Category Archives: Encryption

TalkTalk – The case for a Chief Security Officer


While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few.

As the latest breach at broadband provider TalkTalk descends slowly into farce, the perils of relying on the CEO to fill these shoes become apparent. Almost one week on from the initial attack many important questions still remain unanswered or answered in unacceptably vague or contradictory terms.

The “significant and sustained” attack against TalkTalk was initially characterised as a Distributed Denial of Service attack. Commentators rightly pointed out that a DDoS in itself does not lead to information theft and that there must have been another element to it. Later reports appear to confirm that the theft was the result of a simple SQL injection attack. At a technology company! Affecting 4m people! In 2015!

TalkTalk are still unable to confirm which and how much data was encrypted. In addition to personal information including name, address, date of birth and email address, the breach also exposed financial data. The CEO initially said that they “didn’t know” if this data was encrypted or not (How can this be the case?). Now, it appears that “only” the first and last digits of credit card data may have been exposed. Of course this still carries risk, think how often those “last four digits” are requested as verification data. Since then Baroness Harding has even gone as far as the last refuge of the wicked, legislation, claiming in an interview with The Sunday Times (paywalled) that TalkTalk is under no obligation to encrypt credit card data. Really? I think that the PCI-DSS may well dispute that point with you, not to mention your customers.

Ah yes, the customers… Those four million people who will now be finding that their names, addresses, contact information and dates of birth are far more difficult to change than their credit card details (or their broadband provider) and that a year of free credit-monitoring involves entrusting yet another corporate with all their extremely sensitive information.

The handling of the breach illustrates that the role of the CISO is never a purely technical one; the CISO also owns the breach response plan, an important aspect of which has nothing to do with technology and everything to do with communications. How do you inform your customers and when? How do you engage law enforcement or forensics? What information do you need always to have to hand about the care and sensitivity with which you treat the information that has been entrusted to your organisation and how do you sensitively, accurately and promptly convey this?

Rule 1: It’s not all about you. To say, “I’m a customer myself of TalkTalk. I’ve been a victim of this attack” is crass and insensitive in the extreme. To include an assertion in your FAQ that you have not breached the Data Protection Act is both short-sighted and ill-informed, as I addressed in this piece for The Guardian.

This apparent lack of a plan, this visible lack of any senior information security management team, could well be the eventual downfall of TalkTalk; time, the markets, the regulators and their customers will decide. We could be watching the first major corporate disintegration as a result of a data breach. Welcome to the future.

So, assuming you have or are planning to hire a CISO, to whom should they report? In too many organisations the CISO is still reporting to the CIO despite the frequent pitfalls. This reporting structure can be counter-productive. The question of reporting lines is often a source of friction and can really only be answered if you have managed to effectively differentiate and delineate your CIO and CISO roles.

Job descriptions are slippery amorphous things, so in the interest of impartiality I’ll use Wikipedia’s definition. CIO is “a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals”, whereas CISO “is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected”.

When put this simply, the conflict of interest in having a CISO report to a CIO becomes very clear. The person responsible for ensuring organisational information security can not be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda. An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best of breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis; neither one being able to pull rank on the other.

In the case of a conflict arising between the two which cannot be resolved through discussion, the final say must come down to business risk and operations, requiring the involvement of the COO, CRO or even CEO depending on the organisational structure.

Security should be a regular boardroom agenda item and it is only through the checks and balances of the independent CIO and CISO that it can be effectively addressed.

Superfish (and chips) or Super Phish?


Image credit: seekeraftertruth[.]com

UPDATE: The private key and associated password which enable 3rd party (i.e. attacker) MITM attacks have successfully been extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. Compromised machines where a detection is made will still need to manually remove the Superfish certificate as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate.

___________________________________________________________________________________________________

When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time, in fact back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping this spyware, due to “some issues”. Of course that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among its bag of usual adware-type tricks, Superfish also installs its own self-signed root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security, and usually only the other party in the conversation, your bank, Facebook, your email account or an online store for example, is able to decrypt this privileged content.

By generating self-signed certificates, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser, because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and 1024-bit RSA keys (outdated since 2013), and it uses the same root CA private key on *every* Lenovo laptop, opening up the possibility of attacks against the certificate itself for widespread criminal abuse.

Images are already cropping up on Twitter showing the potential implications of this functionality.

Worse still, it seems that a simple removal of Superfish does not remove the associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing through misuse or misappropriation of the certificate’s private key.

Affected users will need first to manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate. Here is a list of root certificates that are necessary for Windows and a link to certificate removal instructions.
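Before (and after) following the removal instructions, it helps to know what is actually sitting in the machine's trusted root stores. The following is an added audit script, not code from the original post or from Lenovo; it assumes Windows PowerShell on an affected laptop and assumes the injected root is identifiable by the name "Superfish" in its subject, and it flags the two weaknesses the post calls out (SHA-1 signatures and RSA keys shorter than 2048 bits) so a reviewer can decide what to remove.

```powershell
# Added example: list trusted root CAs that look like Superfish-style injected roots.
# Assumptions: Windows PowerShell (.NET Framework 4.6+), stores readable by the current user.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert    = $_
        $reasons = @()

        # Assumed name match for the root described in the post.
        if ($cert.Subject -match 'Superfish') {
            $reasons += 'subject matches Superfish'
        }

        # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'.
        if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
            $reasons += 'SHA-1 signature'
        }

        # GetRSAPublicKey returns $null for non-RSA keys, so guard before reading KeySize.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt 2048) {
            $reasons += "RSA key only $($rsa.KeySize) bits"
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish-named or weak root certificates found.'
}
```

Treat the output as a review list rather than an auto-removal list: some legitimate older roots also carry SHA-1 self-signatures, so confirm each entry against the list of required Windows roots before removing it.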

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device.

Oy vey, eBay! Five questions for you…

Image courtesy of Richard Elzey used under Creative Commons

If you’re making a list of high profile data breaches, you now have a new name to add to that list; eBay. In a posting in the “in the news” section of their web site eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.

Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view. For now, if you’re an eBay user, you need to change your password there and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy, that’ll have to stay compromised I’m afraid.
