Friday, 12 May 2017

Secure Coding: The Foundation on Which We Must Build our Future Empire


By Will Lambert, Pre-Post Sales Cyber Security Consultant, ZeroDayLab

The Internet of Things (IoT) is a phenomenon like no other the human race has experienced before.  It must be said, the IoT is an impressive feat of engineering.  Never before has a civilisation been able to connect so many personal devices to a single interconnected network.  Let's stand back and admire the city we have created.  Like all the other great cities in history, it's not without fault.

The city we have built is pushing forward, developing and evolving in ways that even 10 years ago we would not have thought possible.  Not only do we have wearable tech such as our smart watches, glasses and fitness trackers, but we are also lucky enough to have Smart TVs, fridges, toasters, juicers, light bulbs; the list goes on.  'When does it stop?', you ask.  Never.  It never stops.  We all want the latest gadgets and the market is more than willing to provide.  'Supply and demand' is the bricks and mortar that continues to push our city skywards, but are we building on fractured foundations?

According to CCS Insight, we can expect to see the number of IoT devices available to rise. Wearable tech alone is expected to rise from 123 million (2016) to a sky-scraping 411 million in 2020, valued at $14 billion. What an empire it will be; but answer me this, should we build this awe-inspiring empire on rock or sand?


Coding is broken.  This is a fact known throughout the security industry.  We have seen Smart devices hacked because of insecure coding, with the result that they have been infected with malware.  Once infected, they can be hijacked and used as zombies in Distributed Denial of Service (DDoS) attacks on a massive scale.  Last year we witnessed attacks of up to 620 Gbps, such as the one Krebsonsecurity.com suffered.  Much of that traffic was found to originate from zombified IoT devices such as IP cameras and Digital Video Recorders.

What speeds will hacked IoT devices reach in the future, and what scale of DDoS can we expect to see this year?  What about next year?  Will we even have dependable internet in 2020, or will we see rolling internet blackouts?  The need for the market to produce quality products has never been more important.  This calls for a change in culture throughout the IoT market.  Quality no longer needs to mean 'does it work?' but rather 'does it work securely?'.  When the market is looking to push out its latest Smart device, security vulnerabilities should be addressed the way a functional coding bug would be.  The code would have to be stripped back to address those vulnerabilities, to ensure that the result is a Smart device that not only works well but is secure.

The market is not on its own in fixing the foundations of our future empire.  Hajime was first discovered in October 2016 and appears to be the work of a hacker who has set out to neutralise as many Smart devices as possible.  It spreads using Telnet and was at first suspected to be malware in development that could potentially be used in a DDoS, but the attack never came.  Hajime is self-replicating and appears to be fighting malicious botnets like Mirai for control of IoT devices.  Unlike malicious botnets, Hajime allows the IoT device to continue to work normally; in fact, most of the time you won't know that you have been hit by it!  Once a device has been infected with Hajime, it closes ports 23, 7547, 555 and 5358, which are commonly exploited by IoT malware.  Once these ports are closed, it contacts a Command and Control (C2) server with the following message;

On a personal note, I think it is wrong to attach the term malware to Hajime.  Hajime to me is not malware, it is helper software or 'helware' (a new term, I just made it up)!  Hajime was not the first helware; Wifatch was discovered in 2014.  Again, this was used to secure devices and even left a message asking owners to update the device and change default passwords.  Like Hajime, it leaves a signature, 

However, some malware exists purely to brick your IoT device, which removes the threat of it becoming a zombie, with one small side effect: you won't be able to use it either.  BrickerBot (spread via Telnet) was detected in March 2016 and is designed to logically destroy IoT devices.  It damages devices to such a degree that the result is a Permanent Denial of Service (PDoS).  There is an upside though; it can't be used as a zombie anymore...
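The port list in the Hajime paragraph above (23, 7547, 555 and 5358) doubles as a useful defensive check: if a home or office gateway accepts inbound internet connections to those ports on a Smart device, that device is exposed to exactly the Telnet-spread malware described here.  The Python below is an added example, not code from this post or from ZeroDayLab.  It runs two checks over gateway firewall log lines whose format (SRC=/DST=/DPT=/ACTION= fields) is constructed for the example; the second check, flagging a single source that probes many devices on those ports, goes beyond what the post states and is the pattern a self-propagating bot leaves behind.

```python
"""Defensive check over gateway firewall logs: which Smart devices accepted
inbound internet connections on the ports IoT malware targets, and which
sources swept the network looking for them.  Added example, not from the post."""
import re
from collections import defaultdict

# Ports named in the post as commonly exploited by IoT malware (the ones Hajime closes).
IOT_MALWARE_PORTS = {23, 7547, 555, 5358}

# Log line fields assumed for this example; real gateways use their own formats.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) ACTION=(?P<action>ACCEPT|DROP)"
)

# Constructed sample: 203.0.113.5 probes four devices on Telnet/TR-069 ports,
# two of which accept; 198.51.100.7 reaches one device on 5358; the 443 line is benign.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z gw kernel: INBOUND SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP DPT=23 ACTION=ACCEPT
2017-05-12T10:01:03Z gw kernel: INBOUND SRC=203.0.113.5 DST=192.168.1.21 PROTO=TCP DPT=23 ACTION=ACCEPT
2017-05-12T10:01:04Z gw kernel: INBOUND SRC=203.0.113.5 DST=192.168.1.22 PROTO=TCP DPT=7547 ACTION=DROP
2017-05-12T10:01:09Z gw kernel: INBOUND SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP DPT=5358 ACTION=ACCEPT
2017-05-12T10:02:00Z gw kernel: INBOUND SRC=198.51.100.9 DST=192.168.1.30 PROTO=TCP DPT=443 ACTION=ACCEPT
2017-05-12T10:02:30Z gw kernel: INBOUND SRC=203.0.113.5 DST=192.168.1.23 PROTO=TCP DPT=23 ACTION=DROP
"""


def parse(lines):
    """Yield (src, dst, dport, action) for every line matching the assumed format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"]), m["action"]


def exposed_devices(lines):
    """Map each internal device to the malware-targeted ports on which an
    inbound connection from the internet was ACCEPTed (i.e. the service answered)."""
    exposure = defaultdict(set)
    for src, dst, dpt, action in parse(lines):
        if action == "ACCEPT" and dpt in IOT_MALWARE_PORTS:
            exposure[dst].add(dpt)
    return {dev: sorted(ports) for dev, ports in exposure.items()}


def sweeping_sources(lines, min_targets=3):
    """Sources that touched at least min_targets distinct internal devices on the
    targeted ports, whether accepted or dropped: a bot hunting for Telnet."""
    targets = defaultdict(set)
    for src, dst, dpt, _action in parse(lines):
        if dpt in IOT_MALWARE_PORTS:
            targets[src].add(dst)
    return sorted(src for src, devs in targets.items() if len(devs) >= min_targets)


def report(lines):
    """Operator-facing summary lines: what is exposed and who is looking for it."""
    out = []
    for dev, ports in sorted(exposed_devices(lines).items()):
        out.append(f"EXPOSED {dev}: accepted inbound on ports {ports}; close or firewall them")
    for src in sweeping_sources(lines):
        out.append(f"SWEEP from {src}: probed multiple devices on IoT-malware ports")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Exposure is judged on ACCEPT only, because a dropped probe proves nothing about the device; the sweep check deliberately counts drops as well, since the scanning source is the signal there, not the outcome.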

Let's think about the amount of Personally Identifiable Information (PII) held on Smart devices.  How many of you store credit card details on your phone, or have contact information on your watch?  What does your fitness tracker say about you?  Smart devices usually have GPS, microphones and cameras built in; they can track what you do, where you go, who you meet, what your interests are and what you like to buy, amongst other details of our personal lives that we would prefer not to share publicly.  Put away the tin foil hats, my point is this: in the eyes of EU GDPR, should these devices be breached and your PII made available to attackers, who is to blame?  Will the suppliers of insecure IoT devices be liable for fines of 4% of annual turnover or €20 million?

Apple stands alone in the defence of its products.  Other vendors allow third party security apps to be installed, such as Malwarebytes and McAfee.  I contacted Apple to ask how they protect their devices from hackers and why they choose to stand alone;

<Customer Service>
Thanks for contacting Apple Support. My name is <Customer Service>. Please give me a moment to look over your information.

<Customer Service>
Hi Will, How can I help you?
Will
Hi how are you? I'm acutely aware of the threat of Ransomware and alike and have searched the App Store for an app to provide a level of defence for my systems, but unfortunately - was left wanting.
<Customer Service>
I am good, thanks for asking.
<Customer Service>
I will be glad to help you find the best solution to remove Pop-ups.
Will
I contacted a well known AV vendor who has stated that Apple has made the decision to prevent AV scanners to access the iOS.
Will
They continue to tell me that security against these threats is maintained by Apple alone. Can I ask why Apple choose to stand alone to defend my devices against a plethora of malware?
<Customer Service>
Apple devices are designed to be secure against malware and the like.  Though I can certainly understand your concern with the rising levels of cyber crimes.  I can certainly submit feedback for you and provide you with a link to submit feedback directly to Apple.  That link is http://www.apple.com/feedback   Apple has engineers dedicated to monitoring these comments for quality assurance and improvements in our services and products.
Will
Thank you for your response. It is a major worry for the rise and rise of malware and alike. How do my devices receive the security updates? I know MS have patch Tuesday but the Apple updates seem to be irregular at best.
<Customer Service>
Security concerns are addressed with each new release of iOS.  To make sure that the new iterations of iOS are ready for release, Apple puts them through rigorous testing.  This would explain the gaps between releases.
<Customer Service>
One thing you can do to increase your safety directly with Apple is to turn on Two-Factor Authentication on your Apple ID.
Will
Ok thank you for your help. Are you saying that any additional AV or alike would be made redundant because the excellent and rigorous testing of patches will prevent malware infecting my devices?
<Customer Service>
That is correct.
Will
Two factor authentication will not stop a Trojan infecting my devices.
Will
Ok thank you for your help.

Some companies are now beginning to realise how important secure coding is; some even use a secure coding assessment as part of their interview process.  However, many are still more concerned with pushing an insecure product to market quickly, to meet the needs of the many.  These needs include browsing your social networking sites, which not only show all of your contacts, interests and hobbies, but also let you control your Smart heating and Smart lights via your Smart phone, not to mention using it in conjunction with toasters, blenders, fridges, locks, cookers, vacuums, scales, sprinkler systems and mowers.  Your Smart watch handles all your messages, emails and contacts, while your Smart fitness tracker tells you if you can have a takeaway that night.  Having smashed your steps, you can order your pizza with a touch and a swipe, as you've already been Smart and stored all your banking information on what you assumed was a secure device that had been subjected to rigorous testing... Smart, right?  Companies who rush to push a product to market fail to see the big picture; they fail to see what can happen to our empire if we continue to build on sand.

"Weinberg's Second Law:  If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilisation."

Tuesday, 28 February 2017

GDPR and Cloud Services – Prepare for Stormy Weather


Will Lambert, Cyber Security Sales Support, ZeroDayLab

25th May 2018 is a date that many businesses are almost relishing; they see it as a fresh challenge: a new way to do business, an exciting opportunity to use BREXIT to enhance and develop their existing security controls.  These companies get it.  They understand the cyber threat landscape and the dangers of the web, have carried out the crucial Business Impact Assessments (BIA) and have, or are in the process of getting, their house in order; not unlike some American states battening down the hatches in preparation for an earth-shattering tornado.  However, there are businesses that are unwilling to admit, or are still unaware of, the storm of implications a post-BREXIT Britain faces: the legalities and, more specifically, the penalties the EU will deliver to British business.

I should make it clear at this point, I am no lawyer.  Many of you who know me personally are probably thinking, 'thank goodness'!  After recently attending The European Information Security Summit (TEISS) held in London in February of this year, I picked up points that I myself was unaware of, and if I can share this information freely to strengthen British business, then that can only be a good thing - agreed?

Take a mixing bowl, add 200g of privacy as a declared human right and gently fold in 400g of technological culture, a culture that values the need for WIFI and enhanced battery life as more important than basic physiological needs (water, food, shelter... AIR! Maslow's hierarchy).  Add into the mix the known cyber skills shortage felt globally, add just a pinch of the fact that cloud services are not regulated; do I dare say it's a recipe for disaster?  Too obvious?  Maybe, but it is fair to proclaim we are facing quite a challenge to adequately protect Personally Identifiable Information (PII) data from pernicious attack.

In today's digital age, we expect our tech to always be on, available anywhere, dynamic and agile.  These expectations are being significantly boosted by the Internet of Things, which of course, are all Secured by Design because of the basic human right of privacy.  It's expected, right?  We place our trust in regulatory bodies to ensure that the products we buy are harmless.  We don't expect our water to be poisoned, or our vehicles to be released with faults; why would our smart tech be any different?  That being said, we don't have to look far to see examples of everyday devices (thermostats, smart watches, fridges - and in the future ...toasters!) being hacked to prove that maybe, we trust these devices a little too much. 

This issue extends to cloud-based tech also.  Who regulates the Cloud?  The worrying answer is, unfortunately, at this moment in time... no one.  No regulatory body has stood up and taken responsibility for cloud-based tech.  The issue becomes even more disturbing considering cloud services have been running since 2006 (when Amazon released Elastic Compute Cloud), and some put the date as early as 1996!  Cloud Service Providers (CSP) have been operating on best practice for 10+ years and we have several examples of best practice, such as the ISC2 STARWatch program and the Cloud Computing Security Professional training that they offer.  Now, I'm not saying that CSPs are inherently a bunch of cowboys doing what they want; the message that I am trying to get across is simply this: if your organisation processes or stores PII in a cloud environment, you are ultimately responsible for data on someone else's machine.

As I understand it (remember, I'm not a lawyer!), Article 32 examines due care and due diligence responsibilities.  Have you done your research?  Are the protective controls around your customers' data as good as they can be?  Can you prove that through a thorough Cost Benefit Analysis (CBA) of the business actions and risks of your own environment?  If yes, great!  Now, do you or your suppliers use a CSP to process PII data?  If yes, more good news.  Apply the same work to these environments, including physical verification of where the CSP hosts their services.  Just because they say to you 'we host in the UK, so GDPR doesn't apply', diligently check and keep evidence of this check.  The fine will be yours if they are found to be being 'creative' with the truth.  The process is a long and costly one, but remember, breaches will happen.  That is a disappointing fact of modern life.

I know what you are thinking: breaches are mainly caused by the carbon-based interface, i.e. the users.  I completely agree, the EU agrees, but it's only the eye of the storm.  A cool, calm area, all parties agree, it's almost harmonious.  Moving on!  In the case of a breach through a user, can you, as an organisation, provide evidence that you have delivered effective threat awareness and education?  How often?  When was this training delivered, and how was it delivered?  You will need to provide evidence of training; if not, you will be without a stitch.  We must also work to provide an effective layered defence approach to protect our business assets.  We must be able to demonstrate that we have 'done our homework', that we can show due care and due diligence to protect our customers' PII through effective BIA.  All of these elements combined will provide an umbrella from the storm of penalties the European Court of Justice has at its disposal.  Don't be left naked in the wind and rain and feel the full force of a penalty of up to 4% of global turnover or €20 million.  I'm not saying you won't get wet, but there's a marked financial difference between slightly soggy and saturated.

EU GDPR will not be dissimilar to, and will be as common to society as, lawyers.  I'm not going into lawyer bashing mode here; that's too easy (I'm only jealous).  Everyone thinks that they are just after picking money out of deep pockets, and to a certain extent it is my personal belief that harvesting the money will indeed please them.  I know it would me, but I also believe, more importantly, that they want to improve our digital age.  The Regulations have been brought about to improve our digital landscape so we are all safe to operate and trade in a secure environment, via the implementation of an innocuous networking culture where our business PII, and indeed our own personal data, can be exchanged with minimal fear of compromise.

"We will pay for security, one way or another."
Anon

Monday, 19 December 2016

LinkedIn training arm Lynda.com suffers data breach


Online training company Lynda.com, owned by LinkedIn (which itself is being acquired by Microsoft), has suffered a security incident which saw a user database accessed by unauthorised parties.

The "cryptographically salted and hashed" passwords of some 55,000 accounts were reportedly accessed in the incident, which Lynda.com is resetting.

A further 9.5 million users of the skill-learning site are being warned in an advisory email that other information has been accessed - including contact information and details of viewed courses - although their password data is said not to have been exposed.

In an advisory email, Lynda.com is informing those users of the incident:



We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

If you have questions, we encourage you to contact us through our Support Center.

The Lynda.com team

The wording of the email is a little odd, and makes me wonder whether this was a traditional "hack" or more a case of a security researcher stumbling across a user database on a server that shouldn't have been publicly accessible, or found a vulnerability that allowed them to access user information.

Disappointingly, I was unable to find any reference to the data breach on the Lynda.com website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox.

Cited by Graham Cluley 

300,000 PayAsUGym user details compromised in hack attack

The company, which sells passes for gyms around the UK, acknowledged that 300,000 email addresses and passwords of its members had been accessed on Thursday.
The website said it did not hold financial or credit card details of its users on its servers.
Customers have been advised to change their passwords and the company has also migrated to new servers.
PayAsUGym alerted its members to the security breach in an email on Friday which said "one of the company's IT servers was accessed by an unauthorised person".
It went on: "Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers.
"Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password."
Several customers' email addresses and passwords appear to have been published online.
PayAsUGym said once it was alerted, it "closed down" the breach and contacted the police.
It has also started using new servers after speaking with cybersecurity professionals.
The website uses a "tokenised system" for customer payments which, it says, means card details are stored at the payment gateway - not on its servers.
"This is the highest level of security process for dealing with payments," it said.
PayAsUGym added: "We take the security of customer information very seriously. Unfortunately cyber attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored."
Cited at BBC news