Monthly Archives: September 2015

Is ‘Encryption of Everything’ the new savior in the Cyber War?

26 September 2015

Data breaches in 2015 are at record level. By September 22, 2015 the Identity Theft Resource Center (ITRC) identified 563 data breaches with 150,196,896 records compromised in total. The number of compromised records is nearly twice as high as in 2014, where 85,611,528 records were breached in total.

Encryption is recommended as the means of choice for protection against data breaches and theft of intellectual property as well. Friday evening, I attended the SC Magazine WebCast “Creating an Encryption Strategy for Modern Risks Mitigation”. David Shackleford and Charles Goldberg are drafting an “Encryption Everything” strategy for all company-internal information, irrespective of whether it is stored on premise or in a cloud.

The idea of ‘encryption of everything’ has a certain charm and, if well implemented, will prevent internal information from being usable outside the encryption key perimeter of a company. But it is dangerous to assume that encryption of everything will prevent data breaches.

The problem with encryption always comes from the users who are authorized to access the information. And the big question is always how an authorized user can be uniquely identified.

It is not easy to tell whether an authorized user is signing in to your system or a cyber attacker with the credentials of an authorized user, because in both cases the event log will only show a successful sign-in of that user.
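Since the success flag alone cannot separate the two cases, a defender has to compare each successful sign-in against what is normal for that account. The following is an added example, not code from the original post: it scores successful sign-ins in a constructed, assumed log format (the `user=`, `src=`, `device=` and `country=` fields are my own invention) against a per-user baseline of previously seen devices, countries and working hours, and flags sign-ins that deviate in at least two respects.

```python
# Added example: flag successful sign-ins that deviate from a user's baseline.
# The log lines and their key=value field names are constructed for this
# example and do not correspond to any particular product's log format.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2015-09-21T08:05:12Z user=alice result=success src=10.1.4.22 device=LAPTOP-A1 country=DE
2015-09-21T08:40:03Z user=alice result=success src=10.1.4.22 device=LAPTOP-A1 country=DE
2015-09-22T09:02:47Z user=alice result=success src=10.1.4.22 device=LAPTOP-A1 country=DE
2015-09-22T09:10:00Z user=bob result=success src=10.1.7.9 device=DESKTOP-B7 country=DE
2015-09-23T03:14:55Z user=alice result=success src=203.0.113.45 device=UNKNOWN-X9 country=RU
2015-09-23T12:00:00Z user=bob result=failure src=198.51.100.7 device=DESKTOP-B7 country=DE
"""


def parse_line(line):
    """Split one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_suspicious_signins(log_text, baseline_events=2, work_hours=(7, 19)):
    """Return a list of (user, iso_timestamp, reasons) for successful sign-ins
    that differ from the user's baseline in at least two respects.

    The first `baseline_events` successful sign-ins of each user are taken
    as that user's baseline (assumed to be benign); later sign-ins that look
    normal are folded into the baseline so it keeps up with real changes.
    """
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "count": 0})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Failures are visible on their own; the hard case is a success,
        # which is exactly what an attacker with valid credentials produces.
        if rec["result"] != "success":
            continue
        b = baseline[rec["user"]]
        if b["count"] < baseline_events:
            b["devices"].add(rec["device"])
            b["countries"].add(rec["country"])
            b["count"] += 1
            continue
        reasons = []
        if rec["device"] not in b["devices"]:
            reasons.append("new device " + rec["device"])
        if rec["country"] not in b["countries"]:
            reasons.append("new country " + rec["country"])
        if not (work_hours[0] <= rec["ts"].hour < work_hours[1]):
            reasons.append("off-hours sign-in")
        if len(reasons) >= 2:
            alerts.append((rec["user"], rec["ts"].isoformat(), reasons))
        else:
            b["devices"].add(rec["device"])
            b["countries"].add(rec["country"])
    return alerts


if __name__ == "__main__":
    for user, when, reasons in find_suspicious_signins(SAMPLE_LOG):
        print(f"{when} {user}: {'; '.join(reasons)}")
```

Run over the constructed lines, only alice's sign-in from a new device, a new country and at three in the morning is reported; the three earlier alice sign-ins and bob's are silent. The thresholds (two baseline events, two deviations, 07:00 to 19:00) are arbitrary choices for the example and would be tuned per environment.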

Encryption plays an important role in a company’s security strategy. If used as an isolated protection measure, it is just a waste of money.

Have a good weekend!

11 Million Ashley Madison Passwords Already Cracked

14 September 2015

This LIFARS post from last Friday should shake up every service provider. It’s definitely time to make Two Factor Authentication (TFA) obligatory for all services which process personal details.

Microsoft Authenticator App

TFA is no longer a matter of technology. For example, authenticator apps are available for all phone operating systems and are really easy to use. Combined with even a weak password, the one-time passcodes generated by the authenticator apps form a nearly unbreakable authentication method.

In my opinion it’s high time for service providers to make procedures for the use of TFA for their services technically available. And they should force users in their own interest to switch to TFA, if necessary by proper terms of use for their services.

With this, news like Ashley Madison Breach Reveals Ridiculously Weak Passwords would be a thing of the past.

Take care! And learn how to protect yourself against identity theft.

Excellus BCBS Breached, 10 Million Customers’ Records Affected

12 September 2015

When I read the headlines of this LIFARS post my first thought was: “2015 is going to be an annus horribilis for the US healthcare insurers”. Anthem, Premera, and now Excellus; which organization will be next?

One paragraph in the Excellus announcement of the data breach is really interesting:

‘On August 5, 2015, Excellus BlueCross BlueShield learned that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on December 23, 2013.’

It took 590 days to identify the breach! That is 8 days more than the maximum Mean Time To Identify (MTTI) of 582 days that the latest Ponemon cost of data breach study found for 2014.

This is really remarkable because it makes clear that a ‘very sophisticated’ cyber-attack is hard to identify, even with the latest security technology in place. And I bet Excellus has such technology installed. I am really curious about the details of the attack.

Take care! If you would like to do some further reading, please take a look at the latest issue of the Cyber Intelligencer, ‘You can’t detect what you can’t see’.

Attackers do code reviews!

8 September 2015

Java Server Pages are often used for implementing web applications. I have found well-written applications that were very often badly deployed in unprotected folders on the application server. This is a head start for attackers because they can easily analyze the code to find vulnerabilities for further exploitation.

Although this problem has been known for many years, application admins still make the same configuration errors. In my view there is only one solution to this problem: automated web application assessments before a service goes online, and periodic reviews afterwards.

For a really good presentation of the problem and the solution check the OWASP Code Review and Deployment page.
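One piece of such an automated pre-deployment review is a check that nothing under the publicly served web root gives away source or configuration. The following is an added example, not code from the post or from OWASP: it walks a web root and reports source files, backup copies, archives, property files and version-control metadata that sit outside `WEB-INF` and `META-INF` (the two directories a servlet container refuses to serve). The list of risky suffixes is my own assumption and would be extended per project; the demo web root it inspects is constructed in a temporary directory.

```python
# Added example: deployment review of a servlet web root for exposed artifacts.
import os
import tempfile
from pathlib import Path

# Assumed list of file suffixes that should never be reachable via the web root.
RISKY_SUFFIXES = {".java", ".bak", ".old", ".orig", ".swp", ".zip",
                  ".tar", ".gz", ".sql", ".properties"}
RISKY_DIRS = {".git", ".svn", "CVS"}
# Servlet containers do not serve these directories, so their content is skipped.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def find_exposed_artifacts(webroot):
    """Return sorted (relative_path, reason) pairs for files and directories
    under `webroot` that a public web server would hand out but should not."""
    webroot = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = Path(dirpath).relative_to(webroot)
        if rel.parts and rel.parts[0] in PROTECTED_DIRS:
            dirnames[:] = []  # do not descend into protected trees
            continue
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((str(rel / d) + "/", "version-control metadata in web root"))
                dirnames.remove(d)
        for f in filenames:
            suffix = Path(f).suffix.lower()
            if suffix in RISKY_SUFFIXES:
                findings.append((str(rel / f), f"'{suffix}' file served from web root"))
            elif f.endswith("~"):
                findings.append((str(rel / f), "editor backup file"))
    return sorted(findings)


def build_demo_webroot():
    """Construct a small, deliberately sloppy web root for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "WEB-INF" / "classes").mkdir(parents=True)
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (root / "WEB-INF" / "classes" / "db.properties").write_text("db.user=app")  # protected: fine
    (root / "index.jsp").write_text("<html>ok</html>")        # compiled by the container: fine
    (root / "login.jsp.bak").write_text("<% /* old copy */ %>")  # served as plain text
    (root / "src").mkdir()
    (root / "src" / "LoginServlet.java").write_text("class LoginServlet {}")
    (root / ".svn").mkdir()
    (root / ".svn" / "entries").write_text("")
    (root / "config.properties").write_text("db.password=placeholder")
    return root


if __name__ == "__main__":
    for path, reason in find_exposed_artifacts(build_demo_webroot()):
        print(f"{path:30} {reason}")
```

Against the constructed web root the check reports the `.svn/` directory, `config.properties`, `login.jsp.bak` and `src/LoginServlet.java`, while `index.jsp` and everything under `WEB-INF` pass. Running it in the deployment pipeline, and again on a schedule against the live document root, is the kind of automated assessment the post asks for.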

That’s it for today. Take care of your application code!