The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
[ICYMI] You Get To Cheat
In This Issue:
- You get to cheat
- Corporate espionage – no, not that kind
- FaceApp… Facebook… what's the difference?
You Get To Cheat
If you work in a field even sort of adjacent to infosec, you'll arrive at this particular mental state eventually. It's not despair—not quite. Call it fatalism. It's the creeping realization that the hackers are always one step ahead. You follow all the security recommendations you can, you use hardware-based 2FA, you deploy multiple information security products from respected vendors, and you even take the time to try to explain to your irritating golf buddy why frequently changing passwords isn't as good an idea as it sounds.
You will still get hacked. The hacker probably won't be caught.
"Even if you know what country they're in, their government doesn't care and won't do anything about it," says the salesman, in this melancholy article: An IT security salesman told me his software doesn't work.
The salesman has definitely arrived at the fatalism stage of his career. He's not saying that his software is fraudulent, just that it isn't magic. It prevents some threats, but the hackers are still a step ahead. How do you fight the feeling of "why bother"?
You didn't think your cynical authors were going to preach the virtue of optimism, did you? Instead, we'll drag out that old joke about hiking in the woods with friends, and encountering an aggressive bear. To survive, you don't have to outrun the bear—you just need to run faster than the other hikers.
Most hackers are in it for the money. They make the most money by hitting the easy targets whenever possible. Don't be an easy target. You will still be compromised, so design your network to lose as little as possible when breached. Have an incident response plan. Take out cyber insurance. Don't ignore security, but don't get sucked down by despair, either. Use this Tweet to cheer up:
'"Cybersecurity is a game in which you get to make the rules. You are under no obligation to play fair; it's *your* *network*. You *get to cheat*."
This, more than anything else, is what offense knows implicitly but defense is always *gobsmacked to hear*.
YOU GET TO CHEAT.' – Dan Kaminsky - @dakami
Corporate Espionage—No, Not That Kind
This week saw a variety of news about nations spying on their own citizens.
Postpone that eye-roll emoji; we're not going to preach about the morally distasteful nature of privacy invasion at scale. What's of interest is the recurring trend of snoopy governments demanding that corporations help with the snooping.
While a select few enterprises are paid for their assistance (Revealed: This Is Palantir’s Top-Secret User Manual for Cops), most are just ordered to fork over the data. Some companies are even required to alter their products to facilitate government spying. Australian company Telstra says that this adversely affects their relationships with suppliers, and limits what they can offer their customers: Latest technology could miss Australia due to encryption laws: Telstra.
In some parts of the world, legislation requiring massive data collection by private corporations is being considered: Home Affairs floats making telcos retain MAC addresses and port numbers. Meanwhile, the European Court of Human Rights is hearing cases brought against Sweden and the UK by citizens' groups who want dragnet surveillance outlawed: Sweden and UK's surveillance programs on trial at the European Court of Human Rights.
This is a touchy issue, and different jurisdictions handle it in different ways. Keep an eye on your own government's current requirements. If you haven't already, this would be a good time for a strategy meeting with legal and marketing teams. What is your plan if a government agency asks you for information about your customers? What are the costs associated with complying? What are the risks involved in refusing?
It's not quite as simple as "Of course, we'll comply." Some customers will inevitably be grouchy about loss of privacy. And any data you collect has to be stored securely, which increases infrastructure costs and also increases the risk of liability. Governments may want you to disclose customer information to them, but they are still fully capable of issuing a GDPR-style fine if you leak the data to anyone else: $5b privacy fine against Facebook seen as ‘chump change’. There are no easy answers, but you’re at slightly less risk of harm if you think about this stuff before the spooks show up.
FaceApp… Facebook… what's the difference?
There's an app that modifies photos to make the people in them look substantially younger or older. And—gasp! Shock!—"users have been surprised to learn that the app’s creators are harvesting metadata from their photos."
No, the app is not Facebook. Though if you have even a passing familiarity with Facebook's recent history, this article is worth reading for the (probably unintentional) social satire: FaceApp is back and so are privacy concerns.
The Countermeasure is not suggesting that large-scale metadata slurping is a good thing, but we would like to respectfully point out that almost every mobile app known to humankind probably does something similar or worse from a security or privacy standpoint. Just a few random examples from our previous editions:
- Ever app users uploaded billions of photos, unaware they were being used to build a facial recognition system
- WhatsApp exploit let attackers install government-grade spyware on phones
- Runaway Saudi sisters call for 'inhuman' woman-monitoring app to be pulled
You get the idea.
So why are people grumpy when FaceApp's attitude to privacy is… relaxed? FaceApp is based in Russia.
So basically, it's OK if we do it, but not if they do it.
Misconfigured security is the most common flaw found in applications. (This makes the earlier stories even more frustrating.) Nearly every week, there are stories about data left exposed through poor configuration. This week we have two: Fortune 100 Passwords, Email Archives, and Corporate Secrets Left Exposed on Unsecured Amazon S3 Server and 'This Repository Is Private'—So What's It Doing on the Public Internet, GE Aviation?
"Misconfigured" definitely sounds bad, but it's rather vague. Pen-testing-as-a-service firm Cobalt did some research to get more details on what the most common config mistakes are (What the AppSec Penetration Test Found):
- 30.1% of security misconfigurations were in security headers
- 28.5% were in application settings
- 12.7% in encryption settings
- 11.5% in server configuration
- 9.6% in mobile settings
- 4.9% in cloud settings
- 2.9% due to an improper security control
The most common misconfigurations weren't necessarily the highest risks. Server configuration mistakes and application settings mistakes were the most dangerous.
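Since security headers top Cobalt's list, here is an added example (ours, not Cobalt's tooling) of the kind of check a defender can run over a captured HTTP response: it flags missing headers and a few weak values. The required-header baseline and the 180-day HSTS threshold are our assumptions; the two sample responses are constructed, not from any real site.

```python
"""Audit HTTP response headers for common security-header misconfigurations.
Added illustrative example; sample responses below are constructed."""
from typing import Dict, List

# Baseline we assume a hardened HTTPS response should carry, with the risk when absent.
REQUIRED = {
    "strict-transport-security": "HSTS missing: HTTP downgrade possible",
    "content-security-policy": "CSP missing: no script-source restrictions",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: clickjacking not blocked",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
}
MIN_HSTS_SECONDS = 180 * 86400  # assumed minimum max-age (180 days)

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header in seconds (0 if absent/invalid)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means nothing flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < MIN_HSTS_SECONDS:
        findings.append("HSTS max-age below 180 days")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits unsafe-inline/unsafe-eval: XSS mitigation weakened")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append("Server header discloses a version string")
    return findings

# Constructed sample responses: one typical weak configuration, one hardened.
WEAK = {"Server": "Apache/2.4.29", "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```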
You probably don't need to get flustered about FaceApp, except as another employee time-waster. But the brouhaha suggests an interesting thought exercise to try when considering the security and privacy implications of just about anything. "Would this be cause for concern if a company based in $_geopolitical_rival did it?" Yes? Then maybe we shouldn't be doing it either. The internet is a fickle place; the next company facing a FaceApp flap could be yours.
Tool of the Week
Ransomware Decryption Tools. Updated to include decryption keys for some forms of GandCrab ransomware.
Resource of the Week
Tweet of the Week
"If most corporate tax loopholes are eliminated in favor of qualifying for some of them *only if you haven't had a data protection violation that quarter* might serve better as an ongoing motivator for privacy vigilance.
Thoughts?" – Katie Moussouris - @k8emo
How Hacking Works - xkcd
- German banks are moving away from SMS one-time passcodes. Even if SIM swapping didn't exist, SMS messages wouldn't be a very secure form of 2FA.
- For pity's sake, groans Mimecast, teach your workforce not to open obviously dodgy emails. The dodgy bit is the .SHTML attachment.
- GUEST ESSAY: 6 unexpected ways that a cyber attack can negatively impact your business. One of them actually was unexpected.
- How to Catch a Phish: Where Employee Awareness Falls Short
- Cybersecurity: Do these six things to protect your company online