Describing AWS Instances

Amazon uses the idea of “describing” resources using filters quite a bit.

A filter, in Python terms, is a list of dicts, and each value in a dict's key-value pairs can itself be a list. The documentation is a little light on details, intentionally I believe, because the format is extremely flexible. A few examples of using this in Python and PowerShell are below.

If you wanted to get all of the instances that have a Name tag with the value webserver, you would use

filters = [{'Name': 'tag:Name', 'Values': ['*Webserver*']}]

Here is an example of using this concept in a python script:

https://gist.github.com/LenOtuye/ed4617b19217a3f903dc0161524dcd91.js

And here is the same thing in PowerShell: https://gist.github.com/LenOtuye/c7c36710be9a153ea1998045c64806a9.js

And just for extra fun, once you have the instance objects in PowerShell it's pretty easy to pipe them to other cmdlets, like "where" to filter by instance type: https://gist.github.com/LenOtuye/71d800f6807bda0d501a157ec6a50757.js
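Since the gists above are embedded as links rather than inline code, here is an added Python example (mine, not one of the post's gists) that builds filters in the format described above and applies the documented semantics locally: every filter in the list must match (AND), any of the values inside one filter may match (OR), and `*`/`?` are wildcards. The sample instance records are constructed in the shape `describe_instances` returns; `describe_instances()` at the bottom runs the same filter list against the real API through a boto3 client you pass in, so the offline matcher and the live call take identical input.

```python
"""Build and apply EC2 describe-instances style filters (added example)."""
from fnmatch import fnmatchcase


def tag_filter(key, *values):
    """A single filter on a tag, e.g. tag_filter('Name', '*Webserver*')."""
    return {'Name': f'tag:{key}', 'Values': list(values)}


def attr_filter(name, *values):
    """A filter on an instance attribute, e.g. attr_filter('instance-type', 't2.micro')."""
    return {'Name': name, 'Values': list(values)}


def _instance_values(instance, name):
    """Return the strings a filter Name selects from one instance dict.
    Only the handful of filter names used here are implemented locally."""
    if name.startswith('tag:'):
        key = name[len('tag:'):]
        return [t['Value'] for t in instance.get('Tags', []) if t['Key'] == key]
    if name == 'tag-key':
        return [t['Key'] for t in instance.get('Tags', [])]
    if name == 'instance-state-name':
        return [instance.get('State', {}).get('Name', '')]
    if name == 'instance-type':
        return [instance.get('InstanceType', '')]
    raise ValueError(f'unsupported filter name in local matcher: {name}')


def matches(instance, filters):
    """AND across filters, OR across the values of one filter; matching is case-sensitive."""
    return all(
        any(fnmatchcase(value, pattern)
            for value in _instance_values(instance, f['Name'])
            for pattern in f['Values'])
        for f in filters
    )


def select_instances(instances, filters):
    return [i['InstanceId'] for i in instances if matches(i, filters)]


def describe_instances(ec2_client, filters):
    """Run the same filters against the real API. ec2_client is a boto3 EC2
    client (boto3.client('ec2')); results are paginated, so walk every page."""
    found = []
    paginator = ec2_client.get_paginator('describe_instances')
    for page in paginator.paginate(Filters=filters):
        for reservation in page['Reservations']:
            found.extend(reservation['Instances'])
    return found


# Constructed sample data in the shape describe_instances returns.
SAMPLE_INSTANCES = [
    {'InstanceId': 'i-0000000000000001', 'InstanceType': 't2.micro',
     'State': {'Name': 'running'},
     'Tags': [{'Key': 'Name', 'Value': 'prod-Webserver-1'}]},
    {'InstanceId': 'i-0000000000000002', 'InstanceType': 'm4.large',
     'State': {'Name': 'stopped'},
     'Tags': [{'Key': 'Name', 'Value': 'prod-Webserver-2'}]},
    {'InstanceId': 'i-0000000000000003', 'InstanceType': 't2.micro',
     'State': {'Name': 'running'},
     'Tags': [{'Key': 'Name', 'Value': 'prod-Database-1'}]},
]

if __name__ == '__main__':
    # The post's filter: every instance whose Name tag contains "Webserver".
    print(select_instances(SAMPLE_INSTANCES, [tag_filter('Name', '*Webserver*')]))
    # Two values in one filter (OR) narrowed by a second filter (AND), the
    # equivalent of piping to "where" in the PowerShell version.
    print(select_instances(SAMPLE_INSTANCES, [
        tag_filter('Name', '*Webserver*', '*Database*'),
        attr_filter('instance-state-name', 'running'),
    ]))
```

Note that tag filters are case-sensitive: `tag_filter('Name', 'webserver')` with a lowercase `w` and no wildcards matches nothing in the sample set, which is the most common reason a "describe" call comes back empty.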

Example CloudFormation template for an OpsWorks Stack

I recently spent some time struggling through the AWS documentation to create an OpsWorks Stack using CloudFormation. The AWS documentation is comprehensive for the resources available, but a little lacking on examples of how to link them together.

I thought I’d share a sanitized example of what I found, so it’s below.

To implement this in your own environment, you will need to swap out the account-specific information: the OpsWorks service role, subnets, security groups, and current AMI IDs, and the Chef recipe to run on the Setup lifecycle event.

Lastly, this won't be much use unless you have a repository of Chef recipes to run on these instances.

This template creates an OpsWorks stack with a single layer and two Ubuntu 16.04 instances. One instance is declared as depending on the other so that they get created at different times and therefore receive different hostnames.

The instances are time-based (schedule-controlled) and created with a schedule that keeps them on during Central time business hours.

https://gist.github.com/LenOtuye/9b62d9b8dbf65e33f84477b6a0f6e40d.js

AWS CloudFormation Template Parameters

An AWS CloudFormation template represents a stack (grouping) of resources. Most companies will want to deploy these stacks into multiple environments ("Development", "Staging", "Production", etc.).

CloudFormation presents an easy way to do so with a combination of template parameters and mappings.

The first step is to create a parameter for your CloudFormation template.

https://gist.github.com/LenOtuye/b6273550d85bc0091b7c9c6437f7d21f.js
The next step is to create a mappings section. This will be used to hold different values to be used in the different environments.

https://gist.github.com/LenOtuye/e12c47b7ee95a43b78af2faea39be647.js

Then you can combine the parameter and mappings to dynamically select the subnet like below.

https://gist.github.com/LenOtuye/4fe4f0b041a890992159b5b7fb397510.js

The advantage is that you can select values dynamically in the CFT without changing the template at all. It also allows users who aren't familiar with CloudFormation to deploy resources into different environments.
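Because the three gists above are links rather than inline template text, here is an added example (mine, not the post's gists) that puts the three pieces together in Python: a parameter with `AllowedValues`, a mapping keyed by environment, and `Fn::FindInMap` keyed on `Ref` to the parameter. The subnet and AMI IDs are labelled placeholders. The small `resolve()` function evaluates `Ref` and `Fn::FindInMap` the way CloudFormation does at deploy time, so you can check offline which subnet each environment would get, and `check_mappings_cover_parameters()` catches the common mistake of adding an allowed value without a matching map row, which otherwise only fails when the stack is created.

```python
"""Parameter + Mapping + Fn::FindInMap, with a resolver to verify the result (added example)."""
import json

ENVIRONMENTS = ['Development', 'Staging', 'Production']

TEMPLATE = {
    'AWSTemplateFormatVersion': '2010-09-09',
    'Parameters': {
        'Environment': {
            'Type': 'String',
            'Default': 'Development',
            'AllowedValues': ENVIRONMENTS,  # rejects typos before anything is created
            'Description': 'Which environment this stack is deployed into',
        },
    },
    'Mappings': {
        # Placeholder IDs: swap in the subnets for your own account.
        'EnvironmentMap': {
            'Development': {'SubnetId': 'subnet-PLACEHOLDER-dev', 'InstanceType': 't2.micro'},
            'Staging':     {'SubnetId': 'subnet-PLACEHOLDER-stg', 'InstanceType': 't2.small'},
            'Production':  {'SubnetId': 'subnet-PLACEHOLDER-prd', 'InstanceType': 'm4.large'},
        },
    },
    'Resources': {
        'WebServer': {
            'Type': 'AWS::EC2::Instance',
            'Properties': {
                'ImageId': 'ami-PLACEHOLDER',
                'InstanceType': {'Fn::FindInMap': ['EnvironmentMap', {'Ref': 'Environment'}, 'InstanceType']},
                'SubnetId': {'Fn::FindInMap': ['EnvironmentMap', {'Ref': 'Environment'}, 'SubnetId']},
            },
        },
    },
}


def resolve(node, template, parameters):
    """Evaluate Ref (to a template parameter) and Fn::FindInMap as CloudFormation would.
    Pseudo-parameters such as AWS::Region are deliberately not handled here."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == 'Ref':
            if arg not in template['Parameters']:
                raise KeyError(f'unknown parameter {arg}')
            return parameters.get(arg, template['Parameters'][arg].get('Default'))
        if fn == 'Fn::FindInMap':
            map_name, top_key, second_key = (resolve(a, template, parameters) for a in arg)
            return template['Mappings'][map_name][top_key][second_key]
    if isinstance(node, dict):
        return {k: resolve(v, template, parameters) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, template, parameters) for v in node]
    return node


def resolved_properties(resource_name, parameters, template=TEMPLATE):
    """The resource's Properties with every Ref/FindInMap replaced by its value."""
    return resolve(template['Resources'][resource_name]['Properties'], template, parameters)


def check_mappings_cover_parameters(template=TEMPLATE):
    """Return {map_name: [missing allowed values]} for any map lacking a row per environment."""
    allowed = set(template['Parameters']['Environment']['AllowedValues'])
    gaps = {name: sorted(allowed - set(rows)) for name, rows in template['Mappings'].items()}
    return {name: missing for name, missing in gaps.items() if missing}


if __name__ == '__main__':
    print(json.dumps(TEMPLATE, indent=2))  # the template as you would upload it
    print(resolved_properties('WebServer', {'Environment': 'Production'}))
    print(check_mappings_cover_parameters())  # {} means every environment has a row
```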

Principle of Least Privilege

What is the “Principle of Least Privilege”? It’s the idea of only giving people access to what they need. It commonly comes up when talking about directories and file permissions, but it can apply to much more than that.

When was the last time you received a letter? As in a physical letter, sent to you in the mail (I know, it’s been a while). If you dig one out and look at the “to” address, you’ll probably see several pieces of information:

  1. ,

Now here’s a question, what parts of the address are necessary for the letter to arrive? You can debate parts of lines 2 – 4, but line 1 is clearly extraneous. It doesn’t help the postal service deliver the letter. It does violate the principle of least privilege. The person delivering the letter now knows your name, they know the sender knows your name, and they probably know the name of the sender. Not the end of the world, but your network infrastructure might be quietly leaking similar information.

One easy place to look is at the web server's response headers, using an nmap script. If you run this against your web server and get back accurate version information about it, the server is leaking information it doesn't need to. A good article on disabling this in Apache can be found here.
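As an added illustration (not part of the original post), the check below does the same thing as the nmap script in plain Python: it looks at the headers that commonly identify server software and rates a product-plus-version string (`Apache/2.4.18 (Ubuntu)`) as a higher-value leak than a bare product name (`Apache`). `fetch_headers()` performs a real HEAD request against a URL you own; `audit_headers()` works on any header dict, so the two constructed responses at the bottom exercise it offline. On Apache the bare `Apache` banner is what `ServerTokens Prod` together with `ServerSignature Off` produces; the `X-Powered-By` header comes from PHP's `expose_php` setting rather than from Apache itself.

```python
"""Flag response headers that disclose server software and versions (added example)."""
import re
from urllib.request import Request, urlopen

# Header names that commonly carry software identification.
IDENTIFYING_HEADERS = ('Server', 'X-Powered-By', 'X-AspNet-Version', 'X-Generator')
# A dotted version number such as 2.4.18 or 7.0.33.
VERSION_RE = re.compile(r'\d+(\.\d+)+')


def audit_headers(headers):
    """Return (header, value, severity) findings for identifying headers that are present.
    'high' = product and version disclosed, 'low' = product name only."""
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    for name in IDENTIFYING_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        severity = 'high' if VERSION_RE.search(value) else 'low'
        findings.append((name, value, severity))
    return findings


def fetch_headers(url, timeout=5):
    """HEAD request against a server you administer; returns its headers as a dict."""
    req = Request(url, method='HEAD', headers={'User-Agent': 'header-audit'})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: a talkative server and a quiet one.
LEAKY = {'Server': 'Apache/2.4.18 (Ubuntu)', 'X-Powered-By': 'PHP/7.0.33', 'Content-Type': 'text/html'}
QUIET = {'Server': 'Apache', 'Content-Type': 'text/html'}

if __name__ == '__main__':
    for label, headers in (('leaky', LEAKY), ('quiet', QUIET)):
        print(label, audit_headers(headers))
```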

Celebrity Photo Leaks: Why the security community is not more interested

First of all, my sympathy goes out to the celebrities who have had their privacy compromised this weekend. Having your personal photos taken and plastered all over the internet is not fun or fair. I’m about to comment on things that could’ve been done to improve their privacy, but I am not placing the blame on them. As with any cyber-bullying typed event, the fault rests with the bully. And shame on them for abusing their knowledge to harm others.

If you keep tabs on both mainstream media and security blogs, you have probably noticed that this event has gotten lots of attention in the former, and almost none in the latter. This may seem odd, since this attack has had a fairly high impact, but it makes more sense when you look at the method of attack or "kill chain".

Vulnerability in iCloud

iCloud had a vulnerability that allowed you to try as many passwords as you wanted without forcing a delay. A more secure system would allow a limited number of password attempts (let's say 3 to 5) before forcing you to wait for a period of time (let's say 5 minutes) before trying again. This may not seem like a security hole until you combine it with the next two things.

Brute Forcing a Password

Let's say I know your iCloud email, but not your password. I decide to try and guess your password. iCloud passwords are 8 characters minimum, so my first guess is

“aaaaaaaa”

If that’s not right, I try

“aaaaaaab”

then

“aaaaaaac”

and so on until I’ve tried enough random combinations of letters, numbers, and characters to guess your password. With (very) little programming skill, I can have my computer generate passwords very quickly.

Common Passwords

Apparently, humans who speak the same language tend to think of a lot of the same words to use in passwords. After enough time spent creating, using, and guessing passwords, we start to see common patterns. This makes guessing a password much quicker, because instead of just starting with “aaaaaaaa” I can start with words I already know are common, which speeds things up a lot.

So now I can try to guess your password an unlimited number of times, as fast as I can, and I have a way to make my guesses more accurate. It was a privacy-compromising combination.

These items are all common knowledge in the security industry that have now been applied to high-profile targets. So this isn't terribly interesting from a theoretical perspective, but it is a good opportunity to remind everyone to use good password management practices.
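To make the two defences in this post concrete, here is an added example (mine, not from the original post) of the server-side pieces: an attempt limiter that locks an account for a cooling-off period after too many failures, using the post's numbers (5 attempts, 5 minutes), and a password check that enforces the 8-character minimum and rejects entries from a common-password list. The clock is injectable so the lockout can be tested without waiting; the denylist is a constructed stand-in for a real list built from public breach data, and `verify()` is a stand-in for whatever credential check the application already has.

```python
"""Attempt limiting with lockout, and a common-password check (added example)."""
import time
from collections import deque


class LoginThrottle:
    """Allow at most `max_attempts` failed logins per account within `lockout`
    seconds; once that is reached, refuse all attempts until `lockout` seconds pass."""

    def __init__(self, max_attempts=5, lockout=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock  # injectable for tests
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lock expires

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0)

    def record_failure(self, account):
        now = self.clock()
        window = self._failures.setdefault(account, deque())
        window.append(now)
        while window and now - window[0] > self.lockout:  # forget old failures
            window.popleft()
        if len(window) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            window.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """verify(account, password) -> bool is the application's real credential check.
    Returns 'locked', 'ok' or 'bad'; the lock is checked before verify() is ever called."""
    if throttle.is_locked(account):
        return 'locked'
    if verify(account, password):
        throttle.record_success(account)
        return 'ok'
    throttle.record_failure(account)
    return 'bad'


# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {'password', 'password1', '12345678', 'qwertyui', 'iloveyou', 'baseball'}


def password_problems(password, min_length=8, denylist=COMMON_PASSWORDS):
    """Return the list of reasons a proposed password should be rejected (empty if none)."""
    problems = []
    if len(password) < min_length:
        problems.append(f'shorter than {min_length} characters')
    if password.lower() in denylist:
        problems.append('on the common-password list')
    return problems


if __name__ == '__main__':
    throttle = LoginThrottle()
    check = lambda account, pw: pw == 'correct horse battery'  # stand-in verifier
    for guess in ['aaaaaaaa', 'aaaaaaab', 'aaaaaaac', 'password', 'Password1', 'correct horse battery']:
        print(guess, attempt_login(throttle, 'alice', guess, check))
    print(password_problems('Password1'))
```

The trade-off worth knowing about a per-account lockout is that anyone who knows the account name can lock the legitimate user out by sending five bad guesses, which is why it is usually paired with a delay that grows per attempt and with limits keyed on the source address as well as the account.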

JP Morgan "Hack"

Recently a number of mass media articles have started discussing a JP Morgan “hack” and alluded to 4 other companies that were also hacked. This story has the potential to be really interesting if more details emerge.

http://www.usatoday.com/story/money/business/2014/08/27/reports-jpmorgan-hack-attack/14706545/

http://blogs.wsj.com/cio/2014/08/28/the-morning-download-j-p-morgan-hack-strips-bank-of-sensitive-data/

http://money.cnn.com/2014/08/27/investing/jpmorgan-hack-russia-putin/

Right now all we know is that JP Morgan is admitting to having seen attacks (which is not uncommon) and that “some data” may have left. That isn’t a whole lot to go on. Data could be their company lunch menu, or details on customers and their financial history.

Interestingly enough, this story has yet to hit any of the security blogs I follow such as Krebs, Naked Security, Schneier, etc. For the time being, I’m classifying it as interesting news, but nothing actionable. Worth watching, but not worth panicking over.

I don’t know

Fair warning, this post is going to be very “professional developmenty”.

I’ve watched this scenario play out a number of times already in my relatively short career. A manager asks a question of an employee, and the response is, “I don’t know.” Followed by an awkward silence while the manager waits for more.

In technology no one knows everything. Even in a specific job function the most qualified, brilliant, senior employee will have to look something up or ask for help every once in a while. So while true, the right answer is very rarely (if not never) “I don’t know.”

In a lot of ways this is a strength of the "Google Generation". The Google Generation gracefully accepts that there are a lot of things they don't know. We don't know how old Michael Jordan is, we don't know who directed Space Jam, and we don't know how many servers are in the DMZ. But we know how to search the internet, or the environment, for the answer.

Here are some suggestions of responses you can use other than, “I don’t know.”

“What are you trying to accomplish?” – Maybe something you do know will help them.

“Are you looking at a problem?” – If it’s a non-technical person asking, they might not know what they really want to ask.

“When do you need to know by?” – If it’s not urgent, you can take some time to find the answer or find someone who can.

“Who wants to know?” – Give the question different priority if it’s someone important asking. (TIP: Don’t say this like a guy who is answering cops knocking on his front door.)

Humility in Cyber Security

I’m about to (attempt to) wax eloquent about the philosophy of cyber security, so this post will probably get real existential (and perhaps not terribly applicable). Credit to John Strand for bringing up some of these talks during a recent conference.

A common adage on the elementary school playground is, “There’s always someone out there bigger, stronger, and faster than you.”

If we swap “bigger” and “stronger” for “more clever” and “better typer” we have an incredibly true point for cyber security. No matter how smart you are, or how good you are at detecting attacks, there is going to be someone in China or Russia who knows more than you do. There will always be a zero day exploit someone can buy that you will never see coming. There will be the script kiddy in his basement who manages to find the one thing you forgot about.

This isn't to say we shouldn't try; quite to the contrary, we should try all the harder. But it should change the way that we think about our perimeter defenses. Your IDS, firewall, and AV aren't get-out-of-jail-free cards. You can't just play them like a wild card in Uno (the only card game I'm good at).

Rather you should think of them in context. When you’re designing your perimeter defenses, you should put effort into doing them correctly.
But then when you move on to designing your client based security (client side AV, client based IDS) you should assume that your adversary has effortlessly bypassed your network based IPS.

Then when you are working on your database security, you should assume your adversary has walked past your perimeter security and your client side security. You should assume that compromised devices are hitting your database server directly and design the security with that in mind.

Cyber security is a frustrating field because you never know for sure that you have done it well and correctly. You only (sometimes) find out that you have done it completely wrong.

Obviously this could turn into a black hole of time and money. Since you can never say, “We are now secure” you could always spend more money and time making things safer.

That’s really why God invented managers and gave them check books. Obviously security professionals have to keep some concept of budget in mind, but while they’re focusing primarily on making things more secure, managers are able to provide some perspective on what’s reasonable.

So in conclusion, assume everything you’re doing doesn’t work well. And then keep on doing it better.

Blackshades: What does it mean for you

A new cyber security story has hit the news this week: Blackshades. The FBI put out a notification about it, so it's likely to get some play in the media. But what is Blackshades and what does it mean for you?

What is it?

Blackshades is a RAT (Remote Access Trojan). If you've ever had a tech support technician or friend remote control your computer, this is the same idea, but without the positive intentions. It gives an attacker remote access to your computer and thus potentially access to the things you do with your computer, such as social media, web cam usage, files, and email.

Why should you care?

Do you remember the Miss Teen USA incident where a teenager was blackmailing Miss Teen USA with compromising photos? Those were taken with very similar technology. Having someone with remote access to your computer is always concerning. Especially if you tend to leave your social media logged in or do banking from your personal computer.

Who is at risk?

Blackshades is a little different than most of the cyber security news events we’ve seen lately. It’s not a terribly sophisticated attack, and it’s not really aimed at stealing c from companies. It’s more aimed at an interpersonal level, like the teenager who took pictures of Miss Teen USA.

Brian Krebs had a very interesting quote:

In short, Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag.

All of this means that Blackshades (and RATs in general) are more of a risk to individuals than they are to businesses. Since this is more of a risk to you than your credit card company, you should pay extra attention.

What should you do?

If you are a company, the best thing to do is to search your web proxy’s logs for any activity to the known Blackshades domains, which are available in the Flash Announcement. You should also check if any domains associated with your company are in there, just in case your infrastructure was used to spread the RAT.
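As an added example (mine, not from the original post) of the proxy-log search just described, the script below matches each requested host against an indicator list, treating a subdomain of a listed domain as a hit while refusing look-alikes that merely end in the same characters. It also reports which indicators fall under your own domains, which is the second check the post recommends. The indicator domains and the Squid-style `access.log` lines are constructed for the example; the real list comes from the FBI Flash announcement the post refers to, and `LOG_RE` assumes Squid's default native log format, so adapt it for other proxies.

```python
"""Search proxy logs for requests to listed domains (added example)."""
import re
from urllib.parse import urlsplit

# Constructed placeholders standing in for the published indicator list.
INDICATOR_DOMAINS = {'rat-c2.example', 'update-check.example'}

# Squid native access.log: timestamp elapsed client action/code bytes method URL user hierarchy type
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)')


def domain_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one (never a mere suffix match)."""
    host = host.lower().rstrip('.')
    return any(host == d or host.endswith('.' + d) for d in indicators)


def host_from_url(url):
    """CONNECT lines log host:port rather than a full URL."""
    if '://' not in url:
        return url.split(':', 1)[0]
    return urlsplit(url).hostname or ''


def scan_log(lines, indicators=INDICATOR_DOMAINS):
    """Return one record per request whose host is on the indicator list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        host = host_from_url(m.group('url'))
        if domain_matches(host, indicators):
            hits.append({'ts': m.group('ts'), 'client': m.group('client'),
                         'method': m.group('method'), 'host': host})
    return hits


def own_domains_listed(own_domains, indicators=INDICATOR_DOMAINS):
    """Indicators that sit under one of your own domains, i.e. infrastructure you should look at."""
    return sorted(d for d in indicators if domain_matches(d, own_domains))


# Constructed log lines: one clean request, two hits, and a look-alike domain.
SAMPLE_LOG = """\
1400000001.123    120 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1400000002.456     80 10.0.0.7 TCP_MISS/200 204 GET http://img.rat-c2.example/gate.php - DIRECT/203.0.113.9 text/plain
1400000003.789    300 10.0.0.9 TCP_TUNNEL/200 1024 CONNECT update-check.example:443 - DIRECT/203.0.113.10 -
1400000004.000     50 10.0.0.5 TCP_MISS/200 333 GET http://notrat-c2.example/ - DIRECT/198.51.100.2 text/html
""".splitlines()

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(own_domains_listed({'example'}))
```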

If you are an individual, there are a couple steps you should take.

  • If you are concerned, but don’t have time to check if your computer is infected take some precautionary steps like
    1. Cover up your webcam with a post it (prevents someone from taking pictures of you)
    2. Log out of any social media, email, or IM accounts (to prevent them being used to spread Blackshades)
    3. Don’t do any banking on your computer
    4. Backup any important files (school papers, financial documents, etc) to prevent them from being deleted or tampered with
    5. Leave your computer off if possible (an attacker can’t hurt what’s not turned on)
  • Generally good advice, never click on links that look suspicious (especially if they are from a boy between the ages of 13 and 24). Even if you trust the person that sent it to you, if it’s a link with no context or explanation, make sure they meant to send it before you click on it.

How long will our hearts bleed?

Here’s an interesting tidbit: Google shows you a lot of information about your posts and the traffic to them.

This is especially interesting because of this article. I first posted it a couple days after Heartbleed came to light when there was lots of attention and activity. But now, weeks later it’s still getting a decent amount of traffic. And it certainly isn’t the only article about scanning for Heartbleed with nmap (one of my favorites), so we can assume that those other posts are getting as much or more traffic.

Most of the major security vendors have released signatures for Heartbleed at this point, so most of the people searching for cheap ways to scan for Heartbleed are likely working at smaller companies that either don’t or can’t afford an expensive vulnerability scanner.

My point is that Heartbleed could continue to be an issue for a while. Probably not for larger companies, but smaller groups with fewer resources to throw at resolving it will probably continue to work on patching for some time.