Wednesday 21 May 2014

eBay compromised...

Today, eBay made the news as it was announced that their database had been compromised.  Personal information had been stolen, including names, addresses, email addresses, phone numbers, dates of birth and an encrypted copy of the user's password.  The breach was believed to have occurred between late February and early March.

If you have an eBay account, the first thing to do is change your password.

Depending on the level of encryption, all that is needed to crack the password is time and processing power.  Although the PayPal database is separate and has not been compromised, I would highly recommend changing that password, if it matches your eBay account.

Although my PayPal account rarely has much money left in it, it was only protected with a password.  After today, this was changed to send me a code via SMS when I log in, so I require my password and my mobile phone to gain access to the account now.  You can activate that on your account here,

How was eBay compromised?  Some of the eBay user credentials were obtained and used to carry out the compromise.

We've yet to find out how, but I suspect that it was either someone aware of the eBay way of working, or it was obtained via a spear-phishing attack.  Spear-phishing is where specific people are targeted, where the people are either known, or information has been gathered from public sources, such as social media.  Once aware of information relating to the user, they can be targeted by many means, including email.  Typically when the user falls for the trap, software will be deployed onto their computer and the target monitored.  Credentials can be gathered and then used against the organisation the hacker is targeting.

Lockheed Martin pioneered the Cyber Kill Chain where there are seven steps to the potential compromise, and the aim is to break the chain at any one of the seven points.  The sooner, the better.

Another concern is that most organisations would require users to have privileged (such as system administrator) access to be able to access such information.  There are solutions out there that could have prevented this by managing the password on behalf of the user.

I'm sure more information regarding the compromise will come to light over the next few weeks.  It's surprising that more protection and prevention hasn't been deployed, but being a large organisation like eBay they will always be targeted.


Wednesday 14 May 2014

Muting Social Media...

At the beginning of this month, it was reported in the news that Twitter were trying out a mute feature.  This feature is being made live this week over various platforms, but I'm surprised why you’d follow someone who over-shares.  Surely the mute feature would be to unfollow them.

I'm on a number of social media sites, including Twitter, Facebook and LinkedIn, and am all too aware of people who over-share on social media.  I'm sure you have the same with the people you are connected with on various social media sites.

In the last year or so, I've noticed that it’s the same people who share a lot on my recent news feeds, but have noticed many people have been sharing a lot less.  In fact I'm guilty of this as my regular blogging has slowed somewhat, and I'm also using Twitter and Facebook less frequently.  My LinkedIn is quite active, which I suspect was due to my relatively recent new role with a new organisation.

I believe this could be attributed to the “Snowden Effect”, as more and more people hear about and begin to understand about data privacy, they become more concerned with what they are sharing and how it is so easily accessible with the aid of everyone’s favourite search engine. 

I find I'm a lot more cautious when using social media now, as I don’t know who may read or misread my comments at a later date.  The recent news about the “right to be forgotten” in the EU court is interesting, as Google can only search on publicly available data on the internet.  It still surprises me how many people believe that Google holds all this data, although I appreciate Google does cache some information.

It’s not just about data that can be used, there are also legal implications.  We have seen a number of legal cases and prosecutions around trolling, but this does not seem to slow the flow of negative or inflammatory comments on social media sites.  Listening to the news on the radio today it seems that the Crown Prosecution Service (CPS) are issuing new guidelines towards the elderly and teenagers receiving abuse, including via social media.

After the initial explosion and the subsequent growth of social media, it has meant the laws protecting the users have always lagged behind.  It’s great to be a part of this pioneering time, but as with all pioneers, it’s difficult to protect yourself from the unknown.

Friday 9 May 2014

BYOD Revisited

I wrote a piece on a pipedream called “Bring Your Own Device” back in November 2011 (http://blog.andytang.com/2011/11/embracing-bring-your-own-device-byod.html)

Like with all new concepts, I believe my attitude has changed and mellowed as I see it being used in the real world.  I still have a number of conversations about BYOD or CYOD (Choose Your Own Device), but more around people still being unsure what to do.

I remember being asked by an ex-boss, “What BYOD solutions do we sell?” to which I replied “None… We sell solutions to support BYOD policies, not BYOD Solutions!”  If we consider this for a moment, your policy could be to not allow personal devices, it could be to only allow personal devices on the guest wireless, or it could be full access to the corporate network where the administrators can remote wipe your device.  These are different policies, and would require different types of solutions to enforce these policies.

Previously I talked about network infrastructure, endpoint security, network access, compliance and device compatibility, but I don’t feel they are as important any more.  The issues I believe we need to focus on are as follows.

Wireless Security
My stance has changed from whether the wireless network can cope, to whether the wireless network can be secure enough.  Can the organisation deal with rogue access points, denial of service attacks, or unauthorised devices connecting to your network?  Most people can’t say this about their wireless network, which in my opinion is not good enough!  There are Wireless Intrusion Prevention Systems out there that can offer wireless access, as well as act as an overlay to your existing wireless network.

Enterprise Mobility Management (EMM)
There was a time when the concern was how we can wipe a device if it’s lost or if the employee leaves.  This led to an employee pushback around it being their device and not the company’s.  Where MDM (Mobile Device Management) was once good enough, it started to get coupled with MAM (Mobile Application Management) and more recently MCM (Mobile Content Management).  This then provides comprehensive device and data management for the mobile devices.

Protecting the Data
I only care about the data!  As an organisation, should I worry if my employees lose their device, if the wireless connection they are on is insecure, what type of device they are on, or whether they run any security on their device?  The answer should be no…

My only concern as an organisation is, is my data safe? We should be protecting the data.

Find out which data is critical to the organisation and protect it.  There are many DLP (data leakage prevention) solutions, but these need to be coupled with the means by which the data can leave your organisation.  Primarily, organisations will look at the web and email vectors, before considering that ActiveSync (the protocol most mobile devices use to collect their email from corporate email servers) is also a vector with which data can leave.

Conclusion
If you feel you have to protect the device, then look at a full EMM solution and not just an MDM.  If you have to provide wireless, please secure it with a WIPS.  Although the key in my opinion is to protect your data!

Companies rarely make the news for losing a device, but they do if they lose data!

Friday 2 May 2014

The Aftermath of Heartbleed

What is the Heartbleed Bug?

I know a number of media outlets have given a variety of descriptions, but I have taken this one from the Heartbleed website (www.heartbleed.com):

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).  

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

In short, the software technology that some organisations use to protect connections and transfer of information has a vulnerability.  This could allow someone to monitor and see the data transfer of information, even though it is in a secure tunnel.
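The quoted description says the bug lets anyone read the memory of a vulnerable system. The added example below (a simplified C model, not OpenSSL's code and not part of the original post) shows why: a TLS heartbeat handler that trusts the length field inside the request, beside the handler with the length check restored. The arena, function names and sample secret are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not OpenSSL code: one arena stands in for process memory.
   The received heartbeat record sits at offset 0; unrelated data follows. */
#define ARENA_SIZE 64
#define HB_HEADER  3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING 16   /* minimum padding after the payload (RFC 6520) */
#define SECRET "session=constructed"   /* constructed sample value */
static uint8_t arena[ARENA_SIZE];

/* Build a request that really carries "HAT" but claims `claimed` bytes.
   Returns the true record length as the record layer would report it. */
static size_t load_record(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                               /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "HAT", 3);
    size_t record_len = HB_HEADER + 3 + HB_PADDING;
    memcpy(arena + record_len, SECRET, strlen(SECRET)); /* neighbouring memory */
    return record_len;
}
static size_t claimed_len(void) { return ((size_t)arena[1] << 8) | arena[2]; }

/* Before the fix: the echo length comes from the message itself. */
static size_t heartbeat_vulnerable(size_t record_len, uint8_t *out, size_t cap) {
    size_t n = claimed_len();
    (void)record_len;                           /* never consulted: the bug */
    if (n > cap || HB_HEADER + n > ARENA_SIZE) return 0; /* keeps the toy in bounds */
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

/* After the fix: drop requests whose claimed payload cannot fit the record. */
static size_t heartbeat_fixed(size_t record_len, uint8_t *out, size_t cap) {
    size_t n = claimed_len();
    if (HB_HEADER + n + HB_PADDING > record_len || n > cap) return 0;
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

int main(void) {
    uint8_t out[ARENA_SIZE];
    size_t rl = load_record(40);
    printf("vulnerable echoed %zu bytes, fixed echoed %zu bytes\n",
           heartbeat_vulnerable(rl, out, sizeof out), heartbeat_fixed(rl, out, sizeof out));
    return 0;
}
```

With an honest request both handlers echo the three payload bytes; with an over-stated length only the unchecked handler returns bytes that were never part of the request, which is why patching alone does not undo what may already have been read.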

The following cartoon may be a light hearted look at the vulnerability, but it has some very far reaching consequences: 


Fixing the Heartbleed vulnerability

The software package in question, OpenSSL, needs to be patched.  That sounds like a straightforward request, but as a user you will have very little interaction to do this.  This software is often used on websites to allow it to create secure tunnels, but the reliance is on the website administrator to put these upgrades in place to remove the vulnerability.  The secure tunnel relies on the exchange of digital certificates to prove the tunnel should be trusted, but if these certificates have been compromised, they will need to be revoked and reissued. Again, this is a task for the website administrator.

Aside from websites, various IT manufacturers use OpenSSL to secure access to their solutions, whether it’s the administration console, remote access certificates, etc.  The reliance then is on the manufacturer to upgrade their solution with a patched version of OpenSSL, compile their solution and test it, before then releasing it for public consumption.  Most of the bigger manufacturers released statements within hours, and updated versions of code within days.  There are still some manufacturers who have done neither.

Next steps

If you are a user of a website that uses OpenSSL, ensure they have updated to a version without the vulnerability and as a precaution, change your password.

As an administrator of a website that uses OpenSSL, ensure the site has been updated to a version without the vulnerability, then revoke and reissue the certificate.  Prompt the users to change their password, and ensure they receive the reissued certificate.

As an administrator of an IT solution that uses OpenSSL, follow the manufacturer’s guidelines, which will be to update or patch the software to the latest version, which will include the fix to the OpenSSL issue. It may still be necessary to revoke and reissue the certificate, as well as change any passwords.

Most importantly, check your systems are no longer vulnerable after any changes.  There are a number of services that can check, including a complimentary check the organisation I work for is offering.  More information around that service can be found here: www.mti.com