Crimson Blog

Security Bytes - Issue 10

Written by Jim Tiller | Sep 30, 2022 9:04:18 AM

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

Three short stories for you this week. Of course, there’s always a lot going on, but I try to focus on stories that keep you thinking. A short version of other news… google: Montenegro attack, Chile attack, FTC and Machine Learning, Instagram hack, Ragnar Locker airlines, TikTok one-click takeover, Russian data leak exposes 44 million records, and Turkish malware found in 11 countries via Google Translate. Whew… and that’s just this week’s top of the pile. Cybersecurity is needed more now than ever.

This week we have another example of how something as simple as email has become the Achilles’ heel of cybersecurity; having source code stolen can have repercussions way down the line, so we’ll see what happens with LastPass; and finally, now that multi-factor authentication is starting to be broadly practiced, SMS text messaging proves that we still have a long way to go.

--------------------

Email is Big Money

Honestly, as I write this I’m not buying that it is a sophisticated cyber-attack, as portrayed. Essentially, it’s a type of attack that occurs far more often than one would imagine and is getting much worse. In fact, an FBI report from earlier this year highlighted more than $43 billion in losses reported to the Internet Crime Complaint Center (IC3) between 2016 and 2021 due to Business Email Compromise (BEC) attacks.

In this case, the State of Kentucky performed three wire transfers to what they thought was a non-profit community action council, adding up to $4 million. However, because attackers were able to infiltrate the email between the government and the non-profit, they were able to manipulate the transfer and send the money to their own accounts - $4m gone. Let’s pause for a moment and reflect on the fact that $4 million can be transferred based on an email exchange. When you start to broaden your view, you realize just how crazy that sounds. And then you realize just how big a role email plays in the movement of funds. Email is almost always the ultimate fallback position. We use it as confirmation of who you are and to perform all kinds of tasks… reset passwords, approve transactions, validate MFA/2FA authentication, and confirm procedures.

This isn’t James Bond level hacking… in fact, a lot of what you read about isn’t. It’s actually basic crime using weaknesses in the system. And not necessarily technical weaknesses, but rather the inherent weakness in the use of email as if it were a perfect form of verification. Add that to the near uselessness of passwords and you realize how fragile the underlying framework is. Nevertheless, in this case a simple out-of-band verification would have saved millions in losses and the expense of the ensuing investigation.

Links:

FBI report: https://www.ic3.gov/Media/Y2022/PSA220504

State of KY article: https://www.cnn.com/2022/08/29/politics/kentucky-4-million-cyber-theft/index.html

Article on BEC: https://therecord.media/fbi-business-email-compromise-attacks-led-to-more-than-43-billion-in-losses-since-2016/


You're Okay (But Maybe Not)

In a letter from LastPass, a very popular and successful cloud-based password manager, the CEO reported a security breach. In the letter and the included FAQ for readers and subscribers, it was made clear that no private information, such as master passwords and password vaults, was stolen. The letter goes on to explain they’ve deployed containment and mitigation measures and are looking into how to strengthen their environment.

However, they included that the attacker “took portions of the source code and some proprietary LastPass technical information.” If an attacker has some source code, it’s fairly certain they can find exploitable weaknesses. Depending on the type of code and how much was taken, it’s quite possible for attackers to develop exploits to potentially obtain such things as master keys and password vaults. But this time they may not be detected.

Granted, this is complete speculation. However, historically the exposure of source code is not trivial and can lead to a plethora of downstream issues, especially in cases where credentials are exposed. In 2020 it was reported that 42.9 GB of Microsoft source code was leaked, containing data on all operating systems developed between 1987 and 2001. And back in 2017 the source code for Windows 95 was taken, leading many to surmise that a great number of sophisticated attacks were made possible by deeply entrenched weaknesses in the operating system software, weaknesses which could only have been discovered by looking at the source code and which made it trivial to hack.

Links:

Lastpass notice: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

Article: https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen

MS 2020 Source code leak: https://www.theregister.com/2020/09/25/windowsxp_source_code_leak/


Smishing Two-Factor

I’m on record, certainly as far back as the early 2000s, of heavily promoting multi-factor authentication (MFA), with emphasis on RSA fobs. Moreover, I’ve promoted MFA in any form to improve security. And finally, I’ve said on many occasions that using SMS text messaging for MFA, while not perfect, is better than nothing at all. Ok… I’m here to eat that last part. SMS text messaging is not good for a plethora of security and privacy reasons, so using it as part of an authentication protocol directly undermines said protocol.

But it's actually worse than that, because at the heart of the problem is that attackers can interact directly with individuals in a way they’re used to and comfortable with. Take, for example, an article pointing out that predictable MFA processes will send a user a text message with a link as part of the authentication process; in the attack, the link instead points to a phishing page that looks just like their normal login provider. When the user puts in their credentials and the MFA one-time password (OTP), it is sent in real time to the attacker, allowing them to log in as you.

In short, this is a problem for a couple of reasons. First, we have to recognize we can inadvertently create training scars or “grooves” in the user community with seemingly easy processes to improve security. In other words, when people are presented with something that looks familiar it falls into a known path and therefore the person responds in a predictable way; and predictability is like candy to a threat actor.

Second, mobile devices are very personal items. They are with us every minute of every day and are a source of comfort, connection, and entertainment. Don’t believe me…? Turn your phone off for 24 hours. There is an implied trust, but also an implied pattern. Meaning that a phone is a personal device and is used in a personal way, as opposed to being used in a manner that benefits an employer or some organization. An example of this is MFA flooding… where an attacker attempts to log in at a time that they know is annoying for the real user, such as 3am. After a few notifications waking the user up, they just approve the login to get the phone to shut up, like they would an annoying group text message.
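As an added example (not part of this newsletter), here is a small Python detector for the MFA flooding pattern just described, run over constructed push-notification log lines: a burst of denied or expired pushes for one user that ends in an approval, with off-hours approvals flagged separately. The log format, field names and thresholds are assumptions.

```python
# Added example, not from the article: flag MFA push flooding in auth logs.
# Log format is assumed: "<ISO timestamp> user=<name> push=<result>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is worn down at 3am; bob is normal daytime use.
SAMPLE_LOG = """\
2022-09-20T03:02:11 user=alice push=denied
2022-09-20T03:03:40 user=alice push=timeout
2022-09-20T03:05:02 user=alice push=denied
2022-09-20T03:06:30 user=alice push=timeout
2022-09-20T03:08:15 user=alice push=approved
2022-09-20T09:15:00 user=bob push=approved
2022-09-20T09:20:00 user=bob push=denied
2022-09-20T09:21:00 user=bob push=approved
"""

def parse(log):
    """Turn log lines into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, push = line.split()
        events.append((datetime.fromisoformat(ts),
                       user.split("=", 1)[1], push.split("=", 1)[1]))
    return events

def detect_flooding(log, min_failures=3, window=timedelta(minutes=15),
                    off_hours=(0, 6)):
    """Return {user: details} for every approval that was preceded by at least
    min_failures unapproved pushes inside `window` (assumed thresholds)."""
    by_user = defaultdict(list)
    for ts, user, result in parse(log):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evts in by_user.items():
        evts.sort()  # logs are not guaranteed to arrive in order
        for i, (ts, result) in enumerate(evts):
            if result != "approved":
                continue
            prior = [t for t, r in evts[:i]
                     if r != "approved" and ts - t <= window]
            if len(prior) >= min_failures:
                alerts[user] = {"approved_at": ts.isoformat(),
                                "unapproved_before": len(prior),
                                "off_hours": off_hours[0] <= ts.hour < off_hours[1]}
    return alerts

if __name__ == "__main__":
    print(detect_flooding(SAMPLE_LOG))
```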

What can we learn from this? MFA and two-factor authentication (2FA) solutions are leaps and bounds better than passwords – full stop. But, as we’ve seen with every evolution in security adoption, the bad guys are quick to figure out a way to attack the protocol… people, process, and/or technology. Granted, smishing (SMS phishing) is fundamentally just a phishing attack and is analogous to email phishing, social phishing, voice phishing, etc., but I think most people are expecting phishing in these other domains, whereas not so much in text messaging, especially when the message effectively mimics what you’re expecting. And one last point on why smishing is “special”… the amount of information available to judge the authenticity of the message is virtually nil. At least with email phishing there is usually context, such as phraseology, format, and other characteristics that can lead to initial detection. But with a text message… you get a handful of words and a link, all of which can easily copy legitimate and expected messages.

Links:

Article by Brian Krebs – a must read: https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/