Apr 14

Aaaand we now have our first confirmed breach of data tied to Heartbleed: the Canada Revenue Agency has reported that the social insurance numbers of about 900 Canucks were downloaded by attackers using Heartbleed. Canada’s equivalent of the US IRS had shut down its e-filing website last week when the bug was announced.

Akamai (whose network carries almost a third of the Internet’s traffic) was also in the Heartbleed news this AM. It turns out that the custom OpenSSL patch they believed kept their servers’ private keys out of Heartbleed’s reach had a bug of its own, so the keys were not as safe as first thought. They are revoking their certificates and issuing new ones in the wake of patching the patch.

Stay tuned… I am sure there is more to come

Apr 13

It seems like Heartbleed is going to be keeping infosec people busy for a while.

First, multiple people have succeeded in extracting the private key behind a website’s SSL certificate using Heartbleed. This is not good news: an attacker holding a site’s real private key can stand up a site that presents the genuine certificate and looks and acts like the real McCoy, and browsers will see nothing wrong until that certificate is revoked. I think we’ll be seeing a lot of revoked and reissued certificates this week. Nobody is likely to be happy about this except for CAs, who stand to profit from this debacle (although, since they had nothing to do with causing the problem, can we blame them?)

Obviously, any site which was Heartbleed vulnerable needs to get new certs toot sweet. But what about sites which were not vulnerable? From a technical point of view, if you never ran one of the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f), you really don’t need to buy a new certificate. However, given the fact that Heartbleed was around for about two years, site owners will have to think back to whether they were ever running vulnerable software in combination with their current certificates: a cert that was ever served by a vulnerable build is suspect, even if the box was patched last week. Hope you had good version control on your site!
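
The “were we ever vulnerable while this cert was live?” question, worked through as an added example (my code, not anything from the OpenSSL project). It encodes the upstream release ranges: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2 are fixed, and 0.9.8 and 1.0.0 never shipped the heartbeat code. The host histories and dates are constructed, and the `backportedFix` flag is an assumption of mine, there because distributions patch without bumping the upstream version string, so `openssl version` alone can lie to you.

```javascript
// Added example, not from the original post or from OpenSSL. Assumes version
// strings in the form printed by `openssl version` (an "OpenSSL " prefix and a
// trailing date are tolerated).
const VERSION_RE = /^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?/i;

function isHeartbleedVulnerableVersion(versionString) {
  const m = VERSION_RE.exec(versionString.trim());
  if (!m) throw new Error("unrecognised OpenSSL version: " + versionString);
  const base = m[1] + "." + m[2] + "." + m[3];
  const letter = m[4].toLowerCase(); // "" for a bare 1.0.1
  const beta = m[5];
  if (base === "1.0.1") return letter < "g";                      // 1.0.1 .. 1.0.1f
  if (base === "1.0.2") return beta !== undefined && Number(beta) < 2; // beta1 only
  return false; // 0.9.8 and 1.0.0 never had the heartbeat extension
}

// Does the certificate need reissuing? Yes if a vulnerable build was in service
// at any point after the cert was issued: the key could have been read out then.
// `history` lists the builds the host ran with the ISO date each went into
// service; `backportedFix: true` marks a distro package that kept the old
// version string but carries the fix (assumption: you verified that package).
function certNeedsReissue(certNotBefore, history, now = Date.now()) {
  const issued = Date.parse(certNotBefore);
  const builds = [...history].sort((a, b) => Date.parse(a.from) - Date.parse(b.from));
  return builds.some((build, i) => {
    const vulnerable = isHeartbleedVulnerableVersion(build.version) && !build.backportedFix;
    const retired = i + 1 < builds.length ? Date.parse(builds[i + 1].from) : now;
    return vulnerable && retired > issued;
  });
}

// Constructed histories for two hosts.
const HOST_UPGRADED = [
  { version: "OpenSSL 1.0.1e 11 Feb 2013", from: "2013-03-01" },
  { version: "OpenSSL 1.0.1g 7 Apr 2014", from: "2014-04-08" },
];
const HOST_BACKPORTED = [
  { version: "OpenSSL 1.0.1e 11 Feb 2013", from: "2013-03-01" },
  { version: "OpenSSL 1.0.1e 11 Feb 2013", from: "2014-04-08", backportedFix: true },
];

console.log(certNeedsReissue("2013-06-15", HOST_UPGRADED));   // cert was served by 1.0.1e
console.log(certNeedsReissue("2014-04-09", HOST_UPGRADED));   // issued after the upgrade
console.log(certNeedsReissue("2014-04-09", HOST_BACKPORTED)); // same, fixed by backport
```

The point of the second function is the one the post makes: the decision hinges on the overlap between the cert’s lifetime and the vulnerable build’s time in service, not on what the host is running today.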

And it’s not just web servers we need to worry about. Other, non-port-443 services like email, databases, directory services, APIs and the like also use OpenSSL to protect their communications in transit, and anything linked against a vulnerable libssl has the same hole. We may be hearing about Heartbleed attacks on these services in the coming weeks and months.

And the good news just keeps on coming: there’s a lot of client and embedded device software out there running vulnerable OpenSSL code. Since the heartbeat code is the same on both ends of the connection, at least one expert thinks that malicious servers can be set up to exploit clients and extract passwords and crypto keys from devices which connect to them. While Apple’s OS X and iOS products are Heartbleed-free, Android version 4.1.1 (said by Google to be in use on millions of devices) is vulnerable to the bug.

Finally, I think it is safe to assume that phishers are going to make the most of Heartbleed – fake “password reset” notices will be filling our inboxes, trying to make the most of Heartbleed hysteria to steal credentials in a low tech fashion.

So, expect Heartbleed related heartburn for the foreseeable future, folks…


Jul 12

Another day, another Android vulnerability, this one allowing attackers to inject code into a signed Android application package without invalidating its signature, so the platform’s cryptographic check of the app passes anyway. And another reason to refrain from using app stores other than Google Play for the time being.

Jul 11

Via Gizmodo

Mar 20

Yes… hover and check…

If you are like me, “hover over the link and read the URL before you click” is a basic piece of advice you give to people who want to know how to avoid malicious links in web pages and emails. Well, it looks like a little bit of JavaScript trickery can be used to make malicious links look benign until they are clicked: the link carries an innocent href, which is what the browser shows on hover, and a handler on the mouse-down or click event swaps in the real destination just before the browser follows it. While email clients like Outlook will not execute JavaScript in messages, links in web applications or webmail accounts could be disguised in this way. Sounds like we need a browser based fix to combat this; it is possible, since Opera apparently is not fooled by this behavior.
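
Here is the trick and a first-pass check for it, as an added example (mine, not from the original post or from whoever published the demo). The sample HTML is constructed; the detector is regex-based, which is fine for a webmail sanitizer’s first pass but is not an HTML parser, and it assumes no literal `>` inside attribute values.

```javascript
// Added example, not from the original post: a first-pass detector for links
// whose inline handler rewrites the destination after the benign href has been
// shown on hover. The HTML below is constructed for the demonstration.
const SAMPLE_HTML = `
<p>Your statement is ready: <a href="https://bank.example/login">bank.example</a></p>
<p>Read <a href="https://www.example.com/news"
   onmousedown="this.href='https://evil.example/phish'">today's news</a></p>
<p>Or the <a href='https://docs.example.org/'
   onclick="location.href='https://evil.example/2'; return false">docs</a></p>
`;

// Each <a ...> start tag; [^>]* also spans line breaks inside the tag
// (assumption: no literal '>' inside attribute values).
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// href="..." or href='...'
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
// Events that fire between the hover and the navigation itself.
const HANDLER_RE = /\bon(mousedown|mouseup|click|contextmenu)\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
// Handler bodies that change where the click will actually go.
const NAV_RE = /\.href\s*=|\blocation\s*=|location\.(assign|replace)\s*\(|window\.open\s*\(/i;

// Returns the quoted value, whichever quote style matched.
function quoted(match, dq, sq) {
  return match[dq] !== undefined ? match[dq] : match[sq];
}

function findHrefSwappingLinks(html) {
  const findings = [];
  for (const tag of html.matchAll(ANCHOR_RE)) {
    const attrs = tag[1];
    const hrefMatch = HREF_RE.exec(attrs);
    const displayedHref = hrefMatch ? quoted(hrefMatch, 1, 2) : "";
    const handler = HANDLER_RE.exec(attrs);
    if (!handler) continue;
    const code = quoted(handler, 2, 3);
    if (NAV_RE.test(code)) {
      findings.push({ displayedHref, event: handler[1].toLowerCase(), code });
    }
  }
  return findings;
}

// Which links in the sample would fool "hover and check"?
console.log(findHrefSwappingLinks(SAMPLE_HTML));
```

The first link is honest and is not reported; the other two show one URL on hover and go somewhere else on the click. A browser-side fix would be the same comparison done at the other end: remember the href displayed at hover time and refuse, or at least warn, when the navigation target differs.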

Nov 28

Interesting post from security and cyberwarfare blog Digital Dao on how changes in Russian law will make it more difficult for foreign firms and investigators to track down the owners of .ru domains used for nefarious purposes.  Not a positive development.

Oct 14

Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…

SC Magazine:
Security Researcher Threatened with Vulnerability Repair Bill

A couple of observations about the article…

The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.

It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account: the application took an account identifier from the request and served up the record without checking that it belonged to the logged-in user. Whoever designed/wrote that application needs some serious re-edumacation at the very least. Maybe these are the folks who should be paying to fix the vulnerability.

I’m not sure why they are demanding the researcher’s computer. The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs: every request from his address, and every account identifier in it, is sitting right there.
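
To make both of those points concrete, here is an added example of my own (not the company’s code, which nobody outside has seen): a toy version of the bug class described, the corrected handler next to it, and the log check that answers “what else did he look at?” without anyone’s laptop. The accounts, session objects and log lines are all constructed.

```javascript
// Added example, not from the article or the firm involved. Everything here is
// constructed: two customer records, session objects and a few log lines.
const ACCOUNTS = {
  "1001": { ownerId: "alice", ssnLast4: "1234" },
  "1002": { ownerId: "bob",   ssnLast4: "5678" },
};

// Vulnerable: whatever id arrives in ?id=... is looked up and returned. The
// session is never consulted, so any logged-in customer can read any account.
function getAccountVulnerable(session, query) {
  return ACCOUNTS[query.id] || null;
}

// Fixed: the id is only honoured if the record belongs to the caller. Answer
// "not found" rather than "forbidden" so the response doesn't confirm that
// other ids exist.
function getAccountSecure(session, query) {
  const account = ACCOUNTS[query.id];
  if (!account || account.ownerId !== session.userId) return null;
  return account;
}

// Combined-log-format lines as a web server would write them (constructed).
const ACCESS_LOG = [
  '203.0.113.7 - - [14/Oct/2013:10:01:02 -0400] "GET /account?id=1001 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [14/Oct/2013:10:01:40 -0400] "GET /account?id=1002 HTTP/1.1" 200 815 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [14/Oct/2013:10:02:05 -0400] "GET /account?id=1001 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [14/Oct/2013:10:02:30 -0400] "GET /account?id=1003 HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [14/Oct/2013:10:03:00 -0400] "GET /account?id=1002 HTTP/1.1" 200 815 "-" "Mozilla/5.0"',
];
// client ip, request target, status code
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3}) /;

// Which account ids, other than their own, did this client fetch successfully?
function foreignAccountsFetched(lines, clientIp, ownAccountId) {
  const seen = new Set();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m || m[1] !== clientIp || m[3] !== "200") continue;
    const url = new URL(m[2], "http://log.invalid"); // base only makes the path parseable
    const id = url.searchParams.get("id");
    if (url.pathname === "/account" && id !== null && id !== String(ownAccountId)) seen.add(id);
  }
  return [...seen].sort();
}

console.log(foreignAccountsFetched(ACCESS_LOG, "203.0.113.7", 1001));
```

The fix is one comparison against the session, which is the whole difference between the two handlers. The log scan is the audit the company could have run on day one: filter to the researcher’s address, keep successful responses, and list the ids that were not his.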

I’ll bet that plenty of people at this organization are wishing that this incident never hit the news.  Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging.  If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.

So, to sum things up… WTF!



Oct 11

Heeeeeere's malware!

The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.

Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti malware program on the latest zero day vulnerability of the week.

Vulnerabilities are sooo last year – your users are the weakest link.  Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation.  In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful.   In most cases, no vulnerability was used – the user simply gave the malware permission to run.  Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.

You still need to keep software up to date.  Testing and installing patches from Microsoft and other vendors will protect your systems from the roughly 6% of attacks which use exploits to worm their way in (get it?) to your systems.  This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.

Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced.  Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.

Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time.  Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.
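
One “strange pattern” worth looking for in proxy logs is beaconing: a bot that phones home on a timer leaves a trail of near-identical intervals, while a human browsing does not. The following is an added example of my own, not from the post or from Microsoft’s report; the log lines are constructed, in an assumed format of `epochSeconds clientIp destinationHost`, and the thresholds are starting points to tune, not gospel.

```javascript
// Added example, not from the post or from Microsoft's report: a beacon hunt
// over proxy log lines. Format (assumed): "epochSeconds clientIp destinationHost".
// 10.0.0.5 browses cdn.example.net irregularly and hits xq7.example.org
// every ~300 seconds; 10.0.0.8 only visits a news site a few times.
const PROXY_LOG = `
1318600000 10.0.0.5 xq7.example.org
1318600010 10.0.0.5 cdn.example.net
1318600025 10.0.0.5 cdn.example.net
1318600301 10.0.0.5 xq7.example.org
1318600400 10.0.0.5 cdn.example.net
1318600405 10.0.0.5 cdn.example.net
1318600599 10.0.0.5 xq7.example.org
1318600902 10.0.0.5 xq7.example.org
1318601100 10.0.0.5 cdn.example.net
1318601105 10.0.0.5 cdn.example.net
1318601107 10.0.0.5 cdn.example.net
1318601200 10.0.0.5 xq7.example.org
1318601499 10.0.0.5 xq7.example.org
1318600050 10.0.0.8 news.example.com
1318600900 10.0.0.8 news.example.com
1318601300 10.0.0.8 news.example.com
`;

function parseProxyLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, client, host] = line.trim().split(/\s+/);
    return { ts: Number(ts), client, host };
  });
}

// Flag (client, host) pairs with at least minHits requests whose spacing is
// regular: coefficient of variation (stddev / mean) of the intervals at or
// below maxCv. A bot with some jitter still scores far below 0.1; browsing
// scores well above 1.
function findBeacons(entries, { minHits = 5, maxCv = 0.1 } = {}) {
  const byPair = new Map();
  for (const e of entries) {
    const key = e.client + " " + e.host;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(e.ts);
  }
  const beacons = [];
  for (const [key, stamps] of byPair) {
    if (stamps.length < minHits) continue;
    stamps.sort((a, b) => a - b);
    const intervals = stamps.slice(1).map((t, i) => t - stamps[i]);
    const mean = intervals.reduce((s, x) => s + x, 0) / intervals.length;
    if (mean === 0) continue; // all hits in the same second: a burst, not a beacon
    const variance = intervals.reduce((s, x) => s + (x - mean) ** 2, 0) / intervals.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= maxCv) {
      const [client, host] = key.split(" ");
      beacons.push({ client, host, hits: stamps.length, meanInterval: mean, cv });
    }
  }
  return beacons;
}

console.log(findBeacons(parseProxyLog(PROXY_LOG)));
```

On the sample this reports exactly one pair, the one calling xq7.example.org every five minutes. In production you would also drop hosts on an allow list (update services and monitoring agents beacon legitimately) and let `maxCv` climb a little if the malware adds jitter.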

I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!


Aug 15

The latest in anti censorship tech

When I read about Telex, a research project aimed at making it easier to get past Internet censorship, my “split personality” – lover of freedom and justice versus corporate security guy – kicked in right away.  You see, if widely implemented, Telex would make it much easier and safer for people living under repressive regimes to get past said regimes’ censorship of the Internets.  Built on client software, a cryptographic tag hidden in the TLS handshake that only participating ISPs’ equipment can recognize, and servers hosted by those friendly ISPs, Telex would turn the idea of a proxy server inside out, effectively making the entire Internet (it’s a series of tubes, you know) one big proxy.

This would be really great – I would love to see the US government as well as non profit organizations host Telex servers to allow people in China, the middle east, and other places where freedom of expression is curtailed… however, Telex would also make my job as a security professional that much more difficult.  By installing a Telex client, the users on my corporate network might be able to bypass the web filtering we have put in place.  While some of that filtering is aimed at keeping people away from “non work appropriate sites,” there are other reasons to filter Internet access in the workplace as well.  For example, we block access to sites known to host malware.  We block access to sites which would put us in violation of various legal and regulatory mandates.  These are all legitimate things to do in a corporate environment, and our employees have unfettered access to the Internet outside of the office.  Employees using a system like Telex would put our company at risk.

Telex is still in the proof of concept stage and there needs to be a lot more software and infrastructure development done before it can be a reality on a large scale. As I said, I am 1000% pro Telex as a tool for people to bypass repressive regimes’ Internet censorship.  But I think that corporate Internet censorship (hate that word) is another kettle of fish altogether and we security professionals need to keep an eye on Telex and similar technologies.  I feel like I should be dressing like these guys after writing this…


Aug 13

Over the past few days, a lot of folks at work have been sending me links to this really excellent XKCD cartoon:


I think this really hits the password problem on the head.  With the advent of inexpensive GPU assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated.  And yes, they are hard to remember.  And most importantly, they make users hate the InfoSec people.  Do they ever bring us home baked brownies as a reward for our password rules?  Nope.

As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea.  The math seems to work (four words picked at random from a 2048-word list come to 44 bits, against the 28 bits the strip credits to the old-style Tr0ub4dor&3) and it certainly seems to be easier on the user.  However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable.  I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.

