Monthly Archives: September 2016

Yahoo hacked in late 2014 – Breach detected in 2016

25 September 2016

In August 2016, a hacker offered 200 million Yahoo accounts for sale on the darknet. In a first investigation, Yahoo found no evidence for this claim, but the investigation team did find indications of a data breach that happened in 2014.

Last Thursday, Yahoo announced that account information of 500 million users was stolen in late 2014. The good news is that the company found no evidence that the attackers are still active in its network, and that only names, email addresses, phone numbers, birth dates, encrypted passwords, and, in some cases, security questions and answers were stolen.

That is bad enough, especially because reusing account information such as security questions and answers across services is a widespread bad habit. Yahoo users are well advised to change their security questions wherever they have reused them.

But what really worries me is that it took about 600 days before the breach was detected. That is far more than the MTTI (Mean Time to Identify) of 206 days that the Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’, and more than the maximum value of 582 days.

One can only speculate whether indicators of compromise were non-existent, ignored, not recorded, or not regularly reviewed. Regular review of event and incident data is a really tough job, but it is essential when it comes to assessing indicators of compromise.
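As an added illustration of that last point (this is example code written for this page, not anything from Yahoo or from the Ponemon study): a retrospective sweep of archived event data against a list of indicators of compromise. The log lines and the indicators are constructed for the example (documentation-range IP addresses, an invented user agent, a hypothetical review date); the only figures taken from the post are the 206-day mean and the 582-day maximum time to identify. Running it shows how an indicator that was recorded but never reviewed surfaces as dwell time once somebody finally looks.

```python
import re
from datetime import date, datetime

# Constructed sample event log (syslog-style). These lines and the addresses in
# them are invented for this example; the IPs come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2014-11-03T02:14:07Z auth sshd: Accepted password for svc_backup from 203.0.113.45 port 51022
2014-11-03T02:15:40Z web nginx: 203.0.113.45 "GET /admin/export?all=1" 200 ua="curl/7.30.0"
2015-01-12T09:02:11Z auth sshd: Accepted publickey for alice from 192.0.2.10 port 40012
2016-06-20T22:47:03Z web nginx: 198.51.100.7 "POST /login" 302 ua="Mozilla/5.0"
2016-06-20T22:49:19Z auth sshd: Accepted password for svc_backup from 203.0.113.45 port 53310
"""

# Constructed indicators of compromise (a hypothetical threat-intel feed).
IOCS = {
    "ip": {"203.0.113.45"},
    "user_agent": {"curl/7.30.0"},
}

# Ponemon 2015 figures quoted in the post: mean time to identify and its maximum.
PONEMON_MTTI_DAYS = 206
PONEMON_MAX_DAYS = 582

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UA_RE = re.compile(r'ua="([^"]*)"')


def parse_event(line):
    """Split one log line into timestamp, host, IPs and user agent; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ua = UA_RE.search(m.group("rest"))
    return {
        "ts": ts,
        "host": m.group("host"),
        "ips": set(IP_RE.findall(m.group("rest"))),
        "user_agent": ua.group(1) if ua else None,
    }


def sweep(events_text, iocs):
    """Return every event that matches at least one indicator, oldest first."""
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # malformed lines are skipped rather than silently matched
        matched = [f"ip:{ip}" for ip in sorted(ev["ips"] & iocs["ip"])]
        if ev["user_agent"] in iocs["user_agent"]:
            matched.append(f"ua:{ev['user_agent']}")
        if matched:
            hits.append({"ts": ev["ts"], "host": ev["host"], "matched": matched})
    hits.sort(key=lambda h: h["ts"])
    return hits


def dwell_days(hits, review_date_iso):
    """Days from the earliest indicator hit to the review date (YYYY-MM-DD); None if no hits."""
    if not hits:
        return None
    return (date.fromisoformat(review_date_iso) - hits[0]["ts"].date()).days


def rate_against_ponemon(days):
    """Compare a dwell time with the MTTI figures quoted in the post."""
    return {
        "above_mean": days > PONEMON_MTTI_DAYS,
        "above_max": days > PONEMON_MAX_DAYS,
    }


if __name__ == "__main__":
    hits = sweep(SAMPLE_EVENTS, IOCS)
    for h in hits:
        print(h["ts"].isoformat(), h["host"], ", ".join(h["matched"]))
    days = dwell_days(hits, "2016-07-01")  # constructed review date
    print(f"earliest indicator seen {days} days before review:", rate_against_ponemon(days))
```

The point of sorting the hits is that the oldest match, not the newest, is what sets the dwell time; a review that only looks at the last few days of logs never sees it. On the constructed data the earliest hit is 606 days before the review date, above both Ponemon figures.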

Have a good week.

A 5k from Dormagen to Leverkusen

21 September 2016

For some weeks now I have been trying to cycle to work, at least 2 days a week. The distance from Dormagen to my office in Leverkusen is 19 km. I need about an hour in the morning, which is about 7,500 steps, or roughly a 5k walk.

The countryside along the Rhine dam is truly beautiful, in particular shortly after sunrise:

The Rhine dam between Dormagen and Cologne

Have a good day, and a great 5k.

A SIEM Security Nightmare

18 September 2016

A few weeks ago, we started a small project to attach a production site to the central SIEM system.

Operational IT (OT) groups, which run the production IT systems, are traditionally not very happy when it comes to close collaboration with Information Technology (IT) groups, which run the ‘Office’ IT systems. OT groups are always afraid of negative impacts of Office IT systems and procedures on the availability and the safety of the production facilities.

Thus we started with a minimally invasive approach. Our goal was to keep the impact of the local SIEM components on the production Active Directory, systems and firewalls to a minimum.

The result was remarkable: within a few days we attached some Windows systems, switches and firewalls to the central SIEM system. No technical users were installed in the production Active Directory, and only 3 ports were opened on the firewall for a point-to-point connection from the local SIEM component to the central system. More importantly, no reboot of any system was required! The OT group was positively impressed.

Unfortunately, to keep the local SIEM software up to date, patches must be applied 6 to 8 times a year, and patching always requires a fresh installation and configuration of the local SIEM components. This will keep the OT groups busy, in particular at large production sites with many network partitions.

To reduce this effort, a management system can be set up that automates the local installation and configuration of the SIEM software components. But to operate the management system, we have to open additional firewall ports for communication from outside the production network to SIEM components in every network partition inside the production network. This renders our network security concept invalid: in the worst case, attackers can use these connections to get access to the production systems from the office network.

SIEM is starting to become a security nightmare for the OT groups, even though it would be quite simple for the vendor of the SIEM software to turn this into a really smart and secure process:

  • Change the software patching process such that the configuration of local SIEM components is retained
  • Introduce an offline management mode, e.g. allow the application of predefined configurations

With this, the impact of the SIEM software on the production network is minimized, and the overall security level is retained. Unfortunately, vendors of security software are often not interested in the overall security level …

Have a good weekend.

Apple delivered patches to mitigate state-sponsored Trident attack – Millions of Android devices potentially vulnerable?

10 September 2016

During my bicycle trip to the springs of the White Main in the Fichtel Mountains, news about the state-sponsored Trident attack on iOS devices went around the world. The topic was front-page news even in local newspapers, very often with a certain malicious joy, because Apple’s iOS is well known for its superb security.

Within a few days Apple developed patches for the vulnerabilities and delivered them to iOS devices in the field. This was taken for granted by the public, but it is very remarkable, because only Apple and Microsoft are able to deliver ad hoc patches for their mobile device operating systems.

In the report ‘A Hacking Group Is Selling iPhone Spyware to Governments’, published on 25 August on WIRED, one could read:

“NSO Group won’t be able to use this particular attack anymore on iPhones running the latest version of iOS—and one of the operating system’s strongest selling points is its high adoption rates for new versions. In the meantime, the Citizen Lab and Lookout researchers say that there is evidence that the group has ways to get Pegasus spyware onto other mobile operating systems, notably Android.”

With this, all devices running Android, and that is the majority of devices, are potentially vulnerable to the Trident attack, and will remain vulnerable for their entire lifetime.

Or have you ever heard of a smartphone vendor that delivers patches for Android devices in a timely manner, and for older devices?

Have a good weekend.