STE WILLIAMS

Playing It Straight: Building A Risk-Based Approach To InfoSec

What a crooked haircut can teach you about framing the discussion about organizational security goals and strategies.

I don’t remember much from my school days, but I do remember one particular statement from one of my teachers. During the course of delivering the lesson, she illustrated her point by remarking: “If you hold your head crooked, you get a crooked haircut.” You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate.

What my teacher illustrated with that phrase was the idea of building the proper frame of reference. In the haircut analogy it works as follows. A barber or stylist approaches a haircut from their own frame of reference: they are generally standing up, so their reference is vertical. The customer is generally seated. If the customer holds their head straight, both people share the same frame of reference. If the customer tilts their head, their frame of reference no longer matches the barber's, and what looks like a straight haircut to the barber will in fact be crooked on the customer.

In other words, if we want to achieve a certain outcome, we have to work towards it from within the correct frame of reference. Otherwise, no matter how much time, money, and resources we invest into our efforts, the outcome may be different from what we expected.

We can extend this analogy to the security realm and learn some valuable lessons from it. Almost all organizations now realize that they need to build or enhance their security programs. Of course, strategies, approaches, and methodologies will vary widely in this endeavor. Results will also vary widely. When undertaking this effort, frame of reference becomes extremely important. If an organization does not properly calibrate its efforts, it can end up investing a lot of time, money, and resources into a security program that misses the mark. In other words, having the right frame of reference guides a program to success. Building or enhancing a security program in a “crooked” frame of reference can ultimately lead to a program that does not adequately address the needs of the organization and does little to improve its security posture.

I’d like to illustrate this concept by sharing a few examples of incorrect frames of reference that I sometimes see in organizations. My goal is to help organizations understand the concept and identify any potential areas for improvement internally.

The Program of “No”
Unfortunately, security professionals sometimes get a reputation for being the people in an organization who always say “no.” In recent years, security has become an integral part of most organizations. But it’s important to remember that the main purpose of an organization is to be successful in its particular line of business. Of course, a business cannot operate without accepting some risk.

A security program’s ultimate goal should be to mitigate risk while enabling the business to be successful. For example, if the business needs to move to the cloud in order to stay competitive, the security organization should focus on how to mitigate and minimize risk before, during, and after that move.

Unfortunately, the frame of reference of many security organizations is structured around a knee-jerk “no” response. The trouble with this is that many areas of the business very quickly learn to go around the security team, rather than work cooperatively and collaboratively with it. In some cases, the security team may even be seen as an adversary. The end result is that the organization’s security posture does not improve at all — in fact, quite the opposite.

The program of “no” frame of reference most often results in exactly the opposite of what it intended. A frame of reference that seeks to build trust with the business to enable the business to operate more securely produces much better results. After all, security is a business function and should operate accordingly.

Not Focusing on Risk
I, along with many others, have previously written on risk-based approaches to security. This approach is strategic in nature: it involves prioritizing the risks and threats to the organization and then working through mitigating them in that order. Unfortunately, some organizations don't build security programs from this frame of reference.

There are a number of different types of approaches I’ve seen that are not risk-based in nature. For example, organizations may build their frame of reference around intelligence, certain categories of technology, certain skillsets, or other things. Each of the examples I’ve mentioned is important and has its place in security, but none of them should be used as the basis for a frame of reference. For example, although intelligence is important, building a security program solely around intelligence causes an organization to rely too heavily on what someone else tells them is important, rather than the real risks and threats to their organization.

Building a frame of reference around mitigating risk allows an organization to incorporate multiple techniques to reach the desired end goals. But the risk-based frame of reference ensures that the organization will properly address the risks and threats it faces regardless of the techniques it employs. Alternate frames of reference address some risks and threats, but they do so informally, rather than strategically. That leaves an organization vulnerable.

Chasing Ghosts
I’ve seen some organizations that run from one “strategy” to the next, following the latest fad, buzzword, shiny object, or otherwise. The fault in this frame of reference is obvious. Fads come and go, but at the end of the day, they were not defined to address the risks that an organization faces.

Of course, new technologies, novel approaches, and fresh thinking can always be used to improve and strengthen a strategic approach to security. But again, they need to be incorporated within a strategic frame of reference. The “new” cannot itself be the frame of reference. That often results in organizations investing heavily in areas that don’t actually mitigate much risk for them — in other words, chasing ghosts.

Unfortunately, there are far too many "crooked" frames of reference within which an organization can find itself. A strategic, risk-based approach to security can help an organization build a frame of reference geared towards its needs. Having a "straight" frame of reference is critical for properly guiding the efforts of a security organization to adequately address the risks and threats facing the organization.

Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO – Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as …

Article source: http://www.darkreading.com/vulnerabilities---threats/playing-it-straight-building-a-risk-based-approach-to-infosec--/a/d-id/1323441?_mc=RSS_DR_EDT

Industrial gas detectors vulnerable to a remote ‘attacker with low skill’

Users of Honeywell’s Midas and Midas Black gas detectors are being urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities.

These extremely serious vulnerabilities, found by researcher Maxim Rupp and reported by ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) in advisory ICSA-15-309-02, are simple enough to be exploited by an “attacker with low skill”:

Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.

…These vulnerabilities could be exploited remotely.

…An attacker with low skill would be able to exploit these vulnerabilities.

The affected devices are the Midas product with all firmware versions up to and including version 1.13b1 and the Midas Black product with all firmware versions up to and including version 2.13b1.

Patches are available to download from Honeywell’s website under the banner of Honeywell’s Security Notification SN 2015-10-14 01.

Midas and Midas Black gas detectors are used worldwide in numerous industrial sectors including chemical, manufacturing, energy, food, agriculture and water to:

…detect many key toxic, ambient and flammable gases in a plant. The device monitors points up to 100 feet (30 meters) away while using patented technology to regulate flow rates and ensure error-free gas detection.

The vulnerabilities could allow the devices’ authentication to be bypassed completely by path traversal (CVE-2015-7907) or to be compromised by attackers grabbing an administrator’s password as it’s transmitted in clear text (CVE-2015-7908).

In other words, the devices affected might be sophisticated and highly specialised but their bugs aren’t. These are basic, workaday flaws that are well understood, easy to avoid and easy to test for.
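The advisory does not describe how the path-traversal bypass (CVE-2015-7907) is triggered, so the following is an added illustration rather than anything from Honeywell or ICS-CERT: a Python resolver that maps an HTTP request path onto a filesystem root, first in the naive form that lets `..` segments walk out of the root, then hardened to decode, normalise and confirm containment, plus a small probe list of the kind a tester would run against any such endpoint. The web root and probe strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; the real device layout is not
# described in the advisory and is not assumed here.
WEB_ROOT = "/srv/www"

# Classic traversal probes for any endpoint that maps a request path onto
# the filesystem.  Constructed for this example.
TRAVERSAL_PROBES = [
    "../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",        # URL-encoded slashes
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",    # URL-encoded dots
    "%252e%252e/%252e%252e/etc/passwd",   # double-encoded dots
    "static/../../../etc/passwd",         # traversal after a legitimate prefix
    "static/css/site.css",                # benign control case
]


def resolve_unsafe(web_root, requested):
    """Vulnerable resolver: normalises the joined path but never checks that
    the result stays under web_root, so '..' segments walk out of it."""
    decoded = unquote(unquote(requested))
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def resolve_safe(web_root, requested):
    """Hardened resolver: decode (twice, to catch double encoding), normalise,
    then require the result to lie inside web_root.  None means rejected."""
    root = posixpath.normpath(web_root)
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:                 # NUL-truncation tricks
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def escaping_probes(resolver, web_root=WEB_ROOT):
    """Run every probe through a resolver and return (probe, target) pairs
    that land outside web_root: the 'easy to test for' part."""
    root = posixpath.normpath(web_root)
    escaped = []
    for probe in TRAVERSAL_PROBES:
        target = resolver(root, probe)
        if target is not None and posixpath.commonpath([root, target]) != root:
            escaped.append((probe, target))
    return escaped


if __name__ == "__main__":
    for name, fn in (("unsafe", resolve_unsafe), ("safe", resolve_safe)):
        print(name, escaping_probes(fn))
```

Containment is checked on the normalised absolute path, not by string-prefix matching on the raw request, which is what lets every encoded variant of the same `..` sequence be rejected by one rule.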

It’s shocking that such basic flaws should be present in software with such an important job to do but they wouldn’t be nearly so serious if they weren’t remotely exploitable.

Because these devices can be connected to the internet, the people they protect are at risk from anyone who can find a connected device (and if you’re wondering if that’s difficult, remember that the Internet of Things has its own search engine).

But perhaps we shouldn’t be surprised because in many ways that’s the story of the Internet of Things so far – a collection of interconnected devices from the future exhibiting vulnerabilities from the past.

The rush to attach kettles, TVs and baby monitors to the internet in the hope that it might be useful flies in the face of that bastion of security common sense, the principle of least privilege, and it seems to me that it isn't going all that well so far.

The advisory offers the following pointers for minimising the risk of these flaws being exploited, although I suggest we’d all do well to follow them no matter if we’re running industrial control systems or overly-clever thermostats:

  • Minimise devices’ network exposure and physical access
  • Isolate devices from the internet and business networks
  • Put devices behind a firewall and connect over a VPN if you need remote access

Or, put another way, treat the Things in the Internet of Things like computers, because they are.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Mw0YpNFP800/

Has Mark Zuckerberg left Facebook? No, but a bug made it look that way

Even though Mark Zuckerberg is taking two months off for paternity leave after the recent birth of his daughter, the 31-year-old billionaire Facebook founder isn’t ready to hang up his hoodie for good.

But a quirky bug in the Facebook website could have made it appear that he had quit, if you knew how to manipulate a Life Events post to change “Started working at…” to “Left job at…,” as a security researcher did using Zuckerberg’s timeline.

The bug affected every user’s publicly viewable career Life Events posts, up until Friday (4 December) when Facebook fixed the issue.

A security researcher named Sachin Thakuri was the first to spot the bug, and notified Facebook through its bug bounty program, but he said the company’s security team assured him that the bug was low-risk and they wouldn’t be fixing it.

Thakuri published his discovery on his personal blog on 18 November, but it wasn’t until VentureBeat picked up the story on 4 December that the bug got widespread attention.

Two hours after VentureBeat published an article about the bug, Facebook contacted the publication to say the bug had been fixed.

That was fast!

So, what happened exactly?

Thakuri told me via email that he discovered the Facebook flaw by playing around with some parameters on Facebook when he noticed the “weird behavior.”

Thakuri told me he attempted to convince Facebook’s security team that the bug was serious because it could allow anyone to spoof content about another person’s job history, but Facebook wasn’t concerned:

I tried convincing them to fix this issue by explaining the impact this could have because the bug allowed to manipulate the work status of any user on Facebook. And since it was coming from a legit account there was very [little] chance to figure out that the work status was manipulated. They again replied on 12 November saying they still think this is a low-impact bug and won’t be fixing this one.

The bug worked like this: a Life Event post for a job carries a start date, and the post's URL signals that with a query parameter, ustart=1.

Deleting that parameter from the URL made the Facebook website render the job as ended.

I tried the trick before Facebook fixed it, and I can tell you it worked (if you remove that bit from the URL now, post-fix, the post doesn’t show up at all).

The bug didn’t actually change anything on Zuckerberg’s profile. As Thakuri explained, the content was changed on the client side, not the server side.

If the content changed on the server side, that would be much worse – that would mean you could manipulate someone else’s profile without authorization.

Thakuri said he’s reported several bugs to Facebook this year, mostly API related security flaws, and has been awarded a bug bounty for six of them.

As of Friday afternoon (Eastern Standard Time), Thakuri said Facebook hadn’t contacted him to let him know that it had fixed the Life Events bug, and he hasn’t received a bounty.

Still, Thakuri said he’s impressed with Facebook’s security team:

Facebook has a good security team who are very fast to react to these bugs and are very good to the researchers who submit bugs through bug bounty program.

By the way, because the bug involved public Life Event posts, we should all be reminded that privacy on Facebook is easy to overlook: keep your profile set to “Friends only” and be mindful of your audience when posting.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X14vvq0TO_U/

Company told to stop Facebook naming and shaming overdue customers

Canada’s privacy commissioner has ordered a small cable TV company in the Northwest Territories to stop naming and shaming overdue account holders on Facebook.

As if it’s not embarrassing enough to struggle to pay bills, Senga Service Cable TV, in Fort Simpson, N.W.T., reportedly posted the names of 25 customers who were delinquent in paying their bills, along with the amounts owed.

The overdue bills ranged from $94.25 to $1,406.80, according to the CBC.

The company first posted the list of accounts in arrears to its company Facebook page last Monday evening, along with a warning that the accounts would be disconnected on Wednesday.

Then, employee Jennifer Simons posted the list to a number of community Facebook pages.

She told the CBC that it’s legal: a determination she arrived at after speaking to lawyers before she posted the names.

She told CBC that it’s fine to publish a person’s name and amount owed, but that “you cannot put a [social insurance number], a birth date, an address or anything else identifying the specifics of a person.”

The CBC checked up on that by contacting the Office of the Privacy Commissioner of Canada.

In an email response, Tobi Cohen, a senior communications adviser at the office, told CBC that Senga Services had been contacted and “the company has complied with our request to take down the post.”

CBC quotes Cohen [link added]:

[The Personal Information Protection and Electronic Documents Act] allows organizations to use or disclose people’s personal information only for the purpose for which they gave consent.

There is also an over-arching clause that personal information may only be collected, used and disclosed for purposes that a reasonable person would consider appropriate under the circumstances.

While the legality is debatable, the tactic sure does work, Simons said:

We always got excuses from everybody. Promissory notes and everything, and it never arrives. So we found the most effective way is to publicly post the names. 

The list had been quickly removed from at least one community Facebook page: that of the popular Fort Simpson Bulletin Board.

But it was up long enough to prompt four people to come forward and pay their bills, Simons said, while others called to arrange to pay off their balance.

While it worked to some extent, it also blew up in the company’s face from a public relations perspective.

People in the small community of Fort Simpson, with a population of 1,200, didn’t take kindly to the public shaming.

While the shamed names have disappeared from the company’s Facebook page, people have taken their jeering to an earlier post from the company that asked “what can we as providers do to make your cable TV experience more enjoyable?”

The Huffington Post captured some of the replies, which included, among other, profanity-laced replies, the most obvious one of all:

Not post customers names on facebook?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/el38j5RkOeU/

Yahoo Mail fixed against evil emails you didn’t need to open

Yahoo Mail has fixed a bug in its software that left hundreds of millions of users vulnerable to specially crafted emails that could have been used to steal data or spread malware on a huge scale.

The flaw was so bad that users didn’t even have to open the emails to be affected.

The bug was closed by Yahoo on 21 November, just ten days after it was reported by penetration tester Ibrahim Raafat.

Raafat discovered that users of Yahoo Mail’s mobile interface were vulnerable to an XSS (Cross-Site Scripting) attack, one of the most common and easily thwarted forms of attack that websites face.

XSS vulnerabilities can happen anywhere that a web page includes information supplied by a user but doesn’t properly sanitise or encode it.

Such attacks turn otherwise legitimate websites into platforms that can be used to attack users.

User-supplied information (such as blog comments or forum posts) that isn't properly encoded is treated as code by web browsers. The malicious code runs with the same level of trust as all the other code on the page, which means that an attacker can use it to harvest cookies or other sensitive information, or to attack the web browser or computer of somebody looking at the page.

What Raafat discovered was that the mobile version of Yahoo Mail, a website that people use to read emails, didn't properly encode the content of the emails its users received.

All he had to do was write an email with some code in it instead of text and the recipient’s browser would unwittingly run it when it appeared in Yahoo Mail. To make matters worse, it seems that the victim didn’t even have to open the email – it only had to appear unopened in their inbox in order to run.
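As an added example, not Yahoo's code and not Raafat's proof of concept: a small Python inbox renderer in the vulnerable form (message fields pasted straight into the markup) and the hardened form (every untrusted field HTML-escaped for the element-text context it lands in), together with an HTMLParser-based check that parses the rendered page and lists any script elements, img elements or on* handler attributes that the template never emits itself. The inbox contents are constructed; the third message carries a prompt() payload of the kind the article describes.

```python
import html
from html.parser import HTMLParser

# Constructed inbox.  The third message is the attacker's: markup instead of
# text in the subject and a handler attribute in the preview.
INBOX = [
    {"from": "alice@example.com", "subject": "Lunch?",
     "preview": "Noon at the usual place"},
    {"from": "bob@example.com", "subject": "Re: report <draft>",
     "preview": "Numbers attached"},
    {"from": "attacker@example.com", "subject": "<script>prompt(1)</script>",
     "preview": '<img src=x onerror="prompt(document.cookie)">'},
]

ROW = "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"


def render_row_unsafe(msg):
    """Vulnerable: message fields go into the markup unchanged, so a browser
    treats any tags in them as part of the page."""
    return ROW % (msg["from"], msg["subject"], msg["preview"])


def render_row_safe(msg):
    """Hardened: each untrusted field is escaped for element-text context.
    quote=True also neutralises quotes, in case a field is ever reused in
    an attribute."""
    def esc(s):
        return html.escape(s, quote=True)
    return ROW % (esc(msg["from"]), esc(msg["subject"]), esc(msg["preview"]))


def render_inbox(row_fn, inbox=INBOX):
    """Render the whole inbox as a table using the given row renderer."""
    return "<table>\n" + "\n".join(row_fn(m) for m in inbox) + "\n</table>"


class InjectedMarkupFinder(HTMLParser):
    """Collects markup the inbox template never produces on its own:
    script and img elements, and any on* event-handler attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img"):
            self.findings.append(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(name)


def injected_markup(rendered):
    """Parse the rendered page the way a browser would and return the list
    of injected elements and handler attributes found (empty when clean)."""
    finder = InjectedMarkupFinder()
    finder.feed(rendered)
    return finder.findings


if __name__ == "__main__":
    print("unsafe:", injected_markup(render_inbox(render_row_unsafe)))
    print("safe:  ", injected_markup(render_inbox(render_row_safe)))
```

The check works on the parsed output rather than on a substring search because the browser's parser is what decides whether `<script>` is a tag or text; the same parse of the escaped page sees only `&lt;script&gt;` as character data.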

Raafat captured how easy it was to exploit in a simple video on his site, PWN Rules.

Rather than stealing cookies or spreading malware silently Raafat simply writes an email that includes code to open a ‘prompt’ window – an obvious, visual signal that his email is being treated as code rather than content.

Yahoo Mail has hundreds of millions of users, so a successful in-the-wild exploit of this vulnerability, which could easily have piggybacked off of industrial-scale channels for sending spam that already exist, could have been extremely serious.

For his efforts Raafat earned Yahoo's thanks and an undisclosed bug bounty.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bit97BCEZDo/

Russian “Pawn Storm” expands, rains hell on NATO, air-gapped PCs

One of the most prolific and capable Russian malware groups is using a rare module to infect USB sticks and hose air-gapped machines in defence industry organisations.

The group, known as "Sofacy" or "Pawn Storm", has been ripping into air-gapped defence organisations since at least August, demonstrating its skills by using zero-day vulnerabilities to foist malware, Kaspersky researchers say.

"In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Java, Adobe Flash Player and Windows itself," researchers say.

“For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP (privilege escalation) exploit to break out of the sandbox.

“Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena.”

It has also targeted NATO (the North Atlantic Treaty Organisation) and the White House through a clever Java vulnerability that was a zero-day at the time.

Not content with just hacking NATO, the group also turned its attention to stealing documents relating to the investigation of downed flight MH17.

Earlier in the year Pawn Storm flexed its grey matter and popped iOS 7 by developing the XAgent malware that could steal all manner of data through a simple infection process.

It is also thought to have popped French TV station TV5Monde in a hack uncovered after the broadcaster was separately hosed in June by a pro-ISIS group.

Concerned organisations should patch religiously and implement comprehensive in-house phishing penetration tests. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/op_pawn_storm/

Hacker reveals lifestyles of the rich and famous in UAE bank pop

A hacker who appears to have cut and run has reportedly dumped bank information relating to thousands of wealthy customers of a United Arab Emirates bank.

The hacker, using the handle "Hacker Buba", claimed to local media to have popped Invest Bank before demanding US$3 million in ransom in exchange for not releasing the files.

Using a collection of Twitter handles the hacker dropped alleged details on tens of thousands of bank customers including personal information, full credit card data, and transaction histories throughout November.

The Twitter accounts are closed and the hacker appears to have gone quiet while the undoubted wrath of the bank’s forensics response gains steam.

Media reports suggest that some compromised accounts contained up to US$12 million and pooled together amounted to more than US$110 million.

The hacker is reported to have contacted affected customers and warned them that he was in control of their accounts.

Some of the files were hosted on the server of a hacked European basketball website.

Invest Bank said it has not and will not pay the ransom, calling the hacker a ‘blackmailer’.

The hacker reportedly offered the editor of Dubai-based Xpress a five percent cut in profits if he assisted.

Local businesses expressed shock and outrage at the hack, dubbed by Xpress as the worst in UAE history, with some claiming they were first informed of their exposure through media and in the hacker’s extortion notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/uae_bank_hack/

Whisper this, but Java deserialisation vulnerability affects more libraries

A Java deserialisation vulnerability may affect as many as 40 more software libraries than first feared, research has revealed this week.

The deserialisation bug in Apache Commons Collections affects popular distributed software such as WebSphere and JBoss, FoxGlove Security advised last month.

But new research by security-tools-for-software-developers firm SourceClear, out this week, suggests 40 additional libraries may be affected by the same bug.

Libraries including Apache Directory API, JMS Transport, versions of Webx All-in-one Bundle, hadoop-mapreduce-client-core, and many more appear to be at risk.

“What makes this flaw so nasty is that it is not a flaw in Java itself, but instead a flaw in a widely used library,” Johannes Ullrich, CTO at the SANS Institute Internet Storm Center, said at the time of the original warnings last month. “Inventorying which libraries are used by which specific software is notoriously difficult.”

“Several major enterprise software packages have been updated as a result. But the real challenge is internally written software, or custom software procured from third parties,” he added.

The problem has been understood for a while, but it attracted little attention until last month, when a more credible attack scenario was outlined. The root cause is apps deserialising untrusted input without validating or checking it first.

The vulnerability might be exploited by hackers to take control of app servers running affected libraries. The issue at the heart of the problem affects all apps that accept serialised Java objects.

Developers ought to review their code and libraries to see whether or not their technology might be vulnerable to the deserialisation vulnerability, SourceClear advises. ®
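The inventory problem Ullrich describes is a tractable one to automate, so here is an added example (not SourceClear's scanner and not from any of the advisories): a Python script that walks a deployment directory, opens every JAR, WAR and EAR, recurses into archives embedded in archives (the WEB-INF/lib case that a file listing misses), and reports each one that ships the Commons Collections InvokerTransformer class that the published gadget chain relies on, along with the manifest version if there is one. The fixture tree it builds in a temp directory is constructed, with placeholder class entries rather than real bytecode. A hit means the class is present, which is the cue to check the library version and whether the application deserialises untrusted input; it is not by itself proof of exploitability.

```python
import io
import os
import tempfile
import zipfile

# Class files the published Commons Collections gadget chain needs; the
# 3.x and 4.x lines live in different packages.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def manifest_version(zf):
    """Best-effort version string from META-INF/MANIFEST.MF, else None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith(("Implementation-Version:", "Bundle-Version:")):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(zf, label):
    """Report gadget classes in one open archive and recurse into every
    archive it embeds (WEB-INF/lib/*.jar inside a WAR, WARs inside an EAR)."""
    hits = []
    names = zf.namelist()
    for cls in GADGET_CLASSES:
        if cls in names:
            hits.append({"archive": label, "version": manifest_version(zf), "class": cls})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                hits.extend(scan_archive(inner, label + "!" + name))
    return hits


def scan_tree(root):
    """Walk a deployment directory and return every archive, nested or not,
    that carries a gadget class, sorted by archive path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with zipfile.ZipFile(path) as zf:
                    hits.extend(scan_archive(zf, os.path.relpath(path, root)))
    return sorted(hits, key=lambda h: h["archive"])


def build_sample_tree():
    """Constructed fixtures, not real artifacts: a commons-collections JAR
    with a placeholder class entry, an unrelated JAR, and a WAR that embeds
    the same commons-collections JAR under WEB-INF/lib."""
    root = tempfile.mkdtemp(prefix="jarscan-")
    placeholder = b"\xca\xfe\xba\xbe"  # class-file magic only, no bytecode
    cc_entries = {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 3.2.1\n",
        GADGET_CLASSES[0]: placeholder,
    }

    def write_archive(target, entries):
        with zipfile.ZipFile(target, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    write_archive(os.path.join(root, "commons-collections-3.2.1.jar"), cc_entries)
    write_archive(os.path.join(root, "other-lib.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nBundle-Version: 1.0.0\n",
        "com/example/Util.class": placeholder,
    })
    inner = io.BytesIO()
    write_archive(inner, cc_entries)
    os.mkdir(os.path.join(root, "deploy"))
    write_archive(os.path.join(root, "deploy", "app.war"), {
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/commons-collections-3.2.1.jar": inner.getvalue(),
    })
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("%s  version=%s  %s" % (hit["archive"], hit["version"], hit["class"]))
```

Point it at an application server's deployment directory instead of the fixture to get a first cut of the inventory; the nested-archive recursion is what catches the copy of the library bundled inside a WAR, which is the usual reason a host shows up as clean in a plain file search.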

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/java_deserialisation_research_library_vulnerable/

Putin’s Russia outlaws ECHR judgments after mass surveillance case

Russia’s lower legislative house has passed a law letting its government ignore European Court of Human Rights judgments after the ECHR ruled the nation’s internet surveillance was incompatible with human rights.

The unrestricted interception of all telecommunications in Russia is conducted through the mandatory installation of government network-sniffing equipment.

A legal challenge brought against this in 2003 finally resulted in an ECHR judgment last Friday.

However, a law passed on Friday through the Duma, the lower house of Russia's legislature, states that the nation's constitution is to take precedence over judgments or obligations imposed by international bodies.

Though passed on the same day as the most recent ECHR judgment, it is thought to be the product of many such judgments against Russia.

“In passing the law, the Duma has provided the court with ‘a special legal mechanism for resolving the question of the possibility or impossibility of executing [international] court rulings from the point of view of the higher legal force of the Russian constitution,'” said the Moscow Times, quoting state propaganda outlet RIA Novosti.

The Moscow Times further reported that a federal body which represents the nation’s interests “in international court cases” will be able to appeal to the Russian constitutional court, as well as allowing for the president – currently Vladimir Putin – to appeal against such rulings.

The Register has contacted the Council of Europe’s directorate of communications to enquire about the future of Russia’s membership, considering the legal room it is affording itself to ignore ECHR judgments. We will update this article if we receive a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/russia_new_law_restrains_echr_judgments/

Lock up your top-of-racks, says Cisco, there’s a bug in the USB code

It’s 2015, and the right stuff on a USB stick can still crash a substantial switch.

Cisco hasn’t yet worked out how to fix this vulnerability, and as a result, the details it offers in the advisory are sparse.

What we can glean from the note is that the crash can only be triggered by a local user. Here’s how Cisco explain the problem:

“The vulnerability is due to insufficient handling of USB input parameters. An attacker could exploit this vulnerability by sending crafted USB parameters to be processed by the kernel of an affected device”

Naturally enough, the Borg hasn’t detailed exactly what you have to load on a USB key to trigger the crash, but it’d be nice to think that most data centres will notice someone suspicious taking down their top-of-rack switches. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/lock_up_your_topofracks_says_cisco_theres_a_bug_in_the_usb_code/