The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Stop Trusting Wi-Fi. Now.
In This Issue:
- WPA3 defeated before most devices can even use it
- How (not) to respond to a breach
- How (not) to respond to a breach, Microsoft edition
- Adblock Plus had ONE JOB…
- Facebook is still Facebook, and you know what that means
- Cybercrime as a service
- There are no ~~girls~~ humans on the internet
WPA3 Defeated Before Most Devices Can Even Use It
We here at The Countermeasure cannot emphasize this enough: do not roll your own crypto. Cryptography is really – really, REALLY – hard, and security through obscurity isn't security at all. Cryptography is so hard that openness and transparency are important to the entire development process of any new cryptographic algorithm or implementation.
To create a successful cryptographic algorithm and implementation, the planet's best and brightest need to bang on it until all the bugs have been worked out. Even then, even once the best math nerds in the world have crawled up and down your newfangled crypto, somewhere, somehow, there will be an implementation bug that all those reviewers missed.
This very human inability to be perfect is what gives cryptographic algorithms (and their implementations) a limited lifespan. Modern crypto is generally not defeated by advances in processing power. Nor is it defeated by the ability of servers to run more RAM, and thus hold larger rainbow tables. Crypto is defeated because humans make mistakes, and WPA3 will go down in history as a textbook example of a refusal to acknowledge this hard reality.
"Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords" has the best take on the issues at hand thus far. "Dragonblood: Analysing WPA3's Dragonfly Handshake" is the website put up by the researchers who discovered the flaws. The academic paper, posted on that same site under a nearly identical name, is "Dragonblood: A Security Analysis of WPA3's SAE Handshake".
The Wi-Fi Alliance made serious mistakes in the development of WPA3. They should have worked with existing organizations that have successfully developed cryptographic algorithms and implementations before. They should have included as much of the infosec community as possible. They didn't.
Not Invented Here killed WPA3, and now we have to go back to the well once more, hoping – perhaps in vain – that WPA4 will last us a few years before that too renders Wi-Fi an insecure hot mess.
Don't use Wi-Fi unless you have no other choice. If you must use it, don't trust it. Everything that travels over Wi-Fi should be encrypted, and every device using Wi-Fi should be using a VPN. No ifs, ands or buts. Wi-Fi is completely, utterly, and quite possibly irrevocably compromised, as much because of how the standards are devised as because of any individual crack. You need to develop business processes and policies that treat Wi-Fi as an untrusted means of connection. Now, and forever.
How (Not) To Respond To a Breach
Last week we talked about the importance of what happens after a breach: notification of affected parties, forensic analysis, and a revised security plan. Norsk Hydro was an example of how to do it well. On the other hand, "Experts: Breach at IT Outsourcing Giant Wipro" describes a breach that was handled less well.
In "How Not to Acknowledge a Data Breach", Brian Krebs points out that India (where Wipro is headquartered) "currently has no laws requiring data owners or processors to notify individuals in the event of a breach." The rest of us probably don't have that excuse. That leads directly into "Tips for the Aftermath of a Cyberattack", a discussion of the importance of "soft skills" in incident response. While not directly about Wipro, the timing of the article is serendipitous.
This week's podcast (below) also discusses the Wipro breach.
Learning from the mistakes of others so that you don’t have to repeat those same mistakes is generally good. Having an incident response plan is a must, but it requires that your organization come to terms with the reality that, one day, you will experience a compromising event. Overcoming the desire to pretend the inevitable won't occur is a critical – and astonishingly difficult – first step. Learning from others so that you don't repeat their mistakes should be child's play after that.
How (Not) To Respond To a Breach, Microsoft Edition
Speaking of refusing to learn from the mistakes of others, Microsoft is being Microsoft again. The story starts in a fairly normal fashion: Microsoft: Hackers compromised support agent’s credentials to access customer email accounts. Someone got credentials they shouldn't have by compromising a tech support person.
Fair enough. This stuff happens. But then Microsoft was Microsoft, and Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support. The story continued to evolve: Microsoft Downplays Scope of Email Attack.
More commentary followed – the Internet is good for something! – with "Hackers could read users' Outlook, Hotmail, and MSN email via compromised Microsoft support account", which offers a notably pithy recommendation: "Questions will obviously need to be asked about how support agents are having such important accounts compromised, and what steps can be put in place to better protect them. In addition, Microsoft might be wise to be keener in coming forward with bad news, rather than letting it trickle out."
Don't be Microsoft. Come to terms with the fact that you will be compromised, that you probably already are compromised, and come up with a sane, rational, and not-a-PR-nightmare way to respond to these events. Protip: Coverups are bad. The only thing worse than screwing up is lying about it, and the Internet always finds out.
Adblock Plus Had ONE JOB…
Many people use adblockers because advertisements are annoying. Infosec practitioners use adblockers because malvertising is a very real problem, and browsing the Internet without shields is patently insane.
Far from a theoretical problem, real companies are being hit by this. Adblock Plus filters can be abused to execute malicious code in browsing sessions and Ad blocker firms rush to fix security bug offer some details on the fallout.
While the failure of one of the Internet's more popular defenses to do the one thing we actually needed it to do is annoying, Adblock Plus demonstrated a much faster and more graceful response to a security problem than Wipro or Microsoft managed with their breaches.
Don't rely on any one malvertising blocking plug-in. Adblock should be combined with – at a minimum – Ghostery and Privacy Badger. Train as many of your staff in their use as possible. Make these sorts of Internet defences mandatory for IT staff, and anyone with privileged credentials.
Facebook Is Still Facebook, and You Know What That Means
By now, it's likely that readers of The Countermeasure have read Facebook takes extraordinary legal steps to contain document leak and Mark Zuckerberg leveraged Facebook user data to fight rivals and help friends, leaked documents show. Instead of adding our own commentary, we will direct readers to Facebook user data used as bargaining chip, according to leaked docs.
Perhaps not coincidentally, Wired has an epically long piece of investigative reporting about the chaotic and sometimes toxic culture at Facebook that spawns these privacy nightmares. 15 Months of Fresh Hell Inside Facebook.
For added fun, even in the few hours it takes to do research for this newsletter, more Farcical Facebook Facepalms popped up. We literally cannot write fast enough to keep on top of Facebook's rate of footbulleting. Facebook says it uploaded email contacts of up to 1.5 million users. Facebook, you are the poop emoji that keeps on smelling.
Do not use Facebook to communicate anything important, ever. If you can avoid it, simply do not use Facebook. Be stingy with the data you provide them. Use Internet plug-ins such as Adblock, Ghostery, and Privacy Badger to prevent their little widget button from tracking you across every website you visit.
Always log out of Facebook when you are done. Make certain that everyone in your organization treats Facebook like a wide open public forum in which everything they ever expose to Facebook – including the contacts, e-mails and other sensitive data that live on phones where a Facebook-owned app is installed – will be transmitted publicly.
Do. Not. Trust. Facebook.
If you must use it, do so from a dedicated, clean, and well-defended system.
Cybercrime as a Service
Here are a pair of stories about the dark web and the commercialization of cybercrime:
A somewhat related story is Ransomware: The cost of rescuing your files is going up as attackers get more sophisticated.
Read these. They’re educational, and this is the sort of thing that all infosec people – and those who manage them – should know.
There Are No ~~Girls~~ Humans on the Internet
The rather misogynistic 90s meme that "there are no girls on the Internet" is due for a revision. See "Bad bots now make up 20 percent of web traffic". The proliferation of our badly scripted robot overlords is made all the more bothersome by statistics like this: "86% of Australia's top websites can't detect bot attacks: Research".
It's time to start caring about bots. DDoS bots. Chatbots. Bots that can pass the Turing test. The bots are increasingly indistinguishable from humans, and they are coming for you. Learn about them. Learn how to detect them. Their numbers will only increase.
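As a starting point for "learn how to detect them", here is an added example (ours, not from any article linked above) of cheap, first-pass bot triage over ordinary web-server access logs. The log lines are constructed, the `shop.example` referer is a placeholder, and every threshold (requests per minute, failed-login count, user-agent churn) is an illustrative assumption to be tuned against your own baseline traffic. The heuristics are deliberately the ones that catch careless automation, which is the bulk of the 20 percent; a bot driving a real headless browser through residential proxies will sail past all five, which is why the Australian sites in the second article cannot see them.

```python
"""Heuristic bot triage over web-server access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# ip - - [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC = re.compile(r"\.(css|js|png|jpe?g|gif|ico|svg|woff2?)(\?|$)")
# User-agent substrings of tools that do not pretend to be a browser (assumed list).
AUTOMATION_UA = ("python-requests", "curl/", "wget/", "go-http-client", "scrapy", "headlesschrome")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, window_s=60, max_rate=30):
    """Return {client_ip: [reasons]}; an empty list means nothing looked automated.

    window_s / max_rate and the counts below are illustrative thresholds, not tuned values.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # 1. The client says it is a script, or sends no user-agent at all.
        uas = {r["ua"] for r in recs}
        if any(not ua or ua == "-" or any(s in ua.lower() for s in AUTOMATION_UA) for ua in uas):
            reasons.append("automation user-agent")

        # 2. Burst: more than max_rate requests inside any window_s-second sliding window.
        i = 0
        for j in range(len(recs)):
            while (recs[j]["ts"] - recs[i]["ts"]).total_seconds() > window_s:
                i += 1
            if j - i + 1 > max_rate:
                reasons.append(f"burst: >{max_rate} requests in {window_s}s")
                break

        # 3. One IP presenting several different browser identities.
        if len(uas) > 3:
            reasons.append("rotating user-agents")

        # 4. Repeated failed logins from one source (credential stuffing / brute force).
        fails = sum(1 for r in recs
                    if r["method"] == "POST" and r["path"].startswith("/login")
                    and r["status"] in (401, 403))
        if fails >= 5:
            reasons.append(f"{fails} failed logins")

        # 5. Pages without assets: a real browser fetches the CSS/JS the pages reference.
        pages = sum(1 for r in recs if r["status"] == 200 and not STATIC.search(r["path"]))
        assets = sum(1 for r in recs if STATIC.search(r["path"]))
        if pages >= 5 and assets == 0:
            reasons.append("no static assets fetched")

        verdicts[ip] = reasons
    return verdicts


def _line(ip, sec, method, path, status, ua, referer="-"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [20/Apr/2019:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "{referer}" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/66.0"
SAMPLE_LOG = "\n".join(
    # A human: a few pages, plus the CSS and JS a browser fetches along with them.
    [_line("198.51.100.7", 1, "GET", "/", 200, BROWSER_UA),
     _line("198.51.100.7", 2, "GET", "/static/app.css", 200, BROWSER_UA, "https://shop.example/"),
     _line("198.51.100.7", 2, "GET", "/static/app.js", 200, BROWSER_UA, "https://shop.example/"),
     _line("198.51.100.7", 9, "GET", "/products/42", 200, BROWSER_UA, "https://shop.example/")]
    # A scraper that identifies itself and walks the whole catalogue in 40 seconds.
    + [_line("203.0.113.5", s, "GET", f"/products?page={s}", 200, "python-requests/2.21.0")
       for s in range(0, 40)]
    # A credential-stuffing client spoofing a fresh browser identity on every attempt.
    + [_line("192.0.2.99", s, "POST", "/login", 401, f"Mozilla/5.0 (X11; Linux x86_64) Chrome/7{s}.0")
       for s in range(0, 8)]
)

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, "BOT?" if reasons else "ok", reasons)
```

Run it as-is and the human client comes back clean, the scraper trips three heuristics, and the login attacker trips two. In production, feed it `tail -f` output or a SIEM export rather than the embedded sample, and treat a verdict as a reason to add friction (rate limit, challenge, step-up auth), not as proof.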
Threads of the Week:
"Ok, let’s do this. Absurdly basic 100-level infosec-adjacent stuff you learned in college / certs / technical school yet *still actually really use constantly*... (other than calculating tips) I’ll start: mine top are the OSI model, Wireshark, and discrete math / logic diagrams. (I’m kind of trying to make a point to students and young people that sometimes the fundamental stuff you learn and expect to brain dump after the exam remains more important than you might think.)" – Leslie Carhart (@hacks4pancakes)
Tweet of the Week:
Unsure we can agree with this, but the debate is worth having. Our view is that there are legitimate uses for anonymity, especially among marginalized groups.
The only time you should pretend to be someone else is when you're trying to socially engineer someone into doing something for you. – Leslie Carhart (@hacks4pancakes)
Podcast of the Week:
The previously promised Wipro podcast. Worth a listen.
124: Poisoned porn ads, the A word, and why why why Wipro?
"How the 'New York Times' Protects its Journalists From Hackers and Spies". The interviewee, Runa Sandvik, is a security researcher who once hacked a smart rifle (see "Hackers Can Disable a Sniper Rifle—Or Change Its Target"). Sandvik now works for the New York Times, and in this podcast she shares how she raised awareness of cybersecurity threats at the news organization.
- Android 7.0+ Phones Can Now Double as Google Security Keys
- Extortion emails a go-go
- The Samsung Galaxy S10’s ultrasonic fingerprint scanner is hacked <-- The hacker used a photograph of a fingerprint and a 3D printer
- Google’s location history data shared routinely with police
New Attacks (and Old Attacks Made New)
- Source code of Iranian cyber-espionage tools leaked on Telegram
- Remove yourself from the internet, hide your identity, and erase your online presence
- It doesn’t matter if you don’t use Internet Explorer, you could still be at risk from this IE zero-day vulnerability
- Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer's Security <-- A more detailed explanation of the above, plus a third-party micropatch developed by ACROS Security
Tool of the Week
FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash