridge the gap.

So, there are two different kinds of ambulances here in the US.  BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation.  EMTs do not administer drugs – we cannot even give you a Tylenol for pain.  If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with an automated defibrillator.  We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.

As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:

90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”

Now, to be clear, your chances of surviving an out of hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge.  CPR works way better on TV than it does in real life.

Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is an information security aspect to this.  Time and again we hear of companies who have spent big on flashy technology and still get owned by hackers.  For example, Target had purchased advanced anti-malware defenses from FireEye as well as outsourced monitoring for those defenses.  According to reports, the people and the technology did detect the bad guys; it was the failure to do the “information security BLS” of examining the systems that were showing signs of trouble that sealed Target’s place on the front page.

There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:

  • Documented policies and procedures
  • Least privilege for user accounts
  • Segmentation of internal networks
  • Applying security patches and updates in a timely fashion
  • Security awareness training
  • Sharing information with other organizations

These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data.  They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them.  Yet, time and again, companies fail to pay enough attention to them.  Part of the problem is that infosec professionals want to get hands on with the latest technology and doing some of these low tech interventions requires serious time and planning to avoid negative impacts to the business.

So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them.   As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.

Nov 23

quick and dirty malware analysis

By alberg. Filed under: best practices, hacks, malware, useful stuff

There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files.  My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment.  Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs.  This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs.   For those with more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier.  MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine.  If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection.   So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
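To show what “reading the report” amounts to, here is an added example (not malwr.com’s, Cuckoo’s or MalwareViz’s code) that turns a sandbox report into a process tree and a list of plain-language findings, and separately flags a run in which the sample did nothing at all, which is what a sandbox-aware sample looks like from the outside. The two reports are constructed for this example; they follow the general shape of a Cuckoo JSON report (processes, summary of files and registry keys, network hosts and DNS), but the exact field names are an assumption of this example rather than Cuckoo’s schema, and the thresholds in `is_quiet` are illustrative.

```python
# Constructed sample report in the general shape of a Cuckoo JSON report.
# Field names are an approximation for this example, not the exact schema.
SAMPLE_REPORT = {
    "info": {"duration": 42},
    "behavior": {
        "processes": [
            {"pid": 1000, "ppid": 800, "process_name": "invoice.exe"},
            {"pid": 1100, "ppid": 1000, "process_name": "cmd.exe"},
            {"pid": 1200, "ppid": 1100, "process_name": "powershell.exe"},
        ],
        "summary": {
            "files": [r"C:\Users\victim\AppData\Local\Temp\upd.exe"],
            "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upd"],
        },
    },
    "network": {
        "dns": [{"request": "cdn.update-example.net"}],
        "hosts": ["198.51.100.23"],
    },
}

# Constructed report of a sample that started, did nothing observable and exited.
QUIET_REPORT = {
    "info": {"duration": 3},
    "behavior": {
        "processes": [{"pid": 1000, "ppid": 800, "process_name": "invoice.exe"}],
        "summary": {"files": [], "keys": []},
    },
    "network": {"dns": [], "hosts": []},
}

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def process_tree(report):
    """'parent (pid) -> child (pid)' edges between processes the sandbox recorded."""
    procs = report["behavior"]["processes"]
    by_pid = {p["pid"]: p["process_name"] for p in procs}
    edges = []
    for p in procs:
        if p["ppid"] in by_pid:               # parent outside the trace is not drawn
            edges.append(f'{by_pid[p["ppid"]]} ({p["ppid"]}) -> {p["process_name"]} ({p["pid"]})')
    return edges


def indicators(report):
    """Findings phrased for someone who will not read the raw API call log."""
    found = []
    summary = report["behavior"]["summary"]
    for path in summary["files"]:
        low = path.lower()
        if "\\temp\\" in low and low.endswith(".exe"):
            found.append(f"drops an executable in a temp directory: {path}")
    for key in summary["keys"]:
        if "\\currentversion\\run" in key.lower():
            found.append(f"sets up persistence via a Run key: {key}")
    names = {p["process_name"].lower() for p in report["behavior"]["processes"]}
    spawned = sorted(names & INTERPRETERS)
    if spawned:
        found.append("spawns a shell or script interpreter: " + ", ".join(spawned))
    for entry in report["network"]["dns"]:
        found.append(f"resolves {entry['request']}")
    for host in report["network"]["hosts"]:
        found.append(f"contacts {host}")
    return found


def is_quiet(report):
    """True when the sample wrote nothing, touched no registry keys, made no network
    connections, spawned nothing and exited quickly. That is either a benign file
    or one that noticed the sandbox, so a clean verdict here is weak evidence."""
    s, n = report["behavior"]["summary"], report["network"]
    return (not s["files"] and not s["keys"] and not n["dns"] and not n["hosts"]
            and len(report["behavior"]["processes"]) <= 1
            and report["info"]["duration"] < 10)          # illustrative threshold


def triage(report):
    return {"process_tree": process_tree(report),
            "indicators": indicators(report),
            "quiet_run": is_quiet(report)}


if __name__ == "__main__":
    for name, rep in (("sample", SAMPLE_REPORT), ("quiet", QUIET_REPORT)):
        t = triage(rep)
        print(f"== {name}: quiet_run={t['quiet_run']}")
        print("\n".join(t["process_tree"] + t["indicators"]) or "  (no activity recorded)")
```

The point of `is_quiet` is the caveat above: a report with nothing in it is not the same as a clean report, and a verdict of “no malicious behavior observed” on a three-second run with no file, registry or network activity should send the file for a second look (a different sandbox, a longer run, or static analysis) rather than to the allow list.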



Nov 02

insecure systems? no insurance for you!

By alberg. Filed under: systemic risk

It seems that car thieves have been targeting the keyless entry systems of high end vehicles, taking advantage of weak security in their on-board computers.  In addition to stolen cars, this has also caused some insurers in the UK to refuse coverage for certain models of Range Rovers in London unless their owners take additional security measures.  This is an interesting development – if your potential customers can’t get insurance coverage because your car’s (or other device’s) computer enabled systems aren’t secure, then you have a real incentive to fix the problem.   Now how do we apply this to other types of systems?
