Yahoo hacked in late 2014 – Breach detected in 2016

25 September 2016

In August 2016, a hacker offered 200 Million Yahoo accounts for sale on the Darknet. A first investigation by Yahoo found no evidence supporting this claim, but the investigation team did find indications of a separate data breach that happened in 2014.

Last Thursday, Yahoo announced that account information of 500 Million users was stolen in late 2014. The good news is that the company found no evidence that the attackers are still active in its network, and that only names, email addresses, phone numbers, dates of birth, hashed passwords (mostly bcrypt, according to Yahoo's statement) and, in some cases, security questions and answers were stolen.

That is bad enough, especially because reusing the same security questions and answers across services is a widespread bad habit: an attacker who knows the answers can use them to reset passwords at other services. Yahoo users are well advised to change their security questions wherever they have reused them.

But what really worries me is that it took about 600 days before the breach was detected. That is far more than the MTTI (Mean Time to Identify) of 206 days the Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’, and even more than the maximum value of 582 days reported there.

One can only speculate whether indicators of compromise were non-existent, not recorded, not regularly reviewed, or simply ignored. Regular review of event and incident data is a really tough job, but it is essential when it comes to assessing indicators of compromise.

Have a good week.

A 5k from Dormagen to Leverkusen

21 September 2016

For some weeks now I have been trying to cycle to work, at least two days a week. The distance from Dormagen to my office in Leverkusen is 19 km. I need about an hour in the morning, which corresponds to about 7,500 steps, or roughly a 5k walk.

The countryside along the Rhine dyke is truly beautiful, in particular shortly after sunrise:

The Rhine dyke between Dormagen and Cologne

Have a good day, and a great 5k.

A SIEM Security Nightmare

18 September 2016

A few weeks ago, we started a small project to attach a production site to the central SIEM system.

Operational Technology (OT) groups, which run the production IT systems, are traditionally not very happy when it comes to close collaboration with the Information Technology (IT) groups that run the ‘Office’ IT systems. OT groups are always afraid of negative impacts of Office IT systems and procedures on the availability and safety of the production facilities.

Thus we started with a minimally invasive approach. Our goal was to keep the impact of the local SIEM components on the production Active Directory, systems and firewalls to a minimum.

The result was remarkable: within a few days we attached some Windows systems, switches and firewalls to the central SIEM system. No service accounts were created in the production Active Directory, and only three ports were opened on the firewall, for a point-to-point connection from the local SIEM component to the central system. More importantly, no system had to be rebooted. The OT group was positively impressed.

Unfortunately, to keep the local SIEM software up to date, patches must be applied 6 to 8 times a year, and every patch requires a fresh installation and configuration of the local SIEM components. This will keep the OT groups busy, in particular at large production sites with many network partitions.

To reduce this effort, a management system can be set up that automates the local installation and configuration of the SIEM software components. But to operate the management system, we have to open additional firewall ports for connections from outside the production network to the SIEM components in every network partition inside it. This invalidates our network security concept: in the worst case, attackers can use these connections to reach the production systems from the office network.
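To make the difference between the two setups checkable rather than a matter of opinion, here is an added example (my own illustration, not the site's configuration and not any SIEM vendor's tooling). It models both rule sets as data and checks the invariant the minimally invasive approach rests on: no connection may be initiated from outside the production network into it, and the only flow leaving production is the point-to-point connection from the local SIEM component to the central system on the three permitted ports. Zone names, addresses, the port numbers and the use of port 22 for the management system are assumptions; the post only says that three ports were opened.

```python
# Added illustration: a small policy check for the SIEM attachment
# described above. Zones, addresses and port numbers are assumptions;
# the post only says "3 ports" for the collector-to-central connection.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One allow rule: a connection initiated from src (in src_zone) to dst:port."""
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    port: int
    proto: str = "tcp"


# Network partitions inside the production network (assumed names).
PRODUCTION_ZONES = {"prod-cell-a", "prod-cell-b"}

LOCAL_COLLECTOR = "10.20.0.5"      # assumed local SIEM component in cell A
CENTRAL_SIEM = "192.0.2.10"        # assumed central SIEM (TEST-NET-1 address)
SIEM_MGMT_SERVER = "192.0.2.20"    # assumed management system in the office network
# The three ports of the point-to-point connection are not named in the post;
# syslog, syslog over TLS and an HTTPS API are plausible placeholders.
ALLOWED_COLLECTOR_PORTS = {514, 6514, 8443}


def violations(rules: List[Rule]) -> List[str]:
    """Return a description of every rule that breaks the OT network concept."""
    problems = []
    for r in rules:
        src_in_prod = r.src_zone in PRODUCTION_ZONES
        dst_in_prod = r.dst_zone in PRODUCTION_ZONES
        if dst_in_prod and not src_in_prod:
            # Any inbound initiation from office IT into production is exactly
            # the path the post warns about, whatever the port.
            problems.append(f"inbound into production: {r}")
        elif src_in_prod and not dst_in_prod:
            if (r.src, r.dst) != (LOCAL_COLLECTOR, CENTRAL_SIEM):
                problems.append(f"outbound flow that is not collector -> central SIEM: {r}")
            elif r.port not in ALLOWED_COLLECTOR_PORTS:
                problems.append(f"collector -> central SIEM on unexpected port: {r}")
        # Traffic that stays inside production (or inside the office) is out of scope here.
    return problems


# Rule set 1: the minimally invasive setup from the post.
MINIMAL_RULESET = [
    Rule("prod-cell-a", LOCAL_COLLECTOR, "office", CENTRAL_SIEM, p)
    for p in sorted(ALLOWED_COLLECTOR_PORTS)
]

# Rule set 2: the same, plus what a management system needs: inbound access
# to the SIEM component in every production partition (port 22 is assumed).
MANAGEMENT_RULESET = MINIMAL_RULESET + [
    Rule("office", SIEM_MGMT_SERVER, "prod-cell-a", LOCAL_COLLECTOR, 22),
    Rule("office", SIEM_MGMT_SERVER, "prod-cell-b", "10.21.0.5", 22),
]


if __name__ == "__main__":
    for name, rules in (("minimal", MINIMAL_RULESET), ("with management", MANAGEMENT_RULESET)):
        found = violations(rules)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' violation(s)'}")
        for line in found:
            print("  " + line)
```

Run as a script, the minimal rule set passes and the management rule set reports one violation per production partition the management system has to reach. The check is deliberately direction-based (who initiates the connection), not port-based: the problem with the management system is not the port number but that something outside the production network gets to open connections into it.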

SIEM is starting to become a security nightmare for the OT groups, even though it would be quite simple for the SIEM vendor to turn this into a really smart and secure process:

  • Change the patching process so that the configuration of the local SIEM components is retained across updates
  • Introduce an offline management mode, e.g. allow predefined configurations to be applied without a live connection from the management system into the production network

With this, the impact of the SIEM software on the production network is minimized and the overall security level is retained. Unfortunately, vendors of security software are often not interested in the overall security level …

Have a good weekend.

Apple delivered patches to mitigate state-sponsored Trident attack – Millions of Android devices potentially vulnerable?

10 September 2016

During my bicycle trip to the source of the White Main in the Fichtel Mountains, news about the state-sponsored Trident attack on iOS devices went around the world. The topic made the front pages even of local newspapers, very often with a certain malicious joy, because Apple’s iOS is well known for its superb security.

Within a few days Apple developed patches for the vulnerabilities and delivered them to iOS devices in the field. The public took this for granted, but it is very remarkable, because few vendors besides Apple and Microsoft are able to deliver ad hoc patches for their mobile operating systems directly to the devices in the field.

In the report ‘A Hacking Group Is Selling iPhone Spyware to Governments’, published by WIRED on 25 August, one could read:

“NSO Group won’t be able to use this particular attack anymore on iPhones running the latest version of iOS—and one of the operating system’s strongest selling points is its high adoption rates for new versions. In the meantime, the Citizen Lab and Lookout researchers say that there is evidence that the group has ways to get Pegasus spyware onto other mobile operating systems, notably Android.”

With this, all devices running Android, which are the majority of mobile devices, are potentially vulnerable to Pegasus-style attacks like Trident, and will remain vulnerable for their entire lifetime.

Or have you ever heard of a smartphone vendor that delivers patches for Android devices in a timely manner, and for older devices too?

Have a good weekend.

Security by Design

21 August 2016

On Friday afternoon I participated in a really interesting meeting. Some application managers had received a request from researchers to implement a new application to support pharmacological studies. The new application collects information from several business-critical applications. The researchers combine and enrich the information, evaluate it with numerical models and, if the results are promising, transfer them back to the source systems.

With this, it is very likely that the new application will create and store business-critical information, even if the information collected from the individual source systems is not critical on its own.

The application managers were particularly concerned about the impact of the security requirements on the usability and on the development and operation costs of the application. Thus they decided to start the security discussion as early as the development of the project proposal.

Great! That is indeed the best phase to start with application security. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.

The application managers were actually surprised when I began talking about the solution life cycle. Talking about the solution life cycle while the project proposal is still being written sounds really strange, but the architecture of a solution has a major impact on its security and on its operation costs.

In R&D we talk about application lifetimes of 10 or more years. This means we have to change applications simply because application components are discontinued by their suppliers and need to be replaced, either by newer versions of the same component or, in the worst case, by components from other suppliers. In addition, we have to apply an endless stream of security patches to all components, which leads to high effort in application operations.

If the application architecture does not support the easy replacement or patching of components, we have to apply additional technical measures to secure the application, which increases operation costs and complexity. Thus it makes sense to start talking about the solution life cycle as early as possible.

That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, which was published in the Brookings TECHTANK blog some months ago:

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Now we have to convince the research department to spend some additional effort and time during the development of the project proposal in order to build a really innovative application.

Have a good weekend.

France says fight against messaging encryption needs worldwide initiative

13 August 2016

The report “France says fight against messaging encryption needs worldwide initiative“, published on Reuters technology news last Thursday, is truly worrying.

“Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative.”

I can, of course, understand the motivation of the French Interior Minister. He must do his utmost to protect France from further terrorist attacks.

“French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram.”

Although the French Interior Minister has not yet requested decryption options from service providers, the direction of a Franco-German initiative is, from my point of view, clear: service providers shall make decryption options available to national police, intelligence and security services.

With this, some attacks can certainly be prevented, but on the other hand it puts many innocent people who care about civil rights in authoritarian regimes at risk.

In “Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers“, published in Reuters CYBERSECURITY on 2 August 2016, Joseph Menn and Yeganeh Torbati reported that Iranian hackers had compromised accounts on Telegram.

The security researchers who investigated the attack said that “… the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.”

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

That is precisely the problem when national security services demand decryption options from service providers: the same information can be used to prevent terrorist attacks and for violent actions against dissidents among the citizens. Hopefully the German Interior Minister will remember recent German history (the Stasi) and reject such demands once and for all.

By the way, end-to-end encryption in a messaging service is just the convenient way of secure communication. Terrorists can turn to less convenient but highly secure options like PGP. With this, the French initiative no longer makes sense, because the messages are already encrypted before they are handed to the service provider, so whatever the provider can decrypt is still ciphertext. End-to-end encryption by the messaging service is then not even required.

Even though it is taken out of its historical context, Benjamin Franklin’s quote about liberty and safety fits very well here:

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

Have a good weekend.