Monthly Archives: February 2016

Big Banks Increase Cybersecurity Investment to Stop Data Breaches


A recent article in Forbes Magazine reports that big banks including Bank of America and J.P. Morgan Chase are pulling out all the stops when it comes to their cybersecurity budgets. According to the article, B of A CEO Brian Moynihan has declared that cybersecurity is the only area of his company that has no budget constraints whatsoever. Another financial giant, J.P. Morgan, reportedly doubled its budget in 2015 from $250 million to $500 million.

The increased investment in cybersecurity should come as no surprise. As Infosecurity Magazine reported last year, the financial services industry is 300 times more likely to be the target of a data breach than any other sector. In another study, insurance company Lloyd's of London found that cyber-attacks can cost organizations as much as $400 billion a year.

Putting more focus and dollars into data security is a wise move. However, improving security posture depends as much on what you invest in as it does on how much you spend. Like all industries, financial services is facing an increasing number of threat vectors and security challenges, including dependence on cloud-enabled services, an explosion of mobile devices in the workplace, and BYOD, to name a few. These vulnerabilities are being exploited by increasingly sophisticated and connected criminal hacker syndicates and nation-state attackers bent on thwarting whatever security solutions are put in their way. One only has to survey the high-profile data breaches of 2015 to realize that throwing more money at blocking threats from gaining entry won’t necessarily solve the problem.

The answer is not to abandon critical preventive measures such as AV/heuristic indexes, sandboxing and IPS. These are important technologies that have a place in a sound cybersecurity strategy. But organizations need to consider adding technology that can protect the network after evasive malware bypasses those defenses, but before they have to call in the disaster recovery team to assess their losses. One way to accomplish this is to add traffic anomaly detection: technology that continuously monitors all outbound network traffic to detect anomalous behavior and contain suspicious data transfers before an active infection is otherwise discovered. Such technology can augment preventive measures like sandboxing, but it requires that banks and other organizations first accept that no security tool exists that can stop 100% of malware. Even with unlimited budgets, stronger cybersecurity readiness can’t begin without that acceptance.

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 2


This is the second entry in a two-part series covering the NSA’s chief hacker’s recent talk at a security conference. Rob Joyce, the head of the Tailored Access Operations program put in place by the NSA to conduct cyberespionage operations on foes and allies alike, briefly revealed how state-sponsored hackers infiltrate their targets’ networks, often successfully.

Rob Joyce quickly ran through a list of to-dos for those who are looking to make his job harder. He could be forgiven for cutting short this particular portion of his talk.

Speaking candidly, the NSA hacker-in-chief explained that special access privileges to critical systems ought to be restricted to a select few. This inherently makes the NSA’s task difficult, as the number of worthwhile targets is lowered. Furthermore, he nodded toward segmenting networks and separating vital information and data. Such a move makes it harder for hackers to gain access to what they’re looking for.

The NSA employee also recommends patching systems regularly. Application whitelisting is also important for establishing trust. Hardcoded passwords are a strict no-no and ought to be removed. So too should legacy protocols that are no longer updated but are still in use. More specifically, protocols that transmit passwords in the clear should be curbed.

Joyce also pointed to roadblocks that make his job significantly harder. One such roadblock is an “out-of-band network tap.” This is a device that continually monitors network activity and maintains logs that can record anomalous activity. When a system administrator reads and reviews these logs regularly, the game is up.
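As an added illustration of the two defensive points above (the outbound traffic anomaly detection described in the first post, and Joyce’s advice about reviewing tap logs and curbing cleartext-password protocols), here is a small review pass over constructed flow records. This is example code, not code from the original page; the flow-log format, the internal address range and the thresholds are assumptions.

```python
"""Review constructed out-of-band tap flow records for two conditions:
legacy protocols that carry credentials in the clear, and a single
internal host sending far more data out than its peers."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample records (not from any real tap): time src dst dport bytes
SAMPLE_FLOWS = """\
2016-02-10T09:00:01 10.0.1.15 10.0.9.5 22 4200
2016-02-10T09:00:07 10.0.1.15 203.0.113.8 443 18000
2016-02-10T09:01:12 10.0.1.22 10.0.9.7 23 900
2016-02-10T09:02:30 10.0.1.22 203.0.113.8 443 21000
2016-02-10T09:03:44 10.0.1.40 198.51.100.23 21 1200
2016-02-10T09:05:00 10.0.1.40 198.51.100.23 443 9500000
2016-02-10T09:06:10 10.0.1.51 203.0.113.8 443 15000
"""

# Ports of legacy protocols that send passwords in the clear (assumed list)
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}
INTERNAL_PREFIX = "10."   # assumed internal address space
OUTLIER_FACTOR = 20       # flag a host above 20x the median outbound volume


@dataclass
class Flow:
    time: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, nbytes = line.split()
        flows.append(Flow(t, src, dst, int(dport), int(nbytes)))
    return flows


def cleartext_protocol_hits(flows):
    """Any use of a cleartext-credential protocol is a finding, internal or not."""
    return [(f.src, f.dst, CLEARTEXT_PORTS[f.dport])
            for f in flows if f.dport in CLEARTEXT_PORTS]


def outbound_volume_outliers(flows, factor=OUTLIER_FACTOR):
    """Sum bytes leaving the internal range per source host and flag hosts
    whose total is far above the median of their peers."""
    totals = defaultdict(int)
    for f in flows:
        if f.src.startswith(INTERNAL_PREFIX) and not f.dst.startswith(INTERNAL_PREFIX):
            totals[f.src] += f.nbytes
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(h for h, b in totals.items() if baseline > 0 and b > factor * baseline)


def review(text: str) -> dict:
    """Run both checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"cleartext": cleartext_protocol_hits(flows),
            "volume_outliers": outbound_volume_outliers(flows)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_FLOWS).items():
        print(kind, items)
```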

Another insight revealed by Joyce goes against the popular opinion about how state-sponsored hackers at the NSA or other agencies around the world operate. He claimed that the NSA does not rely on zero-day exploits, not extensively anyway. He says the NSA doesn’t look heavily at zero-days, simply because it doesn’t have to.

“[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,” he says.

“There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 1


The National Security Agency’s hacking chief reveals insights and tips to block the world’s best hackers.

Here’s how NSA’s hacker-in-chief Rob Joyce began his talk at a recent security conference in San Francisco.

I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done.

My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard.

As the head of NSA’s Tailored Access Operations – the team tasked by the government with infiltrating the computer systems and networks of foreign adversaries and allies – even Joyce made light of the awkward situation. He was in a room packed with security professionals, journalists and academics, telling them exactly how they could keep state hackers like him away from their computers and networks.

The NSA Trap

The NSA isn’t one to look for the login credentials of a targeted firm or organization’s management. Instead, the agency looks for the credentials of network and system administrators, those with high levels of network access and privileges. The NSA, as reported by Wired, also seeks out hardcoded passwords embedded in software. Similarly, the agency sniffs for passwords transmitted by legacy protocols. Basically, anywhere it detects a vulnerability is fair game, and none of them goes unnoticed by the agency.

Joyce said:

Don’t assume a crack is too small to be noticed, or too small to be exploited.

If users ran penetration tests of their network and infrastructure and saw 97 devices pass the test while three failed, Joyce claimed, those three seemingly harmless vulnerabilities are the ones that the NSA or other state-sponsored attackers will see as sweet spots.

“We need that first crack, that first seam,” explained Joyce, noting that every single vulnerability matters. “And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

If a user is approached by a vendor asking to open the network, however briefly, to fix a concern remotely, Joyce advises against it. Such a situation is just one of the many openings that nation-state hackers look for, he added.

Surprisingly, Joyce also pointed to personal devices such as laptops used by office employees that are running the gaming platform Steam as a favorite attack target of the NSA. When an employee’s kids load Steam games onto the laptop and the laptop subsequently connects to the organization’s network, an attack vector is opened.

Basically, the NSA and state-sponsored spies and hackers in general are well equipped to get into a user’s network, simply because they know more about the network than most users do.

“We put the time in … to know [that network] better than the people who designed it and the people who are securing it,” he stated. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”

New Law on Sharing Threat Info Aimed at Preventing Data Breaches


High-profile data breaches seem to occur in an almost predictable cadence, and no industry is immune. This has frustrated organizations that want to believe their security is strong enough to keep them from experiencing the bottom-line-bashing data theft they see in the headlines. The fact that the majority of both business and government functions have gone digital opens up doomsday scenarios of which government agencies, from the state and local level up to the federal level, are well aware.

Another factor that should be cause for alarm is that some of these breaches are carried out using malware that’s been around for a while. For instance, reports at the time alleged that the Home Depot and Target data breaches were caused by variants of the same malware. This goes a long way toward confirming that organizations aren’t sharing threat information, which is the issue behind some recent legislation, the Cybersecurity Information Sharing Act (CISA). The new law is designed to incentivize private industry to share cyber threat information with the Department of Homeland Security (DHS). The incentives for participating include liability protection and safeguards for any trade secrets of businesses that choose to participate.

The information being sought includes security vulnerabilities, malware code, damages from past breaches, and the steps the organization took to mitigate known or unknown threats.

While a move to more information sharing as a way to increase cybersecurity seems like a good idea, a recent article in Forbes Magazine entitled “Big Decision Time for Business As Cyber Security And Privacy Collide Again” points out a couple of reasons businesses might resist participation.

  • Proponents of the law can’t point to a single data breach that this legislation would have prevented, which raises the question: why do we need this law?
  • Businesses may be concerned that the information they provide to DHS could be given to the NSA, an agency whose history displays a decided lack of concern for privacy rights.
  • Companies may feel compelled to ignore these concerns because not participating in the CISA sharing programs may deprive them of critical threat information they need.

As the Forbes writer points out, making the sharing of threat information a matter of law is a small but critical step in supporting an atmosphere of intelligence sharing that will benefit everyone in the long run. He also points out that businesses in some industries are already sharing this sort of information, which is encouraging. Each of these steps represents an advancement in the war on cyber threats in which we all participate, whether we know it or not. Any action that moves us forward, no matter how small, should be welcomed.

PROPOSED STATE BANS ON PHONE ENCRYPTION MAKE ZERO SENSE


American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America’s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it’s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it’s meant to empower.

Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with a full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone’s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.


Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such “backdoor” scenario that gives cops access to encrypted smartphones at the risk of weakening every device’s data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn’t be. They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.

Crypto Has No Borders

If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America’s richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.

The last of those scenarios is Apple’s most likely move, says Singh Guliani, and yet would result in a “logistical nightmare” that still wouldn’t keep criminals from encrypting their phones’ secrets. She compares the laws to state-wide liquor regulations: “People will travel over the border to buy alcohol in states with the standards that suit them,” she says. If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones? “Nothing would stop those who wanted a more privacy protective phone to get one from out of state.”

In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. After all, it’s unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. “That would be a massive technical change to support this kind of device,” Zdziarski argues. “It would be literally cheaper for Apple to stop selling phones in California altogether.” Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone’s purchase. And nothing in the current bills would prevent Apple from making the encryption-enabled version of its firmware available to anyone who restores their device to factory settings.


In other words, that would make the New York and California crypto bans statewide bans on software, an idea roughly as practical as policing undocumented birds crossing the Mexican border. And if Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent any location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. “This legislation is going to be technologically useless,” says Zdziarski. “Anyone who wants a device that doesn’t have law-enforcement-reversible encryption will be able to get one.”

Pressuring Congress

Neither Apple nor Google, which followed Apple’s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to WIRED’s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells WIRED that the state-level bill is meant to pressure Congress to follow with its own legislation. “When there’s no national legislation, states take efforts on their own to solve an issue,” says Titone’s chief of staff Chris Bauer. “That can speed the process along to make the federal government take steps.”

Skyler Wonnacott, the director of communications for the California bill’s sponsor Assemblyman Jim Cooper, offered a similar argument. “California is leading the fight…It’s got to start somewhere,” Wonnacott says. “Just because you can drive into Nevada and buy a phone or download software doesn’t mean there isn’t an issue and these phones aren’t used in crimes.”

Congress has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn’t decrypt. (Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance’s office writes to WIRED that the DA’s office pushed for state legislation, and still hopes to find a compromise with device makers. “When Apple and Google announced the switch to full-disk encryption…with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,” writes the district attorney’s director of communications Joan Vollero. “If the companies have a solution, we encourage them to engage in a productive dialogue.”

Constitutional Questions

But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the “dormant Commerce Clause,” which gives the exclusive right to regulate commerce between states to the federal government. “States don’t have unlimited power to enact regulations to burden interstate commerce,” says Crocker. “If I’m Apple, this seems like a huge burden on my business.”

Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones—though they’d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. “New law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the paper reads. “The prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.”

And Crocker reiterates that state-level bills wouldn’t be just problematic or risky, but “wildly ineffective,” as those who want encryption will easily get it from out of state—in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user’s data will be left more vulnerable. “The ones who will actually be impacted are the less sophisticated people who don’t know how to get this protection,” says Crocker. “You’re looking at a cost that falls on innocent people, not criminals or terrorists.”