The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
As Always: No Such Thing as ‘Unhackable’ 😑
In This Issue:
- A Cryptographic tool that overpromises, but still looks promising
- Just when you thought business travel couldn’t get any worse
- More than just your bank account number
A Cryptographic Tool That Overpromises, but Still Looks Promising
Who doesn't want to be hacker-proof? This article about a new cryptography project sounded awesome, but seemed too good to be true: Cryptography That Can’t Be Hacked.
Public interest technologist Bruce Schneier checked out the tool in question: EverCrypt: A Verified Crypto Provider Engineered for Agile, Multi-Platform Performance. Schneier's opinion was that it's a "cool project," but not "hacker-proof cryptographic code": Unhackable Cryptography? This isn't a scam, just people getting over-enthusiastic about a neat tool. So let's take a quick look at what makes EverCrypt cool.
Cryptographic libraries are a potential weak point in applications. They’re often buggy and slow, and can be vulnerable to side-channel attacks. But no one is suggesting that we should just skip encryption. Instead, the coders behind EverCrypt wanted to create a crypto library that was provably free of at least the common bugs.
They used a mathematical strategy called “formal verification” to specify "exactly what their code is supposed to do and then [prove] it does that and only that, ruling out the possibility that the code could deviate in unexpected ways under unusual circumstances," the Quanta article says.
EverCrypt may not be totally hacker-proof, but it does claim to be free of the classes of bugs that cause buffer overflows, produce an incorrect cryptographic computation, or open the door to timing attacks. This is a good beginning toward cleaning up cryptographic libraries, and something that will become increasingly important as attackers' code-breaking capabilities increase.
A related article is Quantum Computing and Code-Breaking, which discusses the code-breaking capabilities of quantum computers. This is a largely theoretical threat at this point, but one that needs to be taken into account before quantum computing becomes more commonplace. Everyone who works in security is going to need to learn more about strong, agile cryptography, and soon.
To defend against increased code-breaking capability, abandon the eggshell model of a strongly defended perimeter with a squishy, defenseless network inside it. Every server in your network needs to use encryption. The quantum computing article also suggests setting up access policies that use a different key for each data set, so that compromising one key exposes only a piece of the data rather than all of it.
Just When You Thought Business Travel Couldn’t Get Any Worse
Booking a hotel? You may be giving out a lot more info than you think, according to this: Majority of Hotel Websites Leak Guest Booking Info. According to the article, research from Symantec shows that a majority of hotels — from small independent properties to large five-star resorts and chains — routinely leak detailed guest booking data to third-party advertisers, social media websites, data aggregators, and other partners.
The details can include "full name, address, mobile phone number, passport number, and the last four digits of credit card numbers."
One of the more common ways for this information to leak is through confirmation e-mails that use a static link carrying the booking reference code and the guest's e-mail address in the URL itself. The booking reference code lets anyone who has it view the booking and other customer data, and the link (with the code in it) is often shared with social networks, advertisers, search engines, and analytics providers as the page loads their scripts.
Oh, and many airlines use static link booking confirmation as well. Great.
As a customer, you cannot do much more than raise a stink about their sloppy security. But if you’re a web developer who works on these sorts of sites, the cure is to use encrypted links. And, as mentioned in the article, "ensure that no credentials are leaked as URL arguments, for example by using cookies."
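The static-link problem and the cookie-based fix described above, as an added example (not code from the newsletter or from Symantec's research): a checker that flags confirmation URLs carrying booking identity in the query string, beside a hypothetical BookingLinks class that issues opaque single-use tokens and moves the booking reference into a server-side session cookie before redirecting to a parameter-free page. The hotel.example host and the parameter-name list are constructed for the example.

```python
import re
import secrets
from urllib.parse import parse_qs, urlparse

# Parameter names that commonly carry booking identity in confirmation links
# (a constructed list for this example, not taken from the Symantec report).
SENSITIVE_PARAMS = {"email", "pnr", "booking", "bookingref", "ref", "confirmation"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def leaked_fields(url: str) -> list:
    """Return the query parameters of ``url`` that expose booking identity.

    A parameter counts if its name is in SENSITIVE_PARAMS or its value looks
    like an e-mail address. Anything in the query string travels in the
    Referer header to every third-party resource loaded by the page it opens.
    """
    qs = parse_qs(urlparse(url).query)
    return sorted(k for k, vals in qs.items()
                  if k.lower() in SENSITIVE_PARAMS
                  or any(EMAIL_RE.match(v) for v in vals))

class BookingLinks:
    """Confirmation links that carry only an opaque, expiring, single-use token.

    Redeeming the token moves the booking reference into a server-side session
    (handed to the browser as a cookie) and redirects to a parameter-free URL,
    so the page that loads third-party scripts has nothing sensitive to leak.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._tokens = {}    # token -> (booking_ref, expiry timestamp)
        self._sessions = {}  # session cookie -> booking_ref

    def issue(self, booking_ref: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # random; encodes no guest data
        self._tokens[token] = (booking_ref, now + self.ttl)
        return f"https://hotel.example/booking/open?t={token}"

    def redeem(self, token: str, now: float):
        """Return (session_cookie, redirect_url), or None if token is unusable."""
        entry = self._tokens.pop(token, None)  # single use: gone after first open
        if entry is None or now > entry[1]:    # unknown, reused, or expired
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = entry[0]
        return cookie, "https://hotel.example/booking/view"  # no query string

    def booking_for(self, cookie: str):
        return self._sessions.get(cookie)
```

Run leaked_fields over the links in an outgoing confirmation template to catch the static-link pattern before it ships; the cookie must still be marked HttpOnly and Secure when set by the real web framework.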
Pretty please. Cramped airplane seats and terrible hotel wifi are hassles enough for one business trip.
More Than Just Your Bank Account Number
You already know that bank account numbers, payment card information, and login credentials are attractive targets for criminals. But there's also a growing market for additional information that can help defeat banks' anti-fraud systems. This article describes the “Genesis” darknet market that sells exactly that: 'Digital Doppelganger' Underground Takes Payment Card Theft to the Next Level.
"It uses stolen information about the users' online digital characteristics - such as their devices' operating system, browser, GPU, DNS, and online behavior patterns - from financial institutions' anti-fraud systems to confirm that online transactions are being conducted by account owners and not fraudsters.
These so-called digital masks, used together with the victim's login and passwords for his or her online accounts, allow a criminal to pose as that very user."
This article illustrates how seemingly harmless bits of information can be used together with unfortunate effect.
App developers want to collect information about users' systems for 'quality assurance purposes.' But do they want to be responsible for securing it?
The much bigger issue here is the sort of information collected without users' knowledge or consent during routine online activity. It's not (necessarily) being collected by criminals, but rather by advertisers, social media websites, and data aggregators. Here are a couple of resources for preventing browser tracking:
Threads of the Week:
“I hear a lot of folks (especially outside the USA / UK) having difficulty finding infosec meetups, conferences, or communities in their area. If you’re looking for gatherings where you are, why don’t you use this thread to post the metro area or region, and perhaps we can help you!” - @Hacks4Pancakes
“A couple of simple questions for the day. First one! Is a red team a pentest?” - @strandjs
Tweet of the Week:
Hey folks… Here’s some advice for students 18+ interested in cyber careers: compete in #CyberQuests to exercise your skills & earn a spot in the @USCybChallenge camp → http://CyberQuests.org Enjoy! :) - @edskoudis
Podcast of the Week:
How the ‘New York Times’ Protects its Journalists From Hackers and Spies. The interviewee, Runa Sandvik, is a former hacker who once hacked a smart gun (Hackers Can Disable a Sniper Rifle—Or Change Its Target). Sandvik now works for the New York Times, and in this podcast she shares how she raised awareness about cybersecurity threats at the news organization.
We’ve previously mentioned that recurring news items make us sad. Dear Facebook and friends, could you take a week off from doing something heinous? No? OK, let's do this.
- U.S. senators introduce social media bill to ban 'dark patterns' tricks. The proposed bill describes yet more creepy social media practices, but wants "social media companies [to] create a professional standards body to create best practices to deal with the issue." Yep, that'll work great.
- A Year Later, Cybercrime Groups Still Rampant on Facebook
- Facebook still tracks you after you deactivate account
- Safe Harbor Programs: Ensuring the Bounty Isn't on White Hat Hackers' Heads
- Meet Baldr: The Inside Scoop on a New Stealer
- Mar-a-Lago intruder had instant-malware-inflicting thumb drive
- Knock and don’t run: the tale of the relentless hackerbots
- Bootstrap supply chain attack is another attempt to poison the barrel
- Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018
- Small banks, credit unions under attack
- New Android Malware Adds Persistence, Targets Australian Banking Customers
Tool of the Week:
Okay, it doesn't exist yet. Tool of… the future? Craigslist Founder Funds Security Toolkit for Journalists, Elections