Monday, August 24, 2015

ASHLEY MADISON: are suicides the final straw? Open letter to our privacy commissioner and a call to arms for our journalists

People are now committing suicide because their lives have been impacted by this issue and it seems that we are only looking at the hackers and never really looking at the serious lack of ethics at Ashley Madison.

Over at Ashley Madison, the original landing page is back, complete with FALSE STATEMENTS about their outstanding security!

Class Action Lawsuits are being launched and should have no issue showing the lack of ethics that management has shown and continues to show.

Ashley Madison faces $578M Canadian class-action lawsuit

Yes, you read that correctly, LACK OF ETHICS at Ashley Madison.

I realize they are selling a service that many would find lacking in ethics, yet even a hitman is expected to follow certain basic rules that evade the management of Ashley Madison.

I would like to turn this blog post into an open letter addressed to the Canadian Privacy Commissioner, the law firms that are about to take an axe to the subject, and any journalist that wishes to ask that single question that kills:

QUESTION: Ashley, you claim to have a security certification, or "award" as you call it, titled "TRUSTED SECURITY AWARD".  Can you provide the details of this award, and can we "see" the evaluation criteria and the audit report that surely accompanies such a prestigious award?

Here is the thing.  The main landing page was just put back to what is essentially the same as before the security issue, and there are numerous FALSE claims right there, right in your face.

You cannot just make up a trusted security award and give it to yourself.

You cannot claim 39,285,000 ANONYMOUS MEMBERS when your entire member list was just leaked.

You cannot claim 100% LIKE-MINDED PEOPLE when the entire world has seen your members list and at least 175,000 have downloaded it and gone through it and found an impressive amount of fake accounts. 

You cannot claim 100% DISCREET SERVICE because you have not even yet resolved the issue I blogged about several weeks ago: any intercepted email from Ashley Madison lets anyone into the account without ever being asked for a username and password.

You certainly cannot claim all these things when people are now jumping off bridges because of your failure.

Yet you are doing exactly that.

You're also telling us in your press releases (along with a regular infusion of bullshit) that an impressive task force of law enforcement is working on this problem.

I'm sceptical here.  No one had died up until now, and to be honest, you're a bunch of clowns running a pretty shit quality service.  Sure the front page looks good, but clearly you have not invested in security practices that would make you proud.

I find it hard to believe that all these police agencies are going to invest an incredible amount of time and effort on this case, and....if they do, I would be very VERY upset that MY tax dollars are being spent looking for someone who has just slapped you around when you keep giving me endless reasons to actually fly to Toronto and smack you around myself.  Now, certainly the fact that people are committing suicide will place the case at the top of the list, but there are two criminal activities to investigate.

1) Lacking security at Ashley Madison, while they continue to make claims of great security
2) Criminals stole Ashley Madison data

Both of these things are criminal.

Bottom line, Ashley, you suck and are as much responsible for the problem as the "evil" hackers that stole "our" data.

If you want to show the world you are a trustworthy enterprise, you should publish your system logs.  The logs that show the connection IP addresses for the last login from each user account.  We already have all the user accounts, so why are you shy?  Perhaps you do not want the entire world to see your system logs; fine, get creative, send them to me, I will confirm what I see and destroy them when done.  Why are you not letting REAL experts look under the hood?

I will tell you why.  Fake profiles are pretty damned easy to spot when you have ALL the information.

Terrible security is equally easy to spot.  Criminal negligence falls under the same banner.

Ashley doesn't want that.
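The following is an added example, not code from the original post or from Ashley Madison, of the kind of triage that becomes possible once you hold the creation and last-login records for every account, the data the letter asks them to publish.  The records, field names, thresholds and the two heuristics (accounts that have never logged in, and accounts created in a burst from one IP) are constructed assumptions.

```python
"""Added example, not code from the original post or from Ashley Madison:
fake-account triage over constructed account-creation and last-login records.
Field names, thresholds and heuristics are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account id, created at, created from IP, last login at, last login IP)
RAW_ACCOUNTS = [
    ("u1001", "2014-03-02T10:00:00", "198.51.100.7",  "2015-08-01T22:13:00", "203.0.113.9"),
    ("u1002", "2014-03-02T10:00:05", "198.51.100.7",  None, None),
    ("u1003", "2014-03-02T10:00:11", "198.51.100.7",  None, None),
    ("u1004", "2014-03-02T10:00:17", "198.51.100.7",  None, None),
    ("u1005", "2014-06-15T08:30:00", "192.0.2.44",    "2015-07-30T19:02:00", "192.0.2.44"),
    ("u1006", "2015-01-10T12:00:00", "203.0.113.200", None, None),
    ("u1007", "2014-03-02T11:30:00", "198.51.100.7",  "2014-03-02T11:31:00", "198.51.100.7"),
]

def load(rows):
    """Turn the raw tuples into dicts with real datetimes (None stays None)."""
    parse = lambda s: datetime.fromisoformat(s) if s else None
    return [{"id": i, "created_at": parse(c), "created_ip": cip,
             "last_login_at": parse(l), "last_login_ip": lip}
            for i, c, cip, l, lip in rows]

def never_logged_in(accounts):
    """Accounts that exist but have never had a login: a profile nobody uses."""
    return {a["id"] for a in accounts if a["last_login_at"] is None}

def bulk_created(accounts, threshold=3, window=timedelta(minutes=10)):
    """Accounts created from the same IP in a burst (>= threshold inside `window`).
    Sliding window per IP, so one person creating two accounts a month apart is not flagged."""
    by_ip = defaultdict(list)
    for a in accounts:
        by_ip[a["created_ip"]].append((a["created_at"], a["id"]))
    flagged = set()
    for rows in by_ip.values():
        rows.sort()
        j = 0
        for i in range(len(rows)):
            while rows[i][0] - rows[j][0] > window:   # shrink window from the left
                j += 1
            if i - j + 1 >= threshold:
                flagged.update(aid for _, aid in rows[j:i + 1])
    return flagged

def triage(rows=RAW_ACCOUNTS, bulk_threshold=3, window=timedelta(minutes=10)):
    """Return each signal separately plus the intersection, which is the list worth a human's time."""
    accounts = load(rows)
    never = never_logged_in(accounts)
    bulk = bulk_created(accounts, bulk_threshold, window)
    return {"never_logged_in": never, "bulk_created": bulk, "high_confidence": never & bulk}

if __name__ == "__main__":
    for signal, ids in triage().items():
        print(f"{signal}: {sorted(ids)}")
```

Neither signal alone proves a profile is fake (u1001 in the sample was created in the burst but has a later login from elsewhere); the intersection is where the investigation starts.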

Someone needs to start asking real questions about the numerous laws and privacy regulations that have been broken over at Ashley Madison.

Ashley Madison is offering $500,000 to catch the criminals behind the attack.

Is our government going to do its job and investigate Ashley Madison to the same extent?


To the law firms going after Ashley Madison, please call me.  I have a lot of interesting information to share with you.

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com

Thursday, August 20, 2015

Ashley Madison, the list is finally out, and it is awesome

Someone could make a living writing about Ashley Madison, as it appears to be an endless source of mind blowing news.

Years from now, university professors will still be using this case, as the case to use when teaching aspiring security professionals AND senior managers how NOT to handle a security incident.

The list of screw ups is long as are the life lessons.

Here is the top stupid thing they have said or done in the last month.

Told the world not to worry, we hired the BEST security firm and have the BEST working on the problem.

Reality: The statements and their current security enhancements and posture indicate they have only mastered bold stupid statements.

They have removed their false or "made up" security certification claim, and changed their main landing page.  Oooohhh  Aaaaah impressive.

If I recall, this same bunch of BEST experts helped you make another bold claim.  A claim that made even the elderly burst out laughing.  The claim that you had located ALL your leaked information and taken it off the Internet.

First off, sending out DMCA notices only works for people who give a crap, and the underground hacking community doesn't really respond well to legal requirements.   Perhaps the fine folks at Ashley Madison have not read a paper since the Apollo moon landings.  

So yesterday, big news.  The list was leaked, as promised by the initial attackers.

One download Torrent alone has had north of 170,000 downloads.

Here it is on Pirate Bay as a Torrent Download.  (Link provided for research purposes):
https://thepiratebay.vg/torrent/12237184/The_Complete_Ashley_Madison_Dump_from_the_Impact_Team


Strange, the security experts at Ashley Madison had removed all their data from the Internet.....  


Perhaps Ashley Madison has the same problem that 4 year olds have.  They have an imaginary security friend !

The phase will pass (I guess...) and they will eventually have a REAL security professional.


For the time being, they have suspended sending weekly email updates since it was brought to their attention that anyone intercepting all these juicy emails could get into everyone's account....(thank you for reading my blog Ashley).

What they failed to do is expire the links in all the old emails.  (I feel cheated here, like I'm giving you free consulting....).

So anyone with access to any of the old emails can still click on any of the links within and get right into their accounts without ever being asked for a username and password.

Bravo !!  nice fix.

Feels like Microsoft in the early 90's.

Now looking through the Ashley Madison data, should reveal even more interesting things......  If someone had "access" to the actual Ashley Madison data dump.....

Oh wait, that would be illegal, and also, Ashley might show up in the middle of the night to hand me a DMCA take down notice.

Am I dreaming....

;-0

Let the public shaming begin.  People are going to be looking up not their friends, but their mortal enemies.

A fine example:  

Family Values Activist Josh Duggar Had a Paid Ashley Madison Account

So to all the fine clients of Ashley Madison who have no mortal enemies, sleep tight.

For the rest..... there is a billion dollar pharmaceutical industry waiting to calm your nerves.


Sunday, August 16, 2015

The NEW improved Ashley Madison & a few loose ends


I'm starting the week off with a few loose ends, or mixed items if you will.

ASHLEY MADISON, EVIL FONTS, AND FAKE LINKEDIN PROFILES


LET'S START WITH ASHLEY !

Well, it seems my blog is being read by the good folks at ALM (Avid Life Media).  They finally stopped making false claims on their front page about having security certifications that do not exist.

Good move Ashley.

The new front page however shows big voluptuous breasts.  I'm certain someone will complain about that.  The previous version of front page was much classier.  Personally, I don't mind the eye strain.


Previous landing page (with made up fake security certifications)

The new and improved landing page, with added eye candy

Now if you could just get rid of the fake profiles and all the prostitutes trying to "score a deal" the site would be a real asset for the cheating community ;-)

Oh wait....again.....  Did you fix that problem where anyone who intercepts your clients' emails can get into their accounts without a password?   Didn't think so.

So to all who see this facelift (or boob job) as a sign that everything has been "changed" and is now even more secure by a factor of 5, I leave you with this:

5 x 0 = 0

Try again Ashley.
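The login-link problem mentioned above, and in the August 20 post above ("What they failed to do is expire the links"), comes down to the link itself being the credential.  Here is an added example, not code from the original post or from Ashley Madison, of that weak pattern next to a hardened one: a link signed with a server-side key, valid for a short time and usable once.  The host name, key, parameter names and the in-memory store of used nonces are assumptions made for the example.

```python
"""Added example, not code from the original post or from Ashley Madison:
a bare 'who am I' login link versus one that is signed, short-lived and single-use.
Host, key, parameter names and the in-memory nonce store are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://example.invalid/login"       # assumption
SECRET = b"server-side-key-for-the-example"   # assumption: from a key store in real life
TTL_SECONDS = 15 * 60                         # the link is dead 15 minutes after issue
_used_nonces = set()                          # assumption: a DB table or cache with expiry in real life

# --- The pattern the post describes: the link IS the credential, and it never dies. ---
def weak_issue_link(user_id):
    return f"{BASE}?{urlencode({'u': user_id})}"

def weak_check_link(url):
    """Whoever holds the link (or a copy of the e-mail) is logged in as that user."""
    return parse_qs(urlparse(url).query).get("u", [None])[0]

# --- Hardened form: HMAC over (user, expiry, nonce); expiry and replay are enforced. ---
def _sign(user_id, exp, nonce):
    msg = f"{user_id}|{exp}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_link(user_id, now=None):
    now = int(time.time() if now is None else now)
    exp = now + TTL_SECONDS
    nonce = secrets.token_urlsafe(16)           # unpredictable, one per link
    params = {"u": user_id, "e": exp, "n": nonce, "s": _sign(user_id, exp, nonce)}
    return f"{BASE}?{urlencode(params)}"

def check_link(url, now=None):
    """Return (user_id, 'ok') or (None, reason).  An old e-mail fails on 'expired';
    an intercepted copy fails on 'already-used' once the real recipient has clicked."""
    now = int(time.time() if now is None else now)
    q = parse_qs(urlparse(url).query)
    try:
        user_id, exp, nonce, sig = q["u"][0], int(q["e"][0]), q["n"][0], q["s"][0]
    except (KeyError, ValueError):
        return None, "malformed"
    if not hmac.compare_digest(_sign(user_id, exp, nonce), sig):
        return None, "bad-signature"           # user id or expiry was edited
    if now > exp:
        return None, "expired"
    if nonce in _used_nonces:
        return None, "already-used"
    _used_nonces.add(nonce)
    return user_id, "ok"

if __name__ == "__main__":
    link = issue_link("u42")
    print(check_link(link))                    # ('u42', 'ok')
    print(check_link(link))                    # (None, 'already-used')
    print(check_link(weak_issue_link("u42")))  # (None, 'malformed'): the old-style link is rejected outright
```

The order of the checks matters: signature first, so nothing downstream trusts an unverified field, then expiry, then replay.  Rotating the key retires every outstanding link at once, which is the one-line fix the post says was never applied to the old emails.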


Speaking of fakes, here are two more with a different degree of bite.

WHEN FONTS BITE
On a completely unrelated note, I stumbled on an interesting email that has nothing to do with Ashley Madison.


The latest Microsoft vulnerability, the one exploited with a "special" font containing malicious code to attack visitors of websites or people opening documents, is alive and well.
Taking a look at this suspicious email (as I have no account with this bank) reveals that someone is trying to get me to click through to this font exploit.
Security researchers are curious, so I "asked a friend" to take a quick look at the system hosting this malicious code.  .UA sounds exotic, and it is: it is the country-code domain for Ukraine.

Big surprise, the system is owned by an unrelated company and is in "standard" security condition.  By standard, I mean terrible.  So it is a victim being used to create more victims.

It is always interesting to see a critical vulnerability be reported, and actually see it in your inbox a few days later.

Conclusion:  Patch your systems, patch your servers so they aren't used to attack someone else, train your people not to click on links from banks because banks don't send links to click on... the list is endless.

Obviously the system hosted in Ukraine is voluntarily vulnerable.  That is its mission.  That makes it a believable scapegoat.

Strangely, a lot of corporations are also voluntarily vulnerable, they just don't know it.

Executives, ask yourselves this:  Would you bet your house that your IT is reasonably secure?  If you're answering no and are not doing anything about it......


FAKE LINKEDIN PROFILES

I get a lot of fake invites in LinkedIn, as I'm certain most people do. 

Most of the time they are hot 20-year-olds with impressive titles like VP of Marketing trying to sell me appointment-setting services.

This week I got one that looked alright, yet, something was off and I couldn't put my finger on it until I accepted the invitation to connect.

Then my keen...cough...cough.. senses locked eyes on the profile picture.

Something looked off, so I screen-captured the picture and uploaded it to Google Images.  Voila!  The picture is from a modelling agency.  Nothing to do with a "Lindsay Campbell" from Daigo Oil.

So don't be too quick to accept LinkedIn invitations from people who seem out of place.

The current trend is to grow fake LinkedIn accounts and then use them for such evil as:

1) Harvesting email accounts from real profiles that are all now linked together
2) Hiding their identity since they are about to make you an offer you just can't refuse.
3) Social engineering their way to top executives
4) Posting damaging information with a fake profile associated with a competitor
5) .... the list goes on, only limited by imagination

Simply Google "fake LinkedIn profile" and you will find numerous pages describing the problem and offering tips for spotting a fake.

Here is one example :  http://www.linkedstrategies.com/how-to-identify-a-fake-linkedin-profile-what-to-do-about-it/


Tuesday, August 11, 2015

Killer Gas Gauges

Slow news week it must be, my young apprentice.

Related article:  Hackers are attacking US gas stations


Breaking news: Misfits rename the equipment of local service stations to funky names.

That is what the title should have been in this news regurgitation.

Sadly, that is not what is being reported.

So hackers (there is that term again), are being reported as potentially exposing gas stations to huge risks because the telemetry system that monitors the gas level in the underground tanks is vulnerable to some form of abuse.

If we keep believing the news reporters, hackers will be able to:


  • Push out premium gas when you select the cheap stuff
  • Push out leaded gas because hackers are just that good
  • Make your wife/husband more attractive by pushing out more fumes while you pump (effect will be temporary)
  • And, it seems, make the staff who refuel the tanks complete idiots.


The theory behind the "security issue" is that if we think the tank is empty, then the truck that comes to refill the underground tank will overfill it and the resulting overflow will be a "significant" danger for the lives of nearby inhabitants.

So when it comes to bullshit, I have seen a lot, but this extract here could become the gold standard in my future teachings:


"However, the Trend Micro researchers warn that ATG cyberattacks could still cause serious issues. Hackers can monitor one to find out when a facility is expecting the next fuel delivery or hold it hostage and ask for ransom. They can also fake fuel levels to induce overflow and put the lives of people in the area in danger."

Let's dissect this golden turd as an educational exercise.

CAUSE SERIOUS ISSUES   

So this one paragraph has at least 3 major issues.  Here they are for your entertainment pleasure:

#1 Knowing when the fuel truck is expected is not a serious issue.  Perhaps one has to understand how the fuel industry works.  Perhaps I am expecting too much from a "reporter".  Gas stations rarely run out of fuel.  That is because they know the trend.  The fuel truck already comes on a fixed schedule.  If terrorists wanted to blow one up, they would not need to hack the fuel level gauge to have the truck come and fill her up early.  They already know the truck comes each Wednesday after rush hour.  Are our terrorists now so anxious that they can't wait a few hours?

#2 Taking the gas station hostage.  Security researchers are supposed to stay off the white stuff.  I cannot envision a scenario (especially in the US) that ends well for the "hacker" who attempts to take a gas station hostage by manipulating its FUEL LEVEL READINGS.  For the love of god, my dad had an aging Buick with a broken fuel gauge for years; no one died.  Someone walk me through the SERIOUS ISSUE hidden behind this gem and how one would go about taking a service station hostage.

#3 INDUCING OVERFLOW !  This one is the icing on top of the cake.  Certainly the staff who drive the truck and connect the big huge hose to the ground have something called..... two working hemispheres ......  Perhaps they would notice that things are overflowing and stop the pump.  Perhaps the system is already designed to stop back flow; after all, the pump you use on your car has this basic countermeasure, and spilling fuel on the ground is such an expensive waste to clean up.  And another thing, how do you INDUCE something by simply misleading someone into thinking the fuel level is low?

One thing fuel companies are really good at is accounting.  Surely they must "account" for fuel quantity sold versus fuel quantity in the tanks.  They probably have environmental regulations to respect with these "numbers" to prove that their underground tanks aren't leaking into the local drinking water.  I guess reporting the news only means talking to one side of the story and trying to spin it into breaking news.
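An added example, not code from the original post, from Trend Micro or from any fuel company, of the accounting check described above: book stock rolled forward from deliveries and sales is compared against the gauge, and the delivery volume is planned from the book figure rather than from the gauge, so a spoofed or faulty reading gets flagged before anyone acts on it.  Tank size, ullage, tolerance and the daily figures are all constructed.

```python
"""Added example, not code from the original post, Trend Micro or any fuel company:
stock reconciliation that catches a gauge reading which disagrees with the books,
and a delivery sized from the books rather than the gauge.  All figures are constructed."""

TANK_CAPACITY_L = 40_000   # assumption
ULLAGE_L = 2_000           # head space a delivery must leave free (assumption)
TOLERANCE_L = 300          # normal metering and temperature drift (assumption)
OPENING_STOCK_L = 35_000   # stock on hand before Monday (assumption)

# Constructed daily records: (day, gauge reading at close, litres delivered, litres sold at the pumps)
DAYS = [
    ("Mon", 30_500,      0, 4_500),
    ("Tue", 26_050,      0, 4_450),
    ("Wed", 38_000, 16_000, 4_050),   # scheduled delivery
    ("Thu", 33_600,      0, 4_400),
    ("Fri", 12_000,      0, 4_300),   # gauge suddenly claims the tank is nearly empty
]

def reconcile(opening=OPENING_STOCK_L, days=DAYS, tolerance=TOLERANCE_L):
    """Roll the book stock forward from deliveries and sales and compare it with the gauge.
    The book is carried forward from itself, so one bad reading does not poison later days."""
    book = opening
    rows = []
    for day, gauge, delivered, sold in days:
        book = book + delivered - sold
        variance = gauge - book
        rows.append({"day": day, "book": book, "gauge": gauge,
                     "variance": variance, "flagged": abs(variance) > tolerance})
    return rows

def planned_drop(level, capacity=TANK_CAPACITY_L, ullage=ULLAGE_L):
    """Litres a driver would pump in if `level` were believed."""
    return max(0, capacity - ullage - level)

def overflow_if_trusting_gauge(gauge, book, capacity=TANK_CAPACITY_L, ullage=ULLAGE_L):
    """Litres that end up on the forecourt if the drop is sized from the gauge but the
    tank really holds `book` litres.  Zero when gauge and book agree."""
    room = capacity - book
    return max(0, planned_drop(gauge, capacity, ullage) - room)

if __name__ == "__main__":
    rows = reconcile()
    for r in rows:
        flag = "  <-- investigate before the next delivery" if r["flagged"] else ""
        print(f"{r['day']}: book {r['book']:>6} gauge {r['gauge']:>6} variance {r['variance']:>+7}{flag}")
    last = rows[-1]
    print("litres planned from the books:", planned_drop(last["book"]))
    print("litres overflowed if the driver trusted the gauge instead:",
          overflow_if_trusting_gauge(last["gauge"], last["book"]))
```

The point is not that the check is clever; it is that it already exists wherever someone reconciles stock against sales, which is exactly what the post says fuel companies do.  A spoofed gauge shows up as a variance that no amount of drift explains.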

So MSN news, get real reporters who focus on the actual value of the story first.

Trend Micro, I love you guys, but you need new research guys, or someone to screen the inappropriate use of adjectives.  Because it is a fact that something which is vulnerable does not equate to a "serious" security risk.

My face is vulnerable to being slapped, and sadly, that rarely happens.

So, this is not really a news story after all.  Nothing of interest to the general public.  In fact, what the news is doing, is spreading the word that any misfit could "play" around with their local service station.

So fuel corp executives might decide to address this issue, which might not even be an issue.  The price of gas will go up a few cents to offset the cost of the entire monitoring system overhaul.  No one will have done an adequate risk analysis, they will just have acted to shut the reporters up.   

Well, I'm an optimist.  I have hope that the fuel giants have better management than we have reporters.

Friday, August 7, 2015

The $10k that Chrysler could have invested to save $140,000,000

This post is more of a humorous post, taking statistics to a new level normally only seen during election campaigns.  After all, it is Friday.

Security is rarely seen as an investment.  Yet it is exactly that.  You can also call it an insurance.  What you shouldn't call it is missing.  

We once again have a very telling example.

Imagine this scenario:  Chrysler could have invested $10k to save $140 million.

Chrysler just issued a recall on 1.4 million vehicles because a security expert (hacker) demonstrated that it was possible to bypass the....lacking security controls to access critical components of the vehicle's electronics.  All this from the Internet.

Palpitating news.

Recalling 1.4 million vehicles costs money.  

It certainly costs more than $1 per car, and certainly more than $10 per car.  Probably around $100 per car.  Not accounting for the customer's wasted time, if they do this service immediately instead of waiting for their next overpriced oil change.  Hence the $140 million price tag of this security issue.

So now the interesting part.  How could a few thousand dollars have prevented this?

Secure Architecture Review.

As an expert, if you call me in to milk my brain for a couple of hours, I charge a reasonable price.  Let's say $5000 a day.  This is reasonable because you are only bringing me in for a day or two; you're taking my vast experience and applying it in its full concentration, undiluted, to your most pressing problems, so in a sense it is priceless.

So in this case, certain basic things have been around in the security world for a very long time.

1) Don't build your outhouse near your well (very basic)

2) Don't use your real name on the Ashley Madison website (appropriate joke this month)

3) Segment your critical assets from your low value ones (separate VLANs for asset categories)

4) Don't do your banking on your kid's virus-infected Windows 98 laptop

So why is my car's entertainment system on the same network as critical systems like braking?

Having a security pro in that one important architecture meeting would have resulted in a statement that it is a really bad idea to have every electronic device in your car able to talk to every other one.  In fact, the aviation industry has entire standards for this type of communication and also a golden rule about isolation.  This means that well documented and proven standards exist that you can either copy or draw inspiration from.
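An added example of rule 3 applied to the car, not code from the original post, from Chrysler or from any supplier: a gateway between the entertainment and the safety-critical bus domains that forwards a frame only when the source domain, destination domain and CAN ID are all on an allowlist, and drops everything else.  The domain names, CAN IDs and traffic below are constructed assumptions, not real vehicle identifiers.

```python
"""Added example, not code from the original post, Chrysler or any supplier:
default-deny gateway between in-vehicle bus domains.  Domain names, CAN IDs and
traffic are constructed assumptions, not real vehicle identifiers."""
from dataclasses import dataclass

# Hypothetical CAN arbitration IDs for the example only.
SPEED_ID, FUEL_ID = 0x1A0, 0x2B0           # read-only telemetry the dashboard wants
BRAKE_CMD_ID, STEER_CMD_ID = 0x0F0, 0x0F8  # actuator commands that must never come from outside

NOTHING = frozenset()

# (source domain, destination domain) -> CAN IDs allowed to cross.  Pairs that are absent
# are denied; the safety-critical buses accept nothing from infotainment or from the
# internet-facing telematics unit, and only read-only data flows out towards them.
POLICY = {
    ("powertrain",   "infotainment"): frozenset({SPEED_ID, FUEL_ID}),
    ("chassis",      "infotainment"): frozenset({SPEED_ID}),
    ("infotainment", "powertrain"):   NOTHING,
    ("infotainment", "chassis"):      NOTHING,
    ("telematics",   "powertrain"):   NOTHING,
    ("telematics",   "chassis"):      NOTHING,
}

@dataclass(frozen=True)
class Frame:
    src: str      # bus domain the frame arrived on
    dst: str      # bus domain it wants to reach
    can_id: int
    data: bytes

def gateway_allows(frame, policy=POLICY):
    """Default deny: unknown pair, unknown ID or wrong direction all get dropped."""
    return frame.can_id in policy.get((frame.src, frame.dst), NOTHING)

def flat_network_allows(frame):
    """The design the post complains about: every ECU hears every other ECU."""
    return True

def route(frames, allow=gateway_allows):
    """Split a stream of frames into what crosses the gateway and what is dropped."""
    forwarded, dropped = [], []
    for f in frames:
        (forwarded if allow(f) else dropped).append(f)
    return forwarded, dropped

# Constructed traffic: normal telemetry plus what a compromised head unit or telematics box might inject.
TRAFFIC = [
    Frame("powertrain",   "infotainment", SPEED_ID,     b"\x00\x5a"),
    Frame("powertrain",   "infotainment", FUEL_ID,      b"\x3c"),
    Frame("chassis",      "infotainment", SPEED_ID,     b"\x00\x5a"),
    Frame("infotainment", "chassis",      BRAKE_CMD_ID, b"\xff"),      # injected brake command
    Frame("telematics",   "chassis",      STEER_CMD_ID, b"\x7f\x00"),  # injected from the internet-facing unit
    Frame("infotainment", "powertrain",   SPEED_ID,     b"\x00\x00"),  # "harmless" ID, wrong direction
]

if __name__ == "__main__":
    fwd, drp = route(TRAFFIC)
    print(f"segmented gateway: forwarded {len(fwd)}, dropped {len(drp)}")
    for f in drp:
        print(f"  dropped {f.src} -> {f.dst} id=0x{f.can_id:03X}")
    fwd, drp = route(TRAFFIC, flat_network_allows)
    print(f"flat network:      forwarded {len(fwd)}, dropped {len(drp)}")
```

Direction is part of the rule on purpose: a speed frame is fine flowing out to the dashboard and meaningless, or hostile, flowing back in, so an allowlist keyed on the ID alone is not enough.  This is the "separate VLANs for asset categories" rule with a firewall between them, nothing more exotic.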

So yes, essentially, having the right skill set in that one meeting would have yielded a car that offers great security by simply respecting a few basic rules.  Rules that every competent security professional should have followed.  

So we could conclude that the right skill set was not at the right meetings.

So forget the $10k: if you paid the best of the best security professional a ridiculous salary of $250,000 a year to sit in all the important meetings, over the course of ten years you would still have saved a whopping $137,500,000.  Why?  Because it is certain that at $250k a year, I wouldn't let you build your outhouse right next to your well.

And if you didn't listen to me, paperwork would exist that ensures traceability (just like in the aviation industry) and shows us which level of management accepted a risk which is clearly unacceptable.  And hopefully someone would get their outhouse cleaned out.

Sadly, in the automotive industry, which is older than the aviation industry, we still lack some of these basic elements.

This means that the individuals who contributed to these terrible decisions will not be impacted, beyond having a few rough meetings.

Today it was announced that a class action lawsuit is perhaps underway against Chrysler (Jeep).  This means that the price tag of $140 million is going to go up.  Way up.

The shareholders should be very upset.

The board of directors should also be very upset as their primary responsibility remains to maximize return on investment.  And at this, they are failing.

Poor management decisions will not result in personal liability for overpaid CEOs and other senior executives who fail at addressing these issues and continue to allow KPIs that cause more harm than good.

All these errors, some of them very expensive errors, will be paid by the shareholders.

So now the lawyers are getting involved, which will make them the real winners here.

And the sad part is that no one has actually had their car "maliciously hacked".  

Security researchers found that it could be done.  So if someone really smart takes the time to figure it out, it's possible.   That does not translate by any means into a motivation to invest that time just to activate the brakes on cars for a malicious laugh.

As a security expert, I can guarantee you that given enough time, I can attack anything and win.  I still need a means to translate that into money that preferably doesn't involve showering in groups.

So researchers found a bug that Chrysler should have found by themselves.  The bug is being addressed, and Chrysler is still going to go through a lawsuit.

So should they have invested in a security architecture review.... or security testing?

Yes, they should have.

