Tuesday, May 28, 2013

Ten Tips for Android Security

CSO Online recently published a slideshow offering tips on securing Android devices.  Some fairly decent guidelines here, laid out in an easy-to-digest fashion.  You can find the deck here.  Enjoy!

Monday, May 27, 2013

Best Practices for Online Banking

This week Brian Krebs published a list of online banking best practices for businesses.  While there is nothing earth-shattering in this list, it serves as a reminder that the basics matter and that it's important to think about the security aspects of online transactions.  

Reviewing this article got me to thinking about what I would put into such a list for the individual versus a business.  Clearly most of Brian's recommendations remain applicable, but there are a few more things that I would focus on for the individual consumer of online banking services:
  1. Passwords Matter.   I understand the concerns consumers have over a multitude of passwords and the desire to use just one password for everything, but this makes it easier for the bad guys to get to your money.  If they compromise your email password, for example, they are now one step closer to accessing your banking information if your passwords are the same.  Your banking password should always be unique, should be complex (letters, numbers, and at least one special character), and you should change that password on a somewhat regular basis (90 days is preferred, but at least once a year).   Note: if you are concerned about remembering multiple passwords in general, there are several good password storage programs out there that are easy to use and highly mobile.  KeePass is my personal favorite.
  2. Know Your Network.  WiFi availability has become ubiquitous in our society;  secure WiFi has not.  Bad actors routinely place themselves on open networks in an attempt to capture your data; worse, many bad actors set up "free" networks with names similar to those you might be used to/searching for in an attempt to deceive you into granting them access to your system.  As a general rule, do your online banking at home on your own (secure! :) ) network.  If you find yourself on the road regularly or simply desire more mobility when you bank, invest in a MiFi device and the appropriate service (one which allows you to password-protect the MiFi network) from your chosen carrier. 
  3. Talk To Your Bank.  Online banking is not just a convenience for you; it's a convenience for the banks as well.  If a financial institution can drive more transactions and interactions to a self-service platform such as its online presence, it carries less overhead in the form of branches and tellers.  In exchange for this convenience, you should feel comfortable asking some questions of your bank regarding their online banking security.  Simple questions such as where they host their online presence; how they protect the online transaction data; how often they patch their systems and/or update their applications; and what they do to test their online applications, mobile apps, and their online presence overall are not unreasonable questions and should result in informed answers from your financial institution.  If they don't, consider finding another institution.  As an example:  my institution hosts its application internally; placed its online presence in beta for over a year to ensure the security is rock solid; tests its online presence quarterly for security; patches immediately for high-risk security patches; and tests its code annually, as well as whenever updates are made, for security issues and holes.  
When approaching online banking it is important to remember that being an informed and diligent consumer is an essential step in protecting your assets.  Ask questions...and remember the basics :)
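The password rules in item 1 above (unique, letters plus numbers plus at least one special character, rotated every 90 days and at least yearly) are concrete enough to check mechanically. The following is an added example, not code from the original post: a small checker that evaluates a banking password against exactly those rules. The `review` function, the threshold constants, and the sample inputs are assumptions for illustration; the uniqueness check assumes it runs locally against the user's own password store (for example, entries exported from a manager such as KeePass) and never sends anything to the bank.

```python
import re
from datetime import date

# Rotation thresholds as stated in the post: 90 days preferred, once a year at minimum.
PREFERRED_MAX_AGE_DAYS = 90
HARD_MAX_AGE_DAYS = 365

# Characters counted as "special" for the complexity rule (an assumption; banks vary).
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def complexity_problems(password):
    """Return the list of complexity rules from the post that the password fails.

    An empty list means the password has letters, numbers and a special character.
    """
    problems = []
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not any(ch in SPECIAL for ch in password):
        problems.append("no special character")
    return problems


def is_unique(banking_password, other_passwords):
    """True if the banking password is not reused for any other account."""
    return banking_password not in set(other_passwords)


def rotation_status(last_changed, today):
    """Classify password age: 'ok' (<=90 days), 'stale' (<=365 days), or 'overdue'."""
    age_days = (today - last_changed).days
    if age_days > HARD_MAX_AGE_DAYS:
        return "overdue"
    if age_days > PREFERRED_MAX_AGE_DAYS:
        return "stale"
    return "ok"


def review(banking_password, other_passwords, last_changed, today):
    """Combine the three rules into one list of findings (empty = all rules satisfied)."""
    findings = complexity_problems(banking_password)
    if not is_unique(banking_password, other_passwords):
        findings.append("reused on another account")
    status = rotation_status(last_changed, today)
    if status != "ok":
        findings.append("rotation " + status)
    return findings


if __name__ == "__main__":
    # Constructed sample: a password that is also used for e-mail and was last changed
    # on New Year's Day, reviewed on the date of this post.
    sample_findings = review(
        banking_password="Password1",
        other_passwords=["Password1", "s0me-other-pw!"],
        last_changed=date(2013, 1, 1),
        today=date(2013, 5, 27),
    )
    for finding in sample_findings:
        print("FAIL:", finding)
```

Note that "Password1" (which the Trustwave findings later on this page name as the most common business password) passes a letters-and-numbers check and fails only on the special-character rule; complexity rules alone are a floor, not a guarantee, which is why the uniqueness and rotation checks sit beside it.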

Sunday, May 19, 2013

Harry Potter Spell Unlocks Backdoor on Mac Chips

The Mac on your desk or on the cafe table next to you has a chip with secret functions that can be unlocked only by inputting a spell from the Harry Potter series. That fun fact was presented Wednesday at the NoSuchCon security conference by veteran reverse engineer Alex Ionescu.

"The attacks discussed in my presentation are attacks that likely only a nation-state adversary would have the sufficient technical knowledge to implement, and they require precise knowledge of the machine that is being targeted," Ionescu, who is chief architect at security firm CrowdStrike, wrote in an e-mail to Ars. "They are perfect, for example, at a border crossing where a rogue country may need to 'take a quick look at your laptop' to 'help prevent terrorism.' I don't suspect most Mac users would be at a high-profile enough level to warrant such level of interest from another state."

You can read the entire article and see copies of the slides here. Enjoy!

Google Glass Alarms Lawmakers

By now, most of us have heard about Google Glass and its potential capabilities -- benign and otherwise. This week, lawmakers have stepped into the fray. Eight members of Congress have sent a letter to Google asking for information about how Google intends to protect public privacy as well as whether or not Google intends to implement facial recognition software into its new product. The idea of people wandering around with internet-connected cameras in spaces where cameras aren't normally allowed is disturbing to many...myself included.

...but many of us are dealing (or not dealing) with this problem today anyway. Just look at your cell phones.

As security professionals we are faced with the daunting task of minimizing risk within an environment without stifling technology or development. Sadly, the problem remains that technology genuinely outpaces our efforts (and our available funding) to make good risk decisions that enable technology use. As we watch the Google Glass maneuverings play out, we need to ask ourselves how we intend to deal with this and other new personally-owned technologies that will start appearing in our offices. Saying "no" is the easy part of the equation; figuring out how is where we earn our money.

Sunday, May 12, 2013

Pentagon Report Accuses China of Cyber Espionage

News flash:  China is targeting American business and government entities for cyber attack in order to gain military and economic advantage...

...oh wait...you knew this?

On Monday, in its annual report to Congress on China's military capability, the Pentagon appeared to come off the fence regarding cyber attacks by China. “In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” the 100-page report said.  This marks the first time

This revelation marks a turning point which could be good or bad for our profession.  On the one hand, such an admission now allows the government to discuss the situation openly and formally (versus hinting at the problem with nonspecific acronym-easing phrases such as "advanced persistent threat.")  Decisions can be made regarding policy, spending, and priority around the state-sponsored threat which lurks behind the Great Firewall of China.  

On the other hand, we have all seen the lethargic pace at which government is able to respond legislatively to cyber threats;  the Chinese threat may evolve exponentially if we remain content to await congressional policy action.  More concerning, however, is the potential for the focus on China to obscure other potential threat vectors.  As the recent spate of breach and investigation reports demonstrates, state-sponsored hacking still accounts for only a minority of the incidents out there.  

Paying attention to China is a good thing...but we should not focus here to the exclusion of other threats.

The detailed Pentagon report may be found here.  It's worth a read!

Arrests Made in $45 million ATM Breach

Earlier this week seven people were arrested in the U.S., accused of operating the New York cell of what prosecutors said was a network that carried out thefts at ATMs in 27 countries from Canada to Russia. Law enforcement agencies from more than a dozen nations were involved in the investigation, which was being led by the Secret Service.

After penetrating the processor's computer network, the hackers fraudulently manipulated the balances and withdrawal limits on prepaid debit card accounts. Then, teams of so-called cashers allegedly launched carefully timed attacks that caused millions in criminal losses from more than 4,500 ATMs in about 20 countries.

For more on the arrests and information regarding the attacks, check here.  Enjoy!

Comitatus

Stepping onto my soap box for a bit.  Shocking, I know... :)

I read an interesting -- and disturbing -- story this week about a medical doctor attending the White House Correspondents Dinner with her husband. 

Dr. Seema Jilani -- a New Orleans-born physician who specializes in international healthcare -- is married to a journalist who was attending the correspondents dinner.  Spouses aren't allowed to attend the actual dinner, but show up for the cocktail hour prior to the festivities.  After the actual dinner began, Dr. Jilani realized that her husband still had their keys.  She tried calling him, but he wasn't answering.  She approached the security guards outside of the dining room, and was refused entry because she did not have a ticket.

Not an unreasonable response in the slightest...in fact, it was the appropriate response.  The only problem, though, is that the same security guards who refused Dr. Jilani entry into the secured area were allowing other women into that area without questioning their authorized status.  Further, if the reporting is accurate, one woman who claimed to have lost her ticket was allowed in and personally escorted into the area by the guards.  As Dr. Jilani objected to the double standard, one of the guards threatened to call the Secret Service...remarking that "We have to be extra careful with you all after the Boston bombings."

Oh, did I fail to mention that the other women allowed in were Caucasian?

I am posting this reference here not as a political statement nor a criticism, but rather as a reminder to us Warriors of the Light who stand in the gap every single day:  our protect-and-serve mission must be carried out objectively and without bias toward any.  It is hard (in both the real and virtual worlds) to eschew cynicism and bias as we stare into the abyss;  however, it is only by winning that battle daily that we honor our charges and our charter.  To do otherwise is to become little better than those whom we stand against.  Those Whom We Serve will hopefully respect us and come to rely upon us.  They should never fear us.  This applies not only when screening individuals for events but also when dealing with the business professional who is asking for what appears to be yet another unreasonable exception to information security policy.

Regardless of why you got into this business, true professionals understand that bias and cynicism are luxuries we cannot afford.  If you are reading this posting, I urge you to gently remind those around you of the importance of rising above such temptations.

Okay...stepping off the soap box.  For now :)  Those interested in Dr. Jilani's article can find it here.

Friday, May 10, 2013

Spotlight on Big Data

Shameless plug time :)

This month's CSO Magazine contains a feature story on big data in which I am quoted.  Nothing earth shattering in the article, but it's a good primer for organizations beginning to grapple with the pros and cons of big data analytics technologies.  You can find a copy of the article here.  Enjoy!

Monday, May 6, 2013

A Last Look Back at the Boston Tragedy

Warning:  this is going to be a bit of a rant.

It has been three weeks since the tragic bombings at the Boston Marathon.  During that time we have wept with those who were injured or who lost loved ones...and rejoiced in the tracking and capture of those responsible for this heinous crime.  

Unfortunately, this period has also been one for recrimination.  Several news outlets and elected officials have resurrected that old saw we heard back after 9/11:  intelligence failure.  Why didn't we know?  Why didn't we prevent the attack?  Information began to surface about Russia sending alerts to US officials regarding the activities of the suspected terrorists;  did we follow up?   Did we do enough?  If not, why not?

I remember the first time I was confronted with the "intelligence failure reflex" in conversation.  Working in security (and having worked in the intelligence arena in past lives),  I used to avoid this conversation because it would be a source of annoyance for me.  Finally, an acquaintance noticed my ire and pressed me into commentary.  Here's the scenario I gave them in response...

Say you're an intelligence agent working for our government.  You have credible intel that there's going to be an attack in Arizona (where I live) in the next 90 days.  You know that the folks planning this attack are located somewhere within Arizona State University (the largest university in the nation) in some capacity.  Your job is to gather enough credible intelligence to preempt this attack.  

You have certain tools in your toolbelt:
  • We have technologies that will take imagery of certain areas and people, but you need to tell us where to point this technology.  If you give me 24 hours notice, I'll task the resources where you want me to, but it'll take an additional 48 hours after that to analyze the data and render you a report.
  • We also have technologies that'll allow you to intercept technical data of multiple types.  We can suck up this data en masse, but we need you to tell us who to focus on and look for.  Again, it'll take us 48 hours to cull through any data we've collected to find the specific targets you give us and render a report.
You are also at a bit of a disadvantage:
  • ASU has three large campuses that are geographically dispersed.  This doesn't include its online presence and its satellite presence.  We don't know which of these campuses/presences is relevant to your investigation...or even if it's only ONE campus versus multiple ones.
  • You're in your late 40's (as am I), so you aren't exactly in the same age demographic as a goodly portion of the student population.  This'll limit your infiltration options as well as your interactions with the student population (nothing like a large almost-50-year-old black man hanging out in the student union to shut down conversation amongst the co-eds :) ).
That's your mission.  Good luck!

Now here's the real kicker:  under similar circumstances -- usually with the hindrances of language and ethnicity -- our intelligence and law enforcement professionals stop terrorist attacks and heinous crimes every single day.  Analysts and agents sort through literally thousands of leads daily and successfully interdict foreign and domestic terrorism daily.  During my time in the service, I was personally involved (in very small part) in preventing at least seven terrorist incidents on foreign soil...and I freely admit that my jobs (and skills) were mundane and unexciting.

Am I saying that the bureaucracy is perfect?  No.  Am I saying that mistakes aren't occasionally made?  Not at all. What I am saying, though, is that our underpaid, overworked, and unappreciated law enforcement and intelligence brethren who stand in the gap against seemingly insurmountable odds deserve more than armchair quarterbacking and the continued perception of incompetence others are attempting to heap upon them.  As security professionals we can relate to this situation every time there is a breach or exposure;  let's take a moment to support our fellow Warriors of the Light in different professions who stand in the gap daily.

*Deep Breath*  Okay...I am done ranting.  If you'd like a more articulate explanation as to why the tragedy in Boston was not an intelligence failure, give this article a read.  Thanks for listening!

Reporting Season is Here

Ah, springtime.  Flowers are blooming.  Baseball is in full swing.  And -- most importantly -- the major security vendors release their summary reports :)

Last month, Trustwave released its 2013 Global Security Report.  Some of its key findings:
  • The retail industry made up the highest percentage of their investigations at 45%
  • Mobile malware has increased 400%
  • The average time from initial breach to detection was 210 days, more than 35 days longer than 2011.  Most victim organizations (64%) took over 90 days to detect the intrusion.
  • "Password1" is still the most common password used by global businesses.  
The Verizon report is also short of good news for us:
  • 75% of breaches were untargeted and opportunistic.
  • 78% of attacks used tactics which were rated as low or very low on the VERIS difficulty scale.
  • 75% of attacks were driven by financial motives
  • 19% of attacks were perpetrated by state affiliated actors for the purposes of espionage.
While both reports are worth a read (and if you can attend either company's roadshow briefing, it's worth it), as security professionals we should let these reports cause us to stop for just a moment and reflect on the state of our infrastructures -- particularly as it pertains to basic blocking and tackling.  Of late we have been pulled (in large part by the security industry, versus the profession) down the path of "if we can only suck in more data" and "if we can only better sort through the data we're sucking in," then we can better protect ourselves against that uber-hacker trying to infiltrate our systems.  While there is some truth to this approach, it tends to mask the fact that basic blocking and tackling will still resolve much of what we're seeing out there.  I truly wonder what the breach reports would look like if we:
  • Enforced heightened password complexity
  • Patched vigorously and rapidly (to include addressing aggregate risk via patching low-level vulnerabilities with regularity)
  • Cleaned up roles and access to systems, ensuring a least privilege model; and
  • Managed (and monitored) super user accounts and privileges aggressively throughout the environment.
If the reports are to be believed, we'd drive out at least two thirds of the breaches and issues that make up these findings -- leaving us ample time to hunt for the needle in the needlestack :)
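The last two items in the list above (least-privilege roles and aggressive management of super-user accounts) are the kind of basic blocking and tackling that can be checked with a few lines of code. What follows is an added example, not code from the original post or from either vendor report: an audit of the three classic Unix account files that flags extra UID 0 accounts, accounts with an empty password field, and who effectively sits in the privilege-escalation groups, including service accounts that hold that privilege despite having no login shell. The file contents are constructed samples, and the group names in `PRIVILEGED_GROUPS` and the `audit` function are assumptions for illustration; on a real host you would read `/etc/passwd`, `/etc/shadow` and `/etc/group` instead.

```python
# Constructed sample files (not taken from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:27:backup job:/var/backups:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$salt$hash:15800:0:99999:7:::
toor::15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
alice:$6$salt$hash:15600:0:99999:7:::
bob:$6$salt$hash:15850:0:99999:7:::
svc_backup:!:15800:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:
"""

# Groups that grant privilege escalation on typical Linux hosts (assumption; adjust per distro).
PRIVILEGED_GROUPS = {"wheel", "sudo"}


def parse_passwd(text):
    """name -> {uid, gid, shell} for each non-empty passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_shadow(text):
    """name -> password hash field ('' means no password is required, '!'/'*' means locked)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def parse_group(text):
    """name -> {gid, members} where members are the explicitly listed logins."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def effective_members(group, users):
    """Explicit members plus users whose primary GID is the group's GID (often overlooked)."""
    return group["members"] | {n for n, u in users.items() if u["gid"] == group["gid"]}


def audit(passwd_text, shadow_text, group_text):
    """Return a dict of findings for the super-user and least-privilege checks."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    groups = parse_group(group_text)
    report = {
        # Any UID 0 account other than root is a second super-user identity.
        "extra_uid0": sorted(n for n, u in users.items() if u["uid"] == 0 and n != "root"),
        # An empty hash field means the account authenticates with no password at all.
        "no_password": sorted(n for n, h in shadow.items() if h == ""),
        "privileged_members": {},
        "service_accounts_privileged": [],
    }
    for gname in sorted(PRIVILEGED_GROUPS):
        if gname not in groups:
            continue
        members = sorted(effective_members(groups[gname], users))
        report["privileged_members"][gname] = members
        for m in members:
            shell = users.get(m, {}).get("shell", "")
            # A nologin shell means no interactive use, yet processes running as the
            # account can still escalate via the group: review whether the job needs it.
            if shell.endswith("nologin") or shell.endswith("false"):
                report["service_accounts_privileged"].append(m + " via " + gname)
    return report


if __name__ == "__main__":
    for key, value in audit(PASSWD, SHADOW, GROUP).items():
        print(key, "->", value)
```

On the constructed sample the audit reports `toor` twice (a second UID 0 account that also has no password) and surfaces `svc_backup` as a member of `sudo` purely through its primary GID, even though it is not listed on the group line; that GID-based membership is exactly the kind of quiet privilege the "clean up roles and access" item is about.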

Both reports are worth your time...not only as information for your SETA programs but also as a reminder to the enterprise of the importance of making the basics work.  You can find copies of both reports just about anywhere these days, but I've uploaded them onto my file sharing site here.  Enjoy!