Monthly Archives: October 2014

Windows 10 offers two-factor authentication out of the box – Thanks, Microsoft!

30 October 2014

Native support for Two Factor Authentication in Windows 10. This news saved my day!

This new security feature in Windows 10 might be the reason why IT groups start evaluating Windows 10 as soon as possible, because with Two Factor Authentication all data breaches with root cause ‘theft of credentials’ will become impossible. Phishing attacks in the enterprise environment will become meaningless and the ‘strong password’ discussion obsolete from one day to the next.

But the best is yet to come: Two Factor Authentication will be available for all platforms. With Windows 10 you can use the same Two Factor Authentication method for your mobile devices as for your laptop or workstation. It’s really a pity that Windows 10 will not run on iDevices.

For details see Jim Alkove’s post ‘Windows 10: Security and Identity Protection for the Modern World’.

Hopefully, Microsoft will also support Two Factor Authentication for the Windows Home editions.

Webinar Review: How to Stop Malware and Advanced Persistent Threats

25 October 2014

Last Thursday evening I attended the SC Magazine eSymposium: Advanced persistent threats. You have to register with SC Magazine to get access to the sessions. Please always use a strong password.

Among the many informative sessions offered, ‘How to Stop Malware and Advanced Persistent Threats’, sponsored by AccelOps, was particularly interesting for me. In this 30-minute session Benjamin Powell, Director of Product Marketing at AccelOps, showed how malware, in this case a Remote Administration Tool (RAT), is constructed and how it works.

It is really frightening to see what an attacker can do once he has hijacked your computer!

On two slides Benjamin Powell talked about how to protect your organization against APT.

How to Stop Malware and Advanced Persistent Threats I

How to Stop Malware and Advanced Persistent Threats II

I recommend generalizing the advice about USB drives to ‘Don’t trust USB devices and the files they contain’, because USB devices are dangerous in general. Remember the discussion about BadUSB this summer.

I am often asked ‘What should I do with this USB stick full of documents I got from the organiser of an event?’ My standard answer is ‘Never use it! Shred it!’

If you can’t avoid using USB devices for data exchange, securely erase all data on the device before copying your data: format the device and run cipher /w on the volume from a command prompt. Cipher /w (w for wipe) overwrites each block on the device in three passes, with zeros, ones and random numbers. This makes it very unlikely that an attacker could recover deleted files.

On Friday I got an invitation to the InformationWeek webinar ‘3 New Tactics To Protect Data On The Move’. First 40 registrants get an 8 GB Dual Purpose USB! It’s hard to believe …

Shred it!

Software manufacturers have no sense for IT security – Part II

23 October 2014

Sometimes malware protection software works too well. In my junk-mail folder I found some emails with malicious executables, disguised as PDF files, as attachments. Unfortunately the anti-malware system had removed the attachments and replaced them with the filename.

Some weeks ago a new kind of malware that resides solely in the registry, Poweliks, was in the news. To implant Poweliks, attackers must exploit a vulnerability of the system and the good faith of the users. PDF or RTF documents with embedded malicious code are very often used to start the attack.

Just why is the Adobe Reader such a popular tool for attackers?

Adobe Reader is very popular for viewing PDF documents, and very notorious for its vulnerabilities. The list of known vulnerabilities published in the National Vulnerability Database is really long, and some of them are perfectly suited to implant malware. By the way, Adobe Flash Player is as popular with attackers as Adobe Reader, and its list of vulnerabilities is of comparable size.

Fortunately advanced security options like a sandbox are available to defend against malicious attacks, but they are not activated during a standard installation. Even for enterprise users the standard installation procedure must be pre-configured.

I can’t find a reason why Adobe does not install the Reader with advanced security options enabled by default. Apparently, Adobe is not interested in protecting the privacy and security of their customers.

Fortunately the National Checklist Program Repository provides ‘detailed low level guidance on setting the security configuration of operating systems and applications’.

For Acrobat Reader X a checklist is available which can easily be adapted to Acrobat Reader XI. Although this checklist is meant for pre-configuring installation packages, the configuration hints can be used to secure existing installations as well:

Navigate to menu Edit/Preferences.

In category General, section Application Startup, activate the option ‘Use only certified plug-ins’.

In category Security (Enhanced) set the protection options as described below:

Adobe Reader Enhanced Security Settings

[1] Enable sandboxing for all files

[2] Enable Enhanced Security

[3] Disable all Privileged Locations.

Although this sounds somewhat paranoid, viewing PDF files is much more secure now. A PDF file is now opened in a sandbox running at the lowest integrity level. Most features are disabled by default, but can be enabled with just one click.
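The three numbered settings above can also be enforced for every user of a machine by writing them to Adobe Reader’s policy (lockdown) key instead of clicking through the Preferences dialog, which is what the checklist means by pre-configuring the installation package. The following Python script is an added example, not Adobe’s or NIST’s code: it generates a .reg file with those settings. The FeatureLockDown key and the value names bProtectedMode, bEnhancedSecurityStandalone and bEnhancedSecurityInBrowser are from my recollection of Adobe’s preference reference; the two privileged-location values bDisableTrustedFolders and bDisableTrustedSites are my assumption. Verify every name against the Adobe Enterprise Toolkit for the Reader version you deploy before importing the file.

```python
"""Generate a .reg file that locks down the Enhanced Security settings.

Added example, not Adobe's or NIST's code. Value names marked 'assumed'
below are my assumption and must be checked against Adobe's preference
reference for the deployed Reader version.
"""

LOCKDOWN_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\{version}\FeatureLockDown"

# (subkey below FeatureLockDown, value name, DWORD data, which checklist item it enforces)
HARDENED = [
    ("", "bProtectedMode", 1, "[1] sandbox (Protected Mode) on for all files"),
    ("", "bEnhancedSecurityStandalone", 1, "[2] Enhanced Security in the standalone viewer"),
    ("", "bEnhancedSecurityInBrowser", 1, "[2] Enhanced Security in the browser plug-in"),
    (r"\cTrustedFolders", "bDisableTrustedFolders", 1, "[3] no privileged folders (assumed name)"),
    (r"\cTrustedSites", "bDisableTrustedSites", 1, "[3] no privileged sites (assumed name)"),
]


def reg_path(version, subkey=""):
    """Full registry key for a Reader version, e.g. '11.0' for Reader XI."""
    return LOCKDOWN_BASE.format(version=version) + subkey


def build_reg(version="11.0", settings=HARDENED):
    """Return the text of a 'Windows Registry Editor Version 5.00' file."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for subkey, name, data, _purpose in settings:
        by_key.setdefault(reg_path(version, subkey), []).append((name, data))
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        for name, data in values:
            lines.append(f'"{name}"=dword:{data:08x}')   # .reg DWORD syntax: 8 hex digits
        lines.append("")
    return "\n".join(lines)


def parse_reg(text):
    """Parse the subset of .reg syntax that build_reg emits, for verification."""
    result, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif line.startswith('"') and key is not None:
            name, _, data = line.partition("=")
            result[key][name.strip('"')] = int(data.split(":")[1], 16)
    return result


if __name__ == "__main__":
    # Redirect to a file and import it on the target machine with: reg import reader_lockdown.reg
    print(build_reg("11.0"))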


A brief introduction to Trusteer Apex Advanced Malware Protection

18 October 2014

The Trusteer approach to malware protection could be ground-breaking in the defence against zero-day exploits and phishing attacks.

Trusteer analysed millions of applications exposed to the Internet and created lists of valid application states and operations in a database.

For example, saving a web page to OneNote is a legitimate operation when it’s run from a process created by the user. In this case Windows Explorer is the so-called parent process. If this operation is performed by an Internet Explorer process that has no valid parent process, it is very likely that a malicious operation is being executed.

A watchdog process monitors the applications exposed to the Internet. If an application executes a sensitive operation, the watchdog process checks its database and approves the operation if it is valid. Invalid operations are rejected.
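The check described in the two paragraphs above, as an added example in Python (this is not Trusteer’s code, and the database it consults is a constructed allow-list of process name and parent process name pairs): the browser started by the user from explorer.exe may save a page to OneNote, while a browser process whose parent cannot be resolved is rejected.

```python
"""Toy model of a state-based watchdog like the one described above.

Added example, not Trusteer's code. VALID_STATES stands in for the product's
database of valid application states; SAMPLE_PROCESSES is a constructed
process snapshot. The encoded rule is the one from the text: saving a page
to OneNote is valid when the browser was launched by the user (parent
explorer.exe) and invalid when the browser has no valid parent process.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    parent_pid: Optional[int]   # None when the parent is unknown


@dataclass(frozen=True)
class Event:
    pid: int
    operation: str              # a sensitive operation the watchdog monitors


# Constructed allow-list: operation -> set of (actor name, parent name) that are valid.
VALID_STATES = {
    "save_to_onenote": {("iexplore.exe", "explorer.exe")},
}

# Constructed snapshot: pid 300 claims a parent that is not in the tree, which is
# the "no valid parent process" case from the text.
SAMPLE_PROCESSES = [
    Process(100, "explorer.exe", None),
    Process(200, "iexplore.exe", 100),   # browser launched by the user
    Process(300, "iexplore.exe", 999),   # browser with an orphaned/unknown parent
]


def build_tree(processes):
    return {p.pid: p for p in processes}


def parent_name(tree, proc):
    """Name of the parent process, or None if it cannot be resolved."""
    if proc.parent_pid is None or proc.parent_pid not in tree:
        return None
    return tree[proc.parent_pid].name


def check(tree, event):
    """Decide on one sensitive operation. Returns (decision, reason)."""
    proc = tree.get(event.pid)
    if proc is None:
        return "reject", f"pid {event.pid} is not a known process"
    allowed = VALID_STATES.get(event.operation)
    if allowed is None:
        # Not in the database at all: the watchdog does not monitor this operation.
        return "approve", f"{event.operation} is not a monitored operation"
    state = (proc.name, parent_name(tree, proc))
    if state in allowed:
        return "approve", f"state {state} is known valid for {event.operation}"
    return "reject", f"state {state} is not known valid for {event.operation}"


def demo():
    """Decisions for the sample snapshot: user-launched browser, orphaned browser, unknown pid."""
    tree = build_tree(SAMPLE_PROCESSES)
    return {pid: check(tree, Event(pid, "save_to_onenote"))[0] for pid in (200, 300, 999)}


if __name__ == "__main__":
    for pid, decision in demo().items():
        print(pid, decision)
```

The design point is the same one the post makes later under ‘minor flaws’: the decision is only as good as the allow-list, so the integrity of that database (how it is updated, who can write to it) is part of the attack surface of the protection itself.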

Brilliant idea! A watchdog process that checks the state of an application. I would appreciate getting this for my Windows Phone. The ‘Here Drive+’ app sometimes hangs, in particular in foreign cities when you need it the most. A watchdog process could check the state and restart the process in such cases. This would be very helpful.

For more details about Trusteer Apex see the Trusteer Apex Product Flyer.

Unfortunately there are some minor flaws.

Trusteer Apex monitors only applications exposed to the Internet like browsers, Java applets, Flash Player or Office applications. Although the technology could also be used for protection against traditional malware like computer viruses, the product does not support this.

This means that Trusteer Apex is only useful in addition to traditional security products like an antivirus product.

Remember that every additional product increases the attack surface of your computer or network. It is not only the continuous patching to mitigate known vulnerabilities. Trusteer Apex receives e.g. application state updates across the internet, which could be tampered with by an attacker. Moreover, the Trusteer computer scientists get their raw data from millions of computers operating in untrusted networks. If an attacker tampers with some raw data and masks malicious states as valid, the entire installed base could be compromised.

These are the first signs of paranoia. I’m definitely doing too much threat modelling at the moment. But remember the words of Sigmund Freud:

‘The paranoid is never entirely mistaken.’

Just think of the impact of an attack against the master pattern database of a well-known provider of anti-malware software…

Don’t Panic!!

Dropbox Hacked – Minimize your Attack Surface!

16 October 2014

I heard the news Tuesday evening at 10 o’clock: “Dropbox hacked. About 7 million usernames and passwords stolen.” I could hardly believe it. My first thought was: Why only 7 million credentials? Dropbox has 200+ million users. Why should someone be satisfied with 7 million credentials if he could have 200 million? Something seems to be very wrong with this story. Moreover, the quality of the data is very bad. Please check the Pastebin site for a sample.

And then the recantation: Dropbox announced that there was no data breach. “‘These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks, and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,’ a Dropbox spokesman said in an email to Reuters.” For details see ‘Hundreds of alleged Dropbox passwords leaked’.

Since the media interest is nearly zero today the story is certainly true.

What really annoys me is how sloppily user credentials are treated by the ‘other services’. Data and log-in credentials were stolen from third-party apps, which are actually supposed to simplify daily life with Dropbox. For more details see the great report ‘Snapchat And Dropbox Breaches Are Really Third-Party-App Breaches’ by Elise Hu from 14 October 2014.

Unfortunately these apps increase the complexity of our life and gadgets. Each app comes with its known and unknown vulnerabilities, which could be used by an attacker to get access to our private data. But the worst is yet to come: you are surrounded by friends with buggy gadgets which, when hijacked by an attacker, will have an impact even on your life.

To put it concisely: the more apps you use, the greater your attack surface becomes, and the higher the danger of a data breach.

How to solve this problem? Simplify! Focus on the really important apps and uninstall the others. Activate TFA and use strong passwords. And tell your friends to decrease their attack surface as well.

Don’t Panic!

It’s all about strong passwords, but what is a strong password?

11 October 2014

In his report ‘Apple security depends on users, hack shows’, Warwick Ashford talks about the latest Apple security issues:

‘However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos.’

To put it concisely: It’s all about strong passwords.

But what is a strong password?

There is lots of advice on how to build a strong password like ‘#Q7fr%78’. Unfortunately such passwords are really hard to remember and to type. Some days ago I watched a webinar about WordPress security where a different approach was presented.

It’s all about password length because the number of combinations an attacker has to try in a brute force attack depends essentially on the length of the password:

Number of combinations = [Number of characters] to the power of [length of your password]

That’s just boring math, so let me show what this means with an example:

If you choose a password from lowercase letters ‘a..z’ only, the number of characters is 26. For a four character password like ‘abcd’ the number of combinations an attacker has to try is

26 to the power of 4 = 26 x 26 x 26 x 26 = 456976.

Cracking that takes about 0.2 milliseconds on a desktop computer with an Intel i7 processor. Four characters are definitely too short!

For a 12 character password like ‘abcdefghijkl’ the number of combinations an attacker has to try is

26 to the power of 12 = 95428956661682200, and the time to crack is about 1.5 years.

The following table shows the cracking time in relation to the password length:

Password cracking time vs. length

The yellow marking shows the one-year-time-to-crack for each character set. The one-year-time-to-crack is the password length at which an attacker with an Intel i7 based computer needs one year to find the combination with a brute force attack. For our plain character set the one-year-time-to-crack is 12.

With the character set ‘a..z A..Z 0..9’ the one-year-time-to-crack is 10; with the complex character set ‘a..z A..Z 0..9 _-%$§&/()#=?’ the one-year-time-to-crack is 9.

Even with the complex character set you should use at least 9 characters.

The result: it’s all about the password length! The influence of the character set is negligible. Even with the plain character set one can create hard-to-crack passwords.

I would recommend using at least 14 characters, even with the complex character set, just to be ready for faster CPUs and to anger the NSA!
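The arithmetic behind the table, as an added Python example (not from the post or the webinar). Every figure except one is taken from the post; the guess rate of 2e9 attempts per second is my assumption for the i7 desktop, chosen because it reproduces the post’s 0.2 ms for 26^4 and roughly 1.5 years for 26^12. The script computes the years-to-crack table for the three character sets and derives the one-year-time-to-crack lengths 12, 10 and 9 from it.

```python
"""Brute-force cost calculator for the three character sets in the post.

Added example, not from the post or the webinar. GUESSES_PER_SECOND is my
assumption (see the lead-in); all other numbers come from the post.
"""
import string

GUESSES_PER_SECOND = 2e9                 # assumed desktop i7 rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The three character sets from the post; "\u00a7" is the section sign.
CHARSETS = {
    "plain":   string.ascii_lowercase,                                      # 26
    "alnum":   string.ascii_letters + string.digits,                        # 62
    "complex": string.ascii_letters + string.digits + "_-%$\u00a7&/()#=?",  # 74
}


def combinations(charset_size, length):
    """Number of passwords of the given length over an alphabet of that size."""
    return charset_size ** length


def seconds_to_crack(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: the attacker has to try every combination."""
    return combinations(charset_size, length) / rate


def years_to_crack(charset_size, length, rate=GUESSES_PER_SECOND):
    return seconds_to_crack(charset_size, length, rate) / SECONDS_PER_YEAR


def one_year_length(charset_size, rate=GUESSES_PER_SECOND):
    """The post's one-year-time-to-crack: smallest length costing at least one year."""
    length = 1
    while years_to_crack(charset_size, length, rate) < 1:
        length += 1
    return length


def classify(password):
    """Name and size of the smallest post charset that contains every character."""
    for name, chars in CHARSETS.items():
        if all(c in chars for c in password):
            return name, len(chars)
    return None


def cracking_table(lengths=range(4, 17), rate=GUESSES_PER_SECOND):
    """Years to crack per password length and charset, like the post's table."""
    return [
        {"length": n, **{name: years_to_crack(len(chars), n, rate) for name, chars in CHARSETS.items()}}
        for n in lengths
    ]


if __name__ == "__main__":
    print("len  " + "  ".join(f"{name:>12}" for name in CHARSETS) + "   (years)")
    for row in cracking_table():
        print(f"{row['length']:>3}  " + "  ".join(f"{row[name]:12.3g}" for name in CHARSETS))
    for name, chars in CHARSETS.items():
        print(f"{name}: {len(chars)} characters, one-year-time-to-crack = {one_year_length(len(chars))}")
```

Note that 26^12 is exactly 95428956661682176; the post’s figure is the same number rounded by a spreadsheet. Changing the assumed rate by a factor of ten moves each one-year length by at most one character, which is the post’s point about length mattering more than the character set.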

How to build strong passwords?

My passwords are easy to build and remember. Start with 4 randomly selected words, in total more than 14 characters, like

‘Never use the word.’

This password is rated ‘Strong’ by the Microsoft password checker. Never use the first words of your favourite song or something you published on Facebook or elsewhere, because an attacker will do some social engineering and use these results first.

Strong is not enough, so capitalize the first character of each word and add a special character or two at both ends:

‘#Never Use The Word._’

This version is rated ‘Best’.

If you are a masochist, hurt yourself and change the first vowel in each word to a number:

‘#N1ver 2se Th3 W4rd._’

Isn’t this an easy to remember password? 😉


The JPMorgan Data Breach – How could it happen?

9 October 2014

Let’s start with the good news. In JPMorgan’s Form 8-K report from 2 October 2014 we can read that it could have been a lot worse:

Only ‘User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.’

And ‘… there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.’

But what really confuses me is the statement ‘As of such date, the firm continues not to have seen any unusual customer fraud related to this incident.’

How can they be sure that it has stopped?

The big question in the JP Morgan case remains unanswered: How could it happen?

Currently neither the bank nor the FBI has given an official report about the details of the cyber-attack. But reading between the lines can help to gain a rough picture of what probably happened. I really like developing new conspiracy theories ;-).

On 2 October 2014, Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth reported in The New York Times: “Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. … By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.”

The CNET report ‘JPMorgan hackers altered, deleted bank records, says report’ from 28 August 2014 sheds some light on the matter: “This case, however, involved outsiders who targeted specific employees at JPMorgan Chase to gain access to their computers and the bank databases.”

This sounds to me a lot like a successful phishing attack. Incredible!

In his post ‘JPMorgan breach heightens data security doubts‘, Alex Veiga, AP Business Writer, reports on 3 October 2014: “In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.”

Why should a company reset the passwords of all its technology employees? This only makes sense if they suspect that the passwords were compromised.

The phishing attack theory becomes much more credible!

But the most exciting statement can be read in the CNET report: “If hackers are capable of accomplishing this, it means they have spent a significant amount of time studying the [bank’s] records system before attempting any kind of serious manipulation,” he said. “It’s not impossible, however, if they were able to modify records using high-level credentials and do it in a way that was undetected.”

How can they be sure that it has stopped?

Threat modelling helps identifying the crown jewels

4 October 2014

The crux of the matter with complex application systems is that they are composed of lots of components which communicate with each other. Most users, and sometimes even the IT application administrators, associate a single component, e.g. the web service they use with their browser application, with the entire application system.

When it comes to information classification, this limited view prevents the identification of the really important components, namely those where the critical information is stored and processed. As a result money is wasted on the protection of less relevant system components while critical components remain unprotected.

In these cases the development of a threat model will lead to a far better understanding of the application system.

Just start with the user’s view of the system. Arrange meetings with application developers and administrators, key users, system architects and administrators. Show them your model and ask them to add more details. After some time you will get a more detailed model and a much better understanding of the application system, the really important components and the information flow between the components.

Light Bulb Moment


On Wednesday I had such a light-bulb moment. We discussed information stored in an EH&S system. From this system Material Safety Data Sheets (MSDS) are created for shipment of dangerous goods. The carrier receives a copy and has to show this copy to the authorities on request. Why should we keep this information secret?

After some discussions we identified the system component where the really important information was stored and managed. The EH&S system holds only an extract of the information which is required to create the MSDS.

The threat model was of great help in this case. As soon as we added the new component the STRIDE approach showed us the direction to a stronger protection of the critical information.
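The modelling step described above, as an added Python example (this is not the post’s actual model and not the output of any tool): a minimal data-flow model in which each store declares the classification of what it holds, each flow carries either a declared classification or whatever its source handles, and classification is propagated along the flows. The crown jewels are then whatever ends up at the highest level, and STRIDE is applied per element type using the standard element-to-threat table. The components, flows and classifications are constructed around the EH&S / MSDS scenario; ‘Substance master data system’ is a hypothetical name for the component that turned out to hold the really important information, and the ‘MSDS extract’ flow is marked public because the MSDS is handed to the carrier anyway.

```python
"""Minimal data-flow threat model in the spirit of the post.

Added example; the elements, flows and classifications are constructed.
'Substance master data system' is a hypothetical name for the upstream
component that holds the sensitive data of which the EH&S system only
keeps an extract.
"""
LEVELS = ["public", "internal", "confidential"]

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Which STRIDE threats apply to which data-flow-diagram element type.
STRIDE_BY_TYPE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


class ThreatModel:
    def __init__(self):
        self.elements = {}   # name -> (element type, declared classification index)
        self.flows = []      # (src, dst, label, classification index of the data or None)

    def add(self, name, etype, classification="public"):
        if etype not in STRIDE_BY_TYPE:
            raise ValueError(f"unknown element type {etype}")
        self.elements[name] = (etype, LEVELS.index(classification))

    def flow(self, src, dst, label, classification=None):
        """A flow carries its declared classification (e.g. a public extract)
        or, when None, whatever its source turns out to handle."""
        idx = None if classification is None else LEVELS.index(classification)
        self.flows.append((src, dst, label, idx))

    def resolve(self):
        """Propagate classification along flows to a fixpoint: each element
        handles at least the most sensitive data that flows into it."""
        level = {n: lvl for n, (_, lvl) in self.elements.items()}
        changed = True
        while changed:
            changed = False
            for src, dst, _label, carried in self.flows:
                incoming = level[src] if carried is None else carried
                if incoming > level[dst]:
                    level[dst] = incoming
                    changed = True
        return {n: LEVELS[i] for n, i in level.items()}

    def crown_jewels(self):
        """Elements that handle the most sensitive classification present."""
        resolved = self.resolve()
        top = max(LEVELS.index(l) for l in resolved.values())
        return sorted(n for n, l in resolved.items() if LEVELS.index(l) == top)

    def threats(self, name):
        """STRIDE threats applicable to an element, by its DFD element type."""
        etype, _ = self.elements[name]
        return [STRIDE[c] for c in STRIDE_BY_TYPE[etype]]


def build_example():
    m = ThreatModel()
    m.add("Shipping clerk", "external")
    m.add("Carrier", "external")
    m.add("EH&S web UI", "process")
    m.add("EH&S database", "store", "internal")                      # holds only the MSDS extract
    m.add("Substance master data system", "store", "confidential")   # hypothetical upstream source
    m.flow("Substance master data system", "EH&S database", "MSDS extract", "public")
    m.flow("EH&S database", "EH&S web UI", "MSDS data")
    m.flow("EH&S web UI", "Shipping clerk", "MSDS")
    m.flow("Shipping clerk", "Carrier", "MSDS copy", "public")
    return m


if __name__ == "__main__":
    model = build_example()
    for name, level in model.resolve().items():
        print(f"{name:32} {level}")
    for name in model.crown_jewels():
        print("crown jewel:", name, "->", ", ".join(model.threats(name)))
```

Run as a script it lists the resolved classification per element and then the crown jewels with their STRIDE threats; in the constructed scenario the EH&S components come out as internal, the carrier as public, and only the upstream master data system as confidential, which is exactly the ‘light bulb’ the post describes.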

Have a good weekend.

Word of the day: Malvertisement

2 October 2014

Lots of exciting news at the moment. The Bash Shellshock bug would surely be worth a post. But the Word of the Day from 30 September, Malvertisement, is so terrifying that I decided to write about this today.

What makes Malvertisement particularly dangerous is that almost every website with advertisements could potentially be dangerous. In addition, the way your computer gets hijacked is based on standard internet technology like pop-up windows.

‘Malvertising is becoming so prevalent that many security experts recommend that users block all pop-up ads and create an application whitelist that will only allow their computer to run programs that have been positively approved.’ OK, this sounds like a plan, but application whitelisting is a hard job, in particular for home users.

Using Internet Explorer 11 on Windows 8.1 in kiosk mode will mitigate the risk somewhat, because Internet Explorer then runs in an isolated AppContainer at the lowest integrity level. Although the handling of Internet Explorer on a laptop with Windows 8.1 takes a little getting used to, the additional security delivered by the AppContainer technology makes the change easy for me.

For advanced security requirements the usage of micro virtualization technology makes sense. Micro virtualization systems can isolate applications from each other as well as from the operating system.

Don’t panic! Have a good day.