STE WILLIAMS

Financial Institutions Less AppSec-Savvy Than You’d Think

New study shows banks all have policies in place, but lack metrics and good third-party software controls.

Financial institutions are known to have in place some of the most advanced application security practices and tools. Even so, a new benchmarking study out this week shows that even among these well-funded security programs there are still big gaps in their application security practices – a finding that should offer a clue as to the state of appsec at large.

The study found that while financial organizations almost universally have internal secure coding standards in place, most are hard-pressed to validate them. Additionally, fewer than half require their third-party vendors to have similar policies and standards.

Conducted among CISOs, the survey took a deep dive into common attitudes and practices across dozens of leading global financial institutions. The good news is that three out of four respondents reported that application security is a critical or high priority. And nearly all of them employ at least one kind of framework, standard, or maturity model to structure their application security program, with the Building Security In Maturity Model (BSIMM) the most popular, at an adoption rate of 89%.

However, digging further, the types of metrics and key performance indicators (KPIs) used to track the effectiveness of policies laid out by these standards betray a lack of sophistication in their appsec programs. The most common KPI used by the respondents was a simple vulnerability count, typically totaled up from static analysis security testing (SAST) and dynamic analysis security testing (DAST), a metric used by 77% of programs.

Meanwhile, only about 46% of organizations measure how long it takes to remediate vulnerabilities, just 38% of organizations track whether developer teams are even using the security tools mandated by policies, and only 15% measure completion of security requirements. Scarily enough, 15% of organizations don’t track via metrics the effectiveness of their appsec programs.

The report noted that the overreliance on vulnerability counts could potentially be giving these organizations a false sense of security. According to Security Compass analysis, scanning by SAST and DAST tools alone probably misses about 46% of application-level risks. Though that number may be up for debate, other application security experts concur that relying on scanning alone leaves a risk visibility gap.

“When thinking about vulnerability management, most security practitioners think about it in terms of what a scanner will find for them,” says Jake Kouns, chief information security officer for Risk Based Security. “Most scanners are not looking for all vulnerabilities as they don’t have the signatures to cover them, and they are also not comprehensive as they don’t look for third-party library vulnerabilities.”


For the financial organizations queried for the report, third-party library vulnerabilities are just the start of third-party application risks left unaddressed. The study showed that 58% of respondents use at least some third-party software and 17% say they primarily rely on it. However, less than half of organizations require that their vendors have a secure software development lifecycle or application security policy. Additionally, only 38% of organizations were able to perform static or dynamic testing, and a measly 15% performed threat modeling or design reviews on third-party software.

As financial organizations grapple with competitive pressure to expand their customer-facing application portfolios, the weaknesses evidenced by this report show that there’s a lot of work ahead for them on the application security front.

“Application security teams within financial institutions need to design their security programs with the appropriate goals, governance and metrics,” the report warned. “Firms should select security activities that meet their risk reduction and scalability goals. Simply selecting a set of best practices from a secure SDLC framework may not result in an ability to execute.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/application-security/financial-institutions-less-appsec-savvy-than-youd-think/d/d-id/1328364?_mc=RSS_DR_EDT

‘Nigerian princes’ snatch billions from Western biz via fake email – Interpol

Spoofed email and malware hidden in attachments netted crooks in West Africa more than $3bn in three years from businesses.

That’s according to research carried out by the International Criminal Police Organization (Interpol) and infosec biz Trend Micro. Forget claims of money stuck in bank accounts. Scammers are now raking it in from so-called business email compromise (BEC) schemes, according to the security team.

A BEC crook sends authentic-looking invoices and internal memos to businesses and their finance staff, tricking the employees into paying money into the thieves’ accounts. The messages can also be booby-trapped with malware that infects work PCs and logs key-strokes. This information is then used to log into the company’s online bank account, and transfer money to criminals’ pockets.

The Interpol-Trend study found that between October 2013 and May 2016, BEC scammers walked off with more than $3bn having exploited the technique globally.

Such frauds are becoming a serious pain in the fundament: the FBI warned last year that they had siphoned over $1bn from American companies. Victims of BEC scams included the city of El Paso, in Texas, America, which got scammed out of $3.2m, and Austrian engineering firm FACC, which lost over $54m. Much of the money in both cases has now been recovered – but by no means all of it, and the problem is getting worse.

“West African cybercriminals are clearly shifting to more elaborate crimes, complex operations, and business models – BEC and tax fraud, in particular,” the report [PDF] states.

“Armed with their social engineering expertise and ingenuity, and augmented by tools and services (keyloggers, RATs, crypters, counter-AV services, etc), West African cybercriminals are stealing large amounts of money via crimes targeting individuals and companies worldwide.”

Quite why West Africa is such a hotspot for online crime isn’t hard to work out – education and motive. Around half of all university graduates in West Africa are unemployed a year after graduation and so the lure of crime is strong.

It’s now so established in some cultures that it has entered the pantheon of religion in Ghana, under the name Sakawa. The fraudsters make offerings to a supreme being that will protect their fraud from being discovered and ensure good fortune.

The study identified two big gangs working in the regions. The first, known as the Yahoo! Boys, concentrate largely on the traditional types of fraud like 419 scams – where an online figure (typically a bogus Nigerian prince or foreign lawyer) promises a big payout if the victim coughs up fees to free up the supposed fortune.

The Yahoo! Boys – so named because until recently they used the failing portal’s chat tools to coordinate their scams – also carry out romance scams, forming faux relationships with the lonely and then ‘borrowing’ money for plane tickets to consummate the relationship. Another is the so-called “send money” scam, whereby they pretend to be a foreign traveler who has been mugged and needs funds from friends and family.

Typically members of the Yahoo! Boys are in their twenties, like to show off their wealth on social media, and operate in small, local groups. While their methods of fraud are relatively unsophisticated, they still make a good living.

More dangerous are what the study calls next-level cybercriminals. This group is generally older, does not show off its wealth, and operates in a more sophisticated way. It concentrates on BEC fraud and also harvests financial details to scam funds from victims with fake tax returns.

Next-level cybercriminals are highly professional, running money-laundering operations, a network of money mules, and working closely with relatives in the target countries to smooth out the scamming process. It’s this group that has been raking in the billions.

Interpol reports some limited success in shutting down these groups, but says that for all the tips they pass on to local police, only about 30 per cent end up in an arrest. As ever with online crime, finding the physical location of the criminals is a major issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/10/interpol_study_nigerian_princes_raking_in_billions/

What a Flake: Congress mulls trashing privacy rules, letting ISPs go to town on your data

US Senator Jeff Flake (R-AZ) has suggested tweaking the law to permanently prevent America’s comms watchdog, the FCC, from limiting what ISPs are allowed to do with your private information.

Using what was – at least until the past month – an arcane piece of legislation called the Congressional Review Act of 1996, Flake proposes that the Republican-run Congress express its “congressional disapproval” of a rule passed in November by the FCC that required ISPs to notify subscribers about what types of information they are collecting on them, and say how that personal information may be shared, and with whom.

ISPs would also have been required to “take reasonable measures” to protect this sensitive information from hackers, and notify customers if their data was obtained by miscreants.

The requirements were due to take effect on March 2, but new FCC chairman Ajit Pai voted to block them at the last minute, claiming that there needed to be a “comprehensive and uniform framework to protect Americans’ online privacy.”

Flake’s proposal [PDF] is a single paragraph that notes Congress “disapproves the rule submitted by the Federal Communications Commission relating to ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’, and such rule shall have no force or effect.”

This formulation has already been used repeatedly by Congress this year to revoke decisions of the Obama Administration. Three such disapproval resolutions have already been signed into law by President Trump (previously it had been successfully applied only once, in 2001) and they have the effect of not only removing the rules but also prohibiting the reintroduction of that rule without a specific law supporting it.

Congress has 60 legislative days to register its disapproval in this way, which in reality means any Obama Administration rules going back to May 2016 can potentially be overturned.

Right now, Flake’s proposed resolution is in the hands of the Senate’s Committee on Commerce, Science, and Transportation to consider. The proposal is twinned with an identical resolution introduced by Representative Marsha Blackburn (R-TN); this version is with the House Committee on Energy and Commerce.

Misleading

In the same way that Pai masked the impact of his decision to stop the rules by claiming there needed to be a common framework, Senator Flake has also misleadingly framed his proposal as a way to “protect consumers from overreaching internet regulation.”

How are consumers protected? According to Flake, by not having their ability to receive information about “innovative and cost-saving product offerings” limited. So next time you get that sales email or phone call from a company that bought your personal information from your ISP, be grateful for your “consumer choice.”

Previous FCC chairman Tom Wheeler took a different view and passed the rules because he felt consumers “deserve to be able to make informed choices about their privacy and their children’s privacy online. After all, it’s your data – shouldn’t you have a say over how it’s used?”

Wheeler quoted a report from the Pew Research Center that found that 91 percent of American adults say consumers have lost control over how their personal information is collected and used by companies.

Both Pai and Flake argue that the new rules were an unnecessary expansion of the FCC powers over America’s trade watchdog the FTC, and that the need to inform consumers about the information that ISPs store on you is a “dangerous deviation from successful regulation and common-sense industry practices.”

Both, however, fail to note that the rules were based on existing FCC rules that cover what telecom companies can do with their customers’ data.

Both FCC chair and senator also claim that since the FCC rules go further than FTC rules in protecting personal data, they introduce a dangerous inconsistency across the federal government.

Wheeler’s argument was that since ISPs are able to track every single thing that people do online, the rules need to be stronger than the FTC rules, which are designed to cover what companies can do with, for example, a particular app that consumers install.

Reality bites

Pai and Flake’s call for consistency purposefully ignores the reality of the current situation: because the Open Internet Order covering net neutrality is still in effect, the FCC remains responsible for the rules covering use of customer data by ISPs.

As a result, Pai’s halting of the rules and Flake’s blocking of any future rule together have the direct and immediate effect of lifting almost all rules surrounding what ISPs can do with their customers’ data.

Until either new legislation is passed explicitly giving the FTC authority over ISPs, or the FCC runs a new process that reconsiders its privacy rules, that will remain the status quo.

If Pai and Flake really did care about consumers’ rights, as they claim to, they could have chosen a dozen other routes instead of simply throwing the rules in the trash and sticking a lid on top.

There is one group happy about Flake’s proposal however: the “Voice of America’s Broadband Providers,” the ITTA (Independent Telephone Telecommunications Alliance).

“Passage of this resolution would return us to an environment in which broadband consumers receive consistent and uniform protection of the privacy of their personal information from all entities in the Internet ecosystem,” said president Genny Morelli. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/isp_privacy_rights/

MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

Analysis: To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there’s a technique known as MAC address randomization. This replaces the number that uniquely identifies a device’s wireless hardware with randomly generated values.

In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

It’s a real issue because stores can buy Wi-Fi equipment that logs smartphones’ MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into an affiliated shop with the same creepy system present. This could be used to alert assistants, or to follow people from department to department, store to store, and then sell that data to marketers and ad companies.

Public wireless hotspots can do the same. Transport for London in the UK, for instance, used these techniques to study Tube passengers.

Regularly changing a device’s MAC address is supposed to defeat this tracking.

But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. That and the fact that MAC address randomization is not enabled on the majority of Android phones.

In a paper published on Wednesday, US Naval Academy researchers report that they were able to “track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.”

Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices.

Cellular radio hardware has its own set of security and privacy issues; these are not considered in the Naval Academy study, which focuses on Android and iOS devices.

Each 802.11 network interface in a mobile phone has a 48-bit MAC address layer-2 hardware identifier, one that’s supposed to be persistent and globally unique.

Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to buy a block of MAC addresses for their networking products: the manufacturer is assigned a three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional three-byte identifier that can be set to any value. Put those six bytes together, and you’ve got a 48-bit MAC address that should be globally unique for each device.

The IEEE’s registration system makes it easy to identify the maker of a particular piece of network hardware. The IEEE also provides the ability to purchase a private OUI that’s not associated with a company name, but according to the researchers “this additional privacy feature is not currently used by any major manufacturers that we are aware of.”

Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses can be used in situations where global uniqueness is not required. These CID numbers tend to be used for MAC address randomization and are usually transmitted when a device unassociated with a specific access point broadcasts 802.11 probe requests, the paper explains.

The researchers focused on devices unassociated with a network access point – as might happen when walking down the street through various Wi-Fi networks – rather than those associated and authenticated with a specific access point, where the privacy concerns differ and unique global MAC addresses come into play.
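As an added illustration of the OUI/vendor-part structure described above (example code written for this page, not from the Register article or the Naval Academy paper), the parser below splits an address into its three-byte halves and reads the IEEE 802 universal/local and individual/group flag bits of the first octet, which the article does not mention but which distinguish a locally administered (randomized or CID-style) address from one drawn from a manufacturer's OUI block. The OUI lookup table and the probe-request sample are constructed placeholders, not the IEEE registry or captured traffic.

```python
"""Decode 802.11 MAC address structure: OUI vs vendor-assigned part, plus flags.

Added example for this page. The OUI / NIC split follows the article; the
universal/local (U/L) and individual/group (I/G) bits are standard IEEE 802
facts that the article itself does not state.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff (one separator style only).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")

# Placeholder OUI table (constructed). A real deployment would load the IEEE
# OUI/CID registry files instead of this single made-up entry.
OUI_TABLE = {
    "00:11:22": "ExampleVendor (placeholder)",
}


@dataclass(frozen=True)
class MacInfo:
    normalized: str               # canonical lowercase, colon-separated
    oui: str                      # first three octets (the registered prefix)
    nic: str                      # last three octets (vendor-assigned part)
    locally_administered: bool    # U/L bit set: not from a globally unique OUI block
    multicast: bool               # I/G bit set: a group address, never a sender's own MAC
    vendor: Optional[str]         # registry lookup; only meaningful for universal addresses


def parse_mac(text: str) -> MacInfo:
    """Parse one MAC address string and classify its prefix and flag bits."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError("not a MAC address: %r" % text)
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", text)
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    normalized = ":".join("%02x" % o for o in octets)
    oui, nic = normalized[:8], normalized[9:]
    first = octets[0]
    local = bool(first & 0x02)    # bit 1 of the first octet: universal (0) / local (1)
    group = bool(first & 0x01)    # bit 0 of the first octet: individual (0) / group (1)
    # An OUI lookup on a locally administered address is meaningless: the
    # prefix was not assigned by the IEEE to anyone, so report no vendor.
    vendor = None if local else OUI_TABLE.get(oui)
    return MacInfo(normalized, oui, nic, local, group, vendor)


def summarize_probes(addresses: Iterable[str]) -> Dict[str, object]:
    """Classify probe-request source addresses seen by a passive monitor.

    A phone that randomizes shows up as a changing set of locally administered
    addresses; one that does not shows up under a single stable universal OUI,
    which is exactly the tracking exposure the article describes.
    """
    summary = {"universal": 0, "local": 0, "invalid_source": 0, "by_oui": {}}
    for addr in addresses:
        info = parse_mac(addr)
        if info.multicast:
            summary["invalid_source"] += 1   # a group address cannot be a sender
            continue
        summary["local" if info.locally_administered else "universal"] += 1
        summary["by_oui"][info.oui] = summary["by_oui"].get(info.oui, 0) + 1
    return summary


# Constructed sample of probe-request source addresses (not captured traffic).
SAMPLE_PROBES = [
    "00:11:22:33:44:55",   # universal, stable: trackable across venues
    "00:11:22:33:44:55",
    "da:a1:19:00:00:01",   # locally administered: U/L bit set in 0xda
    "da:a1:19:77:88:99",
    "EE-10-20-30-40-50",   # locally administered, different separator style
    "01:00:5e:00:00:fb",   # IPv4 multicast group address: never a valid sender
]

if __name__ == "__main__":
    for addr in SAMPLE_PROBES:
        info = parse_mac(addr)
        print(info.normalized, "OUI", info.oui, "local" if info.locally_administered
              else "universal", "vendor", info.vendor)
    print(summarize_probes(SAMPLE_PROBES))
```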

Unmasking

Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol can be used to reverse engineer a device’s globally unique MAC address through a technique called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study builds upon that work by focusing on randomized MAC address implementations.

The researchers found that “the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS,” which makes such Android devices trivial to track. It’s not clear why this is the case, but the researchers speculate that 802.11 chipset and firmware incompatibilities might be part of it.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/10/mac_address_randomization/

Are you a customer of a firm that’s been breached? Look out for more attacks

TalkTalk’s security breaches in the UK and the action it’s taken have been widely publicised. What’s less well-known is the aftermath of a breach like that, and how organised criminals can get involved.

That’s what appears to have happened in the TalkTalk case, as a handful of Indian “contact centre” workers have claimed they were hired specifically to persuade TalkTalk customers to hand their data over. They were part of a 60-strong team, they stated.

It was in effect an old scam: they would call claiming to work for TalkTalk, suggest there was a problem with the customer’s computer, and persuade the customer to install malware that then let the criminals into the system to raid bank details and other confidential information. The claim has not been independently verified, but according to a BBC report it appears likely to be genuine, and related not to TalkTalk itself but to one of its subcontractors.

Whether this instance is real or not (and it appears to be), it’s certain that people get calls from people claiming there is a problem with a computer and that their company (they might claim to be Microsoft, for example) is the only one that can help.

Naked Security’s standard advice is to hang up when one of these calls comes in, however tempting it is to string along or taunt the caller.

We’d also urge companies to put better controls in place: banks will never ask for complete passwords, for example, but one of our staff had to call his ISP last week and they wouldn’t act without the complete word rather than individual letters.

We talked to Action Fraud, attached to the City of London Police, which issued an infographic with practical points on it in response to the TalkTalk issue. It points out that legitimate companies will never cold-call requesting remote access to your computer or for financial details. It adds:

Even if the caller is able to provide you with details such as your full name, don’t give out any personal or financial information during a cold call.

If you’re in the UK and have been approached by a scammer, call Action Fraud on 0300 123 2040.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e7hdhGCkrMg/

Brit ISP TalkTalk blocks control tool TeamViewer

TalkTalk has blocked remote desktop management tool TeamViewer from its network, following a spate of scammers using the software to defraud customers.

A spokeswoman for the UK ISP confirmed it had blocked “a number of sites and applications” including TeamViewer from its network to protect customers from phishing and scamming activities.

The company said it was working with TeamViewer and other third parties on implementing some additional security measures to enhance security.

TeamViewer is one of the most popular pieces of software to enable remote access. It was also used by hundreds of scammers attempting to defraud TalkTalk customers by gaining remote access to their computers.

TeamViewer has previously said it takes the security and privacy of its customers “extremely seriously” and “condemns the use of TeamViewer to subvert systems and gain unauthorised access to private data.”

Customers complained on TalkTalk’s forum this afternoon they were unable to use the software.

One said they spent the whole morning trying to fix the problem, using three different computers which failed to connect to TeamViewer via TalkTalk’s SuperRouter.

“I tried to connect by tethering my computer to iPhone 4G – and it connected to TeamViewer straight away. [When I went] back to router [I] lost connection. Loads of reports on the internet about no connection via TalkTalk – why are they blocking it?”

Another said: “This is completely unsatisfactory. If this can’t be resolved then I’ll have no alternative but to switch ISP and also recommend that my main clients do also.”

In the forum, TalkTalk noted that the number of complaints it receives from customers about fraudulent use of these tools “is significant”, but said it hoped to resolve the issue with TeamViewer and the other third-party wares affected.

The mobile network’s spokeswoman said: “We constantly monitor for potentially malicious internet traffic, so that we can protect our customers from phishing and scamming activities.

“As part of this work, we have recently blocked a number of sites and applications from our network, and we’re working hard to minimise the impact on our customers.

“We would also urge our customers to visit our Beat the Scammers website to find out more about how they can keep themselves safe online.”

The Register has asked TeamViewer for a comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/talktalk_blocks_teamviewer/

Instagram phishing apps pulled from Google Play

Security researchers have discovered 13 new Instagram credential-stealing apps on Google Play.

The malicious apps, which pose as tools for either managing or boosting Instagram follower numbers, are actually designed to phish for Instagram credentials. The stolen credentials allow hackers to abuse compromised accounts in order to distribute spam and ads, enriching crooks in the process.

Altogether the malicious apps have been installed by up to 1.5 million users, software security firm ESET reports.

Upon ESET’s notification, all 13 apps were removed from the store.

The dodgy apps typically trick marks into installing them by promising to increase the number of followers, likes and comments tied to an Instagram account.

Victims were induced to hand over their credentials via an Instagram lookalike screen, which was then sent to the attackers’ server in plain text.

While the apps appear to have originated in Turkey, some used English localisation to target Instagram users worldwide.

ESET has added detection for the nasties, which it collectively identifies as Android/Spy.Inazigram. More details of the threat can be found in ESET’s blog post on the apps.

Although phishing and malware threats targeting either Facebook or Twitter users are more common, Instagram fans are by no means strangers to threats. For example, crooks ran a smut-themed scam campaign targeting Instagram users last August, designed to pull traffic to X-rated and adult hookup sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/instagram_phishing_apps/

Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

A new study from RAND Corporation concluded that zero-day vulnerabilities – security flaws that developers haven’t got around to patching or aren’t aware of – have an average life expectancy of 6.9 years.

The research, based on rare access to a dataset of more than 200 such vulnerabilities, also looked at how frequently the same holes are found by different groups. The rarity of independent discovery and the long half-life of defects means it can make sense for some organisations with a dual offensive and defensive role (intel agencies) to stockpile vulnerabilities, the researchers argue.

The long timeline plus low collision rates – the likelihood of two people finding the same vulnerability (approximately 5.7 per cent per year) – means the level of protection afforded by disclosing a vulnerability may be modest and that keeping quiet about – or “stockpiling” – vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others.

“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organisation. “Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments.”

Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analysed by RAND, almost 40 per cent are still publicly unknown.

The study is one of the most comprehensive of its type and its release, just two days after revelations about the CIA’s cyber arsenal of hacking tools, is timely. Security pundits were quick to point out that issues such as weak password security, phishing and failure to apply available patches are all far more important risk factors than the “sexy” but somewhat hyped field of zero-day vulnerabilities.

Javvad Malik, security advocate at security dashboard firm AlienVault, commented: “Zero-days aren’t so much a concern for average users. Cybercriminals tend to go for tried and tested methods to attack users and have built pretty efficient processes around it, e.g. phishing or ransomware. Larger enterprises such as financial services, critical national infrastructure, and governments are usually the ones that need to factor in zero-days and targeted attacks in their threat model.”

Craig Young, security researcher at security tools firm Tripwire, questioned the study’s methodology. “This study from RAND is very unscientific for several reasons,” he said. “First, they are looking at only 200 vulnerabilities which is a small percentage of the number of vulnerabilities being discovered each year.”

The CVE project, which documents just a portion of publicly disclosed vulnerabilities, had 6,435 identifiers released in 2016 plus as many as 3,500 additional identifiers that were assigned but have not yet been revealed publicly. This is in addition to an unknown number of vulnerabilities discovered by hackers with no intention of disclosing them.

“Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading because vulnerabilities can be drastically different in terms of exploitation complexity,” Young added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/oday_vuln_study_rand/

Black Hat Asia 2017: Pentesting for Vulnerabilities

Continually testing for vulnerabilities is critical to threat detection and prevention. Whether testing manually, virtually or through automated programs, pentesting highlights routes to key data, gaps in security policy and compliance, and opportunities for educating staff and developers. Black Hat helps you navigate the array of tools and methodologies for identifying system weaknesses with the following Trainings, Briefings, and Arsenal open-source tool demonstrations:

Optimal for beginning your pentesting training or reinforcing your knowledge, Techniques, Tactics and Procedures for Hackers dissects attack vectors to provide a comprehensive overview of fundamentals and processes for securing systems and checking defensibility. Develop your knowledge of pentesting essentials including basic networking principles, web application exploitability and offensive Linux approaches. Leave with practical, in-depth experience compromising diverse targets in a protected, real-world environment, available to attendees before and after the Training. This course provides a complete foundation for pentesting novices and a refresher for experienced professionals.

Evolving attack structures exacerbate threat detection and problem solving for novice and advanced pentesters alike. Dark Side Ops: Custom Penetration Testing trains attendees to architect custom offensive tools and bypass offensive countermeasures for increased capability and defense. Stealthily maneuver through the network and build custom droppers, beaconing backdoors, interactive shells and more. Receive free offensive source code for future analysis and defense against sophisticated attacks.

With a multitude of malicious attack modes, recognizing avenues for dislodging secure information is imperative. 24 Techniques to Gather Threat Intel and Track Actors uses real-world cases and experiences in an underground marketplace to detail procurable exploits and how they can be trailed. Advance your understanding of threat malware transmission and trackability through this in-depth Briefing to enhance threat discovery and attribution ability in cases of crimeware, webshells, email lists, and more.

Auditing attack structures is helpful in pinpointing areas of vulnerability and effectively allocating resources; automating threat intelligence research can strengthen and maximize those efforts. Beyond the Blacklists: Detecting Malicious URL Through Machine Learning discusses machine learning as a tool for automated testing. Researchers of this Briefing used algorithms, static blacklisting and signatures to detect compromised URLs and new variants yet to be exposed, aiding overall system defensibility.

Timing in threat detection is critical to response capability. ShinoBOT.ps1 is a RAT simulator for detection performance testing, demoing at Black Hat Asia Arsenal. With ShinoBOT.ps1, defenders can run through a whole APT scenario, from exploit to data exfiltration, to test their protection against PowerShell-based attacks.

Gain foundational tools and indispensable experience with Black Hat Asia Briefings, Trainings, and Arsenal presentations March 28-31, 2017 at Marina Bay Sands in Singapore.

Article source: http://www.darkreading.com/black-hat/black-hat-asia-2017-pentesting-for-vulnerabilities/d/d-id/1328347?_mc=RSS_DR_EDT

Most Federal Government Websites Lack Basic Security

HTTPS and DNSSEC not used across the board on agency websites despite federal requirements to do so.

The majority of federal agency websites fail to meet basic standards for security as well as for speed and mobile-friendliness.

That’s the finding from a new study by the Information Technology and Innovation Foundation (ITIF), which says 92% of the 297 most popular fed websites lacked security basics, as well as proper performance and accessibility to people with disabilities. The study is based on a November 2016 analysis of the websites.

Alan McQuinn, the ITIF research analyst who headed up the project, says executive agencies “generally fared better than the non-executive agencies” when it comes to security as well as accessibility and convenience standards.

The security picture is especially vexing. For example, the Bush administration’s OMB in 2008 required that all federal agencies use the Domain Name System Security Extensions (DNSSEC) protocol, which protects DNS lookup and exchange processes. Today, nearly a decade later, 10% of agencies still don’t use DNSSEC on their websites, ITIF found. Agencies that failed the DNSSEC test include the House of Representatives (house.gov), the Speaker of the House of Representatives (speaker.gov), and the U.S. Forest Service (fs.fed.us).

The same holds true for a 2015 Obama administration requirement that agencies use HTTPS to secure their websites: 14% still don’t use HTTPS, says McQuinn.

Agencies that don’t use HTTPS and failed the test for SSL certificates include the Department of Defense (defense.gov), the International Trade Administration (trade.gov), and the United States Courts (uscourts.gov). McQuinn says that DoD has since added the HTTPS feature to its website and expects others to follow.

Shawn McCarthy, research director of IDC Government Insights, says cost-conscious agencies should look to the cloud to help manage some of these security issues.

“Agencies need to move to a standard platform in the cloud,” he says. “The cloud provider knows about DNSSEC and SSL, and you won’t have to worry about it anymore. The agency can just focus on the content.”

The ITIF’s SSL tests on websites also uncovered multiple high-profile security vulnerabilities.

For example, both LongTermCare.gov and letsmove.gov are vulnerable to the POODLE attack, a weakness in systems that still support SSL 3.0 that lets attackers recover data passed within encrypted traffic. The SSL tests also found that SaferProducts.gov is susceptible to man-in-the-middle attacks and that the tsunami.gov sites are vulnerable to the DROWN attack.


Here are some other highlights of the ITIF report:

Speed: While 22% of websites failed the speed test for desktops, 64% failed the speed test for mobile devices; the tests evaluate features such as the speed of optimized images and landing page redirects; websites that failed both mobile and desktop speed tests include the General Services Administration (gsa.gov), the Federal Trade Commission’s IdentityTheft.gov and the National Cancer Institute (cancer.gov).

Mobile friendliness: 41% of the reviewed websites were not mobile friendly, meaning the text was too small, metatags did not scale well, and buttons were too small; websites that failed the mobile-friendliness test include the National Weather Service (weather.gov), the Treasury Department (treasury.gov), and the International Trade Administration (trade.gov).

Accessibility: 42% of the websites reviewed failed the test for users with disabilities; websites that failed the accessibility test include the International Trade Administration (trade.gov) and the Internal Revenue Service (irs.gov).


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/vulnerabilities---threats/most-federal-government-websites-lack-basic-security-/d/d-id/1328360?_mc=RSS_DR_EDT