Wednesday, December 16, 2020

Who really got hacked? Air Canada? Vancouver International?

News is flowing that Everest hacking group hacked Vancouver Airport and Air Canada, but this appears false.



When you visit the Everest ransomware group's dark web site, the information published looks to be a contractor's data regarding construction projects at Vancouver International, which include the Air Canada Lounge and various other enterprises across Canada, including Pomerleau.


At first glance, it looks more like a contractor got hit and the files have been broken down into the various subjects, since every leak on the Everest site has the exact same type of data (architecture diagrams, electrical diagrams, demolition plans, etc.).




Everyone is reaming on Air Canada/Vancouver Airport today without looking at the data, and this looks more like a consultant got hit.



Now, since we have the plans for Vancouver International Airport (or partial plans), and the Annex Skywalk that leads to the Air Canada Lounge, should we now expect John McClane to kill off Colonel Stuart's mercenaries with his Beretta 92?


After all, we are certainly in the Christmas period and a nice Die Hard scenario would certainly spice things up.





Wednesday, December 9, 2020


FireEye Hacked, missed opportunity to shut up

Big news this week as FireEye makes the charts with yet another high profile cyber incident.


Looks like their toolkit of weaponized exploits that makes use of mostly known vulnerabilities was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


As I heard and read this, I thought... yeah .. so what...  Everyone can get hacked, this is just the one before the next one.


However, they seem to put so much emphasis on "their weaponized tools" almost like they want to seem all cool by bragging that their toolkit is so awesome.


Let's take a look at that....  If you had a nuclear weapon... wouldn't you:


1) Have it watched 24x7.

2) Have detailed logging of everyone who comes near it.

3) Have alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few things.


But here are a few more.  These exploits appear to be making use of mostly documented CVEs.


So nothing that is truly a zero day in the sense that it would be fully unknown.  They probably have some juicy ones that they are not yet talking about....



Here is the real kicker... they publicly disclosed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not have made this available to their clients before this breach?


Do they really think that no one on the planet would have found these "known" vulnerabilities?


Or did they simply want to continue milking these vulnerabilities with their own clients when they do penetration tests so they can score?


Perhaps they shouldn't have tossed that out there to be torn apart ;-)

What I call a missed opportunity to shut up.   Not about the breach, but about their great offer to now protect their clients.....


Some serious ethics questions can surface from all this.


Food for thought.


_______________________________________________


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent

LinkedIn :  EVA-Technologies



www.eva-technologies.com





Do we really want to stop cheating?

Cheating in colleges and universities.   This may be news to the normal citizen, but for people who have been in the education field, this is another Monday morning.


If you have "feelings", you might want to stop reading now.




Many news articles have been written over the last weeks, because final exams are taking place, and with COVID this means finding new ways to do exams, and control cheating.


Here is a reality, plagiarism and cheating cannot be successfully subdued with marketing campaigns.


This is much more a PR (public relations) stunt, to save face, and inspire students and employers that the universities take this so so seriously.


I call bullshit.


Here is why.


After teaching in a dozen different establishments over the last two decades:

  • I have seen them ignore it internally
  • I have seen them take a purely political stance at enforcing punishment
  • I have seen them protect the student because the student is a "paying client"


Why will the marketing campaign not really change anything? Simple...


They let in students that would NEVER pass without cheating.

Think about that for a minute.


YOU WILL NEVER PASS.... why wouldn't you risk cheating or copying since it is the only way you WILL pass.


Our education system tends to shovel a lot of shit in my opinion.


They will tell you that they want to produce the best students.  They will not tell you that this is a secondary objective.  


Of course, who would offer to sell you a car and tell you the engineers can't count to 20 without an iPhone.


And our schooling system relies on money..... lots and lots of money... and for every student that is enrolled, a large financial incentive is present that goes well beyond what the student is paying.


So in other words, the motivation to enrol students is larger than the desire to kick them out when they cheat.  Of course, we cannot say this, so what we do is put in place complex political processes that protect the poor innocent student in case the bad bad teacher doesn't like them.  And then throw in any other excuse such as "I'm too short", "I had a bad cough last week", "the teacher doesn't like me", or the race or gender card and you have yourself the entire recipe for a system that will continue to fail, and continue to produce sub-quality students.


Here is the reality, I do not know your name.  I have 60 students, they all have a number, I correct everything without even knowing your name.  I do not care what your sexual orientation is, or your hair colour, I am a professional, I do my job.  You are a student, why don't you do yours.   


I have had a case that even accused me of discrimination because the individual wasn't a minority.  As a society, we have become weak, spineless imbeciles who refuse to take responsibility for our lack of effort.  It is a classic case of finding an angle that makes you look good, and makes you the poor helpless victim.


Think about that if you have open heart surgery... Did my doctor graduate because he took the class 11 times or cheated consistently through his educational career?  Was he lucky enough to always be sitting near the "smart" Asian kid?


Yeah yeah, I know, that is cultural appropriation.  Yet another term for all the losers who need to have their feelings protected.  We all know that Asian kids rock because THEY READ THE FUCKING BOOK and show up in class prepared, you whiny ass losers.


Obviously, medical studies have other safeguards in place.  Yet we still get shit doctors.


What about all the other fields that are not regulated or controlled for quality, aside from trusting that beautiful certificate from a prestigious establishment.


Things will have to get worse before they get better.


Obviously, when management is looking at the short term, these are the results you get and should expect.

 

Will we ever see the quality we once had along with long term vision and values?


Since society is going to hell in a handbasket, and since the people in power are in it for their yearly bonus....   I will not hold my breath.


In the meantime, perhaps a good safeguard is to ask for a PhD for any position; this way you know that person has gone through a long process of refining their political skills ;-).  Instead of getting a normal cheater, you will get a professional who has demonstrated mastery of multiple domains combined with patience and perseverance!


In closing, most students I have had demonstrated good values, good competency, and I would hire them.  My point is simply that by tolerating the 5% who are beyond shit, the image of an entire industry can be impacted, and the trust over time will erode.  This will result in people like me not being able to simply "recommend" someone because they went to XYZ academy.  My response will always be... let us interview the candidate and determine what the quality is on our own.


End of rant.


Wednesday, April 1, 2020

Zoom is being blamed for a Windows bug.

Journalists often paint outside the lines looking for a punchy story.

Zoom this week is being targeted by what almost looks like a coordinated smear campaign with an overwhelming amount of bad press with regards to exposed credentials.

As a security veteran I do clearly get upset when security stories are blown way out of proportion.

Especially when it appears that someone is trying to manipulate the public opinion and bash a specific product.  Even more so, when the issue is actually a Windows OS issue.

Journalists are irresponsibly claiming that using Zoom sends off your username and password and allows attackers to connect to your computer.

THIS IS FALSE.

First off, this issue only manifests itself if someone in your meeting sends you a link to click via a chat session and you click on it.

Secondly, your username and password are not just sent out in the clear; the password is still hashed (protected with some cryptography).  So this applies to you if your password sucks, and not if you use a good-quality, long password.

Thirdly, inbound connections are blocked by your home router/firewall and your enterprise firewalls. This means an attacker can't just reconnect to your computer.  And remember number 1, the attacker would be someone you invited into your meeting.

So if your meetings have passwords and you don't just let everybody in, how would the attacker even know your meeting is happening and get in there......

Also, simple fix.... turn off the chat function in your meetings until this gets fixed.

Wow... simple fix, eh!  The sky is not falling after all.

Second thing of high importance as pointed out by a colleague.  Don't click on Zoom links that come into your email unless you are expecting it.  

Another attack vector currently in play is that a malicious link sent to you could open your Zoom client and trigger this vulnerability.  So the old rule still stands: don't click on links that you don't trust.  If you are expecting a meeting invite, all good.

Some technical changes can be made to your Windows workstation so that it no longer sends off NTLM outbound, and this would be the ideal scenario, however, not everyone is technically tooled to do this.

What would be ideal is if Microsoft would patch this and change the default forcing Windows to NOT send out NTLM to the Internet.

Keep in mind that if your password is of good quality (a long and complex password), this vulnerability fails since the attacker cannot break your password.
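The two places where a defender can see this happening are the chat text itself (a UNC path or file:// link pointing at a host outside the network) and the firewall's egress log (an allowed SMB connection from a workstation to an Internet address, which is the moment the NTLM response leaves). The script below is an added example and is not part of the original post; the chat messages, the firewall log format and the list of internal address ranges are all constructed assumptions for the demo, and the Zoom client itself is not involved.

```python
import ipaddress
import re

# Internal address ranges that an outbound SMB/NTLM connection is allowed to reach.
# This list is an assumption for the example; adjust it to the real network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Ports on which Windows will try SMB, and therefore NTLM, when a UNC path is opened.
SMB_PORTS = {139, 445}

# A UNC path (\\host\share) or file:// URL; the host part is captured.
UNC_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9.\-]+)")

# One firewall log line per outbound connection (constructed format for this example).
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample data, not taken from the original post.
CHAT_MESSAGES = [
    "slides are here: https://example.com/deck.pdf",
    "open this one: \\\\203.0.113.7\\share\\notes.docx",
    "same file: file://203.0.113.7/share/notes.docx",
    "internal copy: \\\\fileserver.corp.local\\public\\notes.docx",
    "thanks, see you all at 3pm",
]
FIREWALL_LOG = [
    "2020-04-01T10:02:11Z ALLOW TCP 10.0.0.15:51322 -> 10.0.0.5:445",
    "2020-04-01T10:02:40Z ALLOW TCP 10.0.0.15:51340 -> 203.0.113.7:445",
    "2020-04-01T10:03:02Z ALLOW TCP 10.0.0.15:51355 -> 93.184.216.34:443",
    "2020-04-01T10:03:30Z BLOCK TCP 10.0.0.15:51360 -> 198.51.100.9:445",
]


def is_internal(host):
    """True if `host` is an IP literal inside INTERNAL_NETS. Hostnames are treated as
    internal only when they end in .local (an assumption; a real check would resolve them)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(".local")
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_unc_links(messages):
    """Return (message_index, host) for every UNC/file:// link pointing outside the network.
    Opening such a link makes Windows attempt SMB and send an NTLM response to that host."""
    hits = []
    for i, msg in enumerate(messages):
        for host in UNC_RE.findall(msg):
            if not is_internal(host):
                hits.append((i, host))
    return hits


def outbound_smb_to_internet(log_lines):
    """Return destination IPs of allowed outbound SMB connections to non-internal addresses.
    Blocked connections are ignored: the firewall already did its job there."""
    dests = []
    for line in log_lines:
        m = FW_RE.match(line)
        if not m:
            continue
        if m["action"] != "ALLOW" or int(m["dport"]) not in SMB_PORTS:
            continue
        if not is_internal(m["dst"]):
            dests.append(m["dst"])
    return dests


if __name__ == "__main__":
    print("UNC links to external hosts:", suspicious_unc_links(CHAT_MESSAGES))
    print("Outbound SMB to the Internet:", outbound_smb_to_internet(FIREWALL_LOG))
```

The second function is the one worth wiring into monitoring: if the egress firewall ever shows an allowed TCP/445 connection to a public address, the workstation is already leaking, whatever application triggered it. The cleaner fix the post asks for (no outbound NTLM to the Internet at all) turns that log line into a BLOCK, at which point the chat-text check becomes a nice-to-have rather than the last line of defence.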

So let's all calm the hell down.  Yes you can keep using Zoom.  This risk is LOW.

Until these articles, I had not created a Zoom account.  Well, I just did, and I actually really like the thing.  It allows me to change my background to a beach, and with all the self isolation we are going through during this Covid crisis....  I think I really like that option.



In closing, Zoom has had numerous security shortcomings in the last months and years.  They certainly do not appear to be perfect in any sense.  Let's just keep the over-exaggeration of security findings down to a minimum.

There currently is a significant increase in malicious meeting invites and the bad guys are targeting the most common tools like Zoom.  

So this means that we will see breaches attributed when all these factors are combined.  

Keep in mind that some of these tools (like Zoom) are free, and that means that you are the product in some way.

Monday, February 24, 2020

Qualified lead, or outright fraud. When journalists help push snake oils and magic dust.

Journalists look for good stories.....  and sometimes someone serves them one that is too good to be true.  But a journalist isn't a security expert, so if the speech is really good, they too fall victim and inadvertently help market something they shouldn't.

Nothing gets me out of bed faster than receiving a message about an article showing a journalist falling for a manipulative marketing trick and actually becoming part of the unjustified hype machine that promotes unethical services.

Well, ok... that's not exactly true... I can think of a few things that would get me up in the morning, but I digress.

All joking aside, this subject is so important, that I felt compelled to produce a video in both French and English to address the subject with my clients.

There are hundreds of sites offering DarkWeb monitoring...

In fact, as I teach in various Universities and Colleges, I made it a mission to give an entire class on this subject over the last few months.



---

Just to be clear, this is about cybersecurity and lacking morals, willing to do anything to get business, not sales, but let me open with this.

Qualified leads.   The bread and butter of a healthy sales cycle.

What if we could find a way to drive customers directly into our sales pipeline....

Well, many companies are doing this today with the help of a cool and frightening cybersecurity term that you may have heard.   "SEARCH THE DARK WEB".

So here is the problem with that.

Marketing and security do not play well together.  If your motivation is to sell something, chances are security is a secondary objective.

What if someone told you they could check out your health at the click of a button, and come back and tell you they found nothing wrong with you.  Or worse, they found two things wrong with you, and you can correct them with the "doctor's" help.

You would feel great.  Thank goodness someone was nice enough to help me identify these two things so I could handle them.  

Well, the problem is, that "doctor" didn't actually check much of anything compared to what you perceive.  After all, are you qualified to know if that doctor did a good job?  Or even did anything qualified, for that matter?

----

Searching the dark web and telling you if you have been breached so you can sleep well at night is as close to fraud as you can get unless it is clearly explained to you that the chances of finding your data is slim, and that you are mostly looking for passwords, not actual corporate data.

It isn't that you cannot find things on the dark web, it is that you cannot find your things on the dark web with any level of certainty.

Let me explain with a visual diagram, take a good look at these three tiers:





So let's break this down into logical and comparable pieces.

PART 1:  Surface web

The surface web is your everyday Google-searchable results.  Compare that to a published catalog or menu of items.

If someone is selling your data on the surface web, you MAY find it by crafting a good search query in Google.  It still remains unlikely to find it, because the internet is endless, but it is certainly possible.

Sites like Pastebin are common grounds to at least start the exchange of data by providing samples, and an email to start the trade.

So let's compare this to visiting every bar in the world, sitting at every table, and asking every shady individual if they are selling your data.

Not impossible because of tools like Google, but still a challenge.

PART 2:  Deep web

This is still on the regular public internet, but, it requires a user account to log in.  So imagine we compare this to visiting a bar again, well, this time, you have to find the right bar, AND when you sit at the table to chat, they have to know you, trust you, and decide they want to share information with you.  

Now some of these bars are listed in the phone book, and some aren't and you have to get a referral to find them. 

This is where it becomes IMPOSSIBLE to guarantee that a service can tell you if your data has been exposed.  So when marketing folks tell you that you can sleep tight, they have clearly committed an ethical fraud.   

PART 3:  Dark web

This is the funniest one.  Everyone uses this term to inspire fear and misunderstanding.  History has shown us many times how fear can be used to sell snake oils, and magical cures, and this is no different.

The dark web is an isolated network.

The dark web is similar to the deep web: some listings exist, but all the good stuff is not listed.  That is the point of the dark web.  So not only do you not know all the addresses for these bars you want to visit, but you most definitely need an invite to get into the good stuff.

Bottomline, it remains an impossible objective to infiltrate even a small number of actual dark web ecosystems that would yield results.

The best you could do, is manually navigate SilkRoad3 (the eBay of the darkweb) and maybe get lucky.  But this is not where the REAL exchanges of sensitive information takes place.

PART 4:  Cyber criminals
Yes folks, there is a part four......  The fact is, your information might be out in the criminal world and NEVER touch any of these "sites".  

You see, cybercriminals are smarter than you think.  If they have valuable information, they hang on to it, they share information behind closed doors, and they may never leak the information because of an espionage golden rule.

"A tactic known is a tactic blown".  Your information loses value quickly once it is known.   Let's face it, once a data breach is published, people normally change their passwords.

So let's go back to these "services" that will allow you to sleep well at night because they checked the "Dark Web" cough cough for you.

Surely you have heard of these emails people get that tell them their computer has been hacked and show them a password they are familiar with.  They then ask you to pay a ransom in bitcoins or they will publish videos recorded from your laptop's camera.  Now I have had people call me in a panic that didn't even have a built-in camera on their computer.  So these tactics work.

These passwords are taken from LEAKED password databases.

There are tons of these sites.  RAIDFORUMS is one.  Several terabytes of leaked data.

But, you can also check for yourself for free at Have I Been Pwned to see if your email address or domain name has been exposed in the past.

So just like these fraudulent emails, these "services" that claim to check the dark web only check the most basic of elements.... leaked password databases.

Now... how do you test this.

Well, it is actually quite simple:
  • You create a leak of false data representing a new and fictitious enterprise.
  • You insert it into several EASY places found on the Internet
  • You insert it into several known, but closed forums
  • You insert it into Silkroad3 (the darkweb market place)
  • You insert it into one or two REAL underground sites

And then you test the service.

You know what will come up.

Nothing.

And if you read the disclaimer on these services you are subscribing to, the legal wording makes it clear that you have no guarantees, and it may become clear that they are not catching much.  I have read a dozen disclaimers from various sites, and none of them made me feel good about the service.

So it's a great way to drive the uneducated and unqualified to your sales pipeline.  Great way to sell them something else after you have established a relationship.   But for many qualified security professionals, this is unethical and immoral since the client perceives that they are somehow protected.

Lately, some articles have been published claiming that in Quebec alone we have over 17,000 security resources.

No, we have less than 1,000 in my view, and less than 100 in the highly qualified portion.

This type of marketing proves that point.

Security is about maturity and about perception.  The fact that you add the word security in your marketing literature does not make you a valued security partner.

A false sense of security is what resulted in the sinking of a 46,328 ton vessel called the Titanic.

Now, to the journalists and websites that cover these less than ideal services and push referrals to them and actually help these snake oil salesmen sell more magic dust, please... please... validate your stories with vetted security professionals and make sure to explain the limits of these services.




Friday, February 21, 2020

DNA sequencing computer attacks - The large security gap chasm that enterprises face

I was having a discussion with a friend who works in a three letter agency about the large gap that most enterprises have in their security and overall maturity.

Overall, maturity across most enterprises remains low when you look at the full width of what would be expected of a secure enterprise.

In a humorous text message, my friend sent me a really cool conference talk on DNA sequencing used to attack a computer system.

Here I am arguing 

  • about the value of isolating a compromised workstation even if it is the CEO's laptop.
  • that Winter2019 is a terrible password 
  • that the user who changed his password when told it was a bad password, from Summer2019 to Winter2019, lacks computer security competency
  • that if performing a simple vulnerability scan across your network causes major issues it means your systems are at the bottom end of the quality scale

.... and in a lab somewhere in Washington, they hacked a computer using DNA.

Yes, you read that right.

If you want to expand your views of the complexities enterprises face in defending against malicious attacks, listen to this 29 minute talk.




Summary (extract):
A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.

That's right, folks: as security professionals, we have to test users for weak passwords, test computers for malware, and test software for out-of-band attacks coming in through DNA.

I thought this was a really cool image that is being painted about how wide protecting enterprises against attacks can be.

We have to explain to management that Winter2019 is a bad password AND we have to explain that software in an embedded system could be exploited by a DNA sample.  If they do not even understand the first one..... that second one is going to be a hard sell.
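The Winter2019 problem is easy to state and easy to check mechanically: the password is a season or month glued to a year, and the "change" was the same template with a different token. The check below is an added example and is not something from the original post; the word list, the 14-character minimum and the sample passwords are assumptions made for the demo, and a real policy would add many more patterns (company name, keyboard walks, breach lists).

```python
import re

# Words users glue to a year or a counter when forced to rotate. Constructed list.
ROTATING_WORDS = (
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
)
_WORDS = "|".join(ROTATING_WORDS)

# A password that is only such a word plus a year, with optional trailing symbols.
PREDICTABLE_RE = re.compile(
    r"^(?:" + _WORDS + r")[-_ ]?(?:19|20)\d{2}[!@#$%^&*.]*$", re.IGNORECASE)


def is_predictable(password):
    """Winter2019, summer-2020!, Fall2021 ... all match."""
    return bool(PREDICTABLE_RE.match(password))


def _stem(password):
    """Strip the parts people rotate (season/month words, digits, symbols) and keep the core."""
    s = password.lower()
    s = re.sub(_WORDS, "", s)      # crude: also strips 'may' out of e.g. 'mayhem'
    s = re.sub(r"\d+", "", s)
    return re.sub(r"[^a-z]", "", s)


def is_trivial_rotation(old, new):
    """True when `new` is `old` with only the rotating token changed
    (Summer2019 -> Winter2019, Welcome1! -> Welcome2!)."""
    if old == new:
        return True
    if is_predictable(old) and is_predictable(new):
        return True
    stem_old, stem_new = _stem(old), _stem(new)
    return stem_old != "" and stem_old == stem_new


def evaluate_change(old, new):
    """Return the reasons to reject the new password; an empty list means acceptable."""
    reasons = []
    if is_predictable(new):
        reasons.append("season/month + year pattern")
    if is_trivial_rotation(old, new):
        reasons.append("trivial rotation of the previous password")
    if len(new) < 14:                     # minimum length is an assumption for the demo
        reasons.append("shorter than 14 characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the exact change described in the post, and a sane alternative.
    print(evaluate_change("Summer2019", "Winter2019"))
    print(evaluate_change("Summer2019", "correct horse battery staple"))
```

The point of comparing stems rather than whole strings is that a plain "new password must differ from old" rule is exactly what produced Summer2019 to Winter2019 in the first place; the user satisfied the letter of the policy and changed nothing an attacker cares about.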

The reality is that attackers invest all their time in finding weaknesses that they can exploit.  Enterprises still struggle to have enough budget just to keep systems updated. 

Let's just say that breaches will continue to happen, and sites like databreachtoday.com might have to change their names soon to data breach this hour . com


So if you are competent in cyber security... job security is probably ensured.

This week, our local government announced yet another data breach where a user account was used to log in and steal the personal information of 360,000 employees (TVA Nouvelles - Ministère de l'Éducation).

A single user account that can suck out all the records over the Internet.

What a wide chasm we indeed are facing.


Friday, January 31, 2020

Laurentienne bank ATM attack - Engineering 101 Failure





Earlier this week, I was contacted by a journalist who had gathered some very high level details about the loss of funds at Laurentienne bank.

At that time, all we knew was that a few ATMs had been targeted and the losses totalled $55k.

I explained to the journalist the various attacks that are possible on an ATM, including attacks that take over the ATM, and the most probable scenario that remained appeared to be a simple card skimming/cloning attack.  Even though these attacks are less and less popular, I couldn't imagine that an actual ATM in a bank (not one in a corner store somewhere) would be the victim of an actual jackpotting attack.  Original article.

Many years ago (15+) , I was in charge of ATM selection for a large bank and these attack vectors had already been examined, and the ATM solutions selected had to meet certain physical security characteristics to be considered for purchase.

Well, I think everyone is a little stunned to hear that the attack that was demonstrated 10 years ago at Defcon18 and BlackHat 2010 appears to be the attack that took place on a commercial grade ATM directly in several bank branches.  

I know that I am flabbergasted (to use the term of a colleague).

There is a significant difference between true commercial grade systems and the little ATM systems found in various stores.... or at least there should be.

Turns out, we are faced with a problem which we could call a SECURITY ENGINEERING FAILURE.

News reports state with a large exaggeration that these ATMs spat out $200,000 in a minute, which mechanically they simply cannot do, but a significant engineering failure is still present.

Older ATMs from reputable vendors have a modification available that blocks this attack.

To recap, accessing the inside of the ATM and perhaps connecting to a service port (USB port anyone...) can grant access to the operating system either directly or through a vulnerability.  Since the software controls the cash dispenser, you can simply inject code that asks the cash dispenser to dispense.  

Emptying $100,000 in 20 dollar bills means spitting out 5000 bills.  This does take time, but if it is 1 am, perhaps no one would notice.


So how is this a failure of engineering ?



The cash dispenser can be equipped with an electronic circuit (with no computing intelligence) that simply counts how many bills have been dispensed in a given sequence or time period.


Most banks will let you take out a maximum of $500 per transaction, so if the electronic circuit detects 26 bills leaving the cartridge within, say, 3 minutes, the circuit could initiate a shutdown of the ATM, ring an alarm, call its mommy, or do whatever... resulting in the attack being uncovered, and the losses contained to $520 buckazoids.   That's right folks... a Space Quest reference on a Friday!
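To make the interlock idea concrete, here is a simulation of that counting circuit as an added example (it is not from the original post and not any vendor's design): a sliding-window counter sitting between the controller and the cassette that latches after 26 notes in 180 seconds, using the post's numbers. The two scenarios (a jackpot run asking for 5000 notes, and three normal $500 withdrawals five minutes apart) and the 0.5 s per-note feed rate are constructed assumptions.

```python
from collections import deque

NOTE_VALUE = 20          # dollars per note, as in the post's $20-bill example
MAX_NOTES = 26           # notes allowed inside the window before the circuit trips ($520)
WINDOW_SECONDS = 180     # "within, say, 3 minutes"


class DispenserInterlock:
    """Models a dumb counting circuit in front of the cash dispenser.

    Every note that is about to leave the cassette is reported with a timestamp.
    If MAX_NOTES have already left within the sliding WINDOW_SECONDS, the circuit
    latches (trips) and refuses further notes until it is physically reset. The
    controller software never sees this logic, so code injected there cannot bypass it.
    """

    def __init__(self, max_notes=MAX_NOTES, window_seconds=WINDOW_SECONDS):
        self.max_notes = max_notes
        self.window_seconds = window_seconds
        self._recent = deque()   # timestamps of notes dispensed inside the window
        self.tripped = False

    def request_note(self, t):
        """Return True if a note may leave the cassette at time t (seconds)."""
        if self.tripped:
            return False
        # drop timestamps that fell out of the sliding window
        while self._recent and t - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        if len(self._recent) >= self.max_notes:
            self.tripped = True        # alarm / shutdown would be raised here
            return False
        self._recent.append(t)
        return True

    def reset(self):
        """Physical reset by a technician; software cannot call this."""
        self._recent.clear()
        self.tripped = False


def run_dispense_sequence(requests):
    """Feed a list of request timestamps through a fresh interlock.
    Returns (notes_dispensed, dollars_dispensed, tripped)."""
    lock = DispenserInterlock()
    dispensed = sum(1 for t in requests if lock.request_note(t))
    return dispensed, dispensed * NOTE_VALUE, lock.tripped


# Constructed scenarios for this example.
def jackpot_attempt():
    """Injected code asks for 5000 notes as fast as the mechanism feeds them (one every 0.5 s)."""
    return run_dispense_sequence([i * 0.5 for i in range(5000)])


def normal_customers():
    """Three $500 withdrawals (25 notes each), five minutes apart."""
    requests = []
    for start in (0, 300, 600):
        requests += [start + i * 0.5 for i in range(25)]
    return run_dispense_sequence(requests)


if __name__ == "__main__":
    print("jackpot attempt:", jackpot_attempt())     # 26 notes, $520, tripped
    print("normal customers:", normal_customers())   # 75 notes, $1500, not tripped
```

One tuning caveat a practitioner would raise: with a 26-note limit and a $500 maximum, two legitimate customers back to back within the same three minutes would also trip it, so the real threshold has to be set from the branch's observed peak rate, not just from the single-transaction limit; the sliding window (rather than a fixed three-minute bucket) keeps an attacker from straddling a boundary to double the take.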

So essentially, we have a series of commercial grade (cough cough) systems that have been engineered without security engineering in mind.

The electrical modification needed to block this attack is actually relatively simple and therefore "cheap".

For the Laurentienne Bank, it seems it may have cost them a little shy of a million dollars in losses, that I am certain their insurance will cover with a smile.

Well... maybe not with a smile.

If you have never seen the original attack demonstrated at DefCon18 (2010) by Barnaby Jack, the link is here.

These types of engineering failures happen more frequently than one would think.




Debit card processing machines that allow you to configure the device with your banking information yet retain the default administrator password of "12345".  An attacker can simply get to the admin panel, and credit their debit card, walking out the door with amounts as high as $5000 a shot.
ENGINEERING FAILURE !




Airplanes not allowing system updates through a circuit that cuts the power to the USB service ports unless there is weight on the wheels....
ENGINEERING SUCCESS !







Having a USB port front facing or "easily" accessible on a public ATM 
ENGINEERING FAILURE !









Here are links to two interviews I just did on this subject.

FM 98.5 (French):  The general topic of the breach

QUB RADIO (French): The general topic & the engineering aspect



Keep in mind that these ATM systems probably needed some serious software updates and might even be running Windows XP, the once gold standard of ATM controllers. ;-)

Minimally, from an engineering perspective, having a USB port that you can get to from the front of the ATM also seems like an obviously bad idea to a typical guy like me.

But.... I ain't no engineer. ;-)


_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com



Tuesday, January 14, 2020

Scaring grandma - A vicious news cycle of incompetence

As someone pointed out, it's been a while since I published something to stimulate the mind and piss off someone in need of an attitude readjustment.

Well.... happy new year!

The last months have been overwhelming for many enterprises, as breaches surface faster than grandpa's bubbles in the spa.

No lack of cases to pick at, and over the last month and a half, I was called into over 30 television and radio interviews for various screw-ups and potentially newsworthy events.

This week, some news stories floated to the top, but as is often the case, the media misunderstands risks, and sometimes they call in technology experts who are not tuned to security; the result is a message that frightens everyone and carries no significant value.

Let's take this case:  Quebec hacker arrested for SIM swapping and stealing millions in bitcoins.

https://www.lapresse.ca/actualites/justice-et-faits-divers/202001/12/01-5256560-un-presume-pirate-montrealais-aurait-vole-des-millions-en-cryptomonnaie.php

I was listening to one of my favourite talk show hosts... drive the car literally off the cliff.  I actually texted him while he was on the air with the word "STOP!".

His interviewee was going on about how SIM swapping takes over the person's phone.

First off, NO.  SIM swapping takes over the person's PHONE NUMBER.  It has very little to do with the emails or the other applications on that phone unless numerous other attack vectors are also in play.

As the car drove off the cliff.... it accelerated.... going on about how emails and everything on the phone was compromised.....  once again... a stern and firm NO.

I'm all for scaring grandma.   But I prefer to use valid old school techniques like C4 or the right mixture of potassium nitrate, sulfur and carbon in her granny panties drawer with a drawstring and a hidden camera.

So let's make sure we break this down and understand.

If someone called your provider and had the right personal information, they could activate a new SIM on your current phone number.  Your phone would go mostly dead (no calls, no carrier internet), but if you are on Wi-Fi, you might not even notice until you try to make a call.

If that same someone had access to even more personal information, like your banking information (bank name, account name, password), they could log into your bank account even if your bank uses SMS-based MFA (multi-factor authentication).  They would simply log in and, when asked for the temporary secret code, receive it on the device carrying the newly activated SIM; you would receive nothing and would not know that this happened.
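The point that SMS MFA is bound to the phone number, not the phone, is also the point where a bank can defend itself. The following is an added illustration, not code from the post or from any carrier or bank: it models a toy carrier that records which SIM is active on a number, the naive SMS delivery that follows the number to whatever SIM now holds it, and a bank-side check that refuses to use SMS as a factor when the SIM changed recently. The 72-hour cooling-off period, the `Carrier` class, and all subscriber data are constructed; real deployments query carrier SIM-swap lookup services, which are not modelled here.

```python
"""Bank-side 'recent SIM change' check before sending an SMS one-time code.

Added illustration of the defence implied by the post: because SMS MFA is
tied to the phone NUMBER, a bank should stop treating SMS as a factor while
the number has only just been moved to a new SIM. The carrier model, the
72-hour cooldown and the subscriber data are all constructed for the example;
real carrier SIM-swap lookup APIs are not modelled."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CarrierRecord:
    msisdn: str                 # the phone number
    iccid: str                  # identifier of the SIM currently active on it
    sim_activated_at: datetime  # when that SIM was bound to the number


class Carrier:
    """Toy carrier: remembers which SIM is active for each number."""

    def __init__(self):
        self._subs = {}

    def provision(self, msisdn, iccid, when):
        self._subs[msisdn] = CarrierRecord(msisdn, iccid, when)

    def swap_sim(self, msisdn, new_iccid, when):
        # The outcome of the support call the post describes: from this
        # moment the number rings (and receives SMS) on new_iccid.
        self._subs[msisdn] = CarrierRecord(msisdn, new_iccid, when)

    def lookup(self, msisdn):
        return self._subs[msisdn]


SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # assumption for the example


def choose_second_factor(carrier, msisdn, now):
    """Return 'sms' if an SMS code is acceptable, otherwise 'step_up',
    meaning an authenticator app, a callback to an enrolled device, or an
    in-branch check, none of which ride on the phone number."""
    rec = carrier.lookup(msisdn)
    if now - rec.sim_activated_at < SIM_CHANGE_COOLDOWN:
        return "step_up"
    return "sms"


def deliver_otp(carrier, msisdn, code):
    """Naive SMS delivery: the code goes to whichever SIM holds the number."""
    return carrier.lookup(msisdn).iccid, code


def scenario():
    """Constructed timeline: long-standing subscriber, SIM swapped at t0,
    login attempts 20 minutes and 4 days later."""
    t0 = datetime(2020, 1, 10, 9, 0, tzinfo=timezone.utc)
    number = "+15145550100"  # constructed number
    carrier = Carrier()
    carrier.provision(number, "ICCID-VICTIM", t0 - timedelta(days=400))

    before = choose_second_factor(carrier, number, t0)
    carrier.swap_sim(number, "ICCID-ATTACKER", t0)
    after = choose_second_factor(carrier, number, t0 + timedelta(minutes=20))
    recipient, _ = deliver_otp(carrier, number, "493201")
    later = choose_second_factor(carrier, number, t0 + timedelta(days=4))

    return {
        "before_swap": before,            # 'sms'
        "after_swap": after,              # 'step_up'
        "naive_sms_recipient": recipient, # 'ICCID-ATTACKER'
        "after_cooldown": later,          # 'sms'
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

`deliver_otp` is the behaviour the post describes: with no check, the bank's code lands on the new SIM. `choose_second_factor` is the mitigation: during the cooldown the bank falls back to a factor that does not depend on the number. Whether the carrier exposes the activation timestamp, and how long the cooldown should be, are policy decisions the example only stands in for.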

So back to the bitcoins worth millions.

These victims are not the sharpest tools in the shed.

Sure they had MFA activated on their ONLINE WALLETS..... 

But these wallets are ONLINE and they had millions in them.

So not only did they trust the MFA (which is ok to do under most circumstances), but they also trusted a software system, hosted on the internet, to hold millions of dollars in bitcoins.

That is not a very smart move.

As a solid comparison, I have an electronic bitcoin wallet on an Android phone.  This device is ONLY connected to the internet via Wi-Fi (no SIM card) when a bitcoin transaction is to be done.   I have the wallet secret key encrypted with a mechanism that only I know, and printed and placed in a physical vault.

So my risk is reduced to a window of time, equal to the moment I connect to the Internet to perform a transaction (a few minutes).

Ok sure, some additional risks exist, since I just mentioned that I have a paper version that only I can decrypt stored away in a vault somewhere.  So I'm now a potential kidnap victim.  On the positive side, I'm batshit crazy, heavily armed, ex-military, over 50 with a short fuse.

That is called risk management.

And you won't hear me crying that someone stole my bitcoins anytime soon.

So all these people rapidly adopting the technology are not aware, even at the simplest level, of the risks they are taking.

Trusting a website to hold your bitcoins (or anything related to your wallet) to me, is as close to crazy as one can get.


So once again, everyone relying on technology would benefit from a lunch with a qualified security professional.

People, feed your nerds and geeks.

It can save you millions. ;-)

And as for the media, it would be nice if they would gradually learn to stop calling an 18 year old "hacker" a computer genius simply because he had the patience to exploit a series of people who were totally useless and careless in their protection of valued assets.

Just to be clear, because someone knows more about something than you do, does not by default make them a genius.

And also, how many people actually have millions in bitcoins protected by their phones.....

---

On a second note, big news today about various social media being caught selling your shit again.  How this is new news is beyond me, since all experts keep saying that if it is free, you're the product.

Ok, in this case, these services are not ALL free (Tinder & Grindr), but some features are, and let's face it, companies are there to make money, not to offer a quality service as a primary objective.


Now I'm not saying that quality isn't important to them and that all social media and dating apps are bad; I'm saying that most will sell any data they can to make more money, because companies prioritize profits over quality of service.

What we do not know at this exact moment are the exact data elements sold.  Is it just statistical data (so many men looking for XYZ in this geographic area)?  Either way, are we really surprised that they package usage data and sell it..... come on now.  Grow up.

So, back to basics:

1) If it is free (or mostly free) you are the product or part of the product
2) If it is extremely valuable, it shouldn't be on anything connected to the Internet

Paris Hilton and many other famous people learnt that the hard way (no pun intended).


_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com