Oct 24 2015

Related to my rant regarding the TalkTalk hack that I've just posted, is an associated rant about security advice from the media. It's spotty at best, and downright unhelpful or just plain wrong at worst.

I've been stuck indoors today waiting for someone to paint my front door, so amongst various household tasks that I've reluctantly undertaken, I've also had the BBC News 24 channel blaring out. And of course the TalkTalk hacking incident has been making a regular appearance. And on occasions the security advice has been less than stellar; in fact some of it stinks like a rhino's rancid rectum.

It Was A DDoS

(bang) as my head hits the table.

No, the TalkTalk hack had nothing at all to do with a distributed denial of service attack. There may have been a DDoS attack just before the hacking incident, but it was not related (even if it was done by the same people). A DDoS attack is the cyber equivalent of getting all your friends to shout at someone you don't like; it's noisy, stops you communicating, and is as annoying as hell.

But once it is over, things are back to normal (except for writing an incident report). 

Breaking into a server and stealing the personal data of customers is not any kind of denial of service attack. It's an intrusion, and an exfiltration; there are two separate events there. Labelling either as a "DDoS" just makes you look like an idiot.

Look At The Email Headers

(bang) as my head hits the table.

Email headers can be forged; those headers you see normally ("From", "Subject", "Date", etc.) are nothing more than comments. They are not to be trusted. Even if you reveal the hidden headers (and there's a lot you don't see), the story they show can be mostly forged. It takes a real expert to distinguish between a phishing email and a legitimate email from just the headers.

Even something geeky like PGP digital signatures can be forged if you are dealing with an organisation that has been compromised. And who uses PGP?

Don't trust emails with the name of a compromised organisation on.  
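As an added illustration (not from the original post), here is a small Python check that parses a constructed message and compares the domain of the visible From header with the hidden Return-Path and Reply-To headers. The message, the addresses and the domains are all made up for the example. A mismatch is a warning sign worth acting on; a match proves nothing, since every one of these headers can be forged, which is the point of the post.

```python
import email
from email.utils import parseaddr

# Constructed sample: the visible "From" claims to be a (hypothetical) ISP,
# while the hidden Return-Path and Reply-To point at other domains.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10]) by mx.example.org; Sat, 24 Oct 2015 14:02:11 +0000
From: "Customer Services" <security@isp.example.com>
Reply-To: <support-team@isp-account-verify.example.net>
To: <customer@example.org>
Subject: Urgent: confirm your account details
Date: Sat, 24 Oct 2015 14:02:00 +0000

Please reply with your account number and password to confirm your identity.
"""

# Constructed sample where the visible and hidden headers agree.
SAMPLE_CONSISTENT = """\
Return-Path: <bounces@isp.example.com>
From: "Customer Services" <security@isp.example.com>
To: <customer@example.org>
Subject: Your October bill is ready
Date: Sat, 24 Oct 2015 09:00:00 +0000

Your bill is available in your account area.
"""


def header_domain(msg, name):
    """Lower-cased domain part of an address header, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def suspicious_header_mismatches(raw):
    """Names of hidden headers (Return-Path, Reply-To) whose domain differs
    from the domain shown in From. An empty list is NOT a clean bill of
    health: all of these headers are just text the sender chose to write."""
    msg = email.message_from_string(raw)
    from_domain = header_domain(msg, "From")
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = header_domain(msg, name)
        if other and other != from_domain:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(suspicious_header_mismatches(SAMPLE_PHISH))       # ['Return-Path', 'Reply-To']
    print(suspicious_header_mismatches(SAMPLE_CONSISTENT))  # []
```

An expert would go on to read the Received chain and any Authentication-Results (SPF, DKIM, DMARC) header, but those at best tell you which domain the mail really left from, not whether that domain's organisation has been compromised.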

Change Your Passwords As Frequently As Possible

(bang) as my head hits the table.

Changing your password frequently doesn't actually accomplish that much. It is better to keep the same password for a year, if it is long and strong, than it is to change your password every month if it is simple and weak.

Long and strong passwords are tedious to remember – especially for web sites you rarely use. So use a password manager like KeePass. If you want to use a different password manager, seek out a security geek and ask for their recommendations. And the geekier the application's web site looks, the better; the site should be droning on about 3DES, AES, and all sorts of inscrutable cryptogeek mathematics; you don't have to understand it all, but its absence from a web site is a bad sign.

Use different passwords on different sites. This is also tedious, and can be relaxed for less important web sites – that is those web sites that don't store more personal information about you than your name. And tedious is a good thing when it saves you from the stress of finding out your bank accounts are empty.

Don't Blame The Victim

It's all very well being sympathetic to those victims who have found their bank accounts emptied, but they are not necessarily related to this latest incident.

And they're not entirely blameless. 

If they hadn't shared information with hackers who already had some of their data, or they had not used the same password for their bank as TalkTalk, then they would not be victims.

And this is hardly new advice.

The media should be sending the message that these victims have been dumb; yes there may be extenuating circumstances, but they have still been dumb. And dumb TalkTalk customers will likely end up with their money and/or identity stolen.

Oct 24 2015

The reaction to the latest big leak (from TalkTalk) has been interesting … there's a certain amount of sympathy for TalkTalk, with people blaming the cybercriminals and claiming that no system can be made fully secure. There's a nugget of truth in saying something like that, but it's not the whole truth.

Yes, there is a truism within the security world that there is no such thing as a secure computer; or rather that the only secure computer is one that has been turned off, had its disks thrown into an active volcano, has been entombed within a huge concrete block, and has been buried at the bottom of the Mariana Trench (add as many ways of saying "unreachable" as your audience can stand). But it's a truism, and isn't supposed to be used as a get out of gaol free card by anyone getting their data hacked.

If it is true about the ransom demand (and it's not impossible that the ransom demand came from someone other than the group that hacked TalkTalk), the hackers were probably just after money. In which case they didn't target TalkTalk directly; they probably targeted all of the big ISPs and picked the "low hanging fruit". That translates as: the hackers did a vulnerability scan of all the ISPs and found that TalkTalk were the easiest to attack.

And it is not as if this has not happened before :-

Looks like they keep getting hacked (and these are just the ones that we know about). By selling the details on, the hackers will have already made plenty of money from hacking TalkTalk.

Yes, ultimately the cybercriminals are responsible for hacking TalkTalk and stealing the data, but that does not mean that TalkTalk are not to blame for not taking adequate action to protect themselves against hacking. There is a whisper that this hack was due to an SQL injection attack, which isn't some kind of masterclass hacking attack; it's in the hands of script kiddies. And it is prima facie evidence that TalkTalk haven't reviewed their code for security vulnerabilities for years.

There's calls for the government (it's interesting how the free market fans always cry help to the government every time they encounter a problem) to tackle cybercrime. But it is also time to give the Information Commissioner the power to fire company executives, and use it against the TalkTalk executives. Simply blaming the cybercriminals lets executives who are asleep at the wheel get away with their incompetence.

And perhaps the Institute of Directors should start talking about minimum budgets for IT security.

But more importantly, it is essential that security is deeply embedded throughout every department of IT; it is all too easy to establish security tokenism. Simply appoint someone in charge of security, and then say "No" to any suggestion that requires money or inconvenience.

 

Oct 21 2015

So there's this new TV series called "CSI: Cyber" (well technically it's new to me and the UK) which is all about an FBI cybercrime unit. 

As it happens cyber security (if you insist on calling it that) is something I know a bit about. And so this new TV series has two ways of amusing me – the normal entertainment that TV offers, and of course the chance at falling about laughing at the mistakes.

Is it entertaining in the first sense? It's an American cop show with a bit of added "tech", so to some extent it stands out of the American cop show crowd (or perhaps flood). So yes, it's mildly entertaining; nothing worth staying in for, but it will kill an hour that you're too tired to do anything more productive with.

In the second sense I mentioned – yes it's got that in spades.

The most obvious flaw is that everything happens too quickly. Analysing a malicious printer firmware as you plug in the USB disk that contains it? Not going to happen. Finding a zero-day exploit in a collection of IoT devices within an hour? Not going to happen. Hacking a municipal transport network whilst being driven around at furious speed? Well that could happen if you had already done it (they hadn't), but it isn't something you would really try.

Causing a printer to burst into flames with a malicious firmware? I believe the possibility was jokingly mentioned a few years ago when printer firmware became a target for attack amongst the white hat community, but it was also mentioned that it was pretty unlikely as things like thermal cut-out units are isolated and hardwired – you can't turn them off.

Or a malicious exploit causing a laptop battery to burn up; I'm not saying that's impossible, but again battery pack microcontrollers are usually isolated from the computer they power. 

Labelling "zero-day exploits" as something that affects personal devices? Just plain daft, although the rest of the definition was okay.

Is this a problem? Well, sensible people will realise that this is all just entertainment and will not take it seriously. Indeed it may increase the realisation that criminals with IT skills (and governments) can cause nasty things to happen; even if this show highlights the wrong kind of nasty things. 

Of course the knuckle-dragging neanderthals (with apologies to the real Neanderthals) who watch this show and pay attention (so perhaps there isn't much danger after all) will assume that everything this show demonstrates is for real. And start panicking any time someone whips out a copy of Metasploit.

I imagine I'll be saying: "It's just entertainment" many times over the years.

Sep 12 2015

According to the latest advice from CESG: "Regular password changing harms rather than improves security, so avoid placing this burden on users."

Wrong!

(Thanks to xkcd.com).

Most of the advice given is eminently sensible, and indeed forcing password changes on a frequent basis does more harm than good – when forced to change their passwords every 30 days (yes really!), people will commonly resort to sanity and use passwords of the form: someword-${month} (such as "happy-July"). However the advice to never force password changes was obviously written by someone who is under the belief that staff accounts have a somewhat limited lifetime – people change jobs, etc.

There is still a great deal to be said for changing passwords less frequently – say every couple of years. Or even a random number of days between 730 and 1,095, which will help to randomise calls to the Helpdesk. Amongst other things :-

  1. The concept of a strong password changes over the decades; allowing account passwords to remain the same for the lifetime of a staff account will mean that a considerable number of staff accounts will have weak passwords.
  2. There is such a thing as "accidental shoulder surfing" whereby someone acquires knowledge of part of your password by merely being present when you enter it. Over time they can acquire more and more of your password. 
  3. Only changing an account password when there is a suspicion it has become compromised means that there is no mechanism to lock stealthy intruders out. Whatever kind of anomalous account behaviour detection mechanism you have in place, there is always the chance that a compromised account can remain below the radar; periodic password changes do lock this intruder out.
  4. Less directly, but forcing regular account password changes on an infrequent basis does have the side effect that it allows the education of people that passwords can be compromised.
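The two practical points made above (the "someword-July" shape that forced monthly changes produce, and spreading expiry over a random 730 to 1,095 days so Helpdesk calls don't all land in the same week) can be turned into simple policy checks. The Python below is an added example, not the CESG guidance and not any product's code; the month-suffix pattern, the idea of deriving each account's interval from a hash of its name, and the account names are assumptions made for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# The "every couple of years" window from the post, in days.
MIN_DAYS, MAX_DAYS = 730, 1095

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Hypothetical pattern: word, separator, month name or abbreviation, optional
# year digits, e.g. "happy-July" or "secret_Oct2015". Only the separator form
# is flagged so that ordinary words such as "dismay" are left alone.
_MONTH_ALTS = "|".join(
    m[:3] + ("(?:" + m[3:] + ")?" if len(m) > 3 else "") for m in MONTHS)
MONTH_SUFFIX = re.compile(r"^.+[-_ ](" + _MONTH_ALTS + r")\d{0,4}$", re.IGNORECASE)


def looks_like_monthly_rotation(password):
    """True for passwords of the 'someword-<month>' shape."""
    return MONTH_SUFFIX.match(password) is not None


def rotation_interval_days(account_id):
    """Per-account interval in [MIN_DAYS, MAX_DAYS].

    Deriving it from a hash of the account name rather than calling a random
    number generator on every check keeps each account's expiry date stable
    between evaluations while still spreading accounts across the window.
    (Design choice for this example, not a standard.)"""
    digest = hashlib.sha256(account_id.encode("utf-8")).digest()
    span = MAX_DAYS - MIN_DAYS + 1
    return MIN_DAYS + int.from_bytes(digest[:4], "big") % span


def password_expiry(account_id, last_changed_iso):
    """ISO date on which this account's password should next be changed."""
    last_changed = date.fromisoformat(last_changed_iso)
    expiry = last_changed + timedelta(days=rotation_interval_days(account_id))
    return expiry.isoformat()


def password_expired(account_id, last_changed_iso, today_iso):
    """True once today is on or after the computed expiry date."""
    expiry = date.fromisoformat(password_expiry(account_id, last_changed_iso))
    return date.fromisoformat(today_iso) >= expiry


if __name__ == "__main__":
    # Constructed accounts and dates.
    for account in ("alice", "bob", "carol"):
        print(account, rotation_interval_days(account), password_expiry(account, "2015-09-12"))
    print(looks_like_monthly_rotation("happy-July"))   # True
    print(looks_like_monthly_rotation("dismay"))       # False
```

Rejecting the month-suffix shape at password-change time is what stops the "sanity" workaround the post describes; the per-account interval is what makes the infrequent forced change tolerable for the Helpdesk.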

Of course every security person who read the CESG advice on passwords probably thought "Great. Now who is going to educate the auditors?". 

Jun 12 2015

This is going to be relatively lightweight in terms of technical content; most explanations of what a security exploit is do tend to be very technical in nature. 

So what is an exploit? At the most fundamental, it is what an attacker uses to take control of your computer. It can be compared with the installation routine you normally run to install a new application, because an exploit is effectively how an attacker installs their agent onto your computer.

There are on a simplistic level two kinds of exploits out there – the kind that works against people (the attacker tricks the person into running their code) or the kind that works against software. Of course there are exploits that sit in the middle and defy this simplistic classification, but as this is a simplistic posting, we'll gloss over those.

Exploits against people are frankly quite boring. All that is needed to protect against them is to apply the relevant operating system patches and avoid turning off malware protection. Unfortunately people tend to be very resistant to operating system patches and often indulge in practices that turn off their malware protection (drinking!).

The technically interesting exploits are the exploits against software. And when I say "technically interesting", it means that they get very technical and difficult to describe very quickly.

But at the core, such exploits involve tricking the computer into treating what should be considered as data as code. As a very simplistic example, imagine you have a web form that takes input from random strangers on the Internet, and the input from that form is added to a database. If the code has been written naively an attacker can simply append their code to the end of the input and it will be run.
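The naive web form just described, as an added example written for this post rather than taken from it (the table, the two customer rows and the tampered input are all constructed). It uses a lookup rather than an insert, but the mechanism is the same: in the naive version the input is pasted into the SQL text, so a quote character and whatever follows it become part of the query, which is exactly "data treated as code"; in the parameterised version the same input is handed to the database separately and is never read as SQL.

```python
import sqlite3


def make_db():
    """In-memory database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "alice@example.org"),
                      ("bob", "bob@example.org")])
    return conn


def lookup_naive(conn, name):
    """The 'written naively' version: the form input is spliced into the SQL
    text, so anything in it that looks like SQL is executed as SQL."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """The fixed version: the input travels as a bound parameter, so the
    engine treats it purely as a value, whatever characters it contains."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input of the kind the post describes: a "name" with SQL appended.
TAMPERED_INPUT = "nobody' OR 'x'='x"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_naive(conn, "alice"))                 # ['alice@example.org']
    print(lookup_naive(conn, TAMPERED_INPUT))          # every customer's email
    print(lookup_parameterised(conn, TAMPERED_INPUT))  # []
```

The code review check this suggests is mechanical: any string concatenation or formatting that builds SQL from request input is the bug, regardless of how the input is later "cleaned".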

All computer data is at the lowest level nothing more than numbers. The word "Hello" is actually encoded as a stream of numbers: 72, 101, 108, 108, 111, 10. Taking just the first three numbers, I find there is a photo of myself containing that sequence. And one of the editors I use (EMACS) also contains that sequence. The meaning of a sequence of numbers is dependent on how the computer chooses to interpret it.

A great deal of computer code is dedicated to interpreting those sequences of numbers as intended – so a picture is shown as a picture and not run as code in a Python interpreter. If a computer mistakenly misinterprets (or is tricked into misinterpreting) a sequence of numbers as some kind of data that it is not, then the result could be just about anything, but is most likely to be a crash or displaying garbage.

And just occasionally the computer will run that misinterpreted data as code.

And that in some circumstances can be called an exploit. But what happens after the exploit? What does the attacker do then? 

That's something for another time.
