Why Is It Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON Phishing emails!!

But then Equifax creates www.experianidentityservice.co.uk ???  or creditexpert.co.uk/login/login

Bsides in London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point, as we as Cybersecurity professionals ask users to be careful what you click, and then  somebody in the company makes a difficult to read domain name, since the easy ones are taken.

So if a user can at times be duped and then clicks on malware (let’s face it users will  never be 100% accurate) then we must assume that the hackers can go into one of our systems inside the firewall.

So this scenario describes why we need to have zero-trust network architecture, and in a zero-trust network, we assume the bad guys are everywhere, so it requires identity management to be hardened.

Assume that phishing will work eventually in your environment

Here is where tyhe phishing domains are actually coming from(Paloaltonetworks.com post):

You see the problem is all the hosting companies are in the USA  so as I mentioned all the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing efforts should reflect a simple domain structure that makes sense so that when the phishing people try to scam your customers, they will hopefully see through the bad domains.

As per Isaca presentation: “State of Cybersecurity”  90% of all federal (US) breaches are started with a phishing email.

 

Contact us to discuss your cybersecurity risk management profile.

 

SAML Attacks can break down Single Sign-On(SSO)

Area41 Defconswitzerland had an interesting video about attacking Single Sign-on technology SAML – Security Assertion Markup Language  (basic tutorial on SAML)

There are a few ways an attack can happen, while the initial connections are made (and all certificate info is exchanged or other info needed.

Or after the initial connection was made and now the single sign on conditions are set. I.e. the auth server will store cookies, and redirects on next ask for access.

The image above is from auth0.com

So when the attacker tries to inject an attack they are mimicking the tokens. or the XML .

check out the following from the defconswitzerland video:

SAML Attacks Certificate Tampering

  • Clones a certificate, generate a new key material
  • Use a certificate signed by other official CA

SAML Attacks XML

  • signature Exclusion(simply delete Signature)
  • XML signature Wrapping
    • Paper on breaking SAML(Be whoever you want to be 2012)

SSO is supposed to be a technology which makes accessing multiple network systems easier and safer. So if there is a way to attack it and have access then it defeats the purpose of all this defense.

 

Contact Us to discuss auditing your network environment

You are Good, But Neighbor is not… Now What?

Let’s set this up…

You have paid attention to some Cyber security efforts, and have a number of defenses, maybe not “all of them” but your risk management matrix has shown you where to focus. What is impact on a device if having Cyber security problems?

Assuming you set up the probability matrix of all of your devices failure impact… Did you think of everything?

What about this:

Internet Storm center has  a story “More malspam pushing Lokibot”  

The post is about when an email attachment RTF(Rich Text Format) runs and then downloads an exploit for CVE-2017-11882 which installs Loki the information stealer.

Once Loki is on the machine it will contact home base and more.

Loki is an especially bad malware software, as it steals FTP credentials, SMTP credentials, Browser data, database information, and keylogger abilities.

So how do we defend against this malware? we need to deny the entry points. Because if once the malware is in one of your systems or one of your partners then it is a different game.

 

So what happens when  you think the neighbor is infected?  The firewall is no longer in play, as all internal machines are now open to attack. All it takes is another payload to be dropped into the infected machine that will take advantage of other machines with weak defenses.

So the problem is that any machine that you allow into your network (with vpn or otherwise) also can make your network systems weaker.

Coming back to our neighbor, if the neighbor does not have the same methods to security as you do, they are now a liability if you do not take the neighbor threat seriously.

I want to give an example in an apartment building that has been setup with a well known ISP internet service. So you get an apartment  and the service for internet is built-in to the price of your apartment(or at least is a minor add-on).

The Apartment people tell you to just plug into the wall and voila you have internet service.

So when i plug in, do i get my own router? Or am I connected within a switch with every other apartment first? So now I have to run a discovery scan, and check all other IP addresses first?

This is why one runs a discovery scan, to see all the machines that are on the network and that can see you. This is all part of the risk management of your company.

 

Contact Us to discuss Risk management and more.

Smart Cameras have Cybersecurity Problems

Everything has cybersecurity problems if it is not built with some security in mind at least. One should not build security after building the product, it tends to be ad-hoc or kluge.

Tom’s Guide has a good article of several cameras, it happens that AV-TEST evaluated 8 IP(Internet Protocol) cameras.

Only 3 cameras received 3 stars out of 3 (best stat): Logitech Circle, Myfox Security Camera, and the Netgear Arlo.  D-Link and Hanhwa Techwin need to get updates. Samsung Smartcam had  a new vulnerability that was found in March. And the unknown brands should just be thrown out.

 Logitech’s Circle above.  (a new one Circle 2 is available now)

Why focus on cameras? because they are easy to set up but not as easy to keep up and secure.

What happens when new firmware is released? How long until you update the camera? the camera requires a password and then upload the file – update, and ‘reboot’.

These new cameras also have cloud accounts or mobile apps, which may need updating too.

MyFox security camera is also a good option. (Made by Somfy protect, here is Somfy tech support page).

The other “top camera” in the review is:

Netgear Arlo has many options in cameras

Security light, Pro2, Pro, regular, Go, Q, Q plus, and baby

So you bought a nice camera, set up the Wifi, and the app on your phone.  Now you can keep an eye on a certain area from anywhere you have phone service. Pretty good right?

Now in a year or so, a new vulnerability comes out, and you have to upgrade the firmware. Where was that password again?

this year’s top product become next years liabilities (remember the Intel/AMD security problem in all processors).

So better do some documentation of the camera devices, and keep track of the vulnerabilities just like all the other computer devices on your network.

 

Contact Us to discuss your security policy needs.

Why Are we in a Big Cybersecurity Mess?

To answer this question logically and truthfully we have to go back to how computers have evolved and connected to each other.

During WW2 the beginning stages of electronic machines tabulating artillery tables faster and more accurately than humans (Colossus mark 1 and 2)

(public Domain picture)

As the computers evolved more and more effort was put in for how the programming and processing abilities occurred and security was not even a worry, as security was physically done not networking wise.

So when and what was the first networked computer?

The first network was the precursor of the internet as we know it and it was called ARPANET (Advanced research Projects Agency Network): EDN Network article discusses this.  On Arpanet in 1969 and shortly thereafter the focus was on making the network operational (it finally was deemed “operational” in 1975 at six years later).  The work on this technology is available for everyone to see: TCP Transmission Control Protocol as it was developed in the public domain :  The RFC 793 September1981

If you look at the Table of Contents of the TCP RFC (Transmission Control Protocol – Request For Comment) document there is no place for security or encryption.  It is up to you to develop security. So that is what we have done. New technologies with SSL(Secure Socket Layer) and TLS(Transport Layer Security) have been built on top of the TCP technology.

As you may know from our past blogpost SSL is no longer PCI compliant

So THIS IS THE PROBLEM !!!

We are developing our current software on an insecure platform.

Until there is a computer built from scratch for security using a network mechanism that is also built with security in mind, we will always be fighting a losing battle.

So we have developed Compliance mechanisms:

  1. PCI – Payment Card Industry  (2004 major credit card companies came together)
  2. HIPAA – Health Insurance Portability and Accountability Act of 1996
  3. Other public company compliance regulations (SOX)

 

The compliance systems are not designed to make you 100%secure, they are designed for you to mitigate security problems. If you follow all the rules for the most part you will keep problems in check and thus  business risk is reasonable.

The bottom line  is for IT resources to provide business capabilities, in that environment security has to be mitigated. Until someone develops a 100% secure platform this is the life we have. We will have to keep up on patches, and review logs while always looking over our shoulders to see if the criminal hackers have finally come into  the environment or not.

Interesting to note, that as more people get connected  we stop to think about our security, I mean who thinks about cybersecurity as they get a new phone or tablet/laptop? especially if that is their first foray into smartphones.  The new connectee is interested only in how I can connect (usually with free WiFi or an unlimited data plan.  The reason we stop to think about security is that we expect security to be there.

The unfortunate aspect of more people connecting is that not all people are knowledgeable about phishing emails and other cyber security problems. It takes time to become knowledgeable in anything, so the overall understanding is pushed down (common denominator).

So my theory is as more people connect the average knowledge about cybersecurity is pushed down. Thus allowing more attacks to  be successful by the criminal  hackers.

In the following image Cisco predicted IoTs to balloon to 50billion devices by 2020. (this seems correct or low).

So nothing has changed – we are so busy connecting to the Internet we are not focusing on Security. This phenomenon is moving faster towards a larger Chaotic environment.

Contact us to discuss