The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
In This Issue:
- AWS re:Invent coverage: Is the Public Cloud Really More Secure?
- Toyota and Lexus owners beware!
- Don't bank on your phone
- Holiday Cyberattacks on the rise
AWS re:Invent Coverage: Is the Public Cloud Really More Secure?
AWS re:Invent was this week, so cloud security is making headlines. One headline had us preparing to arm the outrage cannons: Avoid ransomware by moving to the cloud, says AWS Public Sector boss.
Just to be clear, the public cloud isn't a magical +2 Cloak of Anti-Ransomware. In most cases, backups are your only hope, and they need to be separated from your main infrastructure, or they’re useless. Merely moving some data off premises does not change this. (To be fair, a lot of ransomware can be caught by filtering URLs and e-mails for the obvious badness, and some ransomware can be defeated by blocking access to the command and control servers before encryption of the endpoint/workload/device/etc. begins; but once that starts, you're hosed without backups.)
Fortunately, AWS worldwide public sector vice president Teresa Carlson wasn't trying to say that the cloud eliminates the need for backups. (Outrage cannons, stand down!) Basically, she implied that on-premises public sector security, backup, and DR are so awful that moving to the cloud will be more secure.
Carlson's statement that "All these customers I talk to are running on data centres, unpatched, they talk about having a DR strategy -- but guess what, they don't have that" is not something that we can contest.
Of course, low-information IT buyers can fare poorly in the cloud, as an overheard comment at re:Invent proved. AWS has a new tool for those leaky S3 buckets, so, yeah, you might need to reconfigure a few things. These are all things that every AWS customer should already understand, but at the end of the session we overheard one attendee say to another: "So basically we need to reconfigure everything."
Access Analyzer will "alert you when a bucket (an area of storage in S3) is configured to allow public access or access to other AWS accounts." And it's long overdue: If the cloud is ever going to deliver on the oft-hyped promise of handling these kinds of IT chores, sane and secure defaults are going to be important.
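The two conditions quoted above (a bucket open to the public, or open to another AWS account) can be checked offline from a bucket's exported policy and ACL. The following is an added example written for this newsletter, not AWS or Access Analyzer code; the account ids, bucket name and grants in it are constructed, and it deliberately ignores policy conditions so that a conditioned `Principal: "*"` still shows up as a finding.

```python
"""Offline check of an S3 bucket policy and ACL for public or cross-account access.

Added example, not AWS or Access Analyzer code: it reads the two documents you
can export from a bucket (policy and ACL grants) and flags the two conditions
the text quotes, access for everyone and access for another AWS account.
"""
import json
import re
from dataclasses import dataclass, field

# Canned groups that make an ACL grant public (AuthenticatedUsers is any AWS
# account in the world, so it counts as public too).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class Findings:
    public: list = field(default_factory=list)
    cross_account: list = field(default_factory=list)

    def is_clean(self):
        return not self.public and not self.cross_account


def principal_accounts(principal):
    """Yield '*' or a 12-digit account id for each AWS principal of a statement."""
    if principal == "*":
        yield "*"
        return
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    for value in [values] if isinstance(values, str) else values:
        if value == "*":
            yield "*"
        elif re.fullmatch(r"\d{12}", value):
            yield value
        else:  # arn:aws:iam::123456789012:root, :user/x or :role/x
            match = re.match(r"arn:aws:iam::(\d{12}):", value)
            if match:
                yield match.group(1)


def check_policy(own_account, policy):
    """Flag Allow statements granted to everyone or to a foreign account.
    Conditions are not evaluated on purpose, so the check errs toward noise."""
    findings = Findings()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        sid = stmt.get("Sid", "<no Sid>")
        for account in principal_accounts(stmt.get("Principal", {})):
            if account == "*":
                findings.public.append(f"policy statement {sid}: Principal *")
            elif account != own_account:
                findings.cross_account.append(f"policy statement {sid}: account {account}")
    return findings


def check_acl(grants):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = Findings()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.public.append(f"ACL grant {grant['Permission']} to {group}")
    return findings


def check_bucket(own_account, policy, grants):
    """Policy findings first, then ACL findings, for one bucket."""
    result = check_policy(own_account, policy)
    result.public.extend(check_acl(grants).public)
    return result


# Constructed sample: account ids, bucket name and grants are all made up.
SAMPLE_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerList", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "OwnApp", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
```

Running `check_bucket(SAMPLE_ACCOUNT, SAMPLE_POLICY, SAMPLE_ACL)` reports the `PublicRead` statement and the `READ` ACL grant as public, and the `PartnerList` statement as cross-account; the `OwnApp` statement and the `Deny` statement produce nothing. Service and federated principals are outside what this check looks at.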
Amazon also announced other products aimed at securing cloudy stuff, including Amazon Detective, which investigates security issues within workloads. It is worth looking at if you plan to do anything cloudy in the near future.
While Amazon's shiny new stuff might be a great step toward the sane and secure defaults needed, please do not stop engaging your brain when administering things in the public cloud.
Not all things Amazon are secure by default, and "secure" is a relative term anyway, as organizational needs, legal requirements, and regulatory burdens can vary dramatically. Do not throw away your cloudy security analysis tools. If you don't have any, get some. Remain vigilant.
Toyota and Lexus Owners Beware!
Don't want people stealing your high-end Toyota or Lexus? Wrap your fob in tin foil! Toyota, Lexus owners warned about thefts that use 'relay attacks'. There are a few things to unpack here.
First: any car that will drive away without you physically inserting a key of some variety is designed wrong. Two factors are better than one, but if you must rely on only a single factor for authorization, "something you physically have" is infinitely better than "something that can be cloned or relayed wirelessly".
By all means, make a car that starts remotely. But under no circumstances should that car actually DRIVE anywhere without you putting in a key, pressing an RFID implant against a receiver, or entering a password.
Do not buy any vehicle which can be operated solely based on wireless authentication. If your company has a fleet of vehicles, it's about time to start paying serious attention to vehicle infosec.
Today, you can use a simple relay attack to steal a car. Tomorrow, when that car's onboard computers are tied into your cloud computing infrastructure for some reason or another, what will such an attack manage to unlock? The Internet of Things is coming for you. Down the highway. Don't get hit.
Don't Do Banking on Your Phone
As a general rule, we're not big on phone banking. Website-based banking from a hardened desktop operating behind layers of network-based defenses is one thing, but phones—especially Android phones—do not strike us as being something we'd trust with access to our life's savings.
This: Vulnerability in fully patched Android phones under active attack by bank thieves is a great example of why. And there's this one—not StrandHogg, just yet another Android security issue: This new Android malware comes disguised as a chat app.
As much as we're personally paranoid about using smartphones for banking, however, we're far more concerned about the possibility of access to corporate banking on these devices. The internet is littered with stories of bean counters getting duped into sending thousands—even millions—of dollars to a scammer based on nothing more than a phishing e-mail. There is no universe in which it’s rational to assume that those same individuals will somehow notice when their smartphone is infected.
It is worth seriously considering banning all banking apps—and all apps with the name of banks, etc.—from corporate smartphones. Education about banking application malware should be mandatory for everyone, and regularly updated.
Even if you are 100% certain that your bean counters won't give away the farm by playing Farmville, your employees are generally less productive if they get ctrl-alt-deleted by a fake Nigerian prince who managed to sneak something past Google Play's notoriously lousy application filters.
Holiday Cyberattacks on the Rise
Scammers try a new way to steal online shoppers’ payment-card data. This happened just after our last edition was written. At this festive time of year, more payment-skimming attacks are to be expected.
Crooks have lived up to (down to?) this expectation over the past two weeks. The one covered in this article tried something new-ish. "Rather than infecting a merchant's checkout page with malware that skims the information, the thieves trick users into thinking they've been redirected to an authorized third-party payment processor."
This is particularly unfortunate because it will probably create distrust about payment processors, which can be a more secure option "for smaller sites that don't have the resources to harden their servers against sophisticated attacks. That includes the rash of hacks coming from so-called Magecart groups that target the Magento ecommerce Web platform."
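Both variants described above change what the checkout page does: a skimmer adds script to it, and the redirect trick sends the shopper's card form to a host that is not the real processor. A merchant who knows which hosts its checkout page should talk to can diff a fetched copy of the page against that baseline. The following is an added example written for this newsletter, not code from the article or any product it names; the page host, allowlist, known inline-script hash and HTML are all constructed.

```python
"""Audit a checkout page for forms, scripts and inline code outside a known baseline.

Added example, not from the article or any vendor. A skimmer either injects
script into the checkout page or points the card form at a lookalike host, so
the check compares form targets, external script origins and SHA-256 hashes of
inline scripts against what the merchant knows it ships. Inputs are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class CheckoutPage(HTMLParser):
    """Collect form actions, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action", ""))  # "" posts to the page itself
        elif tag == "script":
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())


def host_of(url, page_host):
    """Host a URL resolves to; relative and scheme-relative URLs are handled."""
    parts = urlparse(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return f"<{parts.scheme}:>"  # javascript:, data: etc. are never expected here
    return (parts.hostname or page_host).lower()


def audit_checkout(html, page_host, allowed_hosts, known_inline_hashes):
    """Return (kind, value, detail) tuples for anything outside the baseline."""
    page = CheckoutPage()
    page.feed(html)
    page.close()
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for action in page.form_actions:
        host = host_of(action, page_host)
        if host not in allowed:
            findings.append(("form action", action, host))
    for src in page.script_srcs:
        host = host_of(src, page_host)
        if host not in allowed:
            findings.append(("script src", src, host))
    for body in page.inline_scripts:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("inline script", body[:40], digest[:16]))
    return findings


# Constructed baseline and page: hosts, hashes and markup are made up for this example.
SAMPLE_PAGE_HOST = "shop.example.test"
SAMPLE_ALLOWED_HOSTS = {"cdn.example.test", "pay.processor.test"}
SAMPLE_KNOWN_INLINE = {hashlib.sha256(b"window.cart = {};").hexdigest()}
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.example.test/app.js"></script>
<script>window.cart = {};</script>
<form id="pay" action="https://pay.processor.test/v1/charge" method="post"></form>
<form id="pay2" action="https://pay-processor-secure.test/charge" method="post"></form>
<script src="//stats.unknown.test/s.js"></script>
<script>document.forms.pay.addEventListener('submit', function () {});</script>
</body></html>
"""
```

On the constructed page the audit flags the second form (its action host is not the allowed processor), the scheme-relative script from an unknown host, and the second inline script, whose hash is not in the baseline; the first form, the CDN script and the known inline script pass. Running this against a copy of the live page on a schedule, and alerting on any non-empty result, is the detection side of the hardening advice later in this issue.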
Magecart malware is still going strong, as Salesforce’s Heroku Used to Host Magecart Skimmers, Stolen Cards and Smith & Wesson Web Site Hacked to Steal Customer Payment Info ably show.
So businesses have problems no matter how they choose to process online payments. Happy Holidays!
Update all the things. Put web application firewalls in place. Get a competent IDS/IPS. Did we mention patch all the things? Patch all the things. And maybe disable every feature and even every user access capability that doesn't absolutely need to be enabled for your ecommerce site to work.
Yes, this is one of those "it sucks, but it's time to just roll up your sleeves and do the work" moments. It sucks. But getting hit by this malware sucks even more.
Resource of the Week
Thinking of getting a security certification? There are many. This infographic might help you pick one.
Security Certification Progression Chart – SinecureLife - /r/cybersecurity
Video of the Week
For Laughs: Things That Just Shouldn't Be Connected to the Internet
- Cat door: "Getting DDoS'd by my cats - whose dumb idea was this cat flap?" – Norm Driscoll - @n0rm
- Toilet: "I promise I am not making this up. I have just been asked to upgrade the firmware for my new toilet." – Rory Sutherland - @rorysutherland
Cybersecurity Stocking Stuffer
EFF Passphrase Dice. Give someone the gift of stronger passphrases. Or just use these as projectiles against people who still use "passw0rd123". How they work: EFF Dice-Generated Passphrases
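The mechanics behind the dice are small enough to show in code. The EFF large wordlist pairs each word with a five-roll string from 11111 to 66666, so each word is one of 6^5 = 7776 equally likely choices and contributes log2(7776), about 12.9 bits. The following is an added example written for this newsletter, not EFF code: it maps rolls to list positions, parses the list's `rolls<TAB>word` file format, computes the entropy, and falls back to the `secrets` module when no physical dice are handy. The wordlist and file excerpt in it are constructed.

```python
"""Dice-to-word lookup and entropy arithmetic for diceware-style passphrases.

Added example, not EFF code. The EFF large wordlist has one word per five-roll
string from 11111 to 66666 (6**5 = 7776 entries), stored as "rolls<TAB>word".
The wordlist and file excerpt below are constructed stand-ins.
"""
import itertools
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def dice_to_index(rolls):
    """Map a roll string such as '12345' to a 0-based list position (base 6)."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError(f"expected {DICE_PER_WORD} digits in 1..6, got {rolls!r}")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def load_wordlist(text):
    """Parse 'rolls<TAB>word' lines into a dict keyed by the roll string."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rolls, word = line.split("\t")
        dice_to_index(rolls)  # raises on a malformed key
        words[rolls] = word.strip()
    return words


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def roll_dice(rng=secrets.randbelow):
    """Five fair dice as a roll string; rng(6) must return 0..5 uniformly."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(wordlist, n_words=6, rng=secrets.randbelow):
    """Draw n_words from a complete wordlist (one entry per roll combination)."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("wordlist must have exactly one entry per roll combination")
    return " ".join(wordlist[roll_dice(rng)] for _ in range(n_words))


# Constructed stand-in for the real list: 7776 placeholder words keyed by rolls.
# itertools.product yields rolls in lexicographic order, so word N sits at index N.
CONSTRUCTED_WORDLIST = {
    "".join(rolls): f"word{i}"
    for i, rolls in enumerate(itertools.product("123456", repeat=DICE_PER_WORD))
}

# Constructed excerpt in the real file's format; the words are chosen arbitrarily.
SAMPLE_FILE_TEXT = "11111\tabacus\n11112\tabdomen\n66666\tzoom\n"

if __name__ == "__main__":
    print(f"{entropy_bits(6):.1f} bits for six words")
    print(generate_passphrase(CONSTRUCTED_WORDLIST))
```

Six words come to about 77.5 bits, which is where the usual "six dice-words" recommendation comes from; the entropy figure only holds if the rolls are fair and independent, which is why the software fallback uses `secrets` rather than `random`.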
- HackerOne breach lets outside hacker read customers’ private bug reports
- Retailers, prepare wisely: DDoS remains a holiday threat
- Iranian hackers deploy new ZeroCleare data-wiping malware
- When Rogue Insiders Go to the Dark Web
- It’s Way Too Easy to Get a .gov Domain Name