Archive | June, 2016

Fansmitter Hacks Air Gaps – Daily Security Byte EP. 281

Back-channel attacks, where attackers exfiltrate information over unusual and hard-to-spot communication channels, are not new. However, I think they’re cool, if not a bit impractical. In this video, I cover the Fansmitter research from an Israeli university’s cyber security research team. I don’t think this type of attack will affect you any time soon, but it’s still a fascinating idea.

(Episode Runtime: 4:14)

Direct YouTube Link: https://www.youtube.com/watch?v=i62FCE0ydWA

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Dimension’s User Anonymization makes Data Protection Easy

Data privacy and protection is a BIG deal, and many countries are setting new regulatory standards for how to move, store, view, and report on data containing users’ personally identifiable information, or PII.

The European Union (EU) in particular is setting precedents with some of the most stringent data and privacy protection controls in the world. In April 2016, the EU Parliament officially adopted the General Data Protection Regulation framework, or GDPR, scheduled for full enforcement in two years. Obligations coming as part of the GDPR are significant, and accountability – especially regarding a business’s workforce – is an important component of compliance. Malicious insider activities are a major source of data abuse and breaches. “Encrypt everything” is a great start, but on its own it is just a band-aid solution for meeting compliance obligations: encryption at rest does nothing about an authorized insider who can read the decrypted data.

Among a new set of requirements, EU businesses will be required to demonstrate compliance with GDPR measures that include:

  • Appointing a Data Protection Officer, or DPO
  • Ensuring the pseudonymization of personal data – PII is processed so that it can no longer be attributed to a specific person without additional information, and that additional information is kept separately under technical and organizational controls.

WatchGuard’s Dimension™ visibility platform delivers a new User Anonymization feature that takes an organization’s ability to comply with the GDPR framework to the next level. The feature works very simply, is easily accessible and configurable, and was designed with GDPR compliance and the reality of insider threats in mind.

The best way to understand the new feature is to look at the screenshot below:

[Screenshot: Dimension “Blocked Clients” screen with User Anonymization enabled]

When enabled, User Anonymization works by dynamically replacing all PII – user names, IP addresses, host names, and mobile devices – in Dimension’s reports, dashboards, and summary pages with hashed placeholder text.
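The following is an added illustration of what replacing PII with hashed placeholders does and does not achieve; it is not Dimension’s code, and it assumes nothing about how Dimension derives its placeholders. The constructed log lines, field names and key are hypothetical. The point a practitioner should take from it: an unkeyed hash of a small input space (an IPv4 address, a short user name) is pseudonymization, not anonymization, because anyone can recompute the hash over every candidate value; a keyed hash (HMAC) whose key is held separately, for example by the person approving de-anonymization, closes that gap while still letting reports correlate the same user across lines.

```python
"""Pseudonymising PII fields in log records with a keyed hash, and why an
unkeyed hash of an IP address is trivially reversible.  Added illustration
with constructed data; not WatchGuard Dimension's implementation."""
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed sample records (hypothetical; not real Dimension output).
SAMPLE_LOGS = [
    "2016-06-20 10:01:02 user=alice src=10.0.0.15 host=alice-laptop action=allow",
    "2016-06-20 10:01:05 user=bob src=10.0.0.23 host=bob-pc action=deny",
    "2016-06-20 10:02:11 user=alice src=10.0.0.15 host=alice-laptop action=deny",
]

# Fields treated as PII in this toy format: user name, source IP, host name.
FIELD_RE = re.compile(r"\b(user|src|host)=(\S+)")


def new_key():
    """Secret for the keyed hash; in practice held by whoever approves de-anonymization."""
    return secrets.token_bytes(32)


def unkeyed_token(value):
    """Plain SHA-256 (truncated).  Anyone can recompute it from a guessed value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def keyed_token(key, value):
    """HMAC-SHA256 (truncated).  Recomputing it requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymise(line, key=None):
    """Replace each PII field value with a placeholder token.

    The same input always maps to the same token, so reports still correlate
    activity per user or host without showing who that user is.
    """
    def replace(match):
        field, value = match.group(1), match.group(2)
        token = keyed_token(key, value) if key is not None else unkeyed_token(value)
        return f"{field}={field[0]}_{token}"
    return FIELD_RE.sub(replace, line)


def reverse_unkeyed_ip(token, network):
    """Dictionary attack on an unkeyed token: recompute the hash for every
    address in a network the reports already reveal (a /16 is 65,536 guesses,
    all of IPv4 is 2**32).  Returns the address, or None if not found."""
    for ip in ipaddress.ip_network(network):
        if unkeyed_token(str(ip)) == token:
            return str(ip)
    return None


if __name__ == "__main__":
    key = new_key()
    for line in SAMPLE_LOGS:
        print(pseudonymise(line, key))
    # Unkeyed placeholder for a source IP falls to a small dictionary attack;
    # the keyed one does not without the key.
    print(reverse_unkeyed_ip(unkeyed_token("10.0.0.15"), "10.0.0.0/24"))
    print(reverse_unkeyed_ip(keyed_token(key, "10.0.0.15"), "10.0.0.0/24"))
```

Truncating the tokens to 12 hex characters keeps reports readable; it does not weaken the keyed variant against an attacker who lacks the key, since the secret is the key, not the token length.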

The Anonymization Officer, a new role available in Dimension to support GDPR compliance, was inspired by the Data Protection Officer (DPO) role introduced in the GDPR framework. The Anonymization Officer role was created in such a way that a technical or non-technical person can hold it, and it fulfills the “four-eyes” or two-logins approach to role-based access. For example, when an IT admin needs to de-anonymize Dimension, the admin would need approval from the Anonymization Officer. This avoids situations where a single person holds all the access to PII without any accountability or external verification.

Does your current solution provide such a comprehensive yet simple approach to data privacy protection? To find out more about WatchGuard’s solution, check out our User Anonymization Tech Brief. Also feel free to check out our Dimension demos – one with Anonymized Mode off and the other with it enabled. (They share the same login credentials.)

Note: WatchGuard Dimension is included at no charge with all Firebox and XTMv models.

Bart Ransomware – Daily Security Byte EP. 280

You might be sick of ransomware, but that won’t stop criminals from releasing new variants. Bart is the latest extortion malware that arrives as a zipped JavaScript file. Watch Monday’s Byte for a Firebox tip on how you might avoid this new threat. 

(Episode Runtime: 3:03)

Direct YouTube Link: https://www.youtube.com/watch?v=20VCvOgML-0

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Little Uber Hacks Snowball into Bigger Threats

Integrity, a UK- and Portugal-based security consulting firm, recently released some interesting research after participating in Uber’s bug bounty program. For those unfamiliar, bug bounties are a way for organizations to incentivize security researchers to responsibly disclose vulnerabilities in their products. By promising a bounty, organizations hope that researchers will work with them to resolve security issues instead of selling them on the underground to the highest bidder.

Last week Integrity shared their experience with Uber’s bug bounty program. They describe their process for identifying bugs in the different areas of Uber’s API and mobile apps, and responsibly disclosed several vulnerabilities, which Uber has since resolved. I highly recommend you read the article, but I’ll highlight some of their more notable findings below.

Uber sometimes offers promotional codes for discounted rides either to new users or as a part of emergency ride home programs with other ride share services. In their testing, Integrity discovered that Uber had no protection against “brute forcing” these promo codes in their application: the code-redemption endpoint accepted an unlimited number of guesses. Integrity quickly found over a thousand valid discount codes, but Uber’s security team initially turned the research away because they considered the promo codes public. It wasn’t until Integrity found a $100 code, intended for a Washington-based carpool community’s emergency ride home program, that Uber acknowledged the bug and resolved the brute force issue.

While intercepting traffic from the Uber cell phone app during an actual ride, Integrity also found that they could enumerate Uber User IDs by sending phone numbers to an Uber API designed to allow splitting ride fare bills. Paired with another bug, these User IDs were easily leveraged to return the personal email address of the associated Uber user.

Most frighteningly, Integrity found they could use a rider’s User ID (obtained from the previously mentioned bug) to find details about that user’s trips. The details included the date of the trip, the cost of the trip, and a map of the entire trip route. Putting these bugs together, armed only with a rider’s phone number, Integrity was able to ultimately see a scary level of detail on every Uber ride ever taken by that user.
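The two API weaknesses described above, unlimited promo-code guessing and account enumeration through the split-fare phone-number lookup, as an added illustration in a toy service; this is not Uber’s API or Integrity’s tooling, and the codes, users, phone numbers, endpoint names and limits are all constructed. The vulnerable class reproduces the behaviour the write-up describes; the hardened class shows the two fixes a practitioner would expect: a per-client attempt budget, and a lookup response that is identical whether or not the phone number belongs to an account, so the endpoint stops acting as an enumeration oracle.

```python
"""Toy ride-share API: promo-code guessing and phone-number enumeration,
each beside a hardened version.  Added illustration with constructed data;
not Uber's API or Integrity's test scripts."""
import time

# Constructed sample data (hypothetical codes, users and phone numbers).
PROMO_CODES = {"RIDE20": 20, "ERH100": 100, "SAVE10": 10}
USERS_BY_PHONE = {
    "+15555550100": {"user_id": 1001, "email": "alice@example.com"},
    "+15555550101": {"user_id": 1002, "email": "bob@example.com"},
}


class VulnerableApi:
    """No throttling, and responses differ depending on secret data."""

    def redeem(self, client, code):
        value = PROMO_CODES.get(code)
        return {"valid": value is not None, "discount": value}

    def split_fare(self, client, phone):
        user = USERS_BY_PHONE.get(phone)
        if user is None:
            return {"error": "no such user"}      # oracle: number is unregistered
        return {"user_id": user["user_id"]}      # oracle: registered, and ID leaked


class RateLimiter:
    """Fixed budget of attempts per client within a sliding time window."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic testing
        self._hits = {}

    def allow(self, client):
        now = self.clock()
        recent = [t for t in self._hits.get(client, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return False
        recent.append(now)
        self._hits[client] = recent
        return True


class HardenedApi:
    """Per-client throttling plus a uniform response on the lookup endpoint."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.invites = []           # server-side side effect, never returned

    def redeem(self, client, code):
        if not self.limiter.allow(client):
            return {"error": "too many attempts"}
        value = PROMO_CODES.get(code)
        return {"valid": value is not None, "discount": value}

    def split_fare(self, client, phone):
        if not self.limiter.allow(client):
            return {"error": "too many attempts"}
        user = USERS_BY_PHONE.get(phone)
        if user is not None:
            self.invites.append(user["user_id"])   # invite the user out of band
        # Same body whether or not the number is registered: no enumeration oracle.
        return {"status": "invite sent if that number belongs to an account"}


def guess_codes(redeem, client, candidates):
    """What an attacker's script does: try every candidate and keep the hits.
    Stops when the API starts refusing attempts."""
    hits = []
    for code in candidates:
        resp = redeem(client, code)
        if resp.get("valid"):
            hits.append(code)
        elif "error" in resp:
            break
    return hits


def enumerate_phones(split_fare, client, phones):
    """Attacker's enumeration: which numbers produce a distinguishable response."""
    return [p for p in phones if "user_id" in split_fare(client, p)]


if __name__ == "__main__":
    candidates = ["RIDE20", "NOPE01", "ERH100", "ZZZZZZ"]
    phones = ["+15555550100", "+15555550199", "+15555550101"]
    print(guess_codes(VulnerableApi().redeem, "attacker", candidates))
    print(enumerate_phones(VulnerableApi().split_fare, "attacker", phones))
    hardened = HardenedApi(RateLimiter(limit=2, window_seconds=3600))
    print(guess_codes(hardened.redeem, "attacker", candidates))
    print(enumerate_phones(hardened.split_fare, "attacker", phones))
```

In production the budget would be keyed on more than a client identifier the attacker controls (account, device, source address, or a combination), and the promo-code space itself matters: six characters of upper-case letters and digits is about 2.2 billion codes, so a few thousand valid codes are findable only if the endpoint answers guesses without limit.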

Luckily for Uber users everywhere, these vulnerabilities were responsibly disclosed to Uber and subsequently fixed. I think Integrity’s article shows an important example where small individual security issues can snowball together and become a large threat. Yes, enumerating User IDs for a web application is a potential privacy issue on its own, but it becomes critical when those User IDs can be converted into even more sensitive information about the users.

Uber did an excellent job working with the researchers at Integrity to quickly resolve these issues. I would urge anyone involved with application development to keep an open rapport with external security researchers. Internal QA will never catch everything, meaning external researchers are an important tool in protecting your product from the bad guys. –Marc Laliberte

Double Phishing Scam – Daily Security Byte EP. 279

A new double phishing scam is targeting ISPs and pirates. Watch Friday’s video to learn how attackers are tricking ISPs into making their phishing emails look even more legitimate. 

(Episode Runtime: 3:33)

Direct YouTube Link: https://www.youtube.com/watch?v=QDY7pRvJ4Bc

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Libarchive Vulnerabilities – Daily Security Byte EP. 278

Libarchive is an open source library for reading and writing archive formats. Much Linux software, and many distributions, use it. More importantly, many Linux-based appliances may also use it. Today’s video covers three vulnerabilities in this popular library, and what you should do about them.

(Episode Runtime: 1:45)

Direct YouTube Link: https://www.youtube.com/watch?v=cxWk6LVo_8E

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Tape Your Webcam – Daily Security Byte EP. 277

Security nerds like me often advise you to tape up your webcam when you’re not using it. However, many people think this is too paranoid. “Who’s going to spy on my computer?” they ask. Watch today’s video to hear why many experts, including Facebook’s founder, think we all should protect our video privacy… and stick around to the end of the video to learn how to get a free webcam cover.

(Episode Runtime: 3:14)

Direct YouTube Link: https://www.youtube.com/watch?v=R3LH2QuFACQ

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Tool Tip: ScriptSafe – Daily Security Byte EP. 276

In today’s video I share a quick security tool tip. NoScript is one of my favorite security extensions for Firefox, as it can help block web-based attacks by preventing scripts from running until you allow them. Unfortunately, it doesn’t work with other browsers. In the episode below, I cover ScriptSafe, a NoScript-like extension for Chrome.

(Episode Runtime: 2:25)

Direct YouTube Link: https://www.youtube.com/watch?v=4EGH78n3has

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

GoToMyPC Password Problem – Daily Security Byte EP. 275

There have been tons of big password leaks lately, like the ones that affected Twitter and LinkedIn. These leaks certainly suck for the people who use the affected sites, but they can also affect the industry as a whole. Watch today’s video to learn how password leaks combined with password reuse have led to problems for GoToMyPC users.

(Episode Runtime: 1:58)

Direct YouTube Link: https://www.youtube.com/watch?v=VZJs1UpwLvE

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

DNC Hack Drama – Daily Security Byte EP. 274

Early last week, the Democratic National Committee admitted they were hacked. Later, a security team blamed the attack on two Russian hacking groups. Now, another hacker claims credit for the attack and shares some sensitive documents to prove it. Watch the video below to learn a bit about this hacking drama, and whether or not there is anything we can learn from it.

(Episode Runtime: 3:16)

Direct YouTube Link: https://www.youtube.com/watch?v=IQrOeUxando

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)
