Research

Hurt back yesterday Too much pain to write much now Haiku easier And don’t forget to sign up for our Black Hat cloud security training in December! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s Dark Reading article on Shiny and New. Rich’s Touch ID and Secure Enclave article was picked up by Daring Fireball, AllThingsD, and who knows where else. Dave Lewis at CSO: Stuffing The Social Media Genie Back In Favorite Securosis Posts Adrian Lane: Investigating Touch ID and the Secure Enclave. Really good analysis from Rich on the security implementation of Touch ID on the iPhone 5s. But I’m not buying the ‘article’ angle – he just wanted a cool new toy! Mike Rothman: Cybercrime at the Speed of Light. Everything can (and will) be gamed. Everything. Gal Shpantzer: API Gateways. Especially because it made @beaker jealous. Rich: Keep Calm and Bust out the Tinfoil Hat. Mike is supposed to be an engineer, not a history major. But this is exactly what I have been thinking. Plus, every other country is doing the same thing to the best of their ability. Other Securosis Posts Continuous Security Monitoring [New Paper]. Data brokers and background checks are a massive security vulnerability. Walled Garden Fail. Incite 9/25/2013: Road Trip. Firewall Management Essentials: Quick Wins. A Quick Response on the Great Touch ID Spoof. Favorite Outside Posts Adrian Lane: Meet the machines that steal your phone’s data. Interesting to see professional eavesdropping devices for mainstream law enforcement. Nothing state of the art, but it allows Officer Barbrady to jack a cell tower. Still, before Snowden nobody cared about this stuff. Mike Rothman: Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth”. We’re entering (yet) another new age, when the legal system is nowhere near keeping pace with technological innovation. Interesting thoughts from Marcia Hoffman about the legal question of whether you can be compelled to unlock your phone (with presumably damning evidence on there) because biometrics are not protected under the 5th Amendment, while passwords would be. Rich: A TED talk by master pickpocket Apollo Robbins. This is more entertainment than learning (as are most TED talks), but damn. You may think you understand the limits of your perception, but you don’t. The last line is the real kicker. Dave Lewis: London schoolboy secretly arrested over ‘world’s biggest cyber attack’ Gal Shpantzer: Yahoo recycled email accounts may contain emails destined to old account owner. No matter how they try to talk this up, or what they do to recover, this is a mess. Research Reports and Presentations Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Top News and Posts Chaos Computer Club breaks Apple Touch ID. A Survey of the State of Secure Application Development Processes. Just downloaded a copy. Review forthcoming. TouchID defeated: what does it mean? New CA law will let minors digitally erase their past. ‘Mr Big’ of UK cyber-crime among gang of eight arrested over £1.3million Barclays computer hijack plot in carbon copy of Santander scam Blog Comment of the Week This week’s best comment goes to Gunnar, in response to Cybercrime at the Speed of Light. HFT is about trading, not investing. Traders buy and sell every second of every day. Investors have multi year time horizons. That’s how ordinary should approach it, long term, buy and hold investment not as traders. These events which continue to happen on a more regular basis and show no signs of stopping, are worrisome, for traders. They can bankrupt themselves with their own algorithms, as one of the biggest Knight Capital did last year http://www.forbes.com/sites/halahtouryalai/2012/08/06/knight-capital-the-ideal-way-to-screw-up-on-wall-street/ Share:

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. … The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, … Two other compromised systems were located inside the networks of Dun & Bradstreet, … The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers. In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on. What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk. Share:

As much as it pained me, Friday morning I slipped out of my house at 3:30am, drove to the nearest Apple Store, set up my folding chair, and waited patiently to acquire an iPhone 5s. I was about number 150 in line, and it was a good thing I didn’t want a gold or silver model. This wasn’t my first time in a release line, but it is most definitely the first time I have stood in line since having children and truly appreciated the value of sleep. It wasn’t that I felt I must have new shiny object, but because, as someone who writes extensively on Apple security, I felt it was important to get my hands on a Touch ID equipped phone as quickly as possible, to really understand how it works. I learned even more than I expected. The training process is straightforward and rapid. Once you enable Touch ID you press and lift your finger, and if you don’t move it around at all the iPhone prompts you to slightly change positioning for a better profile. Then there is a second round of sensing the fringes of your finger. You can register up to five fingers, and they don’t have to all be your own. What does this tell me from a security perspective? Touch ID is clearly storing an encrypted fingerprint template, not a hashed one. The template is modified over time as you use it (according to Apple statements). Apple also, in their Touch ID support note, mentions that there is a 1 in 50,000 chance of a match of the section of fingerprint. So I believe they aren’t doing a full match of the entire template, but of a certain number of registered data points. There are some assumptions here, and some of my earlier assumptions about Touch ID were wrong. Apple has stated from the start that the fingerprint data is encrypted and stored in the Secure Enclave of the A7 chip. In my earlier Macworld and TidBITS articles I explained that I thought they really meant hashed, like a passcode, but I now believe not only that I was wrong, but that there is even more to it. Touch ID itself is insanely responsive. As someone who has used many fingerprint scanners before, I was stunned by how quickly it works, from so many different angles. The only failures I have are when my finger is really wet (it still worked fine during a sweaty workout). My wife had more misreads after a long bath when her skin was saturated and swollen. This is the future of unlocking your phone – if you want. I already love it. I mentioned that the fingerprint template (Apple prefers to call it a “mathematical representation”, but I am sticking with standard terms) is encrypted and stored. I believe that Touch ID also stores your device passcode in the Secure Enclave. When you perform a normal swipe to unlock, then use Touch ID, it clearly fills in your passcode (or Apple is visually faking it). Also, during the registration process you must enter your passcode (and Apple ID passwords, if you intend to use Touch ID for Apple purchases). Again, we won’t know until Apple confirms or denies, but it seems that your iPhone works just like normal, using standard passcode hashing to unlock and encrypt the device. Touch ID stores this in the Secure Enclave, which Apple states is walled off from everything else. When you successfully match an enrolled finger, your passcode is loaded and filled in for you. Again, assumptions abound here, but they are educated. The key implication is that you should still use a long and complicated passcode. Touch ID does not prevent brute-force passcode cracking! The big question is now how the Secure Enclave works, and how secure it really is. Based on a pointer provided by James Arlen in our Securosis chat room, and information released from various sources, I believe Apple is using ARM TrustZone technology. That page offers a white paper in case you want to dig deeper than the overview provides, and I read all 108 pages. The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds – the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI(TM) bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification. Seems pretty clear. We still don’t know exactly what Apple is up to. TrustZone is very flexible and can be implemented in a number of different ways. At the hardware level, this might or might not include ‘extra’ RAM and resources integrated into the System on a Chip. Apple may have some dedicated resources embedded in the A7 for handling Touch ID and passcodes, which would be consistent with their statements and diagrams. Secure operations probably still run on the main A7 processor, in restricted Secure mode so regular user processes (apps) cannot access the Secure Enclave. That is how TrustZone handles secure and non-secure functions sharing the same hardware. So, for the less technical, part of the A7 chip is apparently dedicated to the Secure Enclave and only accessible when running in secure mode. It is also possible that Apple has processing resources dedicated only to the Secure Enclave, but either option still looks pretty darn secure. The next piece is the hardware. The Touch ID sensor itself may be

Hackers at the Chaos Computer Club were the first to spoof Apple’s Touch ID sensor. They used existing techniques, but at higher resolution. A quick response: The technique can be completed with generally available materials and technology. It isn’t the sort of thing everyone will do, but there is no inherent barrier to entry such as high cost, special materials, or super-special skills. The CCC did great work here – I just think the hype is a bit off-base. On the other hand, Touch ID primarily targets people with no passcodes, or 4-digit PINs. It is a large improvement for that population. We need some perspective here. Touch ID disables itself if the phone is rebooted or you don’t use Touch ID for 48 hours (or if you wipe your iPhone remotely). This is why I’m comfortable using Touch ID even though I know I am more targeted. There is little chance of someone getting my phone without me knowing it (I’m addicted to the darn thing). I will disable Touch ID when crossing international borders and at certain conferences and hacker events. Yes, I believe if you enable Touch ID it could allow law enforcement easier access to your phone (because they can get your fingerprint, or touch your finger to your phone). If this concerns you, turn it off. That’s why I intend to disable it when crossing borders and in certain countries. As Rob Graham noted, you can set up Touch ID to use your fingertip, not the main body of your finger. I can confirm that this works, but you do need to game the setup a little. Your fingertip print is harder to get, but still not impossible. Not all risk is equal. For the vast majority of consumers, this provides as much security as a strong passcode with the convenience of no passcode. If you are worried you might be targeted by someone who can get your fingerprint, get your phone, and fake out the sensor… don’t use Touch ID. Apple didn’t make it for you. PS: I see the biggest risk for Touch ID in relationships with trust issues. It wouldn’t shock me at all to read about someone using the CCC technique to invade the privacy of a significant other. There are no rules in domestics… Share:

I am psyched to announce that our Black Hat Vegas class went well, and we have been invited to teach in Seattle December 9-10 and 11-12. As before, we will be bringing some advanced material, but you shouldn’t be scared off – advanced skillz are not required to make it through the class. You can sign up for the class here. The short description is: CLOUD SECURITY PLUS (CCSK-Plus) Provide students with the practical knowledge they need to understand the real cloud security issues and solutions. The Cloud Security Plus class provides students a comprehensive two-day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance Certificate of Cloud Computing Security Knowledge (CCSK) exam (this course is also known as the CCSK-Plus). Starting with a detailed description of cloud computing, the course covers all major domains in the latest Guidance document from the Cloud Security Alliance, and includes a full day of hands-on cloud security training covering both public and private cloud. Share:

I had a really great Friday Summary planned. I was going to go all in-depth and metaphysical on something really important, with a full-on “and knowing is half the battle” conclusion at the end, tying it back to security and making you reevaluate your life. That was before my 6-month-old decided to go to bed after 11pm, then wake up at 3am, and not go back to sleep until 5:15am. Followed by my 4.5-year-old waking me up at 6am because, although she knew it was too early, I forgot to put the iPad that she is allowed to watch until it’s time to wake us up in her room. Then there was the cat. That f***ing cat. (It was my turn to take the baby… he had already wrecked my wife the nights before). So someone is reevaluating their life, but it isn’t you. Instead, I’m going to emulate Adrian: here is my stream of consciousness… Residential alarm companies don’t really like hackers/tinkerers. I have some extensive home automation and I want to pull alerts out of my alarm panel (without enabling control) to trigger certain things and use the sensors. The phone calls tend not to go well. They all have home automation packages they will gladly sell me, and usually after the third time I tell them I have thousands of dollars and tons of custom programming of my own system they finally get it. None of them want to let you access the panel you pay for because they are legitimately worried about false alarms. Can’t really blame them – I wouldn’t trust me either. I finally added some security cameras, mostly to watch the kids outside in the play pool when I have to run inside for my morning… constitutional. I’d like to put some in the play areas but I don’t like how intrusive they look. Need to figure that out. There is a bobcat in our neighborhood. It’s living in the yard of a house that has been effectively abandoned for 3 years because no one seems to know who actually owns or is responsible for it. The bank would sure like the cash, but doesn’t want to deal with maintenance. I smell one of those improperly handled mortgage paperwork situations. The bobcat has cubs and seems quite content to bounce around our backyards. Many neighbors are scared of it, despite, you know, scientific evidence. I mentioned on our community forum that their kids should be safe unless they leash the babies to a stake out in a backyard – that may not work out well. A bunch of neighbors would also like to gate our community due to a mild uptick in break-ins (the other reason for the alarm and camera updates). That would involve about 50 unmanned gates for 900 homes and 6,752 landscapers with keys, judging from the 24/7 blower noises around here. Seriously, we would have to give gate codes to easily over 10K people over the course of the first year. Then there is the maintenance, and if you gate a community you need to take over street maintenance. And there is no evidence that unmanned gates reduce crime. I live with a lot of very scared upper-middle-class people. Other people want to slather cameras all over our community. They don’t understand that no one watches them. Someone thought we would have a control center like a casino or something with security calling in drone strikes for suspicious vehicles. (I consider them a mild deterrent at best, and mostly useful for me to keep an eye on the kids when I need to take my morning constitutional). I mean cameras are mild deterrents – a few drone strikes would probably be pretty effective. Me? I think for a fraction of the long-term cost of either option we could hire additional security and off-duty police patrols. Incident response and active defense, baby! My 4.5-year-old and her best friend have decided which boys they are going to marry. In related news, I will be shopping for a gun safe this weekend. The new Lego Mindstorms EV3 is amazing. I’m a long-time fan of Lego robots, and this one is far more accessible to my young kids due to the ball shooter and iPhone/iPad control. I still need to do all the building and programming, but I’m working on getting them to tell me what they want it to do and break that down into discrete steps. They want me to build an “evil robot” so they can put on their super hero clothes and battle it. The 4.5-year-old has a nice Captain America shield (she was pissed the first time she threw it, because it didn’t come back), and the 3-year-old has a cool Fisher Price Spider-Man web shooter thing. Both girls, both started on super hero kicks without my influence, and both are totally awesome. That’s all I got. Go buy Legos, watch out for bobcats, and don’t get involved in your community security program unless you want to realize how nice our infosec world is in comparison. Seriously. One last note – good luck to everyone in Boulder. It’s very hard to watch the floods from the outside, but still a hell of a lot easier than what you all are going through. Stay safe! On to the Summary. To be honest, due to the lack of sleep and my family walking in the door, it’s be a bit light this week… On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich presenting on cloud encryption next week. Rich wrote two articles on Apple’s Touch ID fingerprint sensor. You can read them at Macworld and TidBITS. They were both referenced by a ton of sites. Rich also quoted on Touch ID at the Wall Street Journal. Cloud IAM webcast next week: Check it out! Adrian’s DR post on PII and Entitlement Management. Another DR piece from Mike on “Talking Threats with Senior Management”. Mike’s latest DR column on the million bot network. Mike quoted

We received an email tip today that Oracle added a new security feature to Java that might be pretty important (awaiting confirmation that I can publicly credit the person who sent it in): Deployment Rule Set is a new security feature in JDK 7u40 that allows a system administrator to control which applets or Java Web Start applications an end user is permitted to execute and which version of the Java Runtime Environment (JRE) is associated with them. Deployment Rule Set provides a common environment to manage employee access in a controlled and secure manner. Clearly it depends on how easy it is to circumvent, and I don’t even hope it will stop advanced attacks, but it does seem like it might help if you put the right policy set in place. More details are available. Share:

I am still putting my personal thoughts together on the recent NSA revelations. The short version is that when you look at it in the context of developments in vulnerability disclosure and markets, we are deep into a period of time where our benign government has actively undermined the security of citizens, businesses, and even other arms of government, at scale, in order to develop and maintain offensive capabilities. (Yes, I’m a patriotic type who considers our government benign). They traded one risk for another, with the assumption that the scale and scope of their activities would remain secret. Now that they aren’t, we will see a free for all. That’s why I am even writing about this on Securosis. Those of us in security need to prepare for both system/design vulnerabilities and specific implementation flaws. We may have to replace hardware, as foreign governments and criminals find these flaws (they will). I don’t believe this was done maliciously. It appears to be mission creep as individual units worked towards their mission without considering the overall implications. Someone at the top decided it was better to leave us exposed to widespread exploitation than lose monitoring capabilities and miss another terrorist attack (these programs existed to some degree before 9/11, but clearly have exploded since then). It was a calculated risk decision. One I may not agree with, but can sympathize with. But the end result is that we may be in the first days of cleaning up some very fundamental messes. Now that we have direct evidence, the risks of external attack have increased for organizations and consumers. The issue has gone beyond monitoring and data collection to affect every security professional, and our ability to do our jobs. Share:

PCWorld/TechHive has a very clear article on how to deal with a Twitter hack. Print it out and keep it handy, especially if you manage a corporate account. If you are very big get a phone number for Twitter security, make contact, and add it to your IR plans. Share: