Saturday, September 9, 2017

Equifax is "SCREWING" their "customers".



This is an opinion piece... so grab a beer or a line of coke like the Equifax execs have been doing.






First, they have had repeated security issues, many of them reported to them, and they do nothing.  They have also had breaches in the past (2 others in the last year or so).


Second they appear to be taking full advantage of this "breach" in a way that Donald Trump would appreciate.

Hey, business is business, not my fault you happened to be bent over while I was getting ready to...  All right, let's keep it clean.

Researchers (friendly hackers) noticed something really cool about the NEW service being offered by Equifax to check if your data is part of the breach.

Drum roll please.....

It doesn't really matter what you enter: the answers are random, and they just want to push you to their TrustedID service.

Coincidentally, subscribing to this service means you are agreeing to their terms, and you give up your right to sue their sorry asses.

Take a look at this posting from Sarah Buhr at TechCrunch and your aggravation level is certain to rise, unless you're dead inside.


PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

A while back I wrote about the Ashley Madison "hack" and the fact that this company had proclaimed itself secure with a made-up Security Award.  Well... it seems they all went to the same business school: what Equifax is doing and how they are responding to this breach is in line with this type of business practice.

Combine all this with the fact that senior executives sold $2 million in stock prior to the announcement, and then add the unknown person or persons who shorted the stock and made another $4 million.... you have yourself a really nice picture generally called insider trading, along with a few more terms not fit for small children.


Suspect trading in Equifax options before breach might have generated millions in profit



This all points to something missing in our wonderful world called PENALTIES.   Not penalties for the enterprise; the executives do not care if the enterprise has to pay some penalties.  Penalties for the executives, including jail time when their actions are criminal in nature.

I'm not referencing the insider trading, which I hope is considered criminal.  I'm referencing the lack of respect for their customers' data and the willful blindness when serious security shortcomings are reported up the chain of command.

And by the way, why are we calling ourselves customers, when in fact we are their product, not their customers?  We are forced to deal with companies run by clowns, and the only time we are customers is if we subscribe to one of their shitty services to access our own damned data and make sure they are reporting accurately on it!  What world are we allowing ourselves to live in?

I have to pay a monthly fee to access my data that I never wanted these idiots to have.  Why?  Because the banks "need" it to authorize my mortgage.  We certainly don't want the banks taking too much risk.  Wait... didn't they seriously screw up a few years back and lend billions of dollars that they shouldn't have, and then the US government bailed them out and they all took in BONUSES!

If you want a really good laugh, take a look at Equifax's SOC 2 TYPE II attestation report.

https://www.equifax.com/assets/WFS/the_work_number_best_practices_in_data_security.pdf




Proof again that traditional auditing mechanisms are meaningless because people LIE.

Listen up folks:  Companies on the stock market are filled with executives who have ONE priority, themselves.  Therefore they LIE, COVER UP, and IGNORE some pretty significant elements that lead to events like this.  Their bonuses are dependent on everything looking great.

So there you have it folks.  A great big company, audited by other great big companies, compromised at all levels including ethically and morally.

No wonder I prefer family run businesses.  My two most significant clients are family run (one is $500M in revenue and the other is several billion) and, surprise surprise, when something comes up as a security risk, the CIO brings it to the CEO and no one hides anything.   They just manage the risk, take decisions, figure out how to be better and fix things.

Wow.... that's revolutionary.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com







Friday, September 8, 2017

Slow News Week


The quality of journalism can certainly be challenged these days.   It seems that in order to keep your job, the title of every article must sound alarming and catastrophic in nature to "sell print".

Sad really, since we end up with a feeling of fake news, and many other side effects.

However, a significant mass of people will be reading these articles and believing the negative feelings being conveyed.  

This morning, in Montreal's very popular "Journal de Montréal", we find an article titled "He receives a stranger's card", making reference to a medicare card.   Not a credit card, not a driver's license, but a medicare card.

Poor poor man.   How traumatizing to have received your own card along with a stranger's.  How will you sleep through the night and get to work on Monday?

If you ordered underwear from Amazon and received someone else's order of socks would you call the newspaper or would you call Amazon to have the error corrected?

This is not the first time a shit article has been written on a shit subject.   Last year, someone received something from the government that was misaddressed and the newspaper did the same type of article.

Let's look at the risk.

The medicare card has only one piece of sensitive information: your birthdate.  Combined with your name, the person who erroneously received your card now has a piece of plastic, with physical countermeasures similar to a credit card, that has your picture, name and date of birth on it.

What is the risk here..... well....  if the person who received it is Frank Abagnale then maybe he can cannibalise the card, change the picture and use it to get free medical services.  Frank wouldn't have your address or know where you bank, so the damages to you are limited, to say the least.

In order to sound like a journalist, let me say it this way..... 

"The statistics demonstrate that sending a random medicare card to a random individual will not result in that card being used maliciously"

Did I say statistics... sorry I meant common sense.

"A random citizen does not have access to the talent required to fraudulently use someone else's medicare card"

"A random citizen doesn't have access to the underground networks that use false medicare cards for profit"

Oh oh oh wait.... here is a good one...

"A random citizen can't do shit with your name and date of birth and your ugly mug shot".   That is usually the same pairing of information that most idiots share with their 800 Facebook "friends".

As another note.....  news is supposed to be pertinent (in my opinion).  These types of articles only make the security-uneducated worry about something that is out of context and of no value.  The fact that a rubber bushing on an envelope-stuffing machine felt fat one morning and spewed two cards into an envelope instead of just one is about as newsworthy as watching paint dry or linoleum curl under high humidity.

Imagine your next family gathering where grandma wobbles over to her security expert grandson and asks "How bad is it dear, am I going to lose my medicare, I read that they sent my card to the wrong address".

Charming.

I'm pretty convinced that there are large masses of worthy subjects to investigate and report on.   

This happens in security articles too.

Take this example: 


Bug in Windows Kernel Could Prevent Security Software From Identifying Malware




According to Microsoft, this isn't a bug, it's a design feature.   Sure, we can argue that Microsoft is covering their asses, but the article actually stipulates Microsoft's response.   So in my opinion, the article title should have been "Windows Kernel Design makes security software creators work for their money".... but that is far less catchy!

_______________________________________________



Sunday, May 14, 2017

The dangers of centralized authentication




EXECUTIVE SUMMARY:  If your Enterprise has many different systems controlled through a centralized authentication mechanism (a single username and password) and you do not have multi-factor authentication (receiving an SMS, for example)... you are more than likely exposed far more than you think.

---

I didn't want to name any of the "cool" marketing terms we keep hearing, like SSO and Federated Identity Management solutions.  These concepts are all great and bring a lot of value.  What if parts of this introduced behaviour that was much riskier than we all think?

Having a single username and password to access everything is nothing new.

What if it was a terrible idea ?

What if this "idea" was meant to be used a certain way, and we all ain't doing it.

I know.... ain't ain't a word, so how can this be true....

Read on....  because a client asked my opinion on something and my answer simply wasn't... "go ahead.... it's fine".  It came to mind that a lot of Enterprises are faced with this issue.

A while back, I did an intrusion test on a large brokerage firm that I happened to be a client of.  The reason I tested it was simple.... it smelt bad from the first welcome letter.

After compromising an administrator email account, I had access to everything.

When I contacted this company to explain to them that they had a major security flaw, the CEO and CIO did what they do best in traded companies... they ignored me.  

I had to light a few fires to get them to assign some poor soul to call me back.

NOTE:  Now let's be clear, I do not hack companies and then call them.  In this case, I was the client, and I suspected many things smelt bad, so I did my due diligence and hired a professional to test them out.  The professional happened to be me.

When I finally talked to someone, they told me that under no circumstances had client data been exposed, that this was simply a breach of the company email system.

To this I replied as follows:

1) First off, your administrator had your website's new certificate in his email, including the private key.  He must have emailed it to himself to then retrieve and install on your servers.  So you no longer have any security on your "transaction" servers, which do host very sensitive information.

2) The administrator credentials I now have in my possession have the following characteristics which you might find of interest:


  • This is an Active Directory admin account
  • Your enterprise VPN is integrated into Active Directory
  • Your Citrix remote access, which is Internet facing, is integrated into Active Directory.

I then paused for effect and waited to see if the lights were on or if I was talking to myself.....  after a longer pause than I was willing to wait for, I asked "do you understand what that means", and the reply was both funny and frightening at the same time.  "Why is that a big deal?"

After a quick deep breath, I explained that since all their key technologies are plugged into A/D to validate usernames and passwords, once an account is compromised on one application (in this case the email system), the attacker can use that account to access everything else the user has access to.....

So why does this affect most companies?

A simple list of reasons really.  Simplicity & ease of access.

Add to that lack of budget for good form.

Everyone wants easy access to email.

Your company probably has webmail services.

Or minimally you can access your emails from your smart phone or tablet.

This means that an employee can use an insecure device (such as their own virus infested home computer, or better yet, an Internet Cafe or Hotel computer) and access corporate email.

This means that this user's username and password could be captured by someone with malicious intent through any of these opportunities.

The reflex is always to think that "It's only email". 

First off, after hundreds of investigations over the years, it is NEVER just emails.  Emails alone expose a list of concerns as long as the pills Donald Trump should be taking.

But in so many instances it exposes the rest of the company through remote access connections or even web-based applications that are available from the Internet from anywhere in the world, perhaps using the same username and password because it is all integrated within a centralized authentication system.

So we covered simplicity and ease of use.... what about budget?

The bottom line is that centralizing is indeed a good idea, since it allows you to have more control.

The problem is we are not putting in place "more" control to the level that we need.

Think back, hundreds of years ago.  You put your money in the bank because it was safer.  You put your house's deed in a safety deposit box, because anyone with the papers essentially owns your house.  You did this because the bank has controls that are safer than underneath your mattress.  A simple example:  safety deposit boxes require two keys, and the role of the bank's key is to vet that you are on the authorized access list.

So what about our username and password to access our sensitive corporate systems?  Where is the added security as we centralize all our applications into one pot of gold?

Two-factor authentication (also called strong authentication) is the missing link.   Centralizing is fine IF you have strong authentication.

Without it, enterprises must realize that if they allow risky behaviour on some systems, this could allow access to more critical systems and assets... 

So to summarize: if you have multiple systems and applications pulling authentication from A/D, and also have web-based systems (such as email or business portals, etc.) that any of your staff can access from anywhere in the world....  you should be greatly concerned, because without two-factor authentication it is just a matter of time before this attack vector becomes your Saturday morning discussion.
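The blast radius described above, turned into a check you can run against your own application inventory. This is an added example written for this page, not the author's tooling or anything the brokerage ran; the service list, the field names (auth_source, internet_facing, grants_network, mfa) and the rule that one directory password opens every password-only, directory-bound service are constructed assumptions shaped like the story. Run it once against the inventory as shipped, then again after enforcing a second factor on the Internet-facing services.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Service:
    name: str
    auth_source: str        # "AD": validated against the central directory; "local": own user store
    internet_facing: bool   # can be logged into from anywhere, no corporate network needed
    grants_network: bool    # a successful login puts the attacker on the internal network (VPN, Citrix)
    mfa: bool               # a second factor is demanded on top of the password


# Constructed inventory (an assumption for the example), shaped like the brokerage in the story.
INVENTORY = [
    Service("webmail",     "AD",    True,  False, False),
    Service("vpn",         "AD",    True,  True,  False),
    Service("citrix",      "AD",    True,  True,  False),
    Service("file-server", "AD",    False, False, False),
    Service("hr-portal",   "local", True,  False, False),
]


def blast_radius(inventory, captured_on):
    """Names of the services an attacker can open with ONLY the password captured on `captured_on`.

    Rule modelled: one directory password works on every directory-bound service that
    does not demand a second factor.  Internet-facing ones fall immediately; internal-only
    ones fall as soon as one of the reachable services (VPN, Citrix) lands the attacker
    on the network.
    """
    source = next(s for s in inventory if s.name == captured_on)
    if source.auth_source != "AD":
        # A local account is only good for the one system it belongs to.
        return set() if source.mfa else {source.name}
    password_only = [s for s in inventory if s.auth_source == "AD" and not s.mfa]
    reachable = {s.name for s in password_only if s.internet_facing}
    if any(s.grants_network for s in password_only if s.internet_facing):
        reachable |= {s.name for s in password_only if not s.internet_facing}
    return reachable


def exposures(inventory):
    """Internet-facing, directory-bound services still guarded by a password alone: fix these first."""
    return [s.name for s in inventory
            if s.auth_source == "AD" and s.internet_facing and not s.mfa]


def with_mfa(inventory, names):
    """Copy of the inventory with a second factor enforced on the named services."""
    names = set(names)
    return [replace(s, mfa=True) if s.name in names else s for s in inventory]


if __name__ == "__main__":
    print("password lifted from webmail opens:", sorted(blast_radius(INVENTORY, "webmail")))
    print("password-only, Internet-facing, AD-bound:", exposures(INVENTORY))
    hardened = with_mfa(INVENTORY, exposures(INVENTORY))
    print("same password after MFA on those:", sorted(blast_radius(hardened, "webmail")))
```

Note what a partial fix buys you: putting a second factor on the VPN and Citrix alone still leaves webmail open to the captured password, but it does cut off the internal file server, because nothing reachable with a password alone lands the attacker on the network any more.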

---

Actually, now that I think about it, budget isn't really the issue.  I think senior managers might be.  I recall numerous times when senior management refused to do things the "secure way" because they find it uncomfortable.   I don't want my workstation to lock me out when I don't use it for hours, this irks me.  Fix it because I'm the boss.

This kind of attitude is what often bites companies in the ass.

Since when do we let someone who does not have the competence to make these decisions decide?

Oh wait.... that happens a lot doesn't it.

Food for thought.


_______________________________________________



Tuesday, March 1, 2016

Are we sharing too much, and who is sharing it on our behalf?



If you haven't heard of TAKE THIS LOLLIPOP, it is worth your time.  A great educational experience.


http://www.takethislollipop.com



It is an interactive film which accesses the viewer's Facebook profile and locates the viewer's home from data in their profile.  It depicts the dangers of posting too much personal information on the Internet.

The information gathered is then deleted, which makes the film different for each viewer.... and safe....

It is an eye opener for both techies and non-techies, and it is extremely well done.

Perhaps if everyone realized that not everyone on the Internet or in this case social media is your friend, information would be disclosed far less openly.

The more open and full your Facebook profile is, the more the film will hit home and make you think.

Come on Sandra, you don't really have 1700 friends whom you trust with your personal information, do you?
(reference to one of my Facebook friends, her name replaced to protect the innocent)

Now this applies to corporations also; after all, if your enterprise's password-reset security questions rely on voluntarily leaked information such as hometown, birthdate, or favourite sports team, then you're exposed and chances are.... you don't realize it.

That is the thing with security (or insecurity), a malicious person will take the time to navigate the search engines and find all sorts of tidbits of information that can be accumulated to perform more intrusive social engineering attacks.

As a manager or senior executive, shouldn't you KNOW what information can be gathered or derived from your employees ?   I certainly think so.

There are tools out there, like theHarvester (theHarvester.py), a simple Python script that digs through Google, Bing and LinkedIn to gather email addresses that have been leaked (published voluntarily).

Other interesting ones include:
PunkSpider which indexes web pages with identified vulnerabilities
Shodan.io which lists IoT (Internet of Things) devices found on the Internet
Censys.io which does something similar...

Are you listed in any of these?   Is the information you uncover a surprise....

99.9% of enterprises have no idea what information about them is out there.  A determined attacker will find more than enough information to breach your enterprise security.

A good example is this article about a journalist who challenged (as in asked) a group of hackers to violate his digital world at DEF CON 23.

This is him, amazed at what a social engineer is getting out of his own cell phone provider.  



A video and article worth taking a look at.

http://fusion.net/video/271750/real-future-episode-8-hack-attack/

There are privately developed tools that make use of multiple sources to look for meaning and collisions and help float to the top the most important elements.   My own company has a toolset that does just that, and so far, we have had a blast identifying leaks in seemingly prestigious and "secure" companies.


Now here is an idea.... we need an interactive TAKE THIS LOLLIPOP movie that targets enterprises.....  That sounds like a great summer time project.

Any takers ?

Call me !



_______________________________________________








Friday, February 19, 2016

How disconnected are the cerebellums of the CIA and FBI?

The last few weeks have been significantly active in the security world, constantly providing sitcom writers material to last a decade.  And.... I'm not even going to talk about Donald Trump.  

The FBI is sending out court orders to get Apple to put back doors into an iPhone....

Hillary Clinton is being investigated by the FBI for her "sensitive email" issue....

And the FBI arrests a teenager for hacking into senior CIA & FBI officials emails....

Let's take a quick look at these events, and let's all realize how much we are being taken for fools.



First off, the FBI does not need Apple to get into the insides of an iPhone.  John McAfee is even offering to do it for free.  Thanks John.  In fact, I will offer to do it for free too, great publicity.

No worries since the FBI will not let anyone try to get into that iPhone.  This case is about the government putting in place the mechanisms for killing privacy in general.  So don't be fooled by their request looking all normal because they need Apple to get into a terrorists phone.  Whatever Apple could do, the United States Government can do, or get done.

But lets take a look at the MAJOR security issue around the Hillary Clinton and CIA/FBI email scandal.

Certainly we should be concerned that a senior government official who is representing "the people" and is supposed to be smart would expose sensitive information on her personal email system.

However, something much worse is not being discussed by the media.

How can someone, anyone, take top secret documents from a high-security ecosystem and bring them into a less secure ecosystem (like Hillary's email server)?

Someone should be getting fired, and charged with some form of criminal negligence.

But WAIT!   It gets worse.

This week, The Hacker News reported that a 16-year-old hacker was arrested for breaking into the emails of both CIA and FBI officials.

Take a look at these details (taken from the article):

What the hell is going on at the CIA and the FBI????  Do they not have any security policies or "RULES"?   Can anyone just do anything over there?

Well, rest assured, if a normal person working at the CIA or FBI did anything this stupid, they would face the full power of the US government (sorry Snowden).  Yet in this case, just like Hillary, it will be a joke.

What am I referencing exactly...  Senior staff using PERSONAL EMAIL SYSTEMS (like AOL) to handle sensitive data.

These clowns are the real problem.   They knowingly allowed sensitive information to transit through insecure systems, therefore violating the agencies' CLEARLY DEFINED POLICIES.

Strangely, John Brennan, James Clapper and Mark Giuliano are not being charged, and have not been arrested...

Yet a 16-year-old is being arrested.

Doing enterprise security assessments is often accompanied by attitudes that resemble this.

What people do not understand is that the security risk is coming from these individuals, not the 16-year-old.

In fact, strangely enough, the 16-year-old exposed the issue, brought it to light, and showed no strategy for making use of the information collected aside from foolishly publishing it.

Who is to say that someone truly malicious had not been reading these imbeciles' emails for months or years?

The 16-year-old went out and published what he found and got caught.

The spies who are taking actions on US soil do not publish their findings for the world to see.  They gather the intelligence and take well educated actions.

Like corporate America, these senior executives are the weakest link, and will significantly and negatively impact security.

So when the FBI is done roasting the 16-year-old, I hope they get their heads out of their asses and have the common sense to take legal action against their own clowns.

In the security industry, we call that the ROOT CAUSE.

You can't fix stupid, but you can fire stupid.


_______________________________________________



Thursday, November 19, 2015

Anonymous blunder - Anonymous hunts down ISIS social media accounts but drops the ball

Anonymous sets out to take down ISIS.  This sounds like great news, and certainly has potential, if only they would have shut up about it.  But I guess that is a problem with the entire Anonymous protocol.





Sometimes, people don't get the big picture.


Hackers around the world rejoiced that ANONYMOUS took down over 5000 ISIS Twitter accounts and a mix of other social media accounts, the likes of Facebook.


I hung my head in shame.





Stepping on a cockroach just means a hundred more will spawn into existence.


Closing 5000 Twitter accounts only means 5000 more will grow that you may not find.


Lesson in strategic defences


Whoever is behind this "anonymous" blunder actually had a brilliant idea for crowd-sourcing intelligence gathering.   They just dropped the ball on what to do with this information.


Information is power.


What should have been done is identify the social media accounts being used by these sorry excuses for carbon-based units (humans, for the non-Star Trek folks) and then hand them off to someone who can actually do something intelligent with the information.


Now you don't simply drop this on the NSA's or FBI's desk, because you want to make sure that the information is not held under lock and key within a single intelligence agency.


So what you do is gather the top 20 intelligence agencies, find their emails, and send the entire list of 5000 accounts to ALL agencies.


Now you don't use BCC to send it all off; you make sure they all know that they all have the intel.


This way, spy agencies can do what they do.  Correlate the information, pull out the intelligence that can be pulled out and take action.


The process set forth by a faction calling themselves Anonymous is brilliant; they even supply the Python scripts and the how-to instructions for identifying key words (in Arabic) that would signal a potential terrorist supporter.


Since Anonymous is crowd-sourcing to non-speakers of the language, wouldn't it be best to eavesdrop on these conversations using folks who speak the language.... yes it would.


Trust me, the intelligence agencies have access to fluent speakers of almost any language, even simplified Klingon.  (rur Sargh HuS jIH)


So as a community we should remember this.  There was indeed a better way to handle this and yield much more value.


Better luck next time!


By next week, there will be 500 new Twitter accounts to identify.


All is not lost.


I for one support Anonymous against ISIS.  Just not sure where to send my check or money donation ;-)  


I just hope the media can eventually grasp that they could be telling Anonymous to do a better job.



_______________________________________________









Monday, October 5, 2015

Interac systems being targeted at retailers as criminals exploit them to the tune of $5000 a shot


Organized criminals are attacking poorly secured payment terminals, leaving store owners to absorb the loss.

As various news agencies reported over the last few days, Interac card processing systems used in various retail operations are being targeted by criminals.


TVA Nouvelles, 25 September 2015


At a privately held Fraud Summit at which I was invited to speak last week, it became clear that this is a pretty big problem, as police investigators started sharing their experiences following my talk, which touched briefly on the subject.  At least 20 cases in the room.

A specific service provider (Elavon) appears to be a common target, as their default password for performing a refund to a debit card is the ever-so-secure 0000.

Not only is this a bad password, it is also printed in the configuration manual available on the Internet.

The strategy is simple: two individuals go into a retail store (convenience store, restaurant, etc.) and purchase something.  When the debit machine is handed to the client, the accomplice distracts the clerk so his partner can cancel the transaction and activate the REFUND (CREDIT) function of the system, using the 0000 password and authorizing a $5000 credit onto the criminal's debit card.

The store in question will only notice the issue when they attempt to balance out the sales transactions at the end of the day.

So far, the criminals have been smart enough to only use debit cards associated with bank accounts opened with false identities and not their own personal accounts.

BAD DESIGN

Three things stink to high heaven with all this.

1) The most obvious.... the code being 0000 on production systems is nothing short of mind-blowingly stupid.

2) When they started receiving calls from their clients claiming they were robbed of $5000, why didn't the company supplying these devices reach out to their clients to explain that they should change their 0000 password?

3) And finally, the most important one.....   Why is the system design stuck in the 1800s?  Any security engineer will tell you that the device should impose a password change during the initial configuration and activation process.  This means that before the new-plastic smell is gone, and before the DNA of a second person touches the device, that password should have been changed.   A default password that must be changed before the system accepts its first debit / credit card is the only reasonable design.

This is a beautiful example of lazy, low quality software engineering.

The company pushing these out the door to their "clients" is basically saying they prefer to rely on people reading the manual and realizing the impact of not changing this code, instead of locking it down right from the start.

Crossing your fingers and hoping the end user gets it is not sound engineering.  Building it in a way that PREVENTS their clients from doing a stupid... stupid... thing... is the way to go.

Some retailers have nothing to worry about.  The processing architecture of many mature retailers often relies on the POS system authorizing a credit, and only then will the payment terminal process it.  Limits are often imposed to further protect against abuse/fraud.

However, if you have an all-in-one independent POS/PT that is not attached to or controlled by an enterprise POS, you may be at risk.  You may want to make sure your password is of good quality, and that you have changed it at some point since the Spanish Inquisition, so ex-employees don't still have it.
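What "change the default before the first transaction" and "the POS authorizes the credit first" look like in code, as an added example for this page (not the firmware of any real terminal or processor): a Python model of a refund control that accepts the factory code for activation only, refuses trivial replacement codes, caps refunds, and demands a single-use POS authorization (an HMAC over the specific transaction reference and amount) for anything above a threshold. The factory code 0000 is the one described above; the limits, the HMAC scheme, the `pos_authorize` helper, the transaction references and the key are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

FACTORY_REFUND_CODE = "0000"                       # the shipped default discussed above
DENY_LIST = {"0000", "1111", "1234", "4321", "123456", "654321", "111111"}


class TerminalError(Exception):
    """Every refused operation raises this; the reason is also written to the journal."""


def pos_authorize(pos_key: bytes, txn_ref: str, amount_cents: int) -> str:
    """What the merchant's POS sends to approve one specific refund (constructed scheme)."""
    msg = f"REFUND:{txn_ref}:{amount_cents}".encode()
    return hmac.new(pos_key, msg, hashlib.sha256).hexdigest()


def is_weak_code(code: str) -> bool:
    """Reject short, non-numeric, single-digit-repeated or well-known codes."""
    return (len(code) < 6 or not code.isdigit() or len(set(code)) == 1
            or code in DENY_LIST or code == FACTORY_REFUND_CODE)


class Terminal:
    def __init__(self, pos_key: bytes, refund_limit_cents: int = 50_000,
                 pos_auth_above_cents: int = 10_000):
        self._salt = os.urandom(16)
        self._code_hash = self._hash(FACTORY_REFUND_CODE)
        self.activated = False                     # only flips once the factory code is replaced
        self._pos_key = pos_key
        self._used_refs = set()                    # POS authorizations are single-use
        self.refund_limit_cents = refund_limit_cents
        self.pos_auth_above_cents = pos_auth_above_cents
        self.journal = []

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def _code_ok(self, code: str) -> bool:
        return hmac.compare_digest(self._hash(code), self._code_hash)

    def _refuse(self, reason: str):
        self.journal.append(("REFUSED", reason))
        raise TerminalError(reason)

    def activate(self, current_code: str, new_code: str) -> None:
        """Initial configuration: the only operation the factory code is ever accepted for."""
        if not self._code_ok(current_code):
            self._refuse("current refund code rejected")
        if is_weak_code(new_code):
            self._refuse("new refund code refused: too short, trivial or a known default")
        self._code_hash = self._hash(new_code)
        self.activated = True
        self.journal.append(("ACTIVATED", "factory refund code replaced"))

    def refund(self, amount_cents: int, code: str, txn_ref: str,
               pos_auth: Optional[str] = None) -> dict:
        """Credit a card.  Refused outright while the factory code is still in place."""
        if not self.activated:
            self._refuse("not activated: factory refund code still in place")
        if not self._code_ok(code):
            self._refuse("wrong refund code")
        if amount_cents <= 0 or amount_cents > self.refund_limit_cents:
            self._refuse(f"{amount_cents} cents is outside the refund limit")
        if amount_cents > self.pos_auth_above_cents:
            expected = pos_authorize(self._pos_key, txn_ref, amount_cents)
            if pos_auth is None or not hmac.compare_digest(pos_auth, expected):
                self._refuse("refund above threshold needs a valid POS authorization")
            if txn_ref in self._used_refs:
                self._refuse("POS authorization already used")
            self._used_refs.add(txn_ref)
        self.journal.append(("APPROVED", txn_ref, amount_cents))
        return {"txn_ref": txn_ref, "amount_cents": amount_cents, "status": "APPROVED"}


def refused(fn, *args, **kwargs) -> bool:
    """True when the terminal refused the operation."""
    try:
        fn(*args, **kwargs)
    except TerminalError:
        return True
    return False


def walkthrough(pos_key: bytes = b"constructed-pos-key") -> dict:
    """The fraud from the article replayed against this design; returns what was refused/approved."""
    t = Terminal(pos_key)
    out = {}
    out["refund_before_activation"] = refused(t.refund, 500_000, FACTORY_REFUND_CODE, "r0")
    out["keep_0000"] = refused(t.activate, FACTORY_REFUND_CODE, "0000")
    out["pick_1234"] = refused(t.activate, FACTORY_REFUND_CODE, "1234")
    out["activated"] = not refused(t.activate, FACTORY_REFUND_CODE, "837264")
    out["factory_code_after_activation"] = refused(t.refund, 2_000, FACTORY_REFUND_CODE, "r1")
    out["small_refund"] = t.refund(2_000, "837264", "r2")["status"]
    out["five_thousand_dollars"] = refused(t.refund, 500_000, "837264", "r3")
    out["large_without_pos"] = refused(t.refund, 20_000, "837264", "r4")
    auth = pos_authorize(pos_key, "r5", 20_000)
    out["large_with_pos"] = t.refund(20_000, "837264", "r5", auth)["status"]
    out["replayed_pos_auth"] = refused(t.refund, 20_000, "837264", "r5", auth)
    out["tampered_amount"] = refused(t.refund, 30_000, "837264", "r6", auth)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:32} {result}")
```

The point of the walkthrough is the first line: the $5000 refund attempted with 0000 on a terminal straight out of the box is refused before the code is even checked, because the device has no "activated" state until somebody replaces the factory code. Everything after that (the limit, the POS authorization, the single-use reference) is defence in depth for the independent POS/PT case where there is no enterprise POS in front of the terminal.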



Now keep in mind that these systems have been thoroughly tested, attested and certified to be PCI-DSS compliant.  That was a joke by the way....  

As we can all see, there are three important life lessons learnt here:

1) Compliance does not mean secure.  

2) Common sense is not to be assumed. 

and 

3) Trust in your so-called business partners to "do the right thing" is as ridiculous as having 1234 as your banking PIN.



_______________________________________________
