Monday, July 27, 2015

How to prevent a “security embarrassment?”

https://www.linkedin.com/pulse/20141028094659-7430592-how-to-prevent-a-security-embarrassment

On Oct 7, 2014, a security researcher, Jonathan Hall, posted details of a potential Bash/Shellshock vulnerability on Yahoo’s infrastructure:


As it turned out, it was NOT a Bash/Shellshock issue. As Alex Stamos, Yahoo’s chief information security officer, wrote, “it turns out that the servers were in fact not affected by Shellshock.” (see https://news.ycombinator.com/item?id=8418809). But what happened is a lesson that should be studied. The anxiety was preventable.

What is the real problem? 

When you look at Jonathan’s complaints, they were not about the vulnerability. Jonathan's anxiety was about the inability to get critical information to the right people inside Yahoo. The public “fire drill” and “security embarrassment” were preventable. Yahoo has one of the absolute best security teams in the industry; this example demonstrates how these security issues happen even to the most prepared.

Understanding “Full Disclosure” 

People who find “vulnerabilities” now fall into two major camps. The first are the criminals looking to use the vulnerability to break into something. The second and much larger group are the white hats who find a problem and want it fixed. This latter group wants to do the right thing. They want to get the details of a security issue into the hands of someone who can take action. They will try to contact the right people, use official channels, and use their contacts within the security community. When they hit a wall, they feel they have no other choice but to publicly “disclose” the vulnerability. This public disclosure is referred to as “full disclosure.” It is an indication of something being broken.

If a full disclosure happens to your organization, do not shoot the messenger. 99% of the time, it is a problem with your organization, not with the person finding the vulnerability.

What can you do to prevent “full disclosures?” 

The following “security communications channel” best practices should be followed by operators, vendors, and any organization that has customers on the Internet.

1. /security web page (and security.example.com)

The /security web page will have, at a minimum, the information needed to contact the security team inside the company. This can be as minimal as security@example.com, a phone number, and the PGP key. Most mature organizations will have a range of information, including the security/vulnerability policies, the security organizations they are members of, and other information to help customers.

2. /contact web page must link to the /security page.

One of the first places someone who has found a vulnerability will check is the company’s “/contact” page (i.e. something like www.example.com/contact). The /contact page is an opportunity to point them in the right direction (i.e. the /security page). The contact page is not owned by the security team, but it is important for the security team to ensure that people who submit security issues via the contact page get routed directly to the security team.
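A small self-check for practices 1 and 2, added here as an example and not part of the original article: given the HTML of a /contact page and a /security page (both constructed below for an imaginary example.com), it reports whether /contact links to /security and whether /security publishes the minimum contact set (security@ mailbox, phone number, PGP key) and a disclosure policy. The check names and the sample pages are this example's own assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages for an imaginary example.com (not real sites): its /contact page
# and its /security page, written to follow practices 1 and 2 above.
CONTACT_HTML = """<html><body><h1>Contact us</h1>
<p>Sales: sales@example.com</p>
<p>Found a security issue? See our <a href="/security">security page</a>.</p>
</body></html>"""

SECURITY_HTML = """<html><body><h1>Security at Example Corp</h1>
<p>Report vulnerabilities to <a href="mailto:security@example.com">security@example.com</a>
or call +1-555-0100 (24x7).</p>
<p>Encrypt reports with our <a href="/security/pgp-key.asc">PGP key</a>.</p>
<p>Read our <a href="/security/policy">vulnerability disclosure policy</a>.</p>
</body></html>"""


class PageScan(HTMLParser):
    """Collects every href and all visible text from one HTML page."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def scan(html):
    p = PageScan()
    p.feed(html)
    return p.hrefs, " ".join(p.text)


def audit_security_channel(contact_html, security_html, host="example.com"):
    """Checks practices 1 and 2: /contact points at /security (or security.<host>), and
    /security publishes the minimum contact set plus a disclosure policy.
    Returns {check name: passed?} so a finder's likely dead ends are visible at a glance."""
    contact_hrefs, _ = scan(contact_html)
    sec_hrefs, sec_text = scan(security_html)
    blob = sec_text + " " + " ".join(sec_hrefs)
    return {
        "contact_links_to_security": any(
            h.rstrip("/").endswith("/security") or h.startswith("https://security." + host)
            for h in contact_hrefs),
        "security_mailbox": bool(re.search(r"\bsecurity@" + re.escape(host), blob)),
        "phone_number": bool(re.search(r"\+?\d[\d\-\s().]{7,}\d", blob)),
        "pgp_key": bool(re.search(r"BEGIN PGP PUBLIC KEY BLOCK|\.asc\b|\bPGP\b", blob)),
        "disclosure_policy": bool(re.search(r"(vulnerability|security) (disclosure )?policy", blob, re.I)),
    }


def missing_items(report):
    """Names of failed checks, i.e. the gaps a vulnerability finder would run into."""
    return [name for name, ok in report.items() if not ok]


if __name__ == "__main__":
    report = audit_security_channel(CONTACT_HTML, SECURITY_HTML)
    print(report, "missing:", missing_items(report))
```

To run it against your own site, fetch the two pages and pass their HTML in place of the constructed samples.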

3. Break the /security and security.example.com page into modules

A wide range of people with “security” problems will land on the /security page. Bounces are bad: a bounce means someone with a security issue is not getting the answer they need, which can lead to problems (customer problems, public vulnerability disclosures, etc.). One proven technique is to break the page into modules, with each module focusing on a specific audience with a security issue. For example:

Customers with a “security problem” module. These are customers who have something they think is wrong with whichever service/product is sold. This module is a self-help section that has knowledge and tools to help the customer figure out if there is truly a problem and what to do to resolve it. This module should then have a link to customer support, allowing the customer to ask for help if the answer is not in the “self-help” module.

Customers seeking to improve their “security posture.” Customers would come to the /security page to get educated. What else can they do to enhance their security posture? This is often driven by some security event with press visibility. The event gets people to question and look for information that will help them. Investing in this “security empowerment” module helps to prevent future issues and builds good will with customers.

Security Product Modules. Some would say that the /security page is not a place to “market” to customers. The reality inside organizations is that the product managers with security products will only support the /security page if they are allowed to participate. The image, reputation, and brand of the company can be critically damaged by a bad “security image.” So the reality is that the /security page is a form of “marketing”: marketing that protects the brand and reputation of the organization. Security teams should work hand in hand with the product and marketing teams to do what is in the best interest of protecting the organization and serving the customers.

Security Response Team Contact information. As mentioned earlier, this module would have the information for peers to reach into the organization and get to the right people who have the span of control to fix security issues.

Report a vulnerability module. This is separate for a reason. It is a module that gives the person who has found a vulnerability the information needed to report it. Multiple channels need to be provided; email, PGP, web form, and phone numbers are normal. The policies and procedures for vulnerability management should also be included in this module. For example, if someone reports a vulnerability, will the organization give them credit when it is disclosed? Links to any bug bounty programs can be included on this page.

4. Work with the local CERT

Most countries have at least one national Computer Emergency Response Team (CERT). These teams become allies, allowing individuals who find a security problem to report it through the national CERT. Some “finders” of vulnerabilities are more comfortable reporting through a 3rd party. CERTs are natural 3rd parties. For this to work, the CERTs need to know the security incident response team of the organization. Building a proactive relationship streamlines the communications channel for the time when a vulnerability is reported.

5. Security Teams - Consistently Brief Teams throughout your Organization 

Notice what happened with Jonathan Hall and Yahoo. As soon as Jonathan e-mailed the CEO, someone in the CEO’s office immediately contacted Yahoo’s security team and action started (see the post from Alex Stamos). This internal action can only happen through diligence: the diligence of the internal security team and the diligence of the teams receiving the vulnerability details. This is where the security team needs to spend the time to communicate with and empower their peers within their organization. They need to ensure everyone knows the security team, understands what the security team does, knows how everyone has a “security role” in the organization, and knows how to contact the security team 24x7, 365 days a year.

The Extras

The top five are the key items that provide the foundation. They apply to most organizations, be they a mobile operator, an application vendor, or a software company. There are some extras to consider depending on your organization. These help build a community of professionals who know how to contact your security team and look for the vulnerabilities.

Join Industry Forums that address security issues and vulnerabilities. Start with groups like FIRST (www.first.org) and then explore other groups. These groups connect your security team to other security teams, sharing best practices and helping to build a security community.

Build a Bug Bounty Program. If you are a software company or an on-line service, seriously consider a bug bounty program. They have been working successfully and are one of the key paths for vulnerabilities to be reported.

Publish the Security and Vulnerability Disclosure Policy. Don’t wait for something to happen in the press and your customers to start asking. The process of writing and then publicly publishing a security and vulnerability disclosure policy focuses the organization. It is a key part of the preparation process.

Bottom Line

The Jonathan Hall/Yahoo anxiety might have been prevented. When you look at the above list, you find that Yahoo does all of the above and more. The fact that the Yahoo organization had already reviewed the entire infrastructure for the Bash/Shellshock vulnerability shows the seriousness and intensity placed on security at Yahoo. Their first reaction was “did we miss something?” and then they started to double-check their work. This would only happen with a proactive security organization.

Now imagine an organization that does none of the above. What would you do if someone knocked on your door trying to tell you about a major vulnerability? Remember, there is a market for vulnerabilities. The criminals want them and will exploit them (i.e. Target, Home Depot, etc.). The people who knock on your door trying to report vulnerabilities are your allies.

MalwareTech SBK - A Bootkit Capable of Surviving Reformat

http://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html

Since I got into firmware hacking, I've been working on a little project behind the scenes: a hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can't post a proof of concept for many reasons (people have even contacted me just to tell me not to post it), so instead I've written a presentation overviewing and explaining the rootkit, which I've dubbed MT-SBK.

The general purpose of MT-SBK is to provide a "framework" for my previous project, TinyXPB, a Windows XP bootkit. This framework enables TinyXPB to be stored in and loaded from within the hard disk firmware, preventing it from being removed by antiviruses, operating system re-installs, or even full disk reformats. This rootkit is designed for a major brand of hard disk and can infect the firmware from within the operating system (no physical access required); it is also completely undetectable to software running on the host computer.
The only way to remove MT-SBK is by replacing that hard disk's PCB or connecting an SPI programmer directly to the flash chip and flashing it with the original firmware. 
Sector Spoofing Example - Youtube

The Trusted Internet: Who governs who gets to buy spyware from surveillance software companies?

https://www.f-secure.com/weblog/archives/00002818.html

Posted by FSLabs @ 02:31 GMT

When hackers get hacked, that's when secrets are uncovered. On July 5th, Italian-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public, including the company's client list of close to 60 customers.

The list included countries such as Sudan, Kazakhstan and Saudi Arabia, despite official company denials of doing business with oppressive regimes. The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS).

According to security researchers Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on microphones and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin, the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):

Zero Day The Documentary

https://www.f-secure.com/weblog/archives/00002821.html

VPRO (the Dutch public broadcasting organization) produced a 45-minute documentary about hacking and the trade of zero days. The documentary has now been released in English on YouTube.


Sunday, July 26, 2015

How the Experts Protect Themselves Online (Compared to Everyone Else)

http://lifehacker.com/how-the-experts-protect-themselves-online-compared-to-1720047084

If you ask the average person what the best ways to protect themselves online are, they’ll give some true answers—but they’ll likely be different than the answers you’d get from a security researcher. Here’s the difference.
Google, in a paper they’re presenting at the Symposium on Usable Privacy and Security this weekend, asked two groups—experts and nonexperts—what they do to stay safe online. While the nonexperts provided some good answers (like using antivirus software), the experts placed certain items as much higher priority, as shown in the above graphic.
The experts prioritized keeping your software up to date, and using two-factor authentication, two things that did not appear on the nonexperts’ list. Most importantly, however, the experts noted that strong passwords aren’t enough: you also need to use a different one for every account you have, which means you probably also need a password manager to keep them all straight.
If you’re more like the second column than the first, then good for you! Be sure to share this with the nonexperts you know. The more we can make those columns look alike, the better off we’ll all be.

Your Clever Password Tricks Aren't Protecting You from Today's Hackers

http://lifehacker.com/5937303/your-clever-password-tricks-arent-protecting-you-from-todays-hackers

Security breaches happen so often nowadays, you're probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you've heard it all already, though, today's password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here's what's changed and what you should do about it.
Blast from the past is a weekly feature at Lifehacker in which we revive old, but still relevant, posts for your reading and hacking pleasure. This week, in the wake of the Heartbleed bug, we thought it was time to revive this post and dispel some myths that are still very common.

Background: Passwords Are Easier To Crack Than Ever

Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.
Making matters much worse is hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so hackers can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.
Take the password "Sup3rThinkers"—a password which would pass most password strength tests because of its 13-character length and use of mixed case and a number. Web site How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, with a 4 billion calculations-per-second estimate. It would take a hacker just a couple of months now, Ars says:
Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou [...]and similar lists. For [security penetration tester] Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".
In other words, hackers are totally on to us!

What You Can Do: Strengthen Your Passwords By Making Them Unique and Completely Unpredictable

We've suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.

1. Avoid Predictable Password Formulas

The biggest problem is we're all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use mix of upper- and lower-case letters, numbers, and symbols, most of us:
  • Use a name, place, or common word as the seed, e.g., "fido" (Women tend to use personal names and men tend to use hobbies)
  • Capitalize the first letter: "Fido"
  • Add a number, most likely 1 or 2, at the end: "Fido1"
  • Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: "Fido1!"
Not only are these patterns obvious to professional password guessers, even substituting vowels for numbers ("F1d01!") or appending another word ("G00dF1d01!") wouldn't help much, since hackers are using the patterns against us and appending words from the master crack lists together.
Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns, are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyboard walk generators to emulate millions of keyboard patterns.
The solution: Don't do what everyone else is doing. Avoid the patterns above and remember the basics: don't use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it's only secure if no one else is using that rule. (Check out IT security pro Mark Burnett's collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
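The rules described above (strip the trailing number and symbol, undo leet substitutions, look for dictionary words used forwards, reversed or concatenated, and spot keyboard walks) can be turned around into a defensive check that rejects passwords following the predictable formula. The code below is an added example, not from the Lifehacker article; its tiny word list is a constructed stand-in for a leaked list like RockYou, and the function and rule names are this example's own.

```python
import re

# Constructed mini wordlist standing in for a leaked-password list such as RockYou
# (the real lists run to millions of entries; this is just enough to run the example).
COMMON_WORDS = {"fido", "good", "super", "thinkers", "password", "mustache", "monkey"}

# Leet substitutions that cracking rules undo before dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_keyboard_walk(pw, min_len=4):
    """True if the password is a straight run along one keyboard row, forwards or backwards."""
    s = pw.lower()
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def candidate_cores(pw):
    """Yield the word cores a rule set would try: trailing symbols dropped, then 0-3 trailing
    digits dropped, leet undone, lower-cased.  Several variants are tried because a trailing
    '0' may be padding ('Fido0') or a leet 'o' ('F1d0'); crackers try both too."""
    base = re.sub(r"[~!@#$%&?]+$", "", pw)
    seen = set()
    for k in range(4):
        trimmed = base[: len(base) - k] if k else base
        core = trimmed.translate(LEET).lower()
        if core and core not in seen:
            seen.add(core)
            yield core


def segment(core, vocab):
    """Split core into known words by dynamic programming; None if no full split exists."""
    best = [None] * (len(core) + 1)
    best[0] = []
    for i in range(1, len(core) + 1):
        for j in range(i):
            if best[j] is not None and core[j:i] in vocab:
                best[i] = best[j] + [core[j:i]]
                break
    return best[len(core)]


def predictable_formula(pw, words=COMMON_WORDS):
    """Return a short description of the predictable pattern a password follows, or None.
    Mirrors the rule order the article describes: keyboard walks, padding, leet, then
    dictionary words used forwards, reversed, or concatenated."""
    if is_keyboard_walk(pw):
        return "keyboard walk"
    vocab = words | {w[::-1] for w in words}
    for core in candidate_cores(pw):
        parts = segment(core, vocab)
        if parts is None:
            continue
        if len(parts) == 1:
            return "dictionary word: " + parts[0]
        if len(parts) == 2 and parts[1] == parts[0][::-1]:
            return "word followed by its reverse: " + parts[0]
        return "concatenated words: " + "+".join(parts)
    return None


if __name__ == "__main__":
    for pw in ["Fido1!", "G00dF1d01!", "Sup3rThinkers", "mustacheehcatsum", "asdfgh", "Xk9$vB2!pQ"]:
        print(pw, "->", predictable_formula(pw))
```

A password-policy hook would reject any password for which predictable_formula returns something other than None; a real deployment would load a full leaked-password list into COMMON_WORDS.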

2. Use a Unique Password for Each Site

We'll get back to password creation in a minute, but first: this is the most important security strategy of all. Use a different password for each site. This limits the damage that can be done if/when there's a security breach.
If you use the same password for everything, and someone gets a hold of your Facebook password, they have your password for every site you visit. If you have a different password for every site, they only have access to your Facebook account—so at least all your other accounts are protected.

4. Use Truly Random Passwords

You've probably heard that a random, four-word passphrase is more secure and more memorable than complicated but shorter passwords, as web comic xkcd pointed out last year. This is true, but often irrelevant, because like we said: you need to use a different password for every account. If you can remember 100 different four-word passwords, be my guest. But for most of us, it doesn't matter how easy your passwords are to remember—there's just too many of them. (Though the passphrase approach might be good for, say, your computer login or the few cases where you need to remember your password.)
Using a variation on the same password for each site isn't a good idea, either. Say you have a password like ro7CSfac2V3p1 for Facebook, and you use the variation ro7CSlif2V3p1 for Lifehacker, and so on for all your other sites. If a hacker gains access to one of those passwords, they can easily guess the others by replacing "fac" with the letters that might match other sites (or figuring out whatever your algorithm is). It's more difficult, but far from impossible, and it isn't secure enough to rely on—if you can remember it, someone else can probably figure it out.
So: The most secure option is to use a password generator and manager. If you want to keep your accounts safe, you need to use a truly random, long, and complex password, and use a completely different one for each account. How do you accomplish this? Use a password manager like LastPass, KeePass, or 1Password. Not only will they save all your passwords for you, but they can generate random passwords for you. It's easier to use and set up than you may think.
For more information, I highly, highly recommend you read our guide on how to audit and update your passwords with LastPass for detailed instructions. Remember, the only secure password is the one you can't remember—and this is the only way to achieve that. Those clever password tricks we used to use just don't cut it anymore.
Lastly, make sure you turn on two-factor authentication for all sites that support it! It is, by far, one of the best ways to secure your accounts against hackers—even if they get your password, they won't be able to get access.