Thursday, 19 February 2015

Lenovo's Superfish is Adware at Best and Malware at Worst

Since the middle of 2014, Lenovo have been pre-installing a piece of software commonly known as 'Superfish' onto its new laptops and PCs. In recent days the "Cyber Security" press has questioned the validity of Superfish, saying that it invades personal privacy, and that it exposes Lenovo users to data theft, they do have a point. Although Lenovo aren't the first to covertly push the privacy boundary for commercial gain, and they won't be the last either.

Adware at Best
Superfish operates fairly covertly in the background of the operating system, as you search online the software returns related advertisements back onto the desktop. These advertisements are chosen by Lenovo, and provide revenue to Lenovo when clicked upon. This is in affect adware, namely a user unwanted and unnecessary piece of software running on the operating system, it appears to be of no benefit or aid to the user, its main purpose is to provide an income for Lenovo. If we needed any additional help with our online searches, I am sure Google would have thought of it first and have provided it. Therefore I can only conclude, Superfish has to join the long list of adware software, which includes every browser search toolbar under the sun, as they simply aren't necessary, if anything they slow your web browser and searches down, for what? to make money for a non-welcome third party. Yes, adware is unwelcome on any system.

Malware at Worst
Superfish goes beyond being just adware, and has a more serious privacy and security concern, the software opens up users to the possibility ofprivacy snooping directly by Lenovo and by malicious third parties.  When you access a encrypted (https) website through a web browser, the browser sets up an end-to-end encrypted communication channel directly to the website, protecting all traffic sent to and from. This encrypted communication is vital security requirement to protect online banking, e-commerce, social media, and even web searches from being spied upon and stolen by third parties. Superfish installs a self-sign root certificate on the operating system, this allows Lenovo to intercept web traffic between the web browser and with any https protected website. The reason behind this is to allow the Lenovo advertising system to read and analyse the data, as sent by the user over the encrypted channel, so appropriate advertisements of interest can be placed onto the desktop. In wake of the Snowden relations, the internet has rapidly adopted encrypted website connectivity, even search engines like Google now provide https encryption connectivity by default to protect their user's privacy, this is why Lenovo need to use this dodgy method to break the Google website encryption to access their customer's search data, a goldmine of commercial exploitation for Lenovo.

The Superfish method of breaking https is nothing new, and has been used by malicious actors for years, it is commonly known as a "man in the middle" (MITM) attack. 

The Superfish method, as with any MITM attack, most users are oblivious that their secure https web connection has been compromised, and their private data is being snooped upon by a third party. With Superfish, we need to trust Lenovo, a Chinese company, will be completely ethical with this power, and not use Superfish to snoop people's private information. Given Lenovo's keen interest in directing advertisements for profit at its customers, the abuse of this power has to be a concern. But it gets worse, Superfish opens up the possibility of malicious actors taking advantage, by creating malware that exploits the Superfish software, cyber criminals may be able to use the Superfish root level certificates to MITM attack any website accessed through the Lenovo host system by the user.

Current Situation with Superfish
After receiving user complaints Lenovo announced it had "temporarily removed Superfish from consumer systems". 

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues. - Lenovo Forum AdminThere have been a few other statements made by Lenovo since the negative publicity, saying they will remove Superfish from new machines and disabling it from others. However Lenovo are being far too coy for my liking. Therefore I suggest Lenovo users check for the presence of Superfish, and if it is there, remove it themselves.

How to Detect and Remove Superfish
Not all new Lenovo Laptops and PCs had Superfish pre-installed, so first determine if you have Superfish installed, there are several methods, here are three...

  • This website will test for the presence of Superfish https://filippo.io/Badfish/
  • If you notice while searching a "Visual Search Results" section and "powered by Visual Discovery", it is certain you have Superfish running.
  • Press the "Windows Key" & "R" to open the Run tool, then enter certmgr.msc and run to launch Window's Certificate Manager. Then click the "Trusted Root Certificate Authorities", next click "Certificates". if you see a certificate which says "Superfish, inc".

Example of the Superfish Certificate

There are several methods to stop and to remove Superfish, but the sure fire way to make sure your Lenovo system safe is to delete the Superfish Trusted root certificate..
  • Press the "Windows Key & R" for the Run tool, enter certmgr.msc and run to launch the Certificate Manager, then select "Trusted root certificate authorities", next click "Certificates", find the Superfish entry, right click it and select "Delete".  Also make sure to check under each user account on the system. I recommend using a registry cleaner to make sure all instants of Superfish Certificate are gone. Finally to ensure it has gone, visit the test website https://filippo.io/Badfish/ 

Friday, 23 January 2015

The Ongoing Security Awareness Problem:

Quite often I am sent reports, InfoGraphics and articles to post on this blog, many are too sales orientated or too off topic to consider, but the odd one is well worth sharing. So the following post and InfoGraphic has been provided by the UAB Collat School of Business, focusing on, in my view, the most riskiest and yet most neglected areas of Information Security, staff information security awareness. This maybe a little US focused, but the findings and advice mirrors what's seen within UK businesses. I've highlighted some very alarming statistics which shows the management 'god complex' attitude towards information security, and the business data leakage to the cloud.

Employees and General Information Security
Over 80%t of companies say that their biggest security threat is end user carelessness. 75% of companies also believe that employee negligence is their greatest security threat. 3% of all United States full time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using less than five different passwords to access anywhere between twenty five to fifty websites, some of which were business and professional locations. Over 33% percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority of these incidents.

Top Mistakes
Many mistakes committed by employees are entirely avoidable. Things such as sharing passwords with others and leaving their computers unattended outside the workplace all contribute to security problems. Employees are strongly encouraged to use different passwords for different websites, and to change them frequently. Additionally, it is important to delete data when it is no longer being used on the computer, as well as avoid connecting personal devices to company networks and databases.

Largest Threats to Information Security
Senior managers are as much a culprit of problematic behaviour as their employees. Over 58% of senior managers have accidentally sent crucial and private company information to the wrong people. 51% percent of all senior managers have also taken private files from the company with them after they left the job. Business owners may end up compromising their own company’s security as well. Over 87% of all business owners regularly upload files from work to a personal cloud or storage network. 63% of  business owners also use the same passwords to log into different systems in both business and personal affairs.

Tips on Promoting Security
There are many solutions that can be taken to help keep the workplace safe. One of the first of these is to implement a strict, written set of security guidelines. Enforcing physical restrictions to personal data is also recommended. Destroying older data in a more timely fashion can also help resolve many security risks. Generally raising security awareness in the workplace by training and educating employees in proper and improper behaviour can be a good idea. All business owners and leaders are strongly encouraged to become more vocal about security in the workplace.

Employees and Specialised Training
Proper information and security training on a professional level can also help reduce the frequency and severity of security breaches. Over 37% of employees had received mobile security training, while over 40% of employees had received information sharing training. Increasing this number can help spread security awareness in the workplace on a much more efficient level, and businesses are encouraged to introduce some type of professional training program.

Current Bring Your Own Device Practices
Fortunately, while there is room for improvement in many companies, management professionals are also looking into ways to help improve Bring Your Own Device standards and practices. Over 40% of companies currently consider mobile device insecurities to be a large security concern. 15% of employees believe that they have minimal, or practically no, responsibility to safeguard the personal data stored on their devices. This type of thinking is what encourages security risks to occur in the first place. As a result, there is going to be an expected increase in security strategies of upwards of 64% for employees concerning the use of their personal devices over the next twelve months.

Information Security Recommendations
Numerous security recommendations are already being considered by many companies and many businesses are planning on introducing more data leakage protection to help control what data mobile employees will be able to send through Bring Your Own Device practices. This can help prevent the transfer of regulated data through unsecured apps. These plans can also help prevent employees from accessing data on unsecured devices, or transferring unsecured data on their own devices. Future demands will also require owned devices to have a password necessary in order to access the stored data. Many training programs are also going to be planned as well, which will inform employees of the necessity of adhering to, and enforcing, data security regulations.


Tuesday, 6 January 2015

2015 & UK websites still fail miserably to protect Customer Data

The New Year was ushered in with news that both Moonpig.com and the UK Police National Property Register websites, had vulnerabilities that placed millions of UK citizen’s personal information at risk of data theft.

Moonpig had 3 million customer records exposed by a basic web application vulnerability. By changing the customer ID number on an unauthenticated API request (the website's Application Programmable Interface). An attacker could return different website users personal data, which included their name, address, birth date and email address. By writing a simple script an attacker could (might) have taken a copy of millions of customer records. Worst still this serious vulnerability was reported to Moonpig some 18 months ago.

It only takes a few minutes on the Moonpig website to see they are a million miles away from adhering to industry best practice web (application) site security, as advocated by the likes of OWASP. It appears that the Moonpig website has never been properly Penetration Tested; if it has, then either the pen testers have done a terrible job, or the Moonpig staff have completely ignored fixing vulnerabilities discovered by the test.

The first thing I noticed when I set up a Moonpig account a couple of years back, is that I was provided with a default 8 digit password. That’s digits as in just numbers, even primary school children know only using numbers is a terrible idea when setting a password, trust me as I have educated quite a few school kids on password security in my time. Poor default passwords are a tell-tale sign of overall poor website security.

Moonpig.com has still not been Secured
The next thing I observed (which is still present as I write this), is the website does not timeout user sessions in an adequate timescale. When you close down the Moonpig.com website on your web browser, you may believe you have logged out of the website, but give it 20 minutes or so, open Moonpig.com on your web browser, then you, or if using a shared computer possibly someone else, still has a user logged in access to the Moonpig website (authenticated).  It is 101 web application security to set a website session idle timeout, depending on risk, to between 5 and 15 minutes. This logs an authenticated website user out of the website when a user is not actively using it. User session timeouts times play an important role in protecting user account against session hijacking and man-in-the-middle attacks, and is important enough vulnerability to be listed 3rd on the OWASP Top Ten.

If you have an account with Moonpig, you are probably thinking it would be wise to delete your account to ensure your personal information is kept safe. The problem is that you can’t delete your account via the Moonpig website, the best you can do is to remove all names and addresses of your loved ones and friends from your Moonpig address book. If you want your Moonpig account removed, which you fully entitled over UK law, I suggest you phone Moonpig on 0345 4500 100.

I expect the Information Commissioners Office (ICO), an independent body responsible for protecting UK citizen personal data, will take a dim view of the Moonpig's website, and take enforcement action against the business for the apparent flagrant disregard in protecting their customer's personal information.

Immobilise WebApp flaw was both Serious and Embarrassing
The serious vulnerability in the UK Police National Property Register website, Immobilise, is highly embarrassing to say the least. The Immobilise website allows members of the British public to list valuables kept within their homes. A similar web application vulnerability to that of the Moonpig website was found, by changing the ID number in the website URL, an attacker could gain access to different people’s records. This is possible due to a lack of a user authentication check by the website code. The Immobilise website data includes a name and address along with a list of valuables with an estimated value of each item, this just happens to be the perfect information for any would be burglar, hence the high embarrassment. Over 4 million records were placed at risk by this basic web application coding vulnerability.  Recipero, the provider of the Immobilise website, acted quickly to resolve the vulnerability, however the presence of this kind of vulnerability suggests the website was not properly penetration tested, or it was and either a poor testing job was done, or the vulnerability was previously detected but not fixed. 

The Moral of these Website Vulnerabilities
The moral of both these news stories, if your business has a website which holds personal or confidential information, ensure you have the website penetration tested by a reputable penetration testing company before the website goes live on the Internet. Then ensure the website is penetration tested on an at least annual basis there after, and after any significant change made to the website code. It should go without saying that any vulnerabilities found by pen testing are resolved. A quality penetration tester will be happy to explain the vulnerabilities found, and to advise developers on how to fix them. Make sure any Critical, High and Medium level vulnerabilities detected are not only resolved, but are re-tested before going live with the website.

I also recommend to perform an automated vulnerability scan of all websites. Subject to the risk, conduct automated vulnerability scans either daily, weekly or at the very most monthly, quarterly is not frequent enough in my view. The likes of Outpost24 Outscan provide quality external automated website vulnerability scans, which detects many web application vulnerabilities, helping keeping a step ahead of the bad guys that seek to exploit website vulnerabilities for personal gain.

Tuesday, 18 November 2014

MS14-066: To Patch or Not to Patch?

Note: Since I originally posted this, Microsoft have updated the MS14-066 patch, which they say now resolves the issues the original patch caused.

A week ago (11th November 2014) Microsoft released a patch for of the one most critical Microsoft vulnerabilities seen in a long time – MS14-066. The vulnerability is in the Schannel (Microsoft Secure Channel) component, which is present in pretty much every version of Microsoft Windows, including the unsupported Windows XP and NT. The vulnerability may allow remote code execution by an attacker, but what makes this vulnerability stand out as a particularly more serious than the typical Microsoft remote code execution vulnerabilities, is it can be exploited directly via a network connection, and there is nothing which can be done to mitigate it, other than switching off or network disconnecting your Windows system.

Microsoft Windows servers and services that have direct Internet connectivity pose the highest risk, whether they be ISS web servers or VPN services, unpatched against MS14-066, they are at high risk of exploitation. But that is not to say users of Windows OS on desktops and laptops are not at serious risk as well.

Therefore it should be a complete ‘no brainer’ for business to quickly apply the MS14-066 patch, but a curveball has been thrown, in that there has been reports of server issues occurring after applying the patch, specifically with TLS 1.2 causing services to hang or to disconnect. Microsoft have published a work around for this issue, which involves deleting the following ciphers from the registry, a simple enough fix.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

So to the question I have been asked quite a bit this week, should this patch be applied now or should we wait until Microsoft release a more reliable patch?

Well firstly a golden rule of patching critical servers is to test the patch first, as patching always carries a risk of impacting the availability of services and breaking applications. The TLS 1.2 issue is straightforward to test for and simple enough to resolve if found to be a problem in testing.

Another golden rule of patching is to have a back-out plan, any patch carries a risk of breaking systems and applications, even with testing, so there should always be written plan to roll back critical systems should a patch cause an issue.

The ‘whether to patch now’ question becomes even more clear-cut when you consider it this way; with this vulnerability remaining present (unpatched), it means there is a significant risk for the compromise of confidentiality & integrity, whereas applying the patch carries a risk of losing server/service availability. 

High Risk of Confidentiality Compromise (unpatched) Vs Low Risk of Availability (patched)

Availability rarely trumps confidentiality in InfoSec, and in my view it certainly doesn’t in this scenario when weighing up the risk of not applying the patch, remember there is nothing that can be done to mitigate the risk of an unpatched system, other than applying the patch.

Therefore my conclusion is to quickly apply the patch to all Windows OS, testing for TLS 1.2 issue with any critical systems, and to start with patching all Microsoft OS Internet facing services first.

Sunday, 28 September 2014

Why the UK Needs More Cyber Professionals

I am a huge fan of well a made Infographic, as they make an effective method to quickly convey issues backed by statistics, so when Norwich University’s Online Masters Degree in Information Assurance sent me a compelling Infographic they created on 'Why the US Needs More Cyber Professionals', I'd thought it would be very handy to share it. 

The Norwich University Infographic might have 'US' in the title and talk about dollar costs, but you can easily substitute 'US' to 'UK' and the $s to £s, as in the UK we too are facing a serious skills shortage of Cyber Security Professionals, just ask any InfoSec recruiter. The Infographic shows the demand for cyber security professionals has grown 3.5 times faster than the demand for other Information Technology professionals in the past five years. This is the simple economics of demand exceeding supply, which is leaving businesses with rudderless information security management and practises, this in turn eventually leads to needles and expensive compromises.

The question is what is going to be done to tackle this issue, how can we produce a continuous crop of significant numbers of Information Security professionals to keep pace with the demand of UK business.

Sunday, 21 September 2014

InfoSec Blogs You Should Be Reading

The Security Innovation Europe Blog has listed 40 Information Security Blogs You Should Be Reading, which lists some of the best InfoSec bloggers around, and myself. So if you are lacking a bit of information security reading or just want an alternative opinion to the mainstream media InfoSec FUD, you know where to go.

Friday, 18 July 2014

A developer's guide to complying with PCI DSS 3.0 Requirement 6

I have written the following article for IBM which was published on IBM's DeveloperWorks
A developer's guide to complying with PCI DSS 3.0 Requirement 6 (website)

A developer's guide to complying with PCI DSS 3.0 Requirement 6 (PDF)

The Payment Card Industry Data Security Standard (PCI DSS) is a highly prescriptive technical standard, which is aimed at the protection of debit and credit card details, which is referred to within the payments industry as cardholder data. The objective of the standard is to prevent payment card fraud, by securing cardholder data within organizations that either accept card payments, or are involved in the handling of cardholder data. PCI DSS consists of 12 sections of requirements, and usually responsibility for compliance rests with IT infrastructure support. PCI DSS requirement 6, however, breaks down into 28 individual requirements, and sits squarely with software developers involved in the development of applications that process, store, and transmit cardholder data. PCI compliance heavily revolves around IT services. IT focused compliance managers that are tasked with achieving compliance within organizations, often lack the required software developer knowledge and experience to help assure that the application development meets the arduous requirements of PCI DSS.

Sunday, 6 July 2014

Xbox One & PS4 Gamer Security

From the very first moment gamers played online, their accounts have been targeted by hackers. But hacking gamer accounts is no longer just about revenge and community kudos. There is serious money to be made from stealing access to gamer accounts, ranging from selling virtual gaming items and gaming currency for real money, to stealing bank account & credit card details. It is a subject I have touched upon several times over the years:

How to keep your Final Fantasy XIV Online Account Safe & Secure
PlayStation Hack: PSN Gamers Security Help
Is Club Penguin Safe for my Child?
World of Warcraft: Does the Internet have controllable Borders?

Last year's launches of Microsoft's Xbox One and Sony's PS4 consoles, have swelled the number of online gamers into millions, so is gamer security a problem that is set to raise? 

Yes, and no, I think online console gaming security has improved in recent years, as Microsoft and Sony understand a secure online gaming network is an essential part of their billion pound business model. Poor online gaming availability and the loss of trust by the millions of gamers using their gaming consoles and services, equates to a significant loss of revenue, so their motivation for having a decent level of security to protect their gaming systems is clear to see.

There will always be cases of third party gaming websites that are breached, which result in gamer account details being compromised on mass. Website security is an issue that is not going to go away any time soon, regardless of the industry.

New gamers need to be continually educated about the third party risk to their accounts, as many assume there is none.  Gamers need to be aware of the various pitfalls enacted by scammers seeking access their valuable gaming accounts. The most common gaming account thefts occur due to phishing scams, trojan horse websites & forums, and dodgy third party game plug-ins.

MicroTrend has kindly provided the following "Ahead of the Game" InfoGraphic on gamer security, there's some big numbers in there.



Sunday, 22 June 2014

Scan your app to find & fix OWASP Top 10 2013 vulnerabilities

I have written the following article for IBM which was published on IBM's DeveloperWorks

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (website)

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (PDF)

Today's modern web applications are more than a match for most desktop PC applications and continue to push boundaries by taking advantage of limitless cloud services. But more powerful web applications means more complicated code, and the more complicated the code, the greater the risk of coding flaws — which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors, bent on profiteering from data theft, or gaining online notoriety by causing mischief. This article looks at securing web applications by adopting industry best application development practices, such as the OWASP Top 10 and using web application vulnerability scanning tools.