Category Archives: Puzzling discussions

Discussions about IT security issues that really puzzle me.

WannaCry, Rumsfeld and Production Firewalls

21 May 2017

Today, firewalls are the preferred means to separate a production network from a company’s intranet. Firewall configuration follows the Rumsfeld Conundrum: Block everything you don’t know!

Rumsfeld Conundrum for firewall configuration

For production management and IT and OT operations, we need some communication between systems in the company intranet and the production network. These required (known) connections are defined in the firewall rule base. The firewall allows communication between these known systems, and blocks any other connection attempts.

As long as the SMB V1.0 protocol is not used for communication across the firewall, the Rumsfeld Conundrum works pretty well.

Unfortunately, the SMB protocol is frequently used to implement required connections between Windows-based computers in the company intranet and the production network, e.g. for the exchange of manufacturing orders. As a result, production systems become vulnerable to WannaCry even though a firewall is in place, because the firewall does not block communication across required connections. In the worst case, if WannaCry spreads across required connections to systems in the production network, this may result in loss of production.

Immediate action is required. The firewall rule base is a good starting point to determine how big the problem is, and to identify the systems that must be immediately patched or otherwise secured, if patching is not possible due to technical or regulatory restrictions.
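A small audit of the kind this paragraph suggests, added here as an example (not code from the original post): it reads a constructed rule base in an assumed semicolon-separated format and lists the production hosts that intranet systems may reach over SMB (TCP 139/445), i.e. the systems to patch or otherwise secure first.

```python
"""Audit a firewall rule base for SMB paths into the production network.

Added example, not from the original post. The rule-base format is an
assumption: one ';'-separated rule per line with the fields
name;action;src_zone;src;dst_zone;dst;proto;dports, where dports is a
number, a range 'a-b', a comma-separated list of those, or 'any'.
"""
FIELDS = ["name", "action", "src_zone", "src", "dst_zone", "dst", "proto", "dports"]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB
# Constructed sample rule base (illustrative only, not a real configuration).
RULEBASE = """\
orders-exchange;allow;intranet;10.1.5.20;production;10.8.0.15;tcp;445
historian-pull;allow;intranet;10.1.7.0/24;production;10.8.0.30;tcp;1433
legacy-share;allow;intranet;10.1.5.21;production;10.8.0.15,10.8.0.16;tcp;137-139,445
remote-desktop;allow;intranet;10.1.9.5;production;10.8.0.40;tcp;3389
any-service;allow;intranet;10.1.0.0/16;production;10.8.0.50;tcp;any
deny-all;deny;any;any;any;any;any;any
"""

def parse_rules(text):
    """Turn the text rule base into a list of field dicts."""
    return [dict(zip(FIELDS, line.split(";")))
            for line in text.splitlines() if line.strip()]

def port_spec_covers(spec, wanted):
    """True if the port spec permits at least one of the wanted ports."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in wanted):
            return True
    return False

def smb_exposed_hosts(rules, prod_zone="production"):
    """Map each production host reachable over SMB to the rules that allow it."""
    exposed = {}
    for r in rules:
        if r["action"] != "allow" or r["dst_zone"] != prod_zone:
            continue
        if r["proto"] in ("tcp", "any") and port_spec_covers(r["dports"], SMB_PORTS):
            for host in r["dst"].split(","):
                exposed.setdefault(host, []).append(r["name"])
    return exposed

if __name__ == "__main__":
    # Every host listed here must be patched or otherwise secured immediately.
    for host, names in sorted(smb_exposed_hosts(parse_rules(RULEBASE)).items()):
        print(f"{host}: reachable over SMB via {', '.join(names)}")
```

Rules whose destination port is "any" are the usual surprise in such a review, which is why the port check treats them as covering SMB.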

Firewalls are an indispensable part of a defense in depth concept, but plain packet filtering is no effective means against attacks like WannaCry.

Have a good week, and take care of your production networks.

Vastly improve your IT security in 2 easy steps?

1 April 2017

Keep your software patched and defend against social engineering, and you will win the battle against the bad guys. Let me be clear: From my point of view this is simply not enough. Nevertheless, Roger A. Grimes’ post “Vastly improve your IT security in 2 easy steps” published on March 21, 2017 at InfoWorld is really worth reading, in particular the section about patching.

The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program most likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.

In particular in the production domain, where patching always has to be delayed until the next scheduled maintenance, this is a very important hint.

The big question is: How can we identify the right software on the right and important systems? Without an up-to-date asset directory with the relevant details about cyber security this is a very complex and expensive matter.

But even with an up-to-date asset directory this remains a complex task.

Rockwell/Allen Bradley Systems directly connected to the Internet

Rockwell/Allen Bradley Systems directly connected to the Internet in North America

For example, the likelihood of a cyber-attack on an Industrial Control System (ICS), which is directly connected to the internet, is many times higher than the likelihood of an attack on an ICS which is completely isolated in a security zone within the production network. The first ICS is definitely one of those systems Roger Grimes has in mind, the latter can be ignored.

But the likelihood of a cyber-attack is only half the story. For example, in functional safety the risk is the combination of the probability that a hazard will lead to an accident and the likely severity of the accident if it occurs. Thus, from this point of view, even the first ICS may be uncritical unless it is used for controlling a critical infrastructure.

To identify the right and important systems is the hard task. It requires an up-to-date asset inventory and a smart risk management process. The plain patching process is just a piece of cake.

Have a good weekend.

Cybersecurity is just too much trouble for the general public, claims study

8 October 2016

In the report ‘Cybersecurity is just too much trouble for the general public, claims study’, published on 6 October at the Tripwire state-of-security blog, Graham Cluley cites from the NIST study Security Fatigue:

“Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”

We should not be surprised ‘that the public is suffering from “security fatigue” and a feeling of helplessness when it comes to their online security’. Most of the advice for end users in the information security domain is just puzzling. Let me make this clear with an example.

The renowned German Stiftung Warentest assessed 15 e-mail providers in the October 2016 edition of the Test magazine. The focus of the assessment was data privacy, ‘the protection of customers and emails against unwanted looks’. And, of course, usability. Table 1 below shows the Stiftung Warentest quality ranking.

Provider Quality Ranking (1)
Mailbox.org Tarif Mail 1.4
Posteo 1.4
Mail.de Plusmail 2.2
GMX Topmail 2.3
Web.de Club 2.3
Web.de Freemail 2.5
GMX Freemail 2.6
Telekom Freemail 2.6
Freenetmail Basic 2.7
Telekom Mail / Cloud M 2.7
1&1 Mail Basic 3.1
AOL Mail 3.1
Yahoo Mail 3.2
Microsoft Outlook.com 3.3
Google Gmail 3.4

Table 1: Stiftung Warentest rankings

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

At first glance, the table suggests that it is sufficient to use one of these providers (all were rated from very good to average) and security is guaranteed.

Unfortunately, this assessment is very misleading. Email encryption is just one aspect of information security. It protects against cyber criminals, state-sponsored attackers or insider attacks because the information is not readable unless the attacker has access to the encryption key.

If an attacker is able to compromise a user’s account, e.g. through a password phishing attack, he might have full access to all emails, even though they are encrypted.

Securing an account against phishing with frequent password changes and individual passwords for different services is not sufficient, and usability is poor even when password managers are used. Two-Factor Authentication (TFA) or one-time passwords are the tools of choice to enhance security against phishing attacks.

Table 2 shows the Stiftung Warentest results updated with details about TFA availability.

Provider Quality Ranking (1) TFA available With soft token With SMS With hard token
Mailbox.org Tarif Mail 1.4 (2) Yes Yes Yes
Posteo 1.4 Yes Yes  
Mail.de Plusmail 2.2 Yes Yes Yes
GMX Topmail 2.3 No
Web.de Club 2.3 No
Web.de Freemail 2.5 No
GMX Freemail 2.6 No
Telekom Freemail 2.6 No
Freenetmail Basic 2.7 No
Telekom Mail / Cloud M 2.7 No
1&1 Mail Basic 3.1 Undef. (2)
AOL Mail 3.1 Yes Yes
Yahoo Mail 3.2 Yes   Yes  
Microsoft Outlook.com 3.3 Yes Yes Yes
Google Gmail 3.4 Yes Yes Yes Yes

Table 2: Rankings updated with details about TFA

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

(2)    It was not possible to determine whether TFA is available from the provider’s homepage

Only 7 of the 15 email providers allow the use of a second factor. The limitation to one aspect of information security creates puzzling results and a false sense of security. It is therefore no wonder that consumers show the ‘characteristics of security fatigue’.

Under normal conditions, TFA with soft tokens is activated within seconds and is very easy to use. From my point of view, service providers should raise the needed awareness and enforce the use of TFA. It is not sufficient to notify users of new waves of phishing attacks.
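To show why a second factor defeats a phished password (the point made above about TFA and about soft tokens), here is an added example that is not code from the original post or from any of the providers listed: a soft token computing TOTP codes per RFC 6238 on top of HOTP (RFC 4226), checked against the RFCs’ published test secret. The verification window and the login function are assumptions of this example.

```python
"""Soft-token second factor: TOTP (RFC 6238) on top of HOTP (RFC 4226).

Added example, not code from the original post or any provider named in it.
It shows why a phished password alone is not enough: the one-time code is
derived from a secret that never leaves the user's token and the server.
"""
import hmac
import hashlib
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors (a real provider hands
# out a random per-user secret, usually as a QR code, when TFA is activated).
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30

def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time=None, digits=6):
    """TOTP: HOTP with the counter = number of 30-second steps since the epoch."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)

def verify_totp(secret, code, at_time=None, window=1):
    """Accept the code for the current step or `window` steps either side,
    tolerating clock drift between phone and server. Comparison is
    constant-time so the check does not leak how many digits matched."""
    at_time = time.time() if at_time is None else at_time
    step = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))

def login(stored_password, stored_secret, password, code, at_time=None):
    """Both factors must pass; a phished password alone is rejected."""
    return (hmac.compare_digest(stored_password, password)
            and verify_totp(stored_secret, code, at_time))

if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(TEST_SECRET, 59, 8))  # 94287082
    print("current code:", totp(TEST_SECRET))
```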

Have a good weekend.

Apple delivered patches to mitigate state-sponsored Trident attack – Millions of Android devices potentially vulnerable?

10 September 2016

During my bicycle trip to the springs of the White Main in the Fichtel mountains, news about the state-sponsored Trident attack on iOS devices went around the world. The topic was front page news even in local newspapers, very often with a certain malicious joy, because Apple’s iOS is well-known for its superb security.

Within a few days Apple developed patches for the vulnerabilities and delivered them to iOS devices in the field. This was taken for granted by the public, but it is very remarkable, because only Apple and Microsoft are able to deliver ad hoc patches for their mobile device operating systems.

In the report ‘A Hacking Group Is Selling iPhone Spyware to Governments’, published on 25 August on WIRED, one could read:

“NSO Group won’t be able to use this particular attack anymore on iPhones running the latest version of iOS—and one of the operating system’s strongest selling points is its high adoption rates for new versions. In the meantime, the Citizen Lab and Lookout researchers say that there is evidence that the group has ways to get Pegasus spyware onto other mobile operating systems, notably Android.”

With this, all devices running Android, and that is the majority of devices, are potentially vulnerable to the Trident attack, and will remain vulnerable for their entire lifetime.

Or have you ever heard of a smartphone vendor that delivers patches for Android devices in a timely manner, and for older devices?

Have a good weekend.

France says fight against messaging encryption needs worldwide initiative

13 August 2016

The report “France says fight against messaging encryption needs worldwide initiative”, published on Reuters technology news last Thursday, is truly worrying.

“Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative.”

I can, of course, understand the motivation of the French Interior Minister. He must do his utmost to protect France from further terrorist attacks.

“French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram.”

Although the French Interior Minister has not requested decryption options from service providers yet, the direction of a Franco-German initiative is from my point of view clear: Service providers shall make decryption options available to national police and intelligence and security services.

With this, some attacks can certainly be prevented, but on the other hand, it puts many innocent people who care about civil rights in authoritarian regimes at risk.

In “Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers”, published in Reuters CYBERSECURITY on 2 August 2016, Joseph Menn and Yeganeh Torbati reported that Iranian hackers compromised accounts on Telegram.

The security researchers who researched the attack said that “… the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.”

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

That is precisely the problem when national security services demand decryption options from service providers: The information can be used to prevent terrorist attacks, as well as for violent actions against dissidents among the citizens. Hopefully the German Interior Minister will remember the recent German history (Stasi) and reject those demands once and for all.

By the way, end-to-end encryption is just the comfortable way of secure communication. Terrorists can turn to less comfortable but highly secure encryption options like PGP. With this, the French initiative no longer makes sense, because the messages are encrypted before transport to the service provider. End-to-end encryption is not even required.

Even though it is apparent from the context, Benjamin Franklin’s quote about liberty and safety fits very well here:

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

Have a good weekend.

Is ‘Assume you have been breached’ really the best Cybersecurity Strategy?

19 March 2016

I watched the webinar ‘The Best Cybersecurity Strategy: Assume You Have Been Breached’ this week. The summary in the email invitation sounded really interesting, so I registered, and had to compromise the integrity of my computer once again. Why on earth does SC Magazine present all its content in that security nightmare, Flash Player?

Young-Sae Song, Vice President Marketing, Arctic Wolf, quotes the Gartner advice ‘Shift Cybersecurity Investment to Detection and Response’ of January this year:

Experts recommend shifting the focus to detection and response

Is this advice meant seriously? I don’t think so. The Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’ the mean time to identify at 206 days, with a range of 20 to 582 days (based on a sample of 350 companies). And this despite the increasing number of SIEM installations in the past years.

CISOs are well advised to make sure that the existing cyber defense measures, including their SIEM system, work effectively before they follow this advice.

A ray of hope is Invincea’s Advanced Attack Challenge Simulator. The simulator allows testing the effectiveness of defensive measures against a variety of adversaries. For more details, please see Anup Ghosh’s post ‘Take the Advanced Attack Challenge’. I tried to cut the number of possible defense measures as far as possible. The results are really interesting. Of course, only in the context of this model.

Have a good weekend, and good luck with the simulation.

IRS Suspends Identity Protection Tool after Fraudulent Logins

12 March 2016

The IP PIN is an effective means to solve the identity theft problem that caused the IRS data breach in 2015. An IP PIN is not as good as a physical second factor, e.g. a FIDO security key or a grid card, but better than easy-to-break identity verification questions. Moreover, IP PINs are easy to roll out by mail, and the effort for implementation is moderate.

Unfortunately, sometimes they get lost and must be recovered. This means that we need a method for the unambiguous identification of a person. For this the IRS uses easy-to-guess identity verification questions. On Krebs on Security we read:

‘The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.’

One could get crazy!

Dear IRS,

the White House wants YOU to #TurnOn2FA! For more details, please see the Cybersecurity National Action Plan published on 9 February 2016:

‘Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.’

Have a good weekend.