MS14-066: To Patch or Not to Patch?

Note: Since I originally posted this, Microsoft have updated the MS14-066 patch, which they say now resolves the issues the original patch caused.

A week ago (11th November 2014) Microsoft released a patch for of the one most critical Microsoft vulnerabilities seen in a long time – MS14-066. The vulnerability is in the Schannel (Microsoft Secure Channel) component, which is present in pretty much every version of Microsoft Windows, including the unsupported Windows XP and NT. The vulnerability may allow remote code execution by an attacker, but what makes this vulnerability stand out as a particularly more serious than the typical Microsoft remote code execution vulnerabilities, is it can be exploited directly via a network connection, and there is nothing which can be done to mitigate it, other than switching off or network disconnecting your Windows system.

Microsoft Windows servers and services that have direct Internet connectivity pose the highest risk, whether they be ISS web servers or VPN services, unpatched against MS14-066, they are at high risk of exploitation. But that is not to say users of Windows OS on desktops and laptops are not at serious risk as well.

Therefore it should be a complete ‘no brainer’ for business to quickly apply the MS14-066 patch, but a curveball has been thrown, in that there has been reports of server issues occurring after applying the patch, specifically with TLS 1.2 causing services to hang or to disconnect. Microsoft have published a work around for this issue, which involves deleting the following ciphers from the registry, a simple enough fix.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

So to the question I have been asked quite a bit this week, should this patch be applied now or should we wait until Microsoft release a more reliable patch?

Well firstly a golden rule of patching critical servers is to test the patch first, as patching always carries a risk of impacting the availability of services and breaking applications. The TLS 1.2 issue is straightforward to test for and simple enough to resolve if found to be a problem in testing.

Another golden rule of patching is to have a back-out plan, any patch carries a risk of breaking systems and applications, even with testing, so there should always be written plan to roll back critical systems should a patch cause an issue.

The ‘whether to patch now’ question becomes even more clear-cut when you consider it this way; with this vulnerability remaining present (unpatched), it means there is a significant risk for the compromise of confidentiality & integrity, whereas applying the patch carries a risk of losing server/service availability. 

High Risk of Confidentiality Compromise (unpatched) Vs Low Risk of Availability (patched)

Availability rarely trumps confidentiality in InfoSec, and in my view it certainly doesn’t in this scenario when weighing up the risk of not applying the patch, remember there is nothing that can be done to mitigate the risk of an unpatched system, other than applying the patch.

Therefore my conclusion is to quickly apply the patch to all Windows OS, testing for TLS 1.2 issue with any critical systems, and to start with patching all Microsoft OS Internet facing services first.

Why the UK Needs More Cyber Professionals

I am a huge fan of well a made Infographic, as they make an effective method to quickly convey issues backed by statistics, so when Norwich University’s Online Masters Degree in Information Assurance sent me a compelling Infographic they created on 'Why the US Needs More Cyber Professionals', I'd thought it would be very handy to share it. 

The Norwich University Infographic might have 'US' in the title and talk about dollar costs, but you can easily substitute 'US' to 'UK' and the $s to £s, as in the UK we too are facing a serious skills shortage of Cyber Security Professionals, just ask any InfoSec recruiter. The Infographic shows the demand for cyber security professionals has grown 3.5 times faster than the demand for other Information Technology professionals in the past five years. This is the simple economics of demand exceeding supply, which is leaving businesses with rudderless information security management and practises, this in turn eventually leads to needles and expensive compromises.

The question is what is going to be done to tackle this issue, how can we produce a continuous crop of significant numbers of Information Security professionals to keep pace with the demand of UK business.

InfoSec Blogs You Should Be Reading

The Security Innovation Europe Blog has listed 40 Information Security Blogs You Should Be Reading, which lists some of the best InfoSec bloggers around, and myself. So if you are lacking a bit of information security reading or just want an alternative opinion to the mainstream media InfoSec FUD, you know where to go.

A developer's guide to complying with PCI DSS 3.0 Requirement 6

I have written the following article for IBM which was published on IBM's DeveloperWorks

A developer's guide to complying with PCI DSS 3.0 Requirement 6 (website)

A developer's guide to complying with PCI DSS 3.0 Requirement 6 (PDF)

The Payment Card Industry Data Security Standard (PCI DSS) is a highly prescriptive technical standard, which is aimed at the protection of debit and credit card details, which is referred to within the payments industry as cardholder data. The objective of the standard is to prevent payment card fraud, by securing cardholder data within organizations that either accept card payments, or are involved in the handling of cardholder data. PCI DSS consists of 12 sections of requirements, and usually responsibility for compliance rests with IT infrastructure support. PCI DSS requirement 6, however, breaks down into 28 individual requirements, and sits squarely with software developers involved in the development of applications that process, store, and transmit cardholder data. PCI compliance heavily revolves around IT services. IT focused compliance managers that are tasked with achieving compliance within organizations, often lack the required software developer knowledge and experience to help assure that the application development meets the arduous requirements of PCI DSS.

Xbox One & PS4 Gamer Security

From the very first moment gamers played online, their accounts have been targeted by hackers. But hacking gamer accounts is no longer just about revenge and community kudos. There is serious money to be made from stealing access to gamer accounts, ranging from selling virtual gaming items and gaming currency for real money, to stealing bank account & credit card details. It is a subject I have touched upon several times over the years:

How to keep your Final Fantasy XIV Online Account Safe & Secure
PlayStation Hack: PSN Gamers Security Help
Is Club Penguin Safe for my Child?
World of Warcraft: Does the Internet have controllable Borders?

Last year's launches of Microsoft's Xbox One and Sony's PS4 consoles, have swelled the number of online gamers into millions, so is gamer security a problem that is set to raise? 

Yes, and no, I think online console gaming security has improved in recent years, as Microsoft and Sony understand a secure online gaming network is an essential part of their billion pound business model. Poor online gaming availability and the loss of trust by the millions of gamers using their gaming consoles and services, equates to a significant loss of revenue, so their motivation for having a decent level of security to protect their gaming systems is clear to see.

There will always be cases of third party gaming websites that are breached, which result in gamer account details being compromised on mass. Website security is an issue that is not going to go away any time soon, regardless of the industry.

New gamers need to be continually educated about the third party risk to their accounts, as many assume there is none.  Gamers need to be aware of the various pitfalls enacted by scammers seeking access their valuable gaming accounts. The most common gaming account thefts occur due to phishing scams, trojan horse websites & forums, and dodgy third party game plug-ins.

MicroTrend has kindly provided the following "Ahead of the Game" InfoGraphic on gamer security, there's some big numbers in there.

Scan your app to find & fix OWASP Top 10 2013 vulnerabilities

I have written the following article for IBM which was published on IBM's DeveloperWorks

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (website)

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (PDF)

Today's modern web applications are more than a match for most desktop PC applications and continue to push boundaries by taking advantage of limitless cloud services. But more powerful web applications means more complicated code, and the more complicated the code, the greater the risk of coding flaws — which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors, bent on profiteering from data theft, or gaining online notoriety by causing mischief. This article looks at securing web applications by adopting industry best application development practices, such as the OWASP Top 10 and using web application vulnerability scanning tools.

Forget Windows XP, Does Unsupported Java pose a Greater Risk to the Enterprise?

Recent research shows 76% of enterprises analysed by Cisco has Java version 6, which Oracle stopped supporting in February 2013, 14 months before the highly publicised end of Windows XP support by Microsoft. Running unsupported Java is arguably a far more risky affair than unsupported Windows XP in the enterprise, and according the Cisco 2014 Annual Security report, the Java problem is going under the security radar.

As most Cyber Security professional will tell you, you should avoid installing Java unless you really have to have it, as the exploitation of Java vulnerabilities is a typical culprit behind web-based desktop compromises. Recent data from Sourcefire shows that Java exploits make up a staggering 91% indicators of compromise.

The Java Applet Risk

The highest area of risk with Java lies with Java applets (applications) which are executed within a web browser. The intent is for Java applets to operate in a safe sandbox within the confines of the web browser, so limiting the applet’s interaction with the operating system. But this intent does not matchup to reality, as hackers are able to write malicious website Java applets which exploit Java vulnerabilities, leading to compromise of the operating system hosting the web browser. Due to the compatible nature of Java, hackers are able to attack most web browsers and most operating systems.

Myth Busting: Java has nothing to do with Javascripts. Disabling Java in your web browser or removing Java from your system, will not break the vast majority of websites online.

Why old versions of Java are still Present in the Enterprise
The reasons why unsupported versions of Java are still present in the enterprise, can be often attributed to internal business applications and custom written Java apps, which simply do not work with the latest versions of Java. In other cases it is a lack of desktop application patch management and desktop application control which is to blame, this is often coupled with low awareness and understanding.

Managing and Mitigating the Enterprise Java Risk
The first course of action is to understand the extent of Java installations within the enterprise, this can be achieved by using application auditing tools to ascertain Java installations, including version numbers and patch level. Next is to review the business reason for each Java installation, ensuring there is a valid reason for its presence, namely to run a specific business application. Sometimes Java is a legacy presence for applications which are no longer used or exist. If there is no reason for Java to be there, remove it and then prevent users from installing it. It is surprising how many users are duped into installing Java on their desktops when visiting websites, when they don’t actually require it.

Where Java is required for an application, verify if the application is web browser based. If not, disable Java from running within the web browser, preferably by enforcing it using enterprise management tools. This significantly reduces the risk, as it is the potential of users executing untrusted Java applets while visiting dodgy websites online which poses the greatest risk with unsupported Java versions.

Where applications are reliant on old Java versions, it can be just a question of raising the issue with developers and suppliers, and pushing them into making their applications and applets compatible with the latest versions of Java. Sometimes there are cost issues here, as developers tend to charge for software upgrades, however there really shouldn't be any excuse for applications not to be continually supported to be secure of vulnerabilities as part of their life-cycle of use. An application that doesn't work with any of Oracle's supported versions of Java, can be regarded as having its own security vulnerability. Continued patching of systems and applications is a fundamental enterprise security best practice, neglecting patching leaves doors of vulnerabilities open for cyber attackers to exploit.

The post is brought to you by Cisco

You’re so hacked, you don’t even know it!

The standard information security management doctrine is to consider the internal IT infrastructure as a secure trusted zone, free from any malicious third party compromise. But the reality is different, as network intrusions, malware infections, data thefts and other malicious activities are not being detected within most UK business networks. According to the Cisco 2014 Annual Security Report, 100% of business networks analyzed by Cisco, have traffic going to websites that host malware.

Sophisticated and expensive security monitoring may well be implemented to detect malicious activity, but in my experience, monitoring and alerting systems are often poorly configured and not correctly base-lined. This results in the security staff being bombarded with a steady stream of false positive alerts, which completely hampers their ability to spot actual attacks. Security monitoring can also lure the business into a false sense of security, take File Integrity Monitoring (FIM), an excellent tool for detecting malware on IT systems, that is unless the malware operates in RAM, and uses unmonitored temporary files, in which case FIM is never going to detected it. Anti-virus (AV) is a security staple for detecting and preventing malware within nearly all businesses. But anti-virus protection has become an endless losing game of cat and mouse, with AV companies analysing over 150,000 pieces of new malware every day, they are struggling to keep pace. While expert hackers that specifically target businesses, will take the time to customise and fully test their tools and malware, to ensure AV and monitoring systems do not detect their malicious activities.

Security Monitoring Alerts - Can't see the wood for the trees

Many of the recent high profile data breaches, have involved hackers going unnoticed and freely operating inside company networks for months on end. Networks which were assumed to be secure.

For instance Target’s IT systems were first compromised by hackers on 12th November 2013. The intruders were able to test their credit card stealing malware on a selection of Target’s Point-of-Sale (POS) systems for several days, before deploying their malware onto POS systems within all of Target’s 1800 stores, just in time for the busy black Friday shopping weekend. Over the next few weeks the hackers stole 40 million credit card details and 70 million records of customer information, a whole month passed before the breach was eventually detected. The breach wasn’t spotted by Target either, they were informed by the US Department of Justice, after several banks had noticed a massive spike in fraud involving over a million credit cards. All the credit cards used in these fraudulent transactions had one thing in common; they all had been used for purchases at Target stores.

The subsequent forensic investigation of Target, discovered the hacker’s intrusion was detected and logged from the 12^th November onwards, however Target’s staff failed to notice and react to their security monitoring system’s alerts. This failure in detection and response is exactly what any hacker stealing information desires. In the case of the Target data theft, the hackers are racing against a ticking clock to monetize the stolen credit card data as much as possible, before the banks learn of the compromise. As soon as the banks establish credit cards have been compromised, they cancel and re-issue the stolen credit cards, which significantly devalues the credit card data stolen.

Target’s failure to spot the breach has cost them dear, if the breach was detected earlier, the amount of data stolen would be far more limited, meaning fines, which are based on the cost incurred to replace the stolen cards, would have been much less. But as it stands, Target has already spent $61 million in dealing with the breach, with another $100 million planned. This has resulted in Target’s like-for-like fourth quarter profits for 2013, to be massively down, along with their share-price. When data breaches of this scale and calamity significantly hit the business bottom line, the buck stops with those ultimately responsible in the boardroom. Inevitably in Target’s case heads rolled, not only did this breach cost the CISO his job, but it led to the CEO being fired as well.

The same story of failing to detect malicious activity rings true with many of the other recent big data breaches. A massive 145 million eBay customer account records were stolen by hackers in February 2014, it was almost 3 months before eBay discovered the breach. 158 million records was stolen from Adobe in September 2013, a whole month had passed before Adobe discovered this huge data loss, but only after hackers had posted all their stolen data online.

There are many UK businesses right now, regardless of their size, industry and security posture, have compromised IT systems and data losses going unnoticed. Right now there are dark websites, forums and chat rooms where global cyber criminals are trading access to, and use of, UK business IT systems.

The lesson is to never to assume the internal networks are secure, in fact the real lesson is to always assume the opposite. Thinking in this way takes you down the road of a more proactive form of information security management. For instance adopting more proactive security techniques like cyber intelligence, by finding out what hackers already know about your organisation, what they might be planning, and then counteracting, can help nip potential serious security incidents in the bud.

The cyber threat landscape is growing at an alarming rate, fuelled by the continued business adoption of mobility and cloud services. These increasing attack surfaces present the hackers with a new world of opportunities to steal information for self-profit. Information technological change presents new challenges for cyber security, a more proactive approach is required to keep up with the highly agile cyber criminals.

The post is brought to you by Cisco

SC Congress: POS Breaches, Target & PCI DSS Compliance

I was privileged to speak at the SC Congress in London today. I was asked to talk about my views on Point of Sale (POS) credit card data breaches which had recently occurred stateside, the role of PCI DSS compliance with such breaches, and whether the UK could expect similar breaches despite widespread adoption of Chip & Pin (EMV), and what are the lessons to be learnt. 

The following is a summary of what I said.

In the United States there has been a number of high profile Point of Sale (POS) credit card data breaches, occurring at around seven shopping chains towards the end of last year. The most provident of these breaches was at Target, where hackers stole an estimated 40 million credit card details.  The hackers managed to load credit card data stealing malware onto Target’s POS systems, in each of Target’s 1800 stores. It is one of the largest and most sophisticated data breaches the payment card industry has ever seen.

As Target cashiers swiped customer’s credit cards on a POS, which is essentially a workstation with a magnetic swipe card reader, the credit card data, which is in clear text on the magnetic stripe on the back of the card, is loaded into the POS RAM. At this point the malware on the POS would copy the contents of the RAM, this is known as RAM scrapping. The malware then moves the credit card data out of the Target network into the hands of the attackers, who sell them on to card fraudsters at a profit.

But there is much more to this breach than the POS malware, to better understand this, we need to rollback the timeline of start the breach process, to see how the attackers got the malware onto the POS systems in the first place.

It all starts with Fazio Heating & Cooling LCC, a company providing Heating, Ventilation and Air Condition (HVAC) services to Target. Target have provided Fazio with remote access into their network, to allow Fazio to perform ebilling and exchange project management information. It is understood this network access was a basic remote access system, it is suggested it could be as simple as an RDP connection, with Fazio remote accessing into a Target server using a username and password.  At some point in 2013, Fazio was subjected to a cyber attack, its employees were sent phishing emails laced with malware. This attack resulted in the theft of the Target remote access credentials. It is likely these remote access credentials were offered for sale online and then bought by the would-be card hackers, this is my assumption.

In mid November 2013 the attackers supposedly used the Fazio credentials to access the Target network. It is not clear whether Target had a flat network or had their payment systems network segmented from their corporate systems, my assumption would be the payment environment and store POS systems would have been network segmented, but we can’t be certain. Either way the attackers managed to gain access to Target’s payment network and POS systems within all 1800 stores.  The attackers likely spent the first few days customizing and testing their POS malware. The POS malware itself was probably purchased from a third party, there are suggestions it was a malware kit known as Black POS, which was written and sold by Russian teenager for couple thousand dollars.

Once the attackers had finished testing and had the POS malware successfully performing, they then used Target’s own systems to deploy the malware onto POS systems within all of Target’s 1800 stores.  At this point it is getting on to late November 2013, the busiest time of year for shopping in the US, think Black Friday. The POS malware lifted credit card details in the millions over the next few weeks. Meanwhile it is believed Target’s IT system’s logged and alerted this network intrusion, but there was no monitoring and reaction to these alerts by Target staff. Which is very good news for the attackers, as the clock is ticking for them to monetize credit card data before card issuers and banks learn of the data theft, which leads to the cancelation of stolen cards and the enabling of additional anti-fraud monitoring against possible compromised credit cards, all would significantly devalue the payment card data stolen.

The POS malware deposits the vast amount of card data onto compromised systems located around world, the hackers collate the data, and put them up for sale on ‘carding’ forums, chatrooms and websites in chunks, with individual cards sold for between $18 and $38, after which card details are used fraudulently.

After a couple of weeks of selling card data to fraudsters, the likes of Visa, Mastercard and banks spot a spike in fraud, since over million of the stolen cards are now being used in fraudulent transactions. They spot a common source with the fraud spike, in that the cards were all used at Target stores.  In mid December 2013, Target are contacted and told their payment systems have been compromised.  Target have no choice but to bring in forensic investigators, together with the involvement of law enforcement and the US secret service, go onto discover the POS malware, and also uncover that more than 70 million Target customer records (personal information) had also been stolen.

The PCI Compliance Factor

In September 2013, Target completed a Payment Card Industry Data Security Standard (PCI DSS) assessment by one of the largest PCI Qualified Security Assessor (QSA) companies. A PCI assessment, even by a seasoned QSA, is a sampling exercise, it doesn’t prove the entity being assessed is actually operating in a continued PCI DSS state, 24-7-365. A PCI DSS assessment boils down to a judgment of compliance, determined by interview questions, and the QSA reviewing sample from the environment. Nether–the-less Target tried to sue their QSA company due to the breach, but the lawsuit was quietly dropped a few weeks later.

It is highly doubtful that Target where operating in a PCI DSS compliance state at the time of the breach, given; remote access appeared not to use two factor authentication, there was poor third party management, poor network segmentation, poor system monitoring and reaction, etc. all are standout PCI DSS requirements. So you really can’t point the finger at the PCI DSS, so what of the QSA assessing compliance?  All QSAs have a ‘get out of jail free’ zero responsibility card when comes to PCI DSS assessments, perhaps you could question how thorough the PCI DSS assessment was, but without reviewing the actual documentation and Report on Compliance (RoC), there no way we can know.

The breach has really hit Target hard in terms of costs, the like for like Q4 profits was down significantly, with the company already shelling out $61million in dealing with the breach, and a further $100 million allocated for the upgrade of their POS systems to Chip and Pin. With the breach hurting the profits, it is little surprise to see CEO shown the door last month.

Could a POS breach happen in the UK?

Yes, and No. Skimming debit/credit card data from POS system is more difficult in the UK, given most POS systems use a dedicated separate chip and pin device, which is more often than not, is PCI-PTS security accredited. However if hackers gain access to the payment network of a company, then there are a multitude of attack methods that can be attempted to harvest credit card data on mass, they don’t need to attack the POS.

PCI DSS isn’t a broken standard, however we see in the new version, PCI DSS V3.0, released at the start of the year, that there is already a greater emphasis of third party management and penetration testing of network segmentation (from Jul 2015), two of the biggest areas of security weakness with Target.

I also spoke about my views on lack of plastic security evolution, pretty much as per my blog post – How the PaymentCard Industry could kill PCI DSS

My Closing Remarks

Debit/Credit card data should be regarded as toxic data by your business.  The data does not belong to the business and it does not belong to your clients. PCI DSS and the authorities around it, are only concerned with protection of their payment card data while in your business possession. Worst still, if you drop the security ball in protecting the payment card data, you pick up the tab in clearing up the mess. PCI DSS is mostly made up of best practice information security, but it is highly prescriptive in nature, and so isn’t an easy standard to fully comply with. PCI DSS compliance can be very costly to continually achieve, diverting your security budget away from protecting other forms of confidential data within the business.  The best course of action is to remove and/or reduce all payment card data within the business, using card scheme accredited payment service providers, can allow you to transfer risk over to them, while technologies like tokenization and end-to-end encryption, can help to keep the toxic payment card data and the required PCI DSS controls which go with it, at a bare minimum.

I was quoted in the media as saying:

“The best approach is to find ways of outsourcing all payment processes so that no payment card data is held or processed by the retailer"

"Alternatively, if payment card data cannot be avoided, ensure that it is encrypted from end to end so that even if systems are breached, attackers cannot use the data to commit fraud” 

Cloud is the New Security Perimeter

The rise of cloud computing is undeniable and unstoppable, information security professionals have to accept resistance to cloud is futile. The Cisco 2014 Annual Security Report, projects cloud network traffic will grow more than threefold by 2017, with businesses executives eyeing up cloud as the silver bullet in eliminating expensive IT hardware. This cost saving elixir means cloud solutions are often quickly steamrollered in by business, leaving information security playing second fiddle.

InfoSec Resistance to Cloud is Futile

More and more confidential information is moving towards the cloud, and if Cisco’s projection is correct, we can expect, if not already, vast volumes of information processed and stored by business to be typically cloud based. This data moving trend is the most radical change in information security since the dawn of the commercial Internet, and presents a major shift of the security perimeter.

Blindly trusting cloud service providers to deliver a level of security which is in tune with the business risk appetite, and the information security policy is foolhardy. Every security professional knows it is ‘Security 101’ to never to assume, yet security can be left on the sidelines by business leaders, as they are led starry eyed by tech giants like Microsoft and Google, into trusting the security of cloud services. Security assumptions enforced by tours of spotless multi-million pound data centres, which disguise most of the risks posed in the modern digital age.

One risk often brushed under the carpet, is the fact that any United States cloud service provider, is subject to the United States Patriot Act and the Foreign Intelligence Surveillance Act (FISA). These laws allow US government agencies and law enforcement to covertly and secretly acquire UK business data, even when the service provider’s data centre is located within European Union, or even on UK soil. This potential third party intrusion can be highly significant with some businesses in the UK, especially those with central government and MOD as clients. UK defence contractor BAE Systems, was forced to pull the plug on moving to the Microsoft's Office 365 cloud solution, after data sovereignty could not be guaranteed.

Cloud service providers are third parties, and as such should be treated to the same rigour of risk assessment and due diligence, as with any other third party the business permits connectivity with, or shares information. But such processes are often shirked in the mad cloud rush, missing the opportunity to fully appreciate risk, and where necessary apply risk treatment. There is no reason why the security of cloud services cannot be scrutinised by customers, and where necessary security improved. For instance encrypting data client side is a simple method to assure information confidentiality, preventing the cloud service provider staff, US agencies, and in the event of a security breach at the cloud service provider, malicious actors from accessing and acquiring the business’s confidential information.

Another aspect often overlooked with cloud services is availability; a typical and incorrect business assumption is that cloud services are not prone to outages. Yet there have been frequent outages with cloud services, even the world’s largest cloud service provider, Amazon Web Services (AWS), has had frequent availability issues. For example, last August an AWS outage took down social networking applications including Instagram and Vine.  Going hand-in-hand with the service availability stakes, is the increased importance of onsite internet connectivity resilience, which is increasingly becoming ever more essential. Given cloud services are becoming more core to the business operations, business resilience in provision of access to such services must not be overlooked.

Information security practitioners have to accept cloud is here to stay, and rise to the new challenges this new information security frontier presents, standing alongside business executives, instead of being dragged along on their coattails in futile protest.

The post is brought to you by Cisco

Time to Start Preparing for the New EU Data Protection Law

It's not secret that the UK Data Protection Law is long overdue a major overhall. Today's data protection law was actually devised in the early 1990s, long before the Internet explosion, Google and Facebook didn't exist, while common day concepts like big data mining and cloud computing was even beyond the imagination of science fiction writers of the time. The UK Data Protection Act (1998) is mostly derived from the European Data Protection Directive of 1995 and the 1984 UK DPA. Back in 1995 there was barely one million internet users in the UK, since then the usage of digital personal information has massively changed, it is high time for our data protection laws to catchup.

Human rights is a cornerstone of the European parliament's legal approach, with the right to privacy and the protection of personal data, regarded as a fundamental right for every EU citizen. For years European MPs have sort to introduce tighter privacy and data protection laws, however the global banking crisis and subsequent recession had delayed any action. Commercial concerns in tying European businesses up with too much red tape as they fight to take Europe out of one of the worst recessions in living memory, has taken precedence over digital privacy concerns. But post the Snowden revelations and thanks to the privacy crusading Viviane Reding (Vice-President of the EU Commission), Euro MPs are finally pushed through a huge raft of changes in EU data protection legislation, impacting not only businesses within European Union countries, but any business processing EU Citizen personal information, anywhere in the world.

Following a European Parliament vote on 12th March 2014, the new EU data protection reform has become irreversible. The voting was resounding in favour of adoption, with a massive 621 votes in favour, 10 against and 22 abstentions. The new law now is set in stone, no matter what happens in the EU elections in May 2014. There will be an EU meeting in June 2014, which will set about its adoption by EU members, and with all companies supplying goods and services to EU consumers. It is expected to be passed into actual law in 2016. These data protection changes will be hugely significant and will be problematic for all businesses, so there is no time to dilly-dally in starting preparation to comply.

New EU Relation Key Changes (in Plain English)
Regulation, not a Directive
The current EU Data Protection Law is a Directive, a directive can be open to some interpretation by member states, countries can bend the requirements as they adopt it into their country's law, and not enforce the law to the same extent as other member states. However the new EU DP law is a regulation, a "so it is written, so it shall be done" approach, no leeway at all, everyone has to follow the same rules exactly.

1. Data Breach Notification
All Data Controllers must notify ALL breaches of personal data to the Data Protection Authority within 72 hours.

This is a very significant new requirement, as in the UK only public sector organisations have to disclose breaches, even then there is no specific time limit set to disclose. To avoid major sanctions business will need processes which expedites the reporting and escalating of incidents, together with solid incident management procedures, to ensure any personal data breaches are quickly identified, so they can be disclosed within the 72 hour time limit.

2. Data Breach Sanctions
A number of new sanctions are available against companies that breach personal data, which include the issuing of a warning letter and enforcing periodic data protection audits, but the real game changer are the new financial penalties, which go well beyond the up to maximum £500K fines that can be issued by UK's Information Commissioners Office (ICO) under the current DPA law.

The new fines are up to 100m EUR or up to 5% of annual worldwide turnover in case of an enterprise, whichever is greater.
Also there the new regulations opens the possibility of individuals and associations, in taking legal action against companies responsible for breaching their personal information. I can just see the cheesy 'Data Breach Lawyers for You' adverts.

3. The Right to be Forgotten
This means personal data must be fully deleted upon request by an individual. This could be a real problem for cloud services that host personal data, but for most businesses this requirement will require significant changes, which include new business processes to handle requests in a timely fashion, and a technical capability within IT systems to remove an individual's data. I can also see deleting personal data from backup tapes is going to be a real issue.

Obviously government and some regulated personal data will not be subject to the 'right to be forgotten' regulation. For example where there is regulatory or legal requirements to keep the personal data, so criminals and bad debtors just can't have their criminal records and bad credit history removed upon request using the law. This new privacy law is aimed at the likes of Facebook, Google and big ecommerce websites, to ensure they adequately remove personal information upon request.

4. Individual Consent
Explicit consent must be obtained from individuals in order to store and/or process their personal data. Data controllers must be able to prove consent has been obtained. This new requirement could prove painful for some businesses to adopt.

5. The Data Protection Officer Role
Where a business processes more 5,000 records of personal data (the vast majority of businesses I would say), then the business must appointment a Data Protection Officer, who has responsibility to ensure all personal data is managed by the business in compliance with the law.

6. Personal Data Portability
Individuals upon request must be given a copy of personal data in a format usable for transfer to another processing system. For example if you were to change ISPs or energy suppliers, or your bank, the supplier you are leaving must provide your personal data in an acceptable ready to read format to the supplier that you are moving to.
The will mean businesses will require new processes and a technical capability to achieve.

7. Data Processor Liability Shift
Data Processors, who currently hide behind data controllers that have the lion share of the data protection liability, will be held jointly liable under the incoming new EU Data Protection regulations. So that cloud service provider now comes directly in firing line of sanctions, not just their customers that uses their service.

"In the digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data to third countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore." - European Commission memo 13/124

The Benefits of the New EU Regulations

The new EU data protection regulations means significant changes and cost for business, especially in their attitude towards data protection and information security. As a security professional I have to believe this is good, even if it is going to be a bitter pill for the business to swallow. But the law is not all bad news for business, it levels the playing field, in that all businesses must comply with the exact same rules, even businesses processing EU citizen data outside the EU. The new regulation makes third parties responsible and liable for protecting personal data in their care, which is great news for any business that relies on third parties to protect personal data on their behalf.

From an EU citizen's perspective, the new laws are certainly excellent news, especially for those that care about their privacy online, as even the US giants like Facebook, Microsoft and Google will be forced to abide by the new EU laws, whether they are outside the EU or hiding within a weak local data protection enforcement country within the EU. It also means we should be notified within 72 hours when companies lose our personal information, whether the breach was caused by accident or by a hacker. At present only public sector organisations within the UK have to disclose personal data breaches, which is pretty shocking. Citizens being told their personal information has been compromised, means individuals can take action to protect themselves from harm, by changing passwords, cancelling credit cards, checking for fraud activity, or even closing down accounts with companies that do a bad job in protecting personal information. If you think all of the UK banks have never been hacked and had personal data stolen, think again, it is just that they don't have to publicly disclose data breaches at present. Given that, the number of businesses that sweep personal data breaches under the carpet in the UK must be mind-boggling.

But all in all the new financial penalties, coupled with the reputational damage caused by  private businesses disclosing all their personal data breaches, will push a major shift in business leadership attitudes towards the protection of all personal data, which is good news indeed, although some might argue that the privacy horse has already long bolted from the stable.

Heartbleed made Simple

HeartBleed has suddenly become a very well known security vulnerability, because this simple vulnerability in OpenSSL has turned out to be one of the most critical and potentially devastating of all time, with over half million trusted websites said to be vulnerable. Over the last couple of days various security advocates and vendors have been lined up by the media, with ominous warnings of grave danger online due to Heartbleed.

Heartbleed is a Catastrophic Bug in OpenSSL - Bruce Schneier

However I have generally found main stream media have focused far too much on trying to sensationalise instead of explaining the vulnerability properly, and not explaining how organisations should resolve the problem, and how users can protect themselves. It is fair to say the media coverage has led to much confusion on Heartbleed, with both organisations and users alike, which I’ll attempt to dispel.

Heartbleed made Simple
Heartbleed, also known as CVE-2014-0160 in techie land, is a Critical Security Vulnerability identified within OpenSSL, a set piece of software which implements SSL/TLS encryption. This encryption software is used on many 'secure' websites (https), VPNs, Email Servers and Mobile Phone Apps. The vulnerability allows an attacker to change a memory instruction within a TLS Heartbeat request. This Heartbeat request is like a regular 'ping' between a server and client, and is used to maintain a secure network connection. An attacker can modify the heartbeat request to return the contents of a target servers memory heap, which can hold private encryption keys, user credentials and confidential information. It is as simple as that, although it typically takes thousands of heartbeat requests by an attacker before an attack successfully returns the information desired.

The Register has posted one of the best detailed technical descriptions on how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here to explain it - http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ 

There is also a nice video explanation of Heartbleed by Elastica Inc

Now the Heartbleed vulnerability has become so widely known, thanks to mass media, and given the ease that anyone can exploit it, immediate action by organisations and individuals is required.

Business & Organisations that Operate Secure Websites, Apps, VPNs, etc

1. Immediately identify all usage of OpenSSL Version 1.0.1 to 1.0.1f  in your organisation, and patch it - download here

2. Where OpenSSL version 1.0.1 to 1.0.1f was found and patching has been confirmed:

• Enforce user account password changes. The assumption to take is that user account names & passwords have been compromised. It is possible for an attacker to be completely undetectable while performing the Heartbleed exploit, therefore there is no way of assuring whether account credentials have been compromised or not.
• Invalidate all web session keys and cookies (hopefully done as part of the update)
• Issue new encryption key pairs; assume all private keys are compromised
• Review the content which may have been leaked due to vulnerability in OpenSSL, then action mitigation where required.

Everyone (Users)

If requested to change your password by an organisation, website, application etc, like a Nike 80s commercial, Just do it!

The media is full of advice for users, particularly advocating users should change all their website passwords. However this is a pointless exercise if the service you are using has not been patched to protect against Heartbleed, or perhaps the service has not even been effected by the vulnerability, as not all encryption makes use of OpenSSL, so check first.

• You can check which of the most popular websites/services are and have been vulnerable to Heartbleed using http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoidCIsImkiOiJfaDJ3emhmb2czdzhyaGJ2diJ9,
• Or, at your own risk as it maybe illegal in some countries to perform this check, you can directly check websites with http://filippo.io/Heartbleed/ 

Finally ensure to adhere to good practise password management. Considering using a password management vault system like LastPass, and ensure unique and strong passwords are used with all your website accounts. Particularly with any banking and email accounts, so should one of your weaker website accounts be compromised due to Heartbleed, the attackers don't have access to your more important accounts, which is a common issue when the people use the same password on multiple websites, the attackers understand some users do this and so check for it. 

See my other posts for further advice on password management:

http://blog.itsecurityexpert.co.uk/search/label/password%20security 

http://blog.itsecurityexpert.co.uk/2009/01/problem-with-website-passwords.html 

Heartbleed Infographic via BAE systems

Security Awareness Lesson on Loose Lips by Football Stars

Last week I was left rather concerned about the state of security awareness in the UK, after hearing various people in my train carriage rattle on loudly about information which was clearly meant to be kept confidential, a World War II awareness phrase comes to mind, Loose Lips sink Ships.  However my faith in personal security awareness has been somewhat been restored, as over the weekend I noticed many football superstars demonstrating a very simple security control, a control which I believe has been coached to them by their clubs, in other words information security awareness training. This simple tactic is to cover your month when speaking, a technique used to mitigate the risk of media, and perhaps opposition teams, from being able to eavesdrop what you are saying, namely by them using lip reading experts to interpret what is being said by watching TV or camera footage.

This practice was very evident in last night’s El Clasico, Real Madrid versus Barcelona, a match which fully lived up to the billing as the biggest club football match in the world. And what a match it was, some of the world’s best footballing talent on the pitch, playing amazing football, in a topsy-turvy match which was packed with controversy with three penalties, which saw Barca eventually run out 4-3 winners. Aside from the quality football, what I found particularly interesting, was an on the pitch conversation between Barca's Messi and Madrid's Pepe that was caught by the TV cameras, both demonstrated good security awareness by covering their mouth as they spoke to each other in conversation, see the pictures below.

 Messi & Pepe keeping their conversation private

On Saturday night I saw the same practice while watching Match of the Day. Wayne Rooney scored a goal from just inside the opponents half, mimicking David Beckham’s spectacular goal from his own half all those years ago. 

David Beckham and his family were actually in attendance, and sure enough a TV close up of David Beckham and his son Brooklyn followed Wayne Rooney’s goal celebration. Both David and young Brooklyn had their mouths covered with their hands while discussing Rooney’s goal. No doubt David was telling his son that his goal was better than Rooney’s goal. But the fact his son had his mouth covered with his hand suggests some sort of awareness training has occurred in my view, even if it was delivered by his security aware dad.

The Beckhams are Security Aware

My American friends will point out in US sports like American football, coaches on the sidelines have been hiding their mouth when barking out team instructions with a clipboard for years, but my point is this practice is relatively new to the UK sports, and I have observed it with English cricketers at the recent Ashes series, and with our Curling players at the recent Winter Olympics. But it is in football where it has become most prominent, you can spot the likes of Jose Mourinho using the mouth covering method all the time, especially after his private conversation about Samuel Eto'o and Fernando Torres was leaked to the media.

This makes me wonder what other security awareness training and practises have football clubs adopted in this technical age. These days at many Premier League clubs, players are handed iPads holding information about their gameplay and their opposition gameplay, especially so when used at half time. This information can be the difference between winning and losing a match, given the small margins involved in football,  and the vast amounts of money which can be gained or lost by success and failure, it means such information needs to be protected. The Manchester City reaction to their scouting database compromise is example of the importance of information security within the billion pound UK football industry.

Then there is social media awareness, a footballer’s comments on Twitter can land a football club in hot water with the FA and sponsors, resulting in fines and match bans for the player involved, for example Ashley Cole's £90,000 fine for a Twitter post or Jason Puncheon's recent fine for remarks on Twitter about a manager. So I think information security and the important awareness training that goes with it, is now being taken far more seriously by professional football clubs than it use to be a couple of years ago, the ultimate driver for this change is money.

Information Careless Great Britain: All Aboard the non-Privacy Train

This week I experienced a rather concerning two hour journey from London aboard a Virgin Pendolino train.

Might be the Age of the Train, but it's not the Age of Privacy Awareness

I had just taken my seat on board, and the train had just cleared the tunnel just north of Euston station. As I was settling in to the journey I noticed something through the gap of the two seats in front, like a magpie drawn to a sparkling object, something had caught my eye. I have spent years conducting security assessments, checking system logs and databases for the presence of credit card data. During this time I have unwittingly developed the canny knack of quickly spotting a 16 digit primary account number of a credit card, along with a expiry date and the 3 digit security code. My eyes were drawn to the laptop screen of the passenger in front, which had a webpage fully on show, which displayed his typed in credit card details, including the 3 digit security code, which was not obfuscated. In my disbelief I considered taking a picture with my phone, but then thought better of this, as it crosses an ethical boundary in my view. But if a more unscrupulous person than I did take a picture, then they could use the captured credit card details to easily commit credit card fraud, namely use it to buy items online.

The passenger is at fault on so many levels, obviously having your credit card details on open display within a public environment is not the greatest idea, a cheap laptop privacy filter could help reduce this risk, but not completely, I think my viewing angle would still have been good enough to observe his laptop screen. Then the website itself didn't look too secure in my view, in that the webpage didn't obscure the credit card information he had typed in, especially the 3 digit security code, which is not a good sign. Then there was the method of the internet access, I was pretty certain the laptop was connected with the train’s public WiFi. These days (hopefully) most people understand you should never enter credit card details to purchase anything over a public WiFi, as there is no way of telling if you are connected with a fake WiFi hotspot operated by data thieves, or whether someone is listening into (sniffing) all your web traffic, or even performing a man-in-the-middle attack, which is a method of defeating the encryption (https SSL) used by ‘secure’ websites.

I was still shaking my head and tutting to myself when the three ladies sat around the table seats to my left piped up. All three of them worked within the HR department of a UK footsie 100 company which I won't name, I know this because for most of the journey all they talked about was their work. First they spoke in detail about an individual which their company had recently fired. Stating this individual’s full name several times with the reason for the dismissal. They discussed how they would prepare for his employment tribunal in the following week. Next they started a real bitching session against their boss, again I'm naming no names. One of their boss’s emails was read out from a Smartphone and then ridiculed, along with further gossip...she said this, he said that, I said this. Their department restructuring is apparently a complete joke and a waste of time. Finally there were further and rather personal remarks about their boss and another individual working within their department, the irony of their HR role and the tribunal case they had been initially talking about, was not lost on me.

How many phone calls do you hear on trains?

While still doing my best to mind my own business, an annoying ring tone sounded from the seat behind me, and Mike X announced his presence to the rest of the coach, with a booming “Hello Mike X”.  He wasn't a relation to Malcolm X, I am using X to protect his real surname. We all learnt that Mike was quite the slick salesman, and how he was key to his company winning a £450K contract with a well known construction company. We also heard how he and his colleagues were going to provide the right kind of answers the construction company wanted to hear in their tender documentation, and that his company should not worry too much about details at this stage, unless it was something that was going to be clearly stipulated in the contract. Finally he told us all about his plans for the weekend, dinner with his wife on the Saturday, and golf with his chums on the Sunday.

You couldn't make this stuff up, for a moment I thought it was part of some elaborate prank, but Ant & Dec were nowhere to be seen, so I decided save myself from further annoyance by the passengers around me, I put on my headphones, pulled out my laptop, stuck on my privacy filter and wrote it up for this blog post.

Conclusion – Information Careless
I can't help but wonder whether this train carriage represents an average cross section on the level of security awareness in the UK in 2014?  No wonder cyber criminals target the UK, they know its citizen's are information careless, and are a cash rich soft touch. Information Security awareness by the UK government and companies is either proving to be not be very effective, or people already understand it well enough and are choosing not to give a dam.

Was Flight MH370 Cyber Hijacked?

The disappearance of Flight MH370 is turning into one of the biggest mysteries of the age, the evidence is sketchy, everyone seems to have their theory, and the media are running riot with endless speculation. As a security professional I can’t help but wonder whether there was a cyber element to the incident, especially given the high amount of technology used in modern fly-by-wire jet planes like the Boeing 777-200ER.

Was Flight MH370 Cyber Jacked?

I have managed and consulted with many cyber security incidents over the years, but the following will be my own conjecture. When I usually deal cyber incidents, my golden rule is to only deal with the facts and the evidence, and saving any speculation for the Sherlock Holmes fan club. But with this incident I am allowing myself the luxury of exploring potential cyber attack possibilities with the MH370 flight disappearance, as over the week quite a few people have asked me whether the flight could have been hacked, the ‘cyber jacking’ speculation will only grow after today’s headlines in today's Sunday Newspapers.

So lets start with the facts, we now know flight MH370’s transponder and the Aircraft Communications Addressing and Reporting System (Acars) were both disabled while the aircraft was over the South China Sea, and after this the Boeing 777 changed direction, heading West.

Could the transponder and Acars been disabled by a Cyber attack?

It may well be possible to jam a transponder and Acars from within the aircraft cabin, preventing such devices from broadcasting by using fairly basic equipment to swamp these devices receiving and broadcasting frequencies with noise, a denial of service attack if you will. But I think such an attack could also interfere with other aircraft systems and jeopardise the likely objective of the hijack, which appears to be taking control of the aircraft. I believe it is far more rational that the transponder and Acars were disabled by human hand, as it is far simpler to do than a cyber attack, and it guarantees these systems are actually disabled, and then remain disabled indefinitely. The human disablement is given further credence when you consider control of the aircraft had been achieved by the attacker or attackers; as control of the aircraft is proven by the radical course change.

Could the aircraft be remote controlled due to a Cyber Attack?

A Boeing 777 cannot be remotely flown from the ground as far as anyone is aware, but we cannot rule out the possibility that someone sat in the cabin could use a laptop or mobile phone, to infiltrate the aircraft’s computer systems and take control of the aircraft.  A sophisticated fly-by-wire Boeing 777 is reliant on its computer systems to fly, and can fly completely unaided through the autopilot. Attacking the aircraft’s computer systems and changing the autopilot settings is a possibility, however the problem I have with this theory is that autopilot can be overridden by the pilot and co-pilot from within the cockpit. It is very unlikely a hack could lock out the pilot controls and prevent the pilot from radioing such a situation to air traffic controllers. The most plausible explanation is usually the simplest, namely the aircraft is physically controlled by whoever is sat in the cockpit. If you have technical theory on how such attacks could work, please post in the comments as I would be very interested to learn how it could be done, but please go beyond from just mentioning PlaneSploit, and describe how such tools could be used to lock the pilot out from the aircraft controls.

Conclusion

In my view based on the current evidence, I believe we are looking at a sophisticated plane hijack, by a person or persons who have a high degree of expertise in aviation, not cyber security. Although the investigation should not rule out a cyber attack element, I think it is far more plausible to switch off the aircraft tracking and to take control of the aircraft from sitting within the cockpit, than sitting in the cabin with a laptop or mobile phone. We’ll see if my speculation at this time of posting is correct or not over the coming days and weeks, or perhaps even months or years, but lets not give up hope for a positive outcome for the many involved.

GCHQ Privacy Disregard Touches the Optic Nerve

The latest GCHQ revelation courtesy of The Guardian and Edward Snowden, is arguably the most privacy damming of them all. A GCHQ surveillance program called 'Optic Nerve', collected more than 1.8 million webcam imagines from Yahoo chat accounts between 2008 and 2010. The program saved one webcam image every five minutes from unknowing Yahoo users using private webcam chat.  One of the stolen GHCQ memos made no bones that the service struggled to keep the large store of sexually explicit imagery collected from the eyes of its staff.

The fact these images were collected on mass and indiscriminately without the knowledge of Yahoo's users, the vast majority of which are law abiding, is a real privacy invasion. Most worryingly is that such an undertaking could be "green lighted" by senior officials, this beggars belief, pointing to a general lack of human morality and to the uncontrolled power our security agencies have. This is what happens when covert security agencies are given a high degree of trust and power, but are held completely unaccountable for their actions.  

This has parallels with hackers, credit card fraudsters and even online cyber bullies, when certain people believe they are not accountable for their actions online, namely they feel they can get away with it, certain people will commit dark acts without the fear of any recourse and do dastardly things they certainly wouldn't repeat in the more accountable real world. Take the example of Curtis Woodhouse, a professional boxer who turned the tables on his cyber abuser by offering a £1,000 reward on Twitter is anyone who could identify his abuser. Duly enough he received a name and an address, and proceeded to travel across England to meet his abuser face to face, tweeting his progress along the way. As he reached the doorstep of his troll he received a full apology from him on Twitter. Just in the nick of time, and to Curtis' great credit he resisted demonstrating his boxing prowess to his abuser, but instead has used his cyber bully and the whole experience to raise awareness.

Back to the GCHQ privacy abuse, it is high time the UK government got a stronger grip with GHCQ, by holding them to account by introducing an independent privacy protection oversight function with all of their covert digital operations, and perhaps even direct GCHQ into helping to protect the UK's national cyber assets and critical infrastructure. The latter is especially important given this week we heard UK energy companies security is so weak, they can't obtain any cyber insurance.

The UK government needs to get its cyber priorities straight, and tackle the UK cyber defence problem, which is often talked about, but little is ever done. If the UK lost power or water due to a cyber attack, it would be national crises. As with their handling of GCHQ, the UK government are doing a poor job into holding profit hungry energy and utility companies to account for their security, even though their services are crucial to UK citizens and businesses alike.