The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
SIM Swappers LOL at Your 2FA
In This Issue:
- SIM Swapping is now a bigger deal than you might think. SIM hijacking has big implications for 2FA.
- “I’m Not Dead Yet!” ~ Passwords. There may be many technically superior alternatives to passwords, but thanks to their ubiquity, they’re not going away any time soon, and your users are going to fight to keep the status quo.
- Incident Response Planning in a Nutshell. A comprehensive and must-read guide to thinking through incident response. The video of the week is a great BSides talk about how to validate your defense-in-depth posture from endpoint to Internet.
Busting SIM Swappers and SIM Swap Myths
SIM swapping is a process by which bad guys manage to tell a carrier that someone's existing SIM card is no longer valid, and that the mobile account should instead be associated with a different SIM. SIM swapping can be accomplished in a number of ways, from hacking the carrier's database to plain, old-fashioned social engineering.
Once SIM swappers have control of someone's mobile account, they can leverage control of the mobile number to reset passwords to various online services, such as email. From there, passwords to yet more online services can be reset. Currently, SIM swapping is a popular way to steal cryptocurrency from enthusiasts in Silicon Valley, but it’s also being used to target other individuals.
This is a must-read piece by Krebs about this growing threat vector, and the implications for security best practices.
Re-examine all your assumptions about cell phones being used for two factor authentication. SIM swapping is easier than we think, and there doesn't seem to be a lot of interest in solving the problem by those responsible for doing so.
Here's Why [Insert Thing Here] Is Not a Password Killer
Troy Hunt does an excellent job of laying out why passwords are not going away anytime soon. The answer? Because everyone knows how to use them. There's more to it than that, of course, and this piece is an excellent re-examination of the classic tug-of-war between security and convenience.
Security practitioners tend to forget about the end user experience, especially when we’ve discovered some new technological toy we think will radically enhance our organization's security posture. We’re used to having 14 different 2FA apps on our phones, three YubiKeys, and something involving a scroll, two squirrels and a pigeon. We forget that even a single YubiKey can seem onerous to the uninitiated.
Imagine yourself as the user. Be resentful of any effort you’re asked to put into being allowed to do your job. Start thinking about workarounds, even if those violate security policy. Realize that these workarounds are what everyone will be doing shortly after your new policy rolls out, and then rethink your plan.
How InfoSec Security Controls Create Vulnerability
In a deeply considered post, Lambert delivers a must-read analysis of the unintended consequences of the layered security environments that are the standard in modern IT. Lambert identifies three primary areas of concern: lack of recursive threat modeling, security controls with dependencies that resemble a complex IT organizational chart, and the difficulty of visualizing the security dependency graph, especially as it changes.
Read Lambert's excellent post on the topic, sleep on it, and then start building recursive threat models for your environment. With luck, this will lead to simplification, and perhaps automation.
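As an added illustration (not code from the newsletter, from Krebs, or from Lambert's post), the following Python sketch treats security controls as a dependency graph and walks it recursively, which is the first step toward the recursive threat model suggested above. The control names and edges are constructed to mirror the SIM swap chain from the first item: a password reset trusts email, email's 2FA trusts the phone number, and the phone number trusts the carrier's SIM change process.

```python
from collections import defaultdict

# Constructed example graph: control -> the controls it silently relies on.
# Names are hypothetical; the shape mirrors the SIM swap chain described above.
CONTROLS = {
    "bank_login": ["password", "sms_2fa"],
    "password": ["email_reset"],            # "forgot password" goes to email
    "email_reset": ["email_account"],
    "email_account": ["email_password", "sms_2fa"],
    "email_password": ["sms_2fa"],          # email's own reset goes to the phone
    "sms_2fa": ["phone_number"],
    "phone_number": ["carrier_sim_process"],
    "carrier_sim_process": [],              # root of trust: the carrier's help desk
}


def transitive_dependencies(graph, control):
    """Every control that `control` depends on, directly or indirectly."""
    seen = set()
    stack = list(graph.get(control, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def single_points_of_failure(graph, control):
    """Leaf controls (roots of trust) that `control` ultimately rests on."""
    return {d for d in transitive_dependencies(graph, control) if not graph.get(d)}


def blast_radius(graph, control):
    """Every control whose assurance collapses if `control` is defeated."""
    reverse = defaultdict(list)          # invert the edges: dependency -> dependents
    for ctrl, deps in graph.items():
        for dep in deps:
            reverse[dep].append(ctrl)
    return transitive_dependencies(reverse, control)


if __name__ == "__main__":
    print("bank_login rests on:", single_points_of_failure(CONTROLS, "bank_login"))
    print("if the SIM process fails, so do:", sorted(blast_radius(CONTROLS, "carrier_sim_process")))
```

Run against a real control inventory, the same walk shows which "independent" factors collapse to one help desk, and re-running it after each change is the cheap way to keep the graph visible as it evolves.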
The 5 Benefits of an Incident Response Plan
No security plan survives contact with reality. The bad guys will eventually break through. When that happens, you'd better have an incident response plan. Hitachi Systems Security invested in an excellent multi-part blog series on incident response that is worth reading.
Yes, the ultimate goal of this blog series is to get you to give Hitachi's security offerings a try, but there is real value in this blog series for anyone who is new to the idea of incident response.
Have anyone on your security team who isn't familiar with incident response start their education with this blog series. And then, hopefully, adopt incident response research and execution as a lifelong learning project. In the end, it always comes down to the incident response plan.
Finding Gold in the Threat Intelligence Rush
All the data in the world isn't worth a bent copper if you don't know what questions to ask of it. The modern "instrument all the things" approach to software development has certainly created opportunities to collect data, and the rush is on to see who can derive actionable insights from threat intelligence data.
Can malware outbreaks be predicted? Maybe, but there are a lot of factors to consider. Using big data analytics of threat intelligence data to attempt to make these predictions is the next frontier of security research.
This approach to prediction is ambitious. Educate yourself on the basics, and remain skeptical of anyone claiming to have cracked this problem. It could be that in the near future viable services emerge that make use of this data exactly as described, or it could be decades. Nobody knows, but with all the attention being paid to research in this area, soon there will be a lot of new startups, and a lot of claims being made.
Video of the Week
"Endpoint to Internet: Security Control Validation Using Threat Behavior Emulation"
Ken Jenkins and Stuart McMurray - posted by BSides DC
US Cyber Command starts uploading foreign APT malware to VirusTotal <-- Catalin Cimpanu – ZDNet
Why APIs are Critical for Security Operations <-- Marius Iversen – Techbeacon
VirtualBox Guest-to-Host Escape 0day and Exploit Released Online <-- Zeljka Zorz – HelpNet Security
Must-Read Discussion Threads
This thread is an excellent example of social engineering:
"Fun #Australia fact: To compensate for auroral flux"
~ SwiftOnSecurity (@SwiftOnSecurity)