New School Malware Wipes Hard Drives Old Skool Style

This story has been over-reported on already, so I figured I would join the party! The FBI issued a warning regarding malware that completely wipes all data on a computer’s hard drive. Destructive malware is nothing new, but it has fallen out of favor with malware writers, probably because there isn’t much to gain by destroying someone’s data. Of late, most destructive malware seems to have been targeted, so for the most part the average person doesn’t need to worry about that risk. However, that may be about to change.

All evidence indicates that this malware wreaked havoc on Sony Pictures recently. If I can find a bright side to this type of news, it’s the fact that people tend to listen up when they hear that they can potentially lose family photos and videos forever if they click on the wrong link. Low probability perhaps, but very high impact! So I will take this opportunity to make a few recommendations.

I am not going to tell you to install anti-virus, even if you are a Mac user, because I know that my blog readers already have AV installed…right?!  And I know you would never log in to your local workstation as an administrator to check email and surf the web, so no need to mention that!

Consider installing and using EMET if you are a Windows user. I have been running it on my Windows desktop set to “Maximum security settings” with no adverse effects.  Well, that’s not entirely true.  There was one patch recently that caused EMET to crash IE continually, but updating EMET resolved the problem.

Backup, backup, backup. Oh and don’t forget to backup your data. Make sure your data is backed up too. And if you are really smart, you will backup your data.

One more thing…AUTOMATE your backup. Don’t rely on remembering to manually copy your data to a USB drive. Automate the process; otherwise, when you need your backup, it will be a year old. I guarantee it!

Did I mention the importance of backing up your data?

Technical Details published by Symantec about Backdoor.Destover:  http://www.symantec.com/security_response/writeup.jsp?docid=2014-120209-5631-99&tabid=2

Thanks for reading and don’t forget to subscribe!

Interop NY 2014 In a Nutshell


This week I attended Interop NY for 5 days and thought I would share some highlights from the week.  The daily commute was painful, but Javits is only a brisk 15 minute walk from Penn Station and a pretty cool venue overall.

Day One:  The first day I attended an all-day workshop consisting of an intro to web application penetration testing.  It was a nice review of some of the popular exploits today, and if you are responsible for writing or supporting a web app I would highly recommend you become familiar with the OWASP Top 10.

Hint:  If typing <script>alert('Hi Hacker')</script> in an input box on your website produces a pop-up box, be afraid.  Be very afraid… Some useful tools reviewed included sqlmap, Burp, and an awesome cross-site scripting checker called XSS-Me.
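To show why that pop-up appears and what the fix looks like, here is an added example (not from the workshop or any of the tools it reviewed) that reflects the probe string above into a page unescaped and then HTML-escaped, with a check that tells the two apart without a browser. The page template and the search-term parameter are assumptions.

```javascript
// Added example: the probe quoted above, reflected into a page two ways.
const PROBE = "<script>alert('Hi Hacker')</script>";

// Encode the characters that let untrusted text break out of an HTML text
// node or a quoted attribute value. Other contexts (inline JavaScript, URLs,
// CSS) need their own encoders; this one covers HTML body/attribute text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the search term is concatenated straight into the markup, so a
// <script> element in the term becomes a <script> element in the page.
function renderUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: the same page, with the term encoded for an HTML text context.
// The browser displays the literal text "<script>..." and runs nothing.
function renderSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Defender's check, the textual equivalent of the pop-up test: does the
// renderer hand the probe back verbatim, tag brackets intact?
function reflectsProbe(render, probe = PROBE) {
  return render(probe).includes(probe);
}

// Browser-free structural check: how many <script elements are in the output?
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```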

Day Two:  On the second day I attended another all-day workshop which focused on the components of a risk management program.  The presentation was very well put together and the speaker made some interesting points.  For example, the cloud should be defined as anything out of our direct control. There is no such thing as a “best” practice; refer to industry recommended practices instead. IT security is a subset of Information Security, which is a subset of Enterprise Risk Management.

Days 3-5:  Vendor Expo and Educational Sessions


The following day was the kickoff of the expo and began with the first of two keynotes.  The headliner was Seth Meyers and he did a 30 minute stand-up with some technology jokes peppered throughout.  He shared a story about that one time he jumped on his friend’s computer and typed the first few words of a search and the terrifying search history of his friend appeared…AWKWARD. There were some other great keynote guests like a VP from CBS and HBO.  The founder of Gilt was there and the CTO from Obama’s campaign in 2012.  There were some others as well.  Overall, they had some very insightful comments prepared and even some unorthodox ways of running their enterprises.  For example, Gilt makes changes to production every 15-30 minutes by breaking apart their website into hundreds of small applications managed by different groups.  Essentially, they are mimicking open source development within the enterprise.  Several company execs agreed that there is a major talent shortage and believe strongly in developing talent internally and keeping your employees content.

Throughout the keynotes and the 1-hour sessions over the next 3 days, I heard many technology buzzwords absolutely destroyed.  Can I get an amen?!

  • Big Data is just data.  We need Big Answers.  – Harper Reed (Formerly Obama 2012 CTO; Modest, Inc.)
  • Big Data is just business analytics with lipstick. – John Pironti (IP Architects, LLC.)
  • Cyber, Cyber, Cyber, Cyber, Cyber…stop it! – David Rhoades (Maven Security)
  • The cloud is just adding another data center that you don’t manage. – Elliot Glazer (Dun & Bradstreet)

The vendors came out in DROVES.  I heard one vendor throwing around a new term I can imagine picking up speed, “encryption in-use.” The irony of it all is that one of the ongoing messages throughout the Information Security and Risk Management track was to stop buying “widgets” you will not make full use of before first making full use of the “widgets” you have.  With that said, the expo was a very effective way to get up to speed quickly on a wide range of vendor offerings.  I think I will need a new work number, though, because I have no doubt that it will be ringing off the hook from now on.  Good thing I registered with my CISO’s phone number instead of my own…

In addition to chatting with many vendors and sitting through several vendor-specific presentations, below is a list of the sessions I attended.  Feel free to reach out if you want more information about any of them, but the slides from every presentation are available right HERE.

Session ID Title
830131 Hands-On Web Application Penetration Testing
829636 Acknowledge the Inevitable: How to Prepare For, Respond To, and Recover From a Security Incident
100001 Wednesday Keynotes
830310 A CISO’s Perspective: Friend or Foe? Effectively Managing Third Party Information Security Risks
830317 Emerging Tools and Trends in Hacking
830315 Cloudy with a Chance of Encryption
100004 Thursday Keynotes
830313 Next-Generation Firewalls: Results from the Lab
830314 The Threat Within: Managing Insider Risks and Building a Culture of Security
830311 What’s Next? Emerging Trends in Information Risk Management and Security
830316 Is Your Data Really Safe? A Security Checklist Everyone Must Implement
830318 Next Line of Defense: Internet of Things

Rating:  Fair – I’d go back for the keynotes and expo, but I felt like they were trying awfully hard to stretch a 2-day conference into a 5-day conference.

Thanks for reading and don’t forget to subscribe!

Risky Business: Who decides?

At our recent DoIT all-hands meeting, it was mentioned that thanks to my blog it is possible to know what I’m thinking about. That has been true to some extent. As I reflected on that statement though, I realized that most of this blog has centered around facts and ways to secure your computing environment. I haven’t really used this platform to share my viewpoints or opinions. That is partially due to the fact that I am not, by nature, a blogger. This blog was my first venture into sharing information in such a public forum and I’m still trying to strike a balance between opaque and transparent. After all, discretion is the better part of valor, is it not? Mostly true, but lack of discretion has a time and place too. By the way, for some reason I hate the word blog. Blog Blog Blog.

With over a year here on West Campus I thought today is a good day to break the self-imposed mold for this blog and talk about my thoughts on risk. No, not RISK the strategic board game. Risk as in “the potential of losing something of value.”

Did you know that risk has a formula? That’s right, my academic brethren. Here it goes: Risk = Threat x Vulnerability. Let that sink in for a minute. Read it again. Risk = Threat x Vulnerability. Which of those two factors can we control? The threat? Nope. We only have control over the vulnerability side of that equation. Every organization has a risk posture. What is ours? What is yours? What needs to change?

What is our risk posture?

Before we talk about risk posture, we need to talk about risk tolerance. Some organizations are risk averse and try to address every known vulnerability regardless of cost. Others tend to be more risk tolerant and allow certain inefficiencies to remain. Where do we sit on that spectrum as an organization? Well, most institutions of higher education tend to have relatively high risk tolerance. The extent of tolerance varies from institution to institution. Consistently, though, risk tolerance is decreasing across the board. The threat has changed. The world has changed. At Stony Brook our risk tolerance is decreasing in like manner. Is our tolerance decreasing as quickly as the threat is increasing? We need to move fast.


This blog is not the place to discuss our risk posture. Sorry to disappoint. I will say this, though. Our risk posture is strong in some areas and weak in others. That is true for all organizations. Then there are areas that have an unknown risk posture. Those worry me. There are too many of those.

What is your risk posture?

In other words, how are we doing as individuals with regard to assessing and managing risk? Sensitivity and tolerance to risk vary greatly. Let me give you a handful of character profiles found around campus, and as you read them, try to honestly evaluate which one you relate to more.

  • A researcher who proactively reaches out to the CISO at the start of a research project to ensure that the practices they plan on following are adequate.
  • A researcher who is convinced that nobody in this world is interested in his/her research data and therefore security is not a concern.
  • An IT support professional who knows the owner of each system on their portion of the network and is quick to respond to security related incidents.
  • An IT support professional who provides support as requested, but otherwise allows faculty to manage their own equipment and therefore does not view security as part of their job description.
  • An IT admin who always takes security into consideration, can justify why every security-adverse decision is made, and employs compensating controls.
  • An IT admin who will always choose functionality and ease of use over security without giving any thought to risk.
  • A faculty member who wants to use their computer to accomplish a given task over the next few months.
  • A faculty member who wants admin rights on their computer so they can accomplish any task at any given time at some point in the future.

The list can go on and on, but those are some of the perspectives I’ve encountered on campus.  If reading this list put you on the defensive, ask yourself “Why?”

What needs to change? 

For starters, we need to start thinking and talking about risk more often. The decisions we make must be made with both eyes wide open. Lack of thought has no place in higher education. In my opinion, this improvement will have the single greatest impact on the security of our organization. Coincidentally, our meeting with Information Systems today centered around this very topic. They are acutely aware of certain risks within their purview and they want to formalize a priority-based plan to address them. This is the type of thinking that will keep Stony Brook safe.

We need to recognize who has the authority to accept risk on behalf of Stony Brook University, or wherever you happen to be employed. It’s probably not you or me. If a decision is being made that exposes Stony Brook to risk, make sure the right administrator is accepting that risk and is fully aware of the implications. It’s for your protection as much as it is for Stony Brook’s. I have observed that the higher you move up the chain of command, the less tolerance there is for risk. Let the decision makers do their job.

When there is conflict between security and preference or ease of use, we need to default secure. As it stands now, it is not uncommon to default less secure until an incident. That mentality needs to change. If a security related decision is going to impact the business flow or ease of use negatively, there needs to be a well informed decision made by the appropriate person. Don’t default less secure, default more secure until otherwise advised.

In the past, there was no reasonable way to collaborate safely. That is no longer true. Responsible collaboration is possible and practical. We have to be willing to jump through a hoop here or there to operate securely. Connecting to the VPN before accessing something is not unreasonable. Put the organization’s safety before your own convenience.

Finally, we need to work together. We need to disagree and discuss it intelligently. We need to yield when a reasonable argument is presented.

Overall, I am optimistic about our security posture and our security trajectory. Let’s make a concerted effort this year to think and talk about risk so our posture will continue to improve.

Thanks for reading and don’t forget to subscribe!

 

Have You Been Bluesnarfed?

I recently became aware of a couple of scams that can significantly hurt your wallet because the end result is a bunch of unauthorized, but legitimate (from the phone company’s perspective) charges on your cell phone bill.  The prevention of these scams is extremely simple and non-technical.

Scam 1:  A scammer hacks into the Bluetooth connection coming from your phone and downloads your entire address book.  They then add a 1-900 premium relay number as a prefix to each of the stored phone numbers in your address book and upload the modified contacts back to your phone…all in a matter of seconds.

The result?  You call Mom, and your phone simply displays “Calling Mom.”  What’s really happening is that your phone call to Mom is being relayed through a 1-900 premium pay-per-minute “service” and you owe the phone company thousands of dollars by the end of the month.  You’ve been bluesnarfed!

Prevention:  Call your cell phone company and disallow premium phone calls.

Scam 2:  A scammer sits in the back of a crowded movie theater and hacks into your cell phone via Bluetooth while it is tucked safely away in a purse or pocket so as not to disturb others.  A second scammer sits outside and sells reduced-cost minutes to a crowd of international visitors who would like to speak to their family.  Unbeknownst to you, they are doing so via your cell phone.

The result?  You owe the phone company big for almost 2 hours of international phone calls.

Prevention:  Call your cell phone company and disallow international phone calls.

I took the preventive steps listed and although the customer service rep at my cell phone carrier initially told me it was not possible, after I pushed them they “figured out” how to disable international and premium outbound phone calls on my line.  Although newer phones make these scams harder to execute, the increased range of Bluetooth makes your “attacker” radius larger than ever before.  Besides, it was a 15-minute phone call and may have saved me thousands of dollars.  I hope you take the same precaution!

Some other general recommendations regarding Bluetooth security:

  1. Turn off discovery mode when not actively pairing a device.
  2. Reset default Bluetooth PINs to be longer and unique.
  3. Turn off Bluetooth when not in use.
  4. Only pair devices in trusted and non-crowded locations.

Thanks for reading and don’t forget to subscribe!

What Does a Security Guy Do to Protect His Own Computer?

It is not uncommon for someone to ask me what I do to keep my computer safe.  I can’t list everything here, but I will list some of the basic things I do and don’t do, to keep my workstation unhacked (not-a-word).  Some of this stuff is unexciting, but needs to be mentioned regardless.

  • I roll up my car window when driving through a dangerous neighborhood, commonly referred to as the Internet.  More specifically, I do not allow scripts to run on my browser without authorization.

The Internet is a very dangerous place.  If you were driving through a bad neighborhood, would you lock your door and roll up your windows?  Unless you are looking for trouble, it would probably be a good idea.  Hackers describe your Internet browser as a window into your computer.  They love your browser.  We could spend a long time discussing browser security and best practices, but if I had to pick one thing to recommend, it would be this.  Do not allow scripts to run by default.  Scripts are basically little programs that give every website the awesome functionality we are all looking for.  More often than not, you have to allow the scripts on a webpage to run for it to work properly.  Unfortunately, the bad guys know this too and they use scripts to execute a wide range of attacks.  If you are a Firefox user, install NoScript.  I mostly use Chrome so I am using an extension called NotScripts.  I’m also using Vanilla Cookie Manager, HTTPS Everywhere and Adblock Plus for additional protection.  WOT is worth mentioning too.  I still use IE, but only for trusted websites.

  • I never login to do day to day work as a local administrator.  Never.  Sometimes?  NEVER!

I am going to use an overly dramatic illustration to drive this point home.  SANS expert Dr. Eric Cole categorizes surfing the Internet and checking e-mail as two of the most dangerous actions in the world.  Outside of cyber, perhaps bungee jumping would also be considered pretty dangerous.  Would you go bungee jumping without any safety precautions?  Would you detach your bungee cord because you find it to be too restrictive or inconvenient?  Of course not.  You know that bungee jumping with all the precautions in place is still high risk.


The same is true of checking your e-mail and surfing the web.  If I didn’t need admin access to my computer, I would gladly give it up.  It is no great privilege.  Since I do need it to effectively do my job, I log on to my computer as a standard user, and if something I am doing requires admin access, I use the Run As functionality or temporarily log in with my local admin account to do that particular task.  Keep the bungee cord attached!

  • I always install antivirus, enable a local host firewall and set patches to automatically install.  Always.  But I have a Mac…ALWAYS.  But…ALWAYS!

I won’t relaunch into my bungee cord illustration, but you get the point.  Every OS is equally deficient.  Personal sentiments aside, there is no one software vendor less vulnerable than another.  In fact, security experts analyzed which OS has the most vulnerabilities and they found that the vulnerability count for every OS is within 2% of one another.  Security decisions must be data driven.  It’s true that some operating systems are more targeted than others, but that detail should not make you feel safe.  Perhaps you’ve noticed that more people today are using Macs.  The bad guys know that too.

  • I use a password manager so that I can maintain separate passwords for each of my accounts.

For the time being I am using Dashlane.  It fills my needs.  There are some other ones out there that are equally great if not better (LastPass, 1Password, yada yada yada).  Basically, password managers allow you to digitally write down every username and password you have and encrypt them using one master password.  They also can generate secure passwords for you so your other accounts are adequately protected.  You can see that there is a tradeoff here.  If that one master password is weak or gets compromised, you are in trouble.  Still, you are much better off if all your passwords are unique and secure.  The Heartbleed vulnerability proves that point.

The biggest factor for me in choosing a password manager is whether or not the company stores your master password anywhere.  Actually, that master password works as the decryption key to your encrypted password list stored within the password manager software.  Encryption is commonly likened to the lock on your door and your master password is the key.  If the encrypted data and the key are stored together, it would be akin to taping your house key to the front door of your house.  Sadly, that is not rare.  Dashlane says they do not store it at all, so if they were breached, the adversary would only get a worthless chunk of encrypted data rather than my password list.  Also, if you forget your master password, it is gone forever.  So are the many passwords protected by it.

An additional benefit was noted by one hacker during a Defcon conference.  One of his targets was inadvertently protected against a keylogger that the hacker deployed.  Why?  The password manager the target used came with an auto-login feature, so there were no key presses to log.  Pretty cool!

My fingers are tired and I think I shared enough to keep you busy for a while.  What steps do you take to secure your computer?  Let us know in the comments below.

Thanks for reading and don’t forget to subscribe.

PSA regarding TMI

The day I passed my driver’s test, my father sat me down to chat.  He lovingly reminded me that if driven responsibly, a car would prove to be a valuable tool.  If driven recklessly, it could instantly transform into a 3000 pound bullet.

Is this post really about driving your car safely?  No.  However, the concept applies to using the internet responsibly.  Social networking is a valuable tool and a big part of our daily lives, both socially and professionally.  However, posting without discretion can put us and others in danger from Internet hooligans.  Check out the infographic below for some loving reminders.

[Infographic: How Too Much Information Shared Through Social Media Can Really Hurt You]

Thank you for tuning in to this public service announcement (PSA) regarding too much information (TMI).

So, what do you do to stay safe while using a particular social networking site?  Post a comment below.

Thanks for reading and don’t forget to subscribe!

Extra! Extra! Privacy for sale!

Data Privacy Month

Privacy is a keyword that has sold a lot of newspapers lately.  Why is that?  For starters, absolute privacy is more elusive than Peyton Manning trying to win a 2nd Super Bowl.  24-21 Seahawks, but I digress.

When discussing online and data privacy, responses can generally be summarized into one of three statements:

“I don’t have anything to hide, anyway.”

or

“I don’t have any data anybody wants.”

or

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

There is some truth to all of those statements.  However, let me respond one by one…

“I don’t have anything to hide, anyway.”

Hopefully, that is true!  I would put myself in that category.  However, not having anything to hide is not the same as, “please document all of my likes, dislikes, medical conditions and internet searches.”  The power of big data is amazing.  It’s hard to imagine what a single search provider can deduce from your search history.  Add your social media activity and GPS coordinates from smartphone-snapped photos to the mix and it would be a mundane task to predict where you are going to have lunch…next Wednesday…before you even know.  So, what’s the harm in that?  Well, like anything else there is no harm if that information is not abused.  However, the idea of so much personal information logged on a server somewhere in cyberspace can make anyone a little bit uncomfortable when you start to give it some thought.  After all, these companies exist to make money and your information is the product they are selling.  If someone was following you, your children and your “friends” around with a pen and pad, from a safe distance of course, jotting down your schedule and any other details they could gather in plain sight, would you be OK with that? Unlikely.

Be aware of the fact that when you are logged into a social media account or search engine, your web traffic and internet searches are likely being logged and analyzed.  If you have a problem with that, remember to log out of all websites you logged into and clear your temp files before browsing the web.  Some individuals keep a separate browser for random searches and web traffic and another browser for logging into social media websites and the like.

“I don’t have anything anybody is interested in stealing.”

Actually, you do.  You have credit cards, a social security number and credentials to campus or corporate resources.  You may have access to intellectual property or research data.  You definitely have access to a computer.  Many of today’s attackers are as interested in computing power as in anything else.  If they can turn your computer into a zombie and make it part of their apocalyptic cyber army, they are more powerful and more effective in getting what it is they’re ultimately after.  There have been countless cases of a computer sitting under the desk of a receptionist in an inconsequential office taking part in a cyber attack against a high value target.  So don’t subscribe to this faulty reasoning.  It’s just not true.

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

Well, this is not true as it stands today, but there is no telling what next week will bring.  Here’s the bottom line.  The climate of information security has changed from ‘trust but verify’ to ‘don’t trust and verify’.  Everything worth protecting needs to be protected.  What do I mean by that obscenely obvious statement?  Assuming something is safe or relying on security by obscurity is not going to cut it anymore.  Any data hitting the wire or the air via WiFi should be viewed as fair game for invited or uninvited onlookers to see.  Encryption for data at rest and data in transit is not an option; it’s a requirement.  Every website, product or software package you are investigating should support encryption.  Accept no less and assume your local network is already breached in some way.  It’s not paranoia.  It’s reality more often than anyone would like to admit.

Watch this short video for some important reminders.  It’s an oldie but goodie if you haven’t seen it before.