Monday, October 05, 2015

Experian data breach exposes the supply chain security fustercluck

Experian bills itself as “the UK’s most trusted credit monitoring service” but, in the light of the data breach that has compromised the records of some 15 million T-Mobile (US) customers, it might have to reconsider that description on the other side of the pond. The as yet unknown hacker, or hackers, managed to acquire the records of customers and applicants requiring a credit check (successful or not) for service or device financing between the 1st of September 2013 and September 16th 2015. Just for the record, yes, you did read that right. To pour a little more accelerant onto the flames, the breach was not revealed to customers until 1st October. Which makes another Experian strapline, this time from the Experian Data Breach Response Service, seem equally irrelevant: “Respond, reassure and recover quickly in the event of a data breach.” Yeah right… T-Mobile CEO John Legere is pretty angry and says the stolen data includes customer name, address and birth date as well as encrypted fields with Social Security number and ID number (which might be a driver’s license or passport), as well as additional information used in T-Mobile’s own credit assessment. “Experian has determined that this encryption may have been compromised,” Legere admits, going on to state that “I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian”, as well as the usual stuff about assisting customers and taking security seriously, of course. Legere also took the opportunity to assure customers that “neither T-Mobile’s systems nor network were part of this intrusion”. So that’s OK then! Is Experian really so self-important that it thinks people should trust it when it comes to mopping up this mess?
Less OK, for many observers, is the fact that while that relationship review is made, T-Mobile has gone ahead and told customers impacted by the breach that they can have a couple of years of free credit monitoring and identity resolution service from, are you sitting down, the very company that allowed their data to be compromised in the first place.

Tuesday, September 29, 2015

Browser-based Layer 7 DDoS: inside the Chinese smartphone ad attack

DDoS mitigation experts CloudFlare have revealed that, when it comes to the attack surface, theory has once again turned into reality with an attack by Chinese smartphones. How does 275,000 HTTP requests per second grab you? Or, put another way, some 4.5 billion requests in a single day against a single domain. By any measure, that’s one heck of a denial of service attack right there. That it originated from a botnet of more than 600,000 unique IPs only adds to the intrigue, especially when the vast majority of the traffic (some 80 per cent) was coming by way of mobile devices. Most of them, 98 per cent, were based in China.

Simply put, the smartphone browser would be served an iframe as a container for the advert, complete with malicious JavaScript code. This then caused the mobile device to start flooding the target domain with XMLHttpRequest (XHR) requests, XHR being an API available to browser scripting languages.

So what is a Layer 7 DDoS attack then? The clue is writ large in the name, and anyone familiar with the Open Systems Interconnection (OSI) network model will immediately know that layer 7 is the application layer. I’m not going to go into great detail about the OSI model, there’s plenty of information out there and Wikipedia is probably as good a place as any to start if you want to dig into it, but suffice to say it’s a framework consisting of seven layers that are responsible for transporting data from the client to the server and back again. Importantly, each of these layers carries out an assigned function and is essentially its own protocol. Layer 7, as already mentioned, is the application layer, and a DDoS attack here can be hard to spot because the requests mimic human interaction with the UI quite well. Theoretically, a Layer 7 DDoS attack might target an individual website element such as a logo and keep downloading it.
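An XHR loop in an ad iframe hits the same URL from one client far faster than any person browsing, which is what a server-side detector can key on. The following is an added example, not code from CloudFlare or from the original post: it parses constructed combined-format access log lines and flags (source IP, path) pairs whose per-second request count exceeds a threshold, reporting the share of mobile user agents among them. The log lines, IP addresses and user-agent strings are constructed for the example.

```python
import re
from collections import Counter

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_l7_floods(lines, max_rps=20):
    """Flag (ip, path) pairs exceeding max_rps requests in any one-second bucket.

    Returns a dict mapping each flagged (ip, path) to a tuple of
    (peak requests in one second, share of requests with a mobile user agent).
    The timestamp field has one-second resolution, so it serves as the bucket.
    """
    per_second, mobile, total = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash
        key = (rec["ip"], rec["path"])
        per_second[key + (rec["ts"],)] += 1
        total[key] += 1
        if "Mobile" in rec["ua"] or "Android" in rec["ua"]:
            mobile[key] += 1
    flagged = {}
    for (ip, path, _ts), n in per_second.items():
        if n > max_rps:
            key = (ip, path)
            peak = max(flagged.get(key, (0, 0.0))[0], n)
            flagged[key] = (peak, mobile[key] / total[key])
    return flagged

# Constructed sample: one phone stuck in an XHR loop, one ordinary desktop visitor.
UA_PHONE = "Mozilla/5.0 (Linux; Android 5.1; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36"
UA_DESK = "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/Sep/2015:10:00:00 +0000] "GET /api/target HTTP/1.1" 200 12 '
    f'"http://ad-network.example/iframe.html" "{UA_PHONE}"' for _ in range(60)
] + [
    f'198.51.100.9 - - [29/Sep/2015:10:00:00 +0000] "GET /page{i} HTTP/1.1" 200 512 '
    f'"-" "{UA_DESK}"' for i in range(3)
]

if __name__ == "__main__":
    for (ip, path), (peak, mob) in find_l7_floods(SAMPLE_LOG).items():
        print(f"flood: {ip} -> {path}, peak {peak} req/s, mobile share {mob:.0%}")
```

On real logs the threshold wants tuning per endpoint, and a high mobile share plus an ad-network referer on the flagged pairs is the pattern described above rather than proof on its own.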

Monday, September 28, 2015

Get real, China's cybercrime accord with the US will change nothing

China president Xi Jinping agreed a truce on cybercrime with US President Barack Obama last week, a little different to the talk leading up to the event of a 'cyberwar accord' between the world's two most powerful nations. There is more chance of Donald Trump saying something that isn't offensive or ignorant than there is of a cyber-peace treaty stopping anything remotely cyber-warfare related in times of war, which is probably why the two political and economic giants didn't go there. Instead, they travelled down a similar but different road: the two agreed that 'cyber economic crime' must stop. While both countries adopt a ludicrous position of 'I didn't do it' when it comes to launching any kind of cyber attacks against the other, be that industrial espionage or more traditional information spying raids, both also say the other must stop or there will be sanctions. Obama spoke of a common understanding between the US and China that neither country would "conduct or knowingly support cyber-enabled theft of intellectual property", after warning that Chinese cyber attacks are not acceptable, and Xi Jinping happily agreed that "confrontation and friction are not the right choice for both sides" and insisted both countries would abide by "norms of behaviour." To which my response is a big fat SO WHAT?

Are AI and “deep learning” the future of, well, everything?

You might not know it, but machine learning already plays a part in your everyday life. When you speak to your phone (via Cortana, Siri or Google Now) and it fetches information, or you type in the Google search box and it predicts what you are looking for before you finish, you are doing something that has only been made possible by machine learning. However, this is just the beginning: with companies such as Google, Microsoft and Facebook spending millions on research into advanced neural networks and deep machine learning, computers are set to get smarter still. But deep learning isn't about self-aware machines taking over the world. This is a story about how ingenious algorithms and code are giving computers the ability to do things we never previously thought possible.

Thursday, September 24, 2015

Laying the foundations for Internet of Things security

There’s no point being an Internet of Things denier, it’s too late for that. It’s not too late, however, to start accepting that security could be a lot better. Which is where the launch of the Internet of Things Security Foundation comes in. There’s no ignoring the Internet of Things (IoT), you only have to look at the numbers to understand why: Intel reckons 200 billion objects (or 26 smart objects for every human being on Earth) will be part of the IoT by 2020, and Siemens reports that this will equate economically to earnings of up to US $8.9 trillion by the same year. It should come as no surprise, then, that everyone is talking about the IoT; including IT Security Thing Managing Director, Ian Robson, with his ‘Internet of Good Things’ organisation that is creating a community of like-minded IoT thinkers and doers. While I wouldn’t go as far as flipping Ian’s naming protocol a complete 360 and referring to it as an ‘Internet of Evil Things’, there are certainly things to worry about as well as celebrate. Not least the fact that many IoT devices have already proven themselves to be vulnerable to attack by those who would exploit them: from hacking into baby monitors through to hijacking smart toilets and router backdoors, to name but a few.

GreenDispenser ATM malware with added 2FA

What if you could just walk up to an ATM and rob the bank right there? What if you also used two-factor authentication to stop other robbers doing the same? That’s what Proofpoint researchers have discovered is happening with GreenDispenser ATM malware. Proofpoint researchers have published details of a new ATM malware campaign that they have called GreenDispenser. This works in much the same way, in that it requires physical access to install and enables a thief to walk up, type in, and walk away with cash. Lots of cash. GreenDispenser-infected machines will display an out-of-service message, but the attacker can bypass this by entering the right codes. Even better for the thief, and a lot worse for the machine provider, the whole process can be wiped using a ‘deep delete’ routine that leaves little for investigators to trace back. Currently the attacks appear to be limited mainly to Mexico, although India is implicated as well, and the malware appears to be able to target hardware from multiple vendors as long as they use the XFS standard adopted by large numbers of them.

Monday, September 21, 2015

Bugzilla patch for PerimeterX privilege problem

Firefox, the browser client not the crappy Clint Eastwood movie, is built upon a background of open collaboration. Mozilla, which describes itself as “a global community of technologists, thinkers and builders working together to keep the Internet alive and accessible, so people worldwide can be informed contributors and creators of the Web”, is the organisation behind Firefox. According to Mozilla, around 40 per cent of the Firefox codebase is written by volunteers. According to Richard Barnes, the Firefox security lead at Mozilla, the Bugzilla bug tracker is “a major part of how we accomplish our mission of openness” and, while much of the Bugzilla information is in the public domain, “Bugzilla restricts access to security-sensitive information so that only certain privileged users can access it.” At the start of September, Mozilla revealed that not only had Bugzilla been breached but the security-sensitive information stolen had been used to attack Firefox users. It seems that a Bugzilla account was compromised and a particular vulnerability being discussed was exploited. Although Richard Barnes states that the account was closed down “shortly after Mozilla discovered that it had been compromised”, there is no indication of how long it had been actively compromised. However, the version of Firefox released on 27th August is said to have fixed all of the vulnerabilities that could have been exploited using the information gleaned by the attacker. Mozilla immediately took steps to reduce the risk of future attacks on Bugzilla, the first being the forced introduction of two-factor authentication along with a password change for all users with access to security-sensitive data. On top of that, Mozilla announced that it would be reducing the number of privileged-access users and reducing what they can actually do.
In the words of Richard Barnes “we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.” Which is where Netanel Rubin, senior vulnerability researcher at PerimeterX, came in asking the question whether Bugzilla was actually as secure as it should be. To cut a long story short, it wasn’t. Are you sitting comfortably? Good, then the long story can begin.