Tag Archives: Social Engineering

The Death of InfoSec



Security should be built-in, not bolt-on. Security should never be an afterthought. Secure by design, secure by default these and more have become mantra, at least in information security circles. It is clear that technology, infrastructure and services initially designed for ease-of-use, maximum compatibility or openness will appear to be constrained by the security team after the event.

A notion that has been rolling around in the sometimes preternaturally silent caverns of my cranium for a while now, and something I have brought up on the last couple of panels I have sat on, is “Are we insisting hard enough?” This is not a security issue; this is a business issue.

If “secure by design” is the ideal state, why is it that we continue to have a bolt-on Information Security function? Information Security should be embedded in the enterprise structure; a business secure by design.

Another truism is that security professionals “need to learn to speak the language of business” and I have heard many security professionals express that same desire. It is equally true that business needs to learn to speak the language of security.

Every successful breach relies on a vulnerability, but there is still a disproportionate focus on vulnerabilities in code or configuration, rather than in process or people. Frequently it is simply the way that we do something, rather than the tools that we use, that enables an attacker to gain a foothold in our enterprises. Yet we still focus on patch and vulnerability management instead of embedding security in business processes.

Some more forward-looking organisations may already be exploring the concept of “security champions” or “security ambassadors” as a component of their security awareness program, but we can and should go further. The Information Security team should be distributed and embedded throughout the organisation, empowered security experts within each business function who carry that responsibility. Our business needs to be secure by design.

Meet your new InfoSec Team

The Human Resources team, Sales, Marketing, Research & Development, Finance, whatever is relevant to your enterprise; each of these need a full-time security specialist with direct impact on departmental strategy and governance, procurement, third-party management, manufacturing, design, communications and more. Each of these reporting to the CIO/CISO with a dotted line to their own departmental heads. This is your new Information Security Team

The most obvious counter argument to this kind of structure is, of course, cost. The prospect of finding the cash to fund an extra head in every department is alarming at face value, but the more you consider how this approach translates to your own enterprise, the more attractive it becomes. It is not always an extra resource, often a redistributed one; the Information Security diaspora. This individual is a security expert, but also a full-time member of their respective team with a clear understanding of the goals, the roadmap, legislation and regulation, business requirements and drivers of that part of your business. They understand the use cases and respective urgency of technology requirements and are able to correlate the business need and the security “bigger picture”. Your embedded security resource learns new skills themselves from their departmental peers and also passes on their own security culture. Your distributed team simplifies the security audit, training, incident reporting and enhances customer experience, both internal and external.

No more marketing emails that ask your customers to “click a link to update their details”, no more ad-hoc appointment of third-party suppliers with inadequate security, no more public-facing web-servers vulnerable to SQL injections, no more shadow IT. No more.

Unparalleled visibility, integration and control, continuous education and improvement, and security embedded in every aspect of the business. Information Security is no longer the Department of No, it becomes the Department of How.

The more this architecture is adopted by leading businesses, the more secure we will make our inter-corporate communications and projects, as well.  Security will find its counterpart in every partnership, you are building a secure physical API for the enterprise.

Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!.

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities, the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments would be a *very* bad idea right now, expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images but the reality of many of these images, confirmed in some cases by the victim’s agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide scale “hack’ of Apple’s iCloud is unlikely, even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1- (Least likely) All the celebrities affected had weak, easy to guess, passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity that it is for you and I?

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled, through oversupply. Of course if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh and the other thing stop taking naked photos.

Oy vey, eBay! Five questions for you…

Image courtesy of Richard Elzey used under Creative Commons

If you’re making a list of high profile data breaches, you now have a new name to add to that list; eBay. In a posting in the “in the news” section of their web site eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth

Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view. For now, if you’re an eBay user, you need to change your password there and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy, that’ll have to stay compromised I’m afraid.

Continue reading