Pointers for Mobile App Certificate Pinning

We often get questions about Certificate Pinning in mobile applications. Many clients find the issue difficult to explain to other teams.

You can find really great write ups, and an excellent set of source code examples for fixing this issue – as well as explaining it – at this OWASP.org site.

At a super high level though, you basically want your mobile application to validate the SSL certificate of the specific server(s) that you want it to talk to, and REJECT any certificates that do not match the intended server certificate – REGARDLESS of whether or not the underlying OS trusts the alternative certificate.

This will go a long way to hardening the SSL communication streams between the app and the server, and will not permit easy interception or man-in-the-middle attacks via a network provider or hostile proxy server.

Updates to the app source code are needed to mitigate the issue, and you may need to update apps in the app stores, depending on the way your app is delivered.

As always, if you work with MSI on mobile app security reviews or application-specific penetration testing, we would be happy to demonstrate the attacks and suggested mitigations for any identified issue. Just let us know if you would like assistance.

As always, thanks for reading and I hope your team finds this useful.

Sometimes, It Happens…

Sometimes things fail in interesting ways. Sometimes they fail in dangerous ways. Occasionally, things fail in ways that you simply can’t predict and that are astounding.

In a recent assessment of a consumer device in our lab, we found the usual host of vulnerabilities that we have come to expect in Internet of Things (IoT) devices. But, while testing this particular device, which is also tied to a cloud offering for backup and centralization of data – I never would have predicted that a local device would have a full bi-directional trust with a virtual instance in the cloud.

Popping the local device was easy. It had an easy to compromise “hidden” TCP port for telnet. It took my brute force tool only moments to find a default login and password credential set. That’s pretty usual with IoT devices.

But, once I started poking around inside the device, it quickly became apparent that the device configuration was such that it tried to stay continually connected to a VM instance in the “cloud storage and synchronization” environment associated with the device and vendor. How strong was the trust? The local device had mount points on the remote machine and both systems had full trust to each other via a telnet connection. From the local machine, simply telnet to the remote machine on the right port, and without credential check, you have a shell inside the cloud. Not good…

But, as clear of a failure as the scenario above was, the rabbit hole went deeper. From the cloud VM, you could see thousands of other VMs in the hosted cloud environment. Connect from the VM to another, and you need the default credentials again, but, no sweat, they work and work and work…

So, from brute force compromise of a local piece of consumer hardware to a compromise of thousands of cloud instance VMs in less than 30 minutes. Ugh… 

Oh yeah, remember that storage centralization thing? Yep, default credentials will easily let you look through the centralized files on all those cloud VMs. Double ugh…

Remember, I said bi-directional? Yes, indeed, a connection from a VM to an end-point IoT device also works with assumed trust, and you get a shell on a device with local network visibility. Now is the time you kinda get sick to your stomach…

These kinds of scenarios are becoming more common as new IoT devices get introduced into our lives. Yes, the manufacturer has been advised, but, closing the holes will take a complete redesign of the product. The moral of this story is to pay careful attention to IoT devices. Ask questions. Audit. Assess. Test. There are a lot of bad security decisions being made out there in the IoT marketplace, especially around consumer products. Buyer beware!

Custom Security and Business Intelligence at Your Fingertips

We have decided to bring what has been a service offering to very select clients for the last several years to availability for all of our clients and the public.

For years, several of our clients have been enjoying custom security intelligence driven by the MSI TigerTrax™ analytics platform and our dedicated team of analysts and subject matter experts. The research and analysis work the team has been performing has been focused on agendas like:

  • competitive analysis
  • economic industry scale market analysis
  • consumer behavior, demographic or psychographic profiling
  • organizational human network data flows and relationship mapping
  • gathering data for marketing and sales opportunities on a global scale
  • dark net data raids
  • trend and disruptive technology assessments
  • scalability & DRM techniques
  • piracy and underground market analyses
  • and even assessments of threats against brands, nation-states and multi-national cooperatives

Our team has robust expertise to gather, profile, mine, visualize and analyze public or private data en masse for your organization.

Want customized threat data about your brands, on a global scale, updated monthly with new findings from the public, deep and dark web spaces? We can do that.

Want large amounts of competitive market data gathered, visualized and summarized? We can do that too. 

Need daily briefings on a set of specific trends, geo-locations or products? Our experts are experienced at producing it.

Desire to have entire market segments deconstructed, profiled and researched to find vendors, trends and critical relationships up to 3 levels away from the core processes? We’ve done that now for multiple industries.

How about a customized monthly briefing of industry wide changes, summaries of events and monitoring of specific sets of questions your organization may have around critical topic areas? We have done this for clients across multiple industries.

Basically, if your organization would like to have customized research, analysis and intelligence – and we aren’t talking about lists of indicators of compromises and such – but REAL WORLD operational intelligence for optimizing your products, services or marketing, then we may be able to assist you. If you need a larger world view than the data you have now permits, we may be able to solve that for you. If you need to match your organization’s internal data-driven views with the views of the public or smaller groups of the public, we may be able to turn those efforts into insights.

If any of this sounds interesting and useful, join us for a cup of coffee or a conference call, and let’s talk about your needs and our capabilities. We have been performing these services for years for a select few clients, and are now ready to open these capabilities to a wider audience. To schedule a discussion, drop us a line at info@microsolved.com, hit our website at microsolved.com and click on the request a quote button or give us a call at (614) 351-1237 today. We look forward to talking with you.

Attention to Privacy Issues Growing

From the board room to main street, digital privacy is becoming more and more of a hot topic.

Organizations have been asking us to discuss it with steering committees and boards. Our intelligence team has been performing privacy-related recon and other testing engagements for the last several years. More and more of our security engagements are starting to include elements of privacy concerns from organizations and individuals alike.

In the mainstream media, you have articles being pushed heavily like this – which discusses supposedly stolen NSA technology for monitoring, to discussions of personal privacy from the likes of Tim Cook, CEO of Apple.

As such, security teams should take the time to verse themselves in the privacy debate. It is likely that management and boards will be asking in the near future, if they aren’t already, for advice on the topic. This is a fantastic opportunity for security teams to engage in meaningful discussions with organizational leaders about a security-related topic on both a professional and personal scale. It might even be worth putting together a presentation, preemptively, and delivering it to the upper management and line managers around your company.

With so much attention to privacy these days, it’s a great chance to engage with people, teach basic infosec practices and have deep discussions about the changing digital world. That’s what your security team has been asking for, right? Now’s the time… 🙂 

Microsoft Making 2FA Easier with New App

Make sure you check this out if you use any of the Microsoft 2 factor authentication tools – they just released a new app for mobile devices to make their previously very painful mishmash of authentication tools easier!

I know a lot of clients and readers use the existing Microsoft authentication tools, so I will be eager to play with this and see just how much easier they have made it. Do you think it stands up to their claims of simplification? Let me know on Twitter (@lbhuston) what you come up with when you try it… 

Tips on Reducing Human Error Risks

One of the largest risks that organizations face is human error. The outcome of human errors show themselves in security, architecture, business operations, IT & non-IT projects, etc. The list goes on and on. You can read more about the impacts of human error on infosec here and here.

It’s important to understand some of the reasons why these errors occur, especially when critical projects or changes are being considered.

Some of the high level things to think about:

  • Physical fatigue – this is likely the leading cause of human errors, workers may not be getting enough sleep or downtime, especially during critical projects when stress and demands may be high, not to speak of their personal lives – organizations should allow for key resources to have adequate downtime to reduce errors during critical projects
  • Decision fatigue – the more decisions that someone has to make, the worse their decisions get over time – just like physical fatigue, preserving their decision making capability should be a consideration during critical projects for key resources
  • Lack of time on task – in many organizations, critical project key personnel are often called to meeting after meeting to discuss, plan or execute parts of the project – when this minimizes their time on task to perform the research, work or development for the project then quality suffers – at the very least, it may aggravate the other problems of fatigue; organizations should focus key resources on time on task to up the quality of their work during critical projects
  • Lack of peer review – peer review is an essential control for human error, since it can catch such usual conditions as typos, missing words, simple mistakes in logic, etc. Critical projects should always include several layers of peer review to ensure higher quality of the process or outcome
  • Lack of preparation for failure – many critical projects suffer from this form of error as many people assume that their plans will be successful, but failure occurs often, and the more complex the systems or plans, the more likely it is to occur – have a contingency plan to prevent emotional decisions which can deeply impact quality and successful outcomes

There are many other issues around human error in critical projects and even more in day to day operations. But, these seem to be the most prevalent and immediate issues we see around critical projects with clients in the last few years. 

How does your team manage human errors? What controls have you implemented? Share with us on Twitter (@microsolved, @lbhuston) and we may write about it in future posts. As always, thanks for reading! 

80/20 Rule of Information Security

After my earlier this post about the SDIM project, several people on Twitter also asked me to do the same for the 80/20 Rule of Information Security project we completed several years ago. 

It is a list of key security projects, their regulatory mappings, maturity models and such. Great for building a program or checking yours against an easy to use baseline.

Thanks for reading, and here is where you can learn more about the 80/20 project. Click here.

Remember the Stolen Data Impact Model (SDIM)

Just a quick reminder about the work we did a few years ago on the Stolen Data Impact Model (SDIM) project. 

Many clients continue to use the project, the analysis sheet and the insights across their incidents. 

To learn more, here is quick and easy category search with the relevant links. Click here.

As always, thanks for reading and a huge thanks for supporting MSI! 

Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here’s a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Thanks to Columbus State Community College & Get Involved

On Tuesday, I spoke at Columbus State Community College to a group of high and middle school teachers about digital crimes, black market economics and cyber-ethics. We had fantastic discussions and as teachers, they were amazingly engaged with myself and my content. I have never taught a more enthusiastic group of folks.

They asked a lot of questions; mostly about crime, motivation and the techniques of criminals in the digital world. But, they also asked for critical lessons that they could take back to their students and use in their own classrooms. Kudos for that!

If you want to get involved in the program, please contact @sempf on Twitter for more info. They are always looking for great speakers, excellent content and especially women with experience in STEM related careers. Thanks so much to Columbus State for having me. I was honored and thrilled to participate in the GenCyber program. Thanks to @sempf for the photo!

Co3J RfW8AAem8l