Tuesday, June 19, 2018

Cross your fingers "security" the current gold standard.

It's mid week, not even a Friday and things are heating up.

Headline: "Enterprises take huge risks with our personal data".   Please.

Not a big surprise to security professionals as we are constantly "fighting" for adequate security.

By adequate, I mean normal, sensible, security.

I was contacted by several journalists this morning with regards to a services portal that operates in the municipal space as an SAAS provider. 

This "service" manages something to do with leisure activities.  I don't want to name them since I like my enemas handled by qualified doctors and not legal teams with an absence of comprehension of security hygiene means.

So this portal supports 100's of municipalities and has 100's of thousands of users, yet security was never addressed.

Why do I say "never addressed", simple.... I cannot say never reviewed, because I do not know if these things where simply ignored or judged not important at the time, or if they simply did not know.

I'm actually still on the fence with which I like best, someone who lies to me or someone who is incompetent.

The issue is simple (and multiple issues should have been identified by a qualified security expert).

For one, the site uses a sequential ID in the calling URL.  This means (you guessed it), changing the ID means accessing someone else's file.




That alone is already an issue, but it gets worst.

You don't need credentials to get to it.  Anyone can create an account without any email validation, so once you have created your fake account, you can read everyones file.

But wait !  There is more!

The personal data includes home address, phone number, birthdate, medical conditions and allergies !

But wait !  There is yet more!

Social insurance numbers are not only stored non hashed within the database but it is returned to your browser when you view your file (or anyone's file since you can change the ID number to "see" someone else's file).

Here is the awesome protection on that one field..... it is return with the awesome html type = "HIDDEN" so it doesn't display on your screen  ;-)




So what is the lessons learnt here....

1) Municipalities (and private sector) should not trust an SAAS provider just because they say "everything is fine.  "These are not the drones you are looking for" is not a security approach.

2) If the SAAS provider tells you they have awesome security because they are hosted as a CLASS 1 datacenter called AZURE, AWS, GOOGLE, etc.   run !  The means they do not grasp that the security of their hosting provider is only the plumbing section and it means nothing as far as the "quality" application that the provider is throwing on top of the certified infrastructure.

3) Security testing is a MUST and it must be performed by someone qualified.  

4) Account creation should be limited to valid email addresses

5) Authentication mechanisms should limit the sessions visibility into data (certainly no client side security)

6) Being a small unknown company in the wild and huge world we call the Internet doesn't mean you do not need security.  Crossing your fingers and hoping for the best is also not the best approach.

7) Logging and alerting when someone is leaching your entire client database is probably a good idea.

I'm going to stop, because I'm getting sarcastic again.  I really do need therapy.

On a very serious note.  When dealing with sensitive, regulated PIPEDA type data, perhaps some security is a fair expectation and a reasonable minimum.

From a GDPR perspective, everyone involved here is a potential winner of a multimillion euro grand prize.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


Thursday, June 14, 2018

When the girl is too good to be true.... dive right in !


So I get a friend request on Instagram.

She is too cute and too young for me to not feel so so special.

I was ready to buy a plane ticket and jump onboard.

Her name is Caren A Lewis.  And this is the story of how I played with her all week.



So being the security pro that I am, I immediately started chatting with her/him/it because I need more friends like her.

I wanted to get to know her.  The real her ;-) 

Well turns out she is from Helena, Montana.  Far enough away that I can't just stop by for a visit.  And turns out what cute young girls want today are online relationships and money to buy a new iPhone because it is her birthday in a few days.  Poor thing, using an old samsung!

After many days of chatting and exchanging, we finally got down to making a deal ;-)



As you can see from this segment of the exchange, she was being a little pushy as her money hungry fangs felt the proximity of potential cash.   Except I finally revealed what I called something kinda kinky... who I was, and that I actually had a good buddy of mine at Instagram online working with me to fry that sausage for good. 

I won't show that part of the message, because I used a lot of military language that my commanding officer warned me about not using in public.


SAFETY TIPS 101

Here are some tips for anyone foolish enough to fall for one of these scams.....

Do yourself a favour and do these two things :

1) Upload some of the pictures to google IMAGE SEARCH.  Google will find all the pictures that look like your new imaginary lover and you may notice that the pictures come from either other fine young ladies or have been identified as pictures used by scammers (as is the case with this one).





2) This one is important, since your blood flow may be ill-routed.  If you still have doubts or are plain delusional that a random sexy young lady picked YOU....  ask her, by her, I mean the hairy dude behind the keyboard... ask her to send you a picture of herself holding the local paper.     Trust me, the conversation will dry up almost as fast as that blood flow issue will resolve.

Important Internet Safety Tip #4931:  Don't be a dumb ass

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


When a security vendor ignores security - What could go wrong.

Another week, another embarrassing security issue.

I'm going for something light this week, to end the week smoothly.

So many news items to pick from, my eyes and heart landed on a highly secure digital padlock.




What could go wrong

Well, it seems, everything could go wrong since this padlock has a list of transgressions longer then Donald Trump.

Note that their selling points include ZAMAK 3 Zinc Alloy metal body with cut-resistant stainless steel shackle.  Double layered design with anti-shim and anti-pry..bla bla bla...

Pretty solid lock right !    Well.....If you loose access to the padlock, no worries, just get a GoPro sticky mount pad, stick it to the back and twist the back open. Once it's popped open, pretty easy to physically unlock it.  That's right... the back twists and pops off... you know... for maintenance and oil changes!



Twist and pop !



And on the digital front, the claim military grade security.  AES128 isn't really military grade, but we can let that one slide.  What is interesting is the fact that the communications from the cloud with the lock are all done over the very secure HTTP protocol.  That's right folks, no S on the HTTP.

The blue tooth low energy:  Vulnerable to replay attack (easy hack)

Quote from the research article:  


Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.

I could go on and on, but the following two articles do a much better job providing something to laugh at and giving you something to avoid in your own projects.

Walk through of all the issues:
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/

SC MAGAZINE article about it all:

https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-digitally-vulnerable/article/773348/


LESSONS LEARNED

Having a "qualified" security person in any of these architecture and design meetings would certainly have made these issues float to the surface.   Instead, the only thing that floated to the surface, was a genuine sh*t product.

So to be fair, they may have had a security person in these meetings.  So they either had someone with inadequate qualifications or they did like most startups (and cough cough large enterprises) and said shut up with all these issues, we need to push this to market to get our first round of financing pushed through.  

Kids, this is why we can't have nice things.  

If Gordon Ramsey would have been in this kitchen, he would have told their CEO that he is either blind, incompetent or stupid, or a mix of all three.

Nothing wrong with making money but it kinda stinks when you can't make "honest" money and produce "quality" products, especially when the product is a "security" product.

Do we really need more landfill ?

**** (EOR) END OF RANT


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies


www.eva-technologies.com

Wednesday, June 6, 2018

INTACT Insurance fails GDPR compliance logic check



It is no secret that every enterprise will claim to be onboard for GDPR compliance.

It is also no secret that no one is GDPR compliant.  However to what degree and how much will they declare remains to be seen.   And some are going out of their way to prove they lack either competence or desire.

Many "normal" citizens feel that large multinational corporations actually care about them.  They love the points programs, and they love the perks.  They also fail to see that these "programs" are meant to keep you as a customer through the illusion that you are special.  You are not.  You are a requirement for doing business, and corporations love taking your money while delivering the most cost effective service possible.  This is a polite way of saying they deliver the least possible costly service while balancing the illusion that what they lay are only golden eggs.

One of the main parts of GDPR (and many would say common sense) is Article 25.

Article 25 is all about "Data Protection By Design and By Default".  It means build something that doesn't get you fired.  Build something that is reasonable and respectful of the data you are processing.

So lets take a look at INTACT INSURANCE TODAY.




They have a great app that they advertise with a catch phrase that translates into "reap the benefit of secure remote access to your data".  I didn't bother going to see the English version because hackers are lazy.  But it turns out, large corporations too.... read on....




Would it be any surprise that they are not GDPR compliant or it seems actually compliant to anything significant when it comes to security ?

Take a look at the User Agreement section on security:





How good do you feel as a customer now? 
Do you still feel valued?   
Do you still feel special?

If you do, contact me immediately, I have a new cryptocurrency to "sell" you at an amazing rate!

So as far as compliance to GDPR, they are failing in many areas way beyond "Secure Design".

It is fascinating to see how a legal department pumps out these gems to "protect" the enterprise and "protect" the share holders while letting everyone know that they will take no responsibility for pushing out bad software to their customers mobile phones and potentially exposing sensitive information or allowing identity theft.

Now what if this was actually all a magic trick and what they are actually doing is full out spying on their customers.   I didn't think of this one, my friend Eric (not the voice in my head) had this genius idea.   A mobile phone certainly knows what locations you visit, how fast you drive, and probably a bunch of other interesting things that they could always claim was done by spyware since "we do not guarantee" anything!

Maybe Facebook and Google have a lot to learn because this is actually pretty clever.  Build a contract that says we don't guarantee anything, hide it in a lot of legal terms, and your golden.  Oh... wait... GDPR actually says you cannot do that.  darn it.  

One thing remains certain is that large corporations have very large legal budgets and will work hard to ensure they take as little responsibility as possible

This is only Mid-Week.  So many breaches can come out before the weekend giving us all many other examples of GDPR failures, this one just happens to come before the breach.

Ultimately, if you read the small print or pay close attention, most enterprises already radiate their GDPR failure through their daily actions as is this example.

If someone takes the time to read through GDPR it all makes sense, but it relies on people knowing what they are doing and doing a good job across the board.  Not something most large enterprises are awesome at.

I'm really eager to see what the end of week breaches will be.  I always feel like Christmas day when Friday is just around the corner !

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com

Friday, June 1, 2018

When praise hides incompetence. How BMO and others are failing their “customers”




We all have to start realizing that we are not really their customers.  That we are their product.  We are an annoyance that is required for them to make money.

If we indeed where their customers, then they wouldn’t be handing over all our personal information to third parties like Equifax without actually doing a quality due diligence.

So this weeks blunder on the BMO and CIBC side shows us just how much big enterprises care, and how big enterprises are actually prepared to deal with major data breaches.  They aren't.

Several “customers” who happen to be friends of mine sent me the messages they received from the banks.  One friend who happens to be at the top of the “security” food chain actually called BMO after receiving the notice that his information had not been exposed and he requested a written confirmation that his information was all safe.  The response……. Sir we cannot do that, if you get a call from us, then your information is involved, if you don’t get a call then you are all good.

Awesome maturity!  Awesome process.   How proud they must all be.

This is unacceptable for many reasons.  The most important one is the fact that waiting for a call that may never come isn’t really a way to manage data breaches.  What if they call the wrong number.  What if I miss the call.  I may never officially know that my information has been exposed.

Then we have the warm feeling some of us got when they announced the breach publicly, it seems, hours after the breach was exposed.

Many (rightfully so) praised the quick “customer” notification.  The reality however is not as awesome.  Turns out I was right…. It was a hostage situation.   A sample set of customer data had been posted on PasteBin. 

Somehow the banks managed to shovel shit down our throats by telling us that they instantly put in place “enhanced security” and that the breach point was identified and closed and everything is now fine.

This alone for any security professional should cause concern.  If someone breaches your system and then asks for a ransom, chances are things aren’t fine.  It could be that they also put in a backdoor, but it is 100% certain that all 90,000 leaked accounts HAVE LOST THEIR INFORMATION TO CYBER CRIMINALS.  The 90,000 can’t change their dates of births or their social insurance numbers. 

So instructing your clients to change their passwords and offering credit watch services for one year is 100% BULLSHIT, 100% SECURITY THEATRE and 100% NOT TREATING YOUR CUSTOMERS LIKE VALUED CUSTOMERS.  After you loose all my shit, you should legally be forced to provide credit monitoring services until I drop dead.

Cyber criminals don’t use stolen personal information for identify theft immediately.  They assemble information into a higher value profile and then use it.  The repercussions of all these data breaches will be felt for many years, not just 12 months.

This is where I like GDPR.   Chances are out of the 90,000 people exposed, some may have dual citizenship (European citizens).  This would mean that BMO and CIBC have just been proven to be NON-COMPLIANT.  This means they are exposed to a significant penalty.  It’s basically 20 million euros or 4% of their numbers, which ever is bigger.  Guess what.... it's way more then 20 million!

But this won’t change anything.

Here is why.

Financial penalties impact the bottom line of the enterprise temporarily.  

Watch the stock fluctuations of any breached traded company and generally they bounce back really quick.

Heck, Equifax MADE MONEY selling their credit protection services!  
Talk about screwing the citizen!

The CEO’s and senior executives will come and go.  They all get paid LARGE sums regardless of their failures, and they never have any real penalties for non-compliance or major failures under their management.

Bottom line, they have NO REAL MOTIVATION to change anything and no real need to do so.

What we need, is a set of laws that includes personal liability for senior managers.

Hey…. We are all allowed to have a dream.

Or, alternatively, we need a NEW system that makes these personal pieced of information irrelevant.  Enter blockchain technologies perhaps.

Things must change because it is simply NOT TRUE that my name, address, DOB, and SIN are actually confidential.  These have all been breached numerous times and should NOT be personally identifiable information.

Something to think about....


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...