Sunday, May 14, 2017

The dangers of centralized authentication




EXECUTIVE SUMMARY:  If your enterprise has several different systems controlled through a centralized authentication mechanism (a single username and password) and you do not have multi-factor authentication (receiving an SMS code, for example)... you are more than likely exposed far more than you think.

---

I didn't want to name any of the "cool" marketing terms we keep hearing, like SSO and Federated Identity Management.  These concepts are all great and bring a lot of value.  What if parts of this introduced behaviour that was much riskier than we all think?

Having a single username and password to access everything is nothing new.

What if it was a terrible idea ?

What if this "idea" was meant to be used a certain way, and we all ain't doing it.

I know.... ain't ain't a word, so how can this be true....

Read on....  because a client asked my opinion on something and my answer simply wasn't... "go ahead.... it's fine".  It occurred to me that a lot of enterprises are faced with this issue.

A while back, I did an intrusion test on a large brokerage firm that I happened to be a client of.  The reason I tested it was simple.... it smelt bad from the first welcome letter.

After compromising an administrator email account, I had access to everything.

When I contacted this company to explain to them that they had a major security flaw, the CEO and CIO did what they do best in publicly traded companies... they ignored me.

I had to light a few fires to get them to assign some poor soul to call me back.

NOTE:  Now lets be clear, I do not hack companies and then call them.  In this case, I was the client, and I suspected many things smelt bad so I did my due diligence and hired a professional to test them out.  The professional happened to be me.

When I finally talked to someone, they told me that under no circumstances had client data been exposed, that this was simply a breach of the company email system.

To this I replied as follows:

1) First off, your administrator had your website's new web certificate in his email, including the private key.  He must have emailed it to himself to then retrieve and install on your servers.  So you no longer have any security on your "transaction" servers, which do host very sensitive information.

2) The administrator credentials I now have in my possession have the following characteristics, which you might find of interest:

  • This is an Active Directory admin account
  • Your enterprise VPN is integrated into Active Directory
  • Your Citrix remote access, which is Internet facing, is integrated into Active Directory

I then paused for effect and waited to see if the lights were on or if I was talking to myself.....  After a longer pause than I was willing to wait for, I asked "do you understand what that means?"  The reply was both funny and frightening at the same time:  "Why is that a big deal?"

After a quick deep breath, I explained that since all their key technologies are plugged into Active Directory (AD) to validate usernames and passwords, once an account is compromised on one application (in this case the email system), the attacker can use that account to access everything else that user has access to.....

So why does this affect most companies?

A simple list of reasons really: simplicity and ease of access.

Add to that a lack of budget for doing things properly.

Everyone wants easy access to email.

Your company probably has webmail services.

Or minimally you can access your emails from your smart phone or tablet.

This means that an employee can use an insecure device (such as their own virus-infested home computer or, better yet, an Internet cafe or hotel computer) to access corporate email.

This means that this user's username and password could be captured by someone with malicious intent through any of these opportunities.

The reflex is always to think that "It's only email". 

First off, after hundreds of investigations over the years, it is NEVER just email.  Email alone exposes a list of concerns as long as the pills Donald Trump should be taking.

But in so many instances it also exposes the rest of the company through remote access connections, or even web-based applications reachable from anywhere on the Internet, using the same username and password because everything is integrated into one centralized authentication system.

So we covered simplicity and ease of use.... what about budget?

The bottom line is that centralizing is indeed a good idea, since it allows you more control.

The problem is that we are not putting in place the additional controls that centralization requires.

Think back, hundreds of years ago.  You put your money in the bank because it was safer.  You put your house's deed in a safety deposit box, because anyone with the papers essentially owns your house.  You did this because the bank has controls that are safer than under your mattress.  A simple example:  safety deposit boxes require two keys, and the role of the bank's key is to vet that you are on the authorized access list.

So what about our username and password to access our sensitive corporate systems ?  Where is the added security as we centralize all our applications into one pot of gold ?

Two-factor authentication (also called strong authentication) is the missing link.   Centralizing is fine IF you have strong authentication, and IF the second factor is enforced on every entry point that trusts the directory: webmail, VPN, Citrix and any cloud portal alike.  A second factor on the VPN alone does nothing for a password that was harvested through webmail.  An SMS code is better than nothing, but an authenticator app or hardware token holds up far better against phishing and SIM swapping.

Without it, enterprises must realize that allowing risky behaviour on some systems can open the door to more critical systems and assets...

So to summarize, if you have multiple systems and applications pulling authentication from AD, and also have web-based systems (such as email or business portals) that any of your staff can access from anywhere in the world....  you should be greatly concerned, because without two-factor authentication it is just a matter of time before this attack vector becomes your Saturday morning discussion.
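One way to see this cross-service exposure in your own logs, as an added example that is not part of the original post: the script below correlates successful sign-ins to Internet-facing, AD-integrated services (webmail, VPN, Citrix) per account and flags any account that authenticated to two or more of them from two or more external addresses inside a one-hour window. The log format, the service names, the internal address ranges and the sample records are all constructed assumptions; map them to your own SIEM fields.

```python
"""Correlate sign-ins across AD-integrated, Internet-facing services per account."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in an assumed key=value format (not from the post).
# jdoe's credential shows up on three entry points from two different outside
# addresses within twenty minutes; asmith uses webmail then VPN from one address;
# bwong only fails; cfox comes from internal ranges.
SAMPLE_LOG = """\
2017-05-12T08:01:12Z service=owa user=jdoe src=203.0.113.5 result=success
2017-05-12T08:14:40Z service=vpn user=jdoe src=198.51.100.23 result=success
2017-05-12T08:20:05Z service=citrix user=jdoe src=198.51.100.23 result=success
2017-05-12T09:00:00Z service=owa user=asmith src=203.0.113.77 result=success
2017-05-12T09:05:30Z service=vpn user=asmith src=203.0.113.77 result=success
2017-05-12T09:30:00Z service=owa user=bwong src=192.0.2.9 result=failure
2017-05-12T09:31:00Z service=owa user=bwong src=192.0.2.9 result=failure
2017-05-12T10:00:00Z service=citrix user=cfox src=10.20.30.40 result=success
2017-05-12T10:10:00Z service=vpn user=cfox src=10.20.30.41 result=success
"""

# Assumed: RFC 1918 space is "inside"; everything else is the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed names of the services that trust the directory and are reachable from outside.
INTERNET_FACING = {"owa", "vpn", "citrix"}


def parse_line(line):
    """Turn one record into a dict; the timestamp becomes a datetime for window arithmetic."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_external(ip_text):
    """True when the source address is outside the assumed internal ranges."""
    ip = ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_credential_reuse(log_text, window=timedelta(hours=1)):
    """Return {user: {"services": set, "sources": set}} for every account that
    successfully reached two or more Internet-facing services from two or more
    external addresses within `window`.  One address hitting several services is
    usually the same laptop; several addresses is what a stolen password looks like."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event["result"] != "success" or event["service"] not in INTERNET_FACING:
            continue
        if not is_external(event["src"]):
            continue
        per_user[event["user"]].append(event)

    alerts = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # Sliding window anchored on each event in turn.
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            services = {e["service"] for e in cluster}
            sources = {e["src"] for e in cluster}
            if len(services) >= 2 and len(sources) >= 2:
                alerts[user] = {"services": services, "sources": sources}
                break
    return alerts


if __name__ == "__main__":
    for user, detail in find_credential_reuse(SAMPLE_LOG).items():
        print(f"{user}: {sorted(detail['services'])} from {sorted(detail['sources'])}")
```

On the sample data only jdoe trips the rule. Note that a second factor on the VPN alone would not have changed that picture: the same password still opened webmail and Citrix, which is exactly the point of the post.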

---

Actually, now that I think about it, budget isn't really the issue.  I think senior managers might be.  I recall numerous times when senior management refused to do things the "secure way" because they find it uncomfortable.   "I don't want my workstation to lock me out when I don't use it for hours, this irks me.  Fix it because I'm the boss."

This kind of attitude is what often bites companies in the ass.

Since when do we let someone who does not have the competence to make these decisions make them?

Oh wait.... that happens a lot doesn't it.

Food for thought.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com


Tuesday, March 1, 2016

Are we sharing too much, and who is sharing it on our behalf!



If you haven't heard of TAKE THIS LOLLIPOP, it is worth your time. A great educational experience.


http://www.takethislollipop.com



It is an interactive film which accesses the viewer's Facebook profile and locates the viewer's home from data in their profile. It depicts the dangers in posting too much personal information on the Internet. 

Information gathered is then deleted which makes the film different for each viewer.... and safe....

It is an eye-opener for both techies and non-techies, and it is extremely well done.

Perhaps if everyone realized that not everyone on the Internet or in this case social media is your friend, information would be disclosed far less openly.

The more open and full your Facebook profile is, the more the film will hit home and make you think.

Come on Sandra you don't really have 1700 friends whom you trust with your personal information do you ?????
(reference to one of my Facebook friends, her name replaced to protect the innocent)

Now this applies to corporations also; after all, if your enterprise's password-retrieval security questions rely on voluntarily leaked information such as hometown, birthdate or favourite sports team, then you're exposed and chances are.... you don't realize it.

That is the thing with security (or insecurity): a malicious person will take the time to navigate the search engines and find all sorts of tidbits of information that can be accumulated to perform more intrusive social engineering attacks.

As a manager or senior executive, shouldn't you KNOW what information can be gathered or derived from your employees ?   I certainly think so.

There are tools out there, like theHarvester, a simple Python script that digs through Google, Bing and LinkedIn to gather email addresses that have been leaked (or published voluntarily).

Other interesting ones include:
PunkSpider, which indexes web pages with identified vulnerabilities
Shodan.io, which lists Internet-connected devices (IoT and otherwise) found by scanning
Censys.io, which scans and indexes Internet-facing hosts and certificates in a similar way

Are you listed in any of these ?   Is the information you uncover a surprise....

99.9% of enterprises have no idea what information about them is out there.  A determined attacker will find more than enough information to breach your enterprise security.

A good example is this article about a journalist who challenged (as in asked) a group of hackers to violate his digital world at Defcon 23.

This is him, amazed at what a social engineer is getting out of his own cell phone provider.  



A video and article worth taking a look at.

http://fusion.net/video/271750/real-future-episode-8-hack-attack/

There are privately developed tools that make use of multiple sources to look for meaning and collisions and help float to the top the most important elements.   My own company has a toolset that does just that, and so far, we have had a blast identifying leaks in seemingly prestigious and "secure" companies.


Now here is an idea.... we need an interactive TAKE THIS LOLLIPOP movie that targets enterprises.....  That sounds like a great summertime project.

Any takers ?

Call me !










Friday, February 19, 2016

How disconnected are the cerebellums of the CIA and FBI?

The last few weeks have been significantly active in the security world, constantly providing sitcom writers material to last a decade.  And.... I'm not even going to talk about Donald Trump.  

The FBI is sending out court orders to get Apple to put in back doors in an iPhone....

Hillary Clinton is being investigated by the FBI for her "sensitive email" issue....

And the FBI arrests a teenager for hacking into senior CIA & FBI officials emails....

Let's take a quick look at these events, and let's all realize how much we are being taken for fools.



First off, the FBI does not need Apple to get into the insides of an iPhone.  John McAfee is even offering to do it for free.  Thanks John.  In fact, I will offer to do it for free too; great publicity.

No worries, since the FBI will not let anyone try to get into that iPhone.  This case is about the government putting in place the mechanisms for killing privacy in general.  So don't be fooled by their request looking all normal because they need Apple to get into a terrorist's phone.  Whatever Apple could do, the United States Government can do, or get done.

But let's take a look at the MAJOR security issue around the Hillary Clinton and CIA/FBI email scandal.

Certainly we should be concerned that a senior government official who is representing "the people" and is supposed to be smart would expose sensitive information on her personal email system.

However, something much worse is not being discussed by the media.

How can someone, anyone, take top secret documents from a high security ecosystem and bring them into a less secure ecosystem (like Hillary's email server)?

Someone should be getting fired, and charged with some form of criminal negligence.

But WAIT!   It gets worse.

This week, HackerNews reported that a 16 year old hacker was arrested for breaking into emails of both the CIA and the FBI.

Take a look at these details (taken from the article):

What the hell is going on at the CIA and the FBI ????  Do they not have any security policies or "RULES" ?   Can anyone just do anything over there ?

Well, rest assured, if a normal person working at the CIA or FBI did anything this stupid, they would face the full power of the US government (sorry Snowden).  Yet in this case, just like Hillary, it will be a joke.

What am I referencing exactly...  Senior staff using PERSONAL EMAIL SYSTEMS (like AOL) to handle sensitive data.

These clowns are the real problem.   They knowingly allowed sensitive information to transit through insecure systems, therefore violating the agencies' CLEARLY DEFINED POLICIES.

Strangely, John Brennan, James Clapper and Mark Giuliano are not being charged, and have not been arrested...

Yet a 16 year old is being arrested.

Doing enterprise security assessments is often accompanied by attitudes that resemble this.

What people do not understand is that the security risk is coming from these individuals, not the 16 year old.

In fact, strangely enough, the 16 year old exposed the issue, brought it to light, and showed no strategy for making use of the information collected aside from foolishly publishing it.

Who is to say that someone truly malicious had not been reading these imbeciles' emails for months or years?

The 16 year old went out and published what he found and got caught.

The spies who are taking actions on US soil do not publish their findings for the world to see.  They gather the intelligence and take well educated actions.

Like corporate America, these senior executives are the weakest link, and will significantly and negatively impact security.

So when the FBI is done roasting the 16 year old, I hope they get their heads out of their asses and have the common sense to take legal action against their own clowns.

In the security industry, we call that the ROOT CAUSE.

You can't fix stupid, but you can fire stupid.




Thursday, November 19, 2015

Anonymous blunder - Anonymous hunts down ISIS social media accounts but drops the ball

Anonymous sets out to take down ISIS.  This sounds like great news, and certainly has potential, if only they had shut up about it.  But I guess that is a problem with the entire Anonymous protocol.





Sometimes, people don't get the big picture.


Hackers around the world rejoiced that ANONYMOUS took down over 5000 ISIS twitter accounts and a mix of other social media accounts the likes of Facebook.


I hung my head in shame.





Stepping on a cockroach just means a hundred more will spawn into existence.


Closing 5000 twitter accounts only means 5000 more will grow that you may not find.


Lesson in strategic defences


Whoever is behind this "anonymous" blunder actually had a brilliant idea for crowd sourcing intelligence gathering.   They just dropped the ball on what to do with this information. 


Information is power.


What should have been done is identify the social media accounts being used by these sorry excuses for carbon-based units (humans, for the non-Star Trek folks) and then hand them off to someone who can actually do something intelligent with the information.


Now you don't simply drop this on the NSA's or FBI's desk, because you want to make sure that the information is not held under lock and key within a single intelligence agency.


So what you do is gather the top 20 intelligence agencies, find their emails, and send the entire list of 5000 accounts to ALL agencies.


Now you don't use BCC to send it all off, you make sure they all know, that they all have the intel.


This way, spy agencies can do what they do.  Correlate the information, pull out the intelligence that can be pulled out and take action.


The process set forth by a faction calling itself Anonymous is brilliant; they even supply the Python scripts and the how-to instructions for identifying keywords (in Arabic) that would signal a potential terrorist supporter.


Since Anonymous is crowdsourcing this to non-speakers of the language, wouldn't it be best to eavesdrop on these conversations using folks who speak the language?  Yes, it would.


Trust me, the intelligence agencies have access to fluent speakers of almost any language even simplified Klingon.  (rur Sargh HuS jIH)


So as a community we should remember this.  There was indeed a better way to handle this and yield much more value.


Better luck next time!


By next week, there will be 500 new twitter accounts to identify.  


All is not lost.


I for one support Anonymous against ISIS.  Just not sure where to send my check or money donation ;-)  


I just hope the media can eventually grasp that they could be telling anonymous to do a better job.











Monday, October 5, 2015

Interac systems being targeted at retailers as criminals exploit them to the tune of $5000 a shot


Organized criminals are assaulting poorly secured payment terminals, leaving store owners to absorb the loss.

As various news agencies reported over the last few days, Interac card processing systems used in various retail operations are being targeted by criminals.


 TVA NOUVELLES - 25 septembre 2015


At a privately held fraud summit where I was invited to speak last week, it became clear that this is a pretty big problem, as police investigators started sharing their experiences following my talk, which touched briefly on the subject.  At least 20 cases in the room.

A specific service provider (EVALON) appears to be a common target, as their default password for performing a refund to a debit card is the ever-so-secure 0000.

Not only is this a bad password, it is also printed in the configuration manual available on the Internet.

The strategy is simple: two individuals go into a retail store (convenience store, restaurant, etc.) and purchase something.  When the debit machine is handed to the client, the accomplice distracts the clerk so his partner can cancel the transaction, activate the REFUND (CREDIT) function of the system using the 0000 password, and authorize a $5000 credit onto the criminal's debit card.

The store in question will only notice the issue when they attempt to balance out the sales transactions at the end of the day.

So far, the criminals have been smart enough to only use debit cards associated with bank accounts opened with false identities and not their own personal accounts.

BAD DESIGN

Three things stink to high heaven with all this.

1) The most obvious.... the code being 0000 on production systems is nothing short of mind blowingly stupid.

2) When they started receiving calls from their clients claiming they were robbed of $5000, why didn't the company supplying these devices reach out to its clients to tell them to change the 0000 password?

3) And finally, the most important one.....   Why is the system design stuck in the 1800s?  Any security engineer will tell you that the device should impose a password change during the initial configuration and activation process.  This means that before the new plastic smell is gone, and before the DNA of a second person touches the device, that password should have been changed.   Forcing the default password to be changed before the system accepts its first debit / credit card is the only reasonable design.

This is a beautiful example of lazy, low quality software engineering.

The company pushing these out the door to their "clients" is basically saying they prefer to rely on people reading the manual  and realizing the impact of not changing this code instead of locking it down right from the start.

Crossing your fingers hoping the end user gets it is not sound engineering.  Building it in a way that PREVENTS their clients from doing a stupid... stupid... thing... is the way to go.

Some retailers have nothing to worry about.  The processing architecture of many mature retailers relies on the POS system authorizing a credit, and only then will the payment terminal process it.  Limits are often imposed to further protect against abuse/fraud.

However, if you have an all-in-one independent POS/PT that is not attached to or controlled by an enterprise POS, you may be at risk.  You may want to make sure your password is of good quality, and that you have changed it at some point since the Spanish Inquisition so ex-employees don't still have it.
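As an added illustration, not the vendor's code and not from the article: the two terminal models below contrast the behaviour described above.  The first accepts the factory refund code indefinitely, with no limit and no POS check.  The second refuses to process any refund until the factory code has been replaced by one that is not on a weak list, locks after repeated wrong codes, caps the refund amount and requires the POS to have authorized the credit.  The code values, the weak-code list, the limit and the lockout threshold are assumptions chosen for the example.

```python
"""Default-credential refund flow (legacy) beside a hardened version."""
import hmac

FACTORY_REFUND_CODE = "0000"   # the shipped default described in the post
# Assumed deny-list of codes a merchant should not be allowed to pick.
WEAK_CODES = {"0000", "1111", "1234", "9999", "123456", "000000"}
MAX_FAILED_ATTEMPTS = 3        # assumed lockout threshold


def code_matches(expected, supplied):
    """Constant-time comparison so the code cannot be guessed digit by digit via timing."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


class LegacyTerminal:
    """Models the design the post criticizes: the factory code works on day one and forever."""

    def __init__(self):
        self.refund_code = FACTORY_REFUND_CODE

    def refund(self, code, amount):
        if not code_matches(self.refund_code, code):
            return (False, "bad refund code")
        return (True, f"refund of {amount:.2f} approved")


class HardenedTerminal:
    """Refuses refunds until the merchant has replaced the factory code, then enforces
    a lockout, a per-refund ceiling and a POS-side authorization."""

    def __init__(self, refund_limit=200.00, require_pos_auth=True):
        self.refund_code = FACTORY_REFUND_CODE
        self.activated = False
        self.refund_limit = refund_limit
        self.require_pos_auth = require_pos_auth
        self.failed_attempts = 0

    def activate(self, new_code):
        """First-boot step: the terminal is unusable for refunds until this succeeds."""
        if not new_code.isdigit() or len(new_code) < 6 or new_code in WEAK_CODES:
            return (False, "code refused: at least 6 digits and not a known-weak value")
        if len(set(new_code)) == 1:
            return (False, "code refused: a single repeated digit")
        self.refund_code = new_code
        self.activated = True
        self.failed_attempts = 0
        return (True, "activated")

    def refund(self, code, amount, pos_authorized=False):
        if not self.activated:
            return (False, "refund disabled: factory code has not been replaced")
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return (False, "refund locked: too many wrong codes, contact the provider")
        if not code_matches(self.refund_code, code):
            self.failed_attempts += 1
            return (False, "bad refund code")
        self.failed_attempts = 0
        if self.require_pos_auth and not pos_authorized:
            return (False, "refund requires authorization from the POS")
        if amount > self.refund_limit:
            return (False, f"refund of {amount:.2f} exceeds limit of {self.refund_limit:.2f}")
        return (True, f"refund of {amount:.2f} approved")


if __name__ == "__main__":
    # The attack from the post: factory code, $5000, nobody at the POS involved.
    print("legacy  :", LegacyTerminal().refund("0000", 5000.00))
    hardened = HardenedTerminal()
    print("hardened:", hardened.refund("0000", 5000.00))
    print("activate:", hardened.activate("739215"))
    print("hardened:", hardened.refund("739215", 5000.00, pos_authorized=True))
    print("hardened:", hardened.refund("739215", 150.00, pos_authorized=True))
```

The hardened model never asks the merchant to read the manual: the device simply will not credit a card until the default is gone, which is the design point made above.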



Now keep in mind that these systems have been thoroughly tested, attested and certified to be PCI-DSS compliant.  That was a joke by the way....  

As we can all see, there are three important life lessons learnt here:

1) Compliance does not mean secure.  

2) Common sense is not to be assumed. 

and 

3) Trust in your so called business partners to "do the right thing" is as ridiculous as having 1234 as your banking PIN.













Wednesday, September 2, 2015

Donald Trump will not be President

We live in an era where it is seemingly OK for a corporation to lie to both shareholders and clients.  A world that sees executives spending more time taking care of themselves than of their job's responsibilities.

Corporations that spend more on covering things up than on fixing root causes are becoming the norm; this is hurting our economy, and it is going to get a lot worse before it gets better.

The Ashley Madison case is a perfect example.   A company built on fake profiles and robots who entice the weak male species with a few automated sexy words, and false claims of security to make everyone feel good about it.  

Enter Donald Trump, running for president.  A man that most find revolting, yet some of the things he says are actually hitting a sensitive nerve.  It is difficult to argue that we do not need more transparency and blunt truths thrown at our faces.  I recently saw a speech he gave, and I hated him through the entire speech, yet couldn't disagree with him and the topics he was covering.   Well, it was only that one speech, the rest of his verbal diarrhea is just plain annoying.

If you haven't seen this video of President Obama taking a shovel to the old Donald's face along with FOX news and a few others, then your life is missing a great humorous segment.  When he lays into Donald Trump at 3:00 into the video, many will fall off their chair.  The entire segment is worth watching.

LINK HERE

So in an age where most of our entertainment revolves around fake reality shows, fake news, fake websites and essentially fake facts.   Trump with his fake hair seems like a clear winner.

He won't be.  Not as president anyways.  But rest assured, he will be winning the lottery.

The facts remain that in "America" as so many uneducated seem to call it not realizing the stupidity involved with that geographic statement..... people may be foolish and easily manipulated, but the powerful hold each other by the balls.  And the ultra powerful control the courts.  Every election involves politicians using trends and popular opinion to win votes.  Translated that means telling the people what they want to hear without giving a second thought to the real facts.  If telling people that we will build stairs to the moon gets votes, so be it.  Forget the fact that you cannot build stairs to the moon, these facts are boring.  Note, if you do not understand the numerous technical reasons we can't have stairs to the moon, keep right on calling the United States <America>.  ;-) Mexico, Canada and all that south part of the globe really don't care.

So back on the Trump bandwagon

You would be found to be very naive if you think that Trump has not violated any rules to get to his current standing.   

He may be a public favourite, yet everyone in his party would prefer he take up basket weaving.

He is saying a lot of things that please a lot of people.  A real politician really.  Yet, many of the things he says simply do not make him worthy of a world leader position.  If you have doubts on his classy act and have a few minutes to burn, this video should close the deal for you.  Top 10 crazy Donald Trump moments

For him, this is a play that will yield him awesome benefits.  

When he stands down for whatever reason he gives the public, there will have been a deal.  A deal that could involve looking the other way on things past, present, or to come.  A deal that will be worth millions if not billions for the old Trump.

Now if I'm wrong, the outcome is even funnier.  Can we all take a moment to imagine Donald Trump negotiating international policy and sitting across from Poutine.

Love him or hate him, we do need more transparency, and in Trump's case what you see is what you get.

I would buy tickets to that show.


Monday, August 24, 2015

ASHLEY MADISON are suicides the final straw? Open letter to our privacy commissioner and a call to arms for our journalists

People are now committing suicide because their lives have been impacted by this issue and it seems that we are only looking at the hackers and never really looking at the serious lack of ethics at Ashley Madison.




Over at Ashley Madison, the original landing page is back, complete with FALSE STATEMENTS about their outstanding security!

Class Action Lawsuits are being launched and should have no issue showing the lack of ethics that management has shown and continues to show.

Ashley Madison faces $578M Canadian class-action lawsuit

Yes, you read that correctly, LACK OF ETHICS at Ashley Madison.

I realize they are selling a service that many would find lacking in ethics, yet even a hitman is expected to follow certain basic rules that evade the management of Ashley Madison.

I would like to turn this blog post into an open letter addressed to the Canadian Privacy Commissioner, the law firms that are about to take an axe to the subject, and any journalist that wishes to ask that single question that kills:

QUESTION: Ashley, you claim to have a security certification or "award" as you call it, titled "TRUSTED SECURITY AWARD", can you provide the details of this award, and can we "see" the evaluation criteria and the audit report that surely accompanies such a prestigious award.

Here is the thing.  The main landing page was just put back to what is essentially the same as before the security issue, and there are numerous FALSE claims right there, right in your face.

You cannot just make up a trusted security award and give it to yourself.




You cannot claim 39,285,000 ANONYMOUS MEMBERS when your entire member list was just leaked.

You cannot claim 100% LIKE-MINDED PEOPLE when the entire world has seen your members list and at least 175,000 have downloaded it and gone through it and found an impressive amount of fake accounts. 

You cannot claim 100% DISCREET SERVICE because you have not even yet resolved the issue I blogged about several weeks ago about any intercepted emails from Ashley Madison allowing anyone in without asking for a username and password.

You certainly cannot claim all these things when people are now jumping off bridges because of your failure.

Yet you are doing exactly that.

You're also telling us in your press releases (along with a regular infusion of bullshit) that an impressive task force of law enforcement is working on this problem.

I'm sceptical here.  No one had died up until now, and to be honest, you're a bunch of clowns running a pretty shit quality service.  Sure the front page looks good, but clearly you have not invested in security practices that would make you proud.

I find it hard to believe that all these police agencies are going to invest an incredible amount of time and effort on this case, and....if they do, I would be very VERY upset that MY tax dollars are being spent looking for someone who has just slapped you around when you keep giving me endless reasons to actually fly to Toronto and smack you around myself.  Now, certainly the fact that people are committing suicide will place the case on the top of the list, but there are two criminal activities to investigate.

1) Lacking security at Ashley Madison, yet they continue to make claims of great security
2) Criminals stole Ashley Madison data

Both these things are criminal

Bottom line, Ashley, you suck and are as much responsible for the problem as the "evil" hackers that stole "our" data.

If you want to show the world you are a trustworthy enterprise, you should publish your system logs.  The logs that show the connection IP addresses for the last login from each user account.  We already have all the user accounts, why are you shy.  Perhaps you do not want the entire world to see your system logs, fine, get creative, send them to me, I will confirm what I see and destroy them when done.  Why are you not letting REAL experts look under the hood.

I will tell you why.  Fake profiles are pretty damned easy to spot when you have ALL the information.

Terrible security is equally easy to spot.  Criminally negligent is under the same banner.

Ashley doesn't want that.

Someone needs to start asking real questions about the numerous laws and privacy regulations that have been broken over at Ashley Madison.

Ashley Madison is offering $500,000 to catch the criminals behind the attack.

Is our government going to do their job and investigate Ashley Madison to the same extent....


To the law firms going after Ashley Madison, please call me.  I have a lot of interesting information to share with you.
