The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
It's a big 'un...
In This Issue:
- Facebook cares about privacy, except when they don’t
- Ever wanted to be a public interest technologist?
- The key to user education: a dirty toothbrush
- Spy stories: we wish they were only fiction
- The Internet of Cheese
Facebook Cares About Privacy, Except When They Don’t
Did anyone else roll their eyes when they heard about this? Facebook to refocus messaging around encryption and privacy. Apparently, Facebook really means it, and wants to be taken seriously. The word “pivot” has even been invoked. Facebook's privacy pivot vs Microsoft's 2002 security pivot: Facebook has more to prove.
So this was maybe an inopportune week for the news about how Facebook uses phone numbers to surface. When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security. Oopsie.
Actually, this was not new news. The Electronic Frontier Foundation had already protested that Facebook should leave your phone number where you put it. (This is part of a larger EFF campaign to get companies to fix colossal privacy and security holes in their products: Fix It Already: Nine Steps That Companies Should Take To Protect You.)
So that made this week’s spate of coverage about the issue… awkward for Facebook, from a marketing standpoint. (Though we note that the first article we linked to said that Facebook was going to “refocus messaging around encryption and privacy.” Not actually provide encryption and security. Just messaging about it.)
Luckily, not everyone is dead inside and thus completely numb to this sort of hypocrisy. The Electronic Frontier Foundation followed up with a more comprehensive post: Facebook Doubles Down On Misusing Your Phone Number. Graham Cluley also got in on the action: Facebook isn’t letting you opt-out of having people search for you by your phone number.
Cluley points out the obvious one: “If you really must use Facebook, don’t give it your phone number - not even for 2FA.” He also helpfully provides a link to an entire podcast about how to quit Facebook. 075: Quitting Facebook. In the bigger picture, however, tech companies are going to keep right on doing what they do unless enough of their users tell them to stop, loudly and repeatedly. So look up that EFF list, and start making noise until the companies mentioned therein Fix It Already.
Ever Wanted To Be a Public Interest Technologist?
This is a slippery concept to pin down in a summary, but it’s an important one. A public interest technologist is more than just a white hat hacker, political activist, or security educator, though the role includes aspects of all of these. Bruce Schneier wrote a long, thoughtful, highly recommended piece about how society (including IT practitioners) should be dealing with technology: Cybersecurity for the Public Interest.
“The problem is that almost no policymakers are discussing this policy issue from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate. The result is both sides consistently talking past each other, and policy proposals -- that occasionally become law -- that are technological disasters.”
Public interest technologists should be the people who bridge this gap, Schneier says. But that isn’t their only possible responsibility. He also envisions public interest techs operating like lawyers who provide pro bono services to the disadvantaged.
Schneier and other public interest technologists hosted a full-day seminar at RSA to discuss the idea.
Detailed coverage is provided here: Meet the New 'Public-Interest Cybersecurity Technologist'
Read both articles. They’re worth it. Then get some conversations going. Aspiring technologists: do you want to be a public interest tech when you grow up? NGOs: do you have a public interest technologist or equivalent on your staff? How do you plan to deal with the technological aspects of your mission? Vendors: what could you be doing for the public good? Altruism makes for good marketing opportunities. It also gives you a warm, fuzzy feeling.
The Key To User Education: a Dirty Toothbrush
The RSA Conference ended March 8. Already there are fascinating and horrifying nuggets of wisdom making their way into the tech press.
A cluster of articles from early in the conference focused on security awareness and user education.
- Consumers Care About Privacy, but Not Enough to Act on It
- How to keep your flock of users secure: Let them know exactly who and where the wolves
Boring topic, you say? Perhaps the boringness is part of the problem. How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse. The academics whose research forms the basis of this article (Dr. L. Jean Camp, Sanchari Das) say that “clearly explaining the actual need for this extra layer of account security” is what makes the difference.
They don’t add that the visceral ickiness of their chosen analogy makes it stick in the mind. But that is probably also true. One of the important principles in Joshua Foer’s Moonwalking with Einstein: The Art and Science of Remembering Everything is that ideas are a lot more memorable if they are lewd, hilarious, or horrifying. (Wait, did he just explain 4chan?) Foer’s book is a good read, but if you want a few quick examples of what he considers memorable, check out this review: How to Memorize Everything. The Incredible Hulk makes an appearance on a stationary bike.
If you need to convince someone of the need to take security seriously, then 1) explain clearly, and give reasons why it’s important, and 2) show them something they can’t unsee. If dirty toothbrushes don’t work for you, perhaps evil clowns will.
Just don’t use phone number-based 2-factor authentication on Facebook. Even if the toothbrush video tells you to.
Spy Stories: We Wish They Were Only Fiction
Apparently, we’ve gone from “It's irrational to build state actors into our threat models, because it's statistically unlikely that we will be the target of one,” to having enough state actor hacks to make this a weekly item. Weekly items give us the security sads.
First, a pair of news stories:
- Chinese hackers strike US universities in bid for military technology
- FBI boss: Never mind Russia and social media, China ransacks US biz for blueprints, secrets at 'surprisingly' huge scale
But this week, there is also the relatively rare chance to get some detail on what cyber espionage looks like. This story details how Operation Sharpshooter (a piece of reconnaissance malware) works. RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope.
The incredibly short version starts with a link to an infected file in Dropbox. The file contains a ‘weaponized macro’ that places embedded shellcode into the memory of Microsoft Word. This, in turn, downloads a backdoor module that runs in memory and gathers intelligence.
Operation Sharpshooter targets have included financial services, energy companies, and governments.
The malware has not been firmly attributed to any state or hacking group, though analysis has revealed some similarities to the work of the North Korean state-sponsored actors known as the Lazarus Group.
Lazarus Research Highlights Threat from North Korea. This article has more depth on the Lazarus Group, and on a recent trend in bank malware: if detected, the malware destroys data, doing as much damage as possible on the way out. RSA Conference 2019: Data-Wiping Cyberattacks Plague Financial Firms. The last piece is an interview with Tom Kellermann, chief cybersecurity officer at Carbon Black, about the issue. It’s also available as a podcast.
While it’s daunting to defend against the resources of a nation-state, doing something is better than doing nothing. Bang the security awareness drum. Operation Sharpshooter’s first step was a phish, and education can make people less susceptible to phishing. Systems administrators, consider blocking any methods of file sharing that aren’t absolutely critical to your organization. Block domains, use an application-aware firewall and consider a cloud access security broker to extend your security policies beyond your own premises.
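The Sharpshooter chain described above has two halves a defender can watch for: a document fetched from a file-sharing link, and an Office process that then pulls a second stage from the network. The following is an added example, not code from the newsletter or from the Sharpshooter report: a small scanner over a proxy log that records the originating process, flagging Office binaries that reach file-sharing domains. The log format, the hostnames and the sample lines are all constructed for this example.

```python
"""Flag Office processes that fetch content from file-sharing services.

Added example (not from the newsletter or the Sharpshooter report). It
assumes a proxy or EDR log with one CSV row per request that includes the
originating process name. Sample lines are constructed.
"""
import csv
import io
from urllib.parse import urlsplit

# Processes that normally have no business pulling arbitrary files from the Internet.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# File-sharing domains the newsletter suggests restricting; extend to your own policy.
FILE_SHARING_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}

# Constructed proxy log: ts,host,process,url,status
SAMPLE_LOG = """\
ts,host,process,url,status
2019-03-05T09:12:01Z,ws17,chrome.exe,https://www.dropbox.com/s/abc/report.docx,200
2019-03-05T09:12:44Z,ws17,winword.exe,https://dl.dropboxusercontent.com/s/abc/stage2.bin,200
2019-03-05T09:13:02Z,ws17,winword.exe,https://office.microsoft.com/telemetry,200
2019-03-05T09:15:10Z,ws22,outlook.exe,https://mail.example.test/ews,200
"""


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_office_downloads(log_text, domains=FILE_SHARING_DOMAINS):
    """Return (ts, host, process, url) for Office processes hitting file-sharing domains.

    The browser fetching the lure document is normal traffic and is not
    flagged; the Office process fetching the second stage is.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() not in OFFICE_PROCESSES:
            continue
        if domain_matches(urlsplit(row["url"]).hostname, domains):
            hits.append((row["ts"], row["host"], row["process"], row["url"]))
    return hits


if __name__ == "__main__":
    for hit in find_office_downloads(SAMPLE_LOG):
        print("ALERT office process downloading from file-sharing service:", *hit)
```

The same match is what an application-aware firewall rule or proxy policy would express in its own syntax; running it over historical logs first shows how much legitimate Office-to-file-sharing traffic you would be blocking.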
The Internet of Cheese
We almost got away without doing our weekly segment pooping on the Internet of Things. This was a mercifully quiet week for IoT debacles. But then came Fromaggio. Smart cheesemaker Fromaggio launches on Kickstarter.
We can’t honestly think of why someone would want to hack an Internet-connected cheesemaker, other than the usual reason of wanting to get a toehold in your network somewhere. But hacking someone’s cheese app to give them food poisoning could possibly be the most implausible plot ever invented for a murder mystery.
Poor Fromaggio. It’s actually too early to tell what the product’s security will be like. Smart cheese just tripped our weird-o-meter. But let’s hope it’s a lot more secure than this IoT ski helmet. Leaky ski helmet speakers expose conversations and data.
From the article: “The culprit here is the Insecure Direct Object Reference (IDOR). This exposes an object, such as a file, directory, or database key, without authenticating access. That makes it possible for an attacker to manipulate the object, which could be a simple number attached to the end of a URL query string.”
How that plays out in the case of the ski helmet: type anything into the helmet’s companion app, or Outdoor Tech’s API, and you can see every other entry containing the same word, name, or even single letter. This does more than just expose names of other app users. Security researcher Alan Monie was also able to get e-mail addresses, phone numbers, real-time GPS positions of users, and password hashes along with their reset codes in plain text.
Oh, and he could also listen in on users’ walkie-talkie conversations with friends. Be careful not to fracture your forehead while facepalming. Maybe someone should invent something to protect us from facepalm-related head trauma. Like maybe a helmet.
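The IDOR definition quoted above, and the helmet app’s search that matched every user’s records, are easiest to see side by side. The following is an added example, not code from the helmet app or from the article: a vulnerable lookup and search keyed only on the request, next to hardened versions that authorise against the caller and never serialise the password hash or reset code. The records, the `session_user` argument standing in for an authenticated session, and the route names are constructed for this example.

```python
"""Insecure Direct Object Reference (IDOR), vulnerable and hardened.

Added example, not the helmet app's code. `session_user` is assumed to be
the account name the server has already authenticated for this request.
All records are constructed.
"""
from dataclasses import dataclass, asdict


@dataclass
class Profile:
    id: int
    owner: str          # account that may read this record
    name: str
    email: str
    phone: str
    password_hash: str  # must never leave the server
    reset_code: str     # must never leave the server


# Constructed sample data; hashes and codes are placeholders.
DB = {
    1: Profile(1, "alice", "Alice", "alice@example.test", "+1-555-0100", "$2b$12$aaaa", "483921"),
    2: Profile(2, "bob", "Bob", "bob@example.test", "+1-555-0101", "$2b$12$bbbb", "119004"),
    3: Profile(3, "carol", "Carol Ann", "carol@example.test", "+1-555-0102", "$2b$12$cccc", "775310"),
}

# Fields a client may see; anything not listed is dropped before serialisation.
PUBLIC_FIELDS = ("id", "name", "email", "phone")


class Forbidden(Exception):
    pass


# --- vulnerable: the number in the URL is the only thing consulted -----------
def get_profile_insecure(object_id):
    """GET /profiles/<id>: anyone can walk the id space and read every record."""
    return asdict(DB[object_id])


def search_insecure(term):
    """GET /profiles?q=<term>: substring match over all users, returning all fields."""
    return [asdict(p) for p in DB.values() if term.lower() in p.name.lower()]


# --- hardened: authorise against the caller, then minimise the response ------
def redact(profile):
    """Serialise only the allow-listed fields."""
    return {k: getattr(profile, k) for k in PUBLIC_FIELDS}


def can_read(session_user, object_id):
    """Ownership check; 'missing' and 'not yours' look identical to the caller."""
    profile = DB.get(object_id)
    return profile is not None and profile.owner == session_user


def get_profile(session_user, object_id):
    """Same route, but the record must belong to the authenticated caller."""
    if not can_read(session_user, object_id):
        raise Forbidden("no such object")
    return redact(DB[object_id])


def search(session_user, term):
    """Search is scoped to the caller's own records; sensitive fields never serialise."""
    return [redact(p) for p in DB.values()
            if p.owner == session_user and term.lower() in p.name.lower()]


if __name__ == "__main__":
    print(get_profile_insecure(2))    # Bob's hash and reset code, no login needed
    print(search_insecure("a"))       # every user whose name contains 'a'
    print(get_profile("alice", 1))    # Alice's own public fields only
    print(search("alice", "a"))       # only Alice's records
    try:
        get_profile("alice", 2)
    except Forbidden as e:
        print("blocked:", e)
```

Two points carry over to any framework: the ownership check belongs in the data access layer, not in the URL routing, and the response shape should be an allow-list, so a field added to the model later does not silently become public.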
IoT security is a multi-tentacled eldritch horror that cannot be fully solved by simple measures. This doesn’t mean that you shouldn’t take precautions. Don’t buy a smart device if a dumb one will do. Ask yourself “does this really need an Internet connection?” If you must buy an Internet-connected device (like a car), ask probing questions of the manufacturer and salespeople. 6 Questions to Ask While Buying a Connected Car.
But what happens if there are no available non-IoT versions of a device? What happens when every single car is networked? Or when your employer or landlord can force you to use a connected device even if you have security concerns? Do renters have the right to reject smart home technology?
This moves from a discussion about individual products and vendors into a discussion about policy, legislation, and rights: IoT security: Where do we go from here? While some governments have addressed the IoT issue, they’ve done so in vague terms, and many have relied on vendors’ voluntary participation: Security by design: California’s new IoT security laws.
Maybe we need some public interest technologists to explain things to politicians. Oh, they already did? Yep, they did: IoT Security for Policymakers. Maybe they need to throw in a video about a dirty toothbrush to make it stick. Or maybe a lot of us need to help the Internet Society make a big, irritating, prolonged noise, until our various governments pass IoT legislation with teeth. Clean teeth.
Want More RSA?
As mentioned in last week’s Countermeasure, you can sign up to get free access to recordings of many of the RSA presentations. But if you’re looking for a quicker recap of announcements and goings-on, there’s a pile of RSA coverage in the tech press this week. Here are a couple of articles to get you started.
- RSAC 2019: TLS Markets Flourish on the Dark Web
- RSA Conference 2019: How to Be Better, on Trust, AI and IoT
Tweet of the Week:
“We started ingesting traffic in the RSAC SOC roughly 26 hours ago. We’ve seen 33,581 clear text passwords in that time. A lot of that is SNMP, but there are thousands of HTTP, POP3, and IMAP account creds in there too. Oof!! #rsac #rsacsoc @rsa @rsaconference” - @Grifter801
Video of the Week
Tips for an Information Security Analyst/Pentester career - Ep 70- Automating large pentest – Mattia Campagnano – Peerlyst
Podcast of the Week
118: The 's' in IoT stands for security. But there’s no “s” in “IoT”…oh.
Tool of the Week
DetectionLab. DetectionLab is “Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.”
This post has a detailed walkthrough of installing DetectionLab. Very detailed. Enjoy. Trying DetectionLab.
The NSA released a decompiler tool at RSA; so of course, there’s already debate about whether or not there’s a backdoor in it. Free NSA GHIDRA Reverse Engineering Tool Now Available. For a rollicking good dose of paranoiac fun, read the comments on this article: Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'
Whether or not you believe the whispers is up to you. But if you want to play with Ghidra, the ZDnet article on the subject gives useful instructions: NSA releases Ghidra, a free software reverse engineering toolkit.
- MY TAKE: Memory hacking arises as a go-to tactic to carry out deep, persistent incursions
- ThreatList: Porn-Focused Malware Triples, Dark Web Loves It
- Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty
- 18 percent of Americans admit to having their identity stolen
- Firefox to add Tor Browser anti-fingerprinting technique called letterboxing
- Data Leak Exposes Dow Jones Watchlist Database
- Japanese police charge 13-year-old for sharing 'unclosable popup' prank online
- Google rolls out Web Risk API in beta to help businesses protect their users
- The reason why 'ji32k7au4a83' is a common and terrible password
- Word Bug Allows Attackers to Sneak Exploits Past Anti-Malware Defenses
- Level up Mac security, and say game over to malware? System alerts plus Apple game engine equals antivirus package
- Saudi caller ID app leaves data of 5+ million users in unsecured MongoDB server
- Hackers Sell Access to Bait-and-Switch Empire