Monday, December 18, 2017

The positive blog entry - Launching 2018 on the right foot.

One of my security guru friends (Robert) challenged me to make a positive blog post, as many (most...well... all) of my posts involve some level of aggressiveness towards human stupidity.

I committed to producing a light-hearted, positive post before the end of the year.

Here goes.



Many years ago, I stated that just when you feel you have hit the bottom of the human stupidity barrel, you find a false bottom and the rabbit hole goes even deeper.



It took a 30 year career to finally come across an entire ecosystem that did not follow the same negative progression of downhill motion that I observed in so many enterprises.

As a security professional, I spend most of my time explaining risks to some level of management and watching the message die at that level.  Rarely are the board members advised of serious issues, and senior management usually stays in the dark.  This is mostly based on people's Egos, with a capital E.  So I spend a lot of time trying to get the message to the right people.  In fact, that is why at the start of 2010 I decided to move to senior management coaching almost exclusively.

Enter a new client, circa 2014.

I'm brought in by a friend and told very little about the client, aside from the type of business and their yearly revenue.   The numbers being large, I first refuse the client, as I do not want another "traded" company in my client portfolio.   Traded companies are synonymous with cover ups, lies and messages that do not get to the top.

Robert.... wait for it.... this is really positive!

My friend explains that this is a privately owned company, and that the CIO is a really nice guy.

Strike two.  Security reporting to the CIO is a nightmare scenario.   A daily conflict of interest.  The security initiatives essentially critique the CIO.  Who wants to live through that?

For some strange reason, I still went to the meeting.  After all, I am an optimist.

Hence started a long term relationship that I qualify as one of the best of my career.

It had to happen at some point, statistically these ingredients had to exist somewhere.

I started working with the CIO and the staff that comprised the IT team, and started seeing the light that was missing for so long in so many places.  The staff is overworked and understaffed, same as in all enterprises, however they are professional, knowledgeable and usually pretty reasonable.

You see, this client is fundamentally different.   No one is lying.  If it's blue it's blue, if it's orange with green dots... so be it.

That's right, people just say what they think, and you don't get shot in the face, fired, pushed aside or asked to leave the tribe.

When highlighting some security issues, management wants them fixed.  All of it.   I found myself in a new situation.  One that reversed my role of 30 years.   You see, at this client, you have to do two very important things:

1) Prioritize security issues based on risk
2) Push back and refuse to address all of them based on the identified risks

Number 2 isn't new, it's the basis of risk management, but REFUSING to allow them to fix something is.  In other words, I actively participate in saying NO we are not going to fix that.

Like many large enterprises, external audits happen.  At one point we get a bunch of enlightened auditors who find some really important findings (sarcasm is positive....)

Here are two examples (classics for auditors who might not have a strong technical background):

a) SNMP using public community strings for hardware that isn't important and isn't manageable through SNMP (only statistics can be accessed).

b) Outdated network hardware managed through HTTP.

So what do you think happened?   It was a priority to fix all issues, including these two lame ducks.  The security team's role was to say NO, we are not wasting (sorry... positive terms.... investing) valuable time in addressing these findings.

The reasoning is simple: (A) cannot be used to reap any benefits, and (B) uses a unique password, over a switched internal network, is used less than once a year, on outdated hardware, with no value once compromised.

So we wrote up a derogation stating why we weren't going to fix it, and the CEO signed off on it.    That's right, the CEO wants to see everything and wants to keep informed of our security posture.  And he doesn't just want to sign off on it, he wants to understand it.

This still makes my eyes tear up.  A series of senior managers who accept their current condition, want to be aware and take the best decisions, AND decide to take actions as required and as identified by the experts they have in their teams.

Holy shit.

In fact, perhaps I shouldn't write this part down....

A few weeks ago, I stumbled on something security related, and I immediately (like a high school freshman) fired off an email to inform the CIO that I was investigating XYZ.

Well that genius went and told the CEO immediately !   

My phone rings, it's the CIO.  He says "hey about that thing, the CEO would like an update this afternoon"

Son of a bitch !   An update !   I don't even know what is going on yet and I'm the one who saw it first !

I've never had this issue to manage ! 

For the first time in my life, the entire ecosystem is transparent and I have to take a pause and figure it all out (mostly) before sending a memo if I don't want to be questioned about how we are going to fix it before I know what it is!

This being all said, the security admin and I now have an agreement that we should hold off for at least an hour and figure things out before we tell anyone.

A long way from the usual attitude of telling senior management years later that most companies seem to have.



Note for my client:  Don't worry.... wink wink...  we will tell you immediately if it seems grave.  But like all emergencies, we will gather a reasonable amount of information to better communicate the actual situation to you before plugging you into a cerebellum.  





So in this holiday season, I count my blessings to have had the chance to come across an enterprise with good family values across all layers.

Are there things that can be improved?  Of course.  From a security point of view, this is the healthiest attitude I have seen in any enterprise.

Perhaps as far as attitude is concerned, this company should write a book.

This by far is the most positive experience I have had as acting CSO in any enterprise.

So there you have it Robert, one positive post, with a dabble of sarcasm, a little bit of realism and a lot of hope for other enterprises.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com

'Tis the season.... to fall victim to scams

Friendly reminder that during the holiday period, an increase in scams of all kinds takes place.


I just received this very legitimate looking email from the Canadian Revenue Agency.

Everything looks good except the fact that they do not love me (or any of you) enough to send you a document.

Testing the document, only 5 of 59 anti-virus engines actually detect it as malicious (based on file signatures).

So over the holiday season, please do not believe emails asking you to do anything, or SMS messages asking you to visit a site, or a phone call, or even traditional mail (yes... I got a real envelope with a real stamp that was a full blown scam).

Essentially, anyone who loves you shouldn't be sending you anything you click on unless you talked beforehand and are expecting the link or file.

Trust no one.

When in doubt, contact the sender directly using the phone number you already know or the number from their actual website.








Wednesday, December 13, 2017

Is Tenable pulling an Equifax / Ashley Madison ?


One of the founders tried to appeal to the security crowd with a posting about how these new FEATURES are better for the end user, and in my opinion it is the biggest pile of crap since the last US election (slight exaggeration for effect, but still a pile of dung).

https://www.tenable.com/blog/a-clarification-about-nessus-professional

He started by explaining how he created the product for consultants and penetration testers, etc.

He then goes on to explain that supporting multiple users is complicated and, since the users cannot share reports, it wasn't worth the effort.

Hey genius, if we migrate from version 6 to 7, any users we have created get ported over and, according to Tenable support, they will always be there; you just can't create NEW ones, and if you install from scratch you are limited to just one.

So who is full of shit here?  If the system can continue to support multiple users, then limiting the addition of NEW users is a marketing game, not a technical one.  Aside from the fact that limiting to a single user and forcing enterprise users to share passwords is absurdly nuts.

And this is how he explains it:  "We evaluated this feature and realized it adds confusion".  Really... confusion.... each human has their own user account and this is confusing.

Second issue, the API.

It's complicated to have a secure API, and maintaining it is also complicated.
And people used it too aggressively and it could impact the performance of the product.

So we left it there but killed the features that allow you to launch a scan.

WHAT !!!!

So if I use my MacBook too aggressively (like a baseball bat) Apple will start making laptops with no mouse pad.

And all the features still work if you buy the bigger solution and it talks to the scan engines just fine.


  • The reason you removed multi users is marketing.
  • The reason you are crippling the API is marketing.
  • You want people to buy your TENABLE.IO solution and your Cloud based solution.


For the love of all gods please do not try to shovel shit down the throats of the hardcore technical folks who have supported you from the start and made you what you are today.

It's disgusting, insulting and revolting.

Actually, it's disrespectful, but it sure as hell is "Doing Business the American way".

And while we are on that note, please remove from the NEW FEATURES & IMPROVEMENTS section both items which for everyone who reads English, are NOT IMPROVEMENTS OR FEATURES.

I prefer being told the truth and not being filled with bull and then having someone add to it trying to tell us it is for our own good.   If I overload my Nessus scanner through the API, that's my problem, not yours.

And Renaud, as a founder, you have failed.  You've made a lot of money, and built an empire, but you have failed the "community" who supported you for the last 13 years since the fork of 2005.

So why the click-bait title mentioning Equifax and Ashley Madison?  Simple: to some extent, they all treat their customers below what I deem acceptable, and the truth is we are not their customer, we become their product (think about that), and one thing is for sure, they all lie about their true motives.

Shareholders care about increasing recurring revenue and growing the large-enterprise user base.  That's how you make your Wall Street value go up.

In this case we have not only a shareholder, but a founder making up numbers.

He states, and I quote "Less than 2% of users use the remote scan API, and there are only a handful of scanners out there with multiple users.".  These are numbers he has no way of knowing.    A "Handful"..... every scanner I have ever worked with had multiple users.  Must be a Canadian thing.    So the bull sounds just like Equifax and Ashley Madison to me, just write up a press release and make stuff up. 

Speaking of Canadians (and almost every other country), we have data residency laws, and the US has brilliant laws like the US Patriot Act.  What this means is that you can't push us to use a cloud based solution unless it is hosted in our own country.  And Tenable doesn't offer cloud services in every country.  So we simply can't use your cloud products.  Not that I would want to.

Sad day in my mind.   And I'm an optimist !





Tuesday, December 12, 2017

Tenable is killing Nessus Professional - When a security company sabotages a good product

Sad day today for any user of Tenable Nessus Professional.




As is the case with many security companies who are working towards making their products cool, Tenable is pushing their customers to the Cloud.   A security tool in the cloud just doesn't fly with me.

Tenable just released Nessus version 7.0 and along with it has killed two basic features that are critical to many smaller businesses and especially consultants.

A security company, that produces a security product, is now releasing software that imposes a less secure state, and cripples the product used by thousands without communicating these changes ahead of the release.  SURPRISE !  

In fact, the features they are crippling, they are listing as FEATURES and IMPROVEMENTS!




So naturally I thought the wording simply was wrong and had to call Tenable to have them provide me with the amazement that no... the wording is right.  

These crippled items are FEATURES.

The first item sabotaged is the ability to create users.   You read that correctly.  USERS.

This applies to anyone paying the $2,190 a year for a single scan engine (Nessus Professional).  You now have to share a password.  You can scan as many assets as you want, but the security person needs to share his/her password with the technical folks so they can work through the findings within the tool.

Normally within a business, you would create accounts for scanning, and perhaps accounts for simply reviewing the scan results (like when an auditor comes in to review results).  Or you would separate your assets by groups such as Linux servers, and Windows servers.  You would have different accounts set up for each asset group.

For a consultant, you would have a user account for each client.  

This makes sense since scan policies usually include authentication credentials for the operating systems being scanned.

In version 7.0, you can no longer create users.  Single user mode is the only way to go.

The product should therefore no longer be used by consultants, since clients generally do not want their information mixed with others'.

Within a business, a single scanner will now have a single user account, this means that if two technical people need to review the findings, they need to share the password !!!!   

We are in 2017, preaching to our user base to NEVER share passwords, and this security product, a long-time leader, is now imposing insecure practices.

What else did they sabotage?  Well, it seems that they have crippled the API (restricted API).  So if you wrote yourself some tools using the API, you are screwed.

They made the API available, it contributed greatly to the popularity of the product, now go screw yourself, no more API.

As far as loyalty to customers, this is once again a CLEAR demonstration of capitalism.  The exact attitude that hurts the overall security of our entire ecosystem.

I have been a long time defender and promoter of Tenable and their solutions.

I use their tools in conferences and training seminars.

I include their tools in the classes I teach in two Universities.

Today is the end of an era.  The era of reasonably priced commercial tools produced by companies who first wanted to offer a great security tool, not just make a buck.

I predict that projects like OpenVAS are going to see a large increase in popularity and support.

I for one have to now integrate OpenVAS in my conferences and university classes and drop Tenable from my curriculum.

I also now have to ask myself what tool best offers the features I need as a consultant and what to recommend for smaller businesses.

Imposing cloud based solutions simply is not something I can get behind for a security tool.

And crippling products and calling it a feature isn't either.





Sunday, November 26, 2017

When being ONLINE costs you $250,000. A warning that's good for all businesses (and IT people)



Being online is the big trend (obviously).  Everything has to be connected, fast, immediate.



I'm writing this short post to warn people about a common (it turns out) mistake.


Every time I leave on a business trip, I get an emergency call.  Every single time.


I'm in Paris, it's 1:25am, I just got here a few days ago and am still jet lagged, and I get an emergency call from a trusted contact that one of his clients is in trouble.  I have just enjoyed a series of good wines in the hopes of falling asleep and moving into this timezone and now I have to talk a jumper down from the ledge (just kidding, this client was relatively calm).


Well, this "trouble" I have seen 4 times in the last 3 weeks, which I'm starting to find alarming.


Ransomware is the culprit.  The difference is this time, a longer than usual series of mistakes has led to three interconnected companies being infected.  A real lottery winner in the world of ransomware.

The initial ransom requested :  $250,000  (20 bitcoins)


So this is my fourth case in three weeks..... what do they all have in common......  Online backups.


- Some have disk-to-disk live backups


- Some have a large USB key stuck in something somewhere and that's their backup


- Some have online (Internet) backup but only pay to keep one full copy (crappy service in my mind).


In this day and age, the fact that companies are failing at one of the oldest IT issues (a fundamental one) still surprises me.


Live (always connected) backups usually mean no backups when the right failure takes place.


CALL TO ACTION


So if you "think" you have backups, check if they are offline.  Check if they would survive a ransomware attack.


And by check I mean have a "real" security expert validate your backup architecture.


You see, when you have good backups, you don't have to pay large sums of money to criminals to get your data back.


Wow.... what a novel idea.  Backups that work!


This reminds me of a legal case from many years ago between a large and respected (cough cough) IT firm and one of their important clients, whose backups the firm had screwed up.


In the court hearings, the IT service provider actually said the following:  "Our contract stipulates that we take backups and makes no guarantees that we can restore them".   Can you imagine being told that after you've lost all your data?


Trust but verify.


I'm going to bed now, before my wine stops making me happy.




Tuesday, November 21, 2017

UBER ! Oops. My Bad. 57 million records lost. Finally some good news.





I've been waiting for this.

Waiting a long time.

Finally someone has dropped the soap and come clean in a direct and "appropriate" way.

Obviously plenty of criticism is coming down the road for why it happened, why it took so long to let customers know, etc.

That's really part of the game.


What would you expect when Uber's Chief Security Officer is a Lawyer instead of a trained security expert?

There are still some funny things to laugh at.

For example, paying the hackers $100,000 to delete the data.   Honour amongst thieves, perhaps.  After all, we are all allowed to believe in Santa.  Some of us believe more in Satan, oh well.


However here are some really nice tidbits that I find very positive:


"None of this should have happened, and I will not make excuses for it," he added (CEO).
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

I love it when people just come clean and tell you they dropped the ball, very inspiring.

The only problem with the last statement is that they ended up fined for a much smaller breach in 2014 and it appears... they still needed to learn from those mistakes.

So now, they will have to face the music for not disclosing when they uncovered it, but once again, the lawyer(s) certainly had a large role in holding that off.

Perhaps many enterprises could re-visit their choice of CSO to ensure that the position is handled by a "real" security expert, but let's face it, traded companies focus on the shareholder and their return on investment.  So I guess most boards would go the route of a hardened politician, Lawyer, or Music Major, since the talent they most want is not "security".  So I guess in this case, as is also the case in many other enterprises, this is pretty much the ingredients they wanted.  Some will call it "plausible deniability", some will call it "willful blindness".   Some will call it a Tuesday.

Note to my friend Robert M.  You wanted a positive post out of me.  Well this isn't it yet ;-)



Now on an even more positive note.  Maybe some people are starting to grasp that sensitive data in the cloud requires more than nice words and a pretty logo.

Lesson learned:  Regardless of the size and glamour of the cloud provider, "Trust but Verify".  Or don't use it.



Thursday, November 16, 2017

Airplanes falling out of the sky - Part deux it seems


You guessed it, people are once again claiming that airplanes could be hacked over wifi and that the sky is falling.

https://www.theregister.co.uk/2017/11/15/airplanes_vulnerable_rf_hacking/

This time, they are talking about the Boeing 757 which it seems was hacked while parked at an airport.

Some interesting things about the Boeing 757.  First off, it isn't a fly-by-wire aircraft.  This means that you cannot hack it out of the sky or have it fly sideways, as it is mechanically impossible to take over the controls from the pilot.

Most aircraft have provisions for pushing updates and sending off flight data while they are on the ground.  This means that sensors are on the landing gear to detect weight on wheels in order to allow system updates to take place.

The big stink it seems is that the pilots hadn't been told that the aircraft was more vulnerable on the ground.

These journalists keep talking about how planes are more vulnerable because we have added wifi to the entertainment system and other rather silly claims.

Just to be clear, no commercial aircraft has their entertainment system talking freely to the avionics suite used by the pilots.

In other words, you can hack away at the entertainment system all you want, you CANNOT hack the plane in flight.

The data flow simply isn't there.   Flight data can be sent unidirectionally to the entertainment system, but the electronics to send data the other way simply aren't there.

Also, you cannot flash upgrade the avionics suite without weight being on the wheels as stated earlier.

This means that a malicious actor would have to attempt to push this update while the plane is on the ground.

So let's take that and make it the worst possible scenario.

You are in flight and your GPS stops working, your autopilot stops working, everything techie stops working.

Wow, what an attack.

Does the plane fall out of the sky ?

No.

You see, in most modern aircraft you have something really old school.   A pilot.  Actually two of them.

The pilots have many responsibilities, including overseeing the overall functionality of the aircraft to ensure its safety.

This means that if a pilot looks at the GPS and then looks at the MECHANICAL altimeter and notices that the GPS claims to be at 38,000 feet while the mechanical altimeter says 2,000 feet, you are going to have two very motivated pilots looking into the problem.

They would identify that the GPS is faulty, turn it off, note it in the aircraft log and probably report it in flight to headquarters to have someone fix it when they land.

So what happens when two, three or four airplanes call in with the same problem....  The fleet would be grounded until someone figures out what went wrong.

So now I already hear the skeptics screaming "yeah, but what if they hack the autopilot to take over the plane and crash it".



Well, good news.  The autopilot isn't a steroids jacked up cocaine infused weight lifter that will immobilize the pilots and force the plane into the ground.

As soon as the pilots would feel the plane change altitude or veer to one side or another, they would notice.   That's right folks, just like driving a car, when the sound of the engine changes.... you notice.

So what would happen.... they would hit this button called POWER on the autopilot, and this button, by design, is not computer controlled.  It is a mechanical interrupter that kills the power to the autopilot.   If that button failed, the pilot would push or pull on the controls and overpower the autopilot.  The mechanical autopilot is not designed to be stronger than a human; you can override it because you are stronger than its designed strength.  And they wouldn't have to do this long, just long enough to find the FUSE for the autopilot and pull it.  And yes, they simulate this.

That folks is what you call SECURE DESIGN.  Something lost in most markets, but very present in aviation.

So what if the pilots don't notice that they are descending lower and lower and lower....

Well, I'm a pilot.  And I can tell you that air traffic control doesn't appreciate it when you file a flight plan for a certain altitude and they see you at the wrong altitude.   They will even have the audacity to humiliate you on the radio by asking you to confirm altitude and altimeter settings.

You see, their job is to keep airplanes separated along flight paths.

They have a set number of airplanes under their watch, and they do indeed watch.

As one of my good friends, "J", once expertly described while we both gave a conference on this very subject: airplanes, like every complex mechanical system, have security weaknesses.  However, these do not translate into a SAFETY issue because of the overall safe engineering of the entire ecosystem.

Aircraft are extremely SAFE.

Take the radio system for example.  Any idiot can purchase an aviation band radio for a couple hundred dollars and learn to PLAY control tower.



This, in the cyber security realm, is called unauthenticated communication.  No username, no password.  Really the worst case in computer security.

So a rogue individual could call out to an airplane, make themselves sound like the control tower, and crash an airplane.

Well.... No.

Once again, we have something called "the pilots" who are the "BOSS" of that airplane.  The "Tower" isn't the boss.  The pilot is.

So hearing an order come in from a fake tower that results in an unsafe action wouldn't work, and also the real tower that hears the fake tower would most certainly call out that something is wrong.

So if the tower says "Air Canada Flight 1505 please descend at your discretion to 10,000 feet" while they are actually flying over the Rockies.... I'm pretty sure the pilots would know that this isn't ideal.

As they would descend, the other safeguards in the airplane would start setting off alarms.

The GPS screen would turn RED.

The ground radar would start saying "TERRAIN"  "TERRAIN"

So the unauthenticated radio communications are certainly a security issue....  but they aren't a safety issue, so we don't really care.

Here is a cockpit photo of a modern, extremely technology dependent aircraft, where I have highlighted the devices that are old school mechanical and are impossible to hack via wifi... or via any computer.



Don't let the headline grabbing journalists frighten you from flying.  It remains extremely safe, and my favourite way to get to where I'm going.



