Wednesday, June 26, 2019

Desjardins: We are all missing the train.



The last week has been an interesting one from a socio-psychological angle.

I am very pleased with the lessons to be learned from this security event, and I can state firmly that the next classes I teach, and the next conferences I speak at, will include some of these juicy tidbits.

After the first round of press releases, news articles and "interviewed specialists" I can firmly say that we are missing the big picture.

Only a few hours after the week started, class action lawsuits already surfaced claiming 8 billion dollars in damages for the Desjardins members.

This is totally absurd.  It would be nice if everyone involved including the high quality bottom feeding lawyers would wait for the corpse to be carried out before circling above like a vulture tasting blood which will never drip out.

Desjardins was a victim of our failing government.  A government that focuses on doing what is popular and what gets them votes and keeps their "sponsors" sponsoring.

You read that right.

In 2019, birthdates and social insurance numbers are still the central nervous system used to buy property, mortgage a house, get a loan, or get a credit card.

This is a complete failure to understand security and understand risk.

We, as a society, allow government and banks to pawn off our most vital information to companies like Equifax without our consent yet when we consent to give our information to a bank, we take offense if an employee leaves with our birthdate.

Sure, Desjardins needs to review how they let staff extract data.  Why for example would a marketing person need your full birthdate.  Why not just a year, or a range of ages.  So certainly some things can be optimized IN ALL BANKS.  So before we raise or voices with Desjardins, remember that this can happen to any bank and any company.

The big picture remains that our financial ecosystem relies on a VERY broken system of authentication that leaves the citizen scrambling when something goes wrong.  

The system offers NO protection for the innocent, and the innocent must live with the painful consequences when something goes wrong with no wrong doings from their part.  Once their identities have been used to create false loans or mortgages, they live the nightmare with no support.  Unless they subscribe to a credit monitoring and alerting service from lets say... Equifax.  How insulting.  How completely absurd that we allow an entire ecosystem to milk us and treat us like this.  How absurd that the banks hold hands in supporting this sick ecosystem.

This should not be acceptable.

Equifax should not exist.  Minimally, it should be a government run service.  

Now I am chocking as I write this.  Saying the government should take charge of something is rarely my pitch.  Because to be frank, the government always runs things so well ;-)

In this case, the government should not only abolish Equifax and take charge of the credit bureau, but they should actually walk into the 21st century and put in place a digital ID.  They should replace the dependency on birthdates and social insurance numbers since these pieces of information have been leaked and exposed for decades.  Banks use your social insurance number as a primary index key in a slew of their systems because it was convenient 30 years ago when the systems came to life.  In other words, this piece of information is all over the place.

People even post their birthdates on Facebook for all there thousands of friends to see.  And by friends I also include scrapper bots from Russia and China that harvest everything you drop.

So what should be a digital ID.  Simple, a smart card that could include a digital certificate, be fully authenticated when produced (like when you get your passport created), include digital magic like your drivers license and medicare card on the same piece of plastic, and provide vetted identification when opening a bank account, when mortgaging your house, when contracting a loan.

Now do the banks want this..... actually probably not.   It is much easier to have a marketing group signing off new credit card applications in convention center lobbies or airport lounges and relying on paper applications that fall from the sky.

So who wants this?   The citizens want this.  Because it makes sense.

The question remains, why is our birthdate and social insurance number still a critical asset, and what are we going to do about it?



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com




Friday, June 21, 2019

Desjardins: Round two - The truth comes out, do banks really care?





This Friday post is all about commitment.  


I'm going to float an idea and commit to it for the next 72 hours.


FIRM STATEMENT:  The Desjardins data exposure was not performed by IT staff.

Lets review some facts.


  • The CEO stated clearly that he felt completely violated.  He didn't use words that sound more appalled, but used words that really showed he was vigorously violated. 
  • He states without doubt that the information is not for sale on the Dark Web....
  • He states without doubt that passwords, PIN numbers and secret questions have not been exposed...
  • And he stated that this was all performed by an EX employee.
  • The LAVAL police is investigating and not the Provincial Police....
  • The plot thickens....



LETS FLOAT A SCENARIO

So here is my stab at the million dollar question:  Who did it.

Someone trusted by the enterprise, working in a department that could obtain this information.  To summarize, names and addresses, birthdates, social insurance numbers, purchasing habits and which products you have with Desjardins.

The social insurance number is often the unique database key used to represent the person, so this piece may even be irrelevant and is irrelevant for my scenario.

So someone trusted who worked with this type of information and someone we fired a few months ago.  So if we fired him, he must have done something wrong, perhaps he had already been loose with the data.

And when banks fire someone they have them sign an agreement that both parties do not talk about each other, and both parties move on.  Hence the reason why Desjardins is not naming him at this point.

So enter round two....   The now unemployed person (who kept a ton of sensitive information even though he declared in his exit interview that he would retain no such data), is now sitting at home starting a new business with this stolen data.  Perhaps something that could be used in conjunction with the type of data collected.   Purchasing habits, banking and insurance adherence data.  

Perhaps this not too wise person approached various people to leverage the data in some way, and eventually someone ratted them out.

This then becomes a breach of contract based on the employee having promised not to keep or use Desjardins data after they got themselves terminated.

It all makes sense with these variables.

Bottom line, Desjardins did not have controls in place to allow for the detection and the accumulation of vaste quantities of data and never knew that their data had left the building.  Or did they..... "but he promised he deleted it".

Wouldn't this scenario make you as the CEO feel violated.

After all, someone you paid to do a job didn't respect you or your semi-binding agreements and now you are faced with the angry public and the ever so inquisitive press.

BANKS NEED TO START CARING (FOR REAL)

When someone internally defrauds a bank, the bank is much more stressed about their reputation than the wrong that was done to them.

So if John (taken from a true fraud case I worked) defrauds the bank for $500,000, the banks gets John to sign an agreement, that John is fired and neither party talks about each other going forward and the bank doesn't owe John anything, etc.

So John, crosses the street and goes to work at the next bank and performs the same types of malicious actions, but this time... he does it even better based on the lessons learnt from his first dismissal.... or was it really his first....

Banks need to start pressing charges and publicly exposing these people so that they do not go on to the next victims.

Banks do not care about the big picture or the citizens, they care about their clients perception.

So back to Desjardins, they probably fired him because he was accessing systems without cause and he was exhibiting behaviour that violated policies, or he literally access tons of data and got caught months ago.  Then he promisses to not keep any data, and now we all know why the CEO feels violated.

Desjardins and Equiflop

Initially, Desjardins offered 1 year of credit monitoring but you had to agree to the disclaimer, which was the same disclaimer Equifax tried to push down peoples throats last year.  ** If you agree to the free credit monitoring service you agree not to sue us.

Maybe someone is reading my blog, because they moved the 1 year up to 5 now, and someone seems to have removed the disclaimer.  Guess we will see when the physical letter gets mailed out next week.

Banks, please commit to being a better digital citizen.  Impose strict rules, AND enforced strict penalties.  Don't let your shit employees go to work somewhere else doing the same thing they did to you.  I know your lawyers disagree, maybe they are part of the problem.

Happy long weekend to all my friends in Quebec, and remember the old security moto:



TRUST BUT VERIFY


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com


Thursday, June 20, 2019

When the banks drop the ball - Desjardins leaks all their clients data.

CBC NEWS - Personal data of 2.9 million people leaked from Desjardins

Often, so many things are wrong with these press releases that it is easy for me to critique them and sometimes laugh.  In fact it is almost a guilty pleasure for me.

The news headlines state that 2.9 million Desjardins clients have been exposed.  
It should simply say that all Desjardins clients have been exposed and remove the ambiguity since that is the actual fact.

Why is the number important?  It is not.  Desjardins is the biggest credit union type bank in North American, and a subset of all their client data has left the building.   This could happen to ANY bank, so I am not getting on the bandwagon that Desjardins did or does a poor job.  This is far from the truth as they are often a reference in cybersecurity practices.  Like everyone, they have weaknesses the can sometimes be leveraged.  A malicious employee is near impossible to totally contain.   But I can still poke fun at the news articles....

So... they also use the word SHARE, as in a former employee shared the data.  Who the hell did they share the data with!  They stole the data.  Stop using soft words that make it sound like they hit the wrong button on Facebook!  Also, at this point, it isn't someone they fired, I hope it is someone they are pushing for criminal charges for.

A big piece remains, I fail to see anything in these articles that tell the consumer what to expect as far as repercussions down the road.  I don't want to steal the punchline from them, but you may end up owning a mortgage or a credit card that you never asked for ;-)

Data Loss Prevention (DLP)

Enterprises are constantly faced with the desire to deploy a DLP.  In fact, since the cybersecurity industry has an acronym for it, this means that it is a big problem, and big money is involved.

Not a week goes by that someone isn't talking to me about deploying the latest and greatest DLP solution.

The fact is, these solutions reduce risks involving accidental exposure but hardly make a dent in someone internal wanting to actually steal your data.  These solutions rely on many factors and ingredients to yield benefits and almost every enterprise I visit is missing most of the required ingredients for a DLP project to be a success.

Now take Desjardins.  They are big (by Canadian standards), and they invest significant sums in everything relating to security.  They don't a a security person, they have security teams (with an S).

When a rogue technology person decides to pain outside of the lines, you are in for an enlightening and embarrassing experience.

In this case, it was not Desjardins that realized they had been violated.... the cops called Desjardins to tell them they had been had.  This is an upgrade from the more common scenario when a television crew or journalist calls you and tells you the bad news, so maybe this part is a positive.    However it is more of a negative for one simple reason, if the police are involved, chances are it is a much bigger deal than when a journalist calls you.  

You see, journalists call you when someone blows the whistle.  This someone generally isn't malicious, they just want something to change.  When the police call you..... well... you do the math.

Now Desjardins is falling into the trap that many fall into and they are trying to tell the public not to panic since PIN numbers, credit card numbers, and secret questions have not been exposed.

First of all, they cannot possibly know this with 100% certainty, but lets continue....

So all the information they have on their client, all the information that can expire and be changed... that information is secure.

However, all the information that you will die with such as your birthdate & Social Insurance Number... that was stolen.

But rest assured, we are working with Equifax, a household name in extremely mature and well rounded cybersecurity practices. That last part is sarcasm, so no hate mail please.  I wrote a series of blogs posts on Equifax and their subpar security (example:  HERE)

Equifax will provide 1 year of identity theft protection payed for by Desjardins! 

Wow.... we are still going with that?

The AMF (lautorite.qc.ca) says that they are happy with the approach that Desjardins is taking in resolving this matter.

Well, AMF.... and my many friends at the AMF.  In my opinion, you are falling short of your duty.

And once again, privacy commissioner of Canada, you are also at the precipice of failure.

You see, large corporations who end up having LARGE security exposures that can screw the lives of millions should own up to the magnitude of the issue.

This means that they should dedicate staff to operating an identity theft service and provide this service until you die since the information that was stolen cannot be changed and you will remain at risk of identity theft until you are dead.  In fact, some might argue that the risk may continue sometime afterwards ;-)

So why offer only one year of "oversight"... simple ... that is how long it takes for people to forget about the issue.  The general public should be made aware however, that identity theft can happen years down the road.

Also.... all the experts being interviewed so far are missing this one important fact....the information stolen included non matching data types.   What the hell is my purchasing history doing anywhere near my social insurance number and birthdate!  What the hell is going on at Desjardins.... will someone investigate this???  ZZzzzzz

When I go to negotiate a new mortgage, does the financial advisor "see" that I buy a lot of flowers ?

Can they then conclude that I apologize a lot to my wife hence the flowers !

Can they conclude that ANYONE who has to apologize three times a month by giving flowers MUST be a higher credit risk...

you get the picture....

As usual, these breaches end up opening the floor to more questions.. many many more questions.

So in closing, to the many enterprises that I have crossed and to all the enterprises that I will cross who have the attitude that their IT is the best, that they have no security exposures, that they are golden in this area... I leave you this thought to ponder:  Desjardins is at the top of the ladder and invests millions in a variety of security controls including non heterogeneous security teams... and they just got screwed over by an employee.  Sure you're 100% safe because your vaste experience in another unrelated domain tells you to feel that way.

Just like an anti-vaxer who reads a few facebook posts and will argue with a triple doctorat with 30 years of research under their belt.

Go in peace my friends and be realistic about your shortcomings and expectations. 

As for Desjardins, they remain a top bank, with top notch people and services.  Be cautious before throwing the first stone since any bank can be victim to this type of attack.  Just try and not keep all your data in a single bucket ;-)


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com


Thursday, June 13, 2019

BlueKeep.... the new silent killer affects thousands of Canadian Internet facing systems

Surely you must have heard that the next wave of attacks will come through a newly minted and named vulnerability called BlueKeep.  

BlueKeep

Lets keep the cool names coming.

So as part of a research project, the 70+ million Canadian IP addresses were scanned by someone I know... cough cough.... for port 3389 which hosts the progressively more famous and exploitable Microsoft RDP service.   

Now keep in mind that many have multiple RDP services scattered across numerous ports, so 3390, 3391,....  but only 3389 was tested.  It is a certainty that many move RDP services are exposed on the Internet

For RDP3389: 102,434 systems responded and are facing the Internet today.

Just sitting there, handing over valuable information.

As an example, just grabbing an RDP screenshot can give you pictures, but more importantly usernames and OS versions.


 

So obviously giving away your OS version along with usernames isn't ideal, but having an exploitable operating system that has not been patched sitting on the Internet is even less ideal. 

So I asked my "friend" to test out the 102 thousand IP addresses to see how many would be exploitable.....

Drum roll please

Over 10,000 Internet facing systems in the Canadian IP range remain exploitable even after significant media coverage.

These devices will more than likely be hit by malware in the coming weeks since finding them does not require ANY real technical skill, and the exploits for BlueKeep are being weaponized as we speak.

Here are the actual statistics:


            IP ADDRESSES IN CANADA: 71.9 Million
            PORT 3389 IN CANADA: 102,434    
            * Note:  RDP can be found on other ports, we only tested 3389
            SAFE: 66,758 
            * But still shouldn't be open on port 3389 facing the Internet
            UNKNOWN: 17,116
            * Tests did not conclude
            VULNERABLE: 10,351

Even the NSA is pushing news articles about how bad these attacks will be.  After all, they don't want everyone using the exploit now that they can't be the exclusive user of the attack.



And Microsoft, who knows that many enterprises are still using aging systems like Windows XP actually pushed out updates for systems that haven't been supported in years.  That should be a sign that this update is worth investigating and acting on.  They even published numerous warnings.



So once again we are faced with the same age old issue of patching.

But keep in mind that when I tested Heartbleed in 2014, I found over 40,000 systems unpatched and exploitable within the Canadian IP range.  When I tested in 2018 about 10,000 remained.  This was for a vulnerability that literally spat out confidential information in 64k blocks.





So using this trend, BlueKeep will be around for awhile.

And also, corporate "America" is going to focus on patching the external facing systems while ignoring the internal ones which means that when Jenny the new less than bright CSO that was put in place to give that traded company plausible deniability clicks on that juicy phishing email, the lateral movement across the internal network is going to be easy for years to come.

So, once again, two lessons to learn here:

1) Patch all your systems for critical exploits

2) Know your inventory so you get them all

3) Place RDP behind a VPN, because password guessing and other attacks on RDP still exists or will surface!

4) Don't hire fake paper security experts to fill in a role and help shovel IT risks under the rug so that the shareholders feel all cozy

Wait.... that was four.... damned Thursday morning Jello shots.

I have to go, my phone is ringing with yet another Ransomeware victim who had to find $60,000 in bitcoins before midnight ;-)



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies


www.eva-technologies.com

Wednesday, June 12, 2019

Will the CBP have to report to the Canadian Privacy Commissioner?

I haven't written in awhile, not for lack of options or subjects, mostly lack of time.

The last few months have been riddled with new business relations who are being hit with advanced Ransomwares.

Something has changed in the last year, and these attacks have clearly gone from fully automated to hybrid and manual.

So be warned, the bad guys will outsmart you.  They will figure out how your backups work and remove them.  They will take their time to figure you out and find the weakest link.  One attack replaced the backup systems DLL file and continued writing backups... with all zero bits.... which compared correctly at verification so the backups seemed to work fine.  The attackers waited over a month to deploy their ransomeware.

But on another subject, Will the US Customs and Border Protection agency (CBP) be above the law?

Will our privacy commissioner impose our new disclosure law on the CBP?

You see, turns out the CBP has been tracking our vehicles and our faces at border crossings.  Also turns out that security was weak and hackers got into all that information and left with it.

Since November 1st 2018, Canadian law dictates that breaches impacting privacy be reported to the privacy commissioner and that EVERY affected person be notified if there is a risk of harm to the individual.

The key thing, is that they worded the law in a way that gives a lot of room for wiggling out.  They used the term "significant harm".

Now it gets worst (or at least more interesting), it was actually a subcontractor who had the breach, but the CBP doesn't want to name the contractor.   Well not to worry, it looks like the friendly hacker community is taking care of that and it is a company called Perceptics

Turns out:  "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," CBP said in a statement.



So back to my overwhelming ransomeware events.  When someone calls me in the middle of a panic because of a ransomeware, I already know what the bad news is:

1) Turns out our backups didn't work since last June... 2018
2) Turns out our malware detection system was not configured correctly
3) Turns out we have to pay the ransom and have no idea what a Bitcoin is

But here is the kicker, 9 out of 10 times, it was a subcontractor that had the most contributed to the breach and failure of IT systems.

a) We thought the backups were good

b) We thought the backups were running

c) We thought our systems didn't have 6000 Shekels of exploitable vulnerabilities

d) We didn't know that a Shekel was an ancient measure of mass equally as old as our IT infrastructure and capacity to be resilient to failure

e) We didn't realize that we opened up our network across all protocols to a third party because management pushed the IT guys to open up the firewall because the F'n project must be delivered on time

f) We didn't realize that our really good IT guys are actually really good IT guys based on the perception that they keep the lights on and as far as security goes they do not have the knowledge or luxury to handle security adequately

Anyways, you get the point.   Everyone is always surprised when they get hit by a Ransomeware but the security experts are certainly not surprised and often your own IT staff aren't either because it dawns on them that their technology debt equates to a security debt which therefor results in large security exposures.

So lessons learnt here.....
1) Trust but verify your third parties

2) Do not blindly prioritize projects and ensure you have security oversight and firm checkpoints

3) Have VERIFIED and OFFLINE backups

4) Have storage technologies that are not integrated at the OS level (no AD integration, completely isolated like iSCSI) and ensure that snapshotting features are in place (with adequate storage you cheap bastards)

5) And while we are at it, make sure your security countermeasures have all their features turned on, because that my friends is really really embarrassing.

Now, I'm still curious.... and would certainly love to hear our privacy commissioner on this CBP breach of data.

Silence......  crickets......  and soon forgotten data breach....

Visit databreachtoday.com 
It isn't called data breach this month folks !

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com



Disposerons-nous un jour d'une carte d'identité numérique provinciale qui sécurise réellement vos opérations bancaires ?

  J'ai fait une entrevue ce matin sur QUB Radio basée sur un article du Journal de Montréal qui a été publié aujourd'hui et qui disc...