Thursday, June 18, 2015

Stranger than fiction: the week's security news

I love science fiction. I enjoy sarcastic fictional news such as "The Onion." I even enjoy watching CSI:Cyber despite its far-fetched depiction of security. But when reality exceeds even the wildest imaginable fictional scenarios, wow. The US government outsourcing administration of sensitive databases to China; professional sports teams hacking one another; security tools themselves turning into risks; and a ruling that websites may be held liable for things that anonymous readers have to say? I can't make this stuff up. Some highlights from this week's news:

OPM Hack

The US Office of Personnel Management seems to be the "hack that keeps on giving." The organization has been in the news several times over the past few years for network breaches, but the news of the past few weeks takes the cake. OPM is essentially Human Resources for the US federal government. They manage personnel records, including the background investigations that are part of the security clearance process for working on sensitive government projects.

On June 4, OPM released a statement confirming a breach that may have affected 4 million current and former federal employees. A week later, it was widely reported that a second breach exposed information related to the extremely thorough background investigations conducted on current, former, and prospective government employees. Then on June 16, testimony during a congressional hearing revealed that administration of OPM databases and servers had been outsourced to contract employees, some of whom reside in Argentina and the People's Republic of China.

I can't make this stuff up.

The organization that maintains personnel and thorough background investigation records for current, former, and prospective employees, as well as others that have sought federal security clearance, outsourced administration of that data to China.

Brian Krebs has an excellent timeline of possibly-related investigations going back a few years.

Cardinals hack Astros

Professional sports have long been a cutthroat industry. The FBI is said to be investigating Major League Baseball's St. Louis Cardinals for breaking into a proprietary database on the Houston Astros' network. The database contained confidential data on players, presumably used in planning draft picks, trades, and other player actions. As the story unfolds, it appears a former executive for the Cardinals was hired by the Astros, and certain individuals from the Cardinals' front office used passwords this executive had previously used, to break into the database at his new employer.

Even harder to believe is an ESPN story suggesting that breaking into a rival's database is not necessarily a crime. A legal analyst for ESPN writes that a prosecutor must show that the information accessed was "the product of significant effort" and not publicly available, and that "the Cardinals executives knew they were committing a crime." I'm all for some sanity when it comes to defining appropriate versus inappropriate computing behavior, but that's about the most insane interpretation of the CFAA I have ever heard.

Pwn a Samsung phone via the keyboard app

Samsung mobile devices include a customized version of the "Swift Keyboard," which among other things powers the word prediction function on those phones. Like many programs, Swift periodically checks for and installs updates. Unlike many programs, Swift runs as "system" and thus has very high privileges on the phone. Worse, the program does not properly verify that an update is genuine before installing, and so can be tricked into installing a fake, malicious update. Essentially, if an attacker can control the network to which Swift connects (for instance, if you connect to an untrusted Wi-Fi network in a coffee shop), they can deliver an update that takes control of the phone.

This is precisely the same sort of flaw as I discovered and documented in certain small office / home office routers last year: the router checked for updates but did not verify that the updates were genuine, thus an attacker could supply their own malicious firmware update. In that case I worked with the manufacturer to ensure newer firmware properly checks that any updates are genuine.
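What "properly checks that any updates are genuine" looks like in code, as an added example that is neither Samsung's, SwiftKey's, nor the router vendor's own implementation: the device pins the vendor's Ed25519 public key, verifies a detached signature over the version number and payload before installing anything, and refuses downgrades. The key pair, version numbers and payload are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the device downloads: payload plus the vendor's detached signature.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// message binds the version number to the payload so an old, validly signed
// update cannot be replayed under a newer version number.
func message(version uint32, payload []byte) []byte {
	m := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(m, payload...)
}

// SignUpdate is the vendor-side step; the private key lives on the build
// server and is never shipped to the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Signature: ed25519.Sign(priv, message(version, payload))}
}

// VerifyUpdate is the device-side check the keyboard app skipped: accept
// only updates signed by the pinned vendor key, and never a downgrade.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, message(u.Version, u.Payload), u.Signature) {
		return errors.New("signature does not match the pinned vendor key")
	}
	if u.Version <= installed {
		return errors.New("refusing downgrade or replay of an already-installed version")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	good := SignUpdate(priv, 2, []byte("constructed update payload v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))
	tampered := good // what a network attacker would swap in
	tampered.Payload = append([]byte("modified "), good.Payload...)
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, tampered))
}
```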

Unfortunately, in this case there is no easy solution. The Android phone market is fragmented and very much dependent on each telephone carrier to provide over the air updates for their respective devices. While Google says newer devices that have upgraded to Android 5.0 ("Lollipop") should be protected, there are many millions of devices old enough that the cell phone carriers simply are not making updates available. For those devices, the only real solution is to not use them on an untrusted network.

Update: Samsung says that they will push a security policy update for newer phones (Galaxy S4 and newer - anything that includes their KNOX security platform) to mitigate the SwiftKey vulnerability. This is very good news for owners of relatively recent devices.

Security tool LastPass popped

Like many security professionals, I recommend using a password manager - a program that stores passwords for online sites, making it practical to use unique and strong passwords for every website. Password managers come in several flavors, from the truly classic (paper and pencil, which is completely immune to cyber threats but not very convenient) to software that stores passwords in a local database only, to software that stores encrypted passwords in the cloud for easy sharing between devices. LastPass is in the latter category ... and informed its customers this week that its networks had been breached.

In this case, the attacker managed to access email addresses and master password hashes (a scrambled version of the master password that cannot be unscrambled). To log in, you provide your master password, which the program runs through the same scrambling algorithm; if the hash of the password you provided matches the stored hash, then you provided the correct password.
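The scrambling-and-compare scheme just described, as an added example that is not LastPass's own code: each user gets a random salt, the password is run through PBKDF2-HMAC-SHA256 (implemented here from HMAC so the example runs with the standard library), and login recomputes the hash and compares it in constant time. The master password and iteration count are constructed for illustration; the iteration count is also why a stolen hash buys an attacker only slow offline guessing rather than the password itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const iterations = 100000 // makes each guess against a stolen hash expensive

// pbkdf2 derives the first 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018):
// U1 = HMAC(pw, salt || 00000001), Ui = HMAC(pw, Ui-1), out = U1 xor ... xor Uc.
func pbkdf2(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Record is what the service stores instead of the password: a random
// per-user salt plus the derived hash, which cannot be run backwards.
type Record struct{ Salt, Hash []byte }

// Enroll runs once, when the master password is set.
func Enroll(master string) Record {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Record{Salt: salt, Hash: pbkdf2([]byte(master), salt, iterations)}
}

// Login repeats the same scrambling on the attempt and compares in constant time.
func Login(rec Record, attempt string) bool {
	return subtle.ConstantTimeCompare(rec.Hash, pbkdf2([]byte(attempt), rec.Salt, iterations)) == 1
}

func main() {
	rec := Enroll("correct horse battery staple") // constructed master password
	fmt.Println(Login(rec, "correct horse battery staple"), Login(rec, "wrong guess"))
}
```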

My recommendations for LastPass users? Change your LastPass master password, enable two-factor authentication where websites support it (at least for high-value sites such as banks and email), and be wary of clicking links in any email claiming to be from LastPass - crooks would love to send you a fake "I'm from LastPass, click here to make it all better" phishing mail.

European court rules that websites are liable for reader comments

Many websites (this blog included) provide a means for readers to comment on stories. In some cases, websites allow for anonymous or uncensored replies. While this might not be advisable (comments filled with spam, unrelated replies, or abusive language tend to turn away readers), it's a business decision, not a legal one, right? Ars Technica reports that the European Court of Human Rights has ruled that an Estonian news site can be held liable for anonymous and defamatory comments from its readers, in part because it would be difficult to identify and prosecute the actual offender.