
ArmorText: Tech Articles Worth Reading – 06/24/16

General

Where to start?! With “Brexit”, another Slack hack scandal, and more fallout from the LinkedIn breach there’s a lot of news to cover this week. Let’s jump right in!

Falling Flat on Security

Teachers insulted students in private Slack chats. After a hack, they resigned in disgrace.

  • Here’s the full article.
  • Slack conversations between the teachers at the Rhode Island school were filled with expletives
  • The private messages, which are under investigation, became much more public earlier this week
  • Allegedly, comments were shared school-wide via Google Docs
  • Key Quote: “It’s just damaging to think that the people that are encouraging you are just behind your back saying, ‘She can’t do it, she’s such a dumb [expletive],’” Deighan told the newspaper. “I was building confidence, slowly and surely, but now they’ve wrecked that with a few messages.”
  • Key Takeaway: This incident underscores the importance of a strong security foundation and oversight capability within any workplace chat tool.

ArmorText: Tech Articles Worth Reading – 06/17/16

General

For the week’s tech news we look at the recent House action on encryption, another massive data breach, and the DNC hack. Let’s get to it.

Falling Flat on Security

There Has Been Another Mega Hack – This One Affecting 45 Million Accounts From 1,000 Websites

  • Here’s the full article.
  • Actually, more than 1,100 websites operated by VerticalScope have been affected by the hack
  • LeakedSource first reported the breach which impacted sites like Motorcycle.com and AutoGuide.com
  • Passwords were encrypted, but sadly very weak encryption was used for the majority of them
  • LeakedSource was able to crack the encryption – likely others have as well
  • Notable Social Media accounts hacked: Mark Zuckerberg & rapper Drake
  • Key Quote: “That is because the majority of people, despite what security experts advise, reuse passwords across multiple websites and platforms. This means that if one service is compromised, hackers can try to use the exposed login information on other platforms.”

ArmorText: Tech Articles Worth Reading – 06/10/16

General

We’re back! Here’s the week’s tech news you should be reading – summed up. We look at how even multi-factor authentication isn’t enough to stop a motivated hacker, learn of yet another way your own smartphone can be turned against you, and finally we remember a legendary figure in Silicon Valley history. Read on!

Falling Flat on Security

@Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough

  • Here’s the full article.
  • There have been a rash of recent Twitter account hacks
  • Most have been due to poor password hygiene
  • Two notable incidents occurred even with 2-factor in place and strong passwords
  • The FTC’s top technologist Lorrie Cranor, along with BLM figure Deray McKesson suffered the hacks
  • Attackers were able to somehow replace the SIM information on their wireless accounts
  • This allowed the 2-factor verification codes to be intercepted
  • Key Quote: “Right now, the best way to safeguard against the kind of account hijacking McKesson and Cranor experienced is to set up a secondary code on your mobile account.”

ArmorText: Tech Articles Worth Reading – 05/20/16

General, Security

Bad guys turning a new leaf, federal security execs doing nothing after witnessing OPM’s breach, anti-virus that makes you less safe…what’s going on here?


Turning a new leaf…

Makers of uncrackable ransomware hand over the key

  • Here’s the full article.
  • For months the latest version of the Teslacrypt ransomware has been wreaking havoc
  • While the first generation Teslacrypt used symmetric encryption, the second leveraged asymmetric encryption making it impossible for people to recover their files without paying Teslacrypt’s makers
  • The third generation was only discovered in January, but has already been shut down
  • Even more perplexing, when asked by security researchers at ESET, Teslacrypt’s makers handed over their master decryption key
  • Within days ESET released a free fix for all those affected by Teslacrypt
  • Key Quote: “There’s also the question as to why TeslaCrypt’s developers were so willing to hand over the keys, but let’s hope that they decided to do the right thing. The alternative is just too horrible to contemplate.”


ArmorText: Tech Articles Worth Reading – 05/13/16

General, Security, Usability

Tech news worth reading – Friday the 13th edition! Hey – the sun came out today so perhaps we should rethink this whole superstition thing… Read on for our tech news of the week!

This week we look at the latest fallout from everyone’s favorite workplace chat/distraction platform, WhatsApp’s “end-to-end” encryption claims (including an SS7 related vulnerability with platforms like theirs). We also check out the FTC & FCC’s newfound interest in mobile security, and we learn that CIOs are finally insisting that the enterprise take mobile security seriously. Let’s get to it!

Falling Flat on Security…

Why We Can’t Have Nice Things: Slack Leads to Federal Data Breach

  • Here’s the full article.
  • 18F, a subset of GSA, has been using Slack to share documents and other sensitive information.
  • Security vulnerabilities within Slack may have exposed more than 100 Google Drive accounts for nearly half a year.
  • Employees at 18F were required to use Slack, even though it had not been given GSA IT approval.
  • 18F was leveraging OAuth 2.0 to connect Slack with GSA’s Google Drive accounts, which may have led to the breach.
  • In response to the breach GSA is recommending a halt to Slack use.
  • Key Quote: “All the great ideas 18F comes up with won’t be worth much if the data is not actually safe.”

3 Potential Holes in WhatsApp’s End-to-End Encryption

  • Here’s the full article.
  • It’s been about a month since WhatsApp announced it was rolling out E2E to its 1 billion users.
  • The announcement reignited the debate between personal privacy and national security.
  • While the content of messages is encrypted, your metadata is still visible to WhatsApp – which includes phone numbers, timestamps, etc. This is some pretty useful data to a hacker (or government).
  • How does Facebook feel about being shut out of 1 billion users’ messaging data?
  • How will providing E2E affect WhatsApp’s plans to enable businesses to communicate directly with their customers on the platform? (their only viable path to real revenue)
  • Key Quote: “Whatever happens next, there is no denying that what WhatsApp did is not only a huge step forward for online privacy, but a much needed challenge for every tech company out there.”

SS7 MITM Attack Against WhatsApp and Telegram

  • Here’s the full article.
  • While the headline indicates a MITM vulnerability, this is really more of an account spoof made possible by loopholes in the SS7 Protocol.
  • The SS7 protocol is a standard developed in 1975 that allows different mobile operators to interconnect their networks.
  • Recently, the protocol was subjected to public criticism after a CBS researcher, with the help of a German security firm, used SS7 weaknesses to track and spy on a US elected official.
  • Researchers, using their Linux laptop, were able to spoof a mobile network node and intercept the initial phase of a chat between two users of an encrypted app.
  • Researchers didn’t bother to break the app’s encryption, but simply impersonated the second person in the encrypted communication channel.
  • Key Quote: “Their demonstration proved that surveillance agencies don’t necessarily need to crack encryption to spy on users, and can very well use the existing mobile networking infrastructure to carry out such operations. The attack is not tailored for WhatsApp or Telegram, and can be used for other apps such as Facebook Messenger or Viber, just to name a few.”

Regulators on the move…

FTC, FCC launch inquiry into how companies distribute security fixes to mobile devices

  • Here’s the full article.
  • According to the inquiry, regulators are concerned with how long it takes security fixes to reach consumers.
  • Both agencies have sent letters to carriers and device manufacturers asking how they screen and release security updates for mobile devices.
  • Companies were asked to list all devices offered for sale in the U.S. since August 2013, any security flaws associated with them, and if fixes have been distributed to users.
  • The inquiry specifically mentioned Stagefright, an Android bug discovered last year.
  • Key Quote: “Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered.”

The Enterprise Perspective…

CIOs have spoken: Prioritize mobile security in the enterprise

  • Here’s the full article.
  • Despite the rise in mobility, cyber risk remains a chief concern for CIOs and IT leaders.
  • The use of leaky apps that lack enterprise-grade security features remains a top threat facing the enterprise.
  • According to a recent Global C-suite Study, CIOs expect mobile to continue to be a top area of growth over the next three to five years.
  • The same study revealed that “CIOs worry greatly about IT security” and “are clearly frustrated by those who don’t appreciate the danger.”
  • Key Quote: “Employees expect mobile apps to be intuitive and easy to use. They want exceptional experiences that let them work in a more productive and collaborative manner. Their demands are incredibly high. However, CIOs know that employee expectations must be balanced with the imperative to ensure the security of enterprise data. The IT experts have spoken, and mobile enterprises would do well to heed their advice.”

ArmorText: Tech Articles Worth Reading – 05/06/16

General

In this week’s tech news we take to the skies to look at cybersecurity in the air, IBM’s invitation to “quantum computing”, and we’ll touch on WhatsApp’s struggles south of the equator. Hope you enjoy!

Falling Flat on Security (in the sky…)

[Image: airplane illustration] How secure is your flight? Illustration: FreePik

Hacking Airplanes

  • Here’s the full article.
  • In-flight entertainment systems have been a consistent point of weakness
  • One attacker was actually able to redirect a flight briefly by hacking the IFE system
  • New legislation would allow the FAA to establish cybersecurity standards that airlines would be forced to comply with
  • Air Traffic Control is another area of focus – this has been a topic of concern since 2008
  • Key Quote from Sen. Ed Markey on his pending legislation: “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”


ArmorText: Tech Articles Worth Reading – 04/29/16

General, Security, Usability

In this week’s tech news roundup we take a look at the not-so-user-friendly approach some popular consumer apps have taken to end-to-end encryption, something lawmakers finally seem to agree on, and yet another security stumble over at Slack. Enjoy this week’s entry!

Falling Flat on Security…


Slack bot developers were unwittingly leaking sensitive corporate data

  • Here’s the full article.
  • Security company Detectify was first to discover the problem
  • Data exposed includes chat logs, direct messages, and passwords
  • Affected businesses include a major auditing firm, payments companies, a global advertising agency, and healthcare providers
  • Data was exposed due to developers failing to secure tokens used to develop apps like chat bots on the Slack platform.
  • Researchers at Detectify did a simple search on GitHub for tokens containing the Slack token prefix and found over 1500
  • Slack gives tokens a relatively high default level of access, meaning that developers probably didn’t realize just how much data could be extracted from their malicious use.
  • Key Quote: “Outsiders can easily gain access to internal chat conversations, shared files, direct messages and even passwords to other services if these have been shared on Slack”
  • Key Quote: “If you create a small funny bot, you don’t expect that someone can then scrape your credentials and use them to hack your accounts. It’s an awareness problem”
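The Detectify finding above came down to developers committing Slack tokens into public repositories. The defensive counterpart is to scan for token-shaped strings before code leaves the developer’s machine. The following is an added example, not code from Detectify, Slack or ArmorText. It assumes the Slack token prefixes xoxb-/xoxp- (the digit-group layout and tail length used in the pattern are an assumption for this example, not Slack’s specification), and the sample files it scans are constructed here for illustration.

```python
"""Pre-commit style scan for Slack-shaped tokens and other quoted secrets (added example)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, kind, redacted value)

# Slack user/bot tokens start with "xoxp-" / "xoxb-". The digit-group layout and the
# alphanumeric tail used here are an assumption for this example, not Slack's spec.
SLACK_TOKEN_RE = re.compile(r"\bxox[abp]-\d+-\d+(?:-\d+)?-[A-Za-z0-9]{10,}\b")

# Fallback: a secret-looking name assigned a quoted string of 32+ base64-ish characters.
GENERIC_SECRET_RE = re.compile(
    r"(?i)(?:token|secret|api[_-]?key|password)\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{32,})['\"]"
)


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file without re-leaking it."""
    return f"{value[:8]}...{value[-4:]}" if len(value) > 12 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per token-like string, with line numbers for the report."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        slack_hits = SLACK_TOKEN_RE.findall(line)
        for tok in slack_hits:
            findings.append((path, lineno, "slack-token", redact(tok)))
        if slack_hits:
            continue  # already reported; don't double-count it as a generic secret
        for m in GENERIC_SECRET_RE.finditer(line):
            findings.append((path, lineno, "generic-secret", redact(m.group(1))))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (what a pre-commit hook would stage)."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def commit_allowed(files: Dict[str, str]) -> bool:
    """The gate: block the commit if anything secret-shaped is present."""
    return not scan_repo(files)


# Constructed sample repository; the token and password values are not real credentials.
CONSTRUCTED_FILES = {
    "bot/config.py": (
        "# constructed sample, not a real credential\n"
        'SLACK_TOKEN = "xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrSt"\n'
        'CHANNEL = "#general"\n'
    ),
    "bot/main.py": (
        "import os\n"
        'token = os.environ["SLACK_TOKEN"]  # read from the environment: nothing to flag\n'
    ),
    "deploy/settings.yaml": (
        "database:\n"
        '  password: "Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFy"\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, kind, shown in scan_repo(CONSTRUCTED_FILES):
        print(f"{path}:{lineno}: {kind}: {shown}")
    print("commit allowed:", commit_allowed(CONSTRUCTED_FILES))
```

The scanner reports a redacted form of each hit so the report itself does not become a second copy of the credential, and the environment-variable read in the second file shows the pattern that passes: the token lives outside the repository. Wiring `commit_allowed` into a pre-commit hook or a CI step is what turns this from a one-off audit into the awareness control the quoted researcher is asking for.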


ArmorText: Tech Articles Worth Reading – 04/22/16

General

This week’s roundup of tech news covers a broad range of topics to send you into the weekend. We look at a bank that suffered a hack (to the tune of $80M) due to some cheap hardware, see how easily hackable cellphones are, and look at a market sector you might not suspect to be a target for cyber criminals – but is. Hope you enjoy!

Falling Flat on Security

Banking Woes in Bangladesh

  • Here’s the full article.
  • The Bangladesh Central Bank had NO firewall
  • They were using cheap, second-hand switches
  • Switches were apparently purchased for as little as $10
  • This made it easier for hackers to break in and use the BCB’s SWIFT credentials
  • Hackers have made off with about $81M and remain at large
  • Key Quote: “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions,” said Jeff Wichman, a consultant with cyber firm Optiv.

Raising Awareness

[Image: cell phone in hand] Is it really safe to make that phone call? Probably not.

Hacking Your Phone

  • Here’s the full article.
  • With just your phone number a hacker could potentially track your movements, read your texts, learn where you work, and even who you socialize with IRL
  • A global signaling system called SS7 enables these kinds of breaches
  • Key Quote: “With social engineering, you can’t really fix the human element. Humans are gullible. They install malicious applications. They give up their passwords every day. And it’s really hard to fix that human element.”
  • Key Quote: “…the SS7 flaw is a significant risk mostly to political leaders and business executives whose private communications could be of high value to hackers. The ability to intercept cellphone calls through the SS7 network is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged.”

The Private Sector

Cyber Criminals Target Wisconsin Manufacturers For Secrets

  • Here’s the full article.
  • Increasingly, manufacturers face cyber security risks, including the loss of confidential data and trade secrets worth millions of dollars
  • Only 33% of the manufacturers surveyed did annual computer network penetration tests
  • Some business owners believe their company is too small to be the target of a cyber attack, but the offenders don’t necessarily see it that way.
  • Key Quote: “If we have done our homework, it’s pretty typical for us to gain access quickly, especially if a company hasn’t had this type of testing before,” said Lutgen with Sikich.

ArmorText: Tech Articles Worth Reading – 04/15/16

General, Security

Confirmed: the Canadians have had a master key to Blackberry Conversations since 2010, Filipino biometrics may have been permanently compromised, Senators Feinstein & Burr have proposed outlawing encryption, and your shortened URLs may be leaking your company’s IP, financials, and more…

Enjoy!

Falling Flat on Security


Researchers crack Microsoft and Google’s shortened URLs to spy on people (Wired)

  • Here’s the full article. (Bonus reading from Freedom to Tinker here)
  • While shortened URLs are convenient and aesthetically pleasing, it turns out they can also create privacy issues
  • Researchers at Cornell Tech demonstrated brute-forcing shortened URLs as an effective way to uncover private documents
  • Particularly for Microsoft OneDrive & Google Maps, shortened URLs were limited to 6 characters
  • This meant scripts could be developed to generate all possible combinations and catalogue what was found at each
  • After generating 71 million links, 24,000 were found to be live links to files and folders
  • On finding live links, simple tweaks to the URL could be made to uncover additional files/folders from the same user
  • Given that 7% of links led to editable content, data could be altered or malware inserted
  • Key quote: “…online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities.”
  • Key quote: “They think they’re sharing a document with a collaborator. But if you’re sharing a six character shortened URL, you’re sharing it with the whole world.”
  • ArmorText Note: Similar issues occur in many enterprise collaboration products that leverage public URLs for all posted files. These links can often be accessed by anyone with knowledge of the link without any passwords, certificates, or other authentication. In some cases these links were also shortened, making them vulnerable to brute force attacks. In either case, CIOs should be aware of how their enterprise collaboration apps store and maintain attachments that could contain company financials, IP, M&A strategies and more.


ArmorText: Tech Articles Worth Reading – 04/08/16

General

When it comes to security & privacy, do you feel like you have super powers? You’re not alone. In this week’s roundup of articles worth reading we take a look at consumers who don’t think they’ll get hacked & improvements to messaging & chat security that are making their way into consumer focused apps.

Enjoy!

Falling Flat on Security

[Image: security padlock and super hero couple; graphics designed by Freepik] Don’t be these two. Protect your data before there’s a breach.

Denial Syndrome: Consumers don’t think they’ll get hacked (CSO Online)

  • http://www.csoonline.com/article/3050403/security/denial-syndrome-consumers-don-t-think-they-ll-get-hacked.html
  • When it comes to privacy & security, consumer behavior & actions often don’t match their words
  • In a recent survey of 2,000 consumers, 67% indicated they wanted greater privacy
  • But, actual use of privacy enhancing browser plugins, 2FA, and VPNs was in the low teens, with encryption for email coming in at 9%
  • While UX issues and impediments certainly play a role in this, humans also have a tendency to believe they’re less vulnerable than others around them
  • Worse still, taking steps to improve security can also lead to increases in risky behavior
  • Consumers may also be suffering from breach-fatigue, asking themselves “why bother?” after a series of breaches they were powerless to prevent
  • Ultimately, technology solutions need to deliver stronger security without introducing UX friction (or at least as much as they do today)
  • Key quote: “Indeed, in 1883, Dutch cryptographer Auguste Kerckhoff wrote that in order for a military cryptographic system to work, it would have to be, ‘… easy to use and must neither require stress of mind, nor the knowledge of a long series of rules …’”
  • ArmorText Note: We absolutely agree that improving security while reducing UX friction is one of the key security struggles of our era. While consumers have been benefiting from a series of improvements in end-to-end encrypted messaging, enterprises are still left scratching their heads as to why their providers can often see, read, mine, and otherwise expose their information. [insert link to GC blog posts]
