Cyberweekly #46 - People & Security - forever intertwined

Sent on 2019-04-06

Michael has kindly let us guest edit Cyber Weekly this week (thanks Michael for inviting us along).

The theme we have chosen is 'People & Security'.

These two things are intertwined, sometimes when we least expect them to be. People are the greatest asset in security and as time goes on we're seeing excellent growth in user-centric security.

This week we gather together stories that show (for better or worse) 'people' and 'security' in the same conversation.

(Assuming he doesn't change all the passwords after reading this week's edition, we'll be back next week with more cyber stories that have fascinated us.)

Jon & Joel.

This World of Ours - James Mickens [PDF]
http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf

Wherein it is revealed that 1024-bit keys cannot prevent people from sending their credit card numbers to Nigerian princes. (I think that 1025-bit keys might solve the problem, but nobody listens to my common-sense advice.)

Wrapping up our theme on people and security, I don't think there's been a finer paper written about cyber security than this seminal work from James Mickens.

Any piece of cyber security guidance that includes the advice "Magical amulets? Fake your own death, move into a submarine? YOU’RE STILL GONNA BE MOSSAD’ED UPON" can only be the perfect end to this week's CyberWeekly.

Top 5 Ways The Red Team breached and assessed the Physical Environment
https://medium.com/@adam.toscher/top-5-ways-the-red-team-breached-and-assessed-the-physical-environment-fa567695b354

"We tailgate, skim and clone. We social engineer and deceive employee and CISO alike, to get onsite and hit our “Breach” Physical, or “Red Team” goal. In my years performing physical security assessments, these are some of the techniques my peers and I found successful."

This article collects a fantastic range of techniques used by red (offensive security) teams to get on premises and inside your trust boundaries. It's easy to dismiss some of these attacks as too esoteric, the sort of thing no one will ever bother with - but they're worth understanding. Protecting against them isn't trivial, of course: you could quickly end up with an environment that's unusable, and the temptation is to say 'more training and education' for staff and pass the buck.

Our view is that as defenders you need to learn about all types of attacks. Maybe you can't justify protecting against all of them all of the time, but there may well be places in your estate worthy of additional defence - and understanding these sorts of attacks helps with this.

$67 million (on top of last year's $92 million) for Australian digital identity
https://www.governmentnews.com.au/67-million-for-digital-identity/

The Digital Transformation Agency (DTA) is developing MyGovID, which will create a single digital identity that Australian citizens can use to access online government services through a single portal.

Under the system users will be required to take a photo and provide a mobile number and email address as well as details from a driver's licence, passport or Medicare card.

The government says the system will enable it to personalise and streamline services, but it has been trying to reassure critics who have raised concerns about privacy, security and potential misuse of the data.

Tying together people and security often leads to identity and assuring that identity - knowing (to your required level of assurance/confidence) that the person is who they say they are and when they say so.

In contrast to the UK's GOV.UK Verify, which uses a federated identity provider model, our Aussie friends down under are building a central identity database.

MyGovID has approximately 15 million user accounts, 3 pilot integrated services (8 in total forecasted by end of 2019) and has been going since 2013. Time will tell how the Australian public respond, where privacy concerns are raised and (touch wood not) the consequences of any breaches.

Identity is hard. Assuring identities is even harder. Privacy when building a central national database is even harder(er).

Computer virus alters cancer scan images - BBC News
https://www.bbc.co.uk/news/technology-47812475

The researchers, from Ben Gurion University's cyber-security centre, said the malware could also remove actual malignant growths from image files to prevent patients who are targets getting the care they need. [...] The researchers suggested the security flaws could be exploited to sow doubt about the health of government figures, sabotage research, commit insurance fraud or as part of a terrorist attack.

In the security research community nothing (NOTHING) is sacred, and researchers have once again shown that technology can be corrupted with potentially mortal consequences. People and security overlap often when they are least expected to.

'Basic hygiene' (commonly accepted truths for what minimum security or security practices should look like) remains elusive (patching, for example); however, this is another lesson that security (or at least measures to maintain integrity) belongs wherever technology does.

How to send forgot password link on email for reset in asp.net C# - Neeraj Code Solutions
https://www.neerajcodesolutions.com/2015/01/how-to-send-forgot-password-link-on.html

Troy Hunt (https://twitter.com/troyhunt) Hey, just thought I'd leave you some friendly feedback as there are a few rather serious security vulnerabilities here you might want to address

This is from 2015 but included as it is comically bad and so was somewhat amusing to read. Here the author is developing/promoting several bad practices, the worst being storing passwords in plaintext (a cardinal sin in 2019).

The answer here (as Troy has generously done) is to offer advice and education to ensure that software code (which underpins many aspects of human life, whether utility services or social media websites) is fundamentally well made through the humans that make it.

(but sometimes you can't help but chuckle)
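For contrast with the plaintext storage criticised above, here is an added example (not code from the article, nor from Troy Hunt's feedback) of the two pieces a forgot-password feature needs to get right: a salted, slow password hash so the database never holds the password itself, and a reset link whose token is random, stored only as a hash, time-limited and single-use. It is written in Python rather than the article's ASP.NET C#, and the user and token "tables" are in-memory dictionaries constructed for the example; the iteration count is an assumption to be tuned to current guidance.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; raise as hardware improves
RESET_TOKEN_TTL = 15 * 60     # a reset link stays valid for 15 minutes

# Constructed in-memory stand-ins for the users and reset-token tables.
USERS: Dict[str, str] = {}          # email -> stored password hash string
RESET_TOKENS: Dict[str, dict] = {}  # sha256(token) -> {"email": ..., "expires": ...}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hashed once at import so a login for an unknown email costs the same time as a real one.
DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def register(email: str, password: str) -> None:
    USERS[email] = hash_password(password)


def login(email: str, password: str) -> bool:
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # burn the same time, then refuse
        return False
    return verify_password(password, stored)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use reset token. Only its hash is stored; the raw token
    goes into the emailed link. Returns None for unknown accounts so the caller
    can show the same neutral message either way."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    current = now if now is not None else time.time()
    RESET_TOKENS[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
        "email": email,
        "expires": current + RESET_TOKEN_TTL,
    }
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token once, reject it if expired, then store the new hash."""
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    record = RESET_TOKENS.pop(key, None)  # pop: the token is spent even if it fails below
    if record is None:
        return False
    current = now if now is not None else time.time()
    if current > record["expires"]:
        return False
    USERS[record["email"]] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice@example.test", "correct horse battery staple")
    link_token = request_reset("alice@example.test")
    print("emailed link: https://example.test/reset?token=" + link_token)
    print("redeemed:", redeem_reset(link_token, "a new passphrase"))
    print("old password works:", login("alice@example.test", "correct horse battery staple"))
    print("new password works:", login("alice@example.test", "a new passphrase"))
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production it is simply left unset. Note that the raw token never touches the database, so a leaked token table gives an attacker nothing to put in a link.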

The latest dark web cyber-criminal trend: Selling children's personal data | ZDNet
https://www.zdnet.com/article/the-latest-dark-web-cyber-criminal-trend-selling-childrens-personal-data/

Demand for this data appears to be growing in dark markets, with a small group of sellers repeatedly emerging to offer data to customers at a cost of just $25 for data about a child. [...] One seller who regularly deals in this information re-emerged in January this year. They claim to have hacked into a paediatrician in the US, offering buyers information on children as young as four years old. [...] Cyber criminals will often take this information and use it to make fraudulent claims for child tax credit – especially if they also have data on the parents and can paint an accurate picture of a whole family.

Forging or stealing individual documents for single-use or briefly stealing an identity pales in comparison to the ability to cultivate and persistently control a legitimate identity where the true holder is entirely unaware so does not detect or report misuse.

Manipulating the identity of a child takes this one step further, allowing the fraudster to operate for potentially years undetected, until the child is of an age to use their own identity (opening bank accounts, voting and so on) or their parent/guardian makes efforts to protect their identity for them.

While identity monitoring/protection services are limited in capability and largely retrospective, they may be the best course of action for protecting your children's identity footprint before they are ready to use it.

The 737Max and Why Software Engineers Might Want to Pay Attention
https://link.medium.com/JMvsckQU3U

The 737Max’s Manoeuvring Characteristics Augmentation System (MCAS), in the default configuration, uses a single sensor as input to measure this critical metric. [...] What is different here is: the MCAS commands the trim in this condition WITHOUT notifying the pilots AND to override the input, the pilots must deactivate the system via a switch on a console, NOT by retrimming the aircraft via the yoke, which is a more common way to manage the airplane’s trim.

The differences between the 737Max and earlier aircraft (mainly the larger engines strapped on) required engineers to fundamentally change aircraft handling, some of it 'for safety'. But when those changes were implemented in software, the system acted without notification and required an atypical override that pilots were neither instructed in nor informed of, with tragic consequences.

The 737Max incidents - and following media coverage, financial pressures (share prices) and so on - are likely exerting significant pressure on engineers and software developers and there are important lessons to be learnt about documentation, testing, feedback loops (in this case, in software/hardware but also to pilots), vendor transparency and commercialising safety.

Frank Abagnale - FedTalks 2013 - YouTube
https://www.youtube.com/watch?v=iJIc16aqpO8

"Catch Me if You Can: A Lesson in Security and Identity Management" - Frank Abagnale

Have you seen "Catch Me if You Can" (2002) with Leonardo DiCaprio and Tom Hanks? This is who it is based on (also a book).

Frank's keynote is an interesting insight into his exploits, psychological manipulation of people (etc) and fits well with this week's theme.

“...no one can hack my mind”: Comparing Expert and Non-Expert Security Practices [pdf]
https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf

Non-expert participants reported being reluctant to promptly install software updates [...] password managers were regarded with skepticism [...] one participant said, “no one can hack my mind.”

More work has to be done on improving [...] security practices [...] by non-experts.

[...] some promising security advice emerges: (1) install software update, (2) use a password manager, and (3) use two-factor authentication for online accounts

A study has shocked (SHOCKED) the cyber security community by discovering that cyber security experts value cyber security things more than non-cyber security people ( yes, sarcasm :-) )

The study describes (among many things) 'non-experts' as being sceptical over applying updates because updates change/break functionality and the value of a password manager is unclear.

We have a long way to go to truly embed cyber security within hearts, minds, services and products but it is a mountain that must be climbed.

(to the subject who said "no one can hack my mind", to you I say "not yet... but unfortunately phishing exists, and it is very good at convincing you to volunteer what you know")

Cyber attack on Hydro Magnor - YouTube
https://www.youtube.com/watch?v=S-ZlVuM0we0&feature=youtu.be

Meet our heroes: Hydro became victim of an extensive cyber-attack in the early hours of Tuesday, March 19 2019, impacting operations in several of the company's business areas.

The Magnor extrusion plant in Norway was one of the 160 Hydro sites hit by the cyber attack. Meet the heroes who stepped up when it mattered the most.

Being the victim of a cyber attack is not something that anyone seeks out. A lot of the time when things do go wrong, there's a feeling that as the victim organisation, you've failed and will be blamed for the attack. Maybe you missed a patch, maybe you delayed an upgrade, maybe you simply lost track of a system deep in your network, that ultimately was the source of the problem. No one likes admitting fallibility, and so there's an understandable reluctance to share details of what happened.

Full credit to Norsk Hydro, the Norwegian aluminium producer, who suffered a ransomware attack recently, for releasing this video so soon after the problem about how they responded. And double credit to them for their focus on their people, and how they reacted, banded together and helped get things running again.

For Everyone - PagerDuty Security Training
https://sudo.pagerduty.com/for_everyone/

This is an open-source version of "Security Training for Everyone", PagerDuty's internal employee security training, given to all PagerDuty employees as part of our annual security training program.

This is a fantastic example of security training done well - balancing humour, technical messaging and key messages in a consumable format.
