Usability trumps security. Stop me if you've heard this before. Paul found this story called "Muddying the Water on Security and Embedded Devices". An FTC panel said that the functionality of devices is the most important thing, even to the point of being able to check the status of a roast in the oven while you're weeding in the garden. But, for a little more proof of how little security is thought about in many places, Paul went on a little expedition to securityvulns.com and found things like hard-coded credentials, auth bypass and XSS in your firewall! For the
The "sexiest man alive" Dave 'Rel1k' Kennedy spoke before Congress about the lack of security in healthcare.gov. It is a good thing when a true security expert gets to offer his opinion on security issues. He told Congress that healthcare.gov appeared to have been built to meet deadlines and that security was not a consideration in the process. Security needs to be "baked in" along the way; trying to bolt it on after the fact is a recipe for disaster.
Rob Graham of Errata Security came up with an isolating firewall that uses its own IP stack. The protected host is cut off from everything on the local network except the gateway, so it can still reach the internet while being unable to touch any other machine on the LAN. It's pretty amazing for keeping an infected system out of the rest of your network while still letting it connect to the internet. As Paul mentioned, this can be a great thing if you're looking at malware that notices when it has been discovered and its internet connection cut off. Such malware could self-destruct and hamper any forensics being performed. With this firewall in place, everything will look normal to the infected machine; it just won't see any other host on the network.
Ok so how's this for actual good customer service? Facebook (and reportedly some other services) went through the Adobe breach data, checked which of their users also had accounts in the Adobe dump, and notified those whose Adobe password was also their Facebook password. Facebook then forced those users to answer some security questions and reset their password. Proactive security sounds like a good thing.
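The comparison Facebook is described as doing can be done without the site ever storing its own users' passwords in the clear: take the plaintext recovered from the dump for a given email, run it through the site's own salted hash, and compare. The following is an added example of that check, not Facebook's code; it assumes the site stores PBKDF2-HMAC-SHA256 records and that plaintexts recovered from the dump are already available per email. The user records and the breach entries are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo


def make_record(password: str) -> dict:
    """Store a password the way the site would: random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def matches(record: dict, candidate: str) -> bool:
    """Hash the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def reused_passwords(users: dict, breach: dict) -> set:
    """users:  email -> stored credential record for this site.
    breach: email -> plaintext recovered from the third-party dump.

    Only the plaintext leaked for the *same* email is tried against that
    account, so the cost is one PBKDF2 evaluation per overlapping email rather
    than a full cracking run, and the site never needs anyone's plaintext
    beyond what the dump already exposed."""
    flagged = set()
    for email, leaked_plaintext in breach.items():
        record = users.get(email)
        if record is not None and matches(record, leaked_plaintext):
            flagged.add(email)
    return flagged


# Constructed sample data: two users on "our" site, three entries in the dump.
USERS = {
    "alice@example.com": make_record("Summer2013!"),
    "bob@example.com": make_record("correct horse battery staple"),
}
BREACH = {
    "alice@example.com": "Summer2013!",        # same password on both sites
    "bob@example.com": "bobs-other-password",  # different password, fine
    "carol@example.com": "hunter2",            # not a user here at all
}


def demo() -> set:
    """Run the reuse check over the constructed data and return flagged emails."""
    return reused_passwords(USERS, BREACH)


if __name__ == "__main__":
    for email in sorted(demo()):
        print(f"{email}: password reused, force reset")
```

Only alice is flagged. Because the comparison goes through the site's own salted hash, nothing new about bob or carol is learned, and the check is exactly as expensive as one login attempt per overlapping account.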
Security predictions for 2014...Greg predicts that not much is going to change. And that might end up being the most correct prediction of them all.
Wendy Nather of the 451 Group says that if you consider it a security issue to have a username reminder system which could allow an attacker to enumerate your user database, you might have bigger issues. Simply possessing a valid username should not be a major security concern. Sure, someone can brute-force accounts once they have that half of the information, but (in spite of the rants above) we do need to consider usability in addition to security. We can't simply tell our users who forget their username "Sorry, can't help you. We're secure!" If brute-forcing the accounts behind those usernames is the problem, then worry about that. Worrying about someone getting the usernames should be a lesser concern, especially given how easy they are to guess. For example, we can assume with pretty high likelihood that there is a jsmith account on most systems, or that people will use their Twitter handle.
Similar to how Facebook was proactive about security issues, GitHub tried to get out in front of a problem as well. They sustained a brute-force attack against their authentication system from more than 40,000 unique IP addresses hitting the system at once. GitHub then decided to simply ban weak passwords and had users who were using one of them change it.
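Wendy's point and the GitHub story fit together: once usernames are assumed known, the control that matters is how many guesses an attacker gets per account. An attack spread over 40,000 source addresses never trips a per-IP counter, so the failure counter has to be keyed on the account (with weak passwords refused outright so the few guesses that are allowed don't land). The block below is an added example, not GitHub's implementation; the throttle thresholds, the tiny denylist and the simulated source addresses are all constructed for the demo.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed denylist; a real one is a file of the most common leaked passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "github", "welcome1"}


def is_weak(password: str) -> bool:
    """Refuse passwords on the denylist (case-insensitive) at set time and at login."""
    return password.lower() in WEAK_PASSWORDS


class FailureThrottle:
    """Sliding-window counter of failed logins, bucketed by `key(username, ip)`.

    key=lambda u, ip: ip  -> classic per-IP limit (defeated by distributed attacks)
    key=lambda u, ip: u   -> per-account limit (holds no matter how many IPs are used)
    """

    def __init__(self, key, max_failures=10, window_seconds=600):
        self.key = key
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # bucket -> timestamps of recent failures

    def _prune(self, bucket, now):
        q = self.failures[bucket]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, username, source_ip, now):
        bucket = self.key(username, source_ip)
        self._prune(bucket, now)
        return len(self.failures[bucket]) >= self.max_failures

    def record_failure(self, username, source_ip, now):
        bucket = self.key(username, source_ip)
        self._prune(bucket, now)
        self.failures[bucket].append(now)


def simulate_distributed_attack(throttle, username, n_sources, now=0.0):
    """Each wrong guess arrives from a different IP within one window.
    Returns how many guesses the throttle accepted before locking."""
    accepted = 0
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    for i in range(n_sources):
        source_ip = str(ipaddress.IPv4Address(base + i))  # unique per guess
        if throttle.is_locked(username, source_ip, now):
            break
        throttle.record_failure(username, source_ip, now)
        accepted += 1
    return accepted


def compare_strategies(n_sources=40_000, max_failures=10):
    """Return (guesses accepted by per-IP throttle, guesses accepted by per-account throttle)."""
    by_ip = FailureThrottle(key=lambda u, ip: ip, max_failures=max_failures)
    by_account = FailureThrottle(key=lambda u, ip: u, max_failures=max_failures)
    return (
        simulate_distributed_attack(by_ip, "jsmith", n_sources),
        simulate_distributed_attack(by_account, "jsmith", n_sources),
    )


if __name__ == "__main__":
    ip_guesses, account_guesses = compare_strategies()
    print(f"per-IP throttle let through {ip_guesses} guesses")
    print(f"per-account throttle let through {account_guesses} guesses")
    print("weak:", is_weak("Password"), "| strong:", is_weak("correct horse battery staple"))
```

With 40,000 distinct sources the per-IP throttle accepts every one of the 40,000 guesses, while the per-account throttle stops the same attack after ten. The account-keyed bucket also makes knowing the username worthless on its own, which is the usability trade Wendy is arguing for: hand out username reminders, and spend the effort on limiting guesses instead.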
As mentioned previously on the show, Cryptolocker is a real thing. This is malware that, once it infects your system, encrypts all your files and gives you a set amount of time to pay the ransom, after which the key needed to decrypt them is destroyed and the files are gone for good. Attempts to bypass the malware have been unsuccessful. A town police station in Massachusetts was hit with Cryptolocker last week and paid the ransom to get access to their systems again. However, what might have been the most interesting part of the article was the explanation that "we were never compromised." Umm, yeah, ok.
So check out all those stories and even more on this week's edition of PaulDotCom Security Weekly! We'll see you each week on Thursday night at 6 pm, Eastern US time!