Archive for the ‘Vulnerabilities’ Category

I get my hair cut at the local salon of a famous chain of beauty schools that stretches across the US. They are a subsidiary of a much larger, high-end beauty products conglomerate. I have gotten my hair cut at various locations for years. It’s a good value for the money, and the resulting hair cuts are at least as good as and often better than ones I have received at their full-price salons.

Friday, I called to schedule a haircut and a facial. The scheduler asked for my credit card number to reserve my appointment. I asked if this was a new policy. The scheduler said they only asked for a credit card number for services that had a large number of no-shows. I asked when my card was charged, and she tried valiantly to explain how it worked.

I declined to give her my card and asked her to set up an appointment only for the haircut.

The next day, when I went in for my hair cut, I asked for their written policy on storing credit card numbers:

  • How long is the card stored in their system?
  • Who has access to it and what can they see?
  • How and why is a transaction against my number authorized?
  • What other information are they storing with my credit card number? Name, address, phone number …
  • Are they using a third-party application or does a third party have access to my information?
  • Are they following the best practices (for example, encrypted databases and hashing card numbers) recommended by the Payment Card Security Standards Council, in particular, the Payment Application Data Security Standards, which are available from https://www.pcisecuritystandards.org/security_standards/index.php ?

The receptionist referred me to their call center, where I eventually spoke with a manager, who could not answer my questions. She promised to find out and email me the policy, which I have yet to see.

I mailed a letter to the executive chairman of the beauty products conglomerate and the manager of the local school. I am not going back unless they come up with a satisfactory policy. Any organization that stores credit card information should have a written policy that explains how they protect it, and it should be available on customer request. It is not only best practice from a Payment Card Industry point-of-view, but it avoids misunderstandings between customers, employees, and management.

I’ve been a customer for over 20 years. Privacy matters, data security matters, and if your organization doesn’t think enough of my business to adequately protect my information and be able to show me, I am going someplace that will. No matter how much I like your hair cuts.

I had an interesting experience last week (my life seems to be full of them!). I signed up to take a class that purported to give me a better understanding of what I was looking for in a career.

The first day of class the instructor gave us the URL for an application that he had developed to collect a considerable amount of information about each of us: likes, desires, Myers-Briggs profile, and results from other assessment tests. During the class break, I asked him why the application was not using HTTPS. He said it did, but it used a referrer. I looked at the code of the web site. Hmm, not that I could see.

When I got home, I loaded up Wireshark so I could watch the interaction of the packets with the application. The application definitely did not use HTTPS. I emailed the instructor. Oh, he said, there was a mistake in the documentation, and he gave me the “real” secure URL.

Ok, so this application is sending his clients’ first and last names, email addresses, passwords, and usernames in clear text across the Internet. Not a big deal, you say?

It is a big deal, because many people use the same usernames and passwords on their accounts around the Web. Then add in their email address and their personal information is owned by anyone sniffing packets on any unsecured network they might be using, such as an unsecured wireless network in a coffee shop, an apartment building, a dorm room ….

So, next—because I now had their “secure” website URL—I checked their website against http://www.netcraft.com/, https://www.ssllabs.com/ssltest/, and some other sites—all public information. According to these tests, the application was running Apache version 2.2.22, which was released on January 31, 2012, WordPress 3.6.1 (released on September 11, 2013), as well as PHP 5.2.17 (released on January 6, 2011). It is never a good idea to run old software versions, but old WordPress versions are notoriously insecure.

Please note: I am not recommending either of these websites or their products; I merely used them as a method to find information about the application I was examining.

Not only that, but the app used SSL2 and SSL3, so the encryption technology is archaic. Qualys SSL Labs gave the app an “F” for their encryption, and that was after he gave me the HTTPS address.

(“It was harder to implement the security than we thought it would be,” he said.)

Although I did not find out the Linux version running on the web server, based on my previous findings—which I confirmed with the application owner—I would be willing to bet that the operating system was also not current.

So, then I tried creating a profile. I made up first and last names, user name, and a test email from example.net (https://www.advomatic.com/blog/what-to-use-for-test-email-addresses). I tried “test” for a password, which worked. So, the app does not test for password complexity or length.

He asked me on the second day of class if I now felt more comfortable about entering my information in his application since it was using HTTPS. I said no; I said that his application was so insecure that it was embarrassing, that it appeared to me that they had completely disregarded any considerations about securely coding an application.

He said that they never considered the necessity of securing someone’s information because they were not collecting credit card information.

I said that with the amount of data they collected, a thief could impersonate someone easily. I reminded him that some people use the same usernames and passwords for several accounts, and with that information and an email account, any hijacker was in business.

Then he said that he was depending on someone he trusted to write the code securely.

Although I believe in trust, if it were my application, I would verify any claims of security.

I told him he was lucky someone had not hacked his website to serve up malware. I said that I was not an application penetration tester, but that I could hack his website and own his database in less than 24 hours. I said the only reason it would take me that long is because I would have to read up on how to do it.

I told him I would never feel comfortable entering my information in his application because of the breach of trust between his application and his users. I said that while most people would not care even if I explained why they should care, I have to care. It is my job. If my information was stolen because I entered it in an application that I knew was insecure, I could never work in information security again.

So, what should you look for before you enter your information in an application?

  1. Does the web site use HTTPS? HTTPS stands for Hypertext Transfer Protocol Secure; what that means is that the connection between you and the server is encrypted. If you cannot tell because the HTTPS part of the address is not showing, copy the web address into Notepad or Word, and look for HTTPS at the beginning of the address.
  2. Netcraft.com –  gives some basic information about the website you’re checking. You do not need to install their toolbar, just put the website name into the box below “What’s that site running?” about midway down the right-hand side.
  3.  Qualys SSL Labs tests the encryption (often known as SSL) configuration of a web server. I do not put my information in any web site that is not at least a “C.”
  4. Another thing you should be concerned about is a site that serves up malware: Here are some sites that check for malware:

http://google.com/safebrowsing/diagnostic?site=<site name here>

http://hosts-file.net/ — be sure to read their site classifications here

http://safeweb.norton.com/

  1. Do not enter any personal information in a site when using an insecure Wi-Fi connection, such as at a coffee shop or a hotel, just in case the site doesn’t have everything secured on its pages.

I have recently started using the WhiteHat Aviator browser, which uses the anonymous search engine Disconnect. It is available for Windows and Mac here. It works pretty well (although it is sometimes slow). When I use it for sites like Gmail where I use two-factor authentication, I do have to enter both the second factor and the password every time I load the website. It will not save the code like Firefox can for thirty days.

I am planning on installing Disconnect on my phone next. If that works out, I will try the premium version, which includes encrypted Internet, safe browsing, and location control.

Another anonymous search engine is DuckDuckGo.

I also use Firefox with extensions NoScript, Ghostery, Adblock Plus, and Lightbeam. Lightbeam is particularly fascinating to look at; it shows all the sites that track me, even after all those add-ons. NoScript can be painful to use because you have to enable every single site.

After the last set of Adobe Flash 0days (two in a week!), I uninstalled Adobe Flash and Air. After all, if I really need Flash, I can always use Google Chrome, where Flash is built in.

I rarely use Internet Explorer any more.

And while you are updating your browser, make sure your Java version is current.

Crime in the Workplace

Posted: January 20, 2015 by uszik11 in Security Breach, Vulnerabilities
Tags:

Your need to protect yourself from your co-workers is an unspoken truth. In criminology, we say “crime knows no neighborhood.”  In other words, crime is everywhere, not just in one bad place. People are people everywhere.   At work, we steal inventory and information from our employers.  We steal money and other tangibles from our colleagues.  Of course, I do not do those. Of course, you do not, either.  But other people do.  Here in America, about 20% of us are habitual perpetrators.

If you work in a small shop, you probably are among people you know well enough.  Nonetheless, your company is still in a shared space of some kind, a building, a strip mall, a street. Everyone there is in your world. You cannot know them all.

If you are in a large enterprise, the statistical facts are warnings.  If you have 1000 people in your building, then you meet 200 perpetrators every day.  Background checks only reveal the habitual, compulsive, or genetic predators who have been caught.  But many aggressors are opportunistic and competent. Routine offenders get away with harming others because no one speaks up.  And it is not easy to confront a bully or report a thief.  So, the harms and crimes continue.

Generally, security falls under the control of the facilities manager.  Rarely does an organization have a chief security officer at the same level as the chief financial officer or chief information officer. Facilities managers are concerned only with keeping costs down. Facilities managers seldom have professional training in security. As a result, most buildings have too few guards, posted in the wrong places, at the wrong times, assigned to futile activities.  Security is reactive, not proactive.

Badging and other controls for identity and access tend to be minimal and ineffective. You have no idea who is in your building with you.  Vagrants know all the ways to get in.  Professional thieves have no problem getting through the front door.

Professional thieves work large office buildings with public traffic. They look just like everyone else in our casual dress society.  They walk the halls peeking into offices, and trying doors.  Laptops are an easy grab.

Engineers and programmers are a special problem.  They enjoy getting around locks; and they are good at it.  The statistics apply to them as well. People who make a lot of money steal and bully just like poor people. Crime knows no neighborhood.  Even the 80% of them who are nice, still leave us vulnerable when they gimmick, jimmy, or shim a lock.  They have no control over who the next person will be to come through that door.

Protecting yourself at work begins with a few simple rules.  Lock your desk and your computer when you leave the area.  Always take your purse or wallet with you.  Never leave your laptop, phone, or pad unattended in the cafeteria or restroom.

Generally, if you have a problem with someone, you have six choices.

  1. You can confront them.
  2. You can go to your manager.
  3. You can take it to human resources.
  4. You can report it to security.
  5. You can call the police.
  6. You can ignore them.

The bottom line is that it is better to prevent a problem than to fix one.

 

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.

Shellshock (CVE-2014-6271 and CVE-2014-7169) is the name of a bug affecting the Gnu Bash (Bourne-again shell) command-line shell, which can be used on many Linux and UNIX operating systems, as well as Mac OS X. It does not affect Windows computers unless you’ve installed Bash with something like Cygwin. While it’s unlikely that most consumer computers will be targeted, it’s a good idea to watch for updates for operating systems, firewalls, routers, switches, modems, printers, and household items that can be assessed over the Internet–TVs, thermostats, IP cameras, and other items.

It is already being exploited by worms and other malware.

Cisco, Red Hat, Debian, and Ubuntu have already issued updates. The first patch issued did not completely fix the problem, so make sure you update to the version that addresses CVE-2014-7169 as well as CVE-2014-6271. Apple has not issued any updates as of September 28, 2014.

This bug has been around for a very long time; the latest (safe) Bash version is 3.2.53.  Brian J. Fox wrote Bash in 1987 and supported it for five years, and then Chet Ramey took over support–his unpaid hobby. Mr. Ramey thinks Shellshock was accidentally added in 1992.

We have a Macbook that was running a vulnerable version of Bash. I manually updated Bash per this article.

According to Qualys, here’s how to test for the vulnerabilities; at the command line, paste the following line (make sure this line is exact):

env var='() { ignore this;}; echo vulnerable’ bash -c /bin/true

If you have a vulnerable version of bash, the screen will display “vulnerable.” Just to be safe after updating, check the bash version by typing:

bash –version

Vulnerable versions will be before 3.2.53.

If you applied a patch before Friday, you might have a less-serious version of the error, which you can check by typing the following:

env X='(){(a)=>\’ bash -c “echo date”; cat echo; rm -f echo

This line will display the date if bash has not been completely patched.  After patching, you will get an error when running this command.

I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest breach—90 million credit/debit account numbers!—in the US occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware, and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at Target.com or in Canada were not part of the breach.
  • In their statement, Target explains the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which according to Target’s statement, resides at the external card processing center. They are not giving out the name of their processing center. The PIN data is encrypted with Triple DES encryption.  To decrypt the PIN data, the thieves need the key.
  • There are 2 types of security codes used with credit/debit cards. Each card issuer calls the security codes by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Europe uses electronic chips in their cards; another method is a dynamic pin generated through a text message or some other media, such as an RSA token. The problem with dynamic pins is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year. https://www.annualcreditreport.com/index.action
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN number.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the payment portion of fraud you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially; ultimately, we all pay the price of such theft through higher costs.

I recently read an article called the “Rise of the Warrior Cop” in the Wall Street Journal. Ordinarily, I would tend to blow off an article such as this.

Except there are too many articles like these:

Reasonable search and seizure? It’s supposed to be a right guaranteed by the Fourth Amendment of the Bill of Rights.

Electronic car fobs broken by car thieves

I’ve said it before and I’ll say it again: Do not leave valuables in sight in your car. TODAY goes on to recommend that you don’t leave your garage door opener or your car registration in your car either. You’re leaving yourself open to a home invasion and identity theft as well.

Twitter recently added a new security feature that allows you to have your phone send a security code that you use as your passcode when you log in. While it’s true that using more than one type of account verification can make your account safer, does Twitter’s new two-factor authentication really make your account safer? Maybe not. Watch Josh Alexander explain it in this YouTube video and decide for yourself: Personally, I agree with Josh Alexander that Twitter’s SMS-based two-factor as presented in the video doesn’t go far enough to protect your information.

What makes a safer log-in? Well, believe it or not, when your bank makes you enter your user name on one screen [hopefully using HTTPS; there should be a lock somewhere on the page] and then the next screen has a picture that you chose and/or asks a challenge question or might even save information about your computer like the IP address. If the picture is wrong or you expected challenge questions that didn’t appear, don’t log in! If you log in from a different computer, you may get one or more challenge questions that you must answer before you’re authorized to enter your account. Adding SMS onto one or more of these authentication methods might make your log-in safer.

Yes, it’s painful, but it’s safer.

Why is what the bank does safer than what Twitter’s doing?

Because if you’re not really at the bank’s site, the hackers won’t  know which picture you chose or the correct challenge questions to ask you. Hackers can’t (yet) make a bank website using your picture or the correct challenge questions, so it won’t be your account log-in.

What else makes online banking safer? According to this article http://news.yahoo.com/blogs/upgrade-your-life/banking-online-not-hacked-182159934.html, use WPA2 on your home wireless router, make sure your computer is virus free (OS patched, use an up-to-date antivirus program), and don’t use public Wi-Fi nor public computers. Another tip: Don’t choose challenge questions that anyone could easily find out about you, such as your mother’s maiden name. Under some circumstances, you can use your phone for online banking. Make sure you use a password screen lock on your phone. They also recommended that you have a remote wipe program installed on the phone; if your phone is lost or stolen you can remotely delete all the data off your phone. (Yes, remote wipe actually works. I tried it and bricked my iPhone, but the Apple Geniuses came through like champs!)