Incite 5/30/2012: Low Hanging Fruit
By Mike Rothman
As you might have noticed, there was no Incite last week. Turns out the Boss and I were in Barcelona to celebrate 15 years of wedded bliss. We usually run about 6 months late on everything, so the timing was perfect. We had 3 days to ourselves and then two other couples from ATL joined us for the rest of the week. We got to indulge our appreciation for art – hitting the Dali, Miro, and Picasso museums. We also saw some Gaudi structures that are just mind-boggling. Then we joked about how Americans are not patient enough to ever build anything like the Sagrada Familia.
Even though we were halfway around the world, we weren’t disconnected. Unless we wanted to be. I rented a MiFi, so when we checked in (mostly with the kids) we just fired up the MiFi, and Skype or FaceTime back home. Not cheap, but cheaper than paying for expensive WiFi and cellular roaming. And it was exceedingly cool to be walking around the Passion Facade of the Sagrada Familia, showing the kids the sculptures via FaceTime, connected via a MiFi on a broadband cellular network in a different country.
We took it slow and enjoyed exploring the city, tooling around the markets, and feasting on natural Catalan cooking – not the mixture of additives, preservatives, and otherwise engineered nutrition we call food in the US. And we did more walking in a day than we normally do in a week. We also relaxed. It’s been a pretty intense year so far, and this was our first opportunity to take a breath and enjoy the progress we have made.
But real life has a way of intruding on even the most idyllic situations. As we were enjoying a late lunch at a cafe off Las Robles, our friends mentioned how it’s been a little while since they were online. We had already had the discussion about weak passwords on their webmail accounts as we enjoyed cervezas at Park Güell the day before. Their name and a single-digit number may be easy to remember, but it’s not really a good password.
When my friend then told me how he checked email from a public computer in London, I braced for what I knew was likely to come next. So I started interrogating him as to what he uses that email address for. Bank accounts? Brokerage sites? Utilities? Airlines? Commerce sites? No, no, and no. OK, I can breathe now. Then I proceeded to talk about how losing control of your email can result in a bad day. I thought we were in the clear.
Then my buddy’s wife piped in, “Well, I checked my bank account from that computer also, was that bad?” Ugh. Well, yes, that was bad. Quite bad indeed. Then I walked them through how a public computer usually has some kind of keylogger, and accessing a sensitive account from that device isn’t something you want to do. Ever. She turned ashen and started to panic. To avoid borking the rest of my holiday, I had her log into her account via the bank’s iOS app and scrutinize the transactions. Nothing out of the ordinary, so we all breathed a sigh of relief. She couldn’t reset the password from that app, and none of us had a laptop with us. But she promised to change the password immediately when she got back to the US.
It was a great reminder of the low-hanging fruit out there for attackers. It’s probably not you, but it’s likely to be plenty of folks you know. Which means things aren’t going to get better anytime soon, though you already knew that.
Photo credits: “Low-hanging fruit explained” originally uploaded by Adam Fagen
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with all our content in its unabridged glory. And you can get all our research papers too.
Understanding and Selecting Data Masking
Evolving Endpoint Malware Detection
Incite 4 U
Bear hunting for security professionals: Fascinating post by Chris Nickerson about Running from your Information Security Program. How else could you integrate bear hunting in Russia (yes, real bears), running, and security? He talks about how these Russian dudes take down bears with nothing more than a stick and a knife. Probably not how you’d plan to do it, right? Chris’ points are well taken, especially challenging the adage about not needing to be totally secure – just more secure than the other guys. That’s what I love about pen testers – they question everything, challenge assumptions, and spend a great deal of their lives proving those assumptions wrong. The answer? Plan for the inevitable attacks and make sure you can respond. Yes, it’s something lots of folks (including us) have been talking about for a long time. Though I do enjoy highlighting new and interesting ways to tell important stories. – MR
Job security: Say you’re the CISO of a retail chain. Do you think you’d be fired if 10% of your transactions were hacked and resulted in fraud? Maybe you should consider working for the IRS, because apparently gigantic fraud rates not only don’t get you fired there – you get sympathetic press. I bet the guys at Global Payments and Heartland are jealous! And someone at the IRS actually thought that anonymous Internet tax filings, with subsequent anonymous distribution of refunds, was a great idea. I’m willing to bet that not only is whoever created the program still working at the IRS (where else?), but they will keep the program as is. There are occasions where it’s better to ditch fundamentally flawed processes – and losing millions, if not hundreds of millions, of dollars is a good indicator that your process still has a few glitches – and start over. Most of us are not lucky enough to survive that kind of lesson and keep our jobs. – AL
Whining in the sandbox: As any of you who follow Mac security know, Apple is now enforcing sandboxing on all new apps (and updates) in the Mac App Store. These apps are limited compared to versions developers are still free to sell directly. Apps can’t swap spit willy nilly like the old days, and a single app can’t do whatever it wants on a host Mac. From a security perspective this is a great first step to limit the attack surface. Perfect? Nope. But I think we can expect to see it used more on every single platform out there. But some developers aren’t happy with the change. I think this is the second time I have written about this in the Incite, and once again I don’t think this will hurt user productivity nearly as badly as some developers fear. First of all, power users are exactly the people who are willing to buy directly from the vendor as opposed to through the App Store. Second, apps are clearly a major attack target, and given a choice I expect most users to choose better security – so long as the productivity trade-off is relatively minor. Saying it’s a “lose lose lose situation for Apple” shows a poor assessment of the user base. – RM
Life’s dangerous – get over it: I need to beat down a frustratingly myopic post from Evan Schuman on Storefront Backtalk called Should Forensic Tools Be Sold To Anyone? Evan argues these tools are just as likely to be used for evil purposes, so they should not be sold. I’ll skip the tired arguments we normally use about how cars/guns/drugs/fertilizer are all too dangerous to allow anyone to own or operate, and just leave you with a simple question: What makes you think that these pre-packaged security applications are better than the home-grown code a skilled attacker has written for their own use? You don’t think we have the capability to run a debugger, or read memory dumps, or steal the privileges you’re worried about some outsider social-engineering out of the IT administrator? You don’t think we can write the C code to do this ourselves, or reverse engineer the applications to find memory locations where keys are accessed? I understand that tools like this can give hacker wannabes a leg up and maybe accelerate their productivity, but hey, the same can be said of all software. If you think that’s dangerous, you should see me with a general ledger system – I can crash a balance sheet in minutes! But don’t tell our CFO, or he’ll revoke my privileges. – AL
UPDATE: Evan contacted me stating he objected to this post. He stated that in no way was he making an argument against the sale of these products. I read – and still view the phrasing of – the post as Evan making arguments against the sale of specialized security software, but he stressed that is absolutely not the case, and his intention was to start a discussion on this important question. Sometimes I get it wrong, folks, and if I missed the intention to raise the issue without advocacy, I apologize.
Personality typing for the right folks: Interesting article here on an HP blog talking about whether introverts or extroverts make better social engineers. There are a number of data points and experts mentioned who don’t really reach a conclusion. So the article wasn’t overly useful – aside from getting me thinking about which kinds of personalities thrive in the different types of roles in a typical security operation. The type of person who is comfortable managing and persuading (the CISO) is necessarily different than the ops guy manning the SOC, or the incident responder in the middle of a firefight. Of course folks can learn new skills and get comfortable changing context depending on their immediate responsibilities. It’s that chameleon quality that makes great social engineers, BTW. I thought it was stupid when CipherTrust put me through a battery of personality tests during the recruiting process, but looking back I see the logic. Is that for every company? No, but the more you know about folks the better you’ll be able to put them in situations where they can prosper. – MR
Hyperbole or hope? A couple weeks ago I wrote Write Third in response to a bunch of misinformed articles piling on top of each other. Yesterday, Robert Graham of Errata Security showed how valuable it is to use multiple sources for a story if you want to come close to getting it right. Rob dissected the story about a Chinese manufacturer injecting a hardware back door into a military computer chip. In this case Rob himself is the expert, and while he can’t rule out nefarious activity, he presents a strong and well-informed argument that this may be standard operating procedure – nothing to do with a deliberate effort to compromise national defense. It turns out that adding encryption to debugging features is a common means of protecting a chip’s IP. I wouldn’t put it past any nation state (including ours) to backdoor anything they could get their hands on, but we certainly don’t have enough evidence to conclude that’s the case here. Reason and logic FTW. – RM