Privacy Concerns With Facebook’s iPhone App

I just wanted to give everyone a quick example of why you should always exercise caution when modifying an application’s privacy settings.

Facebook is rolling out a feature in the US that allows people to automatically identify and share things they’re listening to or watching. It’s important to keep in mind that this leveraging this feature requires that you grant Facebook access to your iPhone’s microphone. This means that Facebook will turn on your microphone every time you write a status update. It is worth considering the sacrifice in privacy compared to the convenience that you gain by leveraging this feature. Is it really worth allowing an organization to hear your conversations just so you can gain the ability to easily share what TV show you’re watching?

Facebook has stated that they do not record or archive these transmissions. However, using this feature requires that you trust that a 3rd-party (Facebook) will handle your data appropriately. Do you really need to provide them with this data? Does it really save you that much time to have your background noise automatically analyzed? These are questions you should ask yourself prior to providing Facebook with this level of access.

Privacy vs. Convenience

I’ve lost track of how many useful cloud-based services I have signed up for within the last few years. I can’t picture my life without products like Uber, FancyHands and Gmail. It often surprises people to find out that these products are free or very inexpensive. If they’re giving the service away for free or at a very low cost, how can the companies make money?

Typically, a service provider is able to gain a substantial profit based on the fact that they are able to harvest your data. Imagine what an advertiser could gain just by learning information about your latest Uber ride. When using a service provider, it’s important to ask yourself, is the convenience worth the sacrifice of your privacy? While it’s possible that not all of these service providers are harvesting or selling your data, it’s worthwhile to at least consider your loss of control.

Personally, I have found that there are circumstances in which I am willing to sacrifice my privacy for a cheaper and more effective product. I feel that the convenience of being able to order a cab with the touch of a button on my phone is worth the risk of another corporation learning details about my trip. Another circumstance in which I am willing to forgo a bit of my privacy to gain a convenience would be my use of a “savings card” at my local grocery store. I have no doubt that they are tracking and analyzing my purchases. However, I have always felt that it is worthwhile to share my purchase history with the grocery store due to the discounts that they provide for using the “savings card”.

Despite the fact that I am often willing to forgo my privacy in an attempt to gain access to a service offering, there are products that I do not feel that the offered convenience warrants the loss of control over my personal information. For example, I recently looked into leveraging a service that could automatically unsubscribe me from a number of subscription emails. As annoying as those emails can be, I didn’t feel that the convenience of this service was worth letting a 3rd party parse through all of my emails.

Each time my personally identifiable information (PII) is exposed to attackers as a part of a data breach, I become more likely to voluntarily share my personal information with a 3rd party in an effort to gain a convenience. Next time you prepare to sign up for a free or discounted service, be sure to take a few extra moments to decide whether or not you are willing to expose your private information to gain access to the service. After all, there’s no such thing as a free lunch.

State Of Security Podcast Episode 4

We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.

Give it a listen and let us know what you think!

Thanks for supporting the podcast!

3 Books Security Folks Should Be Reading This Spring

I just wanted to drop 3 books here that I think infosec folks should check out this spring. As always, reading current material is an excellent way to keep your skills moving forward and allows you new perspectives on business and security matters. Even books from outside the security domain are useful for insights, new perspectives or indirect references.

Here’s what I suggest you check out this spring:

1. Antifragile by Taleb – This book will set your mind on fire if you are a traditional risk assessment person. It is astounding, though often difficult to read, but the ideas are a logical conclusion of all the previous Taleb theories from the Black Swan series. Beware, though, the ideas in this book may change the way you look at risk assessment, prediction and threat modeling in some radical ways! Long and tedious in spots, but worth it!

2. Linked: The New Science of Networks by Barabasi & Frangos – This book is an excellent mathematical and scientific discussion of networks, both logical and physical. It describes the sciences of graph theory, link analysis and relational mapping through easy to read and quite entertaining story telling. Given the rise of Internet of Things environments, social networks and other new takes on old-school linked networks, this is a great refresher for those who want to re-cover this territory with modern insights.

3. Hacking Exposed 6 by Scambray – That’s right, go old-school and go back and learn how penetration techniques from some of the best general hacking books in the industry. HE6 is an excellent book for covering the basics, and if there is anything all infosec folks need, it is a strong grasp of the basics. Learn and master these techniques in your lab. Work through the examples. Go ahead, we’ll wait. Have fun, and learn more about how bad guys still pwn stuff. Lots of these techniques or variants of them, are still in use today!

There you go, now get reading! 🙂 

How to Use Risk Assessment to Secure Your Own Home

Risk assessment and treatment is something we all do, consciously or unconsciously, every day. For example, when you look out the window in the morning before you leave for work, see the sky is gray and decide to take your umbrella with you, you have just assessed and treated the risk of getting wet in the rain. In effect, you have identified a threat (rain) and a vulnerability (you are subject to getting wet), you have analyzed the possibility of occurrence (likely) and the impact of threat realization (having to sit soggy at your desk), and you have decided to treat that risk (taking your umbrella) risk assessment.

However, this kind of risk assessment is what is called ad hoc. All of the analysis and decision making you just made was informal and done on the fly. Pertinent information wasnt gathered and factored in, other consequences such as the bother of carrying the umbrella around wasnt properly considered, other treatment options werent considered, etc. What business concerns and government agencies have learned from long experience is that if you investigate, write down and consider such factors rationally and holistically, you end up with a more realistic idea of what you are really letting yourself in for, and therefore you are making better risk decisions formal risk assessment.

So why not apply this more formal risk assessment technique to important matters in your own life such as securing your home? Its not really difficult, but you do have to know how to go about it. Here are the steps:

1. System characterization: For home security, the system you are considering is your house, its contents, the people who live there, the activities that take place there, etc. Although, you know these things intimately it never hurts to write them down. Something about viewing information on the written page helps clarify it in our minds.

  1. Threat identification: In this step you imagine all the things that could threaten the security of your home and family. These would be such things as fire, bad weather, intruders, broken pipes, etc. For this (and other steps in the process), you can go beyond your own experience and see what threats other people have identified (i.e. google inquiries, insurance publications).

  2. Vulnerability identification: This is where you pair up the threats you have just identified with weaknesses in your home and its use. For example, perhaps your house is located on low ground that is subject to flooding, or you live in a neighborhood where burglaries may occur, or you have old ungrounded electrical wiring that may short and cause a fire. These are all vulnerabilities.

  3. Controls analysis: Controls analysis is simply listing the security mechanisms you already have in place. For example, security controls used around your home would be such things as locks on the doors and windows, alarm systems, motion-detecting lighting, etc.

  4. Likelihood determination: In this step you decide how likely it is that the threat/vulnerability will actually occur. There are really two ways you can make this determination. One is to make your best guess based on knowledge and experience (qualitative judgement). The second is to do some research and calculation and try to come up with actual percentage numbers (quantitative judgement). For home purposes I definitely recommend qualitative judgement. You can simply rate the likelihood of occurrence as high, medium or low risk.

  5. Impact analysis: In this step you decide what the consequences of threat/vulnerability realization will be. As with likelihood determination, this can be judged quantitatively or qualitatively, but for home purposes I recommend looking at worst-case scenarios. For example, if someone broke into your home, it could result in something as low impact as minor theft or vandalism, or it could result in very high impact such as serious injury or death. You should keep these more dire extremes in mind when you decide how you are going to treat the risks you find.

  1. Risk determination: Risk is determined by factoring in how likely threat/vulnerability realizations is with the magnitude of the impact that could occur and the effectiveness of the controls you already have in place. For example you could rate the possibility of home invasion occurring as low, and the impact of the occurrence as high. This would make your initial risk rating a medium. Then you factor in the fact that you have an alarm system and un- pickable door locks in place, which would lower your final risk rating to low. That final rating is known as residual risk.

  2. Risk treatment: Thats it! Once you have determined the level of residual risk, it is time to decide how to proceed from there. Is the risk of home invasion low enough that you think you dont need to apply any other controls? That is called accepting risk. Is the risk high enough that you feel you need to add more security controls to bring it down? That is called risk limitation or remediation. Do you think that the overall risk of home invasion is just so great that you have to move away? That is called risk avoidance. Do you not want to treat the risk yourself at all, and so you get extra insurance and hire a security company? That is called risk transference.

So, next time you have to make a serious decision in your life such as changing jobs or buying a new house, why not apply the risk assessment process? It will allow you to make a more rational and informed decision, and you will have the comfort of knowing you did your best in making the decision. 

Thanks to John Davis for this post.

State Of Security Podcast Episode 3 is Now Available

Episode 3 of the podcast is now available!

In this edition, I sit down with Bill @Sempf to discuss application security, working with development teams and how to get security and dev folks on the same page. Bill goes so far as to recommend a simple 2 step process that you simply have to hear!

Check it out:

And give us feedback on Twitter (@lbhuston) about this and all other episodes or ideas you have about what you would like us to cover. Thanks for listening!  

How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

Young IT Professionals, Cybercrime, Script Kiddies & CyberWarriors, OH MY!

Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.

I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, ala Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help war lords recover from battle. I suppose it is an age old balancing act.

I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be waging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs and Bill Gates could only emerge within a specific time line of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not….

It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂

Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.

Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that the most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:

  • Access control issues such as default and blank passwords mistakenly left on the network during administration, open files shares or anonymous FTP sites that may contain private data or user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you chose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as Phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Save The Date: 2014 ICS/SCADA Security Symposium Dec. 11

This year’s ICS/SCADA Security Symposium will be held on Thursday, December 11, 2014. This year’s event will be a little different, in that we are opening it up to any organizations who are asset owners or manufacturers of ICS/SCADA components. That includes utilities, manufacturing companies, pharma, etc. If you are interested in ICS security, you can sign up for the event.

This year’s event will also be virtual. It will be a series of Webinars held on the same day in 45 minute blocks, with time for follow-on questions. We will also hold a Twitter Q&A Hour from 1pm – 2pm Eastern, and we will attempt to make all speakers available for the Q&A!

In addition, we plan to stand up a supporting website for the event, and release a number of materials, including podcasts, interviews and other surprises the day of the event!

We will be tracking attendance in the webinars and providing notes of attestation for attendees for the purpose of CPE credits. We hope this new format will allow folks who wanted to attend in the past, but either couldn’t make the physical trip to Columbus or couldn’t leave their positions to attend training the ability to join us.

More details, including speakers and topics, as well as schedules, hashtags and other info will be released shortly. Thanks for reading, and we hope to see you on 12/11/14!