Tuesday, July 21, 2015

Ashley Madison - What the news rampage is missing. The lies! It's all about the lies!

After watching a report on CTV and one on CNN, I realized reporters are missing a really important fact with this story.

Normal (non tech) people are being lied to all the time.  Some call it marketing, some call it a business practice.  It is actually a pretty shady business practice and experts would call it fraud. 

The website shows you security related images, logos that make you feel good about the site and its security.  


The security certifications are made up, two of them don't really exist.  They are there to make you feel good about the site and not read the small print.

TRUSTED SECURITY AWARD
This claim probably tries to sell the idea that security is important, and that the website has been tested.  The cold hard fact is that you cannot click on this logo and be taken to a "real" security testing company who will vouch for the quality of the site, and the tests performed.  

A real attestation would show dates the analysis was performed, and what kind of testing was done.  

100% DISCREET SERVICE
This is the most insulting type of made up rubber stamps.  Discretion is subjective it seems.  Users of the site get a weekly email with links they can click to see their matches.  If you click on any of these links, your taken directly into the users account.  No username is requested, no password is asked.  Emails are like post-cards as they travel across the Internet, anyone who can sniff (observe) the network can grab your emails.  That is why security standards dictate you do not send sensitive information by email.  This includes; credit card numbers, location you buried the dead body, information that discloses you like rubber hoses (access to Ashley Madison anyone).

SSL SECURE SITE
This is the oldest type of bullshit rubber stamp.  What this means, is that the website uses encryption to secure the data in transit (while the data is transferred onto your screen).  Ask a regular person what SSL is, chances are you will hear their brain stop working.

As far as the rest of the web sites security, it is meaningless.  

It says nothing as to the :
  • Quality of management
  • Quality of the hiring and subcontracting process
  • Security of stored data
  • Security of backed up data
  • Security of the software development lifecycle
  • Quality of the testing and maturity of security and its integration
  • .... I could go on, and on....
Also, I love that their maturity is so high, that they are claiming to have searched through the entire Internet and have removed all their data.

So here is a valid question.  Who did handle their security ?
And who is this "world class IT-Security Company" that is handling this breach, as they reported.

From experience, when the names are hidden...... it's all smoke and mirrors.

My original blog posts really get into the details, including screen shots of my.... test... account.

The sad truth is that these marketing tricks are often used, security professionals know they are meaningless, and also mostly lies.  The general public however get a feeling that the site is SECURE, DISCREET and ok to share your most perverted stories with.

1ST BLOG POST:

AshleyMadison - 5 things that should haunt their clients and many of our senior executives

2ND BLOG POST:
Ashley Madison - Who is coaching these nut jobs!

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com

Monday, July 20, 2015

Ashley Madison - Who is coaching these nut jobs!

Wow.   I'm sitting here in a stunned silence.

This is a followup to my original blog post:  http://ericparent68.blogspot.ca/2015/07/ashleymadison-5-things-that-should.html


Ashley Madison has just declared having searched through ALL of the Internet for their clients data, and having requested a DMCA take down from anywhere that their (our) data was found.  Concluding this security breach, and classifying it as now resolved.

On top of that, they are sticking to their guns, that without any fancy database encryption, their PAY-TO-DELETE feature 100% guarantees your data is all gone if you so choose.  Even from offsite backups... or perhaps they do not have any of that.

They also keep going on about their awesome "stringent" security provided from vendors all over the world, which we all know is a valid requirement for a good team of security professionals.

Both the person holding the microphone and the person giving them that microphone needs to be fired.

Stringent security!  Really!  

You send off links by email (unsecured, exposed as it travels across the Internet) to advise your users that these 6 new hot prospects are waiting for them.  

Anyone intercepting these unsecured links can then click on them, view the new hot prospect and also access your full user profile!  That is STRINGENT !   Wow....

Please do not start developing nuclear weapons, nuclear reactors, heck, anything sharp.


http://media.ashleymadison.com/statement-from-avid-life-media-inc-july-20-1225pm/





_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com

AshleyMadison - 5 things that should haunt their clients and many of our senior executives

UPDATE:   Ashley Madison is now telling lies !  Seems they have taken down ALL the

Big news this morning, if you have an account at www.ashleymadison.com

Wether the breach turns out to be true or not, one thing is certain, we can all learn a lot from this breach.  You can also tell a lot about a company and its values by how they manage a breach.

Also, did you know that your profile on this website can be accessed without a username and password..... read on.....

One thing is certain, we, as a people, are entirely too trusting and easily fooled by flashing lights and cool looking websites.


1- FAILURE TO TELL THEIR CLIENTS
24 hours after the news has hit, still no notice to their clients.  The front page still looks the same, nothing is telling me that a breach has taken place or that I should change my password, or prepare my wife for some shocking news.   

This breach is all over the Internet, yet nothing on their website talks to the client. Public statements by management are being made to downplay the breach as the act of a trusted insider or saboter, yet no message has been made visible to their users, all 37 million of them must rely on CNN and FOX news to understand what is happening to their personal data.  


2-FALSELY CLAIMING TO BE SECURE

The web site still displays three important and inspiring security elements to ensure that users "feel" secure.  Websites need to stop doing this.  It is FALSE ADVERTISING.



First off, TRUSTED SECURITY AWARD is meaningless.  You cannot click on the icon and "see" who is putting their reputation on the line that the RIGHT level of security testing has been performed.  When will a journalist skin this cat alive!

Secondly, 100% DISCREET SERVICE is a self made claim.  How discreet is the service if I do not require a username and password to access my profile ?   Yes, you read that correctly (more further down).

SSL SECURE SITE, is yet another "out of context" claim.  Sure, the communications over the internet are secured, yet someone who reads my emails can access my profile without my username and password, and they access it securely via SSL.

Security testing means it is audit-able, verifiable and heck.. true.  OWASP is the gold standard for web applications.  

Over all, this web site, along with the entire infrastructure is not operating as a secure ecosystem and having these logos displayed if your not doing it, or not doing it ADEQUATELY is FALSE ADVERTISING.

So CEO's check your websites for little logos, and if you cannot click on them and get transferred over to the third party who did the testing and get some details on what the heck was tested...... your guilty of "security advertising"!


3-FAILURE TO TAKE RESPONSIBILITY  
Their senior executives have come forward telling us that it is NOT an employee but a trusted contractor (or something of the sorts).  Why would I, the client, CARE !  Why would you tell anyone this!

Telling the world that you KNOW who it is doesn't make things better.  Telling the world that it isn't one of your employees but a contractor tells us entirely too much about your poor security practices.  Are you telling me that your application developers have access to production data?  No.... then who is this contractor and why did he have access to MY data?   

As a client, I expect you to take responsibility, but above all I expect you to take action. 

This story will die down in the media, and people will forget.  It is the first thing your crisis management team will tell you.  What is surprising is that this "news" should kill a company that did not take the steps to secure such sensitive data, yet chances are, it will simply be a blimp on the radar and business as usual soon there after.

In this case, at BEST, they are pointing the finger at someone, shifting the blame (poor us, a disgruntled or crazy contractor did this), or at WORST, completely damaging an ongoing investigation by divulging that they suspect a contractor.  

In short, the information handed out to the media so far, damages the investigation.  This incident is not being handled correctly.

4-FAILURE TO PROVIDE A SECURE SERVICE (THE REALLY BIG NEWS HERE)
Did you know that you DO NOT NEED your username and password to access YOUR profile.  If you are a client, you should be very VERY upset about this.

So get this.....every week users of the site get a friendly email showing them their weekly "matches".  This email shows you new profiles that you might want to click on and see more information.  When you click, you are redirected to the website and you see the profile you wanted to see. You are also logged into your account, no username, no password required.  I wish banking systems worked like that.  So this means that anyone listening on the internet that can intercept emails (emails are like postcards by the way) can collect these LINKS and connect to the users account.

STEP BY STEP:

1- Intercept an email (the network techs at large telcos must be having a blast)




2- Click on the sexy lady (or guy) that is being offered.... and BOOM, your in.



From here, one can view your profile, you correspondence with friendly girls and boys, the ratings that you have attributed to "mates", etc... etc... you get the picture....

5-FAILURE TO ACT AS CONTRACTED - TO BE CONFIRMED
It seems, and this one remains to be proven, that they charged $20 to have your account deleted.  Some articles talk about 1.7 million in revenue from these charges. 

Some other articles are claiming that they DID NOT ACTUALLY DELETE ALL your data after taking your money.  This breach, if the data is retrieved and analyzed, might expose this fact.   

Offering a paid deletion service is a dangerous thing.  It is almost impossible to do unless the data is individually encrypted (client by client, using a unique key for each client) and the keys are extremely well secured, not duplicated or backed up past the resilient architecture.  This means that the encryption key is deleted when a client PAYS to have his data deleted.  This results in the clients data becoming impossible to access. 

Why do it this way?  Simple, data gets backed up.  Deleting data from a production system is easy, deleting it from all known backups is a much more complexe task.  If you delete the key, the encrypted data on the backups is unretrievable.

The pay to delete service was more then likely "sold" to management as a great new feature and money grab, since I doubt that the actual architecture provides compelling evidence that the data actually is DESTROYED.  This breach might shed light on all this.



IN CONCLUSION

Having a nice policy statement like the one below is not enough.  If you are going to state that INDUSTRY STANDARD PRACTICES has been respected, shouldn't you do it?



SecurityWe treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to "firewalls", encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.

The take away here....
  
AshleyMadison should:

  • Have their architecture reviewed by REAL professionals
  • Have an independent third party perform security testing and have the results summary accessible for all to see (The good old put your money where your mouth is)
  • Get a new incident handling team lead that will tell them what to do, and what to say next time the shit hits the fan.
  • And for the love of which ever God they pray too, take responsibility and tell your clients the truth and actually do something about it.
Chances are, this is what is going to happen;  Hire a big reputation firm, get some auditing done, get some fixes done, get a report that says they have done something and off they go to get more funding.  After all, they can now rely on the fact that they paid a lot of money to have a reputable firm tell them they have done what needs to be done.  Rare are the cases that actually end with the hire of a true security professional that will write up an optimization plan for the long run and actually bring security value to the business process.

Chances are, this will be a short term fix. Unless the owners of Ashley Madison and their executives actually want to optimize security, take charge of the issue, and safeguard their CLIENTS data.

...pause..... my phone isn't ringing... ;-)

If you think your significant other would find a brief walk through your profile mildly amusing, remember that the site also tracks details that perhaps... are harder to navigate when you get home after this breached data gets published:







_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com

------------
Follow up posts of interest:
http://mashable.com/2015/07/20/ashleymadison-is-fucked/

UPDATE:   Ashley Madison is now telling the INTERNET that they have successfully used DMCA requests to take down ALL, read that again.... ALL.. of its leaked customer data from the Internet.  Wow.... what a bold statement....  
http://media.ashleymadison.com/statement-from-avid-life-media-inc-july-20-1225pm/

BLOGPOST:  Who is coaching these idiots!


Friday, July 3, 2015

Quebec government systems hacked by Anonymous

Timing is everything you know

Publishing that government systems have been compromised on a Friday must be part of the Anonymous strategy.

The fact that these systems have been hacked is not the REAL story hear.

The maturity of all involved should be observed, evaluated and acted upon.

We may never know "how" the are going to address this, and how mature they are in their response.  We do however get a glimpse of serious lack in competence when we watch the news and their PR response.... time will tell.

Here is what we do know about their maturity

Three main sites have been violated


  • TRAVAIL, EMPLOI ET SOLIDARITÉ SOCIALE - QUÉBEC
    • http://www.mess.gouv.qc.ca
    • http://www.rqap.gouv.qc.ca
  • COMMISSION NATIONALE D'EXAMEN SUR L'ASSURANCE-EMPLOI - QUÉBEC
    • http://www.cneae.gouv.qc.ca/

The information collected is fascinating for one simple reason;

It seems the government systems still allow users to use their names as passwords.

I may be old school on some things, however password education is not one of them, and I strongly believe that modern and mature systems should not be built without basic security measures.

If the most basic of security features is not present on these systems, how many other security issues lie dormant, waiting to be exploited.

Wait.... I guess it isn't dormant after all.

Have fun my government friends working this weekend.

--------
NOTE:  The breached information can be retrieved from within this article

http://branchez-vous.com/2015/07/03/le-gouvernement-du-quebec-victime-de-piratage/

NOTE2:  Security researchers have confirmed that some of these accounts have valid passwords that are also used (same password) to log into mail accounts (gmail, hotmail, etc.)

If you or someone you know is in the list, change your passwords wherever you've used it.









Thursday, July 2, 2015

Penetration Test or Security Review

The most common question I am asked is how much does an Intrusion Test cost (penetration test).

There is only one intelligent response to that question, "that depends".

Ethical firms and individuals will ask questions, do some preliminary testing perhaps and list the most reasonable actions to take at the clients current maturity level.  This equates to doing a good job.  So essentially, the workload or "price" is for doing a good job.

Firms in it for the "business" will quote whatever gets them to win the deal.

I was asked this morning if I could do a job we quoted for six thousand less, my response was "of course, some things simply won't be addressed".


"Intrusion Testing is like walking buckets of water up a flight of stairs."


If you have someone who is built strong (competent) then there is so many buckets an hour to be carried, end of story.

With intrusion testing, you have no idea how much water is available to carry up the stairs, and your end goal is never to carry ALL the water up the stairs, just carry more water then what the bad guys might have carried.  Perfect security is unattainable, and cost prohibitive.  Reasonable security is simply just that... reasonable.

Security testing exists at many different phases of maturity:

1) Pre-production tests
2) Production tests - First tests ever done
3) Recurring tests that progressively go deeper and deeper
4) Targeted scenario tests - Specific product

The idea is generally to ensure that nothing embarrassing is left unresolved and that everything reasonable has been looked at.

What is unreasonable?   If you invest 5 days in security testing, your clearly stating that no one will invest more then 5 days to breach you.  

What about disgruntled employees, they have a head start, sort of like they have already invested 30 days and only need to add a day or two to cause real damage.  Same goes fora new virus that targets something very specific.

When a respectable firm quotes a security test, these same firms can always do less, they are just telling you what would be reasonable, what would be a test that everyone involved would be proud of, would respect, and would defend.

When dealing with a respectable firm, you get what you pay for, so if you decide to tell your CardioVascular Surgeon to only run half the tests, you shouldn't be surprised if something is found to be less then optimal in the future.  And all involved should also realize EXACTLY what was asked, what it means to only do part of the tasks.

One thing is certain, most companies are not truly doing security testing.  They test some things and leave out other areas that should have been looked at.

Every crisis post-mortem I did in 2014 rested on very embarrassing things that should have been known and resolved long ago.  Thinking your enterprise is different is not only dangerous, it is irresponsible.

That is why I prefer to call these tests a SECURITY REVIEW.  This way, I can provide very valuable information about the maturity of the ecosystem as a whole, since this is where the next breach will come from.

Knowing your maturity across all the areas that can impact the enterprises security, that is reasonable.  That is respectable.  That is an invaluable management tool.

The other major risk involved with low quality intrusion tests, is that a report then exists that says that intrusion testing has been done, and whatever was found was resolved, therefor the enterprise is secure.  Experts will laugh at thinking that the enterprise is secure because an intrusion test was done, managers and most importantly senior executives are not experts, they trust what they see, what is being reported to them.

That is where so called security experts that do a "piss poor job" are acting irresponsibly and causing great harm to the security industry and their own clients.  Letting senior managers think things are a certain way, when in fact they don't know shouldn't be a common practice, yet it is.
Word of the day:  Value


You get what you pay for, and if your giving your money to low competency individuals and forms, what value are you getting ?




Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...