Wednesday, September 25, 2013

Data Aggregator Giants Hacked

Today Brian Krebs (krebsonsecurity.comhas posted the results of a months-long investigation conducted by his organization.  These results, while long suspected, are disheartening:  it appears that several well known data aggregators have been compromised, and their files accessed for malicious use.


The underground ID Theft service SNNDOB[dot]ms (hereafter SSNDOB) has for two years marketed itself as a source for valid compromised identities.  The source of their data has been largely unknown, but access to a major data aggregator was suspected.  Several months ago, SSNDOB’s  own compromised database was compromised and a copy was provided to Brian Krebs for analysis. Further analysis was performed on the networks, activities, and credentials held by SSNDOB administrators revealing a small Botnet operating on the internal systems of LexisNexis, Dunn & Bradstreet, and Kroll Background America.


The SSNDOB service has served up more than 1.02 million unique social security numbers, and nearly 3.1 million date of birth records since its  inception in early 2012


You can read Krebs' full post regarding the compromise here.  Be advised that I have no further substatiation of Mr. Krebs' claims nor any statements from the aformentioned companies...but  krebsonsecurity.com is known to be one of the most credible sources out there.  Also here is a link with some great tips about what to do if you suspect your identify has been compromised.


Be aware...



Monday, September 23, 2013

IE Zero Day Released Into the Wild

Kudos to my buddy Matt for pointing this one out.  Recently SANS reported a zero-day exploit to all supported versions of Internet Explorer.  

It looks like this zero day is no joke.  SANS raised their threat level to Yellow so it looks like it is actively being exploited.   Since this is a zero day, the best bet for now is to make sure you have appropriate mitigation in place. Matt's blog does a great job of laying out the options.  Give it a read!

Saturday, September 21, 2013

iOS 7 Security Bug Discovered

Well THAT didn't take long at all, did it?

Just days after the release of Apple's new operating system -- which Apple is touting as having (among other things) enhanced security features -- websites are reporting the discovery of a security-related bug.  In a video released online, hackers demonstrated how accessing the Control Center feature from the lock screen and executing a specific series of commands will allow someone to access other applications (such as email) which are supposedly inaccessible when the phone is locked.  While Apple says it's working on a fix, the simplest solution for the nonce is to change the Control Center settings so that you cannot access Control Center on the Lock screen.  This is easily doable from the Settings screen (though feel free to ping me directly if you need a walk-through).

While some have dismissed the relevance of this bug, I like security controls to work.  I remain cautious about what I do and do not do online, but given the ubiquitous nature of technology it is nigh impossible to avoid utilizing wireless devices to store, process, or transmit some type of data.  In this context, dismissing security flaws as hyperbole is short sighted and naive.  Yes, convenience comes with risk and even security geeks like me understand that.  I wonder, though, how much Apple spent on the Security Testing and Evaluation (ST&E)  of its operating system as compared to, say, redisigning its icons.  Would shifting 1% of that spend toward ST&E have made a difference?  We'll never know.  What we do know is that Apple is now spending unplanned dollars fixing flaws and responding to public embarrassment instead of innovating.  Not a good position for a technology company to be in.

Here's hoping Apple takes a much harder look at its iOS  and sends a fast update before the next security bug is discovered.  Oh, wait...too late...the next bug has already been found.  

Be aware...

Sunday, September 15, 2013

Nymi -- Biometrics Revisited

Last week my friend Lori approached me with an article she had read about a new device called Nymi.  This device (which is in pre-release and available for preorder) purports to be able to use "a person's unique heartrate" for authentication purposes.   Payment devices, hotel check-in technologies, enterprise computer systems, and even automobile locks can then be secured and accessed without remembering a plethora of passwords or carrying half a dozen token devices (to include physical keys).  Lori's question to me -- which warmed my heart :)  -- was what the security implications and ramications would be of  such a technology.  To answer this question, we need to go back to the basic principles behind authentication and biometrics.  If you are already more than well versed in these topics, then you should scroll ahead a few paragraphs; however a base-level review of these topics is never a bad thing.

As most of us know, the best authetnication schemas use two of the following three factors:  (1) something you have (a physical token such as a key or an digital key fob); (2) something you know (a unique password); and/or (3) something you are (a biometric identifier such as a fingerprint).  Most true two-factor authentication schemas employ (1) and (2) above;  many schemas use two instances of item (2) -- such as a user ID and a password -- which is not true two-factor authentication.  

Very, very few authentication schemas employ widespread use of biometrics in their environments.  The reasons are straightforward:
  • Invasiveness.  Utilization of biometrics in some form or fashion usually means the surrender and recording of a person's unique physical characteristics.  If you use a fingerprint scanner, for example, then somewhere within your network is some type of digital representation of  your staffs' fingerprints.  Same for retinal scanners.  Many organizations see the adoption of such tools to be invasive and "overkill" from a security standpoint.
  • Privacy.  With over 35 states having data privacy and security laws, protection of biometric data adds yet another category of data to be secured within the enterprise.  Worse, biometric data may subject organizations to portions of the HIPAA/HITECH regulations that they mighn't have to deal with at present.
  • Rejection/Acceptance Rates.  If you enter your password and token data in correctly, the system will allow you access.  Period.  If you use a biometric device, you are subject to false rejection and denial of access -- or worse (from a security perspective) false acceptance which will allow unauthorized personnel access to your secure data.  While these rates are falling as technologies get better, they are still not at 100% -- which means they run the risk of being labelled as a (a) nuisance or encumberance to operations or (b) ineffective in securing the enerprise.
With these things in mind, let's take a took at the Nymi.

Nymi's use requires it to be on your wrist and active.  Once there, Nymi purports to be able to "continuously" sample your heartrate and provde continuous proximity-based authentication for those systems which require such things (say, for example, your network-based office computers which could automatically lock when you get up from the desk).  Interviews with the CEO (which can be found on their website) discuss how Nymi was buildtutilizing the Privacy by Design framework which emphasizes minimum utilization of personal data and total transparency re: where the data goes...

...but there is no information or discussion around the security of the device and the data.

Without the technical specifications I am only guessing regarding how Nymi actually works...but logic would dictate that it is either (a) transmitting a digitized versious of your heart rate signature or (b) is utilizing your hear rate to authorize the transmittial of a unique "go code" to an authentication device (in other words, Nymi samples your heart rate and determines that it is, indeed, you...at which point it sends a unique authentication key to the device you're attempting to utilize).  Here are the top-of-head questions the Old Security Guy in me has regarding security and utility of the Nymi:
  1. Static Nature of My "Unique Heart Rate."  I'm not a doctor, but I would assume that my heart characteristics now as an overweight 47 year-old man have changed slightly since I was a 22 year-old Lean Mean Fighting Machine.  What specific items are measured to generate this unique signature.  If my heart health changes (cholesterol, etc.), will I be locked out of my own Nymi-enabled devices?  While heart rate and heart beat are different things, I would assume that my heartbeat is one of the variables which goes into my unique signature.  What's the variance and/or tolerance rate of the device in this regard?  If (for example) I set Nymi at my resting heart rate just after I wake up, will I be unable to use it just after a workout when my heart beat is accellerated?  What if I get a pacemaker installed or need heart surgery (as another dear friend of mine is undergoing this week)?  Would those things change my characteristics to the point of needing to reset my Nymi -- and is such a reset possible?
  2. It's All About The Data.  What, specifically, is being transmitted by the Nymi?  Is is compared against a centrally-stored signature or is the authentication done in the local device?  If there is a centralized store of data, then I would want to know how Nymi is protecting that data.  If authentication is done locally in the Nymi device then I would expect that either a static or dynamic "go code" is sent to the authenticating system.  If the code is dynamic (similar, for instance, to the random RSA token), what's the schema used to generate the random code to ensure it can't be spoofed?  If it is static and tied to the individual Nymi device, then how is the code server secured?  (Note:  Nymi speaks often about its use of Bluetooh technology...but Bluetooh technology isn't foolproof or hackproof. :) )
  3. What's the Uplift?  The marketing campaign for Nymi is clearly geared to the consumer...but for this technology to work in as widespread a fashion as described there needs to be acceptance by enterprise-class users such as (for example) payment processors.  Given the highly-regulated nature of that industry (and the heightened level of  concern regarding data security these days), the questions listed in (2) above would have to be answered in meticulous detail before widespread adoption could take place.
Conclusions:  In an era where people are still using weak passwords and changing them infrequently,  convenient biometric solutions make sense; that being said, Nymi's marketing focus on privacy versus security leads me to believe that they mightn't be ready for security prime time just yet.  I would be reluctant to employ Nymi even on my personal devices until I got some answers to some fairly straightforward security questions...

...answers that, as of yet, aren't forthcoming.

My two cents...